8021.x EAP-TLS "User" vs "System" profile problems

Similar Messages

• ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

  Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
  Long story short, what I'd like to do is: 
  User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
  Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
  personally owned devices only allowed to do ICA,
  corporate device can use SQL, RDP, etc...
  Thoughts, ideas?

  Not sure i understand your response, or perhaps my original question isn't clear.
  User authenticates with EAP-TLS / User cert
  User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
  Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
  My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

• WPA2 security with EAP-TLS user cert auth

  I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer. 
  When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
  It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth  worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
  Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

  Well Well
  WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
  The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
  In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
  Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
  Please make sure to rate correct answers

• EAP-TLS User Certificate Question

  I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:
  I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.
  Thanks
  -Raun

  If you are using the MS Supplicant, you need the following registry settings:
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"
  This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.
  As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.
  Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

• EAP-TLS User and machine authentication question

  Hello,
  i have a question regarding EAP TLS authentication in a wireless environment. We use Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentification. The Laptop and the user can be successfully authenticated using a certificate from our internal CA. i can also check the in our corporate AD if the user and machine are member of a certain group and based on the membership a can grant access to the network.
  i can see in the ACS when the laptops after a reboot logs on to the network, but i don't see a log when the laptop comes back from hibernate mode, i guess this is normal because the laptop sends only the autentication equest after rebooting.
  What i'd like to achive is, when a user logs on the it should always be checked if the machine was authenticated prior the user can get access to the network. Is there a way to do this with EAP-TLS and a LDAP connection to Active Directory.
  thanks in advanced
  alex

  Sounds like you rather want to use PEAP/MSChapV2

• 802.1X EAP-TLS User Certificate Errors

  I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers).  I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer
  Authentication.  However, when authentication mode is set to "User or Computer" or just "User" it fails.  I get a "certificate is required to connect" pop up and it's unable to connect.
  No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see.  It seems as if there is a problem with the client certificate:
  [236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
  [236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
  [236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
  [236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
  [236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
  [236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
  [236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
  [236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
  [236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
  [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
  [236] 06-04 09:26:35:720: DwGetEKUUsage
  [236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
  [236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
  Also, in the event viewer I get the following:
  Wireless 802.1x authentication failed.
  Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
  Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
  Local MAC Address: C4:17:FE:48:F2:79
  Network SSID: *****
  BSS Type: Infrastructure
  Peer MAC Address: 00:12:17:01:F7:2F
  Identity: NULL
  User: presentation
  Domain: ****
  Reason: Explicit Eap failure received
  Error: 0x80420014
  EAP Reason: 0x80420100
  EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
  I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS.  I modified the "Subject Name" to "Build from Active Directory information".  "Subject Name Format" is set to "Fully Distinguished Name" and "User
  Principal Name (UPN) is checked.  All other boxes are cleared.  I verified that certificates for both user, computer , and root CA are all correctly auto enrolled.  I also verified that the user certificate
  exists in the "Personal" user certificate store on the client.
  There is clearly something wrong with the user certificate but what? I'm at wits ends as I have tried everything.  Please help!

  Hey,
  I am precisely in the same situation now. I have  a win7 client with server2008R2(having AD, and DNS) with NPS running. I have certificate templates and auto enrollment configured. My Win7 machine is able to authenticate using its certificate but
  when I use the user certificate it doesn't work. Both  user/computer certificates are coming from the AD root CA enterprise. NPS has the right certificate. I have verified on client user/local machine , both have their respective certificates in their
  personal stores.
  I have tried all possible combination and even tried changing the key provider but no use.[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
  [6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
  [6472] 12-10 13:39:04:327: DwGetEKUUsage
  [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
  [6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
  [6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
  [6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
  [6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
  [6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
  [6472] 12-10 13:39:04:327:  Self Signed Certificates will not be selected.
  [6472] 12-10 13:39:04:327: EAP-TLS will accept the  All-purpose cert
  I am stuck at it for last few days with no real cause known as yet.!
  Any help will be thoroughly appreciated!!!

• EAP-TLS and MS AD auth problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

• ACS 4.2 and EAP-TLS with AD and prefix problem

  Hi there
  we have the following situation:
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
  First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
  Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
  This is the normal output of the Remote Agent, it finds the host but then nothing happens:
  CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
  CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
  CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
  CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
  So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
  test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
  CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
  CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
  It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
  Could this be the problem or does someone see any other problem?
  Best Regards
  Dominic

  Hi Colin
  thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
  I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
  Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
  Regards
  Dominic

• 10.3 System Profiler problems

  Hi, I've just installed OSX 10.3 and done all the updates but when I try and open the system profiler I get the following error message -
  'The application Apple System Profiler has unexpectedly quit.The system and other applications have not been affected.
  Would you like to submit a bug report to Apple?'
  I tried about ten times and I'm getting nowhere. Just the same error message. Any ideas?
  Thanks

  madcap3,
  According to Mac OS X: Issues After System Fonts Removed or Relocated: Applications, including Apple System Profiler, TextEdit, Address Book, and Safari, may unexpectedly quit if System fonts are deleted or moved from /System/Library/Fonts.I would recommend that you check out Font Management in Mac OS X Tiger and Panther, by Kurt Lang.
  ;~)

• System Profiler Problem...

  Good Afternoon,
  For some reason system profiler is freezing on me. When I click, the "Logs" section I get the rainbow spinning wheel, and the system profiler app becomes unresponsive. I have shut down and restarted my computers and still have the problem. What should I do?

  baltwo wrote:
  Step one. Move thr com.apple.SystemProfiler.plist file out of your /Library/Preferences folder to the Desktop, restart, and try Sys Profiler again.
  Done! and your solution worked!
  thanks baltwo!

• ISE 1.1 EAP-TLS User Authentication in Multiforest

  Hello,
  we are currently evaluating the ISE 1.1 in a multiforest environment and we have problems to authenticate users which based in other domains (domain2) then the ISE (domain) is based.
  This is the setup:
  In domain1 is a MSFT CA with OCSP, DC and ISE
  In domain2 is a DC and the users
  there is a two way trust between the domains.
  This is my authentication scenario:
  1. agent connect to a wireless network (ok)
  2. client exchanges certificate information with ISE (ok)
  3. ISE exchanges certificate status with CA (ok)
  4. ISE extracts the subject Alternative Name from the certificate [email protected] (ok)
  5. ISE queries Active Directory store for the user  [email protected] (not ok fails with  22056 Subject not found)
  in the log i can see the other forest (domain2) is not even queried to retrieve user data only domain1.
  I could query the other domain during AD setup and was able to add groups from the other domain bet i could retrieve attributes of the user in domain2.
  Any Ideas?
  Regards
  Alex
  Extract from Log File
  DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
  DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person
  [email protected]
  options=2
  DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
  DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
  DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames:
  [email protected]#012name
  [email protected]
  type=SAM domain=domain1.LAN#012
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
  [email protected]
  )), attrs 7e638646 (cacheOps=40f, GC=0)
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
  DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
  [email protected]
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
  DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
  [email protected]
  )), attrs e4a3aa15 (cacheOps=40f, GC=1)
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
  DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
  [email protected]
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
  DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
  DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="
  [email protected]
  " (GC=0)
  DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper
  '[email protected]'
  is not a canonical name
  DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
  DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person [email protected] options=2
  DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
  DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
  DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: [email protected]#012name: [email protected] type=SAM domain=domain1.LAN#012
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs 7e638646 (cacheOps=40f, GC=0)
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
  DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
  DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs e4a3aa15 (cacheOps=40f, GC=1)
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
  DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
  DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
  DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
  DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="[email protected]" (GC=0)
  DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
  DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper '[email protected]' is not a canonical name
  DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete

  Tarik,
  from the ISE cli i can nslookup domain2.lan and i get this result
  nos-ch-wbn-ise1/admin# nslookup domain2.lan
  Trying "domain2.lan"
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5
  ;; QUESTION SECTION:
  ;domain2.lan.              IN      ANY
  ;; ANSWER SECTION:
  domain2.lan.       600     IN      A       192.168.68.21
  domain2.lan.       600     IN      A       172.28.1.3
  domain2.lan.       600     IN      A       172.28.1.2
  domain2.lan.       600     IN      A       192.168.68.20
  domain2.lan.       3600    IN      NS      labdc01.lab.lan.
  domain2.lan.       3600    IN      NS      labdc02.lab.lan.
  domain2.lan.       3600    IN      NS      labex01.lab.lan.
  domain2.lan.       3600    IN      NS      bsdehepdc01.domain2.lan.
  domain2.lan.       3600    IN      NS      bsdehepfs01.domain2.lan.
  domain2.lan.       3600    IN      NS      mordor.softlink.ch.
  domain2.lan.       3600    IN      NS      shire.softlink.ch.
  domain2.lan.       3600    IN      NS      labex02.lab.lan.
  domain2.lan.       3600    IN      NS      icm60.icm60domain.lan.
  domain2.lan.       3600    IN      NS      bsfs02.domain2.lan.
  domain2.lan.       3600    IN      NS      bsfs03.domain2.lan.
  domain2.lan.       3600    IN      SOA     bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600
  ;; ADDITIONAL SECTION:
  labdc01.lab.lan.        3600    IN      A       172.28.2.196
  bsdehepdc01.domain2.lan. 311 IN    A       192.168.68.20
  bsdehepfs01.domain2.lan. 2771 IN   A       192.168.68.21
  bsfs02.domain2.lan. 1649   IN      A       172.28.1.2
  bsfs03.domain2.lan. 595    IN      A       172.28.1.3
  So i assume dns is working fine.
  Do i have to see the GC of the trusted domain as well in the ISE Active Directory Configuration ?
  thanks & regards
  Alex

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?

• EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication

  Hi All,
  We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
  We have the leap as well as eap-tls in the authentication part.
  We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
  5/3/2011
  23:16:38
  Authen failed
  [email protected]
  EAP-TLS users
  0023.1413.de18
  (Default)
  EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
  21356
  10.121.198.38
  13
  EAP-TLS
  ap-1242b4 
    Bangalore APs
  We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
  Could anyone help me out in this?
  Regards
  Karthik

  Hi,
  Looks like the CA Cert is not installed on the ACS.
  The following link will help you install the CA cert.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
  Also trust the CA certificate in the Edit trust list list.
  Hope this helps.
  Regards,
  Anisha
  P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

• EAP-TLS help needed

  I have a lab setup and I am trying to get EAP-TLS working.  I have ACS 4.2 running on my active directory machine which is also my certificate authority.  I obtained a cert for the ACS and installed it, reset the ACS, then edited the certificate trust list and restarted.
  I added a user to the AD.  I then obtained a cert for my laptop logging into the certsrv as the user and installed it.
  I added the user to the ACS.
  When I try to connect from the wireless laptop using EAP-TLS with the wireless profile EAP TYPE set to Smart Card or Certificate the connection fails.  I have unchecked validate certficate authority with no luck connecting.
  When I check the ACS under the failed attemps it says ACS user unknown.  This is the same user, all I did was change the EAP type on the laptop.
  When I set the EAP type to PEAP I am able to get connected with or without validating the server certificate.
  Any help would be greatly appreciated.
  Seth

  Hello,
  I provided a few links that you may find helpful
  TLS config example
  http://www.cisco.com/en/US/customer/products/ps6366/products_configuration_example09186a00807917a6.shtml
  TLS Video
  http://www.youtube.com/watch?v=sazfGz2D3eo
  I hope this helps. Please rate helpful post ... Thanks

• EAP-TLS with Radius Server configuration (1130AG)

  Hi All,
  Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
  My steps for radius:- (i think this part ive actually got ok)
  http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
  Steps for the wirless profile on a win 7 client:- this has me confused all over the place
  http://technet.microsoft.com/en-us/library/dd759246.aspx
  My 1130 Config:-
  [code]
  Current configuration : 3805 bytes
  ! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
  ! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname WAP1
  aaa new-model
  aaa group server radius RAD_EAP
  server 10.1.1.29 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login EAP_LOGIN group RAD_EAP
  aaa authorization exec default local
  aaa authorization network default local
  aaa session-id common
  ip domain name ************
  dot11 syslog
  dot11 ssid TEST
     authentication open eap EAP_LOGIN
     authentication network-eap EAP_LOGIN
     guest-mode
  crypto pki trustpoint TP-self-signed-1829403336
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1829403336
  revocation-check none
  rsakeypair TP-self-signed-1829403336
    quit
  username ***************
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid TEST
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  ssid TEST
  no dfs band block
  channel dfs
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.1.2.245 255.255.255.0
  ip helper-address 10.1.1.27
  no ip route-cache
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
  radius-server key ************
  bridge 1 route ip
  line con 0
  logging synchronous
  transport preferred ssh
  line vty 0 4
  logging synchronous
  transport input ssh
  sntp server 130.88.212.143
  end
  [/code]
  and my current debug
  [code]
  Jan 25 12:00:56.703: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: AAA/BIND(000000
  WAP1#12): Bind i/f
  Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
  WAP1#h method EAP or LEAP
  Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 25 12:01:27.581: EAPOL pak dump tx
  Jan 25 12:01:27.581: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 25 12:01:27.581: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01801670:                   0100002B 0101002B          ...+...+
  01801680: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  WAP1#
  01801690: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018016A0: 6F727469 643D30                      ortid=0
  Jan 25 12:01:27.582: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  [/code]
  Can anyone point me in the right direction with this?
  i also dont like it that you can attempt to join the network first before failing
  can i have user cert based + psk? and then apply it all by GPO
  Thanks for any help

  ok ive ammdened the wireless profile as suggested
  i already have the root ca and a user certificate installed with matching usernames
  I had already added the radius device to the NPS server and matched the keys to the AP
  now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
  Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
  WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
  Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
  WAP1#lient 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
  Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
  WAP1#_auth_dot1x_start
  Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 29 11:53:14.620: EAPOL pak dump tx
  Jan 29 11:53:14.621: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.621: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808560: 0100002B 0101002B 01006E65 74776F72  ...+...+..networ
  01808570: 6B69643D 54455354 2C6E6173 69643D41  kid=TEST,nasid=A
  01808580: 50445741 50312C70 6F727469 643D30    WAP1,portid=0
  Jan 29 11:53
  WAP1#:14.621: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
  Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
  WAP1#cator message to client 74de.2b81.56c4
  Jan 29 11:53:14.622: EAPOL pak dump tx
  Jan 29 11:53:14.622: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.622: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808690:                   0100002B 0101002B          ...+...+
  018086A0: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  018086B0: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018086C0: 6F727469 643D30                      ortid=0
  Jan 29 11:53:14.623: dot1x-regi