Authenticating cisco phones via EAP-TLS by LSC with Radiator

Similar Messages

• ISE AuthZ for Wireless Phones MIC EAP-TLS

  Hi all,
  Trying to authorise 7925G phones using MIC and EAP-TLS. My problem is that I can't seem to get the username in the MIC to match against an Internal Identity group on ISE AuthZ policies. If I remove the endpoint ID group I am able to auth no worries. Everything looks great including the username been in a specific User ID group but I just cannot get it to match a policy with this group selected (both as the ID Group and as an "Internal User:Identity Group" condition).
  Any ideas or is this just not possible?

  Out of curiousity why would you suggest MAB in this instance? These devices have MIC certs and are pretty much EAP-TLS ready out of the box? My problem simply lies with the apparent inability of ISE to match the Subject CN againt an internal group.

• EAP-TLS not working with IOS 4.1

  Hello,
  I've lot of iPhone in my enterprise,
  I've configured it putting user certificate and authenticate on the wireless network using EAP-TLS mode, choosing user certificate and give the username, and it was working.
  sometime "can't connect to network" append, but after lot of tries, it work.
  when the network is configured, it's working all the time.
  since 4.1.3, I can't configure this network, I can't approve my server radius certificate (so I succeed to authenticate from server)
  I've already tried to put my root CA certificate in iPhone, doesn't change anything (It should be trusted ! all servers certificate are from this CA)
  I've tried to preconfigure this wireless network with iphone configuration utility, not working.
  Iphone 3GS, iphone 4 since IOS 4.1.3

  Here is the dump log obtened via Iphone configuration utility, with certificate deployed but configuration manually
  Oct 14 15:40:41 unknown wifid[29] <Error>: WiFi:[340292441.191866]: Processing link event UP
  Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLANCore::setDISASSOCIATE() [wifid]:
  Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLANCore::setASSOCIATE() [wifid]:  lowerAuth = AUTHTYPE_OPEN, upperAuth = AUTHTYPE_WPA2_8021X, key = CIPHER_NONE    , 802.1X .
  Oct 14 15:40:41 unknown kernel[0] <Debug>: [6225.861292541]: AppleBCMWLANNetManager::prepareToBringUpLink(): Delaying powersave entry in order to get an IP address
  Oct 14 15:40:41 unknown kernel[0] <Debug>: AppleBCMWLAN Joined BSS:     @ 0xc0befa00, BSSID = 00:15:70:e6:6d:90, rssi = -41, rate = 54 (100%), channel =  1, encryption = 0x8, ap = 1, failures =   0, age = 9, ssid[11] = "TAO_Employe"
  Oct 14 15:40:41 unknown kernel[0] <Debug>: AirPort: Link Up on en0
  Oct 14 15:40:41 unknown kernel[0] <Debug>: en0: BSSID changed to 00:15:70:e6:6d:90
  Oct 14 15:40:41 unknown eapolclient[410] <Notice>: eaptls_verify_server: server certificate not trusted, status 3 0
  Oct 14 15:40:41 unknown Preferences[101] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
  Oct 14 15:40:41 unknown Preferences[101] <Warning>: -[APOtherNetworkController keyboardWillShow:]
  Oct 14 15:40:42 unknown kernel[0] <Debug>: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
  Oct 14 15:40:43 unknown Preferences[101] <Warning>: -[VPNBundleController _vpnConfigurationChanged:] (0x278960:<VPNBundleController: 0x278960>): _serviceCount(3), serviceCount(3), toggleInRootMenu(0), RootMenuItem(1)
  Oct 14 15:40:45 unknown wifid[29] <Error>: WiFi:[340292445.893128]: Already associating, will not queue request.
  Oct 14 15:40:46 unknown UserEventAgent[12] <Warning>: Unable to cancel system wake for 2011-10-14 15:40:31 +0200. IOPMCancelScheduledPowerEvent() returned 0xe00002c2
  Oct 14 15:40:51 unknown kernel[0] <Debug>: [6235.874083208]: AppleBCMWLANNetManager::handleDelayedPowerManagementTimeout(): Timed out waiting for IP address, entering powersave mode: 2

• Recording Cisco phones registered on CUCM 8.6 with Verint Impact 360 not working.

  Hello,
  We're trying to record audio from Cisco IP phones registered to a CUCM 8.6 using SPAN and Verint Impact 360 with no success.
  Verint provided us with some information to do the integration but we understand we don't need to do much on Cisco side besides configuring SPAN session to monitor the traffic we want.
  We configured the following SPAN session:
  monitor session 2 source interface Gi1/0/1 - 48
  monitor session 2 source interface Gi2/0/1 - 47
  monitor session 2 destination interface Gi2/0/48
  Verint Impact 360 NIC is connected on port Gi2/0/48 but no RTP traffic is being detected.
  Phones are connected to ports 1/0/5 and 1/0/6, this is a two 3750E switches stack. The configuration on the ports is:
  interface GigabitEthernet1/0/5
   switchport access vlan 186
   switchport mode access
   switchport voice vlan 176
   switchport port-security maximum 2
   switchport port-security
   speed 100
   duplex full
   spanning-tree portfast
  interface GigabitEthernet1/0/6
   switchport access vlan 186
   switchport mode access
   switchport voice vlan 176
   switchport port-security maximum 2
   switchport port-security
   speed 100
   duplex full
   spanning-tree portfast
  Vlan 176 is the voice vlan we're using. Wireshark will see SCCP traffic but nothing else.
  Does anybody have any tips or recommendations we could try?
  Regards,
  Daniel G.

  is there any difference when you SPAN based on vlan?
  monitor session 1 source vlan 176
  monitor session 1 destination interface Gi2/0/48

• Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

  Hi All,
  I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
  Computer using Data over wirless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
  For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
  I confront PEAP and Eap-TLS for now:
  1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
  2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
  so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
  If I understood well I have to put User.cer and ACS_CA.cer on each phone and pout the User_CA on the ACS ?
  I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
  I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
  can you help me to know if I understood everything good ? I would be please to exchange experience on that
  thanks ;)
  bye

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.

• EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

  Hello,
  I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
  The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
  While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
  Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
  What was done:
  - set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.
  - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
  - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
  What I can see while running a wireshark trace on freeradius is:
       - both parties negotiate properly that they will engage in EAP-TLS.
       - they  start the TLS handshake
       - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
       - Client (phone) never sends its certificate (MIC) to the server.
       - Client restarts EAP-TLS negotiation and goes on and on.
  Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
  Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
  Phone firmware is 9.2(3) and callmanager 8.6
  Thanks
  Gustavo Novais

  Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain

• How to authenticate Cisco IP Phones via ISE

  Hello
  Has anybody an idea or official link to a Cisco instruction, how to configure a Cisco ISE to authenticate Cisco IP Telephony via EAP-TLS (802.1x)?
  Can anybody help?
  Thanks!
  Marco

  HEre you go.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1146222
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Cisco ISE - eap-peap and eap-tls

  Hi,
  Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
  I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
  If peap use this identity source, if tls use 'this certificate authentication profile'.
  Thx

  OK,
  so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
  The authentication policy was allowing EAP-TLS & EAP-PEAP.
  I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
  What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
  In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
  When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
  Hope that helps.
  Mario

• PEAP vs EAP-TLS Wireless Authentication Method

  Hi,
  I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
  I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
  Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
  We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
  Thanks,

  Hi,
  I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
  I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
  Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
  We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
  Thanks,

• ISE 1.1.1 - Error Code 12521 EAP-TLS failed SSL/TLS handshake after a client alert

  Hello,
  Has anyone come across this error code before?  I have looked in the 1.1.1 troubleshooting section and there is nothing there. When I click on the link for the description off the error in ISE I get the following error:
  I setup 7925 phones for EAP-TLS using MIC.  I have uploaded Cisco's Root CA and Manufactoring CA Certificates and enabled "Trust for client authentication".  A Certificate Profile is configured matching Common Name and is added to the Identity Sequence.    I got some additional attribute information, where there is a error message:
  OpenSSLErrorMessage=SSL alert code=0x233=563 ; source=remote ; type=fatal ; message="decrypt error"
  Anyone know what this error means?

  Yes,
  That could be it see if you can follow this guide on importing the ISE self signed cert: (i used a 7921 guide but it should be similar).
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/7_0/english/administration/guide/7921cfgu.html#wp1376129
  Installing the Authentication Server Root Certificate
  The Authentication Server Root Certificate must be installed on the Cisco Unified Wireless IP Phone 7921G.
  To install the certificate, follow these steps:
  Step 1 Export the Authentication Server Root Certificate from the ACS. See Exporting Certificates from the ACS.
  Step 2 Go to the phone web page and choose Certificates.
  Step 3 Click Import next to the Authentication Server Root certificate.
  Step 4 Restart the phone.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• ISE & EAP-TLS Wired document

  All,
  Is there a document out there that explicitly shows wired authentication via EAP-TLS and explains the steps?
  I have a good handle on what's needed, but I had trouble finding relevant documentation.

  Please review the below link:
  http://http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_LANAndWirelessLAN802.1xAuthenticationDeploymentGuide-Aug2012.pdf

• WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

  Hello,
  Does anybody know what could prevent a Windows 8/8.1 system to connect to a WLC via EAP-TLS? Windows 7/XP do not have any problems here.The radius server accepts the request, but WIndows 8 still tries to authenticate.
  Software is updated to 7.6.120.0, I tried to setup timeout values, but no success at all.
  Did anyone have similar problems with Windows 8/81?
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
     state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId =
  0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
  *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
  *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
  *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
  *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
  *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
  Any hint would be great .... Thank you...

  Hello Dino,
    thanks very much for your reply.
    The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
  Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
  EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
  I suspect the cert-setup itself, but don't get a clue where this might stuck...
  Björn

• EAP-TLS and ACS 5.1 with AD

  Hello,
  I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:
  24435  Machine Groups retrieval from Active Directory succeeded
  24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
  24483  Failed to retrieve the machine certificate from Active Directory.
  22049  Binary comparison of certificates failed
  22057  The advanced option that is configured for a failed authentication request is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  12507  EAP-TLS authentication failed
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  What ist the problem? I can't find documents how to configure this in detail.
  Can some one helf me?
  King regardes
  Torsten

  Hi Torsten,
  The option you are looking for is under system configuration:
  Configuring Local Server Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640
  Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:
  Configuring CA Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

  Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
  Long story short, what I'd like to do is: 
  User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
  Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
  personally owned devices only allowed to do ICA,
  corporate device can use SQL, RDP, etc...
  Thoughts, ideas?

  Not sure i understand your response, or perhaps my original question isn't clear.
  User authenticates with EAP-TLS / User cert
  User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
  Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
  My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

• EAP/TLS on PPC2002&WinCE3.0.11171

  Hi
  I'm trying to configure EAP-TLS on Pocket2002 , I installed the necessary Cisco software and it's working fine but I have a great problem. Windows CE only lets me to install certificates with .cer extension . But with this format I can't export the private key . Is there any solution? Anybody has found this problem?
  Thanks for your help

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.