Authentication failed using EAP-TLS and CSSC against ACS

Similar Messages

• EAP-TLS and LEAP on a 1200 AP

  Is it possible to have a 1200 AP use EAP-TLS and LEAP authentication simultaneously? We currently use LEAP in production and I have successfully configured a test 1200 AP to use EAP-TLS, but we would like to have it use both methods until all clients can be set up for EAP-TLS.

  You may view this link : http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm
  Regards
  Mc

• ISE 1.2 EAP-TLS and AD authentication

  Hi,
  I am sure I have had this working but Just cant get it to now.
  So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
  My Authentication profile says
  IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below) 
  Then my authorization profile says
  if active directoy group = "Domian computers" then allow access.
  When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
  24433          Looking up machine in Active Directory - [email protected]
  24492          Machine authentication against Active Directory has failed
  22059          The advanced option that is configured for process failure is used
  22062          The 'Drop' advanced option is configured in case of a failed authentication request
  But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
  Cheers

  This accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
  This jsut says if AD Group = /user/domainComputer allow full access (simple rule)

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks

• L2TP/IPSec with PIX using EAP-TLS

  Hi,
  i have big problems with using my PIX515 (SW 7.2.1) for L2TP/IPSec VPN-Connections using EAP-TLS. With the option EAP-Proxy activated on PIX a RADIUS Access-Request Message reaches the configured RADIUS-SERVER (IAS2003), but the request is rejected by Radius. I did inspection of the packets with a sniffer and see following strange behavior:
  - There is a Tunnel-Client-Endpoint AVP with no value and, even stranger, an existing AVP titled User-Password with an encrypted value.
  I dont understand where the encrypted Password comes from in the first RADIUS Access-Request message received from the PIX, since the authentication method should be certificate-based (EAP-TLS). And I dont know either if the Tunnel-Client-Endpoint MUST be present in the message. Fact is the RADIUS responds with an Access-Reject Message.
  The other AVPs in the request seem to be OK, and there is an existend AVP titled EAP-Message (79) that seems alright...
  Other detail: In the event log on the IAS the request is logged as Type "PAP" (and not EAP as it should be!) and the log tells me about a problem with wrong username/password.
  Tested the same client and Radius configuration using a RRAS-Server from Microsoft instead of the PIX and it worked fine! Could this be a bug of the Pix EAP-Proxy function?
  EAP-Proxy should pass all EAP packets unmodified to the Radius, right? This seems not to be the case. Comparing the RADIUS Access-Request Message received from the Pix (which fails) with the RADIUS Access-Request Message received from the RRAS-Server (which successes) shows significant differences.
  Every help appreciated. Please ask me for further infos if needed or if you would like me to post the Packet Capture file (Ethereal format)/Configuration information.
  Thank you very much!!
  Best regards,
  Matthias

  The Cisco Secure PIX Firewall Software Release 6.0 supports VPN connections from the Cisco VPN Client 3.5 for Windows.Refer the following URL for more information
  http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall

• EAP-TLS and MS AD auth problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

• EAP-TLS and EAP-PEAP Clients

  Hi guys
  I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
  Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
  The endpoints are configured with a username and password. The credentials are created in ISE server.
  I create a second policy for wired dot.1x with EAP - PEAP enabled
  The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
  When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
  Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
  Thanks in advance.
  Sent from Cisco Technical Support iPad App

  Hi,
  There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
  You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
  The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• 802.1x with EAP-TLS and dACLs

  Hi,
  i'm looking to enable 802.1x on the wired network using EAP-TLS. The radius server will be an ACS5.2 running on the appliance. We'd also need some authorization for different machines - we'd like to use dACLs for that so that machine A will get full access while machine B will get restricted access (both client machines are related to different business units). So machine based auth (clients run XP SP3 or Vista).
  I'm not very clear about the following...based on the presented client machine certificate, we should be able to apply an authorization policy (dACL). How can we set this up...anyone else tried this before?
  in 'worst'  case we could do machine auth (EAP-TLS) to validate it's a corporate machine connecting, followed by user authentication & authorization (EAP-PEAP) to apply access policies based on the user id..with PEAP is see it might be easier to extract user info out of AD to make policy decision...?
  Thanks,
  Guy

  Hi Guy,
  provided that the dACL is just part of the Authorization profile that you return to the client, you need to make sure that you have the correct attributes so to allow the authorization policy evaluation.
  In ACS 5 when you configure a "Certificate Authentication Profile", the basic option is just to validate the client certificate.
  So as long as ACS can validate the cert using the trusted CA certificates installed on ACS, the authentication is successful.
  However, if you do so the only attributes you can base your authorization policy evaluation are the non-binary attributes of the certificate itself, as there's no query done to any backend DB in this case.
  If you want to evaluate the authorization policy where you want to check for additional attributes that are stored on an external DB (e.g. Active Directory), you can do it in two ways:
  1) enable certificate binary comparison on the "Certificate Authentication Profile": this will both perform the binary comparison of the cert and it will fetch the user attributes from AD; this of course requires that the certificate for the user is also stored on the "userCertificate" attribute in Active Directory.
  2) configure an "Indentity Store Sequence" where you select:
    - Authentication Method List : Certificate based : "Certificate Authentication Profile"
    - Additional Attribute Retrieval Search List : Add "AD1" among the selected Identity Stores
  In this case ACS won't perform binary comparison of the cert, but it will look for the corresponding user account in AD so to fetch additional attributes (group membership, etc..)
  You can find relevant documentation about this on the ACS user guide:
  - Configuring "Certificate Authentication Profile"
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054057
  - Configuring "Identity Store Sequence"
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054132
  - Managing policy elements:
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• Cisco 7921 - Does anyone Use EAP-TLS in their VoWLAN Deployments?

  Hi Guys,
  I am looking at making a technology decision, in regards to VoWLAN and authentication.
  For our Data Deployment, we use EAP-TLS with a PKI infrastructure and ACS. The ACS passes fields from the certs to AD for verification.
  Can I do exactly the same for the Voice Deployment?
  Has anyone used EAP-TLS with Voice? Are there any problems? Or should I just go ahead and get some certs minted for the phones, setup some AD accounts and whey hey, its time to party?
  Many thx indeed,
  Ken

  Hi Michael,
  So looking at the deployment guide, this is worded (imho) in a confusing manor? Sorry.
  CCKM is listed under authentication, where i though CCKM is an authentication "key managment" protocol?
  It also says 802.1x authentication with AES encrytion, under the authentication heading?
  It says eap-tls, should this not say 802.1x eap-tls or collapse this with the 802.1x authentication?
  ahh, when it says 802.1x, does that mean 802.1x dynamic wep?
  Would it be correct to say, that I want to use 802.1x eap-tls with tkip and CCKM?
  Sorry, this hurts :)
  Thx,
  Ken
  Wireless Security
  When deploying a wireless LAN, you must provide security. The Cisco Unified Wireless IP Phone 7921G supports the following wireless security features.
  Authentication
  - Cisco Centralized Key Management (CCKM)
  - 802.11i (802.1x authentication + TKIP encryption)
  - 802.11i (802.1x authentication + AES encryption)
  - 802.11i (Pre-Shared key + TKIP encryption)
  - 802.11i (Pre-Shared key + AES encryption)
  - Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)
  - Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)
  - Protected Extensible Authentication Protocol (PEAP)
  - Lightweight Extensible Authentication Protocol (LEAP)
  - Open and Shared Key
  Encryption
  - Advanced Encryption Scheme (AES)
  - Temporal Key Integrity Protocol (TKIP) / Message Integrity Check (MIC)
  - 40-bit and 128-bit Wired Equivalent Protocol (WEP)
  Cisco Centralized Key Management (CCKM)
  When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time. TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

• EAP-TLS and CA export

  Iam using EAP-TLS for client authentication. I dont want connect new user to our wired network in order to install certificate. Is possible to export certificate and install certificate from diskette or from CD?????

  If you are using MS Certificate server you can export the certificates to a file from the web gui by selecting "Retrieve the CA certificate or certificate revocation list" and then either "Download CA certificate" or "Download CA certification path" You are then given the normal download file option.
  Rgds
  Paddy

• Psconsole  Authentication Failed, Please reenter username and password

  Hi,
  I have JES5 installed ( App server + Directory server + Portal server + Access manager) on a windows 2003 server with Oracle 10g. After the installation i was able to access the amconsole, psconsole, and the admin console without any errors.
  After the server was restarted, i started the application server and the directory server (dsadm start) and now i can login to admin console and /amconsle and also to the /portal/dt, but i am not able to login to /psconsole.
  i have used the default login details(amadmin) login for both the /amconsole and the /psconsle, /amconsole logins sucessfully but /psconsole gives me the error "Authentication Failed, Please reenter username and password"
  the log details of portal.admin.console.0.0.log are:
  [#|2008-01-08T12:13:58.672+0530|SEVERE|SJS Portal Server|debug.com.sun.portal.admin.console|ThreadID=21; ClassName=com.sun.portal.admin.console.common.PSBaseBean; MethodName=log; |Failed to authenticate with JMX Server: LoginBean.login()
  javax.management.remote.JMXProviderException: Connection refused: connect
       at com.sun.cacao.agent.impl.CacaoJmxConnectorProvider.newJMXConnector(CacaoJmxConnectorProvider.java:388)
       at javax.management.remote.JMXConnectorFactory.getConnectorAsService(JMXConnectorFactory.java:415)
       at javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:307)
       at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:247)
       at com.sun.portal.admin.common.util.AdminUtil.getConnector(AdminUtil.java:813)
       at com.sun.portal.admin.common.util.AdminClientUtil.getJMXConnector(AdminClientUtil.java:113)
       at com.sun.portal.admin.common.util.AdminClientUtil.getJMXConnector(AdminClientUtil.java:139)
       at com.sun.portal.admin.common.util.AdminClientUtil.getJMXConnector(AdminClientUtil.java:163)
       at com.sun.portal.admin.console.common.LoginBean.JMXConnect(LoginBean.java:287)
       at com.sun.portal.admin.console.common.LoginBean.authenticate(LoginBean.java:256)
       at com.sun.portal.admin.console.common.LoginBean.login(LoginBean.java:230)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at com.sun.faces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:146)
       at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:92)
       at javax.faces.component.UICommand.broadcast(UICommand.java:332)
       at javax.faces.component.UIViewRoot.broadcastEvents(UIViewRoot.java:287)
       at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:401)
       at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:95)
       at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:245)
       at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:110)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:213)
       at sun.reflect.GeneratedMethodAccessor139.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
       at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
       at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
       at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
       at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
       at java.security.AccessController.doPrivileged(Native Method)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
       at com.sun.web.ui.util.UploadFilter.doFilter(UploadFilter.java:203)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
       at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
       at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
       at java.security.AccessController.doPrivileged(Native Method)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
       at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
       at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
       at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
       at com.sun.enterprise.web.connector.httpservice.HttpServiceProcessor.process(HttpServiceProcessor.java:235)
       at com.sun.enterprise.web.HttpServiceWebContainer.service(HttpServiceWebContainer.java:2114)
  Caused by: java.net.ConnectException: Connection refused: connect
       at java.net.PlainSocketImpl.socketConnect(Native Method)
       at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
       at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
       at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
       at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
       at java.net.Socket.connect(Socket.java:516)
       at java.net.Socket.connect(Socket.java:466)
       at java.net.Socket.<init>(Socket.java:366)
       at java.net.Socket.<init>(Socket.java:179)
       at com.sun.jmx.remote.socket.SocketConnection.connect(SocketConnection.java:94)
       at com.sun.jmx.remote.generic.ClientSynchroMessageConnectionImpl.connect(ClientSynchroMessageConnectionImpl.java:69)
       at javax.management.remote.generic.GenericConnector.connect(GenericConnector.java:177)
       at javax.management.remote.jmxmp.JMXMPConnector.connect(JMXMPConnector.java:119)
       at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
       at com.sun.cacao.agent.JmxClient.getUnknownJmxClientConnection(JmxClient.java:904)
       at com.sun.cacao.agent.impl.CacaoJmxConnectorProvider.newJMXConnector(CacaoJmxConnectorProvider.java:362)
       ... 52 more
  Also, when i try to start the cacaoadm or check for the status i get the Perl lib version (v5.8.3) doesn't match executable version (v5.8.8) error.
  i have JES5 and Oracle 10G installed on a windows 2003 server,
  can you please let me know what do i have to correct here.
  C:\Program Files\Sun\JavaES5\share\cacao_2\bin>cacaoadm.bat status
  Perl lib version (v5.8.3) doesn't match executable version (v5.8.8) at E:\oracle
  \product\10.2.0\db_1\perl\5.8.3\lib/MSWin32-x86-multi-thread/Config.pm line 32.
  Compilation failed in require at E:\oracle\product\10.2.0\db_1\perl\5.8.3\lib/Fi
  ndBin.pm line 97.
  BEGIN failed--compilation aborted at E:\oracle\product\10.2.0\db_1\perl\5.8.3\li
  b/FindBin.pm line 97.
  Compilation failed in require at C:\PROGRA~1\Sun\JavaES5\share\cacao_2\lib\tools
  \scripts\cacaoadm.pl line 17.
  BEGIN failed--compilation aborted at C:\PROGRA~1\Sun\JavaES5\share\cacao_2\lib\t
  ools\scripts\cacaoadm.pl line 17.
  Thanks in advance
  Regards
  Gani

  Hi,
  depending on the cacao version used. The only authorized user (user allowed to use cacao) may be a privileged user (user part of local administrator group).
  to know the version of cacao just run "cacaoadm -V" .
  from 2.1 , non privileged user can install their own copy of cacao.
  Your case (login on pconsole failing) may be a credential
  probleme. did you check the password given for the connection ?
  For the service part (enabling cacao) you must not touch the configuration. Everything is done using the command line.
  you should not modify information set in the service manager.
  just use the command line "cacaoadm enable -f <password file>". the Password file must contain the password of the Administrator who installed cacao.
  hope this helps

• FlexConnect, EAP-TLS and dynamic VLAN assignments

  I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
  I have some questions:
  - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
  - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
  - I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
  Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

  I'll give this a shot:)
  For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
  The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
  64 (Tunnel-Type) should be set to VLAN (Integer = 13)
  65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
  81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
  You can find this by searching on Google.... A lot of examples out there
  v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
  Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
  FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
  Hope this helps.
  Sent from Cisco Technical Support iPhone App

• EAP-TLS and ACS 5.1 with AD

  Hello,
  I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:
  24435  Machine Groups retrieval from Active Directory succeeded
  24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
  24483  Failed to retrieve the machine certificate from Active Directory.
  22049  Binary comparison of certificates failed
  22057  The advanced option that is configured for a failed authentication request is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  12507  EAP-TLS authentication failed
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  What ist the problem? I can't find documents how to configure this in detail.
  Can some one helf me?
  King regardes
  Torsten

  Hi Torsten,
  The option you are looking for is under system configuration:
  Configuring Local Server Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640
  Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:
  Configuring CA Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• EAP-TLS and ISE 1.1 with AD certificates

  Hello,
  I am trying to configure EAP-TLS authentication with AD certificates.
  All ISE servers are joined to AD
  I have the root certificate from the CA to Activie Directory installed on the ISE servers
  I created the certificate authentication profile using the root certificate
  I have PEAP\EAP-TLS enabled as my allowed protocol
  I am getting the following error for authentication:
  "11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12309  PEAP handshake failed"
  I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
  Any other issues I am missing?
  Thanks,
  Michael Wynston
  Senior Solutions Architect
  CCIE# 5449
  Email: [email protected]
  Phone: (212)401-5059
  Cell: (908)413-5813
  AOL IM: cw2kman
  E-Plus
  http://www.eplus.com

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• ISE - EAP-TLS and then webAuth?

  Hello everyone!
  I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
  Hardware:
  Cisco ISE VM running 1.1.3.124
  WLC 5508 running 7.4.100.0
  AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
  iPod Touch version 6.1.3(10B329)
  Senario:
  •- User Authenticates to SSID that is 802.1x WPA2 AES,
  •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  •- User open’s their browser
  •- WLC redirects them to ISE CWA
  •- User provides credentials on the portal
  •- User to CoA’d to full access network
  Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
  I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
  Thank you in advance!
  Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
  I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf