Cisco ISE: HotFix and Timers for 802.1x (EAP-TLS)

Similar Messages

• Cisco ISE for 802.1x (EAP-TLS)

  I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
  I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
  I will use Cisco 2900 series switches on the access layer and a few HP switches as well which supports 802.1x.
  I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (Certificate Based). All the workstations on the domain needs to authenticate itself using the certificates issued to it by the Certificate Issuing Authority.
  I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
  I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are  overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
  My email: [email protected]
  Cheers,
  Krishil Reddy

  Hello Mubashir,
  Many timers can be modified as  needed in a deployment. Unless you are experiencing a specific problem  where adjusting the timer may correct unwanted behavior, it is  recommended to leave all timers at their default values except for the  802.1X transmit timer (tx-period).
  The tx-period timer defaults to a value of 30 seconds.  Leaving this value at 30 seconds provides a default wait of 90 seconds  (3 x tx-period) before a switchport will begin the next method of  authentication, and begin the MAB process for non-authenticating  devices.
  Based on numerous deployments, the best-practice  recommendation is to set the tx-period value to 10 seconds to provide  the optimal time for MAB devices. Setting the value below 10 seconds may  result in the port moving to MAC authentication bypass too quickly.
  Configure the tx-period timer.
  C3750X(config-if-range)#dot1x timeout tx-period 10

• Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

  Hi
  I'm looking to implement ACS 5.2 using 802.1X, we have two seperate AD domains.
  Now.. this is the tricky part...
  A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
  I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
  Can any expert please let me know if they think that this will be possible please??
  Many thanks

  Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
  The question I have is which version of ACS are you using? If you are using ACS 5.x then you can setup and identity store sequence so if the user is not found you can move to the next store and this will prevent you from installing two certificates on every machine.
  You can then setup an authorization rule for the seperate containers on where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the vlan based off that.
  Thanks and I hope this helps!
  Tarik Admani

• 802.1x EAP-TLS for wired users with ACS 5.5

  Hi All,
  We are configuring a new setup for wired users authentication with 802.1x(EAP-TLS). ACS 5.5 we are using as authentication server.
  We have added the root CA(internal) certificate and certifcate for ACS signed by CA. Now We want to check the authentication is working or not . I hope both root CA and identity certifcate also we need to install in the laptops. But I am not sure how to download the certifcates for client machine manually from CA.
  Kindly suggest on how to get certificates for clients both manually as well as automatically?
  Thanks,
  Vijay

  Hi Vijay,
     for the Wired 802.1x (EAP-TLS) you need to have following certificates:
  On ACS--- Root CA, Intermediate CA, Server Certificate
  On Client-- Root CA, Intermediate CA, User certificate(In case of user authentication) OR Machine certificae(In case of Machine authentication)
   I am not sure which third party certificate are you using, If its in house Microsoft or any other certificate server then you need download the client certificate from the server itself. 
  In case of Microsoft, There will be a template for user certificate. You can select it and create user certificate
  This one is an old document, But has steps to configure Machine certificate for the user, You can see the steps to download user certificate if its Microsoft server:
  http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
  In case You are using the third party certificate serevr , Then you need to check with them on how to download the user certificate
  Cheers
  Minakshi(rate the helpful post)

• 802.1x EAP-TLS with Cisco IP-Phone on MS NPS

  Hi,
  does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
  With ACS it is not a problem at all.
  thx
  Sebastian

  Hi all !
  Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
  This is the last e-mail that Microsoft TAC has sent to the customer:
  ====================================================================================
  As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
  "Please find below some more information about the same from Microsoft TechNet Article :
  CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
  Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
  =====================================================================================
  Tks for your help !!!!!!!
  Luis

• Connecting iPads to an Enterprise Wireless 802.1x (EAP-TLS) Network Using Windows Server 2003 IAS

  Hi there,
  I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer whishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, Certificates etc. in a Windows infrastructure but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
  I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
  1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
  2. Configure a Service Principal Name (SPN) for the new computer object.
  3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
  4. Export the certificate created for the non-domain joined machine and install it.
  5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
  The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior??
  Regards,
  Jeffrey

  Use VPP.  Select an MDM.  Read the google doc below.
  IT Resources -- ios & OS X -- This is a fantastic web page.  I like the education site over the business site.
  View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
  http://www.apple.com/education/resources/information-technology.html
     business site is:
     http://www.apple.com/lae/ipad/business/resources/
  Excellent guide. See announcment post -- https://discussions.apple.com/thread/4256735?tstart=0
  https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/ edit?pli=1
  good tips for initial deployment:
  https://discussions.apple.com/message/18942350#18942350
  https://discussions.apple.com/thread/3804209?tstart=0

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?

• 802.1x/EAP-TLS Fragmentation across VPN tunnel

  I am having an issue authenticating users via 802.1x/EAP-TLS across an IPSec tunnel. I am using route-based VPN with SVTI configuration on a 2921 and 1941. I have the following settings defined:
  - Under the tunnel interfaces:
  - MTU 1390
  - MSS 1350
  - PMTUD
  - Under the ingress LAN interface
  - route-map to set the DNF bit to 0
  - On the RADIUS Server (2008 NPS)
  - Framed-MTU: 1300
  This had been working for months until I got a call last week about users not being able to authenticate to our secured SSID. I fired up wireshark and also used my client monitor tool in my wireless NMS to watch what is going on. I see all of the access-request and access-challenge exchanges, but the final exchange never happens. In both captures you can see messages with id's 77-81, but message id 82 isn't shown in the wireshark capture, only fragments are. In the client monitor capture you can see that message id 82 is 1726 bytes in length. Now, if I capture packets on my local LAN, the 1726 byte packet is properly fragmented and users can authenticate just fine.
  What am I missing with this?? I have scoured the Internet trying to find a setting that I must have missed, but I can't. I've tried adjusting the Framed-MTU, all the way down to 1100.
  Thanks for you help.

  I figured I would post back with my results. I ended up removing my mtu value from the tunnel interfaces and then fired up wireshark again. This time I found a crap load of ICMP time-exceeded messages which told me that PMTUD is not working properly across the tunnel. From there I simply re-applied my previous MTU numbers back into the tunnel configs and all of the sudden EAP-TLS started flowing fine. I do not know why removing and re-applying the MTU would make things start working again so I assume that I'll be dealing with this again sometime in the future.

• Cisco ISE and authentication for 802.1x printer

  Hello
  What is the best practice to authenticate a 802.1x printer in Cisco ISE?
  The printer can store a certificate for authentication and support EAP-TLS.
  Thanks for answer.
  Marco

  EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports. 
  I hope this puts you in the right direction!
  Thank you for rating helpful posts!

• Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

  Can any one tell me from where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE. Also Confirm what certificates we required for the purpose.
  Please suggest the Website form where we can purchase and ipmort in Cisco ISE certificate Section.
  Thanks.

  Dear Mohana,
  Thanks for your reply, Can you please confirm me in regards EAP-TLS certificate, which authorities you recomend if i go to Go dadday or very Sign to buy it and then import in ISE.
  Looking forward for your reply.
  Regards,
  Muhammad Imran Shaikh
  Resident Engineer, IT Network Section - PPL
  Mobile : 0092-312-288-1010
  LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/

• Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.

  Hello all,
  I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
  The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
  I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
  Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
  Thanks a lot for your help.
  The followings screenshots show the logs appearing in the ISE :  
  Kind regards, Emeric.

  This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST. 
  In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
  When the user logs in you then see the user ID.
  For my benefit when rule are you talking about ?
  Thank you 

• Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

  Dear Folks,
  Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
  OS = Win 7 SP1 (32/64 Bit) and Win 8
  Thanks,
  Regards,
  Mubasher Sultan

  Hi Mubasher
  KB2481614:      If you’re configuring your 802.1x settings via Group Policy you’ll see      sometimes EAP-PEAP request from clients in your radius server log during      booting even if you’ll set EAP-TLS. This error happened in our case with      1/3 of the boots with some models. The error is caused by a timing problem      during startup. Sometimes the 802.1x is faster and sometimes the Group      Policy is, and if the 802.1x is faster than the default configuration is      taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
  KB980295:      If an initial 802.1x authentication is passed, but a re-authentication      fails, Windows 7 will ignore all later 802.1x requests. This hotfix should      also fix a problem with computers waking up from sleep or hibernation –      but we’ve disabled these features so I can’t comment on them.
  KB976373:      This hotfix is called “A computer that is connected to an IEEE      802.1x-authenticated network via another 802.1x enabled device does not      connect to the correct network”. I can’t comment on this, as we’ve not      deployed 802.1x for our VoIP phones at this point.I would guess it is the      same for Windows 7 too. The linked article tells you to install the patch      and set some registry key to lower the value.
  KB2769121:      A short time ago I found this one: “802.1X authentication fails on a      Windows 7-based or Windows 2008 R2-based computer that has multiple      certificates”. At time of writing I’m not sure if it helps for something      in my setup. According to the symptoms list of the hotfix, it does not,      but maybe it helps for something else, as the one before does.
  KB2736878:      An other error during booting – this time it happens if the read process      starts before the network adapter is initialized. Really seems that they      wanted to get faster boot times, no matter the costs.
  KB2494172:      This hotfix fixes a problem if you’ve installed a valid and invalid      certificate for 802.1x authentication. The workaround is just deleting the      invalid certificate. I’m not sure at this point if it affects also wired      authentication.
  KB976210:This      problem occurs only during automated build processes and if you use an EAP      method which needs user interaction – as I don’t do that I can’t comment      on this hotfix.
  For more information please go through this link:
  http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
  Best Regards:
  Muhammad Munir

• ISE 802.1x EAP-TLS machine and smart card authentication

  I suspect I know the answer to this, but thought that I would throw it out there anway...
  With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

  Hope this video link will help you
  http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

• Cisco ISE functionally and license

  HI. 
  I wanna configure the following on Cisco ISE 1.2.1.
  Self-registration portal for guests (SSID: guests)
  802.1x user certificate check (Cisco NAM supplicant) for employees (SSID: Corporate) (EAP-TLS)
  Self provisioning portal (to deploy BYOD certificate and give access for BYOD devices) for BYOD devices (SSID: Corporate) (PEAP, MSHAPv2)
  Can I configure these things with PLUS license or do I need Adv or Wireless? I am not sure if one of these requires profiling functionally.

  With plus license all the above items should work.
  Here is what plus license supports:
  Bring Your Own Device (BYOD)
  Profiling
  Endpoint Protection Service (EPS)
  TrustSec SGT
  For more info, refer ISE license section:
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_license.html#41012
  Regards,
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE Admin and EAP certificate renewal

  Hi board,
  maybe I'm asking a rather dumb question here, but anyway :)
  I'm currently thinking about how to renew an admin/EAP certificate on an ISE node and the effect on the endpoint authentication.
  Here's the thing I do, when I initially install an ISE node
  1.) CSR creation on ISE (PAN) - CN=$FQDN$ and SAN="fqdn as well"
  2.) Sign CSR and bind certificate on ISE node - done
  Now after 10 month or so (if the certificate is valid for one year) I want to renew the ISE admin/EAP certificate.
  CSR creation: I cannot use the $FQDN$ as the CN, because there is still the current certificate (CN must be unique in the store, right?)
  So what to do now? Do I really need to create a temporary SSC and make it the admin/EAP certificate, delete the current certificate and then create a new CSR? There must be a better and more important non-disruptive way of doing this.
  How do you guys do this in your deployments?
  Thanks in advance and sorry again if this is a silly question.
  Johannes

  you can install a new certificate on the ISE before it is active, Cisco recommends that you install the new certificate before the old certificate expires. This overlap period between the old certificate expiration date and the new certificate start date gives you time to renew certificates and plan their installation with little or no downtime. Once the new certificate enters its valid date range, enable the EAP and/or HTTPS protocol. Remember, if you enable HTTPS, there will be a service restart
  Certificate Renewal on Cisco Identity Services Engine Configuration Guide
  http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116977-technote-ise-cert-00.html