Cisco WLC EAP-TLS configuration

Similar Messages

• How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

  Hi Team,
  We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy.  However, we're now looking to see how we can accomplish this for Mac book and iphones?  Is there an open source application or something we can leverage to do this?
  Thanks

  I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
  Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
  Hope this helps!
  Thank you for rating helpful posts! 

• Eap-tls configuration assistance

  I am trying to get eap-tls working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.
  Scenario
  MS CA (Windows 2008 Server)
  MS DC (Windows 2003 Server)
  ACS 4.2 (Windows 2003 Server)
  WLC 4402 (5.2)
  LWAP AIR-LAP1142N-N-K9
  Client MS XP SP3
  I have confirmed that the certficates are valid on both the ACS and client.
  The problem I have is, I see the client associate, but fails authentication. I look in the ACS failed log attempts, I see:
  13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 10.10.10.100 .. .. 13 EAP-TLS .. TWLC01 CITY
  I have configured ACS for Unkown User Policy and have the client e26458 in AD.
  I would like some advice from some people who have successfuly implemented EAP-TLS, as I have hit a brick wall. I have attached the results of the debug aaa events enable,debug aaa detail enable,
  debug dot1x events enable,debug dot1x states enable on the WLC.
  frustratingly yours

  I am unable to open the attachment, anyway let me tell you few things which you should conform while using certificates.
  1. Both your client and server certificates should be from same authority
  2. You should have the same username in which the certificate issued should be in your ACS database.
  3. Conform the validity of both your CA and device certificate
  Just to conform this is not an issue with your ACS server you can install the cert in your controller and try to authenticate the client using local auth.If this works then your certs are perfect and verify your ACS configurations

• ACS 5.2 / WLC - EAP-TLS Certificate from 2 CA

  Hello,
  I'm Newbie with ACS equipment, i'm trying to implement it to secure our WIFI environment.
  One wifi SSID is broadcasted on a site, I would like to authenticate WIFI client through machine certificate.
  The big deal is that some client computer belong to an AD (AD1) and having its own CA1. Other client computer belong to another AD (AD2) also having its own CA (CA2). (With no relation or between the 2 CA)
  So computer1 having machine certificate from CA1 and computer2 having machine certificate from CA2
  I have imported the root certificate from the both CA into the "certificate authorities" store of the ACS.
  I have generated certificate signing request, one for each CA. Then I have binding the CA signed certificate.
  After configuring... the access services (identity, authorization...) and so on  I have the following issue:
  - Computer with certificate from the CA1 can connect without any problem.
  - Computer with certificate from the CA2 can NOT connect:
       - After investigation: the client computer do not trust the server ACS and reject the connection
       - Error return :
  RADIUS Status:Authentication failed 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
       - (If i get ridd of the option "verify server identity" on wifi optionof the client, the computer can conect: but this option is not acceptable)
       - It seems that the ACS sends only its certificate signed by the CA1
  The questions are:
  1- How can I configure the ACS to send the right certificate signed by the right CA corresponding to the computer that is intenting to authenticate
  2- I could see in documentation:
      "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
       --> Does it mean that we can only configure one local certificate to allow the ACS to authenticate to client for all the EAP-TLS protocol used ?
       --> How can I choose it ?
       --> For the current configuration, I have only the certificate signed by the CA which is configure "EAP: Used for EAP protocols that use SSL/TLS tunneling" (i don't know if this option has an impact with the certificate presented by the ACS when it authenticate itself to the client")
  Thanks for your helk and your information.
  Guillaume

  Hi Bastien,
  it is actually what i did.
  The point here i have 2 CA involved, with no relation between them.
  So I did the operation twice for each CA :
  -> making a certificate signing request, sent it to the CA, signed to by the CA and then imported/binded into the ACS
  -> I have added the root CA of each CA into the ACS as well.
  The point is when a computer, try to connect, it try to verify ACS server identity. And the ACS server only seems to present the certificate signed from CA1.
  So when a computer with certificate machine CA2, try to connect, it doesn't trust the ACS server has the ACS sent its certificate signed by CA1.
  I don't know how to allow the ACS to present the right signed certificated depending on the cleint that try to connect.
  Then another conf I do not understand is the option:
  EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local cetificate, when you add a local certificate to the ACS
  I do not undestand what does this option stand for ?
  Then I culd see into Cisco do :
      "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
  Doest it means that the ACS can use only one single certificate for All the TLS protocol configured in the ACS, to authenticate itself to the client?
  Or does the ACS can use a diferent local certificate from each dedicated eap-tls protocol?
  thx

• WLC EAP-TLS

  Hi,
  My Wireless network consists of 8 WLC and 2 Cisco ACS 1113 with 4.2. I need to implement certificate authentication for Cisco Wireless Phone SSID. I tried PEAP along with certificate generated by Microsoft Cert Server, but the issue is the client can ignore the certificate and I believe only way to force is via Active Directory group policy.
  So as my Cisco IP Phones are not joined to Active Directory I think the only option is to use EAP-TLS. For this I have the following Queries.
  •1.     What will be the SSID security setting. ( I tried Layer 2 802.X with WEP 104bit encryption)
  •2.     Do I need to install any certificate on WLC if yes which Certificate (Ex root, Client)
  •3.     What Certificate should be installed on Client.
  •4.     What should be the client PC security setting for EAP-TLS
  I had gone through the following Docs for reference.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
  https://supportforums.cisco.com/docs/DOC-24723
  Thanks
  Nibin

  Dear Philip,
  Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
  Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
  AUTH 02/10/2013  13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS  data: SSL state=SSLv3 read  client certificate A
  AUTH 02/10/2013  13:29:58 I 2009 1756 0xb EAP: EAP-TLS:  Handshake failed
  AUTH 02/10/2013  13:29:58 E 2255 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL recv alert fatal:bad certificate
  AUTH 02/10/2013  13:29:58 E 2258 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL ext error reason: 412 (Ext error code =  0)
  AUTH 02/10/2013  13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519):  mapped SSL error code (3) to -2198
  AUTH 02/10/2013  13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code  Unknown EAP code
  AUTH 02/10/2013  13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
  AUTH 02/10/2013  13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned  -2198
  AUTH 02/10/2013  13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7,  seq_id=7)
  AUTH 02/10/2013  13:29:58 I 5501 1756 0xb Done  UDB_SEND_RESPONSE, client 50, status  UDB_EAP_TLS_INVALID_CERTIFICATE
  Thanks
  Nibin Rodrigues

• Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

  Hello,
  I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
  In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
  Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
  Any way to resolve this?
  Thanks,
  Steve

  You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
  an example (uses user/pass though, but same concept)
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• Cisco WLC : AP automatic configuration for flexconnect parameters and ap group

  Hello !
  Is there a way to configure cisco WLC to automatically set flexconnect parameters such as Vlan support and Native Vlan ID when an access point join the controller ? 
  Same question to assign the access point to a specific AP Group ?
  PS: The access points are set with usine parameters and the WLC is in version 7.4
  Thank you for your answers !
  Stephane

  To my knowledge these features are not available in 7.4, but from what I understand 8.0 will have similar features. I can say that 7.6 has global commands, not sure if its part of 7.4.
  If it is you can navigate there Wireless>Access Points>Global Configuration you can do things like configure your primary and backup controllers, set login credentials, pre-download images to AP's.
  Please rate if you find the information helpful.
  HTH

• EAP-TLS configuration issues

  Hi ,
  I am trying to set up a mixed vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards , Microsoft CA, and ACS3.1. I have successfully setup the client and ACS side certificates and followed the instructions on the EAP-TLS Deployment Guide for Wireless networks which I downloaded off CCO. When I run a "debug radius" on the Access point I dont see any debug info. When I reconfigure everything for LEAP I can then see the AP radius debugs. Does anyone have any tips or recommendations ? I have upgraded XP to service pack 1 ? If you could perhaps direct me to a more comprehensive installation document I would also appreciate it .
  Many thanks

  Hi,
  unfortunately I have no answer for your current issues. I have post this message to ask for your help. I have the same issue that you talk about.
  I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP all work fine and I can see AP debugs but not with EAP-TLS.
  I think certificates works fine because the same user unable to authenticate with AP1100 is able to authenticate with EAP-TLS with Catalyst 2950.
  I have see the following messages in EAPOL.log
  (Win XP Prof. with SP1)
  [1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL
  [1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0
  Please, could you tell me your workaround?
  Thanks in advance.

• Eap-tls configuration

  how do you select certificate for enterprise wireless authentication?
  Our wireless is nb-ssid and when I enter the config, I only get the option for username and password.  Not to select certificate per the documentation
  ATT Pre Plus
  Post relates to: Pre Plus p100una (AT&T)

  I am unable to open the attachment, anyway let me tell you few things which you should conform while using certificates.
  1. Both your client and server certificates should be from same authority
  2. You should have the same username in which the certificate issued should be in your ACS database.
  3. Conform the validity of both your CA and device certificate
  Just to conform this is not an issue with your ACS server you can install the cert in your controller and try to authenticate the client using local auth.If this works then your certs are perfect and verify your ACS configurations

• Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

  Dear Folks,
  Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
  OS = Win 7 SP1 (32/64 Bit) and Win 8
  Thanks,
  Regards,
  Mubasher Sultan

  Hi Mubasher
  KB2481614:      If you’re configuring your 802.1x settings via Group Policy you’ll see      sometimes EAP-PEAP request from clients in your radius server log during      booting even if you’ll set EAP-TLS. This error happened in our case with      1/3 of the boots with some models. The error is caused by a timing problem      during startup. Sometimes the 802.1x is faster and sometimes the Group      Policy is, and if the 802.1x is faster than the default configuration is      taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
  KB980295:      If an initial 802.1x authentication is passed, but a re-authentication      fails, Windows 7 will ignore all later 802.1x requests. This hotfix should      also fix a problem with computers waking up from sleep or hibernation –      but we’ve disabled these features so I can’t comment on them.
  KB976373:      This hotfix is called “A computer that is connected to an IEEE      802.1x-authenticated network via another 802.1x enabled device does not      connect to the correct network”. I can’t comment on this, as we’ve not      deployed 802.1x for our VoIP phones at this point.I would guess it is the      same for Windows 7 too. The linked article tells you to install the patch      and set some registry key to lower the value.
  KB2769121:      A short time ago I found this one: “802.1X authentication fails on a      Windows 7-based or Windows 2008 R2-based computer that has multiple      certificates”. At time of writing I’m not sure if it helps for something      in my setup. According to the symptoms list of the hotfix, it does not,      but maybe it helps for something else, as the one before does.
  KB2736878:      An other error during booting – this time it happens if the read process      starts before the network adapter is initialized. Really seems that they      wanted to get faster boot times, no matter the costs.
  KB2494172:      This hotfix fixes a problem if you’ve installed a valid and invalid      certificate for 802.1x authentication. The workaround is just deleting the      invalid certificate. I’m not sure at this point if it affects also wired      authentication.
  KB976210:This      problem occurs only during automated build processes and if you use an EAP      method which needs user interaction – as I don’t do that I can’t comment      on this hotfix.
  For more information please go through this link:
  http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
  Best Regards:
  Muhammad Munir

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

  Hello,
  I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
  The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
  While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
  Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
  What was done:
  - set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.
  - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
  - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
  What I can see while running a wireshark trace on freeradius is:
       - both parties negotiate properly that they will engage in EAP-TLS.
       - they  start the TLS handshake
       - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
       - Client (phone) never sends its certificate (MIC) to the server.
       - Client restarts EAP-TLS negotiation and goes on and on.
  Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
  Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
  Phone firmware is 9.2(3) and callmanager 8.6
  Thanks
  Gustavo Novais

  Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain

• Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

  Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with differnt code versions.
  I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication.  I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user"  along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
  Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond whcih in turn casues to WLC to switch to the other NPS server which produces the same issue.
  Any ideas of what might be the issue or misconfiguration?

  Jim,
  I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
  It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isnt assigned from the secondary server it will discard the packet.
  May need to open a TAC case to see if this issue is on the 550x controllers also.
  Thanks,
  Tarik

• WLC configuration for EAP-TLS

  Hi,
  I am tring to set up a Cisco WLC 2006 with EAP-TLS + WPA.
  Everytime I try to log in to the network my wireless card gives a message saying " validating user", but nothing else happens.
  I cannot find any manual for configuring this. Can anyone perhaps assist?
  Regards
  Dean

  More details would be helpful:
  What RADIUS server are you using, what CA are you using, where (what VLAN) they located, which port of the WLC are you connected to (RADIUS/CA)?
  Are you using the Vendor's client software or MS wireless zero config? Which version? or Linux? Which distribution/version?
  Having this info will be a good start ...
  Let us know
  Scott

• WLC Local EAP-TLS auth, certificate ACL feature?

  Hi All,
  I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine, clients - Wi-Fi bar code scanners, WLC -2x4402, SV - 7.0.116.0 Certificates generated by Enterprise CA.
  Afterwards, I discovered that certificates cannot be filtered by cname, or user name on WLC. It means that ANY certificate issued by CA will be authenticated against my WLAN. CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc. ) I want to filter access for my wireless clients using local EAP solution (WLC are at remote location). Can I accomplish it without external RADIUS server? Something like IOS certificate ACL?
  Thanks in advance.

  Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
  It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.