Disabling EAP-TLS
A user uses EAP-TLS. He installed a certificate, but now we don't want to permit him access to our Wi-Fi network. How do we disable his access?
Hi,
Did you find a solution to this? I have exactly the same concern, ACS does not seem to check if a certificate is revoked, so revoking a certificate has no effect!! Seems pretty poor to me.
From what I see, the only way is to delete that particular user ID, at least until the cert is out of date. Or, there is an option to binary compare the cert in ACS, but no real help on how to use this.
-phil
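What "checking revocation" means on the authenticating server, as an added example that is not part of the thread and not ACS code: a Python `ssl` server context that demands a client certificate but never consults a CRL (the behaviour Phil describes, where revoking the cert changes nothing) beside one that also requires a CRL check on the presented certificate. The PEM bundle path is an assumed parameter; with the CRL flag set and no CRL loaded, OpenSSL fails the handshake rather than accepting, which is the fail-closed behaviour a revocation-dependent design needs.

```python
"""Server-side TLS settings for client-certificate (EAP-TLS style) auth.

Added example, not code from the original thread or from Cisco ACS. It uses
the standard `ssl` module to show the difference between "the certificate
chains to our CA" and "the certificate chains to our CA and is not revoked".
Only the second setting makes revoking a user's certificate take effect.
"""
import ssl
from typing import Optional


def permissive_server_context() -> ssl.SSLContext:
    """The weak behaviour: a client certificate is required and must chain to
    a trusted CA, but no revocation data is consulted, so a revoked
    certificate is still accepted until it expires."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED     # demand a client certificate
    # verify_flags left at the default: no CRL lookup at all
    return ctx


def revocation_checking_server_context(ca_and_crl_pem: Optional[str] = None) -> ssl.SSLContext:
    """Hardened variant: same chain check plus a mandatory CRL check on the
    presented (leaf) certificate.

    `ca_and_crl_pem` is an assumed path to a PEM bundle holding the issuing
    CA certificate and its current CRL; when None (as in the self-test) the
    flags are set but nothing is loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    # With this flag and no usable CRL, OpenSSL rejects the handshake with
    # "unable to get certificate CRL": fail closed, never fail open.
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if ca_and_crl_pem is not None:
        ctx.load_verify_locations(cafile=ca_and_crl_pem)
    return ctx


def enforces_revocation(ctx: ssl.SSLContext) -> bool:
    """Config audit: True only if the context both demands a client cert and
    checks it (or the whole chain) against a CRL."""
    demands_cert = ctx.verify_mode == ssl.CERT_REQUIRED
    crl_flags = ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN
    checks_crl = bool(ctx.verify_flags & crl_flags)
    return demands_cert and checks_crl


if __name__ == "__main__":
    print("permissive enforces revocation:", enforces_revocation(permissive_server_context()))
    print("hardened enforces revocation:", enforces_revocation(revocation_checking_server_context()))
```

The two workarounds in the thread are not equivalent: deleting the user ID is an identity-store check that works regardless of the TLS layer, while revoking the certificate only has an effect on a server configured like the second context and fed a current CRL.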
Similar Messages
-
ACS 5.3, EAP-TLS Machine Authentication with Active Directory
I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. I was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed: Reject / Drop / Continue
If user not found: Reject / Drop / Continue
If process failed: Reject / Drop / Continue
And that didn't do anything either.
Any ideas? Thanks in advance.

You can try the following. Define an attribute to be retrieved from Active Directory that exists for all objects. When defining the attribute, it can be given a default value. Assign a default value that will never be returned for a real machine entry (e.g. "DEFAULTVALUE") and give it a "Policy Condition Name".
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess" -
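A check for the fail-open pattern in the step trace pasted above, and a model of the reply's sentinel-attribute rule, as an added example (Python; not code from the post and not a Cisco ACS feature). The trace below is constructed after the one in the post with a placeholder hostname; the Access-Reject code 11003 and the choice of `distinguishedName` as the always-present attribute are assumptions.

```python
"""Audit an ACS 5.x step trace for fail-open machine authentication.

Added example; not code from the post or a Cisco tool. It reads the
five-digit message codes of one authentication's step trace and flags the
combination described above: 24437 'Machine not found in Active Directory'
followed anyway by 11002 'Returned RADIUS Access-Accept'. It then models the
reply's workaround: retrieve an AD attribute with a never-real default and
deny when that default comes back.
"""
import re
from typing import Dict, List

# Constructed trace, shaped after the one in the post; the hostname is a placeholder
SAMPLE_TRACE = """\
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-01.example.test
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
""".splitlines()

STEP_RE = re.compile(r"^(?P<code>\d{5})\s+(?P<msg>.+)$")

MACHINE_LOOKUP = "24433"     # codes as they appear in the post's trace
MACHINE_NOT_FOUND = "24437"
ACCESS_ACCEPT = "11002"
ACCESS_REJECT = "11003"      # assumption: the Reject counterpart is not on the page


def audit_trace(lines: List[str]) -> Dict[str, object]:
    """Summarise one trace: which host was looked up, whether the lookup
    failed, the final RADIUS verdict, and 'fail_open' when a failed lookup
    still ended in Access-Accept (the behaviour the post hit)."""
    host = None
    not_found = False
    result = None
    for line in lines:
        m = STEP_RE.match(line.strip())
        if not m:
            continue                      # section headings carry no code
        code, msg = m.group("code"), m.group("msg")
        if code == MACHINE_LOOKUP and " - " in msg:
            host = msg.rsplit(" - ", 1)[1]
        elif code == MACHINE_NOT_FOUND:
            not_found = True
        elif code == ACCESS_ACCEPT:
            result = "Access-Accept"
        elif code == ACCESS_REJECT:
            result = "Access-Reject"
    return {"host": host, "machine_not_found": not_found, "result": result,
            "fail_open": not_found and result == "Access-Accept"}


# --- the reply's workaround, modelled as a policy rule ---------------------

SENTINEL = "DEFAULTVALUE"               # default no real AD object will ever return
POLICY_ATTRIBUTE = "distinguishedName"  # assumed: present on every AD object


def retrieve_attribute(directory: Dict[str, Dict[str, str]], host: str,
                       attr: str = POLICY_ATTRIBUTE) -> str:
    """Attribute retrieval with a default: a missing object yields SENTINEL
    instead of an error, which turns 'not found' into a matchable condition."""
    return directory.get(host, {}).get(attr, SENTINEL)


def authorize(directory: Dict[str, Dict[str, str]], host: str) -> str:
    """Rule from the reply: if the condition equals SENTINEL then DenyAccess."""
    if retrieve_attribute(directory, host) == SENTINEL:
        return "DenyAccess"
    return "PermitAccess"


if __name__ == "__main__":
    print(audit_trace(SAMPLE_TRACE))
    lab = {"LAB-PC-01.example.test": {POLICY_ATTRIBUTE: "CN=LAB-PC-01,OU=Lab,DC=example,DC=test"}}
    print(authorize(lab, "LAB-PC-01.example.test"), authorize(lab, "DELETED-PC.example.test"))
```

The audit is a useful thing to run over exported ACS logs after any identity-store change: a passed EAP-TLS handshake only proves the client holds a certificate from the CA, and the authorization policy has to carry the "is this machine still ours" decision.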
ISE - EAP-TLS and then webAuth?
Hello everyone!
I have a little bit of a complex dilemma in an ISE deployment and I am trying to learn more about how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for "multiple users"; hence, why it is a problem I am trying to solve with CWA.
Hardware:
Cisco ISE VM running 1.1.3.124
WLC 5508 running 7.4.100.0
AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
iPod Touch version 6.1.3(10B329)
Scenario:
- User authenticates to SSID that is 802.1x WPA2 AES
- Machine is checked by having a valid cert issued by CA and given access to ISE CWA
- User opens their browser
- WLC redirects them to ISE CWA
- User provides credentials on the portal
- User is CoA'd to the full access network
Rules: NSP is a limited profiling access network. CWA is a limited access network with redirect to central web auth on ISE. Standard rules 2 & 3 (which are disabled in this screenshot) are the rules that prove the CWA works on an open SSID.
I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
Thank you in advance!
Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
I checked the WLC "Clients>Details" (from the monitoring page) and I noticed something interesting:

Please review the below links, which might be helpful:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf -
I'm trying to set up wired clients to authenticate with EAP-TLS on a Catalyst 2950. I put together a test setup using the configs on my freeRADIUS server, taken from another which is working with EAP-TLS over wireless. The requests are being passed through to the server but the authentication is still failing; could anyone give me some advice? Logs and configs included below...
My current setup is:
FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6
Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin
Laptop - OpenSUSE 10.2
I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)
"select * from nas" (comma separated to make it easier):
id,nasname,shortname,type,ports,secret,community,description
1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950
wpa_supplicant.conf on laptop:
[code]
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
# wired 802.1X: no scanning, the driver handles the interface
ap_scan=0
network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    # CA that must have signed the RADIUS server's certificate
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
}
[/code]
Outputs of the radiusd and wpa_supplicant are attached...

Based on this:
TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).
Shelly -
EAP-TLS authentication failure
We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
This situation is as follows:
WLAN infrastructure with:
1 x AIR-WLC2112-K9 (IP address = 10.10.10.10)
8 x AIR-LAP1142N-E-K9
Data for the WLC:
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version.............................. 4.0.191.0
Emergency Image Version................... 6.0.199.4
The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
The problem: no wireless client (Windows XP) is able to go past the initial authentication.
I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
On the RADIUS side we find these error messages:
Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
NAS-IP-Address = 10.10.10.10
NAS-Identifier = XX-002_WLAN
Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
Calling-Station-Identifier = 00-1c-bf-7b-08-xx
Client-Friendly-Name = xxxxxxx_10.10.10.10
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On the WLC side, the error messages are:
TRAP log:
RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
SYSLOG:
Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
WLC Debug:
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.711: Callback.....................................0x87e1870
*Jan 07 19:31:42.712: protocolType.................................0x00140001
*Jan 07 19:31:42.712: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.712: Packet contains 12 AVPs (not shown)
*Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
*Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
*Jan 07 19:31:42.788: structureSize................................145
*Jan 07 19:31:42.788: resultCode...................................255
*Jan 07 19:31:42.788: protocolUsed.................................0x00000001
*Jan 07 19:31:42.788: proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.788: Packet contains 4 AVPs (not shown)
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
*Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.806: Callback.....................................0x87e1870
*Jan 07 19:31:42.806: protocolType.................................0x00140001
*Jan 07 19:31:42.807: proxyState...................................58:94:6B:15:F5:D0-9B:01
*Jan 07 19:31:42.807: Packet contains 13 AVPs (not shown)
*Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00 ..
*Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets, and this leads the authentication process to fail and restart again and again:
******************** WIRESHARK CAPTURE ********************
No. Time Source Destination Protocol Info
1 0.000000 10.10.10.10 15.15.15.15 RADIUS Access-Request(1) (id=125, l=280)
Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 308
Identification: 0x501f (20511)
Flags: 0x02 (Don't Fragment)
Fragment offset: 0
Time to live: 64
Protocol: UDP (17)
Header checksum: 0x4aee [correct]
Source: 10.10.10.10 (10.10.10.10)
Destination: 15.15.15.15 (15.15.15.15)
User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
Source port: filenet-rpc (32769)
Destination port: radius (1812)
Length: 288
Checksum: 0xe8e0 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x7d (125)
Length: 280
Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
Attribute Value Pairs
AVP: l=27 t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
AVP: l=19 t=Calling-Station-Id(31): 00-21-6a-29-80-xx
AVP: l=27 t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
AVP: l=6 t=NAS-Port(5): 2
AVP: l=6 t=NAS-IP-Address(4): 10.10.10.10
AVP: l=13 t=NAS-Identifier(32): XX-002_WLAN
AVP: l=12 t=Vendor-Specific(26) v=Airespace(14179)
AVP: l=6 t=Service-Type(6): Framed(2)
AVP: l=6 t=Framed-MTU(12): 1300
AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
AVP: l=89 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 87
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0x80): Length
Length: 77
Secure Socket Layer
AVP: l=25 t=State(24): 1d68036a000001370001828b38990000000318a3088c00
AVP: l=18 t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
No. Time Source Destination Protocol Info
2 0.060373 15.15.15.15 10.10.10.10 IP Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 44
Identification: 0x2935 (10549)
Flags: 0x01 (More Fragments)
Fragment offset: 0
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x58e0 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
Reassembled IP in frame: 3
Data (24 bytes)
0000 07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae .....i...}.al...
0010 d0 75 05 c3 56 29 a7 b1 .u..V)..
No. Time Source Destination Protocol Info
3 0.060671 15.15.15.15 10.10.10.10 RADIUS Access-challenge(11) (id=125, l=1377)
Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1381
Identification: 0x2935 (10549)
Flags: 0x00
Fragment offset: 24
Time to live: 122
Protocol: UDP (17)
Header checksum: 0x73a4 [correct]
Source: 15.15.15.15 (15.15.15.15)
Destination: 10.10.10.10 (10.10.10.10)
[IP Fragments (1385 bytes): #2(24), #3(1361)]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
Source port: radius (1812)
Destination port: filenet-rpc (32769)
Length: 1385
Checksum: 0xe8f5 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x7d (125)
Length: 1377
Authenticator: 6c8300aed07505c35629a7b14de483be
Attribute Value Pairs
AVP: l=6 t=Session-Timeout(27): 30
Session-Timeout: 30
AVP: l=255 t=EAP-Message(79) Segment[1]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[2]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[3]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[4]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[5]
EAP fragment
AVP: l=33 t=EAP-Message(79) Last Segment[6]
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1296
Type: EAP-TLS [RFC5216] [Aboba] (13)
Flags(0xC0): Length More
Length: 8184
Secure Socket Layer
[Malformed Packet: SSL]
[Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
[Message: Malformed Packet (Exception occurred)]
[Severity level: Error]
[Group: Malformed]
******************** COMMVIEW CAPTURE ******************
Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
Ethernet II
Destination MAC: 1C:DF:0F:55:20:xx
Source MAC: F8:66:F2:62:63:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x0135 (309)
ID: 0x2B26 (11046)
Flags
Don't fragment bit: 1 - Don't fragment
More fragments bit: 0 - Last fragment
Fragment offset: 0x0000 (0)
Time to live: 0x40 (64)
Protocol: 0x11 (17) - UDP
Checksum: 0x6FE6 (28646) - correct
Source IP: 161.86.66.49
Destination IP: 15.15.15.15
IP Options: None
UDP
Source port: 32769
Destination port: 1812
Length: 0x0121 (289)
Checksum: 0x5824 (22564) - correct
Radius
Code: 0x01 (1) - Access-Request
Identifier: 0x8D (141)
Packet Length: 0x0119 (281)
Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
Attributes
Attribute
Type: 0x01 (1) - User-Name
Length: 0x1A (26)
Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
Attribute
Type: 0x1F (31) - Calling-Station-Id
Length: 0x11 (17)
Calling id: 58-94-6b-15-5f-xx
Attribute
Type: 0x1E (30) - Called-Station-Id
Length: 0x19 (25)
Called id: f0-25-72-70-65-c0:WLAN-XX
Attribute
Type: 0x05 (5) - NAS-Port
Length: 0x04 (4)
Port: 0x00000002 (2)
Attribute
Type: 0x04 (4) - NAS-IP-Address
Length: 0x04 (4)
Address: 10.10.10.10
Attribute
Type: 0x20 (32) - NAS-Identifier
Length: 0x0B (11)
NAS identifier: XX-002_WLAN
Attribute
Type: 0x1A (26) - Vendor-Specific
Length: 0x0A (10)
Vendor id: 0x00003763 (14179)
Vendor specific:
Attribute
Type: 0x06 (6) - Service-Type
Length: 0x04 (4)
Service type: 0x00000002 (2) - Framed
Attribute
Type: 0x0C (12) - Framed-MTU
Length: 0x04 (4)
Framed MTU: 0x00000514 (1300)
Attribute
Type: 0x3D (61) - NAS-Port-Type
Length: 0x04 (4)
NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
Attribute
Type: 0x4F (79) - EAP-Message
Length: 0x57 (87)
EAP-Message
Attribute
Type: 0x18 (24) - State
Length: 0x17 (23)
State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
Attribute
Type: 0x50 (80) - Message-Authenticator
Length: 0x10 (16)
Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
Ethernet II
Destination MAC: F8:66:F2:62:63:xx
Source MAC: 1C:DF:0F:55:20:xx
Ethertype: 0x0800 (2048) - IP
IP
IP version: 0x04 (4)
Header length: 0x05 (5) - 20 bytes
Differentiated Services Field: 0x00 (0)
Differentiated Services Code Point: 000000 - Default
ECN-ECT: 0
ECN-CE: 0
Total length: 0x002C (44)
ID: 0x4896 (18582)
Flags
Don't fragment bit: 0 - May fragment
More fragments bit: 1 - More fragments
Fragment offset: 0x0000 (0)
Time to live: 0x7A (122)
Protocol: 0x11 (17) - UDP
Checksum: 0x397F (14719) - correct
Source IP: 15.15.15.15
Destination IP: 10.10.10.10
IP Options: None
UDP
Source port: 1812
Destination port: 32769
Length: 0x0569 (1385)
Checksum: 0x2FE4 (12260) - incorrect

Hi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error. -
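How the large Access-Challenge in frame 3 of the Wireshark capture above is carried and what its EAP-TLS header means, as an added example in Python (not code from the post, from Cisco, or from Wireshark). A RADIUS server splits one EAP packet across EAP-Message AVPs of at most 253 payload bytes, and the NAS concatenates them before handing the result to EAP; for Type 13 the first data byte is a flag byte (L = 0x80 length included, M = 0x40 more fragments, S = 0x20 start). The AVP list is constructed to match the capture's numbers (Id 4, EAP length 1296, flags 0xC0, TLS Message Length 8184, six EAP-Message AVPs of 255, 255, 255, 255, 255 and 33 bytes); the TLS payload is zero filler, not a real certificate. The parser also accepts Type 1 Identity packets, which goes beyond the capture.

```python
"""Reassemble RADIUS EAP-Message AVPs and decode the EAP-TLS fragment header.

Added example, not code from the post or from Cisco/Wireshark. Covers the
NAS-side step between RADIUS and EAP: join EAP-Message (type 79) AVPs in
order (RFC 3579), then read the EAP header (RFC 3748) and, for Type 13, the
EAP-TLS flags and TLS Message Length (RFC 5216).
"""
import struct
from typing import Dict, List, Tuple

EAP_MESSAGE = 79
EAP_TLS = 13
MAX_AVP_PAYLOAD = 253          # 255-byte AVP minus 2-byte type/length header
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def split_into_eap_message_avps(eap_packet: bytes) -> List[Tuple[int, bytes]]:
    """Server side: cut one EAP packet into EAP-Message AVP payloads."""
    return [(EAP_MESSAGE, eap_packet[i:i + MAX_AVP_PAYLOAD])
            for i in range(0, len(eap_packet), MAX_AVP_PAYLOAD)]


def reassemble_eap(avps: List[Tuple[int, bytes]]) -> bytes:
    """NAS side: concatenate EAP-Message AVPs in order, ignoring other AVPs."""
    return b"".join(value for atype, value in avps if atype == EAP_MESSAGE)


def parse_eap_tls(packet: bytes) -> Dict[str, object]:
    """Decode the EAP header and, for Type 13, the EAP-TLS flags and length."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length {length} does not match {len(packet)} bytes")
    info: Dict[str, object] = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                        # Success/Failure carry no Type
        return info
    eap_type = packet[4]
    info["type"] = eap_type
    if eap_type != EAP_TLS:                   # e.g. Type 1 Identity: raw data
        info["data"] = packet[5:]
        return info
    flags = packet[5]
    info["length_included"] = bool(flags & 0x80)   # L
    info["more_fragments"] = bool(flags & 0x40)    # M
    info["start"] = bool(flags & 0x20)             # S
    offset = 6
    if flags & 0x80:
        info["tls_message_length"] = struct.unpack("!I", packet[6:10])[0]
        offset = 10
    info["tls_data"] = packet[offset:]
    # TLS can only process the data once the last fragment (M clear) has arrived
    info["complete"] = not (flags & 0x40)
    return info


def build_sample_challenge() -> List[Tuple[int, bytes]]:
    """Constructed Access-Challenge AVP list shaped like frame 3: a
    Session-Timeout of 30, then an EAP Request (Id 4, Type 13, flags L+M,
    TLS Message Length 8184) padded to an EAP length of 1296. The TLS bytes
    are zero filler behind a handshake-record prefix, not a real certificate."""
    eap_len, tls_total = 1296, 8184
    header = struct.pack("!BBHBBI", 1, 4, eap_len, EAP_TLS, 0xC0, tls_total)
    fragment = b"\x16\x03\x01" + bytes(eap_len - len(header) - 3)
    return [(27, struct.pack("!I", 30))] + split_into_eap_message_avps(header + fragment)


if __name__ == "__main__":
    avps = build_sample_challenge()
    print([len(v) for t, v in avps if t == EAP_MESSAGE])   # [253, 253, 253, 253, 253, 31]
    print(parse_eap_tls(reassemble_eap(avps))["tls_message_length"])   # 8184
```

Two things this makes visible about the capture: a fragment with M set holds only part of a TLS record, so a dissector given that fragment alone has nothing it can decode as TLS, and the full-size Access-Challenge is also the packet that arrives as IP fragments in frames 2 and 3, so whether such fragments survive the path between the WLC and the RADIUS server belongs on the same debugging checklist as the EAP exchange itself.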
EAP-TLS with Radius Server configuration (1130AG)
Hi All,
I'm currently trying to get EAP-TLS user-certificate-based wireless authentication working. The mismatch of guides I'm trying to follow has me coming up trumps with success so far, so here's hoping you guys can right my wrongs and put me on the right path again.
My steps for RADIUS (I think this part I've actually got OK):
http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
Steps for the wireless profile on a Win 7 client (this has me confused all over the place):
http://technet.microsoft.com/en-us/library/dd759246.aspx
My 1130 Config:-
[code]
Current configuration : 3805 bytes
! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname WAP1
aaa new-model
aaa group server radius RAD_EAP
server 10.1.1.29 auth-port 1812 acct-port 1813
aaa authentication login default local
aaa authentication login EAP_LOGIN group RAD_EAP
aaa authorization exec default local
aaa authorization network default local
aaa session-id common
ip domain name ************
dot11 syslog
dot11 ssid TEST
authentication open eap EAP_LOGIN
authentication network-eap EAP_LOGIN
guest-mode
crypto pki trustpoint TP-self-signed-1829403336
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1829403336
revocation-check none
rsakeypair TP-self-signed-1829403336
quit
username ***************
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid TEST
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
ssid TEST
no dfs band block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address 10.1.2.245 255.255.255.0
ip helper-address 10.1.1.27
no ip route-cache
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
radius-server key ************
bridge 1 route ip
line con 0
logging synchronous
transport preferred ssh
line vty 0 4
logging synchronous
transport input ssh
sntp server 130.88.212.143
end
[/code]
and my current debug
[code]
Jan 25 12:00:56.703: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 25 12:01:26.698: dot11_auth_send_msg: sending data to requestor status 0
Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: AAA/BIND(000000
WAP1#12): Bind i/f
Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
WAP1#h method EAP or LEAP
Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 25 12:01:27.581: EAPOL pak dump tx
Jan 25 12:01:27.581: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 25 12:01:27.581: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01801670: 0100002B 0101002B ...+...+
01801680: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
WAP1#
01801690: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018016A0: 6F727469 643D30 ortid=0
Jan 25 12:01:27.582: dot11_auth_send_msg: sending data to requestor status 1
Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
WAP1#
Can anyone point me in the right direction with this?
I also don't like it that you can attempt to join the network first before failing.
Can I have user cert based + PSK, and then apply it all by GPO?
Thanks for any help.
OK, I've amended the wireless profile as suggested.
I already have the root CA and a user certificate installed with matching usernames.
I had already added the RADIUS device to the NPS server and matched the keys to the AP.
Now here's the debug I'm getting; when I check the NPS server, it still doesn't look like it's getting any requests at all :|
Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.501: dot11_auth_send_msg: sending data to requestor status 0
Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
Jan
WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
WAP1#lient 74de.2b81.56c4 for application 0x1
Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
WAP1#_auth_dot1x_start
Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
Jan 29 11:53:14.620: EAPOL pak dump tx
Jan 29 11:53:14.621: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.621: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808560: 0100002B 0101002B 01006E65 74776F72 ...+...+..networ
01808570: 6B69643D 54455354 2C6E6173 69643D41 kid=TEST,nasid=A
01808580: 50445741 50312C70 6F727469 643D30 WAP1,portid=0
Jan 29 11:53
WAP1#:14.621: dot11_auth_send_msg: sending data to requestor status 1
Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
WAP1#cator message to client 74de.2b81.56c4
Jan 29 11:53:14.622: EAPOL pak dump tx
Jan 29 11:53:14.622: EAPOL Version: 0x1 type: 0x0 length: 0x002B
Jan 29 11:53:14.622: EAP code: 0x1 id: 0x1 length: 0x002B type: 0x1
01808690: 0100002B 0101002B ...+...+
018086A0: 01006E65 74776F72 6B69643D 54455354 ..networkid=TEST
018086B0: 2C6E6173 69643D41 50445741 50312C70 ,nasid=WAP1,p
018086C0: 6F727469 643D30 ortid=0
Jan 29 11:53:14.623: dot1x-regi -
EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP
Hello all,
I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
His intended network plan is to use Vista laptops doing machine authentication only towards an ACS server integrated with a non-Microsoft LDAP server. The mechanism of choice is EAP-TLS.
We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
All of this appears to be successful the first time.
If we disassociate the machine, the problems start. The accounting STOP message is never sent.
Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
If someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
Thanks
Gustavo
Assuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did it with a not-so-simple AutoIt script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
Please cross-reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan -
EAP-TLS and getting a new user to log in on a wireless network
I have setup EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
My issue is when I have a new user, who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user login, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kinda defeats the purpose of a WLAN.
How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
After further reading and research, I believe that my dilemma will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or can it be a Standalone CA?
Paras
Check the below link and read the server requirements.
http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
The standalone CA needs to be trusted by AD.
http://groups.google.co.uk/group/microsoft.public.win2000.security/browse_thread/thread/1cf098c0dfa97ca0/b964dd05c12fd3fb?lnk=st&q=eap-tls+certificates+standalone+root&rnum=2&hl=en#b964dd05c12fd3fb
What Windows are you using? The default behaviour of Windows is to do user authentication. You would need to play with the registry to make systems do only machine authentication.
You would need connectivity when you want to install the CA certificate, or else allow open authentication on the access point to have connectivity, and once the certificates are installed, disable it.
Please rate the post if it helps -
EAP-TLS Wireless Authentication - General questions
Hi,
I want to use EAP-TLS as a method of authentication for users/computers to join the Wireless. Devices that will connect to the Wireless are part of the domain.
What certificate is preferred to use for this purpose? Computer or User certificates? I guess that it probably depends on what you want to identify or authenticate, a user or a device, but what option is “generally” recommended?
Is there any difference from the point of view of security? Is a computer certificate more secure than a user certificate or vice versa? I have been told that user certificates are easier to compromise (or steal from a Windows machine) than computer certificates, even if a user doesn’t have Admin privileges on their machine?
I have also been told that using user certificates could result in some issues to pass some Compliance audits.
I would like to be sure that the design complies with the most recommended and secure alternative.
I would appreciate some help.
Many thanks.
There are pros and cons to using workstation or user based certificates, as well as benefits to using "both". But first thing, both user and computer certificates are secured in the same way in the operating system - in an encrypted state. There are reasonable controls in place, but anyone bent on hacking a system and has physical control of it, has many options available to them. Things like Bitlocker with TPM can help mitigate many of these attacks. The purpose of certificates is to increase the security and integrity above passwords. It's not foolproof.
The benefit to using computer/workstation authentication is that when the computer boots up, it joins the WiFi and enables domain users to log on. This is even the case if the user has never logged onto the computer before. The workstation has a secure channel to a domain controller and is fully managed and applies GPO updates. In this model, the WiFi connected machine is no different from a wired machine.
The disadvantage is that you need to carefully manage your computer devices in AD. Imagine the scenario of a laptop that is stolen. Do you have the means to know which computer object it is and to disable/delete it from AD? If not, then whoever uses the computer will be able to get onto your WiFi. Many organizations have trouble with this aspect.
User Authentication is a little easier as it's easy to manage users who should be allowed to get onto a network. If they leave, their account is disabled. However, they must have cached credentials on the laptop they want to use as there is no means to contact a DC to authenticate a user the first time.
Another option to consider is to use BOTH. In this scenario, you issue certificates to both the computer and user. When the computer boots, it joins the WiFi. When a user logs on, the computer stays connected to the WiFi for 60 seconds to allow the user to authenticate and to receive their credentials which are then used to authenticate to the WiFi. If the user is not authorized or is unable to authenticate, then the WiFi is disconnected. This provides the best security option, but it means managing both user and computer objects properly.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. -
Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes
Dear Folks,
Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
OS = Win 7 SP1 (32/64 Bit) and Win 8
Thanks,
Regards,
Mubasher Sultan
Hi Mubasher
KB2481614: If you’re configuring your 802.1x settings via Group Policy you’ll sometimes see EAP-PEAP requests from clients in your RADIUS server log during booting even if you’ve set EAP-TLS. This error happened in our case with 1/3 of the boots with some models. The error is caused by a timing problem during startup. Sometimes the 802.1x is faster and sometimes the Group Policy is, and if the 802.1x is faster then the default configuration is taken, which is PEAP, which leads to an EAP-NAK by the RADIUS server.
KB980295: If an initial 802.1x authentication is passed, but a re-authentication fails, Windows 7 will ignore all later 802.1x requests. This hotfix should also fix a problem with computers waking up from sleep or hibernation – but we’ve disabled these features so I can’t comment on them.
KB976373: This hotfix is called “A computer that is connected to an IEEE 802.1x-authenticated network via another 802.1x enabled device does not connect to the correct network”. I can’t comment on this, as we’ve not deployed 802.1x for our VoIP phones at this point. I would guess it is the same for Windows 7 too. The linked article tells you to install the patch and set some registry key to lower the value.
KB2769121: A short time ago I found this one: “802.1X authentication fails on a Windows 7-based or Windows 2008 R2-based computer that has multiple certificates”. At time of writing I’m not sure if it helps for something in my setup. According to the symptoms list of the hotfix, it does not, but maybe it helps for something else, as the one before does.
KB2736878: Another error during booting – this time it happens if the read process starts before the network adapter is initialized. Really seems that they wanted to get faster boot times, no matter the costs.
KB2494172: This hotfix fixes a problem if you’ve installed a valid and an invalid certificate for 802.1x authentication. The workaround is just deleting the invalid certificate. I’m not sure at this point if it also affects wired authentication.
KB976210: This problem occurs only during automated build processes and if you use an EAP method which needs user interaction – as I don’t do that I can’t comment on this hotfix.
For more information please go through this link:
http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
Best Regards:
Muhammad Munir -
Planning on implementing EAP-TLS for wireless security and trying to wrap my brain around what will be lost if I use local EAP-TLS vs an external RADIUS server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as built-in RADIUS. I am running on a 3650 as the integrated WLC. If I can tidy up the wireless solution so I don't have to utilize an external RADIUS server (this would be the first necessity to have an external RADIUS server for this org) then it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients and the ability to invalidate their cert would likely push me to the external RADIUS server - I just don't know if there are any other trade-offs by using the built-in RADIUS.
I also saw that you can't specify a RADIUS server for anything else on the switch or the local built-in RADIUS won't work, but then saw conflicting info " You can disable RADIUS authentication for a given WLAN by using “config wlan radius_server auth disable wlan_id” CLI command." at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/
but I don't know if this is true or not either. I would like to know if I am locking myself into never having an external RADIUS server if I go down the local EAP-TLS path.
Thanks,
Brian
Thanks Nicolas, sad but true, I failed to find any possibilities at WLC.
It seems I need to configure external RADIUS and use local EAP only in case of WAN failure. -
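Brian's worry above is the one every EAP-TLS design has to answer: revoking a client certificate changes nothing unless the authenticator (external RADIUS or local EAP) actually consults the CRL. The shell lab below is added here and is not taken from any of the posts; it builds a throwaway CA with the openssl CLI, issues and then revokes a client certificate, and validates that certificate twice, once the way a server with no CRL access would and once with the CRL loaded. The CA name, CN=TEST and the temp directory are constructed placeholders.

```shell
#!/bin/sh
# Constructed lab (not a real deployment): show that a revoked EAP-TLS client
# certificate is still "valid" to any verifier that never looks at the CRL.
# Requires only the openssl command-line tool; everything lives in a temp dir.

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT

setup_lab_pki() {
    # 1. Throwaway root CA, standing in for the enterprise CA that issues the
    #    user/computer certificates discussed in the threads above.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Lab Root CA" -keyout "$LAB/ca.key" -out "$LAB/ca.pem" 2>/dev/null
    # 2. A supplicant (client) certificate signed by that CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=TEST" \
        -keyout "$LAB/client.key" -out "$LAB/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$LAB/client.csr" \
        -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" -CAcreateserial \
        -out "$LAB/client.pem" 2>/dev/null
    # 3. Minimal 'openssl ca' config: just enough state to revoke and publish a CRL.
    cat > "$LAB/ca.cnf" <<'EOF'
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database         = index.txt
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
    : > "$LAB/index.txt"
    # 4. Revoke the client certificate (what an admin does for a lost laptop or a
    #    departed user) and issue the CRL that carries that revocation.
    (cd "$LAB" \
        && openssl ca -config ca.cnf -revoke client.pem 2>/dev/null \
        && openssl ca -config ca.cnf -gencrl -crldays 30 -md sha256 -out crl.pem 2>/dev/null)
}

# check_client_cert [crl]
# Emulates the authenticator's validation of the supplicant certificate.
# Without the "crl" argument the chain is checked but revocation is ignored,
# which is what a server with no CRL access does. Prints "accepted" or "rejected".
check_client_cert() {
    if [ "${1:-}" = "crl" ]; then
        out=$(openssl verify -crl_check -CAfile "$LAB/ca.pem" \
                -CRLfile "$LAB/crl.pem" "$LAB/client.pem" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$LAB/ca.pem" "$LAB/client.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo accepted ;;   # chain valid, revocation never consulted
        *)        echo rejected ;;   # e.g. "certificate revoked" from the CRL
    esac
}

setup_lab_pki
echo "revoked cert, CRL not consulted: $(check_client_cert)"      # accepted
echo "revoked cert, CRL consulted:     $(check_client_cert crl)"  # rejected
```

The first line is the situation the posts complain about: the certificate is revoked at the CA, yet the authenticator still lets the client in. Only the verifier that loads the CRL (or uses OCSP) turns the revocation into a denied association.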
Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS
In Windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate on this computer" and un-checked "Use simple certificate selection".
My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I cannot get the self-signed certificate to appear on the "Choose a certificate" drop down.
Are self-signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
TIA,
-Rick
Hi Rick,
Thank you for your patience.
According to your description, would you please let me know what command you were using to make a self-signed certificate with the tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me know if the certificate has a private key associated and is present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to the personal store.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
Implementing EAP-TLS in the enterprise
Hi all,
I'm currently performing a review of our global corporate wireless network with a view to implementing user and device authentication. We currently use PEAP-MSCHAPv2 and I'm considering the move to EAP-TLS, however I understand this has its pitfalls in terms of added administrative overheads, particularly around managing user certs.
Does anyone have any experience in rolling out EAP-TLS that can provide me with some advice about what to look out for? We have a full PKI and I understand auto enrolment of user certs can be done using group policy and AD but has anyone seen any other issues I should be wary of?
We have a full Cisco autonomous unified wireless network with Cisco ACS servers for our RADIUS, tied into AD.
Appreciate any comments, advice or even direction to other resources where I can find some valuable info.
cheers.
Rob
Rob,
Since you are already using PEAP, moving to EAP-TLS is not that bad. Again.... you already have a PKI infrastructure and domain computers should have a certificate already. So with GPO, you just make a change to the wireless profile to change from PEAP to EAP-TLS. People do look at it as more management.... well it sort of is, but if you have staff that is experienced in setting up the PKI, GPO, etc, it really isn't that bad. Client device support is what you will need to look at. If you have devices like iPads, non domain computers that need to be on the network, then maybe you will need to add EAP-TLS and keep PEAP for those other devices. -
Hi there,
I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer wishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, Certificates etc. in a Windows infrastructure but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
2. Configure a Service Principal Name (SPN) for the new computer object.
3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
4. Export the certificate created for the non-domain joined machine and install it.
5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior?
Regards,
Jeffrey
Use VPP. Select an MDM. Read the Google doc below.
IT Resources -- ios & OS X -- This is a fantastic web page. I like the education site over the business site.
View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
http://www.apple.com/education/resources/information-technology.html
business site is:
http://www.apple.com/lae/ipad/business/resources/
Excellent guide. See announcement post -- https://discussions.apple.com/thread/4256735?tstart=0
https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/edit?pli=1
good tips for initial deployment:
https://discussions.apple.com/message/18942350#18942350
https://discussions.apple.com/thread/3804209?tstart=0 -
ISE 1.2 EAP-TLS handshake to external RADIUS
Hi everyone!
I'm trying to implement ISE to authenticate a wireless network using a Cisco WLC 5508. I have an ISE virtual appliance version 1.2 and a WLC 5508 version 7.6 with several 3602e access points (20 approximately).
Right now they are authenticating with a RADIUS server (which I don't manage, it's out of my scope); the WLC uses this RADIUS server to authenticate using 802.1x and EAP-TLS (which means the clients need to have a valid certificate and be in the RADIUS database, which is integrated with Active Directory). I can't touch the CA either. So now I need to authenticate using Cisco ISE instead of the RADIUS server (at least directly). The problem is that for "security" reasons or whatever they don't let me integrate the ISE with the CA, so I added the RADIUS server as an external identity source and made my authentication policy rule point at it, like this:
If: Wireless_802.1X Allow Protocols: Default Network Access Use: RADIUS
Then I added ISE as a RADIUS Server on my WLC and made a Test SSID 802.1X pointing to ISE to authenticate and all that, I did some tests and I got this error:
12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate
Which means the clients are trying to do the EAP-TLS process to validate the certificate with the Cisco ISE (but ISE does not have the certificate because they won't let me integrate with the CA directly), so it fails. Is there any way I can do something to redirect that EAP-TLS handshake to the external RADIUS server? Making ISE kind of like a connecting point only for the authentication. I realize it's not the best scenario but given the circumstances it's the best I can do for now; later on I will add the AD to ISE and start creating some authorization policies based on that, but right now I just want them to authenticate.
Any help is appreciated, thanks in advance!