EAP-TLS and MS AD auth problem

Similar Messages

• EAP-TLS and LEAP on a 1200 AP

  Is it possible to have a 1200 AP use EAP-TLS and LEAP authentication simultaneously? We currently use LEAP in production and I have successfully configured a test 1200 AP to use EAP-TLS, but we would like to have it use both methods until all clients can be set up for EAP-TLS.

  You may view this link : http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm
  Regards
  Mc

• ISE - EAP-TLS and then webAuth?

  Hello everyone!
  I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
  Hardware:
  Cisco ISE VM running 1.1.3.124
  WLC 5508 running 7.4.100.0
  AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
  iPod Touch version 6.1.3(10B329)
  Senario:
  •- User Authenticates to SSID that is 802.1x WPA2 AES,
  •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  •- User open’s their browser
  •- WLC redirects them to ISE CWA
  •- User provides credentials on the portal
  •- User to CoA’d to full access network
  Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
  I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
  Thank you in advance!
  Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
  I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• EAP-TLS and ACS 5.1 with AD

  Hello,
  I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:
  24435  Machine Groups retrieval from Active Directory succeeded
  24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
  24483  Failed to retrieve the machine certificate from Active Directory.
  22049  Binary comparison of certificates failed
  22057  The advanced option that is configured for a failed authentication request is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  12507  EAP-TLS authentication failed
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  What ist the problem? I can't find documents how to configure this in detail.
  Can some one helf me?
  King regardes
  Torsten

  Hi Torsten,
  The option you are looking for is under system configuration:
  Configuring Local Server Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640
  Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:
  Configuring CA Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• Authentication failed using EAP-TLS and CSSC against ACS

  Hi.
  Playing with a trial version of CSSC (Cisco secure services client) I had a problem that really I don´t understand.
  Any 802.1x configuration work fine but when I use anything involving the use of certificates (EAP-TLS or PEAP using a certificate instead a password to autenticate) I always see the same log message in ACS:
  "Authen session timed out: Challenge not provided by client" It seems that my client supplicant does not repond to the ACS when the first one proposed an EAP method.
  First I discart a certificate error because the same certificate works fine with Intel Proset Wireless supplicant and Windows Zero Configuration. EAP Fast works fine using auto provisioning or manual provisioning.
  Any idea? I red the CSSC administration guide but I did not find anything that explains this behaviour or defines the right configuration for this EAP method.
  I´m using Windows XP SP3, Intel Wireless 4965AGN and CSSC 5.1.1.18; My CA is a Windows CA.ACS version 4.2
  Thanks in advanced.
  Best regards.

  Today is not mmy day.
  It´s still failing and maybe I will open a TAC case.
  I´m looking at the log file of the CSSC and I don´t like what I have seen.
  2125: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=344][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP suggested by server: leap
  2126: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=2044][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP requested by client:  eapTls
  2127: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP methods sent : sync=8
  2128: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=8
  2129: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
  2130: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_SERVER_VERIFY, sync=9
  2131: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
  2132: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=9
  2133: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Server verification sent : sync=9
  2134: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=9
  2135: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_USER_CERT, sync=10
  2136: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
  2137: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=10
  2138: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Impersonating user
  2139: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Loading client certificate private key...
  2140: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Calling acCertLoadPrivateKey()...
  2141: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: ...acCertLoadPrivateKey() returned
  2142: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 204, contact software manufacturer
  2143: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: acCertLoadPrivateKey() error -20 [c:\acebuild\bldrobot_cssc_5.1.1.21_view\monadnock\src\ace\certificate\certificateimpl.cpp:239]
  2144: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 4, contact software manufacturer
  2145: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: CssException for function 'acCertLoadPrivateKey' => -20{error} [certificateimpl.cpp:240]
  2146: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 7, contact software manufacturer
  2147: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Assertion 'CSS exception - should this be logged instead?' failed at [cssexception.cpp:114]
  2148: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Client certificate private key has not been loaded
  2149: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Deimpersonating user
  2150: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Client certificate 239f43fdcde8e190540fab2416253c5660c0d959 has been processed: ERR_INTERNAL_ERROR(7)
  2151: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Certificate 239f43fdcde8e190540fab2416253c5660c0d959 is unusable
  2152: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, no response sent : sync=10
  2153: portable-9b7161: oct 28 2010 20:34:30.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
  2154: portable-9b7161: oct 28 2010 20:34:32.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
  2155: portable-9b7161: oct 28 2010 20:34:34.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
  It seems that It found a valid certificate, starts the Authentication proccess and when it must request the ACS challenge it fails when loading the private key and crash the supplicant 
  Do you think the same??
  Thanks.
  Best Regards.

• EAP-TLS and EAP-PEAP Clients

  Hi guys
  I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
  Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
  The endpoints are configured with a username and password. The credentials are created in ISE server.
  I create a second policy for wired dot.1x with EAP - PEAP enabled
  The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
  When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
  Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
  Thanks in advance.
  Sent from Cisco Technical Support iPad App

  Hi,
  There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
  You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
  The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• 8021.x EAP-TLS "User" vs "System" profile problems

  Hello. I have a macbook using EAP-TLS (wired) with digital certificate authentication. Finally, it's working but I have the following workarounds/questions.
  1. I have had to set the Username field to "HOST/<machine FQDN>". Other systems (ie: Windows) prepend "HOST/" automatically. Is this a known limitation or is there something I can/should do to have OS/X pull out the certificate identity and put it in as "host/identity" in response to the Identity EAP request?
  2. This works fine for USER profiles, but I cannot get a SYSTEM profile to work. When I setup a SYSTEM profile, it screws with the keychain (my root CA has to be explicitly trusted, and the SYSTEM profile only turns on Trust for eapolclient), and the auth fails. There's not enough logging detail (LogLevel=1 only gives you a network trace...) to see what's going on, so I'll ask the experts here - what's going on?
  I concede that I have played around with System profiles quite a bit, so maybe I need to delete the system profile and restart but I don't know how to do that.
  Thanks!

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• 802.1x with EAP-TLS and dACLs

  Hi,
  i'm looking to enable 802.1x on the wired network using EAP-TLS. The radius server will be an ACS5.2 running on the appliance. We'd also need some authorization for different machines - we'd like to use dACLs for that so that machine A will get full access while machine B will get restricted access (both client machines are related to different business units). So machine based auth (clients run XP SP3 or Vista).
  I'm not very clear about the following...based on the presented client machine certificate, we should be able to apply an authorization policy (dACL). How can we set this up...anyone else tried this before?
  in 'worst'  case we could do machine auth (EAP-TLS) to validate it's a corporate machine connecting, followed by user authentication & authorization (EAP-PEAP) to apply access policies based on the user id..with PEAP is see it might be easier to extract user info out of AD to make policy decision...?
  Thanks,
  Guy

  Hi Guy,
  provided that the dACL is just part of the Authorization profile that you return to the client, you need to make sure that you have the correct attributes so to allow the authorization policy evaluation.
  In ACS 5 when you configure a "Certificate Authentication Profile", the basic option is just to validate the client certificate.
  So as long as ACS can validate the cert using the trusted CA certificates installed on ACS, the authentication is successful.
  However, if you do so the only attributes you can base your authorization policy evaluation are the non-binary attributes of the certificate itself, as there's no query done to any backend DB in this case.
  If you want to evaluate the authorization policy where you want to check for additional attributes that are stored on an external DB (e.g. Active Directory), you can do it in two ways:
  1) enable certificate binary comparison on the "Certificate Authentication Profile": this will both perform the binary comparison of the cert and it will fetch the user attributes from AD; this of course requires that the certificate for the user is also stored on the "userCertificate" attribute in Active Directory.
  2) configure an "Indentity Store Sequence" where you select:
    - Authentication Method List : Certificate based : "Certificate Authentication Profile"
    - Additional Attribute Retrieval Search List : Add "AD1" among the selected Identity Stores
  In this case ACS won't perform binary comparison of the cert, but it will look for the corresponding user account in AD so to fetch additional attributes (group membership, etc..)
  You can find relevant documentation about this on the ACS user guide:
  - Configuring "Certificate Authentication Profile"
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054057
  - Configuring "Identity Store Sequence"
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054132
  - Managing policy elements:
  http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html
  I hope this helps.
  Regards,
  Federico
  If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

• ISE 1.2 EAP-TLS and AD authentication

  Hi,
  I am sure I have had this working but Just cant get it to now.
  So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
  My Authentication profile says
  IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below) 
  Then my authorization profile says
  if active directoy group = "Domian computers" then allow access.
  When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
  24433          Looking up machine in Active Directory - [email protected]
  24492          Machine authentication against Active Directory has failed
  22059          The advanced option that is configured for process failure is used
  22062          The 'Drop' advanced option is configured in case of a failed authentication request
  But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
  Cheers

  This accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
  This jsut says if AD Group = /user/domainComputer allow full access (simple rule)

• EAP-TLS and ISE 1.1 with AD certificates

  Hello,
  I am trying to configure EAP-TLS authentication with AD certificates.
  All ISE servers are joined to AD
  I have the root certificate from the CA to Activie Directory installed on the ISE servers
  I created the certificate authentication profile using the root certificate
  I have PEAP\EAP-TLS enabled as my allowed protocol
  I am getting the following error for authentication:
  "11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12309  PEAP handshake failed"
  I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
  Any other issues I am missing?
  Thanks,
  Michael Wynston
  Senior Solutions Architect
  CCIE# 5449
  Email: [email protected]
  Phone: (212)401-5059
  Cell: (908)413-5813
  AOL IM: cw2kman
  E-Plus
  http://www.eplus.com

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• FlexConnect, EAP-TLS and dynamic VLAN assignments

  I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
  I have some questions:
  - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
  - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
  - I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
  Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

  I'll give this a shot:)
  For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
  The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
  64 (Tunnel-Type) should be set to VLAN (Integer = 13)
  65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
  81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
  You can find this by searching on Google.... A lot of examples out there
  v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
  Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
  FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
  Hope this helps.
  Sent from Cisco Technical Support iPhone App

• EAP-TLS and EAP-FAST

  Hi NetPro.
  EAP-TLS is working now, but how to configure EAP-FAST as the backup in case TLS is failure then user still able to use FAST as the second choice ?
  your reply will be highly appreciated.
  thanks heaps.
  Jack

  All you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.

• EAP-TLS and getting a new user to log in on a wireless network

  I have setup EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
  My issue is when I have a new user, who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user login, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kinda defeats the purpose of a WLAN.
  How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
  After further reading and research, I believe that my delima will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or can it be a Standalone CA?
  Paras

  check the below link and read server requirements.
  http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
  The stanalone ca needs to be trusted by AD
  http://groups.google.co.uk/group/microsoft.public.win2000.security/browse_thread/thread/1cf098c0dfa97ca0/b964dd05c12fd3fb?lnk=st&q=eap-tls+certificates+standalone+root&rnum=2&hl=en#b964dd05c12fd3fb
  What windows are you using? The default behaviour of windows is it do user authentication.You would need to play with registry to make systems to do only machine authentication.
  You would need connectivity when you want install the ca certificate, or else allow open authentication on the access point to have the connectivity and once the certificates are installed disable it.
  Please rate the post if it helps

• EAP-TLS and multiple ADs

  I have a customer with multiple Microsoft ADs.
  And I need to get EAP-TLS working for client in all ADs.
  Each AD has it's own CA.
  We will do machine authentication.
  We have a Cisco Secure ACS server to handle the authentication.
  My question: Is it possible to have the ACS authenticate clients with certificates from various ADs/CAs?
  Best regards
  Kennet Grau

  Are these different AD domains belong to the same forest or diffent? Is there any trust relationship among them?

• EAP-TLS and CA export

  Iam using EAP-TLS for client authentication. I dont want connect new user to our wired network in order to install certificate. Is possible to export certificate and install certificate from diskette or from CD?????

  If you are using MS Certificate server you can export the certificates to a file from the web gui by selecting "Retrieve the CA certificate or certificate revocation list" and then either "Download CA certificate" or "Download CA certification path" You are then given the normal download file option.
  Rgds
  Paddy