EAP/TLS Auth issues

Similar Messages

• EAP-TLS auth between 2 1310 bridges

  Hello,
  Am working on getting EAP-TLS auth working between a root and non-root 1310 bridge. I've had success getting LEAP working but EAP-TLS is kicking my butt.
  I have an ACS 4.1 server acting as the Radius server and the auth is failing there with the code "EAP-TLS or PEAP authentication failed during SSL handshake". I think I'm missing something related to the certs but don't know where.
  I can post config snippets if that will help but if someone knows of any examples configuring a 1310 or similar bridge with EAP-TLS that would be fantastic.
  TIA,
  BR

  Hi Bastien,
  it is actually what i did.
  The point here i have 2 CA involved, with no relation between them.
  So I did the operation twice for each CA :
  -> making a certificate signing request, sent it to the CA, signed to by the CA and then imported/binded into the ACS
  -> I have added the root CA of each CA into the ACS as well.
  The point is when a computer, try to connect, it try to verify ACS server identity. And the ACS server only seems to present the certificate signed from CA1.
  So when a computer with certificate machine CA2, try to connect, it doesn't trust the ACS server has the ACS sent its certificate signed by CA1.
  I don't know how to allow the ACS to present the right signed certificated depending on the cleint that try to connect.
  Then another conf I do not understand is the option:
  EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local cetificate, when you add a local certificate to the ACS
  I do not undestand what does this option stand for ?
  Then I culd see into Cisco do :
      "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
  Doest it means that the ACS can use only one single certificate for All the TLS protocol configured in the ACS, to authenticate itself to the client?
  Or does the ACS can use a diferent local certificate from each dedicated eap-tls protocol?
  thx

• EAP-TLS configuration issues

  Hi ,
  I am trying to set up a mixed vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards , Microsoft CA, and ACS3.1. I have successfully setup the client and ACS side certificates and followed the instructions on the EAP-TLS Deployment Guide for Wireless networks which I downloaded off CCO. When I run a "debug radius" on the Access point I dont see any debug info. When I reconfigure everything for LEAP I can then see the AP radius debugs. Does anyone have any tips or recommendations ? I have upgraded XP to service pack 1 ? If you could perhaps direct me to a more comprehensive installation document I would also appreciate it .
  Many thanks

  Hi,
  unfortunately I have no answer for your current issues. I have post this message to ask for your help. I have the same issue that you talk about.
  I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP all work fine and I can see AP debugs but not with EAP-TLS.
  I think certificates works fine because the same user unable to authenticate with AP1100 is able to authenticate with EAP-TLS with Catalyst 2950.
  I have see the following messages in EAPOL.log
  (Win XP Prof. with SP1)
  [1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL
  [1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0
  Please, could you tell me your workaround?
  Thanks in advance.

• EAP/TLS authentication Issue

  I have several Aironet 1100 AP's which are configure to use EAP/TLS to authenticate against a Cisco ACS server.
  We are using Aironet 350 pcmcia cards. This setup had been working up until friday when we moved the ACS server to a new IP address. Since then if I try to connect using the Cisco software bundled with the 350 pcmcia card it fails authentication. If I use the windows wireless config it works perfectly. Unfortuantley most of the pcs are running win 2000 so I need to get the cisco software working again.
  In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
  I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
  I'm at a bit of a loss as to what to do next.

  Try this link
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

• WLC Local EAP-TLS auth, certificate ACL feature?

  Hi All,
  I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine, clients - Wi-Fi bar code scanners, WLC -2x4402, SV - 7.0.116.0 Certificates generated by Enterprise CA.
  Afterwards, I discovered that certificates cannot be filtered by cname, or user name on WLC. It means that ANY certificate issued by CA will be authenticated against my WLAN. CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc. ) I want to filter access for my wireless clients using local EAP solution (WLC are at remote location). Can I accomplish it without external RADIUS server? Something like IOS certificate ACL?
  Thanks in advance.

  Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
  It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.

• For those having EAP auth issue using the ACS appliance

  Thought I'd pass along my config and resolution to an issue I was having concerning EAP-TLS auth on an ACS appliance.
  We have two ACS Solution Engines (3.2.2) running and doing a database synch and using Generic LDAP as the external database. We did the certificate walk through for the ACS and then turned on EAP-TLS auth. We are trying to use EAP-TLS auth for wireless access through our AP1200s and Windows XP laptops, but we kept getting errors.
  After digging for days I found out that when you request a certificate it pulls the CN name. Our CN name in Active Directory did not match our login name. I changed my CN name to match my login name and I was then able to grab a certificate and authenticate using EAP-TLS for our wireless.
  I am in the process of upgrading our ACSes to ver 3.3.2 so that I can run the Remote Agent for Windows on a Windos 2003 server and then use the Windows database as the external database and not Generic LDAP.
  I hope this helps someone!
  Jeff

  The document discusses the Extensible Authentication Protocol Transport Layer Security (EAP-TLS) authentication protocol deployment in wireless networks.
  http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

• Wireless ISE - 12508 EAP-TLS handshake failed

  Hi guys,
  I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
  Authentication failed : 12508 EAP-TLS handshake failed
  OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
  Setup:
  - Single standalone ISE 3355 appliance
  - Two tier MS enterprise PKI (outside of my direct control)
  - WLC 5508
  - Windows 7 laptop\
  - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
  - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
  Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
  This is what TAC came back with, but none of the workarounds helped
  Symptom:
  ========
  EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
  Conditions:
  =========
  EAP-TLS certificate based authentications ISE 1.1.2.145
  Workaround:
  ===========
  1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

  Hi Amjad,
  Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
  Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
  The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
  Cheers,
  Owen

• EAP-TLS Error

  Hello.
  I cannot get EAP-TLS auth to work on windows 7 wired setup. I've tested EAP-PEAP on wireless and wired - works fine. Also EAP-TLS for wireless works great. Clients are on same domain as radius (wich is Cisco ISE), we've deployed CA-services on that same domain too and are distributing certificates to clients via GPOs. Authenticators (switchports) are configured correctly, certificates work on EAP-TLS wireless setup, everything seems to be ok, but wired connection still cannot auth and  EAP timeouts.
  Here is the error:
  Logged At: May 14,2013 11:52:12.159 AM
  RADIUS Status: No response received during 120 seconds on last EAP message sent to the client : 5411 No response received during 120 seconds on last EAP message sent to the client

  Have you confirmed that the Supplicant is configured properly for EAP-TLS authentication? I have done this type of deployment many times and haven't had this issue. 
  Thank you for rating helpful posts! 

• WLC 4400: EAP-TLS

  Good day!
  I tried to set up the EAP-TLS according to
  - http://cciew.wordpress.com/2010/06/10/eap-tls-on-the-wlc/
  - http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  - Jeremy video about EAP-TLS
  The main question is about certificates.
  Tell me if I am wrong -  There are two types of certificates that we need to upload to the WLC:
  1) Device certificate - this is quite clear, OpenSSL, Certificate Request and e.t.c.
  2) CA Root certificate - if there is only one CA Root than clear, but if we have the following chain
  Root CA -> Intermediate CA -> WLC
  a) Do we need to upload the whole chain "Root CA -> Intermediate CA" to the WLC ?
  b) If yes, what format is it going to be? maybe smth like this
  ------BEGIN CERTIFICATE------
  *Intermediate CA cert *
  ------END CERTIFICATE--------
  ------BEGIN CERTIFICATE------
  *Root CA cert *
  ------END CERTIFICATE------

  Nicolas, thank you for your reply!
  1)
  I've already seen the article, but now notice some interesting fact:
  "Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate."
  Regarding this note, do we need to bundle any certificates for EAP-TLS scheme?
  2)
  On the WLC we have an opportunity to download two types of Certificates:
  - Vendor Device Certificate - it is made of CSR request and then uploaded to the WLC in .pem format
  - Vendor CA Certificate - this is more interesting:
    Yesterday I bundled Root and Intermediate CA Certificates in one .pem file, then uploaded it to the WLC as "Vendor CA Certificate" - the result was suсcessful! During the EAP-TLS auth process SSL Handshake completed sucessfully and I connected to my EAP WLAN!
  In the controller Client Properties I saw the EAP TLS>
  Everything seems to be ok, strange...
  May be, the chain of Root and Intermediate CA Certificates is the redundant information, but the scheme seems to be working!

• EAP-TLS and MS AD auth problem

  Hi,
  I have a problem with an ACS to authenticate users with certificate on MS AD.
  Working things:
  PEAP authentication with the MS AD;
  EAP-TLS authentication with the local DB.
  Not working things:
  EAP-TLS authentication with MS AD.
  Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
  Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
  So, why it's not working with the combination EAP-TLS and MS AD.
  I receive the error 'External DB Account Restriction'
  Thanks for your help.

  This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

• Eap-tls wired 802.1x - certificate issue?

  I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
  If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
  Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
  This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
  Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?

  We solved our WIRELESS problem by editing the following entrees. I sure this can be applied to the wired side somehow.
  The information about the correct settings can be found in this Microsoft document:
  http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
  The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
  This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
  I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
  Roaming AP to AP I only lost 1 packet.
  Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
  Shutting the wireless off and back on I only lost 8 packets.
  I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

• WPA2 security with EAP-TLS user cert auth

  I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer. 
  When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
  It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth  worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
  Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

  Well Well
  WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
  The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
  In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
  Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
  Please make sure to rate correct answers

• User auth fails using 802.1x (EAP-TLS)

  I'm currently testing 802.1x machine and user authentication using EAP-TLS. Right now I'm testing them separately, and machine auth works great, but user auth doesn't.
  Here's what I'm using:
  Smart Cards ->
  Built-in Microsoft XP supplicant ->
  Catalyst 4006 Switch ->
  Cisco Secure ACS 3.3 ->
  Microsoft Active Directory
  After I log in using the smart card, an EAPOL message from the computer is sent to the switch, and the switch replies asking for the computer to identify itself, but the computer does nothing. The switch continues asking and finally gives up because of no response. The ACS server logs no traffic from the supplicant.
  Is this a supplicant issue? Using PEAP MSCHAPv2 with secured passwords works fine, but not with certificates.

  I found my answer. The problem was with the Microsoft supplicant. It wasn't prompting me to type in the PIN to unlock the smart card, so it couldn't read the certificate and thus the EAP process was timing out.
  In order for the Windows supplicant to prompt the user for the smart card PIN, the "Show icon in notification area when connected" checkbox in the Local Area Connection properties windows must be checked. They may want to think about renaming that box... :-)

• Issue with iphone configuration utility: eap-tls certificate selection

  hello,
  I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
  here's my issue:
  I use iphone configuration utility v2.1 for windows. I added 2 certificates(one user cert and one CA cert) under 'credentials'. then i configured one wifi network (eap-tls using the certificate i justed added). then i synced with my phone. everything worked fine so far. however, when I tried to connect to wifi, i got error and found out that iphone was using a certificate issued by IPCU CA instead of the certificate i uploaded.
  this behavior could be corrected by manually change the certificate from wireless setting. however, this has to be done every time I try to connect to wireless network which is quite frustrated. a workaround is to email me the certificate and install it from iphone. but i can't install the CA certificate via this way.
  i am wondering if anyone has similar issue and how to fix this.
  thanks,
  -ns

  the configuration utility doesn't allow you to select the iPCU cert which is kind of a self signed by the software. you could only select the cert that you imported.
  upgraded to ipcu ver 2.2 today and it seems to fix the problem. will monitor it for several days and report back.

• EAP-TLS 802.1x certificate issue..

  Hi All,
  I m trying to setup eap-tls 802.1x using ACS SE 4.1.1.23.4 , WLC & CA. The problem i m facing is with installing the CA certificate on ACS appliance. Tried everything from cisco docs but not able to install certificate as its giving " Unsupported private key file format." The steps whic i had performed are...
  1) Generate Certificate Signing Request:
  Certificate subject ---- CN=idea_acs_01
  Private key file ---- privatekeyfile.pem
  Private key password -- cisco
  Retype private key password -- cisco
  Key length --- 1024
  Digest to sign with --- SHA1
  Then coppied the certificate signing request from the right side & pasted it on CA using "advanced certificate request" & then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file" option on CA & pasted the output in Base-64-encoded
  certificate request. Then issued the certificate from CA & downloaded it on my desktop & then from my desktop to FTP server.
  Even made a file naming privatekeyfile.pem with the output got during Generating Certificate Signing Request & uploaded the same on FTP.
  2)Install ACS Certificate:
  Then downloaded the certificate certnew.cer from FTP server using Download certificate file option. And also Download private key file from the FTP & typed password cisco. But after Submiting it gives error:
  "Unsupported private key file format."
  m not able to get why this srror is comming. Even tried all the steps above changing the format of Private key file ie .pvk , .pk but its not working for me.
  Can anyone guide me whats the issue. Thanks in advance..
  Regards,
  Piyush

  Have you looked at this:
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
  Try to open up the certificate and verify that it looks something like this:
  -----BEGIN CERTIFICATE-----
  IFNlY3VyZSBHbG9iYWwgZUJ1c2weluZXNzIENBLTEwHhcNMDgwNTIzMTc0MTM4Wh
  MTMwNTIzMTc0MTM4WjCB1jELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHWd1ZXN0d2lm
  aS5pbnRlcm5hbC5qZW5uwrZXIuY29tMRMwEQYDVQQLEwpHVDcwODk1Njc1MTEwLw
  VQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA4MS8w
  LQYDVQQLEyZEb21haW4gQ29asudHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKT
  MCQGA1UEAxMdZ3Vlc3R3aWZpLmludGVybmFsLmplbm5lci5jb20wgZ8wDQYJKoZI
  hvcNAQEBBQADgY0AMIGJAoGBAKTItrvHtgKSb+7671dndS1RyMfQleF9Jp+ebuPj
  Fd4JDjQdv3Ex7fSWrMarHivCok7rivw2c3BAP+sHYikosuwFTQTyf+4vuOzY2B2M
  reUWkFA3PX4wYBN54DXUSpLzbmNvf+Vr3SmMIUNJ6rBMxeasXIBc9k3k/BoGp8Ad
  dIeZAgMBAAGjgber0wgbowDgYDVR0fdPAQH/BAQDAgTwMB0GA1UdDgQWBBSsQk/8
  ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
  EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAlwu0GebX/w2TcxfE3lDUoIyCeLbS
  A6V+f812YMiXG46in1Qp0BuZtjQyDfvhOT1bszCzGLU39EVsSc5If63tIVi2Onq6
  iFMoa/BIbb9vK9o25Zy6FuxSizbMeKKrfFLp4RiEGkCOe68jZ8lFzT/hVvYspe72
  eUv4viaap9fTfcVM=
  -----END CERTIFICATE-----