EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

Similar Messages

• EAP-TLS authentication with ACS 5.2

  Hi all,
  I have question on EAP-TLS with ACS 5.2.
  If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
  Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
  If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
  And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
  And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
  Hope you guys can help on this. THanks.

  Yes, you can configure:
  machine authentication only
  user authentication only
  Machine and user authentication.
  Machine or user authentication
  So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.
  PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
  host/computer.domain
  If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.
  Regards,
  Jatin

• Meaning of EAP-TLS errors in ACS

  Hi Guys,
  I'm trying to get a device authenticated to my wireless network using certificates. I get the generic error in ACS (4.2.0.124):
  EAP-TLS or PEAP authentication failed during SSL handshake
  Looking in the Auth log I get:
  AUTH 12/09/2013 15:56:40 E 2255 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL send alert fatal:handshake failure
  AUTH 12/09/2013 15:56:40 E 2258 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL ext error reason: c7 (Ext error code = 0)
  AUTH 12/09/2013 15:56:40 E 2297 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2120
  AUTH 12/09/2013 15:56:42 E 3159 297052 0x0 AuthenReaper thread : Session Timed out since challenge not provided, freeing it
  Can anyone help me with the reason codes or point me in the right direction?
  Thanks,
  John.

  Hi John,
  This is mostly due to improper certificate installed on either the server or on the client machine.
  Considering the issue with only one client I guess the server is clean.
  Can you verify if proper root certificate, intermediate certificate and the id certificates are installed on client?
  You can also regenerate a new machine ID cert for the client and give a try.
  Thanks.

• PEAP & EAP-TLS together on ACS

  We have recently deployed lightweight APs/WLCs in my organization and the authentication mechanism for WLANs is PEAP. We plan to add a new wireless LAN and want to use certificate based authentication, EAP-TLS for this new wlan. Our authenticating server is Cisco ACS, and want to use the same authenticating server for authenticating these two wlans. I haven't found a way to configure exclusively to assign a particular authentication mechanism for a wlan on ACS. Neither the sub authentication be specified in WLC. Any clues?
  Thanks,
  Vijay

  In ACS 5.x, you can specify both EAP type and then also have a condition to grant access to a certain AD OU.  If users are in a different OU, then you create two policies that look at conditions for EAP type, SSID and OU.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html

• 802.1x Wired using EAP-TLS with Microsoft SCCM 2007

  Hi,
  I'm currently in the process of deploying 802.1x across 10,000 devices - Avaya IP phone, Hp t510 Thin Clients and a mixture of WinXP SP3 and Windows 7
  The bombshell has been dropped that our desktop guys are going to use SCCM 2007 to manage/re-image PC's
  Can anyone point me to any useful info as to how SCCM works on a Wired 802.1x network with User and Computer certificate authentication??
  The most basic query I have is this, if we re-image a PC, both User and Computer certs will disappear therefore 802.1x authentication will fail and the device subsequently drops off the network :-(
  Any ideas or suggestions?
  Many thanks,
  Matt

  Hello Matt-
  The only other thing that I can think about is the device enrolment via SCEP. However, that process will not be fully automated and it will require users intervention. In addition, you can create a "White List" authorization rule where you can temporary and manually add/remote MACs. You can add the MAC(s) for the machine(s) that have to be re-imaged and then remove it when all set and done. Other than that I am not aware of any other methods that you can do this.
  Thank you for rating!

• Cisco ACS with External DB - EAP-TLS

  Hi Guys,
  I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
  Let say both user and computer certs are employed:
  1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
  2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
  2b. Wot is the paramater that is checked against the AD database?
  I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
  Client Certificates
  Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
  CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
  SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
  Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
  3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
  Please can someone help me with these points.
  I am so lost in this stuff :)) I think.
  Many thx and many kind regards,
  Ken

  only TLS *handshake* is completed/succcessful, but because user authentication fails,
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
  EAP: EAP-TLS: Handshake succeeded
  EAP: EAP-TLS: Authenticated handshake
  EAP: EAP-TLS: Using CN from certificate as identity for authentication
  EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
  pvAuthenticateUser: authenticate 'jatin' against CSDB
  pvCopySession: setting session group ID to 0.
  pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
  pvAuthenticateUser: authenticate 'jatin' against Windows Database
  External DB [NTAuthenDLL.dll]: Creating Domain cache
  External DB [NTAuthenDLL.dll]: Loading Domain Cache
  External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Domain cache loaded
  External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
  External DB [NTAuthenDLL.dll]: User jatin was not found
  pvCheckUnknownUserPolicy: setting session group ID to 0.
  Unknown User 'jatin' was not authenticated
  So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
  And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
  HTH
  Regards,
  Prem

• EAP-TLS configuration issues

  Hi ,
  I am trying to set up a mixed vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards , Microsoft CA, and ACS3.1. I have successfully setup the client and ACS side certificates and followed the instructions on the EAP-TLS Deployment Guide for Wireless networks which I downloaded off CCO. When I run a "debug radius" on the Access point I dont see any debug info. When I reconfigure everything for LEAP I can then see the AP radius debugs. Does anyone have any tips or recommendations ? I have upgraded XP to service pack 1 ? If you could perhaps direct me to a more comprehensive installation document I would also appreciate it .
  Many thanks

  Hi,
  unfortunately I have no answer for your current issues. I have post this message to ask for your help. I have the same issue that you talk about.
  I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP all work fine and I can see AP debugs but not with EAP-TLS.
  I think certificates works fine because the same user unable to authenticate with AP1100 is able to authenticate with EAP-TLS with Catalyst 2950.
  I have see the following messages in EAPOL.log
  (Win XP Prof. with SP1)
  [1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL
  [1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0
  Please, could you tell me your workaround?
  Thanks in advance.

• EAP-TLS and getting a new user to log in on a wireless network

  I have setup EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
  My issue is when I have a new user, who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user login, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kinda defeats the purpose of a WLAN.
  How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
  After further reading and research, I believe that my delima will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or can it be a Standalone CA?
  Paras

  check the below link and read server requirements.
  http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
  The stanalone ca needs to be trusted by AD
  http://groups.google.co.uk/group/microsoft.public.win2000.security/browse_thread/thread/1cf098c0dfa97ca0/b964dd05c12fd3fb?lnk=st&q=eap-tls+certificates+standalone+root&rnum=2&hl=en#b964dd05c12fd3fb
  What windows are you using? The default behaviour of windows is it do user authentication.You would need to play with registry to make systems to do only machine authentication.
  You would need connectivity when you want install the ca certificate, or else allow open authentication on the access point to have the connectivity and once the certificates are installed disable it.
  Please rate the post if it helps

• EAP-TLS Questions....

  Hi all,
  My setup is like this..
  Laptop - LWAPP - WLC - ACS - AD
  I m using CA to generate certificate.. I have configured EAP-TLS on WLC & ACS SE. Everything is working fine ie when i issue a certificate from CA on my AD login name & install that certificate i m able to connect to WLAN.. For security on WLC i have enable WPA & 802.1x...
  What i want is that when i boot up the laptop it should directly get connected to Wireless network & whne i try to login using my user name & password it should prompt for if my password is expired or something & get connected to AD. But this is not happening which use to happen when we were using peap as it ask for username & paswword to connect but not in case of EAP_TLS it only check for valid certificates....
  Thanks in advance..
  regards,
  piyush

  Hi Fella,
  i had one more issue ie want to do perform machine authentication as the laptops boot up along with the user authentication hen the users logs in.
  I had set AuthMode value to 1 for it. But how should i check on my ACS SE that the machine is authenticated or not & is it possible that during login using username & password the WLAN should get connected as it is for ethernet LAN.
  Thanks for ur reply..
  Piyush

• ISE - dot1x EAP TLS for Cisco IP Phones

  Hi Gents,
  I have a question about the CA configs for ISE or ACS.
  As I understand, LSC certificate is issued by the CUCM by its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CA we need to trust:
  1. Cisco CA Certificate
  2. CUCM Locally signed Certificate or CUCM Identity Certificate
  And if these certificates are imported into ISE/ACS, will the ISE/ACS will be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?
  Is there any other configs needed?
  I would highly appreicate if someone can clearify me this process.
  Regards,

  I got the answer, for the first part of the EAP TLS authentication: Phone authentication
  In an IEEE 802.1X authentication, the AAA server  is responsible for validating the certificate provided by the phone. To  do this, the AAA server must have a copy of the root CA certificate that  signed the phone's certificate. The root certificates for both LSCs and  MICs can be exported from the CUCM Operating System Administration  interface and imported into your AAA server
  http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
  As this is EAP TLS, Server (ISE/ACS) is also required to authenticate itself to the phone.
  What is needed for this?

• EAP-TLS with machine certificate

  Hello all,
  I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
  Thanks a lot.
  Best regards.

  Hi Alfonso, 
  Certificate Retrieval for EAP-TLS Authentication
  ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
  ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
  After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
  Configuring CA Certificates
  When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
  If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
  You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
  Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
  Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
  Also check the below link,  
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

• Cisco 7921 - Does anyone Use EAP-TLS in their VoWLAN Deployments?

  Hi Guys,
  I am looking at making a technology decision, in regards to VoWLAN and authentication.
  For our Data Deployment, we use EAP-TLS with a PKI infrastructure and ACS. The ACS passes fields from the certs to AD for verification.
  Can I do exactly the same for the Voice Deployment?
  Has anyone used EAP-TLS with Voice? Are there any problems? Or should I just go ahead and get some certs minted for the phones, setup some AD accounts and whey hey, its time to party?
  Many thx indeed,
  Ken

  Hi Michael,
  So looking at the deployment guide, this is worded (imho) in a confusing manor? Sorry.
  CCKM is listed under authentication, where i though CCKM is an authentication "key managment" protocol?
  It also says 802.1x authentication with AES encrytion, under the authentication heading?
  It says eap-tls, should this not say 802.1x eap-tls or collapse this with the 802.1x authentication?
  ahh, when it says 802.1x, does that mean 802.1x dynamic wep?
  Would it be correct to say, that I want to use 802.1x eap-tls with tkip and CCKM?
  Sorry, this hurts :)
  Thx,
  Ken
  Wireless Security
  When deploying a wireless LAN, you must provide security. The Cisco Unified Wireless IP Phone 7921G supports the following wireless security features.
  Authentication
  - Cisco Centralized Key Management (CCKM)
  - 802.11i (802.1x authentication + TKIP encryption)
  - 802.11i (802.1x authentication + AES encryption)
  - 802.11i (Pre-Shared key + TKIP encryption)
  - 802.11i (Pre-Shared key + AES encryption)
  - Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)
  - Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)
  - Protected Extensible Authentication Protocol (PEAP)
  - Lightweight Extensible Authentication Protocol (LEAP)
  - Open and Shared Key
  Encryption
  - Advanced Encryption Scheme (AES)
  - Temporal Key Integrity Protocol (TKIP) / Message Integrity Check (MIC)
  - 40-bit and 128-bit Wired Equivalent Protocol (WEP)
  Cisco Centralized Key Management (CCKM)
  When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time. TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

• EAP-TLS machine authentication problems

  Well..
  I have the following devices:
  WCS
  Wlan controller 4402
  AP 1130 LWAPP
  Workstation XP sp2
  Secure ACS 4.0
  Windows CA
  Windows AD
  Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
  Which clarifications do I have to do in ACS and AD?
  Can someone help me and give me very detailed instructions on how to make it work.

  Hi,
  We had a same problem until we ran 2 windows hotfixs. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe Have you tried to do this. Our EAP-TLS machine authentication is working fine now.
  Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

• ACS 4.0 EAP-TLS Cert not working

  Hey,
  so i generated my certificate signing request, took it to my CA, got a cert. From "ACS Certification Authority Setup" i installed it onto my ACS appliance, then from "Install ACS Certificate" installed it (it prepopulated the privkey and password so i assume it got that from the cert file). I then add the CA from the "Edit Certificate Trust List". All this goes off without a hitch.
  However when i try to add the "Certificate Revocation List" I am unable to add both LDAP:\\\ and http://. I have confirmed that the http:// is working on the CA, and every indication is that the ldap is working too but i don't know of the tools to test that with.
  When i go into "System Configuration"->"Global Authentication Setup"->"Allow EAP-TLS" i get the following error.
  Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.
  What exactly is not installed about the Certificate? it's on the ACS server, it's configured and the date range is correct.
  I've been banging my head against this all day and could use some suggestions. :)

  Ok, i now understand it a little better. I needed to install 2 certificates. the first being the Root CA's certificate in the "ACS Certification Authority Setup" section (i mistakenly thought this was simply where i download my generated cert for the next spot.
  The second cert is the one i generated using "Generate Certificate Signing Request", i then took that to my Root CA, generated a cert and installed that along with the private key under "Install ACS Certificate".
  Thanks for pointing me in the right direction since the error i was getting wasnt helpful to me.

• Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

  Hi All,
  I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
  Computer using Data over wirless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
  For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
  I confront PEAP and Eap-TLS for now:
  1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
  2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
  so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
  If I understood well I have to put User.cer and ACS_CA.cer on each phone and pout the User_CA on the ACS ?
  I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
  I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
  can you help me to know if I understood everything good ? I would be please to exchange experience on that
  thanks ;)
  bye

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.