EAP-TLS certificates across multiple computers?

Hi
So I've got EAP-TLS working with W2k IAS/Certificate Services and an AP1100. My clients are all XP/2000 notebooks and each machine has a computer certificate. The problem is that the notebooks are generic (not user specific), and the notebook that user1 got today may not be the same notebook that user1 gets tomorrow, so he/she will not be able to log in tomorrow (because their user certificate is stored on the first notebook they had... the one that they used to request the cert). Is there any way to have the user certificates follow the user, regardless of which PC they log on to the domain with? Maybe with roaming profiles or something like that. Any ideas? Thanks.

You could roll back to PEAP, using LDAP or MSCHAPv2 for authentication. You'll still authenticate the server and get dynamic keys, but the client authentication will still occur at the domain level.
Other than that, I don't think you can have a "mobile/portable" certificate (that would be more like a SecureID fob).
FWIW
Scott

Similar Messages

  • How to install EAP-TLS certificate?

    Hi All,
    Our wireless network requires EAP-TLS certificate installation.
    We use a MS 2003 server as a CA server.
    I tried to browse to the issuing website (http://CAserver/certsrv) but when I get to the section where I need to choose the strength of the key, somehow the phone's browser is not showing the options...
    So, I tried to issue a certificate from the issuing station and got a file called certnew.cer .
    From what I read this is the right certificate type, so I copied the file to the phone and tried to open it...
    But it only opens it with the Notes application...
    Any help????
    Thanks in advance,
    Naor. 

    The certificate needs to be in .der format. You probably have it in .cer (PEM) format right now.
    You can convert it using openssl. Change the filenames appropriately:
    openssl x509 -outform der -in MYCERT.pem -out MYCERT.der 
    Then send the .der file to the phone and open it. The phone should offer to install it as a certificate.
    Sanjay Mehta
    Motorola "Brickphone" circa 1996, Alcatel One Touch, Ericsson R380, Sony Ericsson T220, Sony Ericsson T630, Nokia E50, Nokia E61i, Nokia 9300i, Nokia E71,Nokia X6, Google Nexus S, iPhone 4S

  • Issue with iphone configuration utility: eap-tls certificate selection

    hello,
    I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
    here's my issue:
    I use iPhone Configuration Utility v2.1 for Windows. I added 2 certificates (one user cert and one CA cert) under 'Credentials'. Then I configured one Wi-Fi network (EAP-TLS using the certificate I just added). Then I synced with my phone. Everything worked fine so far. However, when I tried to connect to Wi-Fi, I got an error and found out that the iPhone was using a certificate issued by the IPCU CA instead of the certificate I uploaded.
    This behavior could be corrected by manually changing the certificate from the wireless settings. However, this has to be done every time I try to connect to the wireless network, which is quite frustrating. A workaround is to email me the certificate and install it from the iPhone, but I can't install the CA certificate this way.
    I am wondering if anyone has a similar issue and how to fix this.
    thanks,
    -ns

    The configuration utility doesn't allow you to select the iPCU cert, which is kind of self-signed by the software. You can only select the cert that you imported.
    Upgraded to iPCU ver 2.2 today and it seems to fix the problem. Will monitor it for several days and report back.

  • ACS 5.2 / WLC - EAP-TLS Certificate from 2 CA

    Hello,
    I'm a newbie with ACS equipment; I'm trying to implement it to secure our WiFi environment.
    One WiFi SSID is broadcast on a site, and I would like to authenticate WiFi clients through machine certificates.
    The big deal is that some client computers belong to an AD (AD1) that has its own CA (CA1). Other client computers belong to another AD (AD2) that also has its own CA (CA2). (With no relation between the 2 CAs.)
    So computer1 has a machine certificate from CA1 and computer2 has a machine certificate from CA2.
    I have imported the root certificates from both CAs into the "certificate authorities" store of the ACS.
    I have generated certificate signing requests, one for each CA. Then I have bound the CA-signed certificates.
    After configuring the access services (identity, authorization...) and so on, I have the following issue:
    - Computer with certificate from the CA1 can connect without any problem.
    - Computer with certificate from the CA2 can NOT connect:
         - After investigation: the client computer does not trust the ACS server and rejects the connection
         - Error returned:
    RADIUS Status:Authentication failed 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
         - (If I get rid of the option "verify server identity" in the WiFi options of the client, the computer can connect, but this option is not acceptable)
         - It seems that the ACS sends only its certificate signed by CA1
    The questions are:
    1- How can I configure the ACS to send the right certificate signed by the right CA corresponding to the computer that is attempting to authenticate?
    2- I could see in documentation:
        "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
         --> Does it mean that we can only configure one local certificate to allow the ACS to authenticate to clients for all the EAP-TLS protocols used?
         --> How can I choose it?
         --> For the current configuration, I have only the certificate signed by the CA which is configured "EAP: Used for EAP protocols that use SSL/TLS tunneling" (I don't know if this option has an impact on the certificate presented by the ACS when it authenticates itself to the client)
    Thanks for your help and your information.
    Guillaume

    Hi Bastien,
    It is actually what I did.
    The point here is I have 2 CAs involved, with no relation between them.
    So I did the operation twice, once for each CA:
    -> made a certificate signing request, sent it to the CA, had it signed by the CA and then imported/bound it into the ACS
    -> I have added the root CA of each CA into the ACS as well.
    The point is, when a computer tries to connect, it tries to verify the ACS server identity. And the ACS server only seems to present the certificate signed by CA1.
    So when a computer with a machine certificate from CA2 tries to connect, it doesn't trust the ACS server, as the ACS sent its certificate signed by CA1.
    I don't know how to allow the ACS to present the right signed certificate depending on the client that tries to connect.
    Then another config option I do not understand is:
    EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local certificate, when you add a local certificate to the ACS
    I do not understand what this option stands for?
    Then I could see in the Cisco doc:
        "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
    Does it mean that the ACS can use only one single certificate for all the TLS protocols configured in the ACS to authenticate itself to the client?
    Or can the ACS use a different local certificate for each dedicated EAP-TLS protocol?
    thx

  • EAP-TLS Certificate Key Size

    Hi,
    I'm in the process of setting up EAP-TLS authentication in my network. I have installed 2048 bit certificates on my ACS server and client. When attempting to authenticate I receive the following message in ACS: EAP-TLS or PEAP authentication failed during SSL handshake.
    Is anyone using 2048 bit certs or know if they work? Any suggestions what else might be causing the authentication failure?
    Thanks,

    2048 bit is the standard these days. I have used 2048 bit with both PEAP and EAP-TLS with no issues. The error might be the shared secret between ACS and the WLC.

  • AnyConnect, EAP-TLS, Certificate Store Issue

    Morning All,
    I've got a customer that wants to deploy AnyConnect for their new EAP-TLS based WLAN. We can get the service working perfectly using the windows 7 supplicant. The problems start when using AnyConnect.
    When we create a profile with certificate store set to all in the profile editor, we get an error along the lines of no valid certificate found. This seems a bit crazy considering the windows supplicant can both find and use it.
    Any ideas?
    Cheers,
    N

    Hi Salod,
    I now believe it to be an AD permission issue with regard to the cert stores. I have labbed this and have got both user and machine certs working through the AnyConnect client.
    Regards,
    Nick

  • EAP-TLS Certificate Installation

    Hello,
    I generated a certificate on my ACS. How do I add it to my Windows PC wireless client so I can use it for EAP-TLS? On my Windows PC I found the certificate import wizard, but the types supported are .P7B, .PFX and .P12 file types, and I believe the one on the ACS is a .ca file. Also, how do I get it off the ACS for distribution? Thank You - Sean

    Hi,
    Do you have a root CA in your network? Did you use this to generate the server certificate for ACS, or did you use the "generate self-signed certificate" option to do that? Using a self-signed certificate you can use PEAP authentication only. For EAP-TLS authentication, you need a root CA server to generate a server certificate for ACS and a client certificate for users. Server and CA certificate files must be in Base64-encoded X.509 format or DER-encoded binary X.509 format. Use SHA-1 and a key size of 1024. The Windows server has a certificate service and you can use it to generate these files.
    Regards,

  • Script to list all SSL certificates of multiple computers with all properties.

    Hi,
    Need help to list all SSL certificates available on multiple computers in Excel. Also, the details should include all properties of the certificate.
    Thanks!
    Pranay (MCSE, MCITP)

    Go through this link
    Regards Chen V [MCTS SharePoint 2010]

  • EAP-TLS, Certificates for the machine...prompt for the user?

    I've got a wireless network made up of AP1200s and I'm testing EAP-TLS. I have the cert piece working, but I would also like the users to be prompted for a user/pass upon association. Is that going too far?
    If not, how do I set it up? I also want to make sure that they are not prompted each time they roam to a new AP if they were previously authenticated.

    I think if you leave the username/password fields blank, the system will prompt you for them.
    There might even be a checkbox for "Prompt for User Name" (gonna depend on the client software & nic).
    Good Luck
    Scott

  • Using same mail certificate on multiple computers

    I have a MacPro and a MacBookPro. I could just retrieve my Thawte email certificate on both and they would be usable for encryption and signing on both computers. With this renewal, though, only the requesting computer (the MacPro) shows them in the 'My Certificate' section with both the public and the private key; downloading the certificate with the MBP just adds it to the 'Certificates' section with just the public key, so I can't sign or encrypt from there.
    How is it keying them to the particular machine? I of course want what I previously had: a signed email account not tied to a particular originating machine.
    Is it something simple? Do I need to transfer Thawte certificates too?

    Hi,
    This is what I did for installing wildcard certificates:
    On the OS of the SAP server, log in with the sapadm account.
    Open a command prompt:
    Make a backup of your sec directory in drive:\usr\sap\<SID>DVEBMGS00\ (just to be sure)
    cd to drive:\usr\sap\<SID>DVEBMGS00\exe
    >sapgenpse.exe import_p12 =p SAPSSLS.PSE location\to\the\certfile.pfx
    It will ask you for the PIN, and to overwrite the file; answer yes.
    Now copy the new SAPSSLS.PSE to a desktop that has SAP GUI.
    Log in with the SAP GUI and run transaction STRUST.
    Select Import from the PSE menu and open the SAPSSLS.PSE.
    Then again go to the PSE menu and select Save As.
    I saved it twice, once in System PSE and then again in SSL Server.
    For me SSL is now working without problems on a couple of servers.
    -small update-
    You can check internal servers using the certificate utility from DigiCert https://www.digicert.com/util/
    It has the option to specify port numbers, useful for internal web services.
    Regards,
    Rolf

  • Wireless ISE - 12508 EAP-TLS handshake failed

    Hi guys,
    I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
    Authentication failed : 12508 EAP-TLS handshake failed
    OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
    Setup:
    - Single standalone ISE 3355 appliance
    - Two tier MS enterprise PKI (outside of my direct control)
    - WLC 5508
    - Windows 7 laptop
    - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
    - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
    Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
    This is what TAC came back with, but none of the workarounds helped:
    Symptom:
    ========
    EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
    Conditions:
    =========
    EAP-TLS certificate based authentications ISE 1.1.2.145
    Workaround:
    ===========
    1) Reboot or restart ISE application service
    2) Recreate CAP (Certificate Authentication Profile)
    3) Toggle between ID sequence and single ID source

    Hi Amjad,
    Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
    Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
    The certificate format has not been modified in any way. The server and identity certs have been pushed out to the clients via GPO. The root and intermediate certs were exported in DER format directly from each of the respective CAs and imported directly into the ISE.
    Cheers,
    Owen

  • ISE problem with EAP-TLS Supplicant Provisioning

    Hi All,
    I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
    The entire CWA / Device Registration process is all fine and works well. I'm using a publicly signed cert on ISE that is built from [Root CA + Intermediate CA + Host Cert], which is used for both HTTPS and EAP, and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory. All of this works fine.
    The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
    Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
    Cheers,
    Richard
    PS - Also using WinSPWizard 1.0.0.28

    Hi Richard,
    This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
    Istvan Segyik
    Systems Engineer
    Global Virtual Engineering
    WW Partner Organization
    Cisco Systems, Inc
    Email: [email protected]
    Work: +36 1 2254604
    Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

  • Cisco ISE for 802.1x (EAP-TLS)

    I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
    I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me in the right direction as to how I can achieve what I am seeking.
    I will use Cisco 2900 series switches on the access layer and a few HP switches as well, which support 802.1x.
    I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (certificate based). All the workstations on the domain need to authenticate themselves using the certificates issued to them by the Certificate Issuing Authority.
    I have already managed to get the PKI working and have rolled out the certificates on all the workstations in the test environment. I can't seem to configure the authentication portion on the ISE.
    I request that someone guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
    My email: [email protected]
    Cheers,
    Krishil Reddy

    Hello Mubashir,
    Many timers can be modified as  needed in a deployment. Unless you are experiencing a specific problem  where adjusting the timer may correct unwanted behavior, it is  recommended to leave all timers at their default values except for the  802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds.  Leaving this value at 30 seconds provides a default wait of 90 seconds  (3 x tx-period) before a switchport will begin the next method of  authentication, and begin the MAB process for non-authenticating  devices.
    Based on numerous deployments, the best-practice  recommendation is to set the tx-period value to 10 seconds to provide  the optimal time for MAB devices. Setting the value below 10 seconds may  result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer.
    C3750X(config-if-range)#dot1x timeout tx-period 10

  • EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

    I have a Wireless LAN platform composed of Cisco 1100 Access Points with ACS 3.1 and a Microsoft CA. The security scheme is EAP-TLS (certificates). This architecture was completely functional. The problem took place when replacing the ACS 3.1 with the ACS 3.2 APPLIANCE, for which new certificates were issued by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network without success, remaining in a state of "trying to authenticate" in the network adapters; in addition, the following message appears in the ACS logs: "NAS duplicated authentication attempt".
    If somebody knows the reason for this problem, I can be contacted at my mail ([email protected]).

    A hint I could give you is that in such a scenario you need a trusted boundary between the ACS Appliance and the MS AD/PDC. This is realized through a PC/host which is a registered member or user of the AD/PDC. This relay computer then communicates with the MS CA. The software that Cisco provides is the Cisco Secure ACS Agent. Hope this helps, as we found the same problem in LEAP authentication, since the ACS Appliance could not be set into an AD/PDC domain. This has to be realized through this small piece of software installed on a PC/host etc. which is an active AD/PDC member.

  • EAP-TLS and getting a new user to log in on a wireless network

    I have setup EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
    My issue is when I have a new user who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user log in, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kinda defeats the purpose of a WLAN.
    How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
    After further reading and research, I believe that my dilemma will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or whether it can be a Standalone CA?
    Paras

    Check the below link and read the server requirements.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
    The standalone CA needs to be trusted by AD.
    http://groups.google.co.uk/group/microsoft.public.win2000.security/browse_thread/thread/1cf098c0dfa97ca0/b964dd05c12fd3fb?lnk=st&q=eap-tls+certificates+standalone+root&rnum=2&hl=en#b964dd05c12fd3fb
    What Windows are you using? The default behaviour of Windows is to do user authentication. You would need to play with the registry to make systems do only machine authentication.
    You would need connectivity when you want to install the CA certificate, or else allow open authentication on the access point to have the connectivity and, once the certificates are installed, disable it.
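Two of the threads above come down to what is actually inside a certificate file: the phone that would only open certnew.cer in Notes because the file was PEM rather than DER, and the ISE 12508 failure whose OpenSSL text complains about the certificate's message digest algorithm. The following is an added example (my code, not from any post, vendor or product above): it normalises a .cer file to DER whether it is PEM or binary, then reads the signatureAlgorithm OID so you can see whether issued certificates are SHA-1 or SHA-256 signed before touching the RADIUS server. It uses only the Python standard library; the sample input is a constructed minimal DER structure, not a real certificate.

```python
import base64
import re

# Base64 armour of a PEM certificate; DER is the raw binary inside it.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Signature algorithm OIDs behind the SHA-1 / SHA-256 question (RFC 3279, RFC 4055, RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def to_der(data: bytes) -> bytes:
    """Return DER bytes whether the file is PEM or already DER (a .cer can be either)."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)), validate=True)
    if data[:1] == b"\x30":  # DER SEQUENCE tag: the file is already binary
        return data
    raise ValueError("not a PEM or DER certificate")


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:  # base-128 arcs, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der: bytes) -> str:
    """Dotted OID of Certificate.signatureAlgorithm (RFC 5280 section 4.1)."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)      # tbsCertificate, not needed here
    tag, alg_id, _ = read_tlv(cert, pos)  # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid, _ = read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def describe(data: bytes) -> str:
    """Human-readable signature algorithm of a PEM or DER certificate file."""
    oid = signature_algorithm(to_der(data))
    return SIG_ALG_NAMES.get(oid, "unknown (" + oid + ")")


# Constructed sample, NOT a real certificate: the Certificate outer shape with an
# empty tbsCertificate, sha1WithRSAEncryption, and an empty signature BIT STRING.
SAMPLE_DER = bytes.fromhex(
    "3014"                              # Certificate SEQUENCE, 20 content bytes
    "3000"                              # tbsCertificate placeholder
    "300d06092a864886f70d0101050500"    # AlgorithmIdentifier {sha1WithRSA, NULL}
    "030100")                           # signatureValue BIT STRING
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(describe(SAMPLE_PEM))  # sha1WithRSAEncryption
```

Run it against a real exported certificate by passing the file's bytes to describe(); a "unknown (...)" result means the OID is one not listed above, and the dotted form can be looked up directly.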
