EAP-TLS config - No certificates found on your computer.

Similar Messages

• Suspicious Activity Found On Your Computer, Due to Pop-Up Advertisement Windows and Invasive Links.   Please Contact Certified Live Technicians 1-888-893-2451 (Toll Free)

  Anyone have problems with safari browser getting hijacked to "search" browser.  Also then took me to page with this alert "
  Suspicious Activity Found On Your Computer, Due to Pop-Up Advertisement Windows and Invasive Links.
  Please Contact Certified Live Technicians 1-888-893-2451 (Toll Free)"  How do I get this to stop.

  Force quit Safari and then launch it with the Shift key held down. If that doesn't work, temporarily disconnect the computer from the Internet.
  (122945)

• EAP-TLS - ACS - Machine Certificates

  Hi,
  I've enabled EAP-TLS machine authentication on my ACS 4.2 server as per the following document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354195.  I currently have user authentication working using a user certificate on my laptop. I want to enable machine authentication for my windows domain.
  Which is the best ACS option to choose for machine certificate comparison:
  - Certificate Subject AlternativeName
  - Certificate Common Name
  - Certificate Binary
  Is there a guide to use for setting up machine certificate templates for Windows Clients?
  Thanks,

  CN (or Name)Comparison—Compares the CN in the           certificate with the username in the database. More information on  this           comparison type is included in the description of the Subject field of  the           certificate.
  SAN Comparison—Compares the SAN in the certificate           with the username in the database. This is only supported as of ACS  3.2. More           information on this comparison type is included in the description of  the           Subject Alternative Name field of the certificate.
  Binary Comparison—Compares the certificate with a           binary copy of the certificate stored in the database (only AD and  LDAP can do           this). If you use certificate binary comparison, you must store the  user           certificate in a binary format. Also, for generic LDAP and Active  Directory,           the attribute that stores the certificate must be the standard LDAP  attribute           named "usercertificate".
  Whatever comparison method is used, the information in the  appropriate       field (CN or SAN) must match the name that your database uses for       authentication.

• EAP-TLS - 802.1x - Certificate renewal

  Hello
  I want to implement EAP-TLS as realised in Document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything thing works fine.
  Though our customer wants to FW the Data WLAN/ VLAN and allow only data traffic between WLAN Client to a the terminal server within his secure LAN.
  By blocking all other traffic(except Terminal Server sessions) we experienced that the MS WinXP Client cannot renew its` EAP_TLS Certificate (in this case both user and machine)when its` Time expires.
  Could somebody give me a hint if there are other Cisco solutions for this issue.
  I have also read something about Cisco Virtual office. Does this deployement coupe up to solve this issue?

  The purpose Cisco ACS agent is, that ACS 4.x appliance (non-Windows2003 server) is capable to do Windows user authentication. I guess that won't help your issue.
  What I don't get is the following:
  Are you using WPA2(AES) as encryption? Then the WLAN is not considered as unsecure over the air.
  The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP).

• EAP-TLS with machine certificate

  Hello all,
  I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
  Thanks a lot.
  Best regards.

  Hi Alfonso, 
  Certificate Retrieval for EAP-TLS Authentication
  ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
  ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
  After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
  Configuring CA Certificates
  When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
  If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
  You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
  Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
  Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
  Also check the below link,  
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

• EAP-TLS Machine Authentication/Certificate

  Hi,
  I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN.  I can make each user get a user cert from my CA and if I use an admin account I can get windows to put these certs into the machine store, but when it comes to a login attempt my RADIUS failure messages look like host/axelfoley001 instead of host/MACHINE001xp, which is how the login looks on RADIUS when using EAP/PEAP.
  Clients are WinXPSP3, and I'm using CiscoACS 4.1, MS Certificate Services CA.
  When a user gets its own cert it can log into the WLAN fine after already logging onto the machine, but i can't seem to figure out how to pass the machine name with the cert on machine login (pre-auth).
  Do I need to alter some setting in the cert to pass a different user/machine name or do i need to get a different kind of cert from the CA?
  Any help will be greatfully received.
  Thanks,

  It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?
  Or perhaps you don't have a machine cert on the computer.  You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.

• EAP-TLS 802.1x certificate issue..

  Hi All,
  I m trying to setup eap-tls 802.1x using ACS SE 4.1.1.23.4 , WLC & CA. The problem i m facing is with installing the CA certificate on ACS appliance. Tried everything from cisco docs but not able to install certificate as its giving " Unsupported private key file format." The steps whic i had performed are...
  1) Generate Certificate Signing Request:
  Certificate subject ---- CN=idea_acs_01
  Private key file ---- privatekeyfile.pem
  Private key password -- cisco
  Retype private key password -- cisco
  Key length --- 1024
  Digest to sign with --- SHA1
  Then coppied the certificate signing request from the right side & pasted it on CA using "advanced certificate request" & then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file" option on CA & pasted the output in Base-64-encoded
  certificate request. Then issued the certificate from CA & downloaded it on my desktop & then from my desktop to FTP server.
  Even made a file naming privatekeyfile.pem with the output got during Generating Certificate Signing Request & uploaded the same on FTP.
  2)Install ACS Certificate:
  Then downloaded the certificate certnew.cer from FTP server using Download certificate file option. And also Download private key file from the FTP & typed password cisco. But after Submiting it gives error:
  "Unsupported private key file format."
  m not able to get why this srror is comming. Even tried all the steps above changing the format of Private key file ie .pvk , .pk but its not working for me.
  Can anyone guide me whats the issue. Thanks in advance..
  Regards,
  Piyush

  Have you looked at this:
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
  Try to open up the certificate and verify that it looks something like this:
  -----BEGIN CERTIFICATE-----
  IFNlY3VyZSBHbG9iYWwgZUJ1c2weluZXNzIENBLTEwHhcNMDgwNTIzMTc0MTM4Wh
  MTMwNTIzMTc0MTM4WjCB1jELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHWd1ZXN0d2lm
  aS5pbnRlcm5hbC5qZW5uwrZXIuY29tMRMwEQYDVQQLEwpHVDcwODk1Njc1MTEwLw
  VQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA4MS8w
  LQYDVQQLEyZEb21haW4gQ29asudHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKT
  MCQGA1UEAxMdZ3Vlc3R3aWZpLmludGVybmFsLmplbm5lci5jb20wgZ8wDQYJKoZI
  hvcNAQEBBQADgY0AMIGJAoGBAKTItrvHtgKSb+7671dndS1RyMfQleF9Jp+ebuPj
  Fd4JDjQdv3Ex7fSWrMarHivCok7rivw2c3BAP+sHYikosuwFTQTyf+4vuOzY2B2M
  reUWkFA3PX4wYBN54DXUSpLzbmNvf+Vr3SmMIUNJ6rBMxeasXIBc9k3k/BoGp8Ad
  dIeZAgMBAAGjgber0wgbowDgYDVR0fdPAQH/BAQDAgTwMB0GA1UdDgQWBBSsQk/8
  ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
  EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAlwu0GebX/w2TcxfE3lDUoIyCeLbS
  A6V+f812YMiXG46in1Qp0BuZtjQyDfvhOT1bszCzGLU39EVsSc5If63tIVi2Onq6
  iFMoa/BIbb9vK9o25Zy6FuxSizbMeKKrfFLp4RiEGkCOe68jZ8lFzT/hVvYspe72
  eUv4viaap9fTfcVM=
  -----END CERTIFICATE-----

• EAP-TLS 802.1x Certificat​e issue

  Hi,
  I have some issues trying to connect to my enterprise network. I'm using this link to get my certificate in my device : 
  here
  Here's my device :
  BlackBerry Curve 9360 
  7.1 Bundle 2841
  (v7.1.0.1047, Platform 9.6.0.160)
  Every time i do that, it goes in "other's certificates" instead of "personnal certificate"
  When I try to go to connect to the wifi, I choose the right CA certificate which is "COMPANY-CA" and then I have a "none available" client certificate.
  I would like to know if there's somehing wrong with my user template certificate or something related to the configuration in my blackberry phone.
  Can anyone help me please?
  Thanks in advance.

  Have you looked at this:
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
  Try to open up the certificate and verify that it looks something like this:
  -----BEGIN CERTIFICATE-----
  IFNlY3VyZSBHbG9iYWwgZUJ1c2weluZXNzIENBLTEwHhcNMDgwNTIzMTc0MTM4Wh
  MTMwNTIzMTc0MTM4WjCB1jELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHWd1ZXN0d2lm
  aS5pbnRlcm5hbC5qZW5uwrZXIuY29tMRMwEQYDVQQLEwpHVDcwODk1Njc1MTEwLw
  VQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA4MS8w
  LQYDVQQLEyZEb21haW4gQ29asudHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKT
  MCQGA1UEAxMdZ3Vlc3R3aWZpLmludGVybmFsLmplbm5lci5jb20wgZ8wDQYJKoZI
  hvcNAQEBBQADgY0AMIGJAoGBAKTItrvHtgKSb+7671dndS1RyMfQleF9Jp+ebuPj
  Fd4JDjQdv3Ex7fSWrMarHivCok7rivw2c3BAP+sHYikosuwFTQTyf+4vuOzY2B2M
  reUWkFA3PX4wYBN54DXUSpLzbmNvf+Vr3SmMIUNJ6rBMxeasXIBc9k3k/BoGp8Ad
  dIeZAgMBAAGjgber0wgbowDgYDVR0fdPAQH/BAQDAgTwMB0GA1UdDgQWBBSsQk/8
  ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
  EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAlwu0GebX/w2TcxfE3lDUoIyCeLbS
  A6V+f812YMiXG46in1Qp0BuZtjQyDfvhOT1bszCzGLU39EVsSc5If63tIVi2Onq6
  iFMoa/BIbb9vK9o25Zy6FuxSizbMeKKrfFLp4RiEGkCOe68jZ8lFzT/hVvYspe72
  eUv4viaap9fTfcVM=
  -----END CERTIFICATE-----

• I changed to a new computer, but after I installed the software, went to set up, entered the serial number, then a pop up window tells me: "the serial # you enter is valid but  a qualifying product was not found on your computer" and on the selection it g

  How can I get my serial number to work with my product?

  So you are installing Design and Web Premium CS6?
  I started with a student Cs5
  That's the qualifying version serial number which the dialogue box is asking for.
  Is it a CS5 Creative Suite (doesn't matter if it's a Student version)?

• Issue with iphone configuration utility: eap-tls certificate selection

  hello,
  I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
  here's my issue:
  I use iphone configuration utility v2.1 for windows. I added 2 certificates(one user cert and one CA cert) under 'credentials'. then i configured one wifi network (eap-tls using the certificate i justed added). then i synced with my phone. everything worked fine so far. however, when I tried to connect to wifi, i got error and found out that iphone was using a certificate issued by IPCU CA instead of the certificate i uploaded.
  this behavior could be corrected by manually change the certificate from wireless setting. however, this has to be done every time I try to connect to wireless network which is quite frustrated. a workaround is to email me the certificate and install it from iphone. but i can't install the CA certificate via this way.
  i am wondering if anyone has similar issue and how to fix this.
  thanks,
  -ns

  the configuration utility doesn't allow you to select the iPCU cert which is kind of a self signed by the software. you could only select the cert that you imported.
  upgraded to ipcu ver 2.2 today and it seems to fix the problem. will monitor it for several days and report back.

• Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

  Hello,
  I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
  In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
  Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
  Any way to resolve this?
  Thanks,
  Steve

  You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
  an example (uses user/pass though, but same concept)
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• WPA2 security with EAP-TLS user cert auth

  I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer. 
  When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
  It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth  worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
  Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

  Well Well
  WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
  The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
  In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
  Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
  Please make sure to rate correct answers

• EAP-TLS client security policy enforcement question using ISE

  Hi Experts ,
  I have remote site connected to HQ wireless controller and cisco ISE used as RADIUS server . I am using EAP-TLS authentication method where client will validate the server certificate and server will validate the client certificate.
  I am using EAP-TLS and machine authentication.
  In case of server certificate installation using internal PKI (Root CA ) server , I am quite clear that we can create certificate in ISE and can be signed by CA which will be used for EAP-TLS as well. however I am trying to under the client certificate installation.
  how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
  and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
  This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
  how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
  I am not sure ... will it get pushed through AD ? how will it happen ?
  It would be really helpful if someone could put light on this ..

  Hello Vino,
  Some answers below :
  how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
  You have templates in the certificate authority to user or machine certificate and you can apply these certificates to a group of machines or users using GPO in the Windows Server 2008.
  It can be automatically because the machine can get it using GPO from domain and after can authenticates using 802.1X using these certificates received from this policy.
  If you want a user certificate and get it manually you can access the CA too using the URL https://X.X.X.X/certsrv and request manually the user certificate using your domain credentials and install manually to authenticate using EAP-TLS with this user certificate.
  In the Cisco ISE Side it needs to have a local certificate from the same client CA or from another CA and the Cisco ISE needs to trust in the clients CA Issuer to accept the client certificate and allow this one to access the network.
  In the client side the same happens, the client needs to trust in the Issuer CA for the Cisco ISE certificate to validate ISE certificate and get access to the network.
  and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
  If you have a Windows Server with GPO and a CA configured you can use some templates to apply automatically a machine certificate or user certificate to a group of machines or user, in the case of machines it can be get from the domain using GPO and in the case of user certificate it can be get manually or using GPO too.
  This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
  The EAP-TLS is the most secured method to use to authenticate devices in the network because you have certificates and you have trusted certificate authority that you trust and only devices who has certificates from these CAs will be allowed to access the network.
  Another method very secured is EAP-FAST with machine and user certificate that the ISE will validade both the machine and user certificate before allow this one to get access to the network.
  how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
  You can apply it too using GPO in the Windows Server to a domain machine but when you have a machine that is not a domain machine you can use a user certificate to authenticate this one and need to install manually the user certificate in that machine to authenticate the user to wireless network and create SSID specifying the policy that is EAP-TLS.
  Remember that client machine needs to have the CA issuer for the Cisco ISE certificate to trust in the Cisco ISE and get access to the network and the opposite too (ISE needs to have the CA Issuer to trust in the client)
  I hope it helps.

• EAP-TLS problems with Cisco AP541N and Server 2008 NPS

  Hi,
  I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
  I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
  Oct 18 15:42:58
  info
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
  Oct 18 15:42:58
  warn
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
  Oct 18 15:42:58
  info
  hostapd
  The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
  NPS logs this:
  Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
  Netzwerkrichtlinienname: XXXXXX
  Authentifizierungsanbieter: Windows
  Authentifizierungsserver: XXXXX
  Authentifizierungstyp: EAP
  EAP-Typ: -
  Kontositzungs-ID: -
  Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
  Ursachencode: 22
  Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
  I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
  I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
  Did anybody encounter something like this before? Or just knows what to do?
  Thanks in advance
  Lenni

  Joe:
  Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
  EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
  PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
  for PEAP-MSCHAPv2, Your options are:
  - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
  - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
  - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
  You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"