Eap-tls configuration assistance

Similar Messages

• How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

  Hi Team,
  We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy.  However, we're now looking to see how we can accomplish this for Mac book and iphones?  Is there an open source application or something we can leverage to do this?
  Thanks

  I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
  Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
  Hope this helps!
  Thank you for rating helpful posts! 

• Cisco WLC EAP-TLS configuration

  I need help. I'm trying to configure virtual WLC for EAP-TLS authentication. I configured that, but I don't know where I can set CRL (certificate revocation list) or OCSP (Online Certificate Status Protocol). I must to use this technolodgy for deny access for laid-off employees.

  CRL and OCSP are both part of the certificate itself. Your CA must add the URL for these services when the cert is generated. The WLC does not get configured with the URL for these services. The WLC simply knows the Radius Server IP(s) and has the root cert installed so it can handle the TLS authentication. 

• EAP-TLS configuration issues

  Hi ,
  I am trying to set up a mixed vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards , Microsoft CA, and ACS3.1. I have successfully setup the client and ACS side certificates and followed the instructions on the EAP-TLS Deployment Guide for Wireless networks which I downloaded off CCO. When I run a "debug radius" on the Access point I dont see any debug info. When I reconfigure everything for LEAP I can then see the AP radius debugs. Does anyone have any tips or recommendations ? I have upgraded XP to service pack 1 ? If you could perhaps direct me to a more comprehensive installation document I would also appreciate it .
  Many thanks

  Hi,
  unfortunately I have no answer for your current issues. I have post this message to ask for your help. I have the same issue that you talk about.
  I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP all work fine and I can see AP debugs but not with EAP-TLS.
  I think certificates works fine because the same user unable to authenticate with AP1100 is able to authenticate with EAP-TLS with Catalyst 2950.
  I have see the following messages in EAPOL.log
  (Win XP Prof. with SP1)
  [1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL
  [1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0
  Please, could you tell me your workaround?
  Thanks in advance.

• Eap-tls configuration

  how do you select certificate for enterprise wireless authentication?
  Our wireless is nb-ssid and when I enter the config, I only get the option for username and password.  Not to select certificate per the documentation
  ATT Pre Plus
  Post relates to: Pre Plus p100una (AT&T)

  I am unable to open the attachment, anyway let me tell you few things which you should conform while using certificates.
  1. Both your client and server certificates should be from same authority
  2. You should have the same username in which the certificate issued should be in your ACS database.
  3. Conform the validity of both your CA and device certificate
  Just to conform this is not an issue with your ACS server you can install the cert in your controller and try to authenticate the client using local auth.If this works then your certs are perfect and verify your ACS configurations

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

  Hello,
  I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
  The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
  While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
  Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
  What was done:
  - set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.
  - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
  - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
  What I can see while running a wireshark trace on freeradius is:
       - both parties negotiate properly that they will engage in EAP-TLS.
       - they  start the TLS handshake
       - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
       - Client (phone) never sends its certificate (MIC) to the server.
       - Client restarts EAP-TLS negotiation and goes on and on.
  Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
  Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
  Phone firmware is 9.2(3) and callmanager 8.6
  Thanks
  Gustavo Novais

  Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain

• WLC configuration for EAP-TLS

  Hi,
  I am tring to set up a Cisco WLC 2006 with EAP-TLS + WPA.
  Everytime I try to log in to the network my wireless card gives a message saying " validating user", but nothing else happens.
  I cannot find any manual for configuring this. Can anyone perhaps assist?
  Regards
  Dean

  More details would be helpful:
  What RADIUS server are you using, what CA are you using, where (what VLAN) they located, which port of the WLC are you connected to (RADIUS/CA)?
  Are you using the Vendor's client software or MS wireless zero config? Which version? or Linux? Which distribution/version?
  Having this info will be a good start ...
  Let us know
  Scott

• Issue with iphone configuration utility: eap-tls certificate selection

  hello,
  I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
  here's my issue:
  I use iphone configuration utility v2.1 for windows. I added 2 certificates(one user cert and one CA cert) under 'credentials'. then i configured one wifi network (eap-tls using the certificate i justed added). then i synced with my phone. everything worked fine so far. however, when I tried to connect to wifi, i got error and found out that iphone was using a certificate issued by IPCU CA instead of the certificate i uploaded.
  this behavior could be corrected by manually change the certificate from wireless setting. however, this has to be done every time I try to connect to wireless network which is quite frustrated. a workaround is to email me the certificate and install it from iphone. but i can't install the CA certificate via this way.
  i am wondering if anyone has similar issue and how to fix this.
  thanks,
  -ns

  the configuration utility doesn't allow you to select the iPCU cert which is kind of a self signed by the software. you could only select the cert that you imported.
  upgraded to ipcu ver 2.2 today and it seems to fix the problem. will monitor it for several days and report back.

• EAP-TLS with Radius Server configuration (1130AG)

  Hi All,
  Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
  My steps for radius:- (i think this part ive actually got ok)
  http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
  Steps for the wirless profile on a win 7 client:- this has me confused all over the place
  http://technet.microsoft.com/en-us/library/dd759246.aspx
  My 1130 Config:-
  [code]
  Current configuration : 3805 bytes
  ! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
  ! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname WAP1
  aaa new-model
  aaa group server radius RAD_EAP
  server 10.1.1.29 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login EAP_LOGIN group RAD_EAP
  aaa authorization exec default local
  aaa authorization network default local
  aaa session-id common
  ip domain name ************
  dot11 syslog
  dot11 ssid TEST
     authentication open eap EAP_LOGIN
     authentication network-eap EAP_LOGIN
     guest-mode
  crypto pki trustpoint TP-self-signed-1829403336
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1829403336
  revocation-check none
  rsakeypair TP-self-signed-1829403336
    quit
  username ***************
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid TEST
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  ssid TEST
  no dfs band block
  channel dfs
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.1.2.245 255.255.255.0
  ip helper-address 10.1.1.27
  no ip route-cache
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
  radius-server key ************
  bridge 1 route ip
  line con 0
  logging synchronous
  transport preferred ssh
  line vty 0 4
  logging synchronous
  transport input ssh
  sntp server 130.88.212.143
  end
  [/code]
  and my current debug
  [code]
  Jan 25 12:00:56.703: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: AAA/BIND(000000
  WAP1#12): Bind i/f
  Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
  WAP1#h method EAP or LEAP
  Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 25 12:01:27.581: EAPOL pak dump tx
  Jan 25 12:01:27.581: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 25 12:01:27.581: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01801670:                   0100002B 0101002B          ...+...+
  01801680: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  WAP1#
  01801690: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018016A0: 6F727469 643D30                      ortid=0
  Jan 25 12:01:27.582: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  [/code]
  Can anyone point me in the right direction with this?
  i also dont like it that you can attempt to join the network first before failing
  can i have user cert based + psk? and then apply it all by GPO
  Thanks for any help

  ok ive ammdened the wireless profile as suggested
  i already have the root ca and a user certificate installed with matching usernames
  I had already added the radius device to the NPS server and matched the keys to the AP
  now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
  Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
  WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
  Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
  WAP1#lient 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
  Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
  WAP1#_auth_dot1x_start
  Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 29 11:53:14.620: EAPOL pak dump tx
  Jan 29 11:53:14.621: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.621: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808560: 0100002B 0101002B 01006E65 74776F72  ...+...+..networ
  01808570: 6B69643D 54455354 2C6E6173 69643D41  kid=TEST,nasid=A
  01808580: 50445741 50312C70 6F727469 643D30    WAP1,portid=0
  Jan 29 11:53
  WAP1#:14.621: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
  Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
  WAP1#cator message to client 74de.2b81.56c4
  Jan 29 11:53:14.622: EAPOL pak dump tx
  Jan 29 11:53:14.622: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.622: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808690:                   0100002B 0101002B          ...+...+
  018086A0: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  018086B0: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018086C0: 6F727469 643D30                      ortid=0
  Jan 29 11:53:14.623: dot1x-regi

• Need configuration guide for EAP-TLS

  I need to setup the AP-1200 I have for EAP-TLS. Anyone know of some good documentation that I can use to configure this? I already have the CA and RADIUS servers up and going.
  Thanks in advance for your help.

  Here are some docs that I used when setting up EAP-TLS with my Cisco 350 APs and Cisco 340/350 wireless client adapters. I made notes in them but they were derived from Cisco support originally. I've found that Win2K clients have more trouble with authenticaion because they must have the 802.11x engine installed (MS update/hotfix) which I've found only can be installed on clients running SP3 (not SP2 or even SP4). Kinda weird. Anyways, you'll probably have the best luck with XP clients because of its native 802.11x support that's built in.
  Hope that helps...

• How to configure EAP-TLS OTA

  Hello, I am trying to configure wi-fi setting OTA on iPhone/iPad.  The certificate enrolment goes thru fine and the device signs the final request with newly acquired certificate. I am stuck in the last phase i.e. pushing the final mobileconfig containing EAP-TLS setting. It seems the configuration is accepted even though it is not signed or encrypted. Also, the configuration includes the root CA certificate which issued the device certificate as well as identity certificate (which is the newly issued certificate) for EAP-TLS setting . The device complains about not able to connect using the pushed profile. Is it okay to send root CA certificate in the mobileconfig and will it be trusted? Also, what is the encoding format for the certificate? 
  Thanks for any help.

  Here is how it's work for me :
  server radius configured to EAP with certificate authentication (not PEAP or anything else)
  send USER certificate by email (run certmgr.msc > personal certificate > the one with your name > export with private key)
  retrieve it on your iphone, click on it and install it on iphone
  in the wifi connection tab, enter your username, and choose in 'mode" : EAP-TLS
  in identity choose your user certificate.
  It will connect and ask you to trust the authentication server certificate
  putting root CA doesn't trust the authentication server for me in later IOS version (after 4.1)

• EAP-TLS on ACS v4 for wireless users

  Hi,
  I?m trying to deploy EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
  As mentioned on the ACS configuration guide I have to have CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under System configuration tab then ACS Certificate Setup a Generate Self-Signed Certificate, I generated a certificate and uploaded a copy to my PC, installed and followed the recommended steps to configure the Microsoft XP client configuration but still I got the error ?Windows was unable to find a certificate to log you on to the network SSID? . Honestly I don?t know if this is possible but I gave it a try but failed.
  Kindly advice what is the appropriate and easiest way to accomplish the task, if you could provide me with helpful documents I?ll appreciate it.
  Regards,
  Belal

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.

• FlexConnect, EAP-TLS and dynamic VLAN assignments

  I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
  I have some questions:
  - What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
  - I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
  - I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
  Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

  I'll give this a shot:)
  For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
  The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
  64 (Tunnel-Type) should be set to VLAN (Integer = 13)
  65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
  81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
  You can find this by searching on Google.... A lot of examples out there
  v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
  Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
  FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
  Hope this helps.
  Sent from Cisco Technical Support iPhone App

• EAP-TLS in the MAC world

  Hello,
  The challenge is to take the existing wireless infrastructure using PSK and upgrade to EAP-TLS. I have had the opportunity to configure using the AD world with CA servers, Wireless Group Policies etc prior to this. But could use some insight in getting this
  This is a controller based environment.
  Clients MAC OS vary from the most recent to maybe 4 versions back
  ACS aapliance and an LDAP server.
  Active Directory - box with rules. Easier distribution, policies, set a rule apply to many
  MAC - autonomous
  Any assistance would be most helpful, any articles, discussions etc that could shed some light on this.
  Thanks,
  Erik

  Are you able to push group policies using AD to your Mac clients? Or is that where the trouble is?