EAP-TLS configuration issues
Hi,
I am trying to set up a mixed-vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards, Microsoft CA, and ACS 3.1. I have successfully set up the client- and ACS-side certificates and followed the instructions in the EAP-TLS Deployment Guide for Wireless Networks, which I downloaded from CCO. When I run a "debug radius" on the access point I don't see any debug info. When I reconfigure everything for LEAP I can then see the AP RADIUS debugs. Does anyone have any tips or recommendations? I have upgraded XP to Service Pack 1. If you could perhaps direct me to a more comprehensive installation document I would also appreciate it.
Many thanks
Hi,
unfortunately I have no answer for your current issues. I have posted this message to ask for your help. I have the same issue that you talk about.
I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP everything works fine and I can see AP debugs, but not with EAP-TLS.
I think the certificates work fine, because the same user who is unable to authenticate through the AP1100 is able to authenticate with EAP-TLS through a Catalyst 2950.
I have seen the following messages in EAPOL.log (Win XP Prof. with SP1):
[1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL
[1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0
Please, could you tell me your workaround?
Thanks in advance.
Similar Messages
-
How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones
Hi Team,
We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy. However, we're now looking to see how we can accomplish this for Mac book and iphones? Is there an open source application or something we can leverage to do this?
Thanks
I think ammahend was looking for a rough count, which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal, since you will have to manually generate CSRs, get them signed and then install them on the machines.
Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with the MDM (advanced licenses needed), as you can simply have ISE check for the cert and only perform EAP-TLS authentication.
Hope this helps!
Thank you for rating helpful posts!
-
Eap-tls configuration assistance
I am trying to get eap-tls working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.
Scenario
MS CA (Windows 2008 Server)
MS DC (Windows 2003 Server)
ACS 4.2 (Windows 2003 Server)
WLC 4402 (5.2)
LWAP AIR-LAP1142N-N-K9
Client MS XP SP3
I have confirmed that the certificates are valid on both the ACS and the client.
The problem I have is, I see the client associate, but fails authentication. I look in the ACS failed log attempts, I see:
13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 10.10.10.100 .. .. 13 EAP-TLS .. TWLC01 CITY
I have configured ACS for Unknown User Policy and have the client e26458 in AD.
I would like some advice from some people who have successfully implemented EAP-TLS, as I have hit a brick wall. I have attached the results of debug aaa events enable, debug aaa detail enable, debug dot1x events enable and debug dot1x states enable on the WLC.
frustratingly yours
I am unable to open the attachment; anyway, let me tell you a few things which you should confirm while using certificates.
1. Both your client and server certificates should be from the same authority.
2. The username for which the certificate was issued should exist in your ACS database.
3. Confirm the validity of both your CA and device certificates.
Just to confirm this is not an issue with your ACS server, you can install the cert on your controller and try to authenticate the client using local auth. If this works then your certs are perfect, and you should verify your ACS configuration.
-
I have several Aironet 1100 APs which are configured to use EAP-TLS to authenticate against a Cisco ACS server.
We are using Aironet 350 PCMCIA cards. This setup had been working up until Friday, when we moved the ACS server to a new IP address. Since then, if I try to connect using the Cisco software bundled with the 350 PCMCIA card it fails authentication. If I use the Windows wireless config it works perfectly. Unfortunately most of the PCs are running Windows 2000, so I need to get the Cisco software working again.
In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
I'm at a bit of a loss as to what to do next.
Hi Rob,
The error is common for 802.1x.
You mentioned the problem started when you assigned a new IP to the ACS. Have you tried to generate a new ACS cert (running on the new IP) and load it onto the client again?
*http://www.ciscotaccc.com/kaidara-advisor/wireless/showcase?case=K56560228
*http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
*http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
Rgds,
AK
-
EAP/TLS authentication Issue
Try this link:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml
-
Cisco WLC EAP-TLS configuration
I need help. I'm trying to configure a virtual WLC for EAP-TLS authentication. I have configured that, but I don't know where I can set the CRL (certificate revocation list) or OCSP (Online Certificate Status Protocol). I must use this technology to deny access to laid-off employees.
CRL and OCSP are both part of the certificate itself. Your CA must add the URLs for these services when the cert is generated. The WLC does not get configured with the URLs for these services. The WLC simply knows the RADIUS server IP(s) and has the root cert installed so it can handle the TLS authentication.
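Added example, not from any of the posts on this page: a throwaway lab PKI built with openssl that runs the three checks from the sanity-check reply earlier on the page (client and server certs from the same authority, the name carried in the certificate, validity of CA and device certs) and shows what the CRL/OCSP answer just above means in practice. The revocation pointers are X.509 extensions (CRL Distribution Points and Authority Information Access) that the CA writes into the issued certificate; the RADIUS server reads them when it validates the client certificate, which is why there is nothing to set on the WLC. It assumes openssl 1.1.1 or newer in PATH; the CA name, host name and http://... URLs are made up for the lab.

```shell
# Added example (not from any of the posts): a throwaway lab PKI built with
# openssl to run the reply's checks and to show where the CRL/OCSP pointers
# are carried.  Assumed: openssl 1.1.1+ in PATH.  The CA name, the host
# name and the http://... URLs are made up for this lab.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. Lab root CA, standing in for the Microsoft / enTrust CA in the threads.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
  -subj "/CN=Lab Root CA" -keyout ca.key -out ca.pem 2>/dev/null

# Just enough "openssl ca" config to keep a revocation database and issue CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
dir              = .
database         = index.txt
new_certs_dir    = .
certificate      = ca.pem
private_key      = ca.key
serial           = serial
default_md       = sha256
default_crl_days = 7
policy           = pol
[ pol ]
commonName       = supplied
EOF
: > index.txt
echo 1000 > serial

# 2. Issue a supplicant (machine) certificate.  Everything the RADIUS server
#    acts on is an extension the CA writes into the cert: the clientAuth EKU,
#    the SAN carrying the account name, and the CRL/OCSP URLs.  The AP/WLC is
#    never configured with those URLs; it only relays EAP to the RADIUS server.
issue_client() {  # $1 = file prefix, $2 = CN, $3 = DNS name for the SAN
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  cat > "$1.ext" <<EOF
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
extendedKeyUsage      = clientAuth
subjectAltName        = DNS:$3, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:host/$3
crlDistributionPoints = URI:http://pki.example.internal/lab.crl
authorityInfoAccess   = OCSP;URI:http://ocsp.example.internal/
EOF
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAserial serial \
    -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
}
issue_client e26458 host-e26458 e26458.internal.company

# --- the three checks from the reply, as functions -----------------------
# (1) issued by the same CA the RADIUS server trusts
chains_to_ca()   { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no; }
# (2) identity strings the server can map onto its user database
cert_cn()        { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_san()       { openssl x509 -in "$1" -noout -text | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'; }
# (3) validity window: -checkend 0 exits 0 while the cert is still in date
cert_valid_now() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 && echo valid || echo expired; }
# and the EKU, without which a RADIUS server will refuse it as a client cert
has_client_eku() { openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication' && echo yes || echo no; }
# CDP (CRL) and AIA (OCSP) pointers live in the cert, not on the WLC
revocation_urls(){ openssl x509 -in "$1" -noout -text | grep -o 'http://[^ ]*' | sort; }

# --- what actually shuts out a laid-off employee: revocation -------------
# -crl_check needs a CRL to consult, so publish an (empty) one first.
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
verify_with_crl() {  # $1 = CA, $2 = CRL, $3 = cert -> accepted | rejected
  if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}
before=$(verify_with_crl ca.pem crl.pem e26458.pem)
openssl ca -config ca.cnf -revoke e26458.pem 2>/dev/null   # the account is gone
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null  # republish the CRL
after=$(verify_with_crl ca.pem crl.pem e26458.pem)

echo "CN: $(cert_cn e26458.pem)   SAN: $(cert_san e26458.pem)"
echo "chains to CA: $(chains_to_ca ca.pem e26458.pem)  valid: $(cert_valid_now e26458.pem)  clientAuth EKU: $(has_client_eku e26458.pem)"
revocation_urls e26458.pem
echo "before revocation: $before, after: $after"
```

Run it with sh. The last line prints accepted before the revocation and rejected after, with nothing changed on the "WLC" side of the picture: the decision comes from the certificate validator that follows the CDP/AIA pointers, which in a real deployment is the RADIUS server (ACS, ISE or freeradius), so that is where CRL download or OCSP has to be configured, and the CRL has to actually be published at the URL the CA put in the cert. The example checks against a local CRL file instead of fetching it.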
-
how do you select certificate for enterprise wireless authentication?
Our wireless is nb-ssid, and when I enter the config I only get the option for username and password, not to select a certificate as per the documentation.
ATT Pre Plus
Post relates to: Pre Plus p100una (AT&T)
-
I had configured everything for certificate authentication (EAP-TLS) in a Windows 2003 AD with an enterprise CA. After joining a machine to the domain I receive a certificate for the computer, then I set XP SP3 to a reauthentication period of 120 sec (per the Microsoft KB). I tried two different XP machines with EAP-TLS authentication, but without success.
I use "authentication open" on the switch, therefore the machines can communicate with the whole network. Nothing appears in Failed Attempts.csv or Passed Attempts.csv (of course).
Just the RDS.log shows some activity, ending with
NAS: 172.24.34.62:27910:25 Cleaning lookup entry.
repeated over and over.
If I change the authentication type to PEAP, which I had not configured on ACS, then a failed attempt is logged: EAP_PEAP Type not configured.
Is it necessary to apply http://support.microsoft.com/kb/957931 on Windows XP for machine authentication to succeed?
Please pay attention to the attachments and let me know what could be the problem with my unsuccessful use of EAP-TLS.
Configuration of the interface I use for testing:
interface GigabitEthernet0/42
description Test 802.1X client - Filip
switchport access vlan 34
switchport mode access
switchport voice vlan 31
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
authentication violation protect
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
Hi Filip,
Just noticed your post...
In order to use EAP-TLS you should ensure that you have the complete cert chain. I've noticed that EAP-TLS and Service Pack 3 have some compatibility issues, so please try authenticating with a Windows XP SP2 machine.
Microsoft has done some changes in SP 3 for wired 802.1x
Changes to the 802.1X-based wired network connection settings in Windows XP
Service Pack 3
http://support.microsoft.com/kb/949984/
In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
* The WZCSVC service
* The Wired AutoConfig service (DOT3SVC)
As we are using wired authentication, I would suggest you check whether the Wired AutoConfig service is running or not. You can check by manually starting the Wired AutoConfig service.
If you are an end user who has already installed Windows XP SP3, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type services.msc, and then press ENTER.
3. Locate the Wired AutoConfig service, right-click it, and then click Start.
Since we are not getting any hits on the ACS for EAP-TLS, it clearly indicates that the supplicant is not sending an Access-Request...
CERTIFICATE REQUIREMENT IN EAP-TLS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
ACS CONFIGURATION:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
MICROSOFT XP CLIENT CONFIGURATION:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
As far as PEAP is concerned, where we are getting EAP_TYPE not configured: you need to enable PEAP-MSCHAPv2 on the ACS under System Configuration > Global Authentication Setup and check both PEAP and EAP-TLS.
Also make sure that your logging is set to full: go to System Configuration > Service Control, check the radio button for FULL and click Restart.
Also, let me know the full ACS version and platform.
HTH
JK
Do rate helpful posts
-
EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.
Hello,
I'm currently in the first phases of deploying a Cisco IPT 802.1X-based proof of concept using freeradius and Cisco switching infrastructure (4500s).
The requirements are to use EAP-TLS authentication for the phones, and freeradius as the RADIUS server.
While trying out the concept in the lab with an ISE RADIUS server, the configuration was straightforward and I did manage to authenticate IP phones to ISE using their MIC certificates.
Moving to actual testing with freeradius, EAP-TLS authentication keeps looping: the phones keep sending RADIUS Access-Requests, but are neither rejected nor allowed.
What was done:
- set up freeradius with an EAP-TLS configuration, trusting both the Cisco CA root and the manufacturing root.
- freeradius has a server certificate issued by a Thawte SSL CA, where the EKU fields are properly set for server authentication (and also client authentication).
- The phone has 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test).
What I can see while running a wireshark trace on freeradius is:
- both parties negotiate properly that they will engage in EAP-TLS.
- they start the TLS handshake
- Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
- Client (phone) never sends its certificate (MIC) to the server.
- Client restarts EAP-TLS negotiation and goes on and on.
Unfortunately the debugs/captures on freeradius do not allow me to verify whether the server certificate exchange finishes, or whether it fails somewhere (like a fragment being dropped).
Does anyone have an idea of what might be happening? I find it very strange that the phone, in a freeradius deployment, would behave differently than in an ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
Phone firmware is 9.2(3) and CallManager 8.6.
Thanks
Gustavo Novais
Found the problem. Apparently ADU can't access the certificate store if the client is not part of the AD domain.
-
Issue with iphone configuration utility: eap-tls certificate selection
hello,
I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
here's my issue:
I use iPhone Configuration Utility v2.1 for Windows. I added 2 certificates (one user cert and one CA cert) under 'Credentials', then configured one Wi-Fi network (EAP-TLS, using the certificate I just added), then synced with my phone. Everything worked fine so far. However, when I tried to connect to Wi-Fi I got an error, and found out that the iPhone was using a certificate issued by the IPCU CA instead of the certificate I uploaded.
This behavior can be corrected by manually changing the certificate in the wireless settings; however, this has to be done every time I try to connect to the wireless network, which is quite frustrating. A workaround is to email myself the certificate and install it from the iPhone, but I can't install the CA certificate this way.
i am wondering if anyone has similar issue and how to fix this.
thanks,
-ns
The configuration utility doesn't allow you to select the iPCU cert, which is kind of self-signed by the software. You can only select the cert that you imported.
Upgraded to IPCU ver 2.2 today and it seems to fix the problem. Will monitor it for several days and report back.
-
Eap-tls wired 802.1x - certificate issue?
I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validating Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached, then it dumps the workstation into the guest VLAN. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. If you change the state of the port, either by disabling/enabling from the workstation or switch, or by unplugging the cable and plugging it back in, Windows does not seem to pass the certificate information along to the PAE.
This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
Has anybody seen this before, and does anyone have a solution for why Windows cannot recognize the machine certificate properly?
We solved our WIRELESS problem by editing the following entries. I'm sure this can be applied to the wired side somehow.
The information about the correct settings can be found in this Microsoft document:
http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
This allows just the machine to authenticate (using a cert already on the machine); then we use our ACS server to authenticate the user via AD.
I am doing this wirelessly, and as long as you are using a WDS the following will be the result.
Roaming AP to AP I only lost 1 packet.
Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
Shutting the wireless off and back on I only lost 8 packets.
I thought this was a very good result. We will be launching our lab with 35-plus laptops in a classroom with 2 radios.
-
Hi,
we have an issue with EAP-TLS authentication with SAN (Subject Alternative Name). The authentication uses the CN instead of the SAN.
Our environment is built as follows:
1 LWAPP Cisco AP
1 WLC & 1 WCS
1 ACS (4.2.(1) Build 15 Patch 3)
1 CA (Certification Authority enTrust)
1 Windows 8.1 Client
The ACS global authentication configuration is attached to the discussion.
The ACS certificate is loaded correctly and the CA is trusted.
On the client the user certificate is correctly loaded.
In the Failed Attempts I can find the CN of the user's certificate in the username field, but I cannot see the SAN.
Thanks in advance
It should not happen. Please check the error codes here:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.3/troubleshooting/guide/ecodes.html
-
Hello, I am trying to configure Wi-Fi settings OTA on iPhone/iPad. The certificate enrollment goes through fine and the device signs the final request with the newly acquired certificate. I am stuck in the last phase, i.e. pushing the final mobileconfig containing the EAP-TLS settings. It seems the configuration is accepted even though it is not signed or encrypted. Also, the configuration includes the root CA certificate which issued the device certificate, as well as the identity certificate (the newly issued certificate) for the EAP-TLS settings. The device complains about not being able to connect using the pushed profile. Is it okay to send the root CA certificate in the mobileconfig, and will it be trusted? Also, what is the encoding format for the certificate?
Thanks for any help.
Here is how it works for me:
RADIUS server configured for EAP with certificate authentication (not PEAP or anything else)
send the USER certificate by email (run certmgr.msc > Personal > Certificates > the one with your name > export with private key)
retrieve it on your iPhone, tap it and install it on the iPhone
in the Wi-Fi connection tab, enter your username and choose EAP-TLS under 'Mode'
under Identity choose your user certificate.
It will connect and ask you to trust the authentication server certificate.
Putting the root CA in doesn't make it trust the authentication server for me in later iOS versions (after 4.1).
-
EAP-TLS 802.1x certificate issue..
Hi All,
I'm trying to set up EAP-TLS 802.1x using ACS SE 4.1.1.23.4, a WLC and a CA. The problem I'm facing is with installing the CA certificate on the ACS appliance. I tried everything from the Cisco docs but I'm not able to install the certificate, as it gives "Unsupported private key file format." The steps which I performed are...
1) Generate Certificate Signing Request:
Certificate subject ---- CN=idea_acs_01
Private key file ---- privatekeyfile.pem
Private key password -- cisco
Retype private key password -- cisco
Key length --- 1024
Digest to sign with --- SHA1
Then I copied the certificate signing request from the right side and pasted it into the CA using "advanced certificate request" and then the "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file" option, pasting the output into the Base-64-encoded certificate request field. Then I issued the certificate from the CA, downloaded it to my desktop, and then copied it from my desktop to the FTP server.
I even made a file named privatekeyfile.pem with the output I got while generating the certificate signing request and uploaded it to the FTP server as well.
2)Install ACS Certificate:
Then I downloaded the certificate certnew.cer from the FTP server using the Download certificate file option, and also downloaded the private key file from the FTP and typed the password cisco. But after submitting it gives the error:
"Unsupported private key file format."
I'm not able to work out why this error is coming. I even tried all the steps above changing the format of the private key file, i.e. .pvk, .pk, but it's not working for me.
Can anyone guide me on what the issue is? Thanks in advance.
Regards,
Piyush
Have you looked at this:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
Try to open up the certificate and verify that it looks something like this:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-
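Added example, not part of the thread: the CSR and private-key steps from this post redone with openssl, so that the contents of every file can be checked before anything is uploaded. The post describes saving the text shown while generating the CSR as privatekeyfile.pem; a file whose first PEM block reads CERTIFICATE REQUEST is not a private key, and the pem_type check below catches exactly that, which is worth ruling out before trying other key file extensions. It also shows the same key in the two common PEM containers and in DER, the same certificate in DER (.cer) and PEM, and the key-plus-certificate PKCS#12 bundle that the iPhone reply earlier on this page calls "export with private key". It assumes openssl 1.1.1 or newer in PATH; the CN and the lab passphrase "cisco" are taken from the post, the file names are made up, and the certificate is self-signed here as a stand-in for the one the CA would issue.

```shell
# Added example, not part of the thread: the ACS key/CSR flow redone with
# openssl so each file can be checked before upload.  Assumed: openssl 1.1.1+
# in PATH; CN and lab passphrase from the post, file names made up.  A
# passphrase like "cisco" is for the lab only.
set -e
WORK=$(mktemp -d)
cd "$WORK"
PASS=cisco

# 1. Encrypted private key and the CSR made from it (2048-bit rather than the
#    post's 1024: 1024-bit RSA keys should no longer be issued).
openssl genrsa -aes256 -passout pass:$PASS -out privatekeyfile.pem 2048 2>/dev/null
openssl req -new -sha256 -key privatekeyfile.pem -passin pass:$PASS \
  -subj "/CN=idea_acs_01" -out idea_acs_01.csr 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null   # unrelated key, for the mismatch case

# Which PEM object does a file hold?  A file whose first block is
# "CERTIFICATE REQUEST" is not a private key, whatever it is named; a file
# with no BEGIN line at all is binary (DER) or not a key/cert.
pem_type() {
  t=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
  echo "${t:-not PEM}"
}

# The CSR must carry the public half of, and be signed by, the key that will
# be uploaded together with the issued certificate.
csr_verifies()    { openssl req -in "$1" -noout -verify >/dev/null 2>&1 && echo ok || echo bad; }
pubkey_of_key()   { openssl pkey -in "$1" -passin pass:$PASS -pubout; }
csr_matches_key() { [ "$(openssl req -in "$1" -noout -pubkey)" = "$(pubkey_of_key "$2")" ] && echo match || echo mismatch; }
cert_matches_key(){ [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(pubkey_of_key "$2")" ] && echo match || echo mismatch; }

# 2. Same key, different container.  A product that reports "unsupported
#    private key file format" may accept only one of these; converting
#    between them does not change the key material.
openssl pkcs8 -topk8 -in privatekeyfile.pem -passin pass:$PASS \
  -out key-pkcs8.pem -passout pass:$PASS 2>/dev/null              # PEM, PKCS#8
openssl pkcs8 -topk8 -in privatekeyfile.pem -passin pass:$PASS \
  -outform DER -out key-pkcs8.der -passout pass:$PASS 2>/dev/null # same, binary DER

# 3. Stand-in for the CA-issued certificate (self-signed: no CA in this lab).
#    The MS CA web pages hand out certnew.cer as either DER or Base-64; both
#    decode to the same certificate, so the fingerprints must agree.
openssl req -x509 -key privatekeyfile.pem -passin pass:$PASS -days 30 -sha256 \
  -subj "/CN=idea_acs_01" -out idea_acs_01.pem 2>/dev/null
openssl x509 -in idea_acs_01.pem -outform DER -out certnew.cer
openssl x509 -inform DER -in certnew.cer -out certnew.pem
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }

# 4. Key + cert in one PKCS#12 bundle, the form a phone or a Windows box
#    imports (what "export with private key" in certmgr.msc produces).
openssl pkcs12 -export -inkey privatekeyfile.pem -passin pass:$PASS \
  -in idea_acs_01.pem -name idea_acs_01 -passout pass:$PASS -out idea_acs_01.p12 2>/dev/null
p12_contents() {
  dump=$(openssl pkcs12 -in "$1" -passin pass:$PASS -nodes 2>/dev/null)
  k=$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY' || true)
  c=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
  echo "$k key, $c cert"
}

for f in privatekeyfile.pem idea_acs_01.csr key-pkcs8.pem key-pkcs8.der idea_acs_01.pem certnew.cer; do
  printf '%-20s %s\n' "$f" "$(pem_type "$f")"
done
echo "CSR self-check: $(csr_verifies idea_acs_01.csr); CSR/key: $(csr_matches_key idea_acs_01.csr privatekeyfile.pem); CSR/other key: $(csr_matches_key idea_acs_01.csr other.key)"
echo "cert/key: $(cert_matches_key idea_acs_01.pem privatekeyfile.pem); DER same as PEM: $([ "$(fingerprint certnew.pem)" = "$(fingerprint idea_acs_01.pem)" ] && echo yes || echo no)"
echo "p12 holds: $(p12_contents idea_acs_01.p12)"
```

Run it with sh. The table at the end shows which container each file actually is (an encrypted key, a CSR, a DER blob), and the match/mismatch lines show the one property that matters when a server complains about a key file: the CSR, the issued certificate and the private key you upload must all carry the same public key. If the uploaded key and the certificate do not match, or the "key" file is really the CSR text, no change of file extension will help.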
ISE Provisioning Issues - Public Certificate & EAP-TLS
Anyone run into the issues similar to the below?:
Public Certificate bound for HTTPS
Internal AD Certificate Bound for EAP
The issue is that the SPW or native supplicant is provisioned with the root CA of the public cert, then SCEP enrolls for EAP-TLS with the internal CA; however, as the client device (iPad/iPhone/Android) doesn't get the internal root CA provisioned, they fail EAP-TLS communication.
Running ISE 1.1.2 patch 2, 2-node cluster
Guest Portal being used for Provisioning if AD credentials passed
Works a treat if I bind both HTTPS and EAP to the internal identity certificate (the only issue then is that guests/BYOD devices get certificate warnings on the portal).
Cheers
Kam
The process doesn't fail as such for the onboarding/provisioning on the iPhone. However, when entering domain credentials on the guest portal, which initiates the onboarding/provisioning process, I notice the root CA certificate prompted for install on the iPhone is that of the public certificate instead of the internal root CA. The rest of the user certificate and SCEP process completes properly; however, as the root CA for the internal CA wasn't installed, I get warnings when connecting to our dot1x EAP-TLS SSID.
On other devices this process fails, which I can only assume is down to the lack of the internal root CA cert.
So as per the above I'm pretty much following this (differentiated access via certificates):
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
However, my setup is slightly different, as the EAP and HTTPS identity certificate is not the internal one; I have installed a public cert for HTTPS to remove certificate warnings on the guest portal (as BYOD devices and guests will only have non-domain machines, a public cert removes the certificate warnings).
Does that clarify any more?
Cheers
Kam