Eap-tls configuration

Similar Messages

• How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

  Hi Team,
  We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy.  However, we're now looking to see how we can accomplish this for Mac book and iphones?  Is there an open source application or something we can leverage to do this?
  Thanks

  I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
  Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
  Hope this helps!
  Thank you for rating helpful posts! 

• Eap-tls configuration assistance

  I am trying to get eap-tls working on my wireless network, with machine authentication. I have followed the numerous configuration guides on CCO but seem to be running around in circles. So can someone please give me a sanity check.
  Scenario
  MS CA (Windows 2008 Server)
  MS DC (Windows 2003 Server)
  ACS 4.2 (Windows 2003 Server)
  WLC 4402 (5.2)
  LWAP AIR-LAP1142N-N-K9
  Client MS XP SP3
  I have confirmed that the certficates are valid on both the ACS and client.
  The problem I have is, I see the client associate, but fails authentication. I look in the ACS failed log attempts, I see:
  13/07/2009 11:19:17 Authen failed host/e26458.internal.company Default Group 00-12-F0-82-77-2D (Default) External user not found .. .. 1 10.10.10.100 .. .. 13 EAP-TLS .. TWLC01 CITY
  I have configured ACS for Unkown User Policy and have the client e26458 in AD.
  I would like some advice from some people who have successfuly implemented EAP-TLS, as I have hit a brick wall. I have attached the results of the debug aaa events enable,debug aaa detail enable,
  debug dot1x events enable,debug dot1x states enable on the WLC.
  frustratingly yours

  I am unable to open the attachment, anyway let me tell you few things which you should conform while using certificates.
  1. Both your client and server certificates should be from same authority
  2. You should have the same username in which the certificate issued should be in your ACS database.
  3. Conform the validity of both your CA and device certificate
  Just to conform this is not an issue with your ACS server you can install the cert in your controller and try to authenticate the client using local auth.If this works then your certs are perfect and verify your ACS configurations

• Cisco WLC EAP-TLS configuration

  I need help. I'm trying to configure virtual WLC for EAP-TLS authentication. I configured that, but I don't know where I can set CRL (certificate revocation list) or OCSP (Online Certificate Status Protocol). I must to use this technolodgy for deny access for laid-off employees.

  CRL and OCSP are both part of the certificate itself. Your CA must add the URL for these services when the cert is generated. The WLC does not get configured with the URL for these services. The WLC simply knows the Radius Server IP(s) and has the root cert installed so it can handle the TLS authentication. 

• EAP-TLS configuration issues

  Hi ,
  I am trying to set up a mixed vendor NIC wireless environment and have opted to use EAP-TLS. I am however having some problems getting it to work. I am using AP1100, Aironet 350 PCMCIA cards , Microsoft CA, and ACS3.1. I have successfully setup the client and ACS side certificates and followed the instructions on the EAP-TLS Deployment Guide for Wireless networks which I downloaded off CCO. When I run a "debug radius" on the Access point I dont see any debug info. When I reconfigure everything for LEAP I can then see the AP radius debugs. Does anyone have any tips or recommendations ? I have upgraded XP to service pack 1 ? If you could perhaps direct me to a more comprehensive installation document I would also appreciate it .
  Many thanks

  Hi,
  unfortunately I have no answer for your current issues. I have post this message to ask for your help. I have the same issue that you talk about.
  I'm trying to deploy a WLAN with EAP-TLS XP clients but without success. With LEAP all work fine and I can see AP debugs but not with EAP-TLS.
  I think certificates works fine because the same user unable to authenticate with AP1100 is able to authenticate with EAP-TLS with Catalyst 2950.
  I have see the following messages in EAPOL.log
  (Win XP Prof. with SP1)
  [1144] 17:41:25: ElProcessEapConfigChange: Modified SSID non-NULL, PCB SSID NULL
  [1144] 17:41:25: ElProcessEapConfigChange: Finished with error 0
  Please, could you tell me your workaround?
  Thanks in advance.

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

  Hello,
  I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
  The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
  While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
  Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
  What was done:
  - set up freeradius with EAP-TLS configuration, trusting both cisco CA root  and manufacturing root.
  - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
  - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
  What I can see while running a wireshark trace on freeradius is:
       - both parties negotiate properly that they will engage in EAP-TLS.
       - they  start the TLS handshake
       - Server sends its certificate on a Server Hello to the phone (which is meant to not validate it)
       - Client (phone) never sends its certificate (MIC) to the server.
       - Client restarts EAP-TLS negotiation and goes on and on.
  Unfortunately the debugs/Captures on freeradius do not allow to verify if the server certificate exchange is finished, or if it is failing somewhere (like a fragment being dropped).
  Does anyone have an idea on what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than one on a ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
  Phone firmware is 9.2(3) and callmanager 8.6
  Thanks
  Gustavo Novais

  Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain

• Issue with iphone configuration utility: eap-tls certificate selection

  hello,
  I am a new Apple user so if there's anything obvious, please bear with me. I also tried to search in the forum but didn't find any solution.
  here's my issue:
  I use iphone configuration utility v2.1 for windows. I added 2 certificates(one user cert and one CA cert) under 'credentials'. then i configured one wifi network (eap-tls using the certificate i justed added). then i synced with my phone. everything worked fine so far. however, when I tried to connect to wifi, i got error and found out that iphone was using a certificate issued by IPCU CA instead of the certificate i uploaded.
  this behavior could be corrected by manually change the certificate from wireless setting. however, this has to be done every time I try to connect to wireless network which is quite frustrated. a workaround is to email me the certificate and install it from iphone. but i can't install the CA certificate via this way.
  i am wondering if anyone has similar issue and how to fix this.
  thanks,
  -ns

  the configuration utility doesn't allow you to select the iPCU cert which is kind of a self signed by the software. you could only select the cert that you imported.
  upgraded to ipcu ver 2.2 today and it seems to fix the problem. will monitor it for several days and report back.

• EAP-TLS with Radius Server configuration (1130AG)

  Hi All,
  Im currently tryign to get eap-tls user certificate based wireless authentication working. The mismatch of guides im trying to follow has me ocming up trumps with success so far, so heres hoping you guys can right me wrongs and put me on the right path again.
  My steps for radius:- (i think this part ive actually got ok)
  http://technet.microsoft.com/en-us/library/dd283091(v=ws.10).aspx
  Steps for the wirless profile on a win 7 client:- this has me confused all over the place
  http://technet.microsoft.com/en-us/library/dd759246.aspx
  My 1130 Config:-
  [code]
  Current configuration : 3805 bytes
  ! Last configuration change at 11:57:56 UTC Fri Jan 25 2013 by apd
  ! NVRAM config last updated at 14:43:51 UTC Fri Jan 25 2013 by apd
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname WAP1
  aaa new-model
  aaa group server radius RAD_EAP
  server 10.1.1.29 auth-port 1812 acct-port 1813
  aaa authentication login default local
  aaa authentication login EAP_LOGIN group RAD_EAP
  aaa authorization exec default local
  aaa authorization network default local
  aaa session-id common
  ip domain name ************
  dot11 syslog
  dot11 ssid TEST
     authentication open eap EAP_LOGIN
     authentication network-eap EAP_LOGIN
     guest-mode
  crypto pki trustpoint TP-self-signed-1829403336
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1829403336
  revocation-check none
  rsakeypair TP-self-signed-1829403336
    quit
  username ***************
  ip ssh version 2
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid TEST
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  ssid TEST
  no dfs band block
  channel dfs
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 10.1.2.245 255.255.255.0
  ip helper-address 10.1.1.27
  no ip route-cache
  no ip http server
  ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  radius-server host 10.1.1.29 auth-port 1812 acct-port 1813 key **************
  radius-server key ************
  bridge 1 route ip
  line con 0
  logging synchronous
  transport preferred ssh
  line vty 0 4
  logging synchronous
  transport input ssh
  sntp server 130.88.212.143
  end
  [/code]
  and my current debug
  [code]
  Jan 25 12:00:56.703: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:00:56.703: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:00:56.703: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:00:56.703: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  Jan 25 12:01:26.698: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 25 12:01:26.698: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 25 12:01:26.698: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 25 12:01:26.699: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#25 12:01:26.699: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_aaa_upd_accounting: Updating attributes for user: 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 25 12:01:26.699: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: AAA/BIND(000000
  WAP1#12): Bind i/f
  Jan 25 12:01:27.580: dot11_auth_add_client_entry: Create new client 74de.2b81.56c4 for application 0x1
  Jan 25 12:01:27.580: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: req->auth_type 0
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 25 12:01:27.581: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 25 12:01:27.581: dot11_run_auth_methods: Start aut
  WAP1#h method EAP or LEAP
  Jan 25 12:01:27.581: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  Jan 25 12:01:27.581: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 25 12:01:27.581: EAPOL pak dump tx
  Jan 25 12:01:27.581: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 25 12:01:27.581: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01801670:                   0100002B 0101002B          ...+...+
  01801680: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  WAP1#
  01801690: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018016A0: 6F727469 643D30                      ortid=0
  Jan 25 12:01:27.582: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 25 12:01:27.582: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 25 12:01:27.582: dot1x-registry:registry:dot1x_ether_macaddr called
  Jan 25 12:01:27.583: dot11_auth_dot1x_send_id_req_to_client: Client 74de.2b81.56c4 timer started for 30 seconds
  WAP1#
  [/code]
  Can anyone point me in the right direction with this?
  i also dont like it that you can attempt to join the network first before failing
  can i have user cert based + psk? and then apply it all by GPO
  Thanks for any help

  ok ive ammdened the wireless profile as suggested
  i already have the root ca and a user certificate installed with matching usernames
  I had already added the radius device to the NPS server and matched the keys to the AP
  now heres the debug im getting, when i check the NPS server, still doesnt look like its getting any requests at all :|
  Jan 29 11:53:13.501: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_dot1x_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.501: dot11_auth_send_msg:  sending data to requestor status 0
  Jan 29 11:53:13.501: dot11_auth_send_msg: client FAILED to authenticate 74de.2b81.56c4, node_type 64 for application 0x1
  Jan 29 11:53:13.501: dot11_auth_delete_client_entry: 74de.2b81.56c4 is deleted for application 0x1
  Jan
  WAP1#29 11:53:13.501: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_disp_callback: Received FAIL from Local Authenticator
  Jan 29 11:53:13.501: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_FAIL) for 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_mgr_sm_send_client_fail: Authentication failed for 74de.2b81.56c4
  Jan 29 11:53:13.502: %DOT11-7-AUTH_FAILED: Station 74de.2b81.56c4 Authentication failed
  Jan 29 11:53:13.502: dot11_mgr_disp_auth_abort
  WAP1#: Sending abort request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:13.502: dot11_auth_client_abort: Received abort request for client 74de.2b81.56c4
  Jan 29 11:53:13.502: dot11_auth_client_abort: No client entry to abort: 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.619: AAA/BIND(00000019): Bind i/f
  Jan 29 11:53:14.619: dot11_mgr_disp_auth_request: Send auth request for client 74de.2b81.56c4 to local Authenticator
  Jan 29 11:53:14.619: dot11_auth_add_client_entry: Create new c
  WAP1#lient 74de.2b81.56c4 for application 0x1
  Jan 29 11:53:14.620: dot11_auth_initialize_client: 74de.2b81.56c4 is added to the client list for application 0x1
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: req->auth_type 0
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: auth_methods_inprocess: 2
  Jan 29 11:53:14.620: dot11_auth_add_client_entry: eap list name: EAP_LOGIN
  Jan 29 11:53:14.620: dot11_run_auth_methods: Start auth method EAP or LEAP
  Jan 29 11:53:14.620: dot11_auth_dot1x_start: in the dot11
  WAP1#_auth_dot1x_start
  Jan 29 11:53:14.620: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 74de.2b81.56c4
  Jan 29 11:53:14.620: EAPOL pak dump tx
  Jan 29 11:53:14.621: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.621: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808560: 0100002B 0101002B 01006E65 74776F72  ...+...+..networ
  01808570: 6B69643D 54455354 2C6E6173 69643D41  kid=TEST,nasid=A
  01808580: 50445741 50312C70 6F727469 643D30    WAP1,portid=0
  Jan 29 11:53
  WAP1#:14.621: dot11_auth_send_msg:  sending data to requestor status 1
  Jan 29 11:53:14.621: dot11_auth_send_msg: Sending EAPOL to requestor
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received message from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_disp_callback: Received DOT11_AAA_EAP from Local Authenticator
  Jan 29 11:53:14.622: dot11_mgr_sm_run_machine: Executing Action(BRIDGE,AUTHENTICATOR_REPLY) for 74de.2b81.56c4
  Jan 29 11:53:14.622: dot11_mgr_sm_send_response_to_client: Forwarding Authenti
  WAP1#cator message to client 74de.2b81.56c4
  Jan 29 11:53:14.622: EAPOL pak dump tx
  Jan 29 11:53:14.622: EAPOL Version: 0x1  type: 0x0  length: 0x002B
  Jan 29 11:53:14.622: EAP code: 0x1  id: 0x1  length: 0x002B type: 0x1
  01808690:                   0100002B 0101002B          ...+...+
  018086A0: 01006E65 74776F72 6B69643D 54455354  ..networkid=TEST
  018086B0: 2C6E6173 69643D41 50445741 50312C70  ,nasid=WAP1,p
  018086C0: 6F727469 643D30                      ortid=0
  Jan 29 11:53:14.623: dot1x-regi

• Need configuration guide for EAP-TLS

  I need to setup the AP-1200 I have for EAP-TLS. Anyone know of some good documentation that I can use to configure this? I already have the CA and RADIUS servers up and going.
  Thanks in advance for your help.

  Here are some docs that I used when setting up EAP-TLS with my Cisco 350 APs and Cisco 340/350 wireless client adapters. I made notes in them but they were derived from Cisco support originally. I've found that Win2K clients have more trouble with authenticaion because they must have the 802.11x engine installed (MS update/hotfix) which I've found only can be installed on clients running SP3 (not SP2 or even SP4). Kinda weird. Anyways, you'll probably have the best luck with XP clients because of its native 802.11x support that's built in.
  Hope that helps...

• How to configure EAP-TLS OTA

  Hello, I am trying to configure wi-fi setting OTA on iPhone/iPad.  The certificate enrolment goes thru fine and the device signs the final request with newly acquired certificate. I am stuck in the last phase i.e. pushing the final mobileconfig containing EAP-TLS setting. It seems the configuration is accepted even though it is not signed or encrypted. Also, the configuration includes the root CA certificate which issued the device certificate as well as identity certificate (which is the newly issued certificate) for EAP-TLS setting . The device complains about not able to connect using the pushed profile. Is it okay to send root CA certificate in the mobileconfig and will it be trusted? Also, what is the encoding format for the certificate? 
  Thanks for any help.

  Here is how it's work for me :
  server radius configured to EAP with certificate authentication (not PEAP or anything else)
  send USER certificate by email (run certmgr.msc > personal certificate > the one with your name > export with private key)
  retrieve it on your iphone, click on it and install it on iphone
  in the wifi connection tab, enter your username, and choose in 'mode" : EAP-TLS
  in identity choose your user certificate.
  It will connect and ask you to trust the authentication server certificate
  putting root CA doesn't trust the authentication server for me in later IOS version (after 4.1)

• WLC configuration for EAP-TLS

  Hi,
  I am tring to set up a Cisco WLC 2006 with EAP-TLS + WPA.
  Everytime I try to log in to the network my wireless card gives a message saying " validating user", but nothing else happens.
  I cannot find any manual for configuring this. Can anyone perhaps assist?
  Regards
  Dean

  More details would be helpful:
  What RADIUS server are you using, what CA are you using, where (what VLAN) they located, which port of the WLC are you connected to (RADIUS/CA)?
  Are you using the Vendor's client software or MS wireless zero config? Which version? or Linux? Which distribution/version?
  Having this info will be a good start ...
  Let us know
  Scott

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

  In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
  on this computer" and un-checked "Use simple certificate selection".
  My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
  client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
  drop down.
  Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
  TIA,
  -Rick

  Hi Rick,
  Thank you for your patience.
  According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
  know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
  Best regards,
  Steven Song
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Connecting iPads to an Enterprise Wireless 802.1x (EAP-TLS) Network Using Windows Server 2003 IAS

  Hi there,
  I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer whishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, Certificates etc. in a Windows infrastructure but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
  I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
  1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
  2. Configure a Service Principal Name (SPN) for the new computer object.
  3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
  4. Export the certificate created for the non-domain joined machine and install it.
  5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
  The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior??
  Regards,
  Jeffrey

  Use VPP.  Select an MDM.  Read the google doc below.
  IT Resources -- ios & OS X -- This is a fantastic web page.  I like the education site over the business site.
  View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
  http://www.apple.com/education/resources/information-technology.html
     business site is:
     http://www.apple.com/lae/ipad/business/resources/
  Excellent guide. See announcment post -- https://discussions.apple.com/thread/4256735?tstart=0
  https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/ edit?pli=1
  good tips for initial deployment:
  https://discussions.apple.com/message/18942350#18942350
  https://discussions.apple.com/thread/3804209?tstart=0