EAP-TLS, how is dynamic key transmitted?

how is the dynamic key derived and transmitted?

You may want to look into section 3.5 and 3.8 of RFC 2716. There is also a seciton on this in the following link:
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/acstl_wp.htm

Similar Messages

802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.

SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.

How to configure EAP-TLS OTA

Hello, I am trying to configure wi-fi setting OTA on iPhone/iPad. The certificate enrolment goes thru fine and the device signs the final request with newly acquired certificate. I am stuck in the last phase i.e. pushing the final mobileconfig containing EAP-TLS setting. It seems the configuration is accepted even though it is not signed or encrypted. Also, the configuration includes the root CA certificate which issued the device certificate as well as identity certificate (which is the newly issued certificate) for EAP-TLS setting . The device complains about not able to connect using the pushed profile. Is it okay to send root CA certificate in the mobileconfig and will it be trusted? Also, what is the encoding format for the certificate?
Thanks for any help.

Here is how it's work for me :
server radius configured to EAP with certificate authentication (not PEAP or anything else)
send USER certificate by email (run certmgr.msc > personal certificate > the one with your name > export with private key)
retrieve it on your iphone, click on it and install it on iphone
in the wifi connection tab, enter your username, and choose in 'mode" : EAP-TLS
in identity choose your user certificate.
It will connect and ask you to trust the authentication server certificate
putting root CA doesn't trust the authentication server for me in later IOS version (after 4.1)

FlexConnect, EAP-TLS and dynamic VLAN assignments

I need to integrate Cisco ISE and WLC5508 with FlexConnect (local switching) using EAP-TLS security for wireless clients across multiple floors (dynamic VLAN assignments based on floor level). The AP model used is 3602.
I have some questions:
- What RADIUS Attribute can be used for dynamic VLAN assignments based on floor level? Is there an option where I can group all LWAPs in same floor for getting certain VLAN from ISE?
- I intend to use WLC software version 7.2 since 7.3 is latest version. Has someone use WLC software version 7.3 without any major bugs/issues pertaining to FlexConnect and EAP-TLS?
- I read some documents saying L3 roaminig is where the associated WLC has changed. However if user move to different subnet but still associated to the same WLC, would this be consider as L3 roaming too?
Can someone assist to clear my confusion here? any reference url for layer 2 and layer 3 roaming details is appreciated. Thanks

I'll give this a shot:)
For radius vlan attributes, bothe ACS and ISE in the policies have the ability to just enter the vlan id in the profile. You can either do that or use the IETF attributes.
The RADIUS attributes to configure for VLAN assignment are IETF RADIUS attributes 64, 65, and 81, which control VLAN assignment of users and groups. See RFC 2868 for more information.
64 (Tunnel-Type) should be set to VLAN (Integer = 13)
65 (Tunnel-Medium-Type) should be set to 802 (Integer = 6)
81 (Tunnel-Private-Group-ID) should be set to the VLAN number. This can also be set to VLAN name if using a Cisco IOS device (excludes Aironet and Wireless Controllers however).
You can find this by searching on Google.... A lot of examples out there
v7.2 and v7.3 I have had no issues with, with any type of encryption used. With 7.0 and 7.2, I would use the latest due to the Windows 8 fix.
Layer 3 roaming is what's going to happen if the AP's are in local mode. This means that the client will keep their IP address no matter what ap they are connected to and or WLC as long as the mobility group is the same. So a user who boots up in floor 1 will keep its IP address even if he or she roams to the 12th floor and as long as he or she didn't loose wireless connection.
FlexConnect you can do that. The AP's are trunked and need to have the vlans. So what your trying to do will be disruptive to clients. When the roam to another floor ap that is FlexConnect locally switched, they will drop and have to re-associate in order to get a new IP address.
Hope this helps.
Sent from Cisco Technical Support iPhone App

How to install EAP-TLS certificate?

Hi All,
Our wireless network requires EAP-TLS certificate installation.
We use a MS 2003 server as a CA server.
I tried to brows to the issuing website (http://CAserver/certsrv) but when I get to the section where I need to choose the strength of the key, somehow the phone's browser is not showing the options...
So, I tried to issue a certificate from the issuing station and got a file called certnew.cer .
From what I read this is the right certificate type, so I copied the file to the phone and tried to open it...
But it only open it with the Notes application...
Any help????
10x in advanced,
Naor.

The certificate needs to be in .der format. You probably have it in .cer (PEM) format right now.
You can convert it using openssl. Change the filenames appropriately:
openssl x509 -outform der -in MYCERT.pem -out MYCERT.der
Then send the .der file to the phone and open it. The phone should offer to install it as a certificate.
Message Edited by sanjaymehta on 06-Aug-2009 09:22 PM
Message Edited by sanjaymehta on 06-Aug-2009 09:23 PM
Sanjay Mehta
Motorola "Brickphone" circa 1996, Alcatel One Touch, Ericsson R380, Sony Ericsson T220, Sony Ericsson T630, Nokia E50, Nokia E61i, Nokia 9300i, Nokia E71,Nokia X6, Google Nexus S, iPhone 4S

How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

Hi Team,
We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy. However, we're now looking to see how we can accomplish this for Mac book and iphones? Is there an open source application or something we can leverage to do this?
Thanks

I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications.
Hope this helps!
Thank you for rating helpful posts!

"Unable to transmit key to mobile" eap-tls

Hi,
I got a Wireless Controlleer with a few APs. Now testing EAP auth. Clients fails to authenticate on the network using EAP-TLS. Client status shows as Associated but Auth as No. Ive attached the client debug. It got stuck on "Unable to transmit key to mobile" where XP is "Validating identity". Any sugestions?

Hi fella,
Sorted. Make sure you got all certificates installed and don't use to complicated shared passwords for radius.
Regards

EAP-TLS Certificate Key Size

Hi,
I'm in the process of setting up EAP-TLS authentication in my network. I have installed 2048 bit certificates on my ACS server and Client. When attempting to authenticate I receive the following message in ACS: EAP-TLS or PEAP authentication failed during SSL handshake.
Is anyone using 2048 bit certs or know if they work? Any suggestions what else might be causing the authentication failure?
Thanks,

2048 bit is the standard these days. I have used 2048 bit with both PEAP and EAP-TLS with no issues. The error might be the shared secret between ACS and the WLC.
Sent from Cisco Technical Support iPhone App

Cisco ACS with External DB - EAP-TLS

Hi Guys,
I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
Let say both user and computer certs are employed:
1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
2b. Wot is the paramater that is checked against the AD database?
I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client Certificates
Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
Please can someone help me with these points.
I am so lost in this stuff :)) I think.
Many thx and many kind regards,
Ken

only TLS *handshake* is completed/succcessful, but because user authentication fails,
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against CSDB
pvCopySession: setting session group ID to 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Creating Domain cache
External DB [NTAuthenDLL.dll]: Loading Domain Cache
External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
pvCheckUnknownUserPolicy: setting session group ID to 0.
Unknown User 'jatin' was not authenticated
So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
HTH
Regards,
Prem

EAP-TLS authentication failure

We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
This situation is as follows:
WLAN infrastructure with:
1 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-WLC2112-K9 (IP address = 10.10.10.10)
8 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-LAP1142N-E-K9
Data for the WLC:
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version.............................. 4.0.191.0
Emergency Image Version................... 6.0.199.4
The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
The problem: no wireless client (Windows XP) is able to go past the initial authentication.
I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
On the RADIUS side we find these error messages:
Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
NAS-IP-Address = 10.10.10.10
NAS-Identifier = XX-002_WLAN
Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
Calling-Station-Identifier = 00-1c-bf-7b-08-xx
Client-Friendly-Name = xxxxxxx_10.10.10.10
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On the WLC side, the error messages are:
TRAP log:
RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
SYSLOG:
Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
WLC Debug:
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.711:     Callback.....................................0x87e1870
*Jan 07 19:31:42.712:     protocolType.................................0x00140001
*Jan 07 19:31:42.712:     proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.712:     Packet contains 12 AVPs (not shown)
*Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
*Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
*Jan 07 19:31:42.788:     structureSize................................145
*Jan 07 19:31:42.788:     resultCode...................................255
*Jan 07 19:31:42.788:     protocolUsed.................................0x00000001
*Jan 07 19:31:42.788:     proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.788:     Packet contains 4 AVPs (not shown)
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
*Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.806:     Callback.....................................0x87e1870
*Jan 07 19:31:42.806:     protocolType.................................0x00140001
*Jan 07 19:31:42.807:     proxyState...................................58:94:6B:15:F5:D0-9B:01
*Jan 07 19:31:42.807:     Packet contains 13 AVPs (not shown)
*Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00                               ..
*Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads to the authentication process to fail and restart again and again:
******************** WIRESHARK CAPTURE ********************
No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.10.10.10        15.15.15.15           RADIUS   Access-Request(1) (id=125, l=280)
Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 308
    Identification: 0x501f (20511)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x4aee [correct]
    Source: 10.10.10.10 (10.10.10.10)
    Destination: 15.15.15.15 (15.15.15.15)
User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
    Source port: filenet-rpc (32769)
    Destination port: radius (1812)
    Length: 288
    Checksum: 0xe8e0 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x7d (125)
    Length: 280
    Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
    Attribute Value Pairs
        AVP: l=27 t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
        AVP: l=19 t=Calling-Station-Id(31): 00-21-6a-29-80-xx
        AVP: l=27 t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
        AVP: l=6 t=NAS-Port(5): 2
        AVP: l=6 t=NAS-IP-Address(4): 10.10.10.10
        AVP: l=13 t=NAS-Identifier(32): XX-002_WLAN
        AVP: l=12 t=Vendor-Specific(26) v=Airespace(14179)
        AVP: l=6 t=Service-Type(6): Framed(2)
        AVP: l=6 t=Framed-MTU(12): 1300
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=89 t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 3
                Length: 87
                Type: EAP-TLS [RFC5216] [Aboba] (13)
                Flags(0x80): Length
                Length: 77
                Secure Socket Layer
        AVP: l=25 t=State(24): 1d68036a000001370001828b38990000000318a3088c00
        AVP: l=18 t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
No.     Time        Source                Destination           Protocol Info
      2 0.060373    15.15.15.15        10.10.10.10          IP       Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 44
    Identification: 0x2935 (10549)
    Flags: 0x01 (More Fragments)
    Fragment offset: 0
    Time to live: 122
    Protocol: UDP (17)
    Header checksum: 0x58e0 [correct]
    Source: 15.15.15.15 (15.15.15.15)
    Destination: 10.10.10.10 (10.10.10.10)
    Reassembled IP in frame: 3
Data (24 bytes)
0000 07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae   .....i...}.al...
0010 d0 75 05 c3 56 29 a7 b1                           .u..V)..
No.     Time        Source                Destination           Protocol Info
      3 0.060671    15.15.15.15        10.10.10.10          RADIUS   Access-challenge(11) (id=125, l=1377)
Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1381
    Identification: 0x2935 (10549)
    Flags: 0x00
    Fragment offset: 24
    Time to live: 122
    Protocol: UDP (17)
    Header checksum: 0x73a4 [correct]
    Source: 15.15.15.15 (15.15.15.15)
    Destination: 10.10.10.10 (10.10.10.10)
    [IP Fragments (1385 bytes): #2(24), #3(1361)]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
    Source port: radius (1812)
    Destination port: filenet-rpc (32769)
    Length: 1385
    Checksum: 0xe8f5 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: Access-challenge (11)
    Packet identifier: 0x7d (125)
    Length: 1377
    Authenticator: 6c8300aed07505c35629a7b14de483be
    Attribute Value Pairs
        AVP: l=6 t=Session-Timeout(27): 30
            Session-Timeout: 30
        AVP: l=255 t=EAP-Message(79) Segment[1]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[2]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[3]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[4]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[5]
            EAP fragment
        AVP: l=33 t=EAP-Message(79) Last Segment[6]
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 4
                Length: 1296
                Type: EAP-TLS [RFC5216] [Aboba] (13)
                Flags(0xC0): Length More
                Length: 8184
                Secure Socket Layer
[Malformed Packet: SSL]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
******************** COMMVIEW CAPTURE ******************
Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
Ethernet II
    Destination MAC: 1C:DF:0F:55:20:xx
    Source MAC: F8:66:F2:62:63:xx
    Ethertype: 0x0800 (2048) - IP
IP
    IP version: 0x04 (4)
    Header length: 0x05 (5) - 20 bytes
    Differentiated Services Field: 0x00 (0)
        Differentiated Services Code Point: 000000 - Default
        ECN-ECT: 0
        ECN-CE: 0
    Total length: 0x0135 (309)
    ID: 0x2B26 (11046)
    Flags
        Don't fragment bit: 1 - Don't fragment
        More fragments bit: 0 - Last fragment
    Fragment offset: 0x0000 (0)
    Time to live: 0x40 (64)
    Protocol: 0x11 (17) - UDP
    Checksum: 0x6FE6 (28646) - correct
    Source IP: 161.86.66.49
    Destination IP: 15.15.15.15
    IP Options: None
UDP
    Source port: 32769
    Destination port: 1812
    Length: 0x0121 (289)
    Checksum: 0x5824 (22564) - correct
Radius
    Code: 0x01 (1) - Access-Request
    Identifier: 0x8D (141)
    Packet Length: 0x0119 (281)
    Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
    Attributes
        Attribute
            Type: 0x01 (1) - User-Name
            Length: 0x1A (26)
            Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
        Attribute
            Type: 0x1F (31) - Calling-Station-Id
            Length: 0x11 (17)
            Calling id: 58-94-6b-15-5f-xx
        Attribute
            Type: 0x1E (30) - Called-Station-Id
            Length: 0x19 (25)
            Called id: f0-25-72-70-65-c0:WLAN-XX
        Attribute
            Type: 0x05 (5) - NAS-Port
            Length: 0x04 (4)
            Port: 0x00000002 (2)
        Attribute
            Type: 0x04 (4) - NAS-IP-Address
            Length: 0x04 (4)
            Address: 10.10.10.10
        Attribute
            Type: 0x20 (32) - NAS-Identifier
            Length: 0x0B (11)
            NAS identifier: XX-002_WLAN
        Attribute
            Type: 0x1A (26) - Vendor-Specific
            Length: 0x0A (10)
            Vendor id: 0x00003763 (14179)
            Vendor specific:
        Attribute
            Type: 0x06 (6) - Service-Type
            Length: 0x04 (4)
            Service type: 0x00000002 (2) - Framed
        Attribute
            Type: 0x0C (12) - Framed-MTU
            Length: 0x04 (4)
            Framed MTU: 0x00000514 (1300)
        Attribute
            Type: 0x3D (61) - NAS-Port-Type
            Length: 0x04 (4)
            NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
        Attribute
            Type: 0x4F (79) - EAP-Message
            Length: 0x57 (87)
            EAP-Message
        Attribute
            Type: 0x18 (24) - State
            Length: 0x17 (23)
            State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
        Attribute
            Type: 0x50 (80) - Message-Authenticator
            Length: 0x10 (16)
            Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
Ethernet II
    Destination MAC: F8:66:F2:62:63:xx
    Source MAC: 1C:DF:0F:55:20:xx
    Ethertype: 0x0800 (2048) - IP
IP
    IP version: 0x04 (4)
    Header length: 0x05 (5) - 20 bytes
    Differentiated Services Field: 0x00 (0)
        Differentiated Services Code Point: 000000 - Default
        ECN-ECT: 0
        ECN-CE: 0
    Total length: 0x002C (44)
    ID: 0x4896 (18582)
    Flags
        Don't fragment bit: 0 - May fragment
        More fragments bit: 1 - More fragments
    Fragment offset: 0x0000 (0)
    Time to live: 0x7A (122)
    Protocol: 0x11 (17) - UDP
    Checksum: 0x397F (14719) - correct
    Source IP: 15.15.15.15
    Destination IP: 10.10.10.10
    IP Options: None
UDP
    Source port: 1812
    Destination port: 32769
    Length: 0x0569 (1385)
    Checksum: 0x2FE4 (12260) - incorrect

Hi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error.

EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
For example:
Policy 1: allowed-certificate-OID --> corporate
Policy 2: allowed-certificate-OID --> private
Client authenticates with EKU corporate --> success
Client authenticates with EKU private --> reject
My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
Has anyone a simmilar setup or can help to figure out what is going wrong?
We have a WLC 5508 with Software Version 7.4.100.0 and a NPS on a Windows Server 2008 R2
regards
Fabian

The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
The certificate does include this OID but not the custom EKU.

EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

Hello all,
I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
All of this appears to be successful the first time.
If we disassociate the machine, the problems start. The accounting STOP message is never sent.
Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
Thanks
Gustavo

Assuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
please cross reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan

EAP-TLS on WLC 5508 agains IAS RADIUS

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Hi, anyone experienced issue like this?
I am installing a WLC 5508 using EAP-TLS authentication with an IAS Radius server.
I got “Access-Accept” debug message received from RADIUS server.
However the wireless client failed to connect.
Below is partially the debug message from the WLC
Any feedbacks are welcome
*Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
*Oct 07 15:08:24.403:     protocolType.................................0x00140001
*Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
*Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
*Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b f7 c9 71 dd 32 cb b7 0a .e........q.2...
*Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f 73 74 2f 49 44 31 30 2d R..>."host/ID10-
*Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 65 73 74 0AFJ031.euc.test
*Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13 30 30 2d 31 39 2d 37 64 01.com..00-19-7d
*Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33 62 1e 1a 30 30 2d 33 61 -72-b4-3b..00-3a
*Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34 36 2d 35 30 3a 57 57 53 -98-95-46-50:TES
*Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00 01 04 06 0a 56 0c d2 20 300.........V...
*Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43 30 30 31 1a 0c 00 00 37 .IDHOJXC001....7
*Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06 06 00 00 00 02 0c 06 00 c...............
*Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00 13 4f 27 02 03 00 25 01 ...=.....O'...%.
*Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31 30 2d 30 41 46 4a 30 33 host/ID10-0AFJ03
*Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65 73 74 6c 65 2e 63 6f 6d 1.euc.nestle.com
*Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52 8e 63 0f 2f 87 a5 78 53 P...T.&R.c./..xS
*Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
*Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35 f7 be 57 75 43 ce 19 ca .e.4>.g5..WuC...
*Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1 03 a2 00 00 01 37 00 01 .]....1......7..
*Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b 13 1e 16 37 00 00 00 00 .V.i..c....7....
*Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
*Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
*Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
*Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
*Oct 07 15:08:24.405:     structureSize................................78
*Oct 07 15:08:24.405:     resultCode...................................0
*Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
*Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.405:     Packet contains 1 AVPs:
*Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
    source: 4, valid bits: 0x0
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
    source: 4, valid bits: 0x0
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
*Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
*Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
*Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
*Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f 6d                       est01.com
*Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f 6d                       est01.com
*Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

Thanks for your reply jedubois
Really appreciate it.
I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
Below are the outputs for the eap advanced config
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 2
(Cisco Controller) >
Any other suggestion?

802.1x eap-tls machine + user authentication (wired)

Hi everybody,
right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
<key>SetupModes</key>
<array>
    <string>System</string>
    <string>Loginwindow</string>
</array>
<key>PayloadScope</key>
    <string>System</string>
but it does not work
2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
Thanks

Unfortunatelly this documents do not describe how to do what I want.
I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
Any ideas ?

WPA2 security with EAP-TLS user cert auth

I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth. The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer.
When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged. On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

Well Well
WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
Please make sure to rate correct answers

EAP-TLS, how is dynamic key transmitted?

Similar Messages

Maybe you are looking for