EAP-TLS over wireless

Quick question for you EAP experts out there.
I want to be able to deploy EAP-TLS. I understand that you need a machine and user certificate; does this mean that I would have to place the certificate for each user account on that particular laptop if it is utilised by more than one member of staff?
Thanks in advance.
Chris

Hi Chris,
If many users share clients, it can be a problem that all users' certificates have to be on the shared hardware. I had this issue in a school, and we ended up using EAP-TLS with only a hardware certificate. You don't get full security in this case since you only verify the hardware, but on the other hand, the user has to log in to the domain, so users will be verified as well. Just not by the wireless system.
//Johan

Similar Messages

  • EAP-TLS for Wireless network and PEAP for wired network

    Hello,
    Is it possible to use EAP-TLS for the wireless network and PEAP for the wired network on the same laptop (Windows 7)?
    Thank you in advance.
    Thibault

    Yes, this is possible. You just need to properly configure each interface to use the EAP type you want.
    HTH,
    Steve
    Sent from Cisco Technical Support iPad App

  • Trouble with EAP-TLS with Wireless before Windows logon

    I'll start with a list of equipment:
    5508 WLC
    3502i AP's
    Cisco ACS 5.3
    Windows 7 clients
    WLAN is configured with WPA2/AES with 802.1x for key management.
    Client is configured with WPA2/AES; auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication. The client is configured to use a certificate on the computer. "It only works if user or computer auth is selected." If I use the Computer Authentication option... it says it can't find a certificate to use for EAP.
    ACS is configured to only allow for protocol EAP-TLS.
    We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
    This whole process with EAP-TLS works great if you are already logged in to the machine, with cached credentials. Once I log off the Windows 7 client, I lose the connection to the WLAN. We would like to stay logged on to the WLAN. PEAP w/ MSCHAPv2 works great at staying connected to the WLAN, but we want to use EAP-TLS.
    Any ideas??
    Thanks in advance,
    Ryan

    Hi Ryan,
    You actually answered your own question :) The reason for the fault is that the Machine Account doesn't have a Certificate, so when your User logs off the Machine Account can't log in to keep the session going, and thus you get disconnected. Provide the Machine Account with a Certificate and your problem will be resolved.
    Richard

  • Wired EAP-TLS Problems

    I'm trying to set up wired clients to authenticate with EAP-TLS on a Catalyst 2950. I put together a test setup using the configs on my FreeRADIUS server taken from another one which is working with EAP-TLS over wireless. The requests are being passed through to the server but the authentication is still failing; could anyone give me some advice? Logs and configs included below......
    My current setup is:
    FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6
    Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin
    Laptop - OpenSUSE 10.2
    I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:
    http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)
    "select * from nas" (comma separated to make it easier):
    id,nasname,shortname,type,ports,secret,community,description
    1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950
    wpa_supplicant.conf on laptop (the closing brace of the network block was missing from the post):
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    ap_scan=0
    network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
    }
    Outputs of the radiusd and wpa_supplicant are attached...

    Based on this:
    TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)
    SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
    I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).
    Shelly
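    The trust check Shelly describes can be reproduced offline with the openssl CLI before touching the supplicant. The script below is an added example (not from the thread, and not FreeRADIUS or wpa_supplicant code): it builds a throwaway PKI in which CA "A" signs a RADIUS server certificate and CA "B" is an unrelated CA (all names and paths are constructed for the demo), then shows that verifying with the right ca_cert succeeds, that pointing ca_cert at a different CA while the server still sends its own self-signed CA in the TLS chain yields exactly "error 19 (self signed certificate in certificate chain)", and that a chain with no reachable issuer yields error 20 instead.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the supplicant's server-certificate
# trust check with openssl. All CA/server names and file paths are constructed.

# Build a throwaway PKI in $1: CA A signs the RADIUS server cert, CA B is unrelated.
make_test_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA A" \
    -keyout "$dir/caA.key" -out "$dir/caA.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA B" \
    -keyout "$dir/caB.key" -out "$dir/caB.pem" >/dev/null 2>&1
  # RADIUS server certificate, issued by CA A only.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/caA.pem" \
    -CAkey "$dir/caA.key" -CAcreateserial -out "$dir/server.pem" >/dev/null 2>&1
}

# First sanity check: the server cert's Issuer must equal the ca_cert's Subject.
# $1 = server cert, $2 = the file configured as ca_cert on the client.
issuer_matches_ca() {
  issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
  subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')
  [ "$issuer" = "$subject" ]
}

# Full chain verification as the supplicant performs it.
# $1 = trusted ca_cert, $2 = server cert, $3 = extra certs the server sends in its
# TLS chain (untrusted input). Exit status 0 means the client would accept the server.
verify_server_cert() {
  openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# Same check, but print the X509 verification error number ("0" on success).
# 19 = self signed certificate in certificate chain (CA sent but not trusted),
# 20 = unable to get local issuer certificate (issuer not available at all).
verify_error_code() {
  out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) && { echo 0; return; }
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

demo() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  echo "ca_cert = CA A (the real signer):                      error $(verify_error_code "$dir/caA.pem" "$dir/server.pem" "$dir/caA.pem")"
  echo "ca_cert = CA B, server still sends CA A in its chain:  error $(verify_error_code "$dir/caB.pem" "$dir/server.pem" "$dir/caA.pem")"
  echo "ca_cert = CA B, server sends only its own certificate: error $(verify_error_code "$dir/caB.pem" "$dir/server.pem" "$dir/server.pem")"
  rm -rf "$dir"
}

demo
```

    Run the same two functions against the real files from the post (`suse`'s `cacert.pem` as ca_cert, the RADIUS server's certificate and the CA file it serves in the TLS chain). If `issuer_matches_ca` fails, the client simply has the wrong CA file; if it passes but `verify_server_cert` still fails, look at validity dates, CA extensions and any missing intermediate rather than disabling verification on the supplicant.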

  • EAP-TLS Error

    Hello.
    I cannot get EAP-TLS auth to work on a Windows 7 wired setup. I've tested EAP-PEAP on wireless and wired - works fine. Also EAP-TLS for wireless works great. Clients are on the same domain as the RADIUS (which is Cisco ISE), we've deployed CA services on that same domain too and are distributing certificates to clients via GPOs. Authenticators (switchports) are configured correctly, certificates work on the EAP-TLS wireless setup, everything seems to be OK, but the wired connection still cannot auth and EAP times out.
    Here is the error:
    Logged At: May 14,2013 11:52:12.159 AM
    RADIUS Status: No response received during 120 seconds on last EAP message sent to the client : 5411 No response received during 120 seconds on last EAP message sent to the client

    Have you confirmed that the Supplicant is configured properly for EAP-TLS authentication? I have done this type of deployment many times and haven't had this issue. 
    Thank you for rating helpful posts! 

  • Local eap-tls drawbacks

    Planning on implementing EAP-TLS for wireless security and trying to wrap my brain around what will be lost if I use local EAP-TLS vs an external RADIUS server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as built-in RADIUS. I am running on a 3650 as the integrated WLC. If I can tidy up the wireless solution so I don't have to utilize an external RADIUS server (this would be the first necessity to have an external RADIUS server for this org) then it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients and the ability to invalidate their cert would likely push me to the external RADIUS server - I just don't know if there are any other trade-offs by using the built-in RADIUS.
    I also saw that you can't specify a RADIUS server for anything else on the switch or the local built-in RADIUS won't work, but then saw conflicting info " You can disable RADIUS authentication for a given WLAN by using “config wlan radius_server auth disable wlan_id” CLI command." at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/ but don't know if this is true or not either. I would like to know if I am locking myself into never having an external RADIUS server if I go down the local EAP-TLS path.
    Thanks,
    Brian

    Thanks Nicolas, sad but true, I failed to find any possibilities at the WLC.
    It seems I need to configure external RADIUS and use local EAP only in case of WAN failure.

  • Connecting iPads to an Enterprise Wireless 802.1x (EAP-TLS) Network Using Windows Server 2003 IAS

    Hi there,
    I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer wishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, Certificates etc. in a Windows infrastructure but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
    I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
    1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
    2. Configure a Service Principal Name (SPN) for the new computer object.
    3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
    4. Export the certificate created for the non-domain joined machine and install it.
    5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
    The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior??
    Regards,
    Jeffrey

    Use VPP.  Select an MDM.  Read the google doc below.
    IT Resources -- ios & OS X -- This is a fantastic web page.  I like the education site over the business site.
    View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
    http://www.apple.com/education/resources/information-technology.html
       business site is:
       http://www.apple.com/lae/ipad/business/resources/
    Excellent guide. See announcement post -- https://discussions.apple.com/thread/4256735?tstart=0
    https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/edit?pli=1
    good tips for initial deployment:
    https://discussions.apple.com/message/18942350#18942350
    https://discussions.apple.com/thread/3804209?tstart=0

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I installed a WLC to provide the WLAN architecture, and the project was extended for VoWLAN. We have 7921 and E51 running over the wide WLAN architecture.
    Computers using data over wireless are working over PEAP done by ACS and a CA-signed certificate + user secret; on the PC this is linked to the domain account, and the secret stays the login and password. Our problem is that the user and password are linked via ACS to Active Directory. The password policy is to change frequently.
    For the phones we are actually running authentication over LEAP, but I'm working to define the best security solution for us.
    I compare PEAP and EAP-TLS for now:
    1) PEAP checks the authentication of the ACS via certificate trust and authenticates via MS-CHAPv2 and the secret password known by the user. My problem here is that the phone can only be static, which is potentially not acceptable.
    2) EAP-TLS, which is the best secured security due to the double-sided certificate authentication + (login / password) on the phone.
    So I need to manage certificate management here? I mean I can use either the MIC CA certificate on the phone or a user-CA-defined one which I can put on the ACS or Local EAP WLC, and then put the ACS CA trust on the phone.
    If I understood well, I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS?
    I already have a certificate on the ACS signed by a CA (like VeriSign), so I must create a CSR for every phone to be able to use the same CA?
    I'm thinking to also use the local EAP certificate of the controller to manage all of that, to avoid every potential cost to pay to the trusted CA of the ACS.
    Can you help me to know if I understood everything correctly? I would be pleased to exchange experience on that.
    thanks ;)
    bye

    I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from the ACS, then request a server certificate from the CA, then copy and install the certificate on the ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you have used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • Wireless ISE - 12508 EAP-TLS handshake failed

    Hi guys,
    I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
    Authentication failed : 12508 EAP-TLS handshake failed
    OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
    Setup:
    - Single standalone ISE 3355 appliance
    - Two tier MS enterprise PKI (outside of my direct control)
    - WLC 5508
    - Windows 7 laptop
    - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
    - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
    Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
    This is what TAC came back with, but none of the workarounds helped
    Symptom:
    ========
    EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
    Conditions:
    =========
    EAP-TLS certificate based authentications ISE 1.1.2.145
    Workaround:
    ===========
    1) Reboot or restart ISE application service
    2) Recreate CAP (Certificate Authentication Profile)
    3) Toggle between ID sequence and single ID source

    Hi Amjad,
    Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
    Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
    The certificate format has not been modified in any way. The server and identity certs have been pushed out to the clients via GPO. The root and intermediate certs were exported in DER format directly from each of the respective CAs and imported directly into the ISE.
    Cheers,
    Owen

  • EAP-TLS on ACS v4 for wireless users

    Hi,
    I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I'm stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
    As mentioned in the ACS configuration guide, I have to have a CA server to generate certificates for both the ACS and the wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, to Generate Self-Signed Certificate. I generated a certificate and uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but still I got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible, but I gave it a try and failed.
    Kindly advise what is the appropriate and easiest way to accomplish the task; if you could provide me with helpful documents I'll appreciate it.
    Regards,
    Belal

    I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from the ACS, then request a server certificate from the CA, then copy and install the certificate on the ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you have used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify that your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • Eap-tls wireless machine authentication without AD

    Hi all,
    I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon).
    I can make the user get a cert from my CA, log in as local & connect to the WLAN through EAP-TLS without any problem.
    With an admin account I can get Windows to put the user's cert into the machine store (Machine Account Personal Certificate Store),
    but when it comes to a login attempt the RADIUS UserName looks like "host/username" instead of "username" as when the user authenticates.
    My question is: do I need to configure an Identity Store (like AD) for machine authentication on ACS, or can I make use of the configuration as for the user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)?
    Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
    Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
    Thanks for your help,

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did it with a not-so-simple AutoIt script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • Windows Client cannot connect to wireless LAN through EAP-TLS

    I have a Cisco Aironet Access Point which cannot be authenticated by a remote RADIUS server to connect to the wireless LAN through EAP-TLS. This is the debug output from the AAA process.
    *Mar  7 10:56:56.337: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:56:56.369: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:56.385: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:56.385: dot11_auth_parse_client_pak: id is not matching req-id:1resp-id:2, waiting for response
    *Mar  7 10:56:56.401: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:56.717: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:56.717: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:56.785: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:57.097: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:57.097: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:57.101: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:57.393: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:57.393: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:57.397: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:57.673: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:57.673: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:57.677: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:57.953: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:57.953: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:57.957: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:58.317: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:58.317: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:58.321: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:58.685: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:58.685: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:58.685: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:56:58.993: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
    *Mar  7 10:56:58.993: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    *Mar  7 10:56:59.041: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:57:01.077: Client 0811.9650.8cb0 failed: reached maximum retries
    *Mar  7 10:57:08.997: %RADIUS-4-RADIUS_DEAD: RADIUS server 165.72.12.12:1812,1813 is not responding.
    *Mar  7 10:57:08.997: %RADIUS-4-RADIUS_ALIVE: RADIUS server 165.72.12.12:1812,1813 is being marked alive.
    *Mar  7 10:57:14.481: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:57:14.521: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:57:44.521: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authentication failed
    *Mar  7 10:57:44.801: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:57:44.829: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:58:14.829: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authentication failed
    *Mar  7 10:58:15.105: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:58:15.141: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:58:45.141: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authentication failed
    *Mar  7 10:58:45.425: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:58:45.449: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:59:15.449: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authentication failed
    *Mar  7 10:59:15.729: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:59:15.753: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:59:45.753: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authentication failed
    *Mar  7 10:59:46.009: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:59:46.037: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:59:50.077: Client 0811.9650.8cb0 failed: reached maximum retries
    *Mar  7 10:59:50.349: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:59:50.373: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 10:59:55.077: Client 0811.9650.8cb0 failed: reached maximum retries
    *Mar  7 10:59:55.341: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 10:59:55.361: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 11:00:00.077: Client 0811.9650.8cb0 failed: reached maximum retries
    *Mar  7 11:00:00.333: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 11:00:00.357: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 11:00:05.077: Client 0811.9650.8cb0 failed: reached maximum retries
    *Mar  7 11:00:05.341: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
    *Mar  7 11:00:05.365: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
    *Mar  7 11:00:10.077: Client 0811.9650.8cb0 failed: reached maximum retries

    Kindly get the configuration and the compatibility verified in case there is a mismatch. Please find the link below for more information on EAP-TLS functions in access points and clients.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39110
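    A debug like the one above is easier to read once it is reduced to counters per station. The script below is an added example (not from the thread, and not a Cisco tool): a POSIX shell/awk summariser for Aironet dot11/dot1x debug output. The sample lines are constructed for the demo, modelled on the post's output; the second station (0022.33aa.bb01) is invented. It counts, per station, EAPOL frames received, "reached maximum retries" events and AUTH_FAILED events, and globally the RADIUS responses seen and RADIUS_DEAD transitions. A station that hits maximum retries while the server was still answering challenges means the EAP conversation was alive and the station stopped responding, which points at the supplicant side (certificate selection or trust) rather than the AP-to-RADIUS path; a RADIUS_DEAD with no server responses points the other way.

```shell
#!/bin/sh
# Added example (not from the thread): summarise Aironet dot11/dot1x debug output.
# The sample is constructed for the demo; the second MAC address is invented.
sample_debug() {
cat <<'EOF'
*Mar  7 10:56:56.337: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar  7 10:56:56.369: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
*Mar  7 10:56:56.717: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
*Mar  7 10:56:56.785: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
*Mar  7 10:56:57.097: dot11_auth_dot1x_parse_aaa_resp: Received server response: GET_CHALLENGE_RESPONSE
*Mar  7 10:57:01.077: Client 0811.9650.8cb0 failed: reached maximum retries
*Mar  7 10:57:08.997: %RADIUS-4-RADIUS_DEAD: RADIUS server 165.72.12.12:1812,1813 is not responding.
*Mar  7 10:57:08.997: %RADIUS-4-RADIUS_ALIVE: RADIUS server 165.72.12.12:1812,1813 is being marked alive.
*Mar  7 10:57:14.521: dot11_auth_parse_client_pak: Received EAPOL packet from 0811.9650.8cb0
*Mar  7 10:57:44.521: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authentication failed
*Mar  7 10:59:50.077: Client 0811.9650.8cb0 failed: reached maximum retries
*Mar  7 11:00:01.000: dot11_auth_parse_client_pak: Received EAPOL packet from 0022.33aa.bb01
*Mar  7 11:00:05.077: Client 0022.33aa.bb01 failed: reached maximum retries
EOF
}

# Read debug text on stdin; print "key [mac] count" lines, sorted for stable output.
# Per station: eapol, max_retries, auth_failed. Global: server_responses, radius_dead.
summarize_dot11_debug() {
  awk '
    /Received EAPOL packet from/      { eapol[$NF]++ }
    /Received server response:/       { responses++ }
    /failed: reached maximum retries/ { for (i = 1; i <= NF; i++) if ($i == "Client")  retries[$(i+1)]++ }
    /%DOT11-7-AUTH_FAILED/            { for (i = 1; i <= NF; i++) if ($i == "Station") authfail[$(i+1)]++ }
    /%RADIUS-4-RADIUS_DEAD/           { dead++ }
    END {
      for (m in eapol)    printf "eapol %s %d\n", m, eapol[m]
      for (m in retries)  printf "max_retries %s %d\n", m, retries[m]
      for (m in authfail) printf "auth_failed %s %d\n", m, authfail[m]
      printf "server_responses %d\n", responses + 0
      printf "radius_dead %d\n", dead + 0
    }' | sort
}

# Pull one counter out of a summary read on stdin: count_of <key> [<mac>]; prints 0 if absent.
count_of() {
  awk -v k="$1" -v m="${2:-}" \
    '$1 == k && (m == "" || $2 == m) { print $NF; found = 1; exit } END { if (!found) print 0 }'
}

# Stations that hit maximum retries while the RADIUS server was answering: the EAP
# exchange was alive, so the station (supplicant / certificate) is the first suspect.
# Reads a summary on stdin, prints one MAC per line (nothing if the server never answered).
stalled_stations() {
  summary=$(cat)
  responses=$(printf '%s\n' "$summary" | count_of server_responses)
  [ "$responses" -gt 0 ] || return 0
  printf '%s\n' "$summary" | awk '$1 == "max_retries" { print $2 }'
}

sample_debug | summarize_dot11_debug
echo "stations to check first:"
sample_debug | summarize_dot11_debug | stalled_stations
```

    On a real capture, replace `sample_debug` with `cat debug.txt`; because the debug wraps long lines at 80 columns when pasted from a terminal, join the wrapped lines first or the MAC at the end of an EAPOL line will be split.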

  • EAP-TLS and getting a new user to log in on a wireless network

    I have setup EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
    My issue is when I have a new user, who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user login, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kinda defeats the purpose of a WLAN.
    How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
    After further reading and research, I believe that my dilemma will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or can it be a Standalone CA?
    Paras

    Check the below link and read the server requirements.
    http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
    The standalone CA needs to be trusted by AD.
    http://groups.google.co.uk/group/microsoft.public.win2000.security/browse_thread/thread/1cf098c0dfa97ca0/b964dd05c12fd3fb?lnk=st&q=eap-tls+certificates+standalone+root&rnum=2&hl=en#b964dd05c12fd3fb
    What Windows are you using? The default behaviour of Windows is to do user authentication. You would need to play with the registry to make systems do only machine authentication.
    You would need connectivity when you want to install the CA certificate, or else allow open authentication on the access point to have the connectivity, and once the certificates are installed, disable it.
    Please rate the post if it helps

  • EAP-TLS Wireless Authentication - General questions

    Hi,
    I want to use EAP-TLS as a method of authentication for users/computers to join the Wireless. Devices that will connect to the Wireless are part of the domain.
    What certificate is preferred to use for this purpose? Computer or User certificates? I guess that it probably depends on what you want to identify or authenticate, a user or a device, but what option is “generally” recommended?
    Is there any difference from the point of view of security? Is a computer certificate more secure than a user certificate or vice versa? I have been told that user certificates are easier to compromise (or steal from a Windows machine) than computer certificates, even if a user doesn't have Admin privileges on their machine?
    I have also been told that using user certificates could result in some issues to pass some Compliance audits.
    I would like to be sure that the design complies with the most recommended and secure alternative.
    I would appreciate some help.
    Many thanks.

    There are pros and cons to using workstation or user based certificates, as well as benefits to using "both". But first thing, both user and computer certificates are secured in the same way in the operating system - in an encrypted state. There are reasonable controls in place, but anyone bent on hacking a system and has physical control of it, has many options available to them. Things like Bitlocker with TPM can help mitigate many of these attacks. The purpose of certificates is to increase the security and integrity above passwords. It's not foolproof.
    The benefit to using computer/workstation authentication is that when the computer boots up, it joins the WiFi and enables domain users to log on. This is even the case if the user has never logged onto the computer before. The workstation has a secure channel to a domain controller and is fully managed and applies GPO updates. In this model, the WiFi connected machine is no different from a wired machine.
    The disadvantage is that you need to carefully manage your computer devices in AD. Imagine the scenario of a laptop that is stolen. Do you have the means to know which computer object it is and to disable/delete it from AD? If not, then whoever uses the computer will be able to get onto your WiFi. Many organizations have trouble with this aspect.
    User Authentication is a little easier as it's easy to manage users who should be allowed to get onto a network. If they leave, their account is disabled. However, they must have cached credentials on the laptop they want to use as there is no means to contact a DC to authenticate a user the first time.
    Another option to consider is to use BOTH. In this scenario, you issue certificates to both the computer and user. When the computer boots, it joins the WiFi. When a user logs on, the computer stays connected to the WiFi for 60 seconds to allow the user to authenticate and to receive their credentials which are then used to authenticate to the WiFi. If the user is not authorized or is unable to authenticate, then the WiFi is disconnected. This provides the best security option, but it means managing both user and computer objects properly.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • Different wireless clients, should go for LEAP, PEAP or EAP-TLS?

    Hi ,
    I have a mixture of wireless clients in this customer environment such as PDA, Cisco clients and third party PCMCIA cards.
    Customer requires me to propose an EAP authentication method to authenticate them. WHat suits them?
    I plan to have authentication done on application level. Could you recommend any?
    Thanks.
    Delon

    Delon
    It will be more a matter of what all the clients support; you normally set it up for the least-supported client, or have different VLANs with different security levels based on what your clients support.
    LEAP is only on Cisco or CCX certified cards.
    If your base OS is Windows XP and the client cards they have support EAP, then EAP-TLS is a pretty good choice; if they will support PEAP then that is even better again.
    So to make this choice you really need to know exactly what client cards you have and what they support. The AP will support all of them, so the choice is based on the clients.
