EAP/TLS , PEAP problem on PORTEGE with WinXP sp2 Tablet ed.

Similar Messages

• EAP-TLS and ISE 1.1 with AD certificates

  Hello,
  I am trying to configure EAP-TLS authentication with AD certificates.
  All ISE servers are joined to AD
  I have the root certificate from the CA to Activie Directory installed on the ISE servers
  I created the certificate authentication profile using the root certificate
  I have PEAP\EAP-TLS enabled as my allowed protocol
  I am getting the following error for authentication:
  "11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12309  PEAP handshake failed"
  I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
  Any other issues I am missing?
  Thanks,
  Michael Wynston
  Senior Solutions Architect
  CCIE# 5449
  Email: [email protected]
  Phone: (212)401-5059
  Cell: (908)413-5813
  AOL IM: cw2kman
  E-Plus
  http://www.eplus.com

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected]
  = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• EAP-TLS and ACS 5.1 with AD

  Hello,
  I want to set up the ACS 5.1 for dot1x-Port authentication. I want to make a machine authentication against an AD-Domain and I got the following error Message:
  24435  Machine Groups retrieval from Active Directory succeeded
  24100  Some of the expected attributes are not found on the subject record. The default values, if configured, will be used for these attributes.
  24483  Failed to retrieve the machine certificate from Active Directory.
  22049  Binary comparison of certificates failed
  22057  The advanced option that is configured for a failed authentication request is used.
  22061  The 'Reject' advanced option is configured in case of a failed authentication request.
  12507  EAP-TLS authentication failed
  11504  Prepared EAP-Failure
  11003  Returned RADIUS Access-Reject
  What ist the problem? I can't find documents how to configure this in detail.
  Can some one helf me?
  King regardes
  Torsten

  Hi Torsten,
  The option you are looking for is under system configuration:
  Configuring Local Server Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/admin_config.html#wp1052640
  Under acs-->Users and Identity Stores-->Local certificate-->Edit. You can only import/configure CA certificate:
  Configuring CA Certificates
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1158666
  HTH
  Regards,
  JK
  Plz rate helpful posts-

• EAP-TLS match on custom EKU with ACS 5.5

  Hi,
  is there any possibility to match on a custom EKU with ACS 5.5?
  I have to create a solution to limit access to a specific WLAN SSID. Only certificates containing a specific, self-created EKU should have access to this SSID. Other certificates from the same CA should be denied.
  I know that it's possible with Microsoft NPS but I would prefer a solution with ACS. But in ACS the ceritifcate dictionary contains only a few attributes i.e. common name, issuer, subject, but not the Enhanced Key Usage  (EKU).
  Any suggestions?
  Thanks,
  Werner

  Object Identifier Check for EAP-TLS Authentication
  ACS can compare the OID against the Enhanced Key Usage (EKU) field in the user's certificate. ACS denies access if the OID and EKU do not match. For more information about options, see Authentication for profile_name Page, page 14-46.
  When OID comparison is enabled and a valid OID string is entered, all the certificates that the users present for EAP-TLS authentication are checked against the OIDs entered. Authentication will be successful only if the OIDs match. If OID comparison is enabled but the user certificate presented does not contain any OID in the EKU field, authentication will fail.
  To enable OID comparison you must:
  •Enable EAP-TLS from the NAP page.
  •Enter only contain numbers, dots, commas and spaces in the OID strings, for example: 1.3.6.1.5.5.7.3.2 is a valid OID string.
  •Enter multiple OIDs as comma-separated values. For example: 1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2 is a valid string.

• EAP-TLS possible problem

  Hi everyone, were using EAP-TLS for wlan security. we got hundreds of wlan users, what will happen if the client certificate expires? what can we do avoid it?
  thanks

  Hi,
  there is an option under the certificate template configuration, that renews client certificates when they expire.
  See point 15 under "Create the Certificate Template for the ACS Web Server" on this link:
  http://www.cisco.com/en/US/partner/products/ps6366/products_configuration_example09186a00807917a6.shtml
  Hope this helps!

• Is it really unnecessary to use ipodmini with winxp sp2?

  I got an ipod mini recently,and just found it needs winxp sp2, but mine is sp1.I asked some guys, they said it's unnecessary with sp2. Is it ture?

  SP2 is pretty important from a Windows perspective but it will work with either. Get SP2 as fast as you can though.

• Java Plug-in not working with WinXP SP2 Registry Key Missing Error Pop-Up

  I have WinXp PRO with SP2 and the Oct 12 Security Update Patch for SP2 loaded and I went to my Control Panel and saw that the JavaRuntime Environment 1.4.2_04 icon was missing and when I went to click the Java Plugin icon to Open it, I got the following message in a Error Pop-Up window:
  The system cannot find the registry key specified:
  HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java pPlug-in\1.4.2_04\JavaHome
  I then went to Chage Access Program Controls and when I clicked on the Change box for the program, it wanted me to re-install the whole environment.
  Prior to doing this, and potentially screwing up my MS winXp environment, I went to the Sun support page for Java Plug-in and I did get the dancing elmo appear as they said I would but I noticed that my environment was MS VM, not Java and that I was out of date and a newer update was avaliable.
  The downloads page for the plug-in states clearly that it supports WinXp SP1 and NOT SP2.
  SO, my question is, do I need to re-install anything or wait till the whole SP2 issue and java with (BITS) issue gets resolved and just use the MS VM engine during my browsing time? Is there a workaround and what impact will this have on my system? I am not developing Java Apps but am a Power user in Windows who is wondering if applets and general browsing might be easier, faster and more fluid if the Java Runtime was enabled as opposed to the MS VM solution?
  Any ideas or thoughts on this very timely issue would be greatly appreciated as I see others have tried to post related issues but none that succinctly combines what I have asked for here in this post.
  Thanks from NYC -Phil

  did you know that XP SP2 has so many technical problems? try SP1 or contact the WindowsXP Vendor

• MSI K8N neo4 platinum chipset drivers issue with winxp sp2

  Here is my previous post. I am just wondering if there may be any issues if I do not install Nvidia crap.All I have right now is the graphics driver from nvidia, rest are from microsoft.

  Hello !!
  Download and install the drivers you will find here:
  http://www.msi.com.tw/program/support/download/dld/spt_dld_detail.php?UID=637&kind=1
  Good Luck
  Greetz MurdoK

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• Computer Authentication /host/machine name using EAP on AP Problem

  Hi All,
  I have a wireless access point model 1242 with ACS server. Acs server is intigrated with windows domain. The user authentication is working ok but i would like to have a computer authentication setup. I am using PEAP with MS chapv2 on client machine and on access point using open authentication with EAP. ACS has its on certificate and client has the root certificate. I can see the acs server pulls the /host/machine name from AD but i am getting (EAP-TLS or PEAP authentication failed during SSL handshake) message on ACS server for computer authentication. What could be the problem? user authentication is working OK....
  Does computer authentication require the EAP-TLS? I don't have client certificate in my setup.
  I would be gratefull for any suggestion / help.

  You did not mention whether your clients are running Windows or Mac OS (or some mixture of OS's)?  If you are running in a pure Windows environment, it is very easy to enable PEAP machine authentication.  It sounds like you have properly enabled machine authentication on the client side (since you are seeing host/machine auth attempts in the ACS log), but have you enabled machine authentication on the ACS server?
  Which version of ACS are you running (hopefully 4.2).
  Read up on this:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354014
  ACS supports EAP-TLS, PEAP (EAP-MS-CHAPv2), and  PEAP (EAP-TLS) for machine authentication. You can enable each  separately on the Windows User Database Configuration page, which allows  a mix of computers that authenticate with EAP-TLS or PEAP  (EAP-MS-CHAPv2). Microsoft operating systems that perform machine  authentication might limit the user authentication protocol to the same  protocol that is used for machine authentication. For more information  about Microsoft operating systems and machine authentication, see Microsoft  Windows and Machine Authentication.
  Windows User Database Support
  ACS supports the use of Windows external user databases for:
  •User Authentication—For  information about the types of authentication that ACS supports with  Windows Security Accounts Manager (SAM) database or a Windows Active  Directory database, see Authentication  Protocol-Database Compatibility, page 1-8.
  •Machine Authentication—ACS  supports machine authentication with EAP-TLS and PEAP (EAP-MS-CHAPv2).  For more information, see EAP  and Windows Authentication.
  •Group Mapping for  Unknown Users— ACS supports group mapping for unknown users by  requesting group membership information from Windows user databases. For  more information about group mapping for users authenticated with a  Windows user database, see Group Mapping by Group  Set Membership, page 16-3.
  •Password-Aging—  ACS supports password aging for users who are authenticated by a Windows  user database. For more information, see User-Changeable  Passwords with Windows User Databases.
  •Dial-in Permissions—ACS  supports use of dial-in permissions from Windows user databases. For  more information, see Preparing  Users for Authenticating with Windows.
  •Callback Settings—ACS  supports use of callback settings from Windows user databases. For  information about configuring ACS to use Windows callback settings, see Setting the User  Callback Option, page 6-6.

• EAP-TLS - 802.1x - Certificate renewal

  Hello
  I want to implement EAP-TLS as realised in Document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything thing works fine.
  Though our customer wants to FW the Data WLAN/ VLAN and allow only data traffic between WLAN Client to a the terminal server within his secure LAN.
  By blocking all other traffic(except Terminal Server sessions) we experienced that the MS WinXP Client cannot renew its` EAP_TLS Certificate (in this case both user and machine)when its` Time expires.
  Could somebody give me a hint if there are other Cisco solutions for this issue.
  I have also read something about Cisco Virtual office. Does this deployement coupe up to solve this issue?

  The purpose Cisco ACS agent is, that ACS 4.x appliance (non-Windows2003 server) is capable to do Windows user authentication. I guess that won't help your issue.
  What I don't get is the following:
  Are you using WPA2(AES) as encryption? Then the WLAN is not considered as unsecure over the air.
  The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP).

• Implementing EAP-TLS in the enterprise

  Hi all,
  I'm currently performing a review of our global corporate wireless network with a view to implementing user and device authentication. We currently use PEAP-Ms Chapv2 and i'm considering the move to EAP-TLS, however I understand this has its pitfalls in terms of added administrative overheads, particularly around manging user certs.
  Does anyone have any experiencing in rolling EAP-TLS that can provide me with some advice about what to look out for? We have a full PKI and I understand auto enrolment of user certs can be done using group policy and AD but has anyone seen any other issues I should be wary of?
  We have a full Cisco autonomous unified wireless network with Cisco ACS servers for our Radius, tied into AD.
  Appreciate any comments, advice or even direction to other resources where I can find some valuble info.
  cheers.
  Rob

  Rob,
  Since you are already using PEAP, moving to EAP-TLS is not that bad.  Again.... you already have a PKI infrastructure and domain computers should have a certificate already.  So with GPO, you just make a change to the wireless profile to change from PEAP to EAP-TLS.  Peolpe do look at it as more management.... well it sort of is, but if you have staff that is experience in setting up the PKI, GPO, etc, it really isn't that bad.  Client device support is what you will need to look at.  If you have devices like iPads, non domain computers that need to be on the network, then maybe you will need to add EAP-TLS and keep PEAP for those other devices.

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?

• ACS / Novell / EAP-TLS

  Is it possible to authenticate Users with the EAP-TLS mechanism against a ACS Server coupled with a Novell eDirectory?
  Are there any limitations?

  I think as long as your Novell Directory is configured to use standard LDAP, for Novell, you should be fine. Below is some documentation from Cisco Secure ACS 3.2, regarding your question.
  Here is some information regarding your question: I
  About Novell NDS User Databases
  To use NDS authentication with a Cisco Secure ACS Appliance, you must have a Novell NDS database that is configured to use standard LDAP.
  Note Cisco Secure ACS Appliance only supports NDS servers that are configured to use standard LDAP.
  Cisco Secure ACS Appliance supports ASCII, PAP, EAP-TLS, PEAP(EAP-GTC), and EAP-FAST (phase two only) authentication with Novell NetWare Directory Services (NDS) servers. Other authentication protocols are not supported with Novell NDS external user databases.