EAP-TLS problems Windows XP

We are using Cisco ACS 4.1 for Windows RADIUS server, Windows 2003 PKI, 3750 access switch and Windows XP SP 3 workstations.
Problem is that users with user certificate can loging successful by 802.1x. When user logs in without user certificate (but with computer certificate) no record will be written in ACS log. Windows tells that authentication is not ok. But client keeps ip address form successful computer authentication. After a few minutes, the connection will be dropped.
AuthMode is set to 2 in Windows. At first there will be computer auth, then user auth takes place. Why does the computer keeps the ip address from successful computer auth ? We want to put the computer in aut-fail VLAN. But that doesn't happen...

Do you see same issue with SP2 ?
Here is important information about dot1x configured on XP SP3.
You cannot connect to an 802.1X wired network after you upgrade to Windows XP Service Pack 3
http://support.microsoft.com/kb/953650
Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3
http://support.microsoft.com/kb/949984/
Regards,
~JG

Similar Messages

  • EAP-TLS with windows machine

    I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
    I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
    Just list of RDS.log appears some activity ended with
    NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
    If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
    Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
    Please let attentions to Attachments and let me know
    what could be a problem of my unsuccessness of use EAP-TLS.
    configuration of interface which I use for testing:
    interface GigabitEthernet0/42
    description Test 802.1X klient - Filip
    switchport access vlan 34
    switchport mode access
    switchport voice vlan 31
    authentication host-mode multi-domain
    authentication open
    authentication port-control auto
    authentication periodic
    authentication violation protect
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end

    Hi Filip,
    Just noticed your post...
    In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
    Microsoft has done some changes in SP 3 for wired 802.1x
    Changes to the 802.1X-based wired network connection settings in Windows XP
    Service Pack 3
    http://support.microsoft.com/kb/949984/
    In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
    * The WZCSVC service
    * The Wired AutoConfig service (DOT3SVC)
    As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
    If you are an end-user who has already installed Windows XP SP3, follow
    these steps:
    1. Click Start, and then click Run.
    2. In the Open box, type services.msc, and then press ENTER.
    3. Locate the Wired AutoConfig service, right-click it, and then click
    Start
    Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
    CERTIFICATE REQUIREMENT IN EAP-TLS:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
    ACS CONFIGURATION:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
    MICROSOFT XP CLIENT CONFIGURATION:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
    As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
    Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
    Also, let me know the full ACS version and platform.
    HTH
    JK
    Do rate helpful posts-

  • ACS 3.3 for windows - Win AD and eap-tls problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why it's not working with the combination EAP-TLS and MS AD.
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    Hi,
    This is what is interesting,
    AuthenProcessResponse: process response for 'phd' against Windows Database
    Unknown User 'phd' was not authenticated
    Done RQ1027, client 50, status -2125
    The field that is being picked from certificate has the value 'phd', check you check which field is it.
    And was the logging at full?, I think something is missing in the logs.
    Lets do a sanity check, and go through following link again,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
    Regards,
    Prem

  • EAP-TLS problems with Cisco AP541N and Server 2008 NPS

    Hi,
    I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
    I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
    Oct 18 15:42:58
    info
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
    Oct 18 15:42:58
    warn
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
    Oct 18 15:42:58
    info
    hostapd
    The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
    NPS logs this:
    Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
    Netzwerkrichtlinienname: XXXXXX
    Authentifizierungsanbieter: Windows
    Authentifizierungsserver: XXXXX
    Authentifizierungstyp: EAP
    EAP-Typ: -
    Kontositzungs-ID: -
    Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
    Ursachencode: 22
    Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
    I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
    I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
    Did anybody encounter something like this before? Or just knows what to do?
    Thanks in advance
    Lenni

    Joe:
    Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
    EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
    PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
    for PEAP-MSCHAPv2, Your options are:
    - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
    - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
    - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
    You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wired EAP-TLS Problems

    I'm trying to setup wired clients to authenticate with EAP-TLS on a Catalyst 2950, I put together a test setup using the configs on my freeRADIUS server taken from another which is working with EAP-TLS over wireless, the requests are being passed through to the server but the authentication is still failing, could anyone give me some advice? Logs and configs included below......
    My current setup is:
    FreeRADIUS server - Fedora Core 6, freeradius-1.1.3-2.fc6, freeradius-mysql-1.1.3-2.fc6
    Cisco Catalyst 2950 - IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA9, RELEASE SOFTWARE (fc1) - c2950-i6q4l2-mz.121-22.EA9.bin
    Laptop - OpenSUSE 10.2
    I followed the guide to setting up 802.1x auth on the switch from the 2950 docs and from here:
    http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO (although I'm not using Windows, so only the switch config is relevant)
    "select * from nas" (comma seperated to make it easier):
    id,nasname,shortname,type,ports,secret,community,description
    1,10.10.0.9/32,Catalyst,cisco,NULL,<secret>,NULL Catalyst 2950
    wpa_supplicant.conf on laptop:
    ctrl_interface=/var/run/wpa_supplicant
    ctrl_interface_group=wheel
    ap_scan=0
    network={
    key_mgmt=IEEE8021X
    identity="SUSE Laptop"
    eapol_flags=0
    eap=TLS
    ca_cert="/home/evosys/Documents/cacert.pem"
    client_cert="/home/evosys/Documents/suse_cert.pem"
    private_key="/home/evosys/Documents/suse_key.pem"
    private_key_passwd="<password>"
    Outputs of the radiusd and wpa_supplicant are attached...

    Based on this:
    TLS: Certificate verification failed, error 19 (self signed certificate in certificate chain)
    SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
    I would say that your freeRADIUS server is providing a self-signed cert and the supplicant doesn't trust the signature. The client's ca_cert has to be the same one that signed the freeRADIUS server's cert (or you have to disable certificate verification on the client).
    Shelly

  • WLC 5508 - EAP-TLS - Windows 8.1 Third Party PKI

    Hello,
    Does anybody know what could prevent a Windows 8/8.1 system to connect to a WLC via EAP-TLS? Windows 7/XP do not have any problems here.The radius server accepts the request, but WIndows 8 still tries to authenticate.
    Software is updated to 7.6.120.0, I tried to setup timeout values, but no success at all.
    Did anyone have similar problems with Windows 8/81?
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Starting key exchange to mobile 0c:8b:fd:eb:16:17, data packets will be dropped
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Sending EAPOL-Key Message to mobile 0c:8b:fd:eb:16:17
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Reusing allocated memory for  EAP Pkt for retransmission to mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId =
    0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Entering Backend Auth Success state (id=6) for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 Received Auth Success while in Authenticating state for mobile 0c:8b:fd:eb:16:17
    *Dot1x_NW_MsgTask_7: Jun 24 12:43:10.604: 0c:8b:fd:eb:16:17 dot1x - moving mobile 0c:8b:fd:eb:16:17 into Authenticated state
    *osapiBsnTimer: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:13.801: 0c:8b:fd:eb:16:17 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:13.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:16.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 Retransmit 2 of EAPOL-Key M1 (length 121) for mobile 0c:8b:fd:eb:16:17
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17 mscb->apfMsLwappLradNhMac = 00:24:97:52:87:d6 mscb->apfMsLradSlotId = 0 mscb->apfMsLradJumbo = 0 mscb->apfMsintIfNum = 13
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsBssid = 00:24:97:70:9a:00 mscb->apfMsAddress = 0c:8b:fd:eb:16:17 mscb->apfMsApVapId = 1
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  dot1xcb->snapOrg = 00 00 00 dot1xcb->eapolWepBit = 0 mscb->apfMsLwappLradVlanId = 0 mscb->apfMsLwappMwarInet.ipv4.addr = -1407817979
    *dot1xMsgTask: Jun 24 12:43:16.802: 0c:8b:fd:eb:16:17  mscb->apfMsLwappMwarPort = 5246 mscb->apfMsLwappLradInet.ipv4.addr = -1407817773 mscb->apfMsLwappLradPort = 10367
    *osapiBsnTimer: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 802.1x 'timeoutEvt' Timer expired for station 0c:8b:fd:eb:16:17 and for message = M2
    *dot1xMsgTask: Jun 24 12:43:19.801: 0c:8b:fd:eb:16:17 Retransmit failure for EAPOL-Key M1 to mobile 0c:8b:fd:eb:16:17, retransmit count 3, mscb deauth count 0
    Any hint would be great .... Thank you...

    Hello Dino,
      thanks very much for your reply.
      The client uses a machine-certificate, the PKI is not a microsoft one, but a third party PKI.   The certificate is fresh and valid, the root-cert is installed and checked to be validated against it for the login.
    Clock is correct too. The same setup works flawlessly in Windows 7 and XP.
    EKU is set on the certificate (1.3.6.1.5.5.7.3.2)
    I suspect the cert-setup itself, but don't get a clue where this might stuck...
    Björn

  • EAP-TLS with IAS

    Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
    Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
    Any suggestions?

    Hi,
    I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
    Regards,
    Davy

  • ACS 4.2 and EAP-TLS with AD and prefix problem

    Hi there
    we have the following situation:
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
    First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
    Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
    This is the normal output of the Remote Agent, it finds the host but then nothing happens:
    CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
    CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
    CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
    CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
    So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
    test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
    CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
    CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
    Could this be the problem or does someone see any other problem?
    Best Regards
    Dominic

    Hi Colin
    thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
    I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
    Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
    Regards
    Dominic

  • Trouble with EAP-TLS with Wireless before Windows logon

    Ill start with a list of equipment;
    5508 WLC
    3502i AP's
    Cisco ACS 5.3
    Windows 7 clients
    WLAN is configure with WPA2/AES with 802.1x for key management.
    Client is configure with WPA2/AES, auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication.  The client is configured to use a certificate on the computer.  "It only works if user or computer auth is seected."  If i use Computer Authenticate option......its says it cant find a certificate to use for EAP.
    ACS is configured to only allow for protocol EAP-TLS.
    We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
    This whole process with EAP-TLS works great if you are already logged in to the machine, with cache credentials.  Once I log off the Windows 7 client, I lose connection to the WLAN.  We would like to stay logged on to the WLAN.  PEAP w/ MSCHAPV2 works great with staying connected to the WLAN but we want to use EAP-TLS.
    Any ideas??
    Thanks in advanced,
    Ryan

    Hi Ryan,
    You actually answer your own question :) The reason for the fault is because the Machine Account doesn't have a Certificate, so when your User logs off the Machine Account can't login to keep the session going, and thus you get disconnected. Provide the Machine Account with a Certificate and your problem will be resolved.
    Richard

  • EAP-TLS machine authentication problems

    Well..
    I have the following devices:
    WCS
    Wlan controller 4402
    AP 1130 LWAPP
    Workstation XP sp2
    Secure ACS 4.0
    Windows CA
    Windows AD
    Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
    Which clarifications do I have to do in ACS and AD?
    Can someone help me and give me very detailed instructions on how to make it work.

    Hi,
    We had a same problem until we ran 2 windows hotfixs. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe Have you tried to do this. Our EAP-TLS machine authentication is working fine now.
    Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

  • EAP/TLS , PEAP problem on PORTEGE with WinXP sp2 Tablet ed.

    We have: ap Cisco AiroNet350 with WPA-EAP, Freeradius with configured EAP/TLS and PEAP, tablet PC PORTEGE with WinXP sp2.
    This problem discribed at http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Maybe to solve this problem we need a fix ( http://support.microsoft.com/kb/885453/en-us ), but microsoft support tells to contact with notebook manufacturer.
    Can anybody help me with this problem?

    Hmmm Im not expert on this field but it seems that the MS OS update is need. (I hope)
    The preinstalled Windows OS is a simply OEM version and usually every updates should be possible. However, if the MS guys told you to contact the notebook manufacture so you can contact the Toshiba authorized service provider in your country for more details.
    But I have investigated a little bit in the net and found this useful site:
    http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci945257,00.html
    1. 802.1X depends on communication between your wireless router and a RADIUS authentication server. Whether you're using WPA2, WPA, or WEP with dynamic keys, the following 802.1X debugging hints can be helpful:
    a. Re-enter the same RADIUS secret into your wireless router and RADIUS server.
    b. Configure your RADIUS server to accept RADIUS request from your router's IP address.
    c. Use ping to verify router-to-server reachability.
    d. Watch LAN packet counts to verify that RADIUS requests and responses are flowing.
    e. Use an Ethernet analyzer like Ethereal to watch RADIUS success/failure messages.
    f. For XP SP2, turn on Wzctrace.log by entering "netsh ras set tracing * enabled"
    2. If RADIUS is flowing but access requests are being rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. Fixing this depends on EAP Type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other Certificate" on your wireless adapter's Network Properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" for the adapter. If your RADIUS server requires EAP-TTLS, then you'll need a third-party wireless client like AEGIS or Odyssey.
    Make sure that EAP-specific properties match for your adapter and server, including server certificate Trusted Root Authority, server domain name (optional but must match when specified), and client authentication method (e.g., EAP-MSCHAPv2, EAP-GTC). When using PEAP, use the CHAP "Configure" panel to prevent Windows from automatically re-using your logon.

  • Connecting iPads to an Enterprise Wireless 802.1x (EAP-TLS) Network Using Windows Server 2003 IAS

    Hi there,
    I am asked to deploy iPads on an 802.1x EAP-TLS WiFi network. The customer has a Windows Server 2003 IAS server providing RADIUS. There also is a Windows based CA infrastructure in place. This solution is in production and is already being used by other wireless devices. Could someone please highlight the configuration steps for the iPad deployment? The customer whishes to automate the initial deployment and the renewal of the certificates. I have a basic understanding of 802.1x, RADIUS, Certificates etc. in a Windows infrastructure but I am new to enterprise deployment of iPads. There is no MDM tool in place by the way...
    I did find a Microsoft article which I think describes what needs to be done: http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx. This article basically states the following steps:
    1. Create a placeholder computer account in Active Directory Domain Services (AD DS)
    2. Configure a Service Principal Name (SPN) for the new computer object.
    3. Enroll a computer certificate passing the FQDN of the placeholder computer object as a Subject Name, using Web Enrollment Pages or Certificates MMC snap-in directly from the computer (Skip step 4 if you are using the Certificates MMC snap-in)
    4. Export the certificate created for the non-domain joined machine and install it.
    5. Associate the newly created certificate to the placeholder AD DS domain computer account manually created through Name Mappings
    The article then elaborates on specific steps needed for the iPad because it treats all certificates as user certificates. Can someone confirm this behavior??
    Regards,
    Jeffrey

    Use VPP.  Select an MDM.  Read the google doc below.
    IT Resources -- ios & OS X -- This is a fantastic web page.  I like the education site over the business site.
    View documentation, video tutorials, and web pages to help IT professionals develop and deploy education solutions.
    http://www.apple.com/education/resources/information-technology.html
       business site is:
       http://www.apple.com/lae/ipad/business/resources/
    Excellent guide. See announcment post -- https://discussions.apple.com/thread/4256735?tstart=0
    https://docs.google.com/document/d/1SMBgyzONxcx6_FswgkW9XYLpA4oCt_2y1uw9ceMZ9F4/ edit?pli=1
    good tips for initial deployment:
    https://discussions.apple.com/message/18942350#18942350
    https://discussions.apple.com/thread/3804209?tstart=0

  • EAP-TLS and MS AD auth problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why it's not working with the combination EAP-TLS and MS AD.
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

  • ISE problem with EAP-TLS Supplicant Provisioning

    Hi All,
    I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
    The entire CWA / Device Registration process is all fine and works well.  I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
    The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
    Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
    Cheers,
    Richard
    PS - Also using WinSPWizard 1.0.0.28

    Hi Richard,
    This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
    Istvan Segyik
    Systems Engineer
    Global Virtual Engineering
    WW Partner Organization
    Cisco Systems, Inc
    Email: [email protected]
    Work: +36 1 2254604
    Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I´m stucked with this problem for 3 weeks now.
    I´m not able to configure the EAP-TLS autentication.
    In the "Certificate Store" of the ISE server I have Installed the Root, policy and the Issuing certificates as "trust for client authentication",and in the Local store I have a certificate issuing for the same issuing authority which sign the thw client ones.
    The ISE´s certificate has been issued with the "server Authentication certificate" template.
    The clients have installed the certificates  also the certificate chain.
    When I try to authenticate the wireless clients I allways get the same error: "     Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don´t know what else can I do.
    Thank you
    Jorge

    Hi Rik,
    the Below are the certificate details
    ISE Certificate Signed by XX-CA-PROC-06
    User PKI Signed by XX-CA-OTHER-08
    In ISE certificate Store i have the below certificates
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled - 'Trust for client authentication' on all three certificates
    this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
    when i check the certificates of current user in the Client PC this is how it shows.
    XX-CA-ROOT-04 is listed in Trusted root Certification Authority
    and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

Maybe you are looking for