EAP-TLS Questions....

Similar Messages

• Quick eap-tls question?

  If I have a laptop running eap-tls in the following way
  laptop ---- ap -----wlc ------cisco acs (radius)
  lets say the laptop starts eap-tls when it boots up and exchanges certificates with the acs
  If i have no encrytion set on the WLAN, would the whole tls and certificate exchange be readable by a wireless network sniffer?
  I really get confused between eap-tls and lets say a web ssl (tls) session
  eap-tls is pure authentication, no encrytion?
  where when you start an ssl session, lets say with amazon.co.uk, all data within the ssl (tls) session is encrypted
  Is anything encrypted when using eap-tls if you use an open network?
  Many thx indeed,
  Ken

  Also, just reading the rfc is states "MAY"
  It states that you use eap-tls within eap-tls?
  2.1.4. Privacy
  EAP-TLS peer and server implementations MAY support privacy.
  Disclosure of the username is avoided by utilizing a privacy Network
  Access Identifier (NAI) [RFC 4282] in the EAP-Response/Identity, and
  transmitting the peer certificate within a TLS session providing
  confidentiality.
  Any comments and clarification on this would be great. I just have the ssl web scenario stuck in my brain and cant adapt it (if appropriate) to eap-tls?
  Thx guys,
  Ken

• EAP-TLS question

  Hi,
  does anybody know if, by using EAP-TLS, it's possible to start network connection before login like with LEAP. I tryed it but the certificate seems to be personnal. Is it possible to associate this one to the computer only (with a generic store or user) ???
  In fact i'd like my stations to be reachable even if nobody's logged onto.
  Thanks for help

  I don't believe you can use EAP-TLS for "generic" PC authentication since the credentials for authentication are based off of the certificate that the user must import into their local machine store along with their network logon credentials. With the certificate that the user(s) imports into their local machine store, the "Issued to:" field of the certificate must match the user's account name in the DB that ACS is using for this, whether it's an external DB such as Active Directory or whatever. So, you are correct in saying that the user certificate seems to be personal to the specified user.
  Hope that helps.

• EAP-TLS User Certificate Question

  I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:
  I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.
  Thanks
  -Raun

  If you are using the MS Supplicant, you need the following registry settings:
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"
  "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"
  This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.
  As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.
  Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

• EAP-TLS client security policy enforcement question using ISE

  Hi Experts ,
  I have remote site connected to HQ wireless controller and cisco ISE used as RADIUS server . I am using EAP-TLS authentication method where client will validate the server certificate and server will validate the client certificate.
  I am using EAP-TLS and machine authentication.
  In case of server certificate installation using internal PKI (Root CA ) server , I am quite clear that we can create certificate in ISE and can be signed by CA which will be used for EAP-TLS as well. however I am trying to under the client certificate installation.
  how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
  and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
  This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
  how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
  I am not sure ... will it get pushed through AD ? how will it happen ?
  It would be really helpful if someone could put light on this ..

  Hello Vino,
  Some answers below :
  how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
  You have templates in the certificate authority to user or machine certificate and you can apply these certificates to a group of machines or users using GPO in the Windows Server 2008.
  It can be automatically because the machine can get it using GPO from domain and after can authenticates using 802.1X using these certificates received from this policy.
  If you want a user certificate and get it manually you can access the CA too using the URL https://X.X.X.X/certsrv and request manually the user certificate using your domain credentials and install manually to authenticate using EAP-TLS with this user certificate.
  In the Cisco ISE Side it needs to have a local certificate from the same client CA or from another CA and the Cisco ISE needs to trust in the clients CA Issuer to accept the client certificate and allow this one to access the network.
  In the client side the same happens, the client needs to trust in the Issuer CA for the Cisco ISE certificate to validate ISE certificate and get access to the network.
  and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
  If you have a Windows Server with GPO and a CA configured you can use some templates to apply automatically a machine certificate or user certificate to a group of machines or user, in the case of machines it can be get from the domain using GPO and in the case of user certificate it can be get manually or using GPO too.
  This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
  The EAP-TLS is the most secured method to use to authenticate devices in the network because you have certificates and you have trusted certificate authority that you trust and only devices who has certificates from these CAs will be allowed to access the network.
  Another method very secured is EAP-FAST with machine and user certificate that the ISE will validade both the machine and user certificate before allow this one to get access to the network.
  how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
  You can apply it too using GPO in the Windows Server to a domain machine but when you have a machine that is not a domain machine you can use a user certificate to authenticate this one and need to install manually the user certificate in that machine to authenticate the user to wireless network and create SSID specifying the policy that is EAP-TLS.
  Remember that client machine needs to have the CA issuer for the Cisco ISE certificate to trust in the Cisco ISE and get access to the network and the opposite too (ISE needs to have the CA Issuer to trust in the client)
  I hope it helps.

• EAP-TLS User and machine authentication question

  Hello,
  i have a question regarding EAP TLS authentication in a wireless environment. We use Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentification. The Laptop and the user can be successfully authenticated using a certificate from our internal CA. i can also check the in our corporate AD if the user and machine are member of a certain group and based on the membership a can grant access to the network.
  i can see in the ACS when the laptops after a reboot logs on to the network, but i don't see a log when the laptop comes back from hibernate mode, i guess this is normal because the laptop sends only the autentication equest after rebooting.
  What i'd like to achive is, when a user logs on the it should always be checked if the machine was authenticated prior the user can get access to the network. Is there a way to do this with EAP-TLS and a LDAP connection to Active Directory.
  thanks in advanced
  alex

  Sounds like you rather want to use PEAP/MSChapV2

• Question RE: eap-tls

  So I have an AP configured to use a radius server for eap-tls the CA and Radius server are MS CA and MS IAS clients are XPpro. Everything is working fine. So where my question is the cracking of a WEP(128bit encryption). Could someone be in the area sniff the wireless data traffic which is encrypted, then later crack the WEP encryption to view the data? Our WEP keys change every 7 minutes. Thanks John

  But once they've cracked the key from the capture. Could they then view the data? ie capture id's and pwds that are in the clear? reconstruct an email,etc? I'm not worried about them connecting since they'd need the certificates and a valid ID and password.
  thanks

• EAP-TLS Wireless Authentication - General questions

  Hi,
  I want to use EAP-TLS as a method of authentication for users/computers to join the Wireless. Devices that will connect to the Wireless are part of the domain.
  What certificate is preferred to use for this purpose? Computer o User certificates? I guess that it probably depends on what you want to identify or authenticate, a user or a device, but what option is “generally” recommended?
  Is there any difference from the point of view of security? Is a computer certificate more secure than a user certificate o vice versa? I have been told that user certificates are easier to compromise (or steal from a windows machine) than computer certificates
  even if a user doesn’t have Admin privileges in their machine?
  I have also been told that using user certificates could result in some issues to pass some Compliance audits.
  I would like to be sure that the design complies with the most recommended and secure alternative.
  I would appreciate some help.
  Many thanks.

  There are pros and cons to using workstation or user based certificates, as well as benefits to using "both". But first thing, both user and computer certificates are secured in the same way in the operating system - in an encrypted state. There are reasonable
  controls in place, but anyone bent on hacking a system and has physical control of it, has many options available to them. Things like Bitlocker with TPM can help mitigate many of these attacks. The purpose of certificates is to increase the security and integrity
  above passwords. It's not foolproof.
  The benefit to using computer/workstation authentication is that when the computer boots up, it joins the WiFi and enables domain users to log on. This is even the case if the user has never logged onto the computer before. The workstation has a secure channel
  to a domain controller and is fully managed and applies GPO updates. In this model, the WiFi connected machine is no different from a wired machine.
  The disadvantage is that you need to carefully manage your computer devices in AD. Imagine the scenario of a laptop that is stolen. Do you have the means to know which computer object it is and to disable/delete it from AD? If not, then whoever uses the
  computer will be able to get onto your WiFi. Many organizations have trouble with this aspect.
  User Authentication is a little easier as its easy to manage users who should be allowed to get onto a network. If they leave, their account is disabled. However, they must have cached credentials on the laptop
  they want to use as there is no means to contact a DC to authenticate a user the first time.
  Another option to consider is to use BOTH. In this scenario, you issue certificates to both the computer and user. When the computer boots, it joins the WiFi. When a user logs on, the computer stays connected
  to the WiFi for 60 seconds to allow the user to authenticate and to receive their credentials which are then used to authenticate to the WiFi. If the user is not authorized or is unable to authenticate, then the WiFi is disconnected. This provides the best
  security option, but it means managing both user and computer objects properly.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

• Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS

  In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
  on this computer" and un-checked "Use simple certificate selection".
  My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
  client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
  drop down.
  Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
  TIA,
  -Rick

  Hi Rick,
  Thank you for your patience.
  According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
  know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
  Best regards,
  Steven Song
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• ISE - EAP-TLS and then webAuth?

  Hello everyone!
  I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
  Hardware:
  Cisco ISE VM running 1.1.3.124
  WLC 5508 running 7.4.100.0
  AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
  iPod Touch version 6.1.3(10B329)
  Senario:
  •- User Authenticates to SSID that is 802.1x WPA2 AES,
  •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
  •- User open’s their browser
  •- WLC redirects them to ISE CWA
  •- User provides credentials on the portal
  •- User to CoA’d to full access network
  Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
  I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
  Thank you in advance!
  Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
  I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• Trying to implement EAP/TLS using java (as part of RADIUS server)

  Hi
  This is a cross port since I didn't know which forum to post in!
  I'm trying to implement a RADIUS server (EAP/TLS) as part of my master thesis. I'm not used to Java SSL libraries and can't get it to work. The server will respond to an accesspoint that uses 802.1x. I have created certificates using openssl and imported the "cert-clt.pl2"and "root.pem" to a laptop trying to connect to the accesspoint. On the server side i imported the "cacert.pem" and "cert-srv.der" using keytool to a keystore. In my code I read the keystore and create the SSLEngine with following code:
            KeyStore ksKeys = KeyStore.getInstance("JKS");
              ksKeys.load(new FileInputStream("certs/FeebeeCommunity.keystore"), passphrase);
              KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
              kmf.init(ksKeys, passphrase);
              KeyStore ksTrust = KeyStore.getInstance("JKS");
              ksTrust.load(new FileInputStream("FeebeeCommunity.keystore"), passphrase);
              TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
              tmf.init(ksKeys);
              sslContext = SSLContext.getInstance("TLS");
              sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
              sslEngine = sslContext.createSSLEngine();
              sslEngine.setUseClientMode(false);
              sslEngine.setNeedClientAuth(true);
              sslEngine.setWantClientAuth(true);
              sslEngine.setEnableSessionCreation(true);
              appBuffer = ByteBuffer.allocate(sslEngine.getSession().getApplicationBufferSize());
              appBuffer.clear();
              netBuffer = ByteBuffer.allocate(sslEngine.getSession().getPacketBufferSize());
              netBuffer.clear();All I want to do with TLS is a handshake.
  I'm not talking ssl using sockets instead I receive and send all TLS data encapsulated in EAP packet that are incapsulated in RADIUS packets. I start off with sending TLS-Start upon I recive TLS data. I handle it with the following code:
         SSLEngineResult result = null;
          SSLEngineResult.HandshakeStatus hsStatus = null;
          if( internalState != EAPTLSState.Handshaking ) {
              if( internalState == EAPTLSState.None ) {
                  TLSPacket tlsPacket = new TLSPacket( packet.getData() );
                  peerIdentity = tlsPacket.getData();
                  internalState = EAPTLSState.Starting;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
                  return;
              else if(internalState == EAPTLSState.Starting ) {
                  internalState = EAPTLSState.Handshaking;
                  try {
                      sslEngine.beginHandshake();
                  } catch (SSLException e) {
                      e.printStackTrace();
          TLSPacket tlsPacket = new TLSPacket( packet.getData() );
          netBuffer.put( tlsPacket.getData() );
          netBuffer.flip();
          while(true) {
              hsStatus = sslEngine.getHandshakeStatus();
              if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                  Runnable task;
                  while((task=sslEngine.getDelegatedTask()) != null) {
                      new Thread(task).start();
              else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
                  try {
                      result = sslEngine.unwrap( netBuffer, appBuffer );
                  } catch (SSLException e) {
                      e.printStackTrace();
              else {
                  return;
          }When I try to send data I use the following code:
             SSLEngineResult.HandshakeStatus hsStatus = null;
              SSLEngineResult result = null;
  //            netBuffer = ByteBuffer.allocate(EAPTLSMethod.BUFFER_SIZE);
              netBuffer.clear();
              while(true) {
                  hsStatus = sslEngine.getHandshakeStatus();
                  if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
                      Runnable task;
                      while((task=sslEngine.getDelegatedTask()) != null) {
                          new Thread(task).start();
                  else if(hsStatus == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
                      try {
                          result = sslEngine.wrap( dummyBuffer, netBuffer );
                      } catch (SSLException e) {
                          e.printStackTrace();
                  else {
                      if( result != null && result.getStatus() == SSLEngineResult.Status.OK ) {
                          int size = Math.min(result.bytesProduced(),this.MTU);
                          byte [] tlsData = new byte[size];
                          netBuffer.flip();
                          netBuffer.get(tlsData,0,size);
                          TLSPacket tlsPacket = new TLSPacket((byte)0,tlsData);
                          if( size < result.bytesProduced() ) {
                              tlsPacket.setFlag(TLSFlag.MoreFragments);
                          return new EAPTLSRequestPacket( ID,
                                  (short)(tlsPacket.getData().length + 6),
                                  stateMachine.getCurrentMethod(), tlsPacket );
                      else {
                          return null;
                  }After I sent TLS-Start I receive data and manage to process it but when then trying to produce TLS data I get the following error:
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:992)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.java:125)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStateMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.java:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:930)
  Any help wold be most greatfull, if any questions or anything unclear plz let me know.
  add some additional information here is a debug output
  Before this I have sent a TLS-star package and this is when I receive new information and then try to create the answer
  [Raw read]: length = 5
  0000: 16 03 01 00 41 ....A
  [Raw read]: length = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-2, READ: TLSv1 Handshake, length = 65
  *** ClientHello, TLSv1
  RandomCookie: GMT: 1084488726 bytes = { 168, 20, 137, 240, 89, 129, 200, 201, 4
  1, 194, 9, 209, 10, 112, 24, 88, 220, 46, 176, 200, 20, 144, 212, 253, 164, 198,
  50, 201 }
  Session ID: {}
  Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH
  _3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA,
  SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EX
  PORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DE
  S_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
  Compression Methods: { 0 }
  [read] MD5 and SHA1 hashes: len = 65
  0000: 01 00 00 3D 03 01 41 A4 FC 16 A8 14 89 F0 59 81 ...=..A.......Y.
  0010: C8 C9 29 C2 09 D1 0A 70 18 58 DC 2E B0 C8 14 90 ..)....p.X......
  0020: D4 FD A4 C6 32 C9 00 00 16 00 04 00 05 00 0A 00 ....2...........
  0030: 09 00 64 00 62 00 03 00 06 00 13 00 12 00 63 01 ..d.b.........c.
  0040: 00 .
  Thread-5, fatal error: 40: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  Thread-5, SEND TLSv1 ALERT: fatal, description = handshake_failure
  Thread-5, WRITE: TLSv1 Alert, length = 2
  Thread-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeEx
  ception: no cipher suites in common
  javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:9
  92)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineI
  mpl.java:459)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineIm
  pl.java:1054)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:10
  26)
  at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
  at RadiusServerSimulator.EAPModule.EAPTLSMethod.buildReq(EAPTLSMethod.ja
  va:153)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.methodRequest(EAPStat
  eMachine.java:358)
  at RadiusServerSimulator.EAPModule.EAPStateMachine.run(EAPStateMachine.j
  ava:262)
  at java.lang.Thread.run(Thread.java:595)
  Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1
  352)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(Serve
  rHandshaker.java:638)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHands
  haker.java:450)
  at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHa
  ndshaker.java:178)
  at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:4
  95)
  at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
  at java.security.AccessController.doPrivileged(Native Method)
  at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.
  java:930)
  ... 1 more

  I am developing a simple client/server SSL app using sdk 1.4 (no SSLEngine) and am faced with the same problem. Could anybody track down the problem further?

• EAP-TLS new user login

  Hi!
  I´m having a logical misunderstanding about NPS, EAP-TLS and certificates. Maybe you can help me out with this.
  In my environment I have AD, NPS, CA and network devices. I´m using successfully Wifi EAP-TLS policy and my Ethernet policies are working aswell. I have two policies for ethernet and for wifi:
  1. Computer policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Computer Group
  2. User policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Users Group
  When I turn on computer it get acces to network (if I have certificate and machine is domain computer). When I log in with user who has a certificate and who is domain user - everything still works. So policies are working! If user don´t have certificate
  then connection is disconnected.
  Problem is that when I have a new user logging to the machine then it don´t have certificate. And authentication will fail! Is there a way to allow user to request certificate and then try to authenticate? GPO policy is "enroll automatically" turned
  on but it will not work cause user log in is using TEMP account and certificate is not enrolled! So new users can´t access to network to download profile if I don´t put the certificate there by myself. 
  Second question is about PXE an computer certificate. Is there a way to use SCCM/PXE for OSD?
  Any help would be appriciated!
  Taavi

  On Wed, 22 Jan 2014 09:07:38 +0000, asfewfewf wrote:
  I´m having a logical misunderstanding about NPS, EAP-TLS and certificates. Maybe you can help me out with this.
  In my environment I have AD, NPS, CA and network devices. I´m using successfully Wifi EAP-TLS policy and my Ethernet policies are working aswell. I have two policies for ethernet and for wifi:
  1. Computer policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Computer Group
  2. User policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Users Group
  When I turn on computer it get acces to network (if I have certificate and machine is domain computer). When I log in with user who has a certificate and who is domain user - everything still works. So policies are working! If user don´t have certificate
  then connection is disconnected.
  Problem is that when I have a new user logging to the machine then it don´t have certificate. And authentication will fail! Is there a way to allow user to request certificate and then try to authenticate? GPO policy is "enroll automatically"
  turned on but it will not work cause user log in is using TEMP account and certificate is not enrolled! So new users can´t access to network to download profile if I don´t put the certificate there by myself. 
  You need to look into setting up remediation.
  http://technet.microsoft.com/en-us/library/dd125372%28v=ws.10%29.aspx
  Second question is about PXE an computer certificate. Is there a way to use SCCM/PXE for OSD?
  You should be asking this question in a System Center forum -
  http://technet.microsoft.com/en-ca/systemcenter/bb625749.aspx
  Paul Adare - FIM CM MVP
  How do I set my LaserPrinter to "Stun"?!

• ACS 5.2 / WLC - EAP-TLS Certificate from 2 CA

  Hello,
  I'm Newbie with ACS equipment, i'm trying to implement it to secure our WIFI environment.
  One wifi SSID is broadcasted on a site, I would like to authenticate WIFI client through machine certificate.
  The big deal is that some client computer belong to an AD (AD1) and having its own CA1. Other client computer belong to another AD (AD2) also having its own CA (CA2). (With no relation or between the 2 CA)
  So computer1 having machine certificate from CA1 and computer2 having machine certificate from CA2
  I have imported the root certificate from the both CA into the "certificate authorities" store of the ACS.
  I have generated certificate signing request, one for each CA. Then I have binding the CA signed certificate.
  After configuring... the access services (identity, authorization...) and so on  I have the following issue:
  - Computer with certificate from the CA1 can connect without any problem.
  - Computer with certificate from the CA2 can NOT connect:
       - After investigation: the client computer do not trust the server ACS and reject the connection
       - Error return :
  RADIUS Status:Authentication failed 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
       - (If i get ridd of the option "verify server identity" on wifi optionof the client, the computer can conect: but this option is not acceptable)
       - It seems that the ACS sends only its certificate signed by the CA1
  The questions are:
  1- How can I configure the ACS to send the right certificate signed by the right CA corresponding to the computer that is intenting to authenticate
  2- I could see in documentation:
      "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
       --> Does it mean that we can only configure one local certificate to allow the ACS to authenticate to client for all the EAP-TLS protocol used ?
       --> How can I choose it ?
       --> For the current configuration, I have only the certificate signed by the CA which is configure "EAP: Used for EAP protocols that use SSL/TLS tunneling" (i don't know if this option has an impact with the certificate presented by the ACS when it authenticate itself to the client")
  Thanks for your helk and your information.
  Guillaume

  Hi Bastien,
  it is actually what i did.
  The point here i have 2 CA involved, with no relation between them.
  So I did the operation twice for each CA :
  -> making a certificate signing request, sent it to the CA, signed to by the CA and then imported/binded into the ACS
  -> I have added the root CA of each CA into the ACS as well.
  The point is when a computer, try to connect, it try to verify ACS server identity. And the ACS server only seems to present the certificate signed from CA1.
  So when a computer with certificate machine CA2, try to connect, it doesn't trust the ACS server has the ACS sent its certificate signed by CA1.
  I don't know how to allow the ACS to present the right signed certificated depending on the cleint that try to connect.
  Then another conf I do not understand is the option:
  EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local cetificate, when you add a local certificate to the ACS
  I do not undestand what does this option stand for ?
  Then I culd see into Cisco do :
      "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
  Doest it means that the ACS can use only one single certificate for All the TLS protocol configured in the ACS, to authenticate itself to the client?
  Or does the ACS can use a diferent local certificate from each dedicated eap-tls protocol?
  thx

• ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

  Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
  Long story short, what I'd like to do is: 
  User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
  Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
  personally owned devices only allowed to do ICA,
  corporate device can use SQL, RDP, etc...
  Thoughts, ideas?

  Not sure i understand your response, or perhaps my original question isn't clear.
  User authenticates with EAP-TLS / User cert
  User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
  Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
  My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

• Apple macosx machine authentication with ISE using EAP-TLS

  Hello,
  On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
  With windows machines all is working well. We are using computer authentication only.
  Now the problem is that we wish to do the same with MAC OSX machines.
  We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
  in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
  When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
  The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
  Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
  Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
  Thanks
  Gustavo Novais

  Additional information from the above question.
  I have the following setup;
  ACS 3.2(3) built 11 appliance
  -Cisco AP1200 wireless access point
  -Novell NDS to be used as an external database
  -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
  -Windows XP SP2 Client
  My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
  Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
  When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
  Please help...
  Thanks