EAP-TLS Wireless Authentication - General questions

Hi,
I want to use EAP-TLS as a method of authentication for users/computers to join the Wireless. Devices that will connect to the Wireless are part of the domain.
What certificate is preferred to use for this purpose? Computer o User certificates? I guess that it probably depends on what you want to identify or authenticate, a user or a device, but what option is “generally” recommended?
Is there any difference from the point of view of security? Is a computer certificate more secure than a user certificate o vice versa? I have been told that user certificates are easier to compromise (or steal from a windows machine) than computer certificates
even if a user doesn’t have Admin privileges in their machine?
I have also been told that using user certificates could result in some issues to pass some Compliance audits.
I would like to be sure that the design complies with the most recommended and secure alternative.
I would appreciate some help.
Many thanks.

There are pros and cons to using workstation or user based certificates, as well as benefits to using "both". But first thing, both user and computer certificates are secured in the same way in the operating system - in an encrypted state. There are reasonable
controls in place, but anyone bent on hacking a system and has physical control of it, has many options available to them. Things like Bitlocker with TPM can help mitigate many of these attacks. The purpose of certificates is to increase the security and integrity
above passwords. It's not foolproof.
The benefit to using computer/workstation authentication is that when the computer boots up, it joins the WiFi and enables domain users to log on. This is even the case if the user has never logged onto the computer before. The workstation has a secure channel
to a domain controller and is fully managed and applies GPO updates. In this model, the WiFi connected machine is no different from a wired machine.
The disadvantage is that you need to carefully manage your computer devices in AD. Imagine the scenario of a laptop that is stolen. Do you have the means to know which computer object it is and to disable/delete it from AD? If not, then whoever uses the
computer will be able to get onto your WiFi. Many organizations have trouble with this aspect.
User Authentication is a little easier as its easy to manage users who should be allowed to get onto a network. If they leave, their account is disabled. However, they must have cached credentials on the laptop
they want to use as there is no means to contact a DC to authenticate a user the first time.
Another option to consider is to use BOTH. In this scenario, you issue certificates to both the computer and user. When the computer boots, it joins the WiFi. When a user logs on, the computer stays connected
to the WiFi for 60 seconds to allow the user to authenticate and to receive their credentials which are then used to authenticate to the WiFi. If the user is not authorized or is unable to authenticate, then the WiFi is disconnected. This provides the best
security option, but it means managing both user and computer objects properly.
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

Similar Messages

PEAP vs EAP-TLS Wireless Authentication Method

Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks,

Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks,

ACS 5.3, EAP-TLS Machine Authentication with Active Directory

I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
Evaluating Identity Policy
15006 Matched Default Rule
22037 Authentication Passed
22023 Proceed to attribute retrieval
24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
24437 Machine not found in Active Directory
22016 Identity sequence completed iterating the IDStores
Evaluating Group Mapping Policy
12506 EAP-TLS authentication succeeded
11503 Prepared EAP-Success
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
22065 Max sessions policy passed
22064 New accounting session created in Session cache
11002 Returned RADIUS Access-Accept
I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
Note: In my Identity Store Sequence, I did enable the option:
For Attribute Retrieval only:
If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
but this only seems to work for internal identity stores (at least based on my testing)
Under my Access Policy Identity tab, I configured the following Advanced features:
Advanced Options
If authentication failed
RejectDropContinue
If user not found
RejectDropContinue
If process failed
RejectDropContinue
And that didn't do anything either.
Any ideas? Thanks in advance.

Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
Then can make a rule in the authorization policy such as
If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

EAP-TLS machine authentication problems

Well..
I have the following devices:
WCS
Wlan controller 4402
AP 1130 LWAPP
Workstation XP sp2
Secure ACS 4.0
Windows CA
Windows AD
Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
Which clarifications do I have to do in ACS and AD?
Can someone help me and give me very detailed instructions on how to make it work.

Hi,
We had a same problem until we ran 2 windows hotfixs. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe Have you tried to do this. Our EAP-TLS machine authentication is working fine now.
Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

Eap-tls wireless machine authentication without AD

Hi all,
I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)
I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.
With admin account I can get windows to put user's cert into the machine store (Machine Account Personal Certificate Store),
but when it comes to a login attempt the RADIUS UserName lookS like "host/username" instead of "username" as user authenticate.
My question is that do I need to configure an Identity Store (like AD) for machine authentication on ACS or I can make use of the configuration as for user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)
Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252
Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.
Thanks for your help,

Assuming you're using the stock XP wifi client.
When running XPSP3, you need to set two things:
1) force one registry setting.
According to
http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
You need to force usage of machine cert-store certificate:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
"AuthMode"=dword:00000002
2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
- show available wireless networks
- change advanced settings
- wireless networks tab
- select your SSID, and then hit the "properties" button
- select authentication tab, and then hit "properties" button
- search for your signing CA, and check the box.
I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
please cross reference to
https://supportforums.cisco.com/message/3280232
for a better description of the whole setup.
Ivan

EAP-TLS Machine Authentication/Certificate

Hi,
I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN. I can make each user get a user cert from my CA and if I use an admin account I can get windows to put these certs into the machine store, but when it comes to a login attempt my RADIUS failure messages look like host/axelfoley001 instead of host/MACHINE001xp, which is how the login looks on RADIUS when using EAP/PEAP.
Clients are WinXPSP3, and I'm using CiscoACS 4.1, MS Certificate Services CA.
When a user gets its own cert it can log into the WLAN fine after already logging onto the machine, but i can't seem to figure out how to pass the machine name with the cert on machine login (pre-auth).
Do I need to alter some setting in the cert to pass a different user/machine name or do i need to get a different kind of cert from the CA?
Any help will be greatfully received.
Thanks,

It sounds like your supplicant isn't configured to use machine credentials. In WZC there is a checkbox for "user machine credentials if available".... Perhaps that isn't enabled?
Or perhaps you don't have a machine cert on the computer. You mentioned a "user cert", but I think if you want machine credentials, don't you need a certificate for the machine itself? I could be wrong on this though.

ISE 1.1 EAP-TLS User Authentication in Multiforest

Hello,
we are currently evaluating the ISE 1.1 in a multiforest environment and we have problems to authenticate users which based in other domains (domain2) then the ISE (domain) is based.
This is the setup:
In domain1 is a MSFT CA with OCSP, DC and ISE
In domain2 is a DC and the users
there is a two way trust between the domains.
This is my authentication scenario:
1. agent connect to a wireless network (ok)
2. client exchanges certificate information with ISE (ok)
3. ISE exchanges certificate status with CA (ok)
4. ISE extracts the subject Alternative Name from the certificate [email protected] (ok)
5. ISE queries Active Directory store for the user [email protected] (not ok fails with 22056 Subject not found)
in the log i can see the other forest (domain2) is not even queried to retrieve user data only domain1.
I could query the other domain during AD setup and was able to add groups from the other domain bet i could retrieve attributes of the user in domain2.
Any Ideas?
Regards
Alex
Extract from Log File
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person
[email protected]
options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames:
[email protected]#012name
[email protected]
type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
)), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
)), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
[email protected]
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="
[email protected]
" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper
'[email protected]'
is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
DIAG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person [email protected] options=2
DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch. Blocked, not in DNS or our domain list
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: [email protected]#012name: [email protected] type=SAM domain=domain1.LAN#012
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs 7e638646 (cacheOps=40f, GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs e4a3aa15 (cacheOps=40f, GC=1)
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
DIAG <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="[email protected]" (GC=0)
DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper '[email protected]' is not a canonical name
DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete

Tarik,
from the ISE cli i can nslookup domain2.lan and i get this result
nos-ch-wbn-ise1/admin# nslookup domain2.lan
Trying "domain2.lan"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5
;; QUESTION SECTION:
;domain2.lan.              IN      ANY
;; ANSWER SECTION:
domain2.lan.       600     IN      A       192.168.68.21
domain2.lan.       600     IN      A       172.28.1.3
domain2.lan.       600     IN      A       172.28.1.2
domain2.lan.       600     IN      A       192.168.68.20
domain2.lan.       3600    IN      NS      labdc01.lab.lan.
domain2.lan.       3600    IN      NS      labdc02.lab.lan.
domain2.lan.       3600    IN      NS      labex01.lab.lan.
domain2.lan.       3600    IN      NS      bsdehepdc01.domain2.lan.
domain2.lan.       3600    IN      NS      bsdehepfs01.domain2.lan.
domain2.lan.       3600    IN      NS      mordor.softlink.ch.
domain2.lan.       3600    IN      NS      shire.softlink.ch.
domain2.lan.       3600    IN      NS      labex02.lab.lan.
domain2.lan.       3600    IN      NS      icm60.icm60domain.lan.
domain2.lan.       3600    IN      NS      bsfs02.domain2.lan.
domain2.lan.       3600    IN      NS      bsfs03.domain2.lan.
domain2.lan.       3600    IN      SOA     bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600
;; ADDITIONAL SECTION:
labdc01.lab.lan.        3600    IN      A       172.28.2.196
bsdehepdc01.domain2.lan. 311 IN    A       192.168.68.20
bsdehepfs01.domain2.lan. 2771 IN   A       192.168.68.21
bsfs02.domain2.lan. 1649   IN      A       172.28.1.2
bsfs03.domain2.lan. 595    IN      A       172.28.1.3
So i assume dns is working fine.
Do i have to see the GC of the trusted domain as well in the ISE Active Directory Configuration ?
thanks & regards
Alex

Wired/wireless traffic general question

I originally set up my Airport Extreme without much expertise on WiFi or routers, but I want to raise my knowledge base now.
My current question: In general operation with both ethernet and wireless clients, obviously all the traffic with wireless clients is broadcast over RF to anything out there that can receive them, but is any of the traffic between the base station and the ethernet clients also broadcast over the RF signal? To put it another way, can eaves dropping on the RF traffic also allow eaves dropping on the ethernet traffic?
Are there any good educational books like a Missing Manual or such on WiFi or Airport?

A lot of very interesting aspect of "others experience w/airport". I'm also in a suburb w/a lot of WiFi, other variation's of the same, and Airport traffic. One early concern I had was the Rf-AP system starting up, as it does right out of the box. Not knowing this, (at least at first) was for me an embarrassing wake-up call. As for near-by WiFi/and other "dish, etc" systems, A few thing's I noticed, and thanks to associate's who know WiFi/Rf tech very well, a few observations, for what it's worth. Regarding "Ghosting" of certain signals, it is almost inevitable for many reasons. It's a bit like (usually and harmlessly) being at a crowded party, where you "hear" many people jabbering away, but don't really know "what they're saying, other then 'something."
Oddly enough, I have an associate who calls that (a bit like a cheap hearing aid) "Rf, or harmonic din". As for it being problematic from a security point-of-view one needs to isolate "sections" from one "broadcast" which I'm told is rather low tech, as a first step to having one "borrow your specific signal,' for say either sub-Walmart (cheap bas******) access to the net thanks to your WiFi AP. As you mentioned, w/so much depending on the chronic pain that's all based on passwords, well, we know the issue w/that.
Several aspects of trying to maintain some dignity in not getting hacked for whatever intent present repeated problems. I was hacked, and it was (unfortunately not benign). Believe me. Since , I have done everything short of active EW suppression (FTC, and anyone in range would be understandably ******-off.) Your comment about "flat signal strength" I'm told is screaming, "I'm blending in, move on." Varying sig strength is one way to blend in yourself, but only a bit.
But WiFi signal structure has certain quiescent properties reported in the literature (I read it on physorg.com, or technology review I think) that makes that soft engulfing-Rf nature of WiFi useful, Ex: for those who want to know, or really just be aware "someone, a pet", etc; who is moving around a room, compared w/the stuff in a room, building, etc. That attribute provide's a technical/mathematical yardstick that is at least one reproducible and exploitable aspect of the technology. As with that noisy background "party din," it's why noise in general can be cut through as long as you get even a small piece of a conversation.
I've looked at passive material "blankets" that smother Rf. Certain conductive polymer's woven in the density of a gym mat are somewhat useful if its something serious enough. Naturally, (pricey) and by no means perfect. Beyond that one can use old power company techniques developed to know where a line goes down, for example if using a hard line. Since ac can be modulated, it can also be run through what looks like a small old desk-top pc cpu tower. ****, anyone can buy a plugin, looks a small 120vt-12v transformer you plug in the wall ac, and that turns ones household wiring into a local, house/office Rf wireless network.
In the end it can get surreal, silly, paranoid. or just sad. Been there too. Anyway, best of luck. Bob.

Wireless printing - general question

Hello,
I am considering buying a OJ Pro 8000 Wireless. How does the wireless work? Is it only ad-hoc with one PC or does the printer associate with an access point and then is available to entire wired and wireless subnet?
Best regards
FISHRMAN

The latter is the primary purpose and most common installation.
Ad-hoc is also supported, although it is not very reliable and interrupts any infrastructure wireless with which the computer is associated.
Say thanks by clicking "Kudos" "thumbs up" in the post that helped you.
I am employed by HP

Wireless ISE - 12508 EAP-TLS handshake failed

Hi guys,
I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication. In short, all EAP-TLS authentication is failing with the following error. Below that is the relevant excerpt from the logs:
Authentication failed : 12508 EAP-TLS handshake failed
OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error - certificate signature failure", OpenSSLErrorStack= 597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:,
Setup:
- Single standalone ISE 3355 appliance
- Two tier MS enterprise PKI (outside of my direct control)
- WLC 5508
- Windows 7 laptop\
- The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
- The test laptop has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
Now, I'm pretty new to certs so I'm sure I'm missing something simple here. One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that. Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
This is what TAC came back with, but none of the workarounds helped
Symptom:
========
EAP-TLS auth handshake failing with X509 decrypt error. The error presented to the ISE administrator is "12508: EAP-TLS handshake failed"
Conditions:
=========
EAP-TLS certificate based authentications ISE 1.1.2.145
Workaround:
===========
1) Reboot or restart ISE application service 2) Recreate CAP (Certificate Authentication Profile) 3) Toggle between ID sequence and single ID source

Hi Amjad,
Thanks for the response. I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year). On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
The certificate format has not been modified in any way. The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
Cheers,
Owen

EAP-TLS and getting a new user to log in on a wireless network

I have setup EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
My issue is when I have a new user, who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user login, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kinda defeats the purpose of a WLAN.
How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
After further reading and research, I believe that my delima will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or can it be a Standalone CA?
Paras

check the below link and read server requirements.
http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
The stanalone ca needs to be trusted by AD
http://groups.google.co.uk/group/microsoft.public.win2000.security/browse_thread/thread/1cf098c0dfa97ca0/b964dd05c12fd3fb?lnk=st&q=eap-tls+certificates+standalone+root&rnum=2&hl=en#b964dd05c12fd3fb
What windows are you using? The default behaviour of windows is it do user authentication.You would need to play with registry to make systems to do only machine authentication.
You would need connectivity when you want install the ca certificate, or else allow open authentication on the access point to have the connectivity and once the certificates are installed disable it.
Please rate the post if it helps

EAP-TLS or PEAP authentication failed during SSL handshake

Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
When I check my log in the failed attemps, there is what I found:
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
06/23/2010
17:39:51
Authen failed
000e.9b6e.e834
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1101
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Networ
06/23/2010
17:39:50
Authen failed
[email protected]
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1098
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Network
[email protected] = my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
2. Secondly, When I check in pass authentications... there is what i saw
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
NAS-Port
NAS-IP-Address
Network Access Profile Name
Shared RAC
Downloadable ACL
System-Posture-Token
Application-Posture-Token
Reason
EAP Type
EAP Type Name
PEAP/EAP-FAST-Clear-Name
Access Device
Network Device Group
06/23/2010
17:30:49
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
06/23/2010
17:29:27
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy---

Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
Let's brain storm together to figure out this guys.
Thanks in advance,
----Paul

802.1x eap-tls machine + user authentication (wired)

Hi everybody,
right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
<key>SetupModes</key>
<array>
    <string>System</string>
    <string>Loginwindow</string>
</array>
<key>PayloadScope</key>
    <string>System</string>
but it does not work
2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
Thanks

Unfortunatelly this documents do not describe how to do what I want.
I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
Any ideas ?

Eap-tls wired 802.1x - certificate issue?

I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?

We solved our WIRELESS problem by editing the following entrees. I sure this can be applied to the wired side somehow.
The information about the correct settings can be found in this Microsoft document:
http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
Roaming AP to AP I only lost 1 packet.
Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
Shutting the wireless off and back on I only lost 8 packets.
I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

EAP-TLS Error

Hello.
I cannot get EAP-TLS auth to work on windows 7 wired setup. I've tested EAP-PEAP on wireless and wired - works fine. Also EAP-TLS for wireless works great. Clients are on same domain as radius (wich is Cisco ISE), we've deployed CA-services on that same domain too and are distributing certificates to clients via GPOs. Authenticators (switchports) are configured correctly, certificates work on EAP-TLS wireless setup, everything seems to be ok, but wired connection still cannot auth and EAP timeouts.
Here is the error:
Logged At: May 14,2013 11:52:12.159 AM
RADIUS Status: No response received during 120 seconds on last EAP message sent to the client : 5411 No response received during 120 seconds on last EAP message sent to the client

Have you confirmed that the Supplicant is configured properly for EAP-TLS authentication? I have done this type of deployment many times and haven't had this issue.
Thank you for rating helpful posts!

EAP-TLS Wireless Authentication - General questions

Similar Messages

Maybe you are looking for