Eap-tls wireless machine authentication without AD

Similar Messages

• EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

  Hello all,
  I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
  His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
  We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
  The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
  When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
  All of this appears to be successful the first time.
  If we disassociate the machine, the problems start. The accounting STOP message is never sent.
  Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
  Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
  My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
  IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
  Thanks
  Gustavo

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan

• EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

  Hi All ,
               I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of  EAP_TLS under golbal authentication setup .
               I have downloaded client supplicant certficate file for my windows XP machine .
  When i tried to authenticated i am finding following error message under  failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
  Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
  Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..

  Hello,
  I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
  Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
  -          Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification                      Authorities\Certificates
  -          Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
  -          Delete the wireless network from the computer
  -          REBOOT!!
  -          Open the Microsoft Management Console, “mmc”.
  -          Go FILE\Add Remove SnapIn. Select Certificates ..
  -          If promoted, do it for “My User Account”.
  -          Make sure the certificates are where you put them. 
  -          If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification                      Authorities\Certificates, remove them.
  -          Redo wireless network setup again
  I hope this helps you.
  Mike

• EAP-TLS or PEAP authentication failed during SSL handshake error

  I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
  The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
  Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
  Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
  Thanks for the help

  My experience suggests that the problem is the certificate.
  I'm running ACS 3.3.
  I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
  Correctly following the instructions led to a successful connection and no more error message.

• EAP TLS for machine and EAP PEAP for user

  Hi forum
  I am doing a design to use ISE to enforece dot1x for corporate machinese on both wired and wireless.
  Due to the particular environment, we will need to use EAP-TLS for machines auth and on top of that use EAP-PEAP for user auth with windows credential and posture for full access.
  Just wondering if anyone has done this before:
  1. Will this work?
  2. Any gottas?
  3. what is the user experience like?
  All machines are win7 based.
  Thanks

  You can not use the native supplicant for this. Cisco Anyconnect NAM will allow you to use this method. It is very simple to configure and deploy.
  Tarik Admani
  *Please rate helpful posts*

• EAP-TLS or PEAP authentication failed during SSL handshake

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected] = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
  My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
  Let's brain storm together to figure out this guys.
  Thanks in advance,
  ----Paul

• EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

  Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
  Does anyone have any ideas how to troubleshoot this problem with the appliance?

  If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

• EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

  We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
  experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
  We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
  Thanks..

  Here are some configs you can try:
  config advanced eap identity-request-timeout 120
  config advanced eap identity-request-retries 20
  config advanced eap request-timeout 120
  config advanced eap request-retries 20
  save config

• 802.1x Machine Authentication without AD

  Hello,
  I'm new to 802.1x security, and i'm wondering if it's possible to do windows machine authentication without an active directory?
  Thanks,
  Dan.

  Hi,
  Windows Machine authentication requires machine credentials, and these credentials can only exist on the AD.
  What you can do is authenticate the machine using its MAC address (Mac authentication bypass), and for this you only need to configure mab on the switch, make sure the client do not speak dot1x and create the user with username/password = mac address on the RADIUS server.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• EAP-TLS Wireless Authentication - General questions

  Hi,
  I want to use EAP-TLS as a method of authentication for users/computers to join the Wireless. Devices that will connect to the Wireless are part of the domain.
  What certificate is preferred to use for this purpose? Computer o User certificates? I guess that it probably depends on what you want to identify or authenticate, a user or a device, but what option is “generally” recommended?
  Is there any difference from the point of view of security? Is a computer certificate more secure than a user certificate o vice versa? I have been told that user certificates are easier to compromise (or steal from a windows machine) than computer certificates
  even if a user doesn’t have Admin privileges in their machine?
  I have also been told that using user certificates could result in some issues to pass some Compliance audits.
  I would like to be sure that the design complies with the most recommended and secure alternative.
  I would appreciate some help.
  Many thanks.

  There are pros and cons to using workstation or user based certificates, as well as benefits to using "both". But first thing, both user and computer certificates are secured in the same way in the operating system - in an encrypted state. There are reasonable
  controls in place, but anyone bent on hacking a system and has physical control of it, has many options available to them. Things like Bitlocker with TPM can help mitigate many of these attacks. The purpose of certificates is to increase the security and integrity
  above passwords. It's not foolproof.
  The benefit to using computer/workstation authentication is that when the computer boots up, it joins the WiFi and enables domain users to log on. This is even the case if the user has never logged onto the computer before. The workstation has a secure channel
  to a domain controller and is fully managed and applies GPO updates. In this model, the WiFi connected machine is no different from a wired machine.
  The disadvantage is that you need to carefully manage your computer devices in AD. Imagine the scenario of a laptop that is stolen. Do you have the means to know which computer object it is and to disable/delete it from AD? If not, then whoever uses the
  computer will be able to get onto your WiFi. Many organizations have trouble with this aspect.
  User Authentication is a little easier as its easy to manage users who should be allowed to get onto a network. If they leave, their account is disabled. However, they must have cached credentials on the laptop
  they want to use as there is no means to contact a DC to authenticate a user the first time.
  Another option to consider is to use BOTH. In this scenario, you issue certificates to both the computer and user. When the computer boots, it joins the WiFi. When a user logs on, the computer stays connected
  to the WiFi for 60 seconds to allow the user to authenticate and to receive their credentials which are then used to authenticate to the WiFi. If the user is not authorized or is unable to authenticate, then the WiFi is disconnected. This provides the best
  security option, but it means managing both user and computer objects properly.
  Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

• PEAP vs EAP-TLS Wireless Authentication Method

  Hi,
  I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
  I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
  Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
  We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
  Thanks,

  Hi,
  I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
  I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
  Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
  We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
  Thanks,

• EAP-TLS with machine certificate

  Hello all,
  I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
  Thanks a lot.
  Best regards.

  Hi Alfonso, 
  Certificate Retrieval for EAP-TLS Authentication
  ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
  ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
  After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
  Configuring CA Certificates
  When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
  If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
  You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
  Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
  Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
  Also check the below link,  
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

• ISE 1.2 EAP-TLS and AD authentication

  Hi,
  I am sure I have had this working but Just cant get it to now.
  So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
  My Authentication profile says
  IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below) 
  Then my authorization profile says
  if active directoy group = "Domian computers" then allow access.
  When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
  24433          Looking up machine in Active Directory - [email protected]
  24492          Machine authentication against Active Directory has failed
  22059          The advanced option that is configured for process failure is used
  22062          The 'Drop' advanced option is configured in case of a failed authentication request
  But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
  Cheers

  This accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
  This jsut says if AD Group = /user/domainComputer allow full access (simple rule)

• EAP-TLS - ACS - Machine Certificates

  Hi,
  I've enabled EAP-TLS machine authentication on my ACS 4.2 server as per the following document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354195.  I currently have user authentication working using a user certificate on my laptop. I want to enable machine authentication for my windows domain.
  Which is the best ACS option to choose for machine certificate comparison:
  - Certificate Subject AlternativeName
  - Certificate Common Name
  - Certificate Binary
  Is there a guide to use for setting up machine certificate templates for Windows Clients?
  Thanks,

  CN (or Name)Comparison—Compares the CN in the           certificate with the username in the database. More information on  this           comparison type is included in the description of the Subject field of  the           certificate.
  SAN Comparison—Compares the SAN in the certificate           with the username in the database. This is only supported as of ACS  3.2. More           information on this comparison type is included in the description of  the           Subject Alternative Name field of the certificate.
  Binary Comparison—Compares the certificate with a           binary copy of the certificate stored in the database (only AD and  LDAP can do           this). If you use certificate binary comparison, you must store the  user           certificate in a binary format. Also, for generic LDAP and Active  Directory,           the attribute that stores the certificate must be the standard LDAP  attribute           named "usercertificate".
  Whatever comparison method is used, the information in the  appropriate       field (CN or SAN) must match the name that your database uses for       authentication.

• Windows EAP-TLS with machine cert only?

  Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
  Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
  Thanks for any clues.

  Hello Leroy-
  EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
  Cisco TrustSec Guide:
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  RFC:
  https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
  Thank you for rating helpful posts!