EAP-TLS with machine certificate

Similar Messages

• Windows EAP-TLS with machine cert only?

  Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
  Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
  Thanks for any clues.

  Hello Leroy-
  EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
  Cisco TrustSec Guide:
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  RFC:
  https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
  Thank you for rating helpful posts!

• EAP-TLS - ACS - Machine Certificates

  Hi,
  I've enabled EAP-TLS machine authentication on my ACS 4.2 server as per the following document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354195.  I currently have user authentication working using a user certificate on my laptop. I want to enable machine authentication for my windows domain.
  Which is the best ACS option to choose for machine certificate comparison:
  - Certificate Subject AlternativeName
  - Certificate Common Name
  - Certificate Binary
  Is there a guide to use for setting up machine certificate templates for Windows Clients?
  Thanks,

  CN (or Name)Comparison—Compares the CN in the           certificate with the username in the database. More information on  this           comparison type is included in the description of the Subject field of  the           certificate.
  SAN Comparison—Compares the SAN in the certificate           with the username in the database. This is only supported as of ACS  3.2. More           information on this comparison type is included in the description of  the           Subject Alternative Name field of the certificate.
  Binary Comparison—Compares the certificate with a           binary copy of the certificate stored in the database (only AD and  LDAP can do           this). If you use certificate binary comparison, you must store the  user           certificate in a binary format. Also, for generic LDAP and Active  Directory,           the attribute that stores the certificate must be the standard LDAP  attribute           named "usercertificate".
  Whatever comparison method is used, the information in the  appropriate       field (CN or SAN) must match the name that your database uses for       authentication.

• ISE EAP-Chaining with machine, certificate and domain credentials

  Good morning,
  A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
  Corp. wireless to authenticate with 2-factor authentication:
  •1. Certificate
  •2. Machine auth thru AD
  •3. Domain creds
  When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
  Clients are Windows laptops and corporate iPhones.
  Certs can be issued thru GPO and MDM for iPhones
  Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
  My first question is: can this be done?
  Second question: how would i implement this from an AuthC/AuthZ perspective?
  Thanks in advance,
  Andrew

  You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
  For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
  Good luck and keep in touch.
  http://support.microsoft.com/kb/2743127/en-us

• Access connection​s 5.50 and EAP TLS with Computer certificat​e

  Hello,
  I'm trying to connect to a Wifi using Computer certificate to authenticate and it works perfectly fine with windows Wireless Zero Config however with Thinkvantage Access Connection I always get an authentication error.
  I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
  OS is windows XP with SP3 and all the windows update (as of today).
  On my Radius server this is what I get:
  If I use WZC I get this in the authentication:
  Security ID: DOMAIN\R61WXP$ (this is my computer name)
  Account name: host/R61WXP.domain.local
  Account Domain: DOMAIN
  FQDN: DOMAIN\R61WXP$
  When I use Access Connections:
  Security ID: DOMAIN\Guest
   Account name: 
  Account Domain: DOMAIN
  FQDN: DOMAIN\Guest
  My Access connection profile is set this way:
  IEEE802.1x => Authenticate as Computer when the information is available.
  I hope someone can help !
  Thanks!

  Hi,
  try to dissable the IEEE802.1x => Authenticate as Computer when the information is available.
  Make also sure, that the profile connection is correctly configured in the AC profile settings.
  This mighe the the root cause.
  I can tell you, that there must be something missconfigured, as this configuration will surelly work .
  Cheers

• EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

  We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
  Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
  For example:
  Policy 1: allowed-certificate-OID --> corporate
  Policy 2: allowed-certificate-OID --> private
  Client authenticates with EKU corporate --> success
  Client authenticates with EKU private --> reject
  My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
  Has anyone a simmilar setup or can help to figure out what is going wrong?
  We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
  regards
  Fabian

  The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
  This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
  The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
  The certificate does include this OID but not the custom EKU.

• EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

  Good Morning...
  I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.

  You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

• EAP Chaining with Machine TLS and User PEAP

  We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
  Thanks a lot.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

• EAP TLS for machine and EAP PEAP for user

  Hi forum
  I am doing a design to use ISE to enforece dot1x for corporate machinese on both wired and wireless.
  Due to the particular environment, we will need to use EAP-TLS for machines auth and on top of that use EAP-PEAP for user auth with windows credential and posture for full access.
  Just wondering if anyone has done this before:
  1. Will this work?
  2. Any gottas?
  3. what is the user experience like?
  All machines are win7 based.
  Thanks

  You can not use the native supplicant for this. Cisco Anyconnect NAM will allow you to use this method. It is very simple to configure and deploy.
  Tarik Admani
  *Please rate helpful posts*

• 802.1x EAP-TLS with Cisco IP-Phone on MS NPS

  Hi,
  does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
  With ACS it is not a problem at all.
  thx
  Sebastian

  Hi all !
  Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
  This is the last e-mail that Microsoft TAC has sent to the customer:
  ====================================================================================
  As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
  "Please find below some more information about the same from Microsoft TechNet Article :
  CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
  Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
  =====================================================================================
  Tks for your help !!!!!!!
  Luis

• SSL VPN with machine certificate authentication

  Hi All,
  I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
  Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
  The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate?? Does someone have an explenation for that?
  btw. We have other VPN configurations on the same production/live ASA's with certificate authentication the are working and show up in the debugging.
  Thanks in advance for your help
  Hardware is ASA5540, software version 8.2(5).
  Some pieces of the configuration below:
  group-policy VPN4TEST-Policy internal
  group-policy VPN4TEST-Policy attributes
    wins-server value xx.xx.xx.xx
  dns-server value xx.xx.xx.xx
  vpn-simultaneous-logins 1
  vpn-idle-timeout 60
  vpn-filter value VPN4TEST_allow_access
  vpn-tunnel-protocol IPSec svc webvpn
  group-lock none
  ipsec-udp enable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  default-domain value cs.ad.klmcorp.net
  vlan 44
  nac-settings none
  address-pools value VPN4TEST-xxx
  webvpn
    svc modules value vpngina
    svc profiles value KLM-SSL-VPN-VPN4TEST
  tunnel-group VPN4TEST-VPN type remote-access
  tunnel-group VPN4TEST-VPN general-attributes
  address-pool VPN4TEST-xxx
  authentication-server-group RSA-7-Authent
  default-group-policy VPN4TEST-Policy
  tunnel-group VPN4TEST-VPN webvpn-attributes
  authentication aaa certificate
  group-alias VPN4TEST-ANYCONNECT enable

  Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.

• I want to bind my client certificate with machine certificate in order to bind user with dedicated one machine. Kindly help

  I have created one dedicated root CA for domain and auto enrollment has been enabled through Group Policy.
  I want to bind my client certificate with machine certificate in order to bind user with dedicated with one machine. In order to prevent duplicate logins

  Hi,
  How about using
  User Rights Assignment?
  You can deny all other users’
  log on locally right on the machine.
  User Rights Assignment
  http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
  Best Regards,
  Amy Wang

• EAP-TLS with IAS

  Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
  Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
  Any suggestions?

  Hi,
  I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
  Regards,
  Davy

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• IPhone and EAP-TLS with ACS & 5508

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  I have a large customer that is moving into a new building and adding some
  new wireless.
  They are using a 5508 with 1142's and an ACS server.
  They will have the following SSID's
  SSID01 -> WPA-EAP-TLS
  SSID02 -> WPA2-EAP-TLS (future use)
  SSID03 -> Guest Access (internet access only)
  They currently use this design across the enterprise which has worked well.
  The problem is to get certificates pushed down to the client for the EAP-TLS
  they always connect the machine once by wire and log on to the domain so a
  GPO pushes the cert to the machine.
  This creates a problem that I don't know how to solve as they want to use
  iPhones on the new deployment.
  Does anyone have any ideas on how to get a cert down to the iPhones for use
  with the SSID's?
  Thanks in advance for any assistance.

  I don't think we can push certs from windows server to iphones . Probably set up a webpage say a accessible from a different ssid  from which clients can download and install cert. ?