EAP-TLS with machine certificate
Hello all,
I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
Thanks a lot.
Best regards.
Hi Alfonso,
Certificate Retrieval for EAP-TLS Authentication
ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute.
ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates.
After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network.
Configuring CA Certificates
When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate.
If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.
You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).
Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems.
Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
Also check the below link,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404
Similar Messages
-
Windows EAP-TLS with machine cert only?
Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
Thanks for any clues.Hello Leroy-
EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
Cisco TrustSec Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
RFC:
https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
Thank you for rating helpful posts! -
EAP-TLS - ACS - Machine Certificates
Hi,
I've enabled EAP-TLS machine authentication on my ACS 4.2 server as per the following document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354195. I currently have user authentication working using a user certificate on my laptop. I want to enable machine authentication for my windows domain.
Which is the best ACS option to choose for machine certificate comparison:
- Certificate Subject AlternativeName
- Certificate Common Name
- Certificate Binary
Is there a guide to use for setting up machine certificate templates for Windows Clients?
Thanks,CN (or Name)Comparison—Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison—Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison—Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
Whatever comparison method is used, the information in the appropriate field (CN or SAN) must match the name that your database uses for authentication. -
ISE EAP-Chaining with machine, certificate and domain credentials
Good morning,
A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
Corp. wireless to authenticate with 2-factor authentication:
•1. Certificate
•2. Machine auth thru AD
•3. Domain creds
When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
Clients are Windows laptops and corporate iPhones.
Certs can be issued thru GPO and MDM for iPhones
Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
My first question is: can this be done?
Second question: how would i implement this from an AuthC/AuthZ perspective?
Thanks in advance,
AndrewYou can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
Good luck and keep in touch.
http://support.microsoft.com/kb/2743127/en-us -
Access connection​s 5.50 and EAP TLS with Computer certificat​e
Hello,
I'm trying to connect to a Wifi using Computer certificate to authenticate and it works perfectly fine with windows Wireless Zero Config however with Thinkvantage Access Connection I always get an authentication error.
I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
OS is windows XP with SP3 and all the windows update (as of today).
On my Radius server this is what I get:
If I use WZC I get this in the authentication:
Security ID: DOMAIN\R61WXP$ (this is my computer name)
Account name: host/R61WXP.domain.local
Account Domain: DOMAIN
FQDN: DOMAIN\R61WXP$
When I use Access Connections:
Security ID: DOMAIN\Guest
Account name:
Account Domain: DOMAIN
FQDN: DOMAIN\Guest
My Access connection profile is set this way:
IEEE802.1x => Authenticate as Computer when the information is available.
I hope someone can help !
Thanks!Hi,
try to dissable the IEEE802.1x => Authenticate as Computer when the information is available.
Make also sure, that the profile connection is correctly configured in the AC profile settings.
This mighe the the root cause.
I can tell you, that there must be something missconfigured, as this configuration will surelly work .
Cheers -
EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s
We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
For example:
Policy 1: allowed-certificate-OID --> corporate
Policy 2: allowed-certificate-OID --> private
Client authenticates with EKU corporate --> success
Client authenticates with EKU private --> reject
My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
Has anyone a simmilar setup or can help to figure out what is going wrong?
We have a WLC 5508 with Software Version 7.4.100.0 and a NPS on a Windows Server 2008 R2
regards
FabianThe policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
The certificate does include this OID but not the custom EKU. -
EAP-TLS with WLC 5.2.178 Improve Performance and Roams?
Good Morning...
I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.
-
EAP Chaining with Machine TLS and User PEAP
We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
Thanks a lot.http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings. -
EAP TLS for machine and EAP PEAP for user
Hi forum
I am doing a design to use ISE to enforece dot1x for corporate machinese on both wired and wireless.
Due to the particular environment, we will need to use EAP-TLS for machines auth and on top of that use EAP-PEAP for user auth with windows credential and posture for full access.
Just wondering if anyone has done this before:
1. Will this work?
2. Any gottas?
3. what is the user experience like?
All machines are win7 based.
ThanksYou can not use the native supplicant for this. Cisco Anyconnect NAM will allow you to use this method. It is very simple to configure and deploy.
Tarik Admani
*Please rate helpful posts* -
802.1x EAP-TLS with Cisco IP-Phone on MS NPS
Hi,
does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
With ACS it is not a problem at all.
thx
SebastianHi all !
Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
This is the last e-mail that Microsoft TAC has sent to the customer:
====================================================================================
As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
"Please find below some more information about the same from Microsoft TechNet Article :
CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
=====================================================================================
Tks for your help !!!!!!!
Luis -
SSL VPN with machine certificate authentication
Hi All,
I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate?? Does someone have an explenation for that?
btw. We have other VPN configurations on the same production/live ASA's with certificate authentication the are working and show up in the debugging.
Thanks in advance for your help
Hardware is ASA5540, software version 8.2(5).
Some pieces of the configuration below:
group-policy VPN4TEST-Policy internal
group-policy VPN4TEST-Policy attributes
wins-server value xx.xx.xx.xx
dns-server value xx.xx.xx.xx
vpn-simultaneous-logins 1
vpn-idle-timeout 60
vpn-filter value VPN4TEST_allow_access
vpn-tunnel-protocol IPSec svc webvpn
group-lock none
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
default-domain value cs.ad.klmcorp.net
vlan 44
nac-settings none
address-pools value VPN4TEST-xxx
webvpn
svc modules value vpngina
svc profiles value KLM-SSL-VPN-VPN4TEST
tunnel-group VPN4TEST-VPN type remote-access
tunnel-group VPN4TEST-VPN general-attributes
address-pool VPN4TEST-xxx
authentication-server-group RSA-7-Authent
default-group-policy VPN4TEST-Policy
tunnel-group VPN4TEST-VPN webvpn-attributes
authentication aaa certificate
group-alias VPN4TEST-ANYCONNECT enableForgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.
-
I have created one dedicated root CA for domain and auto enrollment has been enabled through Group Policy.
I want to bind my client certificate with machine certificate in order to bind user with dedicated with one machine. In order to prevent duplicate loginsHi,
How about using
User Rights Assignment?
You can deny all other users’
log on locally right on the machine.
User Rights Assignment
http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
Best Regards,
Amy Wang -
Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
Any suggestions?Hi,
I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
Regards,
Davy -
I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
Just list of RDS.log appears some activity ended with
NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
Please let attentions to Attachments and let me know
what could be a problem of my unsuccessness of use EAP-TLS.
configuration of interface which I use for testing:
interface GigabitEthernet0/42
description Test 802.1X klient - Filip
switchport access vlan 34
switchport mode access
switchport voice vlan 31
authentication host-mode multi-domain
authentication open
authentication port-control auto
authentication periodic
authentication violation protect
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
endHi Filip,
Just noticed your post...
In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
Microsoft has done some changes in SP 3 for wired 802.1x
Changes to the 802.1X-based wired network connection settings in Windows XP
Service Pack 3
http://support.microsoft.com/kb/949984/
In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
* The WZCSVC service
* The Wired AutoConfig service (DOT3SVC)
As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
If you are an end-user who has already installed Windows XP SP3, follow
these steps:
1. Click Start, and then click Run.
2. In the Open box, type services.msc, and then press ENTER.
3. Locate the Wired AutoConfig service, right-click it, and then click
Start
Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
CERTIFICATE REQUIREMENT IN EAP-TLS:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
ACS CONFIGURATION:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
MICROSOFT XP CLIENT CONFIGURATION:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
Also, let me know the full ACS version and platform.
HTH
JK
Do rate helpful posts- -
IPhone and EAP-TLS with ACS & 5508
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
I have a large customer that is moving into a new building and adding some
new wireless.
They are using a 5508 with 1142's and an ACS server.
They will have the following SSID's
SSID01 -> WPA-EAP-TLS
SSID02 -> WPA2-EAP-TLS (future use)
SSID03 -> Guest Access (internet access only)
They currently use this design across the enterprise which has worked well.
The problem is to get certificates pushed down to the client for the EAP-TLS
they always connect the machine once by wire and log on to the domain so a
GPO pushes the cert to the machine.
This creates a problem that I don't know how to solve as they want to use
iPhones on the new deployment.
Does anyone have any ideas on how to get a cert down to the iPhones for use
with the SSID's?
Thanks in advance for any assistance.I don't think we can push certs from windows server to iphones . Probably set up a webpage say a accessible from a different ssid from which clients can download and install cert. ?
Maybe you are looking for
-
ITunes 7.3.1 cannot run as it has detected a problem with your audio..
Hey I installed iTunes 7.3.1 last night, and when I click to open it, a message comes up saying 'iTunes 7.3.1 cannot run as it has detected a problem with your audio configeration' Please help Thanks
-
Service Specification in sales order
Hi, Can any letme know what are the tables or functional modules which can be used to get done a ABAP report to get display the plan value of service specification of a sales order evel . In brief i need to develop a ABAP report considering the figur
-
Time Capsule.....should we purchase on Black Friday?
Okay, I was all set to purchase Time Capsule today, then read some unflattering reviews and looked through some issues on this discussion board. My wife and I are long-time Mac users and the only issue we've ever had with an Apple product was activat
-
How to initialize a Type Object??
Hi, I have a procedure as below, which has type t_r_rep_data and a table having this type as record, but when I called this procedure, it has ORA-06530 error: Reference to uninitialized composite. Can you tell me how to initialize a type Object? Also
-
I would like to ask how to create ASP documents
Dreamweaver CC without the ASP option, I would like to ask how to create ASP documents Thanks