EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
For example:
Policy 1: allowed-certificate-OID --> corporate
Policy 2: allowed-certificate-OID --> private
Client authenticates with EKU corporate --> success
Client authenticates with EKU private --> reject
My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
Has anyone a simmilar setup or can help to figure out what is going wrong?
We have a WLC 5508 with Software Version 7.4.100.0 and a NPS on a Windows Server 2008 R2
regards
Fabian

The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
The certificate does include this OID but not the custom EKU.

Similar Messages

EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

Good Morning...
I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.

You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

EAP-TLS with ISE 1.1.2 and WLC 7.0.228

Hi,
I'm on process of implement Cisco ISE with Wireless LAN Controller. According to my post, I would like to know that if Supplicant Provisioning and EAP-TLS does support on this type of firmware code.
WLC running on 7.0.228 since most of production APs are 1230
ISE running on the latest version.
I have to use EAP-TLS and Supplicant Provisioning on these platforms.
Is this possible to do about this ?
Thanks,
Pongsatorn Maneesud

Please check the below compatibility matrix link for Cisco ISE along with a link for client provisioning which might be helpful:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_client_prov.html

IPhone and EAP-TLS with ACS & 5508

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
I have a large customer that is moving into a new building and adding some
new wireless.
They are using a 5508 with 1142's and an ACS server.
They will have the following SSID's
SSID01 -> WPA-EAP-TLS
SSID02 -> WPA2-EAP-TLS (future use)
SSID03 -> Guest Access (internet access only)
They currently use this design across the enterprise which has worked well.
The problem is to get certificates pushed down to the client for the EAP-TLS
they always connect the machine once by wire and log on to the domain so a
GPO pushes the cert to the machine.
This creates a problem that I don't know how to solve as they want to use
iPhones on the new deployment.
Does anyone have any ideas on how to get a cert down to the iPhones for use
with the SSID's?
Thanks in advance for any assistance.

I don't think we can push certs from windows server to iphones . Probably set up a webpage say a accessible from a different ssid from which clients can download and install cert. ?

EAP-TLS on WLC 5508 agains IAS RADIUS

/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0cm;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
Hi, anyone experienced issue like this?
I am installing a WLC 5508 using EAP-TLS authentication with an IAS Radius server.
I got “Access-Accept” debug message received from RADIUS server.
However the wireless client failed to connect.
Below is partially the debug message from the WLC
Any feedbacks are welcome
*Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
*Oct 07 15:08:24.403:     protocolType.................................0x00140001
*Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
*Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
*Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b f7 c9 71 dd 32 cb b7 0a .e........q.2...
*Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f 73 74 2f 49 44 31 30 2d R..>."host/ID10-
*Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 65 73 74 0AFJ031.euc.test
*Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13 30 30 2d 31 39 2d 37 64 01.com..00-19-7d
*Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33 62 1e 1a 30 30 2d 33 61 -72-b4-3b..00-3a
*Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34 36 2d 35 30 3a 57 57 53 -98-95-46-50:TES
*Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00 01 04 06 0a 56 0c d2 20 300.........V...
*Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43 30 30 31 1a 0c 00 00 37 .IDHOJXC001....7
*Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06 06 00 00 00 02 0c 06 00 c...............
*Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00 13 4f 27 02 03 00 25 01 ...=.....O'...%.
*Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31 30 2d 30 41 46 4a 30 33 host/ID10-0AFJ03
*Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65 73 74 6c 65 2e 63 6f 6d 1.euc.nestle.com
*Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52 8e 63 0f 2f 87 a5 78 53 P...T.&R.c./..xS
*Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
*Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35 f7 be 57 75 43 ce 19 ca .e.4>.g5..WuC...
*Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1 03 a2 00 00 01 37 00 01 .]....1......7..
*Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b 13 1e 16 37 00 00 00 00 .V.i..c....7....
*Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
*Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
*Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
*Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
*Oct 07 15:08:24.405:     structureSize................................78
*Oct 07 15:08:24.405:     resultCode...................................0
*Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
*Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
*Oct 07 15:08:24.405:     Packet contains 1 AVPs:
*Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
    source: 4, valid bits: 0x0
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
    source: 4, valid bits: 0x0
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    dataAvgC: -1, rTAvgC
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
*Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
*Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
*Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 ..._............
*Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22 71 0b 06 e8 42 6c 3c bf .>]*.*."q...Bl<.
*Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c c0 9f 22 ce 0c 3e 96 45 E.\..h...."..>.E
*Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
*Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
*Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
*Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30 01 00 6e 65 74 77 6f 72 ...0...0..networ
*Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33 30 30 2c 6e 61 73 69 64 kid=TES300,nasid
*Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43 30 30 31 2c 70 6f 72 74 =IDHOJXC001,port
*Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
*Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f 6d                       est01.com
*Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
*Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25 01 68 6f 73 74 2f 49 44 ...%...%.host/ID
*Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30 33 31 2e 65 75 63 2e 6e 10-0AFJ031.euc.t
*Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f 6d                       est01.com
*Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

Thanks for your reply jedubois
Really appreciate it.
I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
Below are the outputs for the eap advanced config
(Cisco Controller) >show advanced eap
EAP-Identity-Request Timeout (seconds)........... 30
EAP-Identity-Request Max Retries................. 2
EAP Key-Index for Dynamic WEP.................... 0
EAP Max-Login Ignore Identity Response........... enable
EAP-Request Timeout (seconds).................... 30
EAP-Request Max Retries.......................... 2
EAPOL-Key Timeout (milliseconds)................. 5000
EAPOL-Key Max Retries............................ 2
(Cisco Controller) >
Any other suggestion?

Windows EAP-TLS with machine cert only?

Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
Thanks for any clues.

Hello Leroy-
EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
Cisco TrustSec Guide:
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
RFC:
https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
Thank you for rating helpful posts!

802.1x EAP-TLS with Cisco IP-Phone on MS NPS

Hi,
does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
With ACS it is not a problem at all.
thx
Sebastian

Hi all !
Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
This is the last e-mail that Microsoft TAC has sent to the customer:
====================================================================================
As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
"Please find below some more information about the same from Microsoft TechNet Article :
CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
=====================================================================================
Tks for your help !!!!!!!
Luis

An issue with WLC 5508 and 7921 phone

Hello all!
I have a system with WLC 5508 and some 1242 APs. And I use a lot of 7921 phones.
One of 7921 phones was in trouble. It loses registration, disconnect conversations...
I installed the trial WLC and run voice diagnostics.
I saw some of "Potentially degraded QoS in downlink direction because of incorrect packet classification" messages and one "Fair upstream packet loss ratio: 1,2%, which is less than threshold 2.5%"
As I understand all of 7921 phones in these area are affected.
what does it mean? I set up Platinum QoS for voice WLAN. I don't have any qos configuration string for AP and WLC ports on switches...
any ideas?
thanx in advance

Sergey:
There is one application called "WLC Config analyzer". You save your "show run-config" from your WLC in a text file and import it by this application. it will analyze the file for you and tell you what recommendations for voice are missing so you improve them.
When importing a config file you choose what voice clinets you are using, so you need to choose cisco 7921 to it tells you what config improvemetns is needed based on 7921 needs.
Here is the link to download the application:
https://supportforums.cisco.com/docs/DOC-1373
download the latest versoin.
BTW, how many voice/data clients are connected to one AP in that area? if I remember correctly if you are utilizing voice then the max number of clients connected to one AP should not exceed 17. If you have more than this number per AP try to minimize the number of users concurrently connected to the AP then try again.
Hope you'll find the config analyzer useful.
If useful please don't forget to rate.
Amjad

LEAP EAP-TLS on WLC

Hi,
I need to deploy certificate based authentication for some Intermec client devices for a customer. I am planning to use a separate SSID for this. There are other already existing SSID's which have radius based authentication.
question : if i dont select any radius server for this eap tls ssid and select only 'LEAP' , will it work ? Or will the WLC still search for the already defined radius servers and fail authentication ?
question2 : if above is not possible, i will have to go for eap tls with ACS . anybody has got easy steps to get eap tls up and running ? (LAP 1252, wlc 4400, acs 4.1, windows CA )
regards
Joe

wireless wlc,
The WLC side and the radius side is basically setup the same as you would for PEAP. The only difference is if your policy you create in the radius specifies a certain eap type. If not, then you don't have to worry about that. The main thing is that you have a valid computer cert and users cert. You can verify this by the device wireless profile and on Windows 7 you select user authentication or computer authentication. If one works and the other doesn't, then you knop which cert is missing. Selecting user and computer will check for both. Vlaidat server certificate should only be cheked if the CA is in the Trusted Server Certificate Store. The CA must be trusted on the domain controller and the IAS, NPS server also.

EAP-TLS with IAS

Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
Any suggestions?

Hi,
I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
Regards,
Davy

APP-AR-12022: A cash receipt with this number,date,amount and customer alre

Hi,
There is a caution(Warning message) of Duplicate receipt entery in Oracle AR Receipts entry window which pops up while creating the receipts.
APP-AR-12022: A cash receipt with this number,date,amount and customer already exists.
Normally it comes when we enter similar receipt number, net receipt amount and receipt date towice.
Is it possible to customize the criteria for this caution.
Thanks.

You cannot customise this. If you want additional validation at the time of entry/update from forms, you can code special logic in custom pll. But you cannot change the standard functionality.

802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

Hello
[Env on my lab investigation]
supplicant - W7 with cert
authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
authentication server 2x - W2008/NPS like a RADIUS server
[Config some part of authenticator]
interface FastEthernet0/1
switchport access vlan 34
switchport mode access
authentication event fail retry 1 action authorize vlan 47
authentication event server dead action authorize vlan 35
authentication event no-response action authorize vlan 47
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
dot1x timeout quiet-period 15
dot1x timeout tx-period 15
spanning-tree portfast
[Symptoms]
After reboot authenticator the supplican connected to FE0/1 finally put into the Guest VLAN 47 and before that I saw on the authenticators console Authentication result 'timeout', but when the switch is up and running the the same port authenticator FE0/1 the same supplicant W7 with cert now I connect to authenticator finally supplicant put into static VLAN 34.
[Summary]
The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
[The question]
What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts?
Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34 .
[Logs]
During this I observed the wireshark supplicant and authenticator console and NPS wireshark, below:
1. supplicant and authenticator orderflow at wireshar:
- supplicant EAPOL Start
- authenticator EAP Request Identity
- supplicat Response Identity, 3 times
- supplicant EAPOL Start
- authenticator EAP Failure
- authenticator EAP Request Identity x2
- supplicat Response Identity x2
and again, more detail about flow from whireshar chart at the end
2. authenticator console saw like this:
*Mar 1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
krasw8021x>
*Mar 1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
*Mar 1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
and finaly
*Mar 1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
*Mar 1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
3. Authentication server:
- NPS doesn'e recived any RADIUS Access-Request/Response.
[supplicant EAPOL flow chart, source wireshark]
|Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
|         |                   | Nearest           |
|0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|0,051    |                   |         Start     |                   |EAPOL: Start
|         |                   |(0)      <------------------ (0)      |
|0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
|         |                   |(0)      <------------------ (0)      |
|0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
|         |                   |(0)      <------------------ (0)      |
|18,063   |                   |         Start     |                   |EAPOL: Start
|         |                   |(0)      <------------------ (0)      |
|18,065   |         Failure   |                   |                   |EAP: Failure
|         |(0)      ------------------> (0)      |                   |
|18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
|         |                   |(0)      <------------------ (0)      |
|18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
|         |                   |(0)      <------------------ (0)      |
|37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
|         |(0)      ------------------> (0)      |                   |
|67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
|         |(0)      ------------------> (0)      |                   |
|98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
|         |(0)      ------------------> (0)      |                   |
|129,684 |         Failure   |                   |                   |EAP: Failure
|         |(0)      ------------------> (0)      |                   |
|144,697 |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|160,125 |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|175,561 |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|190,996 |         Failure   |                   |                   |EAP: Failure
|         |(0)      ------------------> (0)      |                   |
|206,002 |         Failure   |                   |                   |EAP: Failure
|         |(0)      ------------------> (0)      |                   |
|206,204 |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|212,103 |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|227,535 |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
|242,970 |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
|         |(0)      ------------------> (0)      |                   |
/regards Piter

Hi,
Did you ever try to configure re-authentication?
Is the client is up and running if you connect it to the switch?
Sent from Cisco Technical Support iPad App

WLC 5508 Web Auth and EAP / PEAP

Morning all, I'm looking for some clarification.
Current setup:
I work in a school, a few years age I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
In line with child protection policies I need an 'auditable' trail when students access wireless resources.
Planned setup:
I have setup a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests ( through an ASA ) onto a RADIUS server which is tied into AD. I have a CA setup as well as a NAP server.
There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
Clarification:
With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
Many thanks.

If you are web authentication you cannot use dot1x as L2 security , so EAP is not an option.
But you can use preshared security , like WPA2 AES with web auth to insure that the traffic is encrypted.
or you can define a wlan profile with dot1x security on l2 and nothing on l3 , by doing so you would definetely hit the utmost security poossible.
Check the following link which contain couple of EAP config examples:
http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
Please make sure to rate correct answers

ACS 4.2 and EAP-TLS with AD and prefix problem

Hi there
we have the following situation:
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
This is the normal output of the Remote Agent, it finds the host but then nothing happens:
CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB: Creating Domain cache
CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB: Creating Domain cache
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
Could this be the problem or does someone see any other problem?
Best Regards
Dominic

Hi Colin
thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
Regards
Dominic

Trouble with EAP-TLS with Wireless before Windows logon

Ill start with a list of equipment;
5508 WLC
3502i AP's
Cisco ACS 5.3
Windows 7 clients
WLAN is configure with WPA2/AES with 802.1x for key management.
Client is configure with WPA2/AES, auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication. The client is configured to use a certificate on the computer. "It only works if user or computer auth is seected." If i use Computer Authenticate option......its says it cant find a certificate to use for EAP.
ACS is configured to only allow for protocol EAP-TLS.
We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
This whole process with EAP-TLS works great if you are already logged in to the machine, with cache credentials. Once I log off the Windows 7 client, I lose connection to the WLAN. We would like to stay logged on to the WLAN. PEAP w/ MSCHAPV2 works great with staying connected to the WLAN but we want to use EAP-TLS.
Any ideas??
Thanks in advanced,
Ryan

Hi Ryan,
You actually answer your own question :) The reason for the fault is because the Machine Account doesn't have a Certificate, so when your User logs off the Machine Account can't login to keep the session going, and thus you get disconnected. Provide the Machine Account with a Certificate and your problem will be resolved.
Richard

EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

Similar Messages

Maybe you are looking for