How to configure EAP-TLS OTA

Similar Messages

• How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

  Hi Team,
  We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy.  However, we're now looking to see how we can accomplish this for Mac book and iphones?  Is there an open source application or something we can leverage to do this?
  Thanks

  I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
  Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
  Hope this helps!
  Thank you for rating helpful posts! 

• How to install EAP-TLS certificate?

  Hi All,
  Our wireless network requires EAP-TLS certificate installation.
  We use a MS 2003 server as a CA server.
  I tried to brows to the issuing website (http://CAserver/certsrv) but when I get to the section where I need to choose the strength of the key, somehow the phone's browser is not showing the options...
  So, I tried to issue a certificate from the issuing station and got a file called certnew.cer .
  From what I read this is the right certificate type, so I copied the file to the phone and tried to open it...
  But it only open it with the Notes application...
  Any help????
  10x in advanced,
  Naor. 

  The certificate needs to be in .der format. You probably have it in .cer (PEM) format right now.
  You can convert it using openssl. Change the filenames appropriately:
  openssl x509 -outform der -in MYCERT.pem -out MYCERT.der 
  Then send the .der file to the phone and open it. The phone should offer to install it as a certificate.
  Message Edited by sanjaymehta on 06-Aug-2009 09:22 PM
  Message Edited by sanjaymehta on 06-Aug-2009 09:23 PM
  Sanjay Mehta
  Motorola "Brickphone" circa 1996, Alcatel One Touch, Ericsson R380, Sony Ericsson T220, Sony Ericsson T630, Nokia E50, Nokia E61i, Nokia 9300i, Nokia E71,Nokia X6, Google Nexus S, iPhone 4S

• EAP-TLS Questions....

  Hi all,
  My setup is like this..
  Laptop - LWAPP - WLC - ACS - AD
  I m using CA to generate certificate.. I have configured EAP-TLS on WLC & ACS SE. Everything is working fine ie when i issue a certificate from CA on my AD login name & install that certificate i m able to connect to WLAN.. For security on WLC i have enable WPA & 802.1x...
  What i want is that when i boot up the laptop it should directly get connected to Wireless network & whne i try to login using my user name & password it should prompt for if my password is expired or something & get connected to AD. But this is not happening which use to happen when we were using peap as it ask for username & paswword to connect but not in case of EAP_TLS it only check for valid certificates....
  Thanks in advance..
  regards,
  piyush

  Hi Fella,
  i had one more issue ie want to do perform machine authentication as the laptops boot up along with the user authentication hen the users logs in.
  I had set AuthMode value to 1 for it. But how should i check on my ACS SE that the machine is authenticated or not & is it possible that during login using username & password the WLAN should get connected as it is for ethernet LAN.
  Thanks for ur reply..
  Piyush

• EAP-TLS and EAP-FAST

  Hi NetPro.
  EAP-TLS is working now, but how to configure EAP-FAST as the backup in case TLS is failure then user still able to use FAST as the second choice ?
  your reply will be highly appreciated.
  thanks heaps.
  Jack

  All you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.

• EAP-TLS and getting a new user to log in on a wireless network

  I have setup EAP-TLS using AP1232 + ACS + CA + Active Directory + some wireless client machines. Works fine.
  My issue is when I have a new user, who has never logged onto the client workstation. I know that if I attach the workstation to a wired network and have the user login, request a cert, issue it, and install it, the wireless will work once I have the wired connection disabled and wireless enabled. However, that kinda defeats the purpose of a WLAN.
  How can I get my new users in? After all, getting associated to the AP depends on the user cert, which depends on the ability to get to the network in the first place to request/install a cert.
  After further reading and research, I believe that my delima will be fixed by configuring EAP-TLS Machine Authentication. What I'd like to know is whether the CA in this scenario MUST be an Enterprise Root CA or can it be a Standalone CA?
  Paras

  check the below link and read server requirements.
  http://support.microsoft.com/default.aspx?scid=kb;en-us;814394
  The stanalone ca needs to be trusted by AD
  http://groups.google.co.uk/group/microsoft.public.win2000.security/browse_thread/thread/1cf098c0dfa97ca0/b964dd05c12fd3fb?lnk=st&q=eap-tls+certificates+standalone+root&rnum=2&hl=en#b964dd05c12fd3fb
  What windows are you using? The default behaviour of windows is it do user authentication.You would need to play with registry to make systems to do only machine authentication.
  You would need connectivity when you want install the ca certificate, or else allow open authentication on the access point to have the connectivity and once the certificates are installed disable it.
  Please rate the post if it helps

• EAP-TLS with Novell NDS

  I configured EAP-TLS for the wireless LAN in the Novell 6 environment. However encountered a problem on the ACS with Novell NDS. Attached is the error messge, any advice on how to overcome ? I have generated the server key and the client key from Windows 2000 server. The error message is 'AUth type not supported by Ext DB'

  EAP-TLS is not supported with Novell NDS as per the compatability matrx shown in the following document,
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm

• EAP-TLS and ISE 1.1 with AD certificates

  Hello,
  I am trying to configure EAP-TLS authentication with AD certificates.
  All ISE servers are joined to AD
  I have the root certificate from the CA to Activie Directory installed on the ISE servers
  I created the certificate authentication profile using the root certificate
  I have PEAP\EAP-TLS enabled as my allowed protocol
  I am getting the following error for authentication:
  "11507  Extracted EAP-Response/Identity
  12500  Prepared EAP-Request proposing EAP-TLS with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12301  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300  Prepared EAP-Request proposing PEAP with challenge
  11006  Returned RADIUS Access-Challenge
  11001  Received RADIUS Access-Request
  11018  RADIUS is re-using an existing session
  12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318  Successfully negotiated PEAP version 0
  12800  Extracted first TLS record; TLS handshake started
  12805  Extracted TLS ClientHello message
  12814  Prepared TLS Alert message
  12817  TLS handshake failed
  12309  PEAP handshake failed"
  I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
  Any other issues I am missing?
  Thanks,
  Michael Wynston
  Senior Solutions Architect
  CCIE# 5449
  Email: [email protected]
  Phone: (212)401-5059
  Cell: (908)413-5813
  AOL IM: cw2kman
  E-Plus
  http://www.eplus.com

  Please review the below link which might be helpful :
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

• ISE: advising users that only EAP-TLS can be used

  A large school board accepts only EAP-TLS connections.  This requirement is easily dissiminated to teachers, however not to students whose personal devices keep trying to connect using PEAP.   Once users connect with EAP-TLS, they are authenticated on AD.
  1. Could we from the Switch port block PEAP but let EAP-TLS go through? I couldn't find a command for this.
  2. If we can't stop PEAP requests from reaching ISE, could we treat the PEAP connections as CWA, but have a special Authorization Rule that would say if inner tunnel is PEAP then do CWA-nonEAP-TLS web authentication which would be a customized web page that would have a message instructing the students how to use EAP-TLS? would that make sense?
  3. Do you have better suggestion how to either block PEAP before it reaches ISE or a way using ISE to let users know that they must use EAP-TLS, not PEAP if they wish to connect?
  Thanks.
  Cath.

  Hi Tarik,
  Of course, I know about the Allowed Protocol which currently has only Host Lookup and EAP-TLS enabled.  But that technique, of not allowing PEAP in ISE Authentication policies, doesn't stop thousands of students devices from hitting ISE with PEAP traffic.  Students have heard that they are allowed to connect to the school network using dot1x, so they turn it on on their PC without regards of to which EAP flavour they are supposed to use.  Thus, the ISE box getitng hit with PEAP requests which it drops.  The school board would like to deal with that PEAP traffic. 
  To alliviate this problem, of the ISE box getting constantly PEAP traffic from the same device over and over again in the course of a day, I was wondering:
  1. can we stop PEAP traffic before it arrives to ISE?  is there a way for the switch to differentiate that it's a PEAP and not EAP-TLS and to drop it before passing it to ISE? I don't think so.
  2. if the switch can't stop PEAP , how is the best way to have ISE process the PEAP traffic?   because if ISE only reject the PEAP traffic, it is constantly hit back that the same device sending over and over PEAP traffic to ISE. 
  I suggested to the client the two following possible ways:
    a. authorization rule based on Network Access: Tunnel PEAP that provides CWA with customized webpage telling the students to use EAP-TLS and not PEAP (this technique is explained in para 2. of my original posting).
    b. create a blackhole VLAN where the students personal PC that are arriving with PEAP are put.  This VLAN doesn't go anywhere, but at least the PC has stopped hitting ISE with PEAP traffic for a few minutes, until the student decides to restart his/her connection.   
  I also recommended to the client that they have a better technique to inform the students that only EAP-TLS is available, like posters on the wall, blast email, on School FB page, etc .  but information dissimination is not an IT problem, it's a communication problem. 
  Looking forward to your suggestions.

• EAP-TLS or PEAP authentication failed during SSL handshake

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected] = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
  My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
  Let's brain storm together to figure out this guys.
  Thanks in advance,
  ----Paul

• EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected]
  = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• EAP-TLS config - No certificates found on your computer.

  Howdy,
  With Aironet client 3.6, it complains that I have no certificates on my computer when I attempt to configure EAP-TLS. As far as I know, I do have certs on my computer. They were created with OpenSSL and appear to comply with the requirements in the EAP-TLS deployment guide.
  I'm stuck!

  Please check the cert on the client pc.
  Open MMC --->Certificate--->Personal , Do you see user cert here ?
  Regards,
  ~JG

• EAP/TLS on PPC2002&WinCE3.0.11171

  Hi
  I'm trying to configure EAP-TLS on Pocket2002 , I installed the necessary Cisco software and it's working fine but I have a great problem. Windows CE only lets me to install certificates with .cer extension . But with this format I can't export the private key . Is there any solution? Anybody has found this problem?
  Thanks for your help

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.

• EAP-TLS with IAS

  Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
  Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
  Any suggestions?

  Hi,
  I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
  Regards,
  Davy

• EAP/TLS , PEAP problem on PORTEGE with WinXP sp2 Tablet ed.

  We have: ap Cisco AiroNet350 with WPA-EAP, Freeradius with configured EAP/TLS and PEAP, tablet PC PORTEGE with WinXP sp2.
  This problem discribed at http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
  Maybe to solve this problem we need a fix ( http://support.microsoft.com/kb/885453/en-us ), but microsoft support tells to contact with notebook manufacturer.
  Can anybody help me with this problem?

  Hmmm Im not expert on this field but it seems that the MS OS update is need. (I hope)
  The preinstalled Windows OS is a simply OEM version and usually every updates should be possible. However, if the MS guys told you to contact the notebook manufacture so you can contact the Toshiba authorized service provider in your country for more details.
  But I have investigated a little bit in the net and found this useful site:
  http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci945257,00.html
  1. 802.1X depends on communication between your wireless router and a RADIUS authentication server. Whether you're using WPA2, WPA, or WEP with dynamic keys, the following 802.1X debugging hints can be helpful:
  a. Re-enter the same RADIUS secret into your wireless router and RADIUS server.
  b. Configure your RADIUS server to accept RADIUS request from your router's IP address.
  c. Use ping to verify router-to-server reachability.
  d. Watch LAN packet counts to verify that RADIUS requests and responses are flowing.
  e. Use an Ethernet analyzer like Ethereal to watch RADIUS success/failure messages.
  f. For XP SP2, turn on Wzctrace.log by entering "netsh ras set tracing * enabled"
  2. If RADIUS is flowing but access requests are being rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. Fixing this depends on EAP Type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other Certificate" on your wireless adapter's Network Properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" for the adapter. If your RADIUS server requires EAP-TTLS, then you'll need a third-party wireless client like AEGIS or Odyssey.
  Make sure that EAP-specific properties match for your adapter and server, including server certificate Trusted Root Authority, server domain name (optional but must match when specified), and client authentication method (e.g., EAP-MSCHAPv2, EAP-GTC). When using PEAP, use the CHAP "Configure" panel to prevent Windows from automatically re-using your logon.