IPhone and EAP-TLS with ACS & 5508

Similar Messages

• EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

  We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
  Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
  For example:
  Policy 1: allowed-certificate-OID --> corporate
  Policy 2: allowed-certificate-OID --> private
  Client authenticates with EKU corporate --> success
  Client authenticates with EKU private --> reject
  My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
  Has anyone a simmilar setup or can help to figure out what is going wrong?
  We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
  regards
  Fabian

  The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
  This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
  The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
  The certificate does include this OID but not the custom EKU.

• ACS 4.2 and EAP-TLS with AD and prefix problem

  Hi there
  we have the following situation:
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
  First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
  Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
  This is the normal output of the Remote Agent, it finds the host but then nothing happens:
  CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
  CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
  CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
  CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
  So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
  test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
  CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
  CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
  It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
  Could this be the problem or does someone see any other problem?
  Best Regards
  Dominic

  Hi Colin
  thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
  I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
  Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
  Regards
  Dominic

• Access connection​s 5.50 and EAP TLS with Computer certificat​e

  Hello,
  I'm trying to connect to a Wifi using Computer certificate to authenticate and it works perfectly fine with windows Wireless Zero Config however with Thinkvantage Access Connection I always get an authentication error.
  I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
  OS is windows XP with SP3 and all the windows update (as of today).
  On my Radius server this is what I get:
  If I use WZC I get this in the authentication:
  Security ID: DOMAIN\R61WXP$ (this is my computer name)
  Account name: host/R61WXP.domain.local
  Account Domain: DOMAIN
  FQDN: DOMAIN\R61WXP$
  When I use Access Connections:
  Security ID: DOMAIN\Guest
   Account name: 
  Account Domain: DOMAIN
  FQDN: DOMAIN\Guest
  My Access connection profile is set this way:
  IEEE802.1x => Authenticate as Computer when the information is available.
  I hope someone can help !
  Thanks!

  Hi,
  try to dissable the IEEE802.1x => Authenticate as Computer when the information is available.
  Make also sure, that the profile connection is correctly configured in the AC profile settings.
  This mighe the the root cause.
  I can tell you, that there must be something missconfigured, as this configuration will surelly work .
  Cheers

• EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

  Good Morning...
  I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.

  You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

• 'Could not find user' with EAP-TLS in ACS

  Hi all,
  we are running ACS 4.2(1) Build 15 on a Win2003 member server and use the ACS for EAP-TLS with certificates (Microsoft-PKI) for WLAN authentication (WLC 4402, 6.0 and 4.2). We are using both machine and user authentication.
  Sometimes machine authentications fail with following message in AUTH.log:
  AUTH 11/01/2010 09:11:28 E 1395 1904 0x31cb External DB [NTAuthenDLL.dll]: Could not find user host/<xxxxxxxx>.com (0x5012)
  But some minutes/hours later the same machine can authenticate successful. Other machines never have this problem, no problems at all with user authentications.
  Does anyone have an idea where I can proceed with troubleshooting? I haven't found any related messages in server event logs. Are there any other logs where I can find reasons for these problems that are occuring only sometimes?
  Thanks
  Kai

  AUTH.log and RDS.log are two log file you need to look into on ACS side. Make sure the log level is set to "Full"
  You might need to check the log on AD side to see why it could not find this host.
  Comparing the logs between the working and non-working cases might be helpful.

• EAP-TLS with ISE 1.1.2 and WLC 7.0.228

  Hi,
  I'm on process of implement Cisco ISE with Wireless LAN Controller. According to my post, I would like to know that if Supplicant Provisioning and EAP-TLS does support on this type of firmware code.
  WLC running on 7.0.228 since most of production APs are 1230
  ISE running on the latest version.
  I have to use EAP-TLS and Supplicant Provisioning on these platforms.
  Is this possible to do about this ?
  Thanks,
  Pongsatorn Maneesud

  Please check the below compatibility matrix  link for Cisco ISE along with a link for client provisioning which might  be helpful:
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_61_byod_provisioning.pdf
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_client_prov.html

• Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

  Hi All,
  I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
  Computer using Data over wirless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
  For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
  I confront PEAP and Eap-TLS for now:
  1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
  2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
  so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
  If I understood well I have to put User.cer and ACS_CA.cer on each phone and pout the User_CA on the ACS ?
  I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
  I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
  can you help me to know if I understood everything good ? I would be please to exchange experience on that
  thanks ;)
  bye

  I am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
  Setup a Microsoft Certificate server as my
  CA. You can use same machine wih your ACS and CA.
  Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
  On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
  At that poit you should be able to connect you r wireless client using EAP-TLS.

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• EAP-TLS with machine certificate

  Hello all,
  I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
  Thanks a lot.
  Best regards.

  Hi Alfonso, 
  Certificate Retrieval for EAP-TLS Authentication
  ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
  ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
  After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
  Configuring CA Certificates
  When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
  If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
  You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
  Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
  Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
  Also check the below link,  
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

• 802.1x EAP-TLS with Cisco IP-Phone on MS NPS

  Hi,
  does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
  With ACS it is not a problem at all.
  thx
  Sebastian

  Hi all !
  Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
  This is the last e-mail that Microsoft TAC has sent to the customer:
  ====================================================================================
  As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
  "Please find below some more information about the same from Microsoft TechNet Article :
  CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
  Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
  =====================================================================================
  Tks for your help !!!!!!!
  Luis

• EAP-TLS with IAS

  Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
  Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
  Any suggestions?

  Hi,
  I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
  Regards,
  Davy

• Windows EAP-TLS with machine cert only?

  Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
  Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
  Thanks for any clues.

  Hello Leroy-
  EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
  Cisco TrustSec Guide:
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  RFC:
  https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
  Thank you for rating helpful posts!

• EAP-PEAP and EAP-TLS on same switched network

  Hello,
  I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
  The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
  I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
  Thanks,
  Guy

  You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
  Good Luck,
  --Jean Paul

• If you registrate one Apple ID for each iPhone/iPad, you'll get 5GB on iCloud for each Apple ID, right? I have two iPhones and one iPad  with the same Apple ID, why can't I get 5 GB fo each of them?

  If you registrate one Apple ID for each iPhone/iPad, you'll get 5GB on iCloud for each Apple ID, right? I have two iPhones and one iPad  with the same Apple ID, why can't I get 5 GB fo each of them?

  Actually, everyone missed one point, when a device is priced, the cost of icloud storage space for that device is also included in it that is why they are able to give you 5gb each for each user ID, in nutshell there is nothing free coming with apple device purchase, it is paid for.  What they are trying by giving only 5gb per user ID irrespective of the number of devices used is pure broadlight looting, they take money from you when you buy each device and give you nothing, This is a case of goods and services bought but not fully deliverd ie apple can be suied for discreminatory treatment towards it's users. I wonder why no one tried this yet in America where everyone sue everyone for petty things..... there is no one to take up this issue? . if tim got any love for the guys who shell out money for the devices his company makes, he should be implimenting this as priority before someone wake up from sleep and sue him.