Is roaming transparent to users when authenticating with LEAP or EAP-TLS?
We are planning the installation of a number of Access Points with LEAP authentication to ACS. We want to know upfront whether the users have to re-authenticate every time they roam from one Access Point to another. Is it the same with EAP-TLS or EAP-TTLS?
Your users will have to re-authenticate to each AP, but it happens automatically through the client. If all of your APs are on the same segment/subnet you shouldn't have a problem.
Similar Messages
-
Apple macosx machine authentication with ISE using EAP-TLS
Hello,
On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft based). ISE version 1.2.1 patch 1.
With windows machines all is working well. We are using computer authentication only.
Now the problem is that we wish to do the same with MAC OSX machines.
We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
In ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.
When MAC OSX machines authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
Thanks
Gustavo Novais
Additional information from the above question.
I have the following setup:
- ACS 3.2(3) build 11 appliance
- Cisco AP1200 wireless access point
- Novell NDS to be used as an external database
- Windows 2003 Enterprise with standalone Certificate Authority Services installed
- Windows XP SP2 client
My goal is to use the Windows XP native WLAN utility to connect to the AP using EAP-TLS authentication against Novell NDS.
I tried to connect using the Cisco compatible WLAN utility and authenticate using EAP-GTC against Novell NDS for users, and it works fine and perfectly.
When connecting using EAP-TLS, I am getting an error from ACS in the failed attempts: "Auth type Not supported by External DB". But the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody who has the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize the native WinXP WLAN utility?
Please help...
Thanks -
Prompt user, when hitting with SUBMIT button
Hello folks,
I have an application with student records. On the 1st page the user enters the student's name, on the 2nd page the user enters the student's grade, and there are two buttons on the 3rd page saying SAVE and SUBMIT; with either button the student record entered by the user will be INSERTED into the DB table.
Now I want to add a functionality saying student_name is a mandatory field only when the user hits the SUBMIT button on the 3rd page, so the user cannot submit leaving the mandatory field empty. So I want to prompt a window on the 3rd page with the student_name item where the user can enter the student's name and hit the OK button in that same prompted window, which will help the user to SUBMIT that particular student.
Any idea how to achieve it, how to validate and prompt the user, when the user submits students without entering mandatory items/fields?
Thanks
Deep.
Hi Dan,
Thanks for replying. Yes, I'm very aware of your reply, but I have this requirement, so I was trying to implement it in my current application.
I tried a small example in an APEX workspace to understand it better; have a look at it:
workspace :- deepapex
username :- [email protected]
password :- walubu
application "Prompt_only_for_Submit"
I kept a validation on page 3 if the user doesn't enter student_name (on page 1); up to here it's working perfectly. Then I started implementing JavaScript to open a prompt, but I want to open this prompt only when the user doesn't enter student_name on page 1 and not every time. Also, within this prompt I was looking at how to have a text box item where the user can enter student_name on page 3, where he actually forgot to enter it on page 1, so this new student_name item will go into the insert process and hence this will be done. I'm aware of the logic but really lacking how to implement it.
So if you can help a little, it will be great.
Thanks
Deep. -
Authenticating cisco phones via EAP-TLS by LSC with Radiator
Hi everyone,
On a post from 4 years ago (https://supportforums.cisco.com/discussion/10952961/8021x-phone-authentication-eap-tls-mic-only) I read that someone managed to authenticate phones via EAP-TLS without ACS, but rather using a Radiator server. They authenticated by MIC on each phone. I was wondering if anyone knows whether or not it's possible to do so by LSC, and if so how it is different from MIC?
Thanks in advance!
I think the default EAP-TLS session timeout is zero sec. Enter the maximum number of seconds you want the client to remain connected to the network access device before having to reauthenticate in the Session Timeout field. If you enter a number greater than 0, the lesser of this value and the remaining resumption limit is sent in a Session-Limit attribute to the RADIUS client on the RADIUS Access-Accept response.
If you enter 0, a Session-Limit attribute is not generated directly. A 0 does not prevent the authentication methods that perform secondary authorization from providing a value.
Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally efficient. -
User auth fails using 802.1x (EAP-TLS)
I'm currently testing 802.1x machine and user authentication using EAP-TLS. Right now I'm testing them separately, and machine auth works great, but user auth doesn't.
Here's what I'm using:
Smart Cards ->
Built-in Microsoft XP supplicant ->
Catalyst 4006 Switch ->
Cisco Secure ACS 3.3 ->
Microsoft Active Directory
After I log in using the smart card, an EAPOL message from the computer is sent to the switch, and the switch replies asking for the computer to identify itself, but the computer does nothing. The switch continues asking and finally gives up because of no response. The ACS server logs no traffic from the supplicant.
Is this a supplicant issue? Using PEAP MSCHAPv2 with secured passwords works fine, but not with certificates.
I found my answer. The problem was with the Microsoft supplicant. It wasn't prompting me to type in the PIN to unlock the smart card, so it couldn't read the certificate and thus the EAP process was timing out.
In order for the Windows supplicant to prompt the user for the smart card PIN, the "Show icon in notification area when connected" checkbox in the Local Area Connection properties window must be checked. They may want to think about renaming that box... :-) -
Cisco ACS with External DB - EAP-TLS
Hi Guys,
I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following?
Let's say both user and computer certs are employed:
1. Both client and ACS check each other's certs to ensure they are known to each other. The EAP-TLS exchange.
2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
2b. What is the parameter that is checked against the AD database?
I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client Certificates
Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
CN (or Name) Comparison: Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison: Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison: Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked against AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" in the AD DB?
Please can someone help me with these points.
I am so lost in this stuff :)) I think.
Many thx and many kind regards,
Ken
Only the TLS *handshake* is completed/successful, but because user authentication fails,
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against CSDB
pvCopySession: setting session group ID to 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Creating Domain cache
External DB [NTAuthenDLL.dll]: Loading Domain Cache
External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
pvCheckUnknownUserPolicy: setting session group ID to 0.
Unknown User 'jatin' was not authenticated
So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).
And no port/point will be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.
HTH
Regards,
Prem -
L2TP/IPSec with PIX using EAP-TLS
Hi,
I have big problems using my PIX515 (SW 7.2.1) for L2TP/IPSec VPN connections using EAP-TLS. With the option EAP-Proxy activated on the PIX, a RADIUS Access-Request message reaches the configured RADIUS server (IAS2003), but the request is rejected by RADIUS. I inspected the packets with a sniffer and see the following strange behavior:
- There is a Tunnel-Client-Endpoint AVP with no value and, even stranger, an existing AVP titled User-Password with an encrypted value.
I don't understand where the encrypted password comes from in the first RADIUS Access-Request message received from the PIX, since the authentication method should be certificate-based (EAP-TLS). And I don't know either if the Tunnel-Client-Endpoint MUST be present in the message. Fact is, the RADIUS responds with an Access-Reject message.
The other AVPs in the request seem to be OK, and there is an existing AVP titled EAP-Message (79) that seems alright...
Other detail: In the event log on the IAS the request is logged as type "PAP" (and not EAP as it should be!) and the log tells me about a problem with wrong username/password.
I tested the same client and RADIUS configuration using an RRAS server from Microsoft instead of the PIX and it worked fine! Could this be a bug of the PIX EAP-Proxy function?
EAP-Proxy should pass all EAP packets unmodified to the RADIUS, right? This seems not to be the case. Comparing the RADIUS Access-Request message received from the PIX (which fails) with the RADIUS Access-Request message received from the RRAS server (which succeeds) shows significant differences.
Every help appreciated. Please ask me for further information if needed or if you would like me to post the packet capture file (Ethereal format)/configuration information.
Thank you very much!!
Best regards,
Matthias
The Cisco Secure PIX Firewall Software Release 6.0 supports VPN connections from the Cisco VPN Client 3.5 for Windows. Refer to the following URL for more information:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall -
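The AVP-level check Matthias describes doing with a sniffer, as an added example in Go that is not part of this thread: it parses a RADIUS Access-Request, lists its attributes, and flags the two anomalies reported above (a User-Password beside the EAP-Message, and an empty Tunnel-Client-Endpoint). The packet bytes are constructed for the example; the attribute numbers are the RFC 2865/2869 values.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// RADIUS packet code and attribute types used below (RFC 2865 / RFC 2869 numbers).
const (
	codeAccessRequest        = 1
	attrUserName             = 1
	attrUserPassword         = 2
	attrTunnelClientEndpoint = 66
	attrEAPMessage           = 79
)

// AVP is one RADIUS attribute-value pair (type, length, value on the wire).
type AVP struct {
	Type  byte
	Value []byte
}

// ParseAccessRequest validates the 20-byte RADIUS header and walks the AVP list.
func ParseAccessRequest(pkt []byte) ([]AVP, error) {
	if len(pkt) < 20 {
		return nil, fmt.Errorf("packet shorter than RADIUS header")
	}
	if pkt[0] != codeAccessRequest {
		return nil, fmt.Errorf("code %d is not Access-Request", pkt[0])
	}
	length := int(binary.BigEndian.Uint16(pkt[2:4]))
	if length < 20 || length > len(pkt) {
		return nil, fmt.Errorf("length field inconsistent with packet")
	}
	var avps []AVP
	for off := 20; off < length; {
		if off+2 > length {
			return nil, fmt.Errorf("truncated attribute header")
		}
		t, l := pkt[off], int(pkt[off+1])
		if l < 2 || off+l > length {
			return nil, fmt.Errorf("attribute %d has bad length %d", t, l)
		}
		avps = append(avps, AVP{Type: t, Value: pkt[off+2 : off+l]})
		off += l
	}
	return avps, nil
}

// Findings records what a review of an EAP proxy's request should flag.
type Findings struct {
	HasEAPMessage   bool
	HasUserPassword bool
	EmptyAttributes []byte // attribute types that carry a zero-length value
}

// InspectEAPRequest scans the AVPs of a request that is meant to carry EAP.
func InspectEAPRequest(avps []AVP) Findings {
	var f Findings
	for _, a := range avps {
		switch a.Type {
		case attrEAPMessage:
			f.HasEAPMessage = true
		case attrUserPassword:
			f.HasUserPassword = true
		}
		if len(a.Value) == 0 {
			f.EmptyAttributes = append(f.EmptyAttributes, a.Type)
		}
	}
	return f
}

// MixedCredentials is true when User-Password travels beside EAP-Message, the
// combination the post describes IAS logging as a PAP attempt and rejecting.
func (f Findings) MixedCredentials() bool {
	return f.HasEAPMessage && f.HasUserPassword
}

// buildAVP encodes one attribute; the length byte covers type, length and value.
func buildAVP(t byte, v []byte) []byte {
	return append([]byte{t, byte(2 + len(v))}, v...)
}

// SamplePacket is a constructed Access-Request modelled on the capture the post
// describes: User-Name, an obfuscated User-Password, an empty
// Tunnel-Client-Endpoint and an EAP-Message carrying an EAP Response/Identity.
func SamplePacket() []byte {
	eapIdentity := []byte{2, 1, 0, 10, 1, 'u', 's', 'e', 'r', '1'} // code 2, id 1, len 10, type 1
	body := buildAVP(attrUserName, []byte("user1"))
	body = append(body, buildAVP(attrUserPassword, make([]byte, 16))...)
	body = append(body, buildAVP(attrTunnelClientEndpoint, nil)...)
	body = append(body, buildAVP(attrEAPMessage, eapIdentity)...)
	hdr := make([]byte, 20) // code, id, length, 16-byte request authenticator (zeroed here)
	hdr[0], hdr[1] = codeAccessRequest, 1
	binary.BigEndian.PutUint16(hdr[2:4], uint16(20+len(body)))
	return append(hdr, body...)
}
```

Calling InspectEAPRequest on the parsed SamplePacket reports MixedCredentials as true and lists Tunnel-Client-Endpoint (66) as the one empty attribute.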
Issues using 887 when authenticating with MER on a Fibre connection
Hello All
I've been battling for a week now to get the config correct for Cisco 887VA.
I understand Sky use MER to authenticate, however, in order to create the PPP connection, I am using PPPoE without passing any authentication, other than the username|password through option 61 (and vendor information on option 60).
I have Wiresharked the provided Sky router SR102 to obtain DHCP option 60 and 61 information and have entered these as hex values in the dialer interface.
I have also spoofed the SR102 MAC address on the dialer interface.
I have created a sub interface on e0, using dot1q to tag traffic to VLAN 101
I can indeed see traffic on interface e0.101 but the dialer receives NO ip address.
I can also see the modem is connected and in sync.
Am I correct in assuming the e0.101 interface is equivalent to the WAN connection on a separate modem?
Config is below - please ignore local IPs, etc
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ******-ADSL
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 *********
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
memory-size iomem 10
clock timezone BST 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1112313640
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1112313640
 revocation-check none
 rsakeypair TP-self-signed-1112313640
crypto pki certificate chain TP-self-signed-1112313640
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip source-route
ip cef
ip domain name vdsl.******.net
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
archive
 log config
  hidekeys
username admin privilege 15 secret 5 *********
controller VDSL 0
no ip ftp passive
ip ssh authentication-retries 5
ip ssh version 2
interface Ethernet0
 no ip address
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe-client dial-pool-number 1
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
interface FastEthernet0
 no ip address
interface FastEthernet1
 no ip address
interface FastEthernet2
 no ip address
interface FastEthernet3
 no ip address
interface Vlan1
 ip address 1.1.1.1 255.255.0.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
interface Dialer1
 mac-address ****.****.**38
 mtu 1492
 ip dhcp client request classless-static-route
 ip dhcp client client-id hex <<HEX STRING>>
 ip dhcp client class-id hex <<HEX STRING>>
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 no ip virtual-reassembly in
 encapsulation ppp
 ip route-cache policy
 dialer pool 1
 dialer-group 1
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
router ospf 1
 router-id 1.1.0.1
 network 1.1.0.1 0.0.0.0 area 0
 default-information originate
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 9
ip flow-export destination 1.1.1.1 9991
ip flow-export destination 1.1.1.1 9991
ip nat inside source list NATACL interface Dialer1 overload
ip access-list standard NATACL
 permit 1.0.0.0 0.255.255.255
logging esm config
access-list 1 permit 1.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
control-plane
banner motd ^CCCCCCCCC
*****************AUTHORISED USERS ONLY*****************
^C
line con 0
 password 7 ***************
line aux 0
 password 7 ***************
line vty 0 4
 session-timeout 10
 exec-timeout 0 0
 timeout login response 300
 transport input ssh
scheduler max-task-time 5000
end
Many thanks
Chris,
Just wondering if you managed to get anywhere with this, or just gave up? I'm a Sky Fibre user, sadly using the bundled "Sky Hub" (aptly named, as I consider "Layer 1 Network Hubs" to be just as gash as this ), and have battled with the MER DHCP-based authentication before.
Previously, I was experimenting using a Cisco Linksys E2400 (or E4200, I forget) running Tomato USB Firmware and was getting frustrated with the hex settings.
I notice in your configs you posted the following strings, which look like they are trying to send the DHCP Vendor ID/Options that MER needs:
ip dhcp client client-id hex <<HEX STRING>>
ip dhcp client class-id hex <<HEX STRING>>
For your specified <<HEX STRING>> were you also appending the necessary "0x3d" (61) to your custom-generated User+Pass hex (i.e. full string reads "0x3d<<USER+PASS HEX>>")?
Sources as below, but curious if this could fix it?
Sources
http://www.skyuser.co.uk/forum/technical-discussion/46464-skys-mer-why-does-not-work-other-routers-22.html
https://www.cm9.net/skypass/index.cgi -
VPN Client and Clientless users not authenticating with AD
Web clients are receiving login failed messages and VPN clients are getting disconnected by host messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.
CP
Hi,
Are you using LDAP for user authentication, is this a new setup or was this working at one point?
If using LDAP, please use "debug ldap 255" and reproduce. If you are using RADIUS, what are you using?
Thanks,
Sent from Cisco Technical Support iPad App -
802.1x EAP-TLS for wired users with ACS 5.5
Hi All,
We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS). We are using ACS 5.5 as the authentication server.
We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether the authentication is working or not. I hope both the root CA and identity certificate also need to be installed on the laptops. But I am not sure how to download the certificates for the client machine manually from the CA.
Kindly suggest on how to get certificates for clients both manually as well as automatically?
Thanks,
Vijay
Hi Vijay,
For wired 802.1x (EAP-TLS) you need to have the following certificates:
On ACS: Root CA, Intermediate CA, Server Certificate
On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
I am not sure which third-party certificate server you are using. If it's an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
In the case of Microsoft, there will be a template for the user certificate. You can select it and create the user certificate.
This one is an old document, but it has steps to configure the machine certificate for the user. You can see the steps to download the user certificate if it's a Microsoft server:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
In case you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
Cheers
Minakshi (rate the helpful post) -
Radius 802.1x authentication with computer AND users.
Hi !
I don't know if what I'm trying to do is possible, so please excuse me if this sounds silly :)
I have a Cisco Wireless LAN manager where I've configured 2 different SSIDs: COMPANY and COMPANY_mobiles.
What I want is to create a policy to restrict access to the COMPANY SSID to only my company laptops with authenticated users (both groups exist in the AD).
Therefore I created a new policy with the following conditions:
- NAS Port Type : Wireless
- Client IPv4 Address : <my cisco ip>
- Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
- Users Groups : EUROPE\MY_USER_GROUP
- Machine Groups : EUROPE\Domain Computers
When trying to connect a notebook on Windows 7 to that COMPANY SSID, I'm being rejected with the following error:
User:
Security ID: EUROPE\HOSTNAME$
Account Name: host/HOSTNAME.my.server.com
Account Domain: EUROPE
Fully Qualified Account Name: EUROPE\HOSTNAME$
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: My.radius.server.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
It therefore seems that it doesn't match my network policy and falls back to the default one.
If I remove the user rule and leave the computer rule: Connection OK
If I remove the computer rule and leave the user rule: Connection OK
But if I put both, I can't connect :s
Can someone help me with this issue ?
Thanks a lot !
Geoffrey
Hi Geoffrey,
I would like to know if EAP-TLS wireless authentication has been used, since it uses user and computer certificates to authenticate wireless access clients.
Please try to use the NPS wizard to configure the 802.1x wireless connection, and you will find that it creates a new connection request policy and network policy. The network policy NAS Port type will be "Wireless - Other OR Wireless - IEEE 802.11". If you need to filter by user and computer account, the log should show both the authenticated user and machine account name.
EAP-TLS-based Authenticated Wireless Access Design
http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
Regards, Rick Tan -
AD Machine Authentication with Cisco ISE problem
Hi Experts,
I am new with ISE. I have configured ISE & domain computers for PEAP authentication. Initially the machine gets authenticated and then starts going to MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE, but the computer starts MAB authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2) eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and the per-user ACL is pushed through ISE to the switch, the default ACL still blocks communication on this switchport.
Your help will be highly appreciated.
Regards,
You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication, causing the switch to fall back to MAB. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing; could be something in the policy. Make sure your AD setup has machine authentication checked, or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship, so the machinewasauth=true is not being matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired side: the machine passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate; since this is an auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great. I prefer to use EAP-FASTv2 using Cisco AnyConnect NAM with EAP chaining. This is great because you can do two-part authentication: EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstation policy; if machine and user pass, then corp policy. -
EAP-TLS or PEAP authentication failed during SSL handshake
Hi Pros,
I am a newbie in ACS 4.2 and EAP-TLS implementation. With that being said, I face an issue during an EAP-TLS implementation. My search shows that this kind of error message is usually a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-installed the cert chain as well.
When I check my log in the failed attempts, here is what I found:
Failed attempt 1:
Date: 06/23/2010
Time: 17:39:51
Message-Type: Authen failed
User-Name: 000e.9b6e.e834
Group-Name: Default Group
Caller-ID: 000e.9b6e.e834
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
NAS-Port: 1101
NAS-IP-Address: 10.111.22.24
EAP Type: 25
EAP Type Name: MS-PEAP
Access Device: wbr-1121-zozo-test
Network Device Group: Office Network
Failed attempt 2:
Date: 06/23/2010
Time: 17:39:50
Message-Type: Authen failed
User-Name: [email protected]
Group-Name: Default Group
Caller-ID: 000e.9b6e.e834
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
NAS-Port: 1098
NAS-IP-Address: 10.111.22.24
EAP Type: 25
EAP Type Name: MS-PEAP
Access Device: wbr-1121-zozo-test
Network Device Group: Office Network
[email protected] = my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why does it put me in DEFAULT-GROUP even though I belong to a group well defined in the ACS?
Secondly, when I check in passed authentications... here is what I saw:
Passed authentication 1:
Date: 06/23/2010
Time: 17:30:49
Message-Type: Authen OK
User-Name: groszozo
Group-Name: NOC Tier 2
Caller-ID: 10.11.10.105
NAS-Port: 1
NAS-IP-Address: 10.111.22.24
Network Access Profile Name: (Default)
Access Device: wbr-1121-zozo-test
Network Device Group: Office Network
Passed authentication 2:
Date: 06/23/2010
Time: 17:29:27
Message-Type: Authen OK
User-Name: groszozo
Group-Name: NOC Tier 2
Caller-ID: 10.11.10.105
NAS-Port: 1
NAS-IP-Address: 10.111.22.24
Network Access Profile Name: (Default)
Access Device: wbr-1121-zozo-test
Network Device Group: Office Network
In the output below, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.
Before I forget, the supplicant is using WIN XP and 802.1x is enabled. I even unchecked "verify the server", and on the ACS under External User Databases I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy
---
Any ideas on this, guys?? On my end, I've been reading some docs... Things started to make sense to me, but I still cannot authenticate, still the same errors. One more thing that catches my attention now is the time it takes to open a telnet session to the Cisco device which has the ACS as auth server.
My AD (Active Directory) and the ACS server are local on the same subnet (server subnet). Ping to the ACS from my desktop, which is in a different subnet, only takes 1 ms. To confirm that the issue is the ACS server, I decided to use another server in a remote location; the telnet connection is way faster than with the local ACS.
Let's brainstorm together to figure this out, guys.
Thanks in advance,
----Paul -
EAP-TLS on ACS v4 for wireless users
Hi,
I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I'm stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
As mentioned in the ACS configuration guide I have to have a CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, to Generate Self-Signed Certificate. I generated a certificate and uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client configuration, but still I got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly I don't know if this is possible, but I gave it a try and failed.
Kindly advise what is the appropriate and easiest way to accomplish the task; if you could provide me with helpful documents I'll appreciate it.
Regards,
Belal
I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
Then, generate a certificate signing request from ACS, then request a server certificate from the CA, then copy and install the certificate to ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond it means that the server certificate is not properly set up.
On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you have used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify your client certificate was installed properly.
At that point you should be able to connect your wireless client using EAP-TLS. -
EAP-TLS with machine certificate
Hello all,
I'm looking for a solution to authenticate both machines and wireless users. I've been finding solutions like EAP-TLS using the machine certificate to establish the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now I want to know if it is possible to use this configuration with ACS RADIUS servers, and which OSes are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOS, Android...).
Thanks a lot.
Best regards.
Hi Alfonso,
Certificate Retrieval for EAP-TLS Authentication
ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute.
ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates.
After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network.
Configuring CA Certificates
When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate.
If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.
You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).
Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems.
Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate.
Also check the below link,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404
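As an added example that is not part of either answer above (nor Cisco's own tooling), the following openssl script builds the pieces the two posts describe: a private CA standing in for the Microsoft CA, a CA-signed ACS server certificate, an EAP-TLS user certificate and a machine certificate. It then checks them the way the ACS side does: chain and extended-key-usage verification, selecting the SAN-DNS field that a certificate authentication profile would use, and the byte-for-byte comparison against a stored userCertificate value. All names (Example Lab CA, acs.example.lab, ws01.example.lab, jdoe@example.lab) are constructed placeholders, and the stored DER file is a local stand-in for the AD attribute, not a directory lookup.

```shell
#!/bin/sh
# Added example: a throw-away EAP-TLS PKI built with openssl, standing in for the
# Microsoft CA / ACS / client machines in the thread. Example Lab CA,
# acs.example.lab, ws01.example.lab and jdoe@example.lab are constructed names.
set -eu

WORK=$(mktemp -d)      # scratch directory; every key and certificate lands here

issue() {
  # issue NAME SUBJECT EXTENSIONS: CSR -> CA-signed certificate, the same
  # CSR/CA round trip the ACS 3.2 answer describes, with the extensions set.
  name=$1; subject=$2; ext=$3
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%b\n' "$ext" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/$name.ext" \
    -out "$WORK/$name.crt" 2>/dev/null
}

build_pki() {
  # Root CA (self-signed, CA:TRUE). A self-signed ACS *server* certificate is not
  # a CA and cannot issue the client certificates EAP-TLS needs on each supplicant.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Lab CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # RADIUS/ACS server certificate: EKU serverAuth, SAN matching its hostname.
  issue acs "/CN=acs.example.lab" \
    'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:acs.example.lab'
  # User certificate: EKU clientAuth, CN is the Windows username, UPN in SAN
  # (otherName OID 1.3.6.1.4.1.311.20.2.3 is the Microsoft UPN form).
  issue jdoe "/CN=jdoe" \
    'extendedKeyUsage=clientAuth\nsubjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jdoe@example.lab'
  # Machine certificate: SAN-DNS carries the host FQDN the profile matches on.
  issue ws01 "/CN=ws01.example.lab" \
    'extendedKeyUsage=clientAuth\nsubjectAltName=DNS:ws01.example.lab'
  # Stand-in for the AD userCertificate attribute: DER copy of the enrolled cert.
  openssl x509 -in "$WORK/ws01.crt" -outform DER -out "$WORK/ws01.userCertificate.der"
}

verify_cert() {
  # verify_cert NAME PURPOSE: chain plus EKU check (sslserver / sslclient), the
  # validation the supplicant does on the ACS cert and ACS does on the client cert.
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

san_dns() {
  # First SAN DNS entry of NAME's cert: the field a certificate authentication
  # profile set to SAN-DNS would use to look the record up. Empty if none.
  openssl x509 -in "$WORK/$1.crt" -noout -text |
    sed -n 's/.*DNS:\([^,]*\).*/\1/p' | head -n 1
}

binary_match() {
  # binary_match PRESENTED STORED: byte-for-byte DER comparison of the presented
  # certificate against the stored userCertificate value, as ACS does after retrieval.
  openssl x509 -in "$WORK/$1.crt" -outform DER | cmp -s - "$WORK/$2.userCertificate.der"
}

build_pki
verify_cert acs sslserver && echo "acs.crt: valid server certificate"
verify_cert ws01 sslclient && echo "ws01.crt: valid client certificate"
verify_cert acs sslclient || echo "acs.crt rejected as a client certificate (EKU is serverAuth only)"
echo "ws01 SAN-DNS: $(san_dns ws01)"
binary_match ws01 ws01 && echo "ws01: matches the stored userCertificate"
binary_match jdoe ws01 || echo "jdoe: no match against ws01's stored certificate"
```

The EKU check is the part worth keeping in mind when the EAP-TLS test in Global Authentication Setup "fails to respond": a server certificate without serverAuth, or a client certificate without clientAuth, fails `openssl verify -purpose` in exactly the way the supplicant and the RADIUS server reject it. The binary comparison also shows why re-enrolling a machine without updating the directory record breaks certificate retrieval: a freshly issued certificate has a new serial and signature, so its DER no longer matches the stored value even though the subject is unchanged.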