Is roaming transparent to users when authenticating with LEAP or EAP-TLS?
We are planning the installation of a number of Access Points with LEAP authentication to ACS. We want to know upfront whether the users have to reautenticate everytime they roam from one Access Point to another. Is it the same with EAP-TLS or EAP-TTLS?
Your users will have to re-authenticate to each AP but it happens automaticaly throught the client. IF all of your APs are on the same segment/subnet you shouldn't have a problem.
Similar Messages
-
Apple macosx machine authentication with ISE using EAP-TLS
Hello,
On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
With windows machines all is working well. We are using computer authentication only.
Now the problem is that we wish to do the same with MAC OSX machines.
We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
Thanks
Gustavo NovaisAdditional information from the above question.
I have the following setup;
ACS 3.2(3) built 11 appliance
-Cisco AP1200 wireless access point
-Novell NDS to be used as an external database
-Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
-Windows XP SP2 Client
My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
Please help...
Thanks -
Prompt user, when hitting with SUBMIT button
Hello folks,
I have application with student record, on 1st page user enters student's name and on 2nd page user enters students grade and their are two buttons on 3rd page saying SAVE and SUBMIT, with the hitting of both the buttons students record enterred by the user will be INSERTED into DB table.
Now I want to add a functionality saying, student_name as mandatory filled <b>only when user hits SUBMIT button</b> on 3rd page, hence user cannot submit leaving mandatory filled as empty. So I want to prompt a window on 3rd page with the student_name item where user can enter student's name and hit OK button the same prompted window which will help user to SUBMIT that particular student.
any idea how to achieve it, how to validate and prompt user, when user submits students without entering mandatory items/fields.
Thanks
Deep.Hi Dan,
Thanks for replying, yes I'm very aware about your reply but I'm having req. so was trying to implement same into my current application.
I tried a small example into apex workspace to better understand have a look into it:-
workspace :- deepapex
username :- [email protected]
password :- walubu
application "Prompt_only_for_Submit"
I kept validation on page 3 if user doesnt enters student_name(on page 1) upto here it's working perfect than I started implementing JavaScript to open a prompt, but I want to open this prompt only when user doesnt enters student_name on page 1 and not everytime, also within this prompt I was looking how to have text_box item where user can enter student_name on page 3 where he actually forgotted to enter on page 1, so this new student_name item will go into insert process and hence this will be done, I'm away of the logic but really lacking to implement it.
So if you can help little it will be glad to you.
Thanks
Deep. -
Authenticating cisco phones via EAP-TLS by LSC with Radiator
Hi everyone,
On a post from 4 years ago (https://supportforums.cisco.com/discussion/10952961/8021x-phone-authentication-eap-tls-mic-only) I read that someone managed to work authenticate phones via EAP-TLS without ACS, but rather using a Radiator server. They authenticated by MIC on each phone. I was wondering if anyone knows whether or not it's possible to do so by LSC, and if so how is it different than by MIC?
Thanks in advance!I think the default EAP-TLS session timeout is zero sec. Enter the maximum number of seconds you want the client to remain connected to the network access device before having to reauthenticate in the Session TImeout field. If you enter a number greater than 0, the lesser of this value and the remaining resumption limit is sent in a Session-Limit attribute to the RADIUS client on the RADIUS Access-Accept response.
If you enter 0, a Session-Limit attribute is not generated directly. A 0 does not prevent the authentication methods that perform secondary authorization from providing a value.
Entering a value such as 600 (10 minutes) does not necessarily cause a full reauthentication to occur every 10 minutes. You can configure the resumption limit to make most reauthentications fast and computationally efficient. -
User auth fails using 802.1x (EAP-TLS)
I'm currently testing 802.1x machine and user authentication using EAP-TLS. Right now I'm testing them separately, and machine auth works great, but user auth doesn't.
Here's what I'm using:
Smart Cards ->
Built-in Microsoft XP supplicant ->
Catalyst 4006 Switch ->
Cisco Secure ACS 3.3 ->
Microsoft Active Directory
After I log in using the smart card, an EAPOL message from the computer is sent to the switch, and the switch replies asking for the computer to identify itself, but the computer does nothing. The switch continues asking and finally gives up because of no response. The ACS server logs no traffic from the supplicant.
Is this a supplicant issue? Using PEAP MSCHAPv2 with secured passwords works fine, but not with certificates.I found my answer. The problem was with the Microsoft supplicant. It wasn't prompting me to type in the PIN to unlock the smart card, so it couldn't read the certificate and thus the EAP process was timing out.
In order for the Windows supplicant to prompt the user for the smart card PIN, the "Show icon in notification area when connected" checkbox in the Local Area Connection properties windows must be checked. They may want to think about renaming that box... :-) -
Cisco ACS with External DB - EAP-TLS
Hi Guys,
I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
Let say both user and computer certs are employed:
1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
2b. Wot is the paramater that is checked against the AD database?
I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client Certificates
Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
Please can someone help me with these points.
I am so lost in this stuff :)) I think.
Many thx and many kind regards,
Kenonly TLS *handshake* is completed/succcessful, but because user authentication fails,
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against CSDB
pvCopySession: setting session group ID to 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Creating Domain cache
External DB [NTAuthenDLL.dll]: Loading Domain Cache
External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
pvCheckUnknownUserPolicy: setting session group ID to 0.
Unknown User 'jatin' was not authenticated
So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
HTH
Regards,
Prem -
L2TP/IPSec with PIX using EAP-TLS
Hi,
i have big problems with using my PIX515 (SW 7.2.1) for L2TP/IPSec VPN-Connections using EAP-TLS. With the option EAP-Proxy activated on PIX a RADIUS Access-Request Message reaches the configured RADIUS-SERVER (IAS2003), but the request is rejected by Radius. I did inspection of the packets with a sniffer and see following strange behavior:
- There is a Tunnel-Client-Endpoint AVP with no value and, even stranger, an existing AVP titled User-Password with an encrypted value.
I dont understand where the encrypted Password comes from in the first RADIUS Access-Request message received from the PIX, since the authentication method should be certificate-based (EAP-TLS). And I dont know either if the Tunnel-Client-Endpoint MUST be present in the message. Fact is the RADIUS responds with an Access-Reject Message.
The other AVPs in the request seem to be OK, and there is an existend AVP titled EAP-Message (79) that seems alright...
Other detail: In the event log on the IAS the request is logged as Type "PAP" (and not EAP as it should be!) and the log tells me about a problem with wrong username/password.
Tested the same client and Radius configuration using a RRAS-Server from Microsoft instead of the PIX and it worked fine! Could this be a bug of the Pix EAP-Proxy function?
EAP-Proxy should pass all EAP packets unmodified to the Radius, right? This seems not to be the case. Comparing the RADIUS Access-Request Message received from the Pix (which fails) with the RADIUS Access-Request Message received from the RRAS-Server (which successes) shows significant differences.
Every help appreciated. Please ask me for further infos if needed or if you would like me to post the Packet Capture file (Ethereal format)/Configuration information.
Thank you very much!!
Best regards,
MatthiasThe Cisco Secure PIX Firewall Software Release 6.0 supports VPN connections from the Cisco VPN Client 3.5 for Windows.Refer the following URL for more information
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall -
Issues using 887 when authenticating with MER on a Fibre connection
Hello All
I've been battling for a week now to get the config correct for Cisco 887VA.
I understand Sky use MER to authenticate, however, in order to create the PPP connection, I am using PPPoE without passing any authentication, other than the username|password through option 61 (and vendor information on option 60).
I have Wiresharked the provided Sky router SR102 to obtain DHCP option 60 and 61 information and have entered these as hex values in the dialer interface.
I have also spoofed the SR102 MAC address on the dialer interface.
I have created a sub interface on e0, using dot1q to tag traffic to VLAN 101
I can indeed see traffic on interface e0.101 but the dialer receives NO ip address.
I can also see the modem is connected and in sync.
Am I correct in assuming the e0.101 interface is equivalent to the WAN connection on a seperate modem?
Config is below - please ignore local IPs, etc
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ******-ADSL
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 *********
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
memory-size iomem 10
clock timezone BST 0 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1112313640
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1112313640
revocation-check none
rsakeypair TP-self-signed-1112313640
crypto pki certificate chain TP-self-signed-1112313640
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip source-route
ip cef
ip domain name vdsl.******.net
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
archive
log config
hidekeys
username admin privilege 15 secret 5 *********
controller VDSL 0
no ip ftp passive
ip ssh authentication-retries 5
ip ssh version 2
interface Ethernet0
no ip address
interface Ethernet0.101
encapsulation dot1Q 101
pppoe-client dial-pool-number 1
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 1.1.1.1 255.255.0.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
interface Dialer1
mac-address ****.****.**38
mtu 1492
ip dhcp client request classless-static-route
ip dhcp client client-id hex <<HEX STRING>>
ip dhcp client class-id hex <<HEX STRING>>
ip address dhcp
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
ip route-cache policy
dialer pool 1
dialer-group 1
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
no cdp enable
router ospf 1
router-id 1.1.0.1
network 1.1.0.1 0.0.0.0 area 0
default-information originate
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 9
ip flow-export destination 1.1.1.1 9991
ip flow-export destination 1.1.1.1 9991
ip nat inside source list NATACL interface Dialer1 overload
ip access-list standard NATACL
permit 1.0.0.0 0.255.255.255
logging esm config
access-list 1 permit 1.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit
control-plane
banner motd ^CCCCCCCCC
*****************AUTHORISED USERS ONLY*****************
^C
line con 0
password 7 ***************
line aux 0
password 7 ***************
line vty 0 4
session-timeout 10
exec-timeout 0 0
timeout login response 300
transport input ssh
scheduler max-task-time 5000
end
Many thanksChris,
Just wondering if you managed to get anywhere with this, or just gave up? I'm a Sky Fibre user, sadly using the bundled "Sky Hub" (aptly named, as I consider "Layer 1 Network Hubs" to be just as gash as this ), and have battled with the MER DHCP-based authentication before.
Previously, I was experimenting using a Cisco Linksys E2400 (or E4200, I forget) running Tomato USB Firmware and was getting frustrated with the hex settings.
I notice in your configs you posted the following strings, which look like they are trying to send the DHCP Vendor ID/Options that MER needs:
ip dhcp client client-id hex <<HEX STRING>>
ip dhcp client class-id hex <<HEX STRING>>
For your specified <<HEX STRING>> were you also appending the necessary "0x3d" (61) to your custom-generated User+Pass hex (i.e. full string reads "0x3d<<USER+PASS HEX>>")?
Sources as below, but curious if this could fix it?
Sources
http://www.skyuser.co.uk/forum/technical-discussion/46464-skys-mer-why-does-not-work-other-routers-22.html
https://www.cm9.net/skypass/index.cgi -
VPN Client and Clientless users not authenticating with AD
Web clients are receiving login failed messages and VPN clients are getting disconnected by host messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.
CPHi,
Are you using LDAP for user authentication, is this a new setup or was this working at one point?
If using LDAP please use "debug ldap 255" and reproduce, If you are using radius what are you using?
Thanks,
Sent from Cisco Technical Support iPad App -
802.1x EAP-TLS for wired users with ACS 5.5
Hi All,
We are configuring a new setup for wired users authentication with 802.1x(EAP-TLS). ACS 5.5 we are using as authentication server.
We have added the root CA(internal) certificate and certifcate for ACS signed by CA. Now We want to check the authentication is working or not . I hope both root CA and identity certifcate also we need to install in the laptops. But I am not sure how to download the certifcates for client machine manually from CA.
Kindly suggest on how to get certificates for clients both manually as well as automatically?
Thanks,
VijayHi Vijay,
for the Wired 802.1x (EAP-TLS) you need to have following certificates:
On ACS--- Root CA, Intermediate CA, Server Certificate
On Client-- Root CA, Intermediate CA, User certificate(In case of user authentication) OR Machine certificae(In case of Machine authentication)
I am not sure which third party certificate are you using, If its in house Microsoft or any other certificate server then you need download the client certificate from the server itself.
In case of Microsoft, There will be a template for user certificate. You can select it and create user certificate
This one is an old document, But has steps to configure Machine certificate for the user, You can see the steps to download user certificate if its Microsoft server:
http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
In case You are using the third party certificate serevr , Then you need to check with them on how to download the user certificate
Cheers
Minakshi(rate the helpful post) -
Radius 802.1x authentication with computer AND users.
Hi !
I don't know if what I trying to do is possible so please excuse me if this sounds silly :)
I have a Cisco Wireless lan manager where I've configure 2 differents SSID's : COMPANY and COMPANY_mobiles.
What I want is to create a policy to restrict the access to the COMPANY SSID to only my company laptops with authenticaded users (both groups exists in the AD).
Therefore I created a new policy with the following conditons :
- NAS Port Type : Wireless
- Client IPv4 Address : <my cisco ip>
- Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
- Users Groups : EUROPE\MY_USER_GROUP
- Machine Groups : EUROPE\Domain Computers
When trying to connect a notebook on windows 7 to that COMPANY ssid, I'm beeing rejected with the following error :
User:
Security ID: EUROPE\HOSTNAME$
Account Name: host/HOSTNAME.my.server.com
Account Domain: EUROPE
Fully Qualified Account Name: EUROPE\HOSTNAME$
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: My.radius.server.com
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
It therefore seems that it doesn't match my network policy and falls bacj to the default one.
If I remove the user rule, and let the computer rule : Connection OK
If I remove the computer rule, and let the user rule : Connection OK
but if I put both, i can't connect :s
Can someone help me with this issue ?
Thanks a lot !
GeoffreyHi Geoffrey,
I would like to know if
EAP-TLS wireless authentication has been used since it uses user and computer certificates to authenticate wireless access clients.
Please try to use NPS wizard to configure 802.1x wireless connection,
and
you will find that it
creates new connection request policy and network policy. Network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11".If
you
need filter by user and computer account, the log should show both authenticate user and machine account name.
EAP-TLS-based Authenticated Wireless Access Design
http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
Regards, Rick Tan -
AD Machine Authentication with Cisco ISE problem
Hi Experts,
I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
Authentication policy:
Allowed protocol = PEAP & TLS
Authorization Policy:
Condition for computer to be checked in external identity store (AD) = Permit access
Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
Switchport configuration:
===============================================
ip access-list extended ACL-DEFAULT
remark Allow DHCP
permit udp any eq bootpc any eq bootps
remark Allow DNS
permit udp any any eq domain
permit ip any host (AD)
permit icmp any any
permit ip any host (ISE-1)
permit ip any host (ISE-2)
permit udp any host (CUCM-1) eq tftp
permit udp any host (CUCM-2)eq tftp
deny ip any any
===============================================
switchport config
===============================================
Switchport Access vlan 10
switchport mode access
switchport voice vlan 20
ip access-group ACL-DEFAULT in
authentication open
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity 180
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 100
====================================================
One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
Your help will highly appreciated.
Regards,You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab. If your switch configuration is on auth failure continue to next method, then this makes sense. The question is why is the user failing auth but the machine is passing, could be something in the policy. Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched. Easy way to check is remove that rule from your policy and see if the same thing happens.
I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time. The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining. This is great because you can do two part authentication. EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet. I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy. -
EAP-TLS or PEAP authentication failed during SSL handshake
Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
When I check my log in the failed attemps, there is what I found:
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
06/23/2010
17:39:51
Authen failed
000e.9b6e.e834
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1101
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Networ
06/23/2010
17:39:50
Authen failed
[email protected]
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1098
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Network
[email protected] = my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
2. Secondly, When I check in pass authentications... there is what i saw
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
NAS-Port
NAS-IP-Address
Network Access Profile Name
Shared RAC
Downloadable ACL
System-Posture-Token
Application-Posture-Token
Reason
EAP Type
EAP Type Name
PEAP/EAP-FAST-Clear-Name
Access Device
Network Device Group
06/23/2010
17:30:49
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
06/23/2010
17:29:27
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy---Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
Let's brain storm together to figure out this guys.
Thanks in advance,
----Paul -
EAP-TLS on ACS v4 for wireless users
Hi,
I?m trying to deploy EAP-TLS authentication method on ACS v4.0 for my local wireless users; really I stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.
As mentioned on the ACS configuration guide I have to have CA server to generate certificates for both ACS and wireless users, but I found an option on the ACS under System configuration tab then ACS Certificate Setup a Generate Self-Signed Certificate, I generated a certificate and uploaded a copy to my PC, installed and followed the recommended steps to configure the Microsoft XP client configuration but still I got the error ?Windows was unable to find a certificate to log you on to the network SSID? . Honestly I don?t know if this is possible but I gave it a try but failed.
Kindly advice what is the appropriate and easiest way to accomplish the task, if you could provide me with helpful documents I?ll appreciate it.
Regards,
BelalI am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Setup a Microsoft Certificate server as my
CA. You can use same machine wih your ACS and CA.
Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
At that poit you should be able to connect you r wireless client using EAP-TLS. -
EAP-TLS with machine certificate
Hello all,
I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
Thanks a lot.
Best regards.Hi Alfonso,
Certificate Retrieval for EAP-TLS Authentication
ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute.
ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates.
After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network.
Configuring CA Certificates
When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate.
If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates.
You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs).
Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems.
Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
Also check the below link,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404
Maybe you are looking for
-
How to access the EmbeddedFontRegistry in actionscript only code?
Hi, My name is Zach and I am trying to push outside of the flex framework, but keep the advantages of RSL's. I created my own Component/Data Library where all UI objects inherits directly from Sprite. However, when I moved this out of the Flex envi
-
My screen is cracked and black how do i get my photos off of the phone if unable to put passcode in
My screen is cracked and black how do i get my photos off of the phone if unable to put passcode in
-
Retina Display MBP - 3rd party optical drive
Hi, I have just received my retina display macbook pro. I would like to view blu-ray movies on the retina display. For this reason, I think it would be better to purchase a 3rd party bluray drive instead of the apple superdrive. Is there any reason t
-
Lots of tables in the non-SAP source systems
Hi All, Earlier I asked a question on SDN about having about 50 tables in non-SAP source systems like SQL, Oracle, etc. According to the functional/business folks here, I'm supposed to be extracting only 1 or 2 fields from many tables. So I got a rep
-
Migration 10g on Solaris with SAN
My predecessors built our database servers with the ORACLE_HOME on the SAN. When it came time to upgrade the development server, the Oracle files that were not under ORACLE_HOME were copied to the newly built Solaris server, the SAN connections swapp