ISE - EAP-TLS authentication with multi-tier PKI

Hi Cisco Support Community,
and again I'm struggling with my ISE understanding. It's kind of frustrating - daily more and more questions arise :)
Here's the thing and I hope some of the ISE experts here know the answer:
I want to authenticate my wired and wireless clients using 802.1X. I'm using a multi-tier PKI (see picture below)
The ISE uses a certificate from the "Signing CA1" (Chain: Root CA - Signing CA1).
The clients uses a certificate from the "Signing CA2" (Chain: Root CA - Intermediate CA1 - Signing CA2).
Do I have to add the complete client certificate chain (Signing CA2, Intermediate CA1, Root CA) to the ISE trusted certificates in order to authenticate the client? Or is it enough for example just to add the root CA or the intermediate CA? I couldn't find any hints in the admin guide (1.3)
Thanks in advance!

Hello Johannes-
You will need to add the root and all/any intermediate certificates in the trusted certificate store of ISE. 
Thank you for rating helpful posts!

Similar Messages

  • EAP-TLS authentication with ACS 5.2

    Hi all,
    I have question on EAP-TLS with ACS 5.2.
    If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
    Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
    If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
    And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
    And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
    Hope you guys can help on this. THanks.

    Yes, you can configure:
    machine authentication only
    user authentication only
    Machine and user authentication.
    Machine or user authentication
    So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.
    PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
    host/computer.domain
    If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.
    Regards,
    Jatin

  • Eap tls authentication fails if bluetooth device connected

    Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD integrated, 802.1x wifi network. After a lot of trial and error with certificates I finally got this working but now have a rather bizarre problem. With the MBA on it's own it will connect to the wifi network, sucessfully authenticate and work perfectly well. However, if my Apple bluetooth mouse or keyboard are connected to the MBA the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process take a while then a packet shows as "Unknown Error Ignored", then loops thorugh the process. Turning off the keybpard and mouse at this point and the MBA will connect. Once connected I can then connect the keyboard and mouse and continue to stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
    Has anyone come across this elsewhere?
    Thanks

    I have a Macbook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot cert's network settings, did a complete fresh install (then restored from timemachine when that did not work) with no luck this solution worked but obviously is not a real solution as it should not confilct in this way. Great job on finding a workaround! I will be contacting apple about this ASAP under my applecare.

  • Cisco ISE - EAP-TLS - Machine / User Authentication - Multiple Certificate Authentication Profiles (CAP)

    Hello,
    I'm trying to do machine and user authentication using EAP-TLS and digital certificates.  Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
    In ISE, I can define multiple Certificate Authentication Profiles (CAP).  For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
    Problem is how do you specify ISE to check both in the Authentication Policy?  The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.  
    Any way to resolve this?
    Thanks,
    Steve

    You need to use the AnyConnect NAM supplicant on your windows machines, and use the feature called eap-chaining for that, windows own supplicant won't work.
    an example (uses user/pass though, but same concept)
    http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

  • ISE - EAP-TLS and then webAuth?

    Hello everyone!
    I have a little bit of a complex dilemma in an ISE deployment and I am trying to lean more on how it works technically. Long story short: I am trying to do both machine and user authentication / authorization (per requirements from our Security department) on a wireless network using iDevices (iPads, iPhones, iTouches) that are shared between users. Just an FYI, I know Apple devices are not intended for “multiple users”; hence, why it is a problem I am trying to solve with CWA.
    Hardware:
    Cisco ISE VM running 1.1.3.124
    WLC 5508 running 7.4.100.0
    AP 3602I running 7.4.100.0 / IOS 15.2(2)JB$
    iPod Touch version 6.1.3(10B329)
    Senario:
    •- User Authenticates to SSID that is 802.1x WPA2 AES,
    •- Machine is checked by having valid Cert issued by CA and given access to ISE CWA
    •- User open’s their browser
    •- WLC redirects them to ISE CWA
    •- User provides credentials on the portal
    •- User to CoA’d to full access network
    Rules, NSP is a limited profiling access network. CWA is a limited access network with redirect to centeral web auth on ISE. Standard rule 2 & 3 (which are disabled in this screen shot) are the rules that prove the CWA works on an open SSID.
    I have gotten the CWA to work great on an open SSID, however when the process involves EAP-TLS everything works but the redirect. The iPod is properly authorized to the CWA (which is the redirect permission), but when I open a browser the iPod just spins searching for the website; it is never redirected to the ISE. My question is, is this even possible? Is there a trick or order of sequence that needs to be changed? I have been told from a Cisco NCE that specializes in ISE that this “may” or “may not” work, but not given an explanation as to why or why not. And if it’s not possible, why not?
    Thank you in advance!
    Example, now the user is authorized for CWA, but when a user opens the browser it just sits there spinning.
    I checked the WLC “Clients>Details” (from the monitoring page) and I noticed something interesting:

    Please review the below link which might be helpful :
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

  • EAP-TLS authentication failure

    We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
    Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
    This situation is as follows:
    WLAN infrastructure with:
    1 x
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    AIR-WLC2112-K9 (IP address = 10.10.10.10)
    8 x
    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin:0cm;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    AIR-LAP1142N-E-K9
    Data for the WLC:
    Product Version.................................. 6.0.199.4
    RTOS Version..................................... 6.0.199.4
    Bootloader Version.............................. 4.0.191.0
    Emergency Image Version................... 6.0.199.4
    The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
    The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
    The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
    The problem: no wireless client (Windows XP) is able to go past the initial authentication.
    I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
    On the RADIUS side we find these error messages:
    Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
    NAS-IP-Address = 10.10.10.10
    NAS-Identifier = XX-002_WLAN
    Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
    Calling-Station-Identifier = 00-1c-bf-7b-08-xx
    Client-Friendly-Name = xxxxxxx_10.10.10.10
    Client-IP-Address = 10.10.10.10
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 2
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless LAN Access
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 22
    Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
    On the WLC side, the error messages are:
    TRAP log:
    RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
    SYSLOG:
    Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
    Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
    Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
    Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
    Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
    WLC Debug:
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
    *Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
    *Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
    *Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
    *Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
    *Jan 07 19:31:42.711:     Callback.....................................0x87e1870
    *Jan 07 19:31:42.712:     protocolType.................................0x00140001
    *Jan 07 19:31:42.712:     proxyState...................................58:94:6B:15:F5:D0-9B:00
    *Jan 07 19:31:42.712:     Packet contains 12 AVPs (not shown)
    *Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
    *Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
    *Jan 07 19:31:42.788:     structureSize................................145
    *Jan 07 19:31:42.788:     resultCode...................................255
    *Jan 07 19:31:42.788:     protocolUsed.................................0x00000001
    *Jan 07 19:31:42.788:     proxyState...................................58:94:6B:15:F5:D0-9B:00
    *Jan 07 19:31:42.788:     Packet contains 4 AVPs (not shown)
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
    *Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
    *Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
    *Jan 07 19:31:42.806:     Callback.....................................0x87e1870
    *Jan 07 19:31:42.806:     protocolType.................................0x00140001
    *Jan 07 19:31:42.807:     proxyState...................................58:94:6B:15:F5:D0-9B:01
    *Jan 07 19:31:42.807:     Packet contains 13 AVPs (not shown)
    *Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00                               ..
    *Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
    *Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
    *Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
    *Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
    Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads to the authentication process to fail and restart again and again:
    ******************** WIRESHARK CAPTURE ********************
    No.     Time        Source                Destination           Protocol Info
          1 0.000000    10.10.10.10        15.15.15.15           RADIUS   Access-Request(1) (id=125, l=280)
    Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
    Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
    Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 308
        Identification: 0x501f (20511)
        Flags: 0x02 (Don't Fragment)
        Fragment offset: 0
        Time to live: 64
        Protocol: UDP (17)
        Header checksum: 0x4aee [correct]
        Source: 10.10.10.10 (10.10.10.10)
        Destination: 15.15.15.15 (15.15.15.15)
    User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
        Source port: filenet-rpc (32769)
        Destination port: radius (1812)
        Length: 288
        Checksum: 0xe8e0 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: Access-Request (1)
        Packet identifier: 0x7d (125)
        Length: 280
        Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
        Attribute Value Pairs
            AVP: l=27  t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
            AVP: l=19  t=Calling-Station-Id(31): 00-21-6a-29-80-xx
            AVP: l=27  t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
            AVP: l=6  t=NAS-Port(5): 2
            AVP: l=6  t=NAS-IP-Address(4): 10.10.10.10
            AVP: l=13  t=NAS-Identifier(32): XX-002_WLAN
            AVP: l=12  t=Vendor-Specific(26) v=Airespace(14179)
            AVP: l=6  t=Service-Type(6): Framed(2)
            AVP: l=6  t=Framed-MTU(12): 1300
            AVP: l=6  t=NAS-Port-Type(61): Wireless-802.11(19)
            AVP: l=89  t=EAP-Message(79) Last Segment[1]
                EAP fragment
                Extensible Authentication Protocol
                    Code: Response (2)
                    Id: 3
                    Length: 87
                    Type: EAP-TLS [RFC5216] [Aboba] (13)
                    Flags(0x80): Length
                    Length: 77
                    Secure Socket Layer
            AVP: l=25  t=State(24): 1d68036a000001370001828b38990000000318a3088c00
            AVP: l=18  t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
    No.     Time        Source                Destination           Protocol Info
          2 0.060373    15.15.15.15        10.10.10.10          IP       Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
    Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
    Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 44
        Identification: 0x2935 (10549)
        Flags: 0x01 (More Fragments)
        Fragment offset: 0
        Time to live: 122
        Protocol: UDP (17)
        Header checksum: 0x58e0 [correct]
        Source: 15.15.15.15 (15.15.15.15)
        Destination: 10.10.10.10 (10.10.10.10)
        Reassembled IP in frame: 3
    Data (24 bytes)
    0000  07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae   .....i...}.al...
    0010  d0 75 05 c3 56 29 a7 b1                           .u..V)..
    No.     Time        Source                Destination           Protocol Info
          3 0.060671    15.15.15.15        10.10.10.10          RADIUS   Access-challenge(11) (id=125, l=1377)
    Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
    Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
    Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 1381
        Identification: 0x2935 (10549)
        Flags: 0x00
        Fragment offset: 24
        Time to live: 122
        Protocol: UDP (17)
        Header checksum: 0x73a4 [correct]
        Source: 15.15.15.15 (15.15.15.15)
        Destination: 10.10.10.10 (10.10.10.10)
        [IP Fragments (1385 bytes): #2(24), #3(1361)]
    User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
        Source port: radius (1812)
        Destination port: filenet-rpc (32769)
        Length: 1385
        Checksum: 0xe8f5 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: Access-challenge (11)
        Packet identifier: 0x7d (125)
        Length: 1377
        Authenticator: 6c8300aed07505c35629a7b14de483be
        Attribute Value Pairs
            AVP: l=6  t=Session-Timeout(27): 30
                Session-Timeout: 30
            AVP: l=255  t=EAP-Message(79) Segment[1]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[2]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[3]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[4]
                EAP fragment
            AVP: l=255  t=EAP-Message(79) Segment[5]
                EAP fragment
            AVP: l=33  t=EAP-Message(79) Last Segment[6]
                EAP fragment
                Extensible Authentication Protocol
                    Code: Request (1)
                    Id: 4
                    Length: 1296
                    Type: EAP-TLS [RFC5216] [Aboba] (13)
                    Flags(0xC0): Length More
                    Length: 8184
                    Secure Socket Layer
    [Malformed Packet: SSL]
        [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
            [Message: Malformed Packet (Exception occurred)]
            [Severity level: Error]
            [Group: Malformed]
    ******************** COMMVIEW CAPTURE ******************
    Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
    Ethernet II
        Destination MAC: 1C:DF:0F:55:20:xx
        Source MAC: F8:66:F2:62:63:xx
        Ethertype: 0x0800 (2048) - IP
    IP
        IP version: 0x04 (4)
        Header length: 0x05 (5) - 20 bytes
        Differentiated Services Field: 0x00 (0)
            Differentiated Services Code Point: 000000 - Default
            ECN-ECT: 0
            ECN-CE: 0
        Total length: 0x0135 (309)
        ID: 0x2B26 (11046)
        Flags
            Don't fragment bit: 1 - Don't fragment
            More fragments bit: 0 - Last fragment
        Fragment offset: 0x0000 (0)
        Time to live: 0x40 (64)
        Protocol: 0x11 (17) - UDP
        Checksum: 0x6FE6 (28646) - correct
        Source IP: 161.86.66.49
        Destination IP: 15.15.15.15
        IP Options: None
    UDP
        Source port: 32769
        Destination port: 1812
        Length: 0x0121 (289)
        Checksum: 0x5824 (22564) - correct
    Radius
        Code: 0x01 (1) - Access-Request
        Identifier: 0x8D (141)
        Packet Length: 0x0119 (281)
        Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
        Attributes
            Attribute
                Type: 0x01 (1) - User-Name
                Length: 0x1A (26)
                Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
            Attribute
                Type: 0x1F (31) - Calling-Station-Id
                Length: 0x11 (17)
                Calling id: 58-94-6b-15-5f-xx
            Attribute
                Type: 0x1E (30) - Called-Station-Id
                Length: 0x19 (25)
                Called id: f0-25-72-70-65-c0:WLAN-XX
            Attribute
                Type: 0x05 (5) - NAS-Port
                Length: 0x04 (4)
                Port: 0x00000002 (2)
            Attribute
                Type: 0x04 (4) - NAS-IP-Address
                Length: 0x04 (4)
                Address: 10.10.10.10
            Attribute
                Type: 0x20 (32) - NAS-Identifier
                Length: 0x0B (11)
                NAS identifier: XX-002_WLAN
            Attribute
                Type: 0x1A (26) - Vendor-Specific
                Length: 0x0A (10)
                Vendor id: 0x00003763 (14179)
                Vendor specific:  
            Attribute
                Type: 0x06 (6) - Service-Type
                Length: 0x04 (4)
                Service type: 0x00000002 (2) - Framed
            Attribute
                Type: 0x0C (12) - Framed-MTU
                Length: 0x04 (4)
                Framed MTU: 0x00000514 (1300)
            Attribute
                Type: 0x3D (61) - NAS-Port-Type
                Length: 0x04 (4)
                NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
            Attribute
                Type: 0x4F (79) - EAP-Message
                Length: 0x57 (87)
                EAP-Message
            Attribute
                Type: 0x18 (24) - State
                Length: 0x17 (23)
                State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
            Attribute
                Type: 0x50 (80) - Message-Authenticator
                Length: 0x10 (16)
                Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
    Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
    Ethernet II
        Destination MAC: F8:66:F2:62:63:xx
        Source MAC: 1C:DF:0F:55:20:xx
        Ethertype: 0x0800 (2048) - IP
    IP
        IP version: 0x04 (4)
        Header length: 0x05 (5) - 20 bytes
        Differentiated Services Field: 0x00 (0)
            Differentiated Services Code Point: 000000 - Default
            ECN-ECT: 0
            ECN-CE: 0
        Total length: 0x002C (44)
        ID: 0x4896 (18582)
        Flags
            Don't fragment bit: 0 - May fragment
            More fragments bit: 1 - More fragments
        Fragment offset: 0x0000 (0)
        Time to live: 0x7A (122)
        Protocol: 0x11 (17) - UDP
        Checksum: 0x397F (14719) - correct
        Source IP: 15.15.15.15
        Destination IP: 10.10.10.10
        IP Options: None
    UDP
        Source port: 1812
        Destination port: 32769
        Length: 0x0569 (1385)
        Checksum: 0x2FE4 (12260) - incorrect

    Hi,
    We spent many hours trying to solve this problem.
    Our setup:
    Cisco wireless setup, using windows NPS for 802.1x authentication.
    Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
    Auth was failing with "reason code 22, The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
    It turned out to be a GPO setting on the server, that was enforcing key protection.
    There is this note on the below technet article:
    Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
    http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
    Hopefully this helps someone out, if you have the same annoying error.

  • EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication

    Hi All,
    We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
    We have the leap as well as eap-tls in the authentication part.
    We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
    5/3/2011
    23:16:38
    Authen failed
    [email protected]
    EAP-TLS users
    0023.1413.de18
    (Default)
    EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
    21356
    10.121.198.38
    13
    EAP-TLS
    ap-1242b4 
      Bangalore APs
    We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
    Could anyone help me out in this?
    Regards
    Karthik

    Hi,
    Looks like the CA Cert is not installed on the ACS.
    The following link will help you install the CA cert.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
    Also trust the CA certificate in the Edit trust list list.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • EAP/TLS authentication Issue

    I have several Aironet 1100 AP's which are configure to use EAP/TLS to authenticate against a Cisco ACS server.
    We are using Aironet 350 pcmcia cards. This setup had been working up until friday when we moved the ACS server to a new IP address. Since then if I try to connect using the Cisco software bundled with the 350 pcmcia card it fails authentication. If I use the windows wireless config it works perfectly. Unfortuantley most of the pcs are running win 2000 so I need to get the cisco software working again.
    In ACS failed Auth logs I get the following message "Invalid message authenticator in EAP request" but from the other AP's I see nothing in the logs.
    I have checked the keys are correct and the user certificate is ok as I can connect using the inbuilt Win XP config util.
    I'm at a bit of a loss as to what to do next.

    Try this link
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

  • EAP-TLS problems with Cisco AP541N and Server 2008 NPS

    Hi,
    I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
    I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
    Oct 18 15:42:58
    info
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
    Oct 18 15:42:58
    warn
    hostapd
    wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
    Oct 18 15:42:58
    info
    hostapd
    The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
    NPS logs this:
    Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
    Netzwerkrichtlinienname: XXXXXX
    Authentifizierungsanbieter: Windows
    Authentifizierungsserver: XXXXX
    Authentifizierungstyp: EAP
    EAP-Typ: -
    Kontositzungs-ID: -
    Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
    Ursachencode: 22
    Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
    I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
    I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
    Did anybody encounter something like this before? Or just knows what to do?
    Thanks in advance
    Lenni

    Joe:
    Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
    EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
    PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
    for PEAP-MSCHAPv2, Your options are:
    - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
    - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
    - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
    You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • EAP TLS authentication failed during SSL handshake

    We see this message, trying to set up EAP TLS. Anyone come across this ?

    I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
    The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
    Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
    Hope this helps.

  • ISE & EAP-TLS Wired document

    All,
    Is there a document out there that explicitly shows wired authentication via EAP-TLS and explains the steps?
    I have a good handle on what's needed, but I had trouble finding relevant documentation.

    Please review the below link:
    http://http://www.cisco.com/en/US/docs/solutions/SBA/August2012/Cisco_SBA_BN_LANAndWirelessLAN802.1xAuthenticationDeploymentGuide-Aug2012.pdf

  • EAP-TLS authentication failed

    I have recently purchased the E71 and am trying to connect to my WLan at work. It uses 802.1x authentication and I have now installed the correct security certificate. It seems that no matter what EAP plugin I use, TLS TTLS PEAP FAST etc I get an authentication error. There are a whole lot of settings that I don't understand. Can anyone walk me through the setup who has been there before.
    Much appreciated
    ian S
    Christchurch, NZ

    I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
    The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
    Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
    Hope this helps.

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On a ongoing setup we are using eap-tls authentication with account validation against AD. We have our own CA (microsoft based). ISE version 1.2.1 patch 1.
    With windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with MAC OSX machines.
    We are using casper software suite and are able to push certificates into macosx, and are doing machine authentication.
    in ISE the certificate authentication profile is being set to look at the subject alternative name - DNS name of the machines. Whenever we set it to the UPN (hostname$) windows accounts are not found in ad.
    When MAC OSX authenticate as machines (they have a computer account in AD) they present themselves with RADIUS-Username = hostname$ instead of host/hostname.
    The consequence is that by lacking the host/, ISE considers that this is a user authentication, instead of a computer one, and when it sets off to find the account, it searches in User class instead of Computer - which obviously returns no results.
    Is anybody aware of any way to force MAC OSX to present a host/hostname RADIUS-Username when authenticating?
    Any similar experiences of authenticating MAC OSX with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais

    Additional information from the above question.
    I have the following setup;
    ACS 3.2(3) built 11 appliance
    -Cisco AP1200 wireless access point
    -Novell NDS to be used as an external database
    -Windows 2003 enterprise with standalone Certificate Authorithy Services Installed
    -Windows XP SP2 Client
    My Goal is to use Windows XP Native Wlan Utility to connect to AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using Cisco compatible wlaN utility and authenticate using EAP-GTC against Novell NDS for for users, it works fine and perfectly.
    When connecting using EAP-TLS, I am getting an error from ACS failed attempt "Auth type Not supported by External DB". But in the ACS documentation says that it supports EAP-TLS. How true is this? Is there anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize native WinXP Wlan Utility?
    Please help...
    Thanks

  • EAP-TLS and ISE 1.1 with AD certificates

    Hello,
    I am trying to configure EAP-TLS authentication with AD certificates.
    All ISE servers are joined to AD
    I have the root certificate from the CA to Activie Directory installed on the ISE servers
    I created the certificate authentication profile using the root certificate
    I have PEAP\EAP-TLS enabled as my allowed protocol
    I am getting the following error for authentication:
    "11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12301  Extracted EAP-Response/NAK requesting to use PEAP instead
    12300  Prepared EAP-Request proposing PEAP with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version 0
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12814  Prepared TLS Alert message
    12817  TLS handshake failed
    12309  PEAP handshake failed"
    I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
    Any other issues I am missing?
    Thanks,
    Michael Wynston
    Senior Solutions Architect
    CCIE# 5449
    Email: [email protected]
    Phone: (212)401-5059
    Cell: (908)413-5813
    AOL IM: cw2kman
    E-Plus
    http://www.eplus.com

    Please review the below link which might be helpful :
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

  • EAP-TLS and MS AD auth problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why it's not working with the combination EAP-TLS and MS AD.
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    This issue is generally seens when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection.Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

Maybe you are looking for

  • Parsing Non English characters from OPEN DATASET

    Hi Team, I'm try to download the .txt file using the OPEN DATASET in the windows environment from application server, system language is set up for English. The problem is, in the .txt file some times I will be getting the non-English characters (Spa

  • Problem with the progress line in MS Project

    Hi there, I have a question about the progress line in MS Project.  My boss asked me to see how far we were with the work, so I inserted the column '% Complete' and then the progress line. Now my boss has a problem with the layout and I don't know h

  • Download acrobat is in windows formant, how to get the mac ver?

    hi, im hopping that someone in here will tell me how to get the acrobat 9 for the mac, the trial verison. All I see is windows format. Please help me.

  • How many situation will Aggregate Error occurs in Content Services?

    Hi while uploading files into content services its giving Aggregare error ? but no category, have the full access and no exceeds to library quota? how many situalltion will aggregate error occurs in content services while uploading? how can i resolve

  • Fatrat: Missing libgloox.so

    Hi! After the last update the libgloox.so is missing. I cantt find any similar in the repost or in AUR, and I can't find anything in Google, except gloox, which is installed. This occurs when I try to start fatrat. fatrat: error while loading shared