Lost my Certificate for 802.x authentication
Somehow my Active Directory setting for my certificate is missing. I had a vendor install this originally and I thought it was on the Radius server somewhere, but it is nowhere to be found. I know that because computers that don't have it tell me it is missing and they can't authenticate. If I create another cert on the same Radius server, will it match the original, or do I have to basically install a whole new one and push that out, etc.? I am using the self-signed one out of the Windows Resource Kit as per the Ultimate Guide to Wireless on TechRepublic.
thanks
Gary
You can regenerate a cert for the user on AD and push it via a GPO. I don't have the procedure at hand, but that should be easily documented on the Microsoft side. The Radius server will have no role in this.
Similar Messages
-
Why Unable to identify a user for 802.1X authentication (0x50001)?
Hello,
We are trying to set up WiFi single sign-on. When logging on to a laptop I get a message
"Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users", and after that we are logged in to the laptop and successfully connected to the Pivot_Users WiFi network.
Server: windows server 2003 (with all updates)
laptop: windows 7 professional SP1 (with all updates)
When looking in the event log I found this error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2012-10-10 10:38:01
Event ID: 5632
Task Category: Other Logon/Logoff Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: sba01-nb
Description:
A request was made to authenticate to a wireless network.
Subject:
Security ID:
Account Name: -
Account Domain: -
Logon ID: 0x0
Network Information:
Name (SSID): Pivot_Users
Interface GUID: {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
Local MAC Address: C4:85:08:12:77:44
Peer MAC Address: 00:24:97:83:8E:61
Additional Information:
Reason Code: Unable to identify a user for 802.1X authentication (0x50001)
Error Code: 0x525
EAP Reason Code: 0x0
EAP Root Cause String:
EAP Error Code: 0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5632</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
<EventRecordID>37791</EventRecordID>
<Correlation />
<Execution ProcessID="760" ThreadID="2224" />
<Channel>Security</Channel>
<Computer>sba01-nb</Computer>
<Security />
</System>
<EventData>
<Data Name="SSID">Pivot_Users</Data>
<Data Name="Identity">
</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="PeerMac">00:24:97:83:8E:61</Data>
<Data Name="LocalMac">C4:85:08:12:77:44</Data>
<Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
<Data Name="ReasonCode">0x50001</Data>
<Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
<Data Name="ErrorCode">0x525</Data>
<Data Name="EAPReasonCode">0x0</Data>
<Data Name="EapRootCauseString">
</Data>
<Data Name="EAPErrorCode">0x0</Data>
</EventData>
</Event>
Thank you for answer and help.
Regards,
Tadas
Hi,
Thanks for your post.
Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
Here is the process that is followed.
1. As soon as the client is connected to the network, the Authenticator (switch) periodically sends an EAP request packet/frame to the client/supplicant.
2. The client has to respond with an identity, and if it's configured only for user authentication then it will send a blank identity.
3. The Authenticator cannot validate it and the authentication fails.
4. The Windows client is configured for a block time of 20 min. So, once the authentication fails, the NIC will go into block time for 20 min until there is a change in credentials. So, even if the authenticator (switch) is periodically sending EAP requests, it will just ignore them.
5. You will see event 15506 after the event 15514.
Here's the TechNet article we can refer to for the reason code 0x50001 that we see in event 15514:
http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
0x50001 = 327681 decimal
Reason code: 327681. Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to "User" but no user is logged on.] Definition name: ONEX_UNABLE_TO_IDENTIFY_USER
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
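The explanation above (blank identity, reason code 0x50001 = 327681, ONEX_UNABLE_TO_IDENTIFY_USER) can be turned into a check that runs over exported event 5632 XML. This is an added example, not code from the thread or from Microsoft; it assumes the standard Windows event XML root element, which the post's excerpt lost, and the sample event below is constructed from the values quoted in the post.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace (the <Event> root that the post's excerpt dropped).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Keywords bit that marks an Audit Failure event in the Security log.
AUDIT_FAILURE_BIT = 0x0010000000000000

# OneX reason codes discussed above; 0x50001 is the "user-only auth, nobody logged on" case.
ONEX_REASON_NAMES = {
    0x50001: "ONEX_UNABLE_TO_IDENTIFY_USER",
}

# Constructed sample: a trimmed event 5632 built from the values in the post.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5632</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <Computer>sba01-nb</Computer>
  </System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity"></Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="ReasonCode">0x50001</Data>
    <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
    <Data Name="ErrorCode">0x525</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Extract the fields of a 5632 event that matter for diagnosing the failure."""
    root = ET.fromstring(xml_text)
    sysnode = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    keywords = int(sysnode.findtext("e:Keywords", "0", NS), 16)
    return {
        "event_id": int(sysnode.findtext("e:EventID", "0", NS)),
        "computer": sysnode.findtext("e:Computer", "", NS),
        "audit_failure": bool(keywords & AUDIT_FAILURE_BIT),
        "ssid": data.get("SSID", ""),
        "identity": data.get("Identity", ""),
        "reason_code": int(data.get("ReasonCode", "0"), 16),
        "error_code": int(data.get("ErrorCode", "0"), 16),  # 0x525 = 1317 = ERROR_NO_SUCH_USER
    }


def classify(ev):
    """Return a one-line diagnosis for a failed 5632 event, or None if the event is not one."""
    if ev["event_id"] != 5632 or not ev["audit_failure"]:
        return None
    name = ONEX_REASON_NAMES.get(ev["reason_code"])
    if name == "ONEX_UNABLE_TO_IDENTIFY_USER" and ev["identity"] == "":
        return ("supplicant sent a blank identity (reason %d / 0x%X, %s): expected when "
                "802.1X is set to user-only authentication and no user is logged on yet"
                % (ev["reason_code"], ev["reason_code"], name))
    return "802.1X failure on SSID %s, reason 0x%X" % (ev["ssid"], ev["reason_code"])


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT_XML)
    print(event["computer"], "->", classify(event))
```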
Authentication Properties button not functional for 802.1x authentication
With version 4.52 for Windows XP, Build 7TCX26WW of ThinkVantage Access Connections, the 'Authentication Properties' button doesn't work for 802.1x for Ethernet. Has anyone else been experiencing this? Had to work-around by using the Windows Network Connections properties pages for the Ethernet device. Would be nice to have this utility working fully. Found it useful for someone who shifts from one work environment to another.
Thanks in advance.
Hi
Welcome To Lenovo Community
We are really sorry to hear about the issue you are facing,
Please try uninstalling the Access Connection
Restart the unit, download and install Access Connection from below link
http://support.lenovo.com/en_IN/downloads/detail.page?DocID=DS013683
Do give this a try and let us know
Hope This Helps
Cheers!!!
-
ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP
Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
I have come up with a bunch of incompatibilities in the offered support, e.g.:
1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
2. Cisco supports PEAP and, inside it, MSCHAP2 or EAP-GTC.
We tried using the RSA-provided EAP client, both the EAP security and EAP-OTP options, within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
I know it works with third party EAP software like the Juniper Odyssey client and the Cisco Aegis client, but we need to make it work with the native Windows XP EAP client.
Hi,
We have tried to do the exact same setup as you and we also failed.
When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
A list of EAP protocols supported by the RSA is attached.
Also below is the link which says MS-PEAP is NOT supported with the RSA; please check the table "EAP Authentication Protocol and User Database Compatibility":
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy. -
Alternatives to MS workstation authentication certificates for 802.1x?
I found out recently the hard way that the Certificate Authority bundled with Windows Server 2008 won't load the 'workstation authentication' certificate template. (You need 2008 Enterprise/Datacentre or 2008 R2, or any edition of 2008 R2).
Does anyone know of alternative ways of authenticating a device using 802.1x?
thanks,
David.
Hi Kirbus,
we opened a TAC case and were advised for now to make the following changes:
1. please make sure to disable Aironet extensions (if present) , on the WLAN advanced configuration
2. disable management frame protection (MFP) signature generation (if present) , MFP also on the WLAN advanced configuration
3. on the WLC general configuration , can you please disable aggressive load balancing
4. on the security tab on the WLC , please wireless protection policies > disable client exclusion policies
5. on the AP network configuration please disable short preamble; the original standard was long preambles
6. Wireless -> disable auto-RRM channel & power assignment & try "on demand"
7. apply these modification on the WLC CLI
Config advanced eap identity-request-timeout 20
Config advanced eap identity-request-retries 10
Config advanced eap request-timeout 20
Config advanced eap request-retries 10
Save config, and see if you still face the problem.
We are still monitoring the solution, but until now we didn't face the problem again.
Let me know how it goes for you.
Thank you.
Best regards, -
Creating a certificate for 802.1x wireless access....
I know this is a complicated issue. We are trying to setup 802.1x access to our corporate WiFi using computer identity with certificates.
The video provided by Apple here: http://www.apple.com/education/resources/information-technology.html#authentication_on_mac at the 3:04 mark the instructors talk about importing a computer identity certificate into the keychain but don't mention how it's generated in the first place.
This is where we are stuck.
When we think about generating the proper certificate and click on Configure under Authentication with TLS checked we get the following:
No Certificates Found...
We are using a Microsoft Windows Server 2008 Certificate Authority server as our in house certificate server.
Any help would be greatly appreciated. Thanks in advance!
-Paul
Step 1a. Create Wirelesscert.mobleconfig with the following, changing the defaults to match your needs.
The "CertTemplate" key must match the name of the cert template on the server.
You can use the same machine cert template as the PCs. The UUIDs are done in the next step.
For the CertServer key use http or https depending on your cert server config.
Generic config file, sort of:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>CertServer</key>
<string>https://Server.domain.name/certsrv</string>
<key>CertTemplate</key>
<string>Your_Computer_template_name</string>
<key>PayloadDisplayName</key>
<string>Enter_your_name_fort_the_policy</string>
<key>PayloadIdentifier</key>
<string>Create_payload_ident</string>
<key>PayloadType</key>
<string>com.apple.ADCertificate.managed</string>
<key>PayloadUUID</key>
<string>Change-me-to-a-new-UUID</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>deleted</key>
<false/>
</dict>
</array>
<key>PayloadDescription</key>
<string>Enter_Description_here</string>
<key>PayloadDisplayName</key>
<string>Enter_Display_name</string>
<key>PayloadIdentifier</key>
<string>Enter_paylode_name</string>
<key>PayloadOrganization</key>
<string>Enter_paylode_orgname</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>SystemConfiguration</string>
<key>PayloadUUID</key>
<string>Change-me-to-a-new-UUID</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
Step 1b. Create two UUIDs in the Mac command shell and paste them into the file, replacing Change-me-to-a-new-UUID with two different UUIDs.
The command is "uuidgen". You must run uuidgen once for each number. Paste the resulting numbers into Wirelesscert.mobleconfig.
This must be done for every computer you install the policy on so that they are unique to that computer.
Do these steps in a local machine admin account not logged into the domain.
Step 2. In Lion 7.2 (only), turn off the cert checking to prevent an endless loop (a known bug, should be fixed in an update):
a. Open Keychain Access
b. Click on Keychain Access in the Apple tool bar
c. Select Preferences
d. Select the Certificates tab
e. Turn off OCSP and CRL (this can be turned back on after you get the cert from AD)
Step 3. Connect using Safari to your Microsoft AD certificate server and trust the locally self-signed cert
Step 4. Copy the cert in the keychain from user to system
Step 5. Open a shell for steps 6 and 7
Step 6. Type sudo kinit -k (machinenamelowercase)$ (the dollar sign is appended to the computer name)
Step 7. Type klist -l and verify that a Kerberos ticket is listed under the machine name
Step 8. Double-click on the file Wirelesscert.mobleconfig to import the profile and create the certificate
Step 9. Verify in the keychain that you have a system certificate
In the network wireless settings, click Join on the SSID:
Mode is EAP-TLS
Identity: X509 Certificate (the one just created)
Username: host/(Your_Macs_Fully_qualified_name)
I hope this helps. I now have a cert from AD on the machine and I think when it expires the plugin will renew.
Read the Original document this is based on at http://support.apple.com/kb/HT4784
I just need to figure out how to set a policy that uses the Cert on the machine
Message was edited by: daveBoxElderSD -
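Steps 1a and 1b above (fill in the profile, then run uuidgen twice and paste two distinct UUIDs) can be done in one script. This is an added example, not from the post or from Apple's documentation: it builds the same com.apple.ADCertificate.managed payload with plistlib, generates both UUIDs with Python's uuid module instead of uuidgen, and checks the profile for the mistakes the post warns about before it is written out. The server, template and identifier values are constructed placeholders.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# Values left over from the template in the post that must not reach a real profile.
PLACEHOLDERS = {"Change-me-to-a-new-UUID", "Your_Computer_template_name"}


def new_uuid():
    # Same shape uuidgen prints on a Mac: uppercase, hyphenated.
    return str(uuid.uuid4()).upper()


def build_ad_cert_profile(cert_server, cert_template, display_name, identifier, org):
    """Build the profile structure from the post with two fresh, distinct UUIDs."""
    return {
        "PayloadContent": [{
            "CertServer": cert_server,           # http or https, to match the CA web enrollment
            "CertTemplate": cert_template,       # must equal the template name on the AD CA
            "PayloadDisplayName": display_name,
            "PayloadIdentifier": identifier + ".adcert",
            "PayloadType": "com.apple.ADCertificate.managed",
            "PayloadUUID": new_uuid(),           # first uuidgen
            "PayloadVersion": 1,
            "deleted": False,                    # kept as in the post
        }],
        "PayloadDescription": "Request a computer certificate from the AD CA",
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": False,
        "PayloadType": "SystemConfiguration",   # top-level type as used in the post
        "PayloadUUID": new_uuid(),               # second uuidgen, must differ from the first
        "PayloadVersion": 1,
    }


def check_profile(profile):
    """Return a list of problems; an empty list means the profile passes the post's rules."""
    problems = []
    payload = profile["PayloadContent"][0]
    uuids = [profile["PayloadUUID"], payload["PayloadUUID"]]
    for u in uuids:
        try:
            uuid.UUID(u)
        except ValueError:
            problems.append("PayloadUUID is not a UUID: %r" % u)
    if len(set(uuids)) != len(uuids):
        problems.append("profile and payload UUIDs must differ")
    if not payload["CertTemplate"] or payload["CertTemplate"] in PLACEHOLDERS:
        problems.append("CertTemplate is still a placeholder")
    if urlparse(payload["CertServer"]).scheme not in ("http", "https"):
        problems.append("CertServer must be an http or https URL")
    return problems


def to_mobileconfig(profile):
    """Serialise to XML plist bytes, ready to be written as the .mobileconfig file."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    return plistlib.loads(data)


if __name__ == "__main__":
    prof = build_ad_cert_profile("https://ca.example.test/certsrv", "Workstation",
                                 "Wireless cert", "test.wireless", "Example Org")
    print(check_profile(prof) or "profile OK")
    print(to_mobileconfig(prof).decode())
```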
Always prompted for "802.1X Authentication" user name and password
Hi,
Just had the logic board replaced in my Macbook Pro, but that's an different story...
The most recent side effect of this is that I am always prompted for my password/user name when I connect to the wireless network at work.
Obviously, I enter the name and password. However, I didn't used to have to do this. In other words, it's not being saved.
Any suggestions on what I can do so it's saved again?
The Network preference panel reports:
Authenticated via PEAP (Inner Protocol:GTC)
The 802.1X pane shows I have 1 'User Profiles':
WPA:<network>
Which has:
my name
a password
Authentications enabled:
PEAP
TTLS
EAP-FAST
Hi,
it might have something to do with your logic board exchange. Your MAC address (Media Access Control, Ethernet-ID, AirPort-ID, Hardware Address or what you want to call it) has changed. Every network interface has a distinct address which looks like that: 01:23:45:ab:cd:ef
I would ask your company's admin first if it has something to do with you having a new MAC address.
Alternatively you could try to remove the wlan from Sys Prefs/Network/AirPort/Options/Preferred Networks. Also remove any saved passwords of this network from your keychain and then try adding it again with the remember-checkbox on.
Björn -
Setting up FreeRADIUS and eDirectory for 802.1X Authentication
Not sure how many people know about this, but I sure didn't. Novell
actually has a TID on how to set all of this up. Just thought I share this
with you guys. Might just help someone out there.
http://www.novell.com/support/php/se...200%2083136239
-
Cisco ISE 1.3 using 802.1x Authentication for wireless clients
Hi,
I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
MACHINE AUTHENTICATION
match
framed
Wireless
AD group (machine)
USER AUTHENTICATION
match
framed
Wireless
AD group (USER)
was authenticated = true
Below are steps taken to authenticate any ideas would be great.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24315 Single matching account found in domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
24432 Looking up user in Active Directory - xxx\zzz Support
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected because your machine was not authenticated prior to this connection.
The first thing to check is whether MAR has been enabled on the identity source. The second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at, but I'd do those two first.
Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentication page and we can go from there. -
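The reasoning in the reply above (user auth passed, but 24423 means no prior machine auth was on record, so the "was authenticated = true" rule cannot match and the Default rule's DenyAccess profile wins) can be applied mechanically to an ISE live-log step list. This is an added example, not from the thread or from Cisco; the step codes and their meanings are taken only from the log quoted in the post, and the sample is a constructed, condensed subset of that log.

```python
import re

# Constructed sample: a condensed subset of the ISE steps quoted in the post above.
SAMPLE_ISE_STEPS = r"""
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15006 Matched Default Rule
12318 Successfully negotiated PEAP version 0
12816 TLS handshake succeeded
12313 PEAP inner method started
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11814 Inner EAP-MSCHAP authentication succeeded
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - xxx\zzz Support
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
"""

# Each ISE step is "<code> <message>".
STEP_RE = re.compile(r"^\s*(\d{4,5})\s+(.*)$")

# Codes as they appear in the posted log.
AUTH_PASSED = 22037
MACHINE_AUTH_UNCONFIRMED = 24423
AUTHZ_PROFILE_SELECTED = 15016
AUTHZ_RULE_MATCHED = 15004
ACCESS_REJECT = 11003


def parse_steps(text):
    """Turn the live-log text into a list of (code, message) tuples, skipping non-step lines."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2).strip()))
    return steps


def diagnose(steps):
    """Summarise the session: did the user pass, was machine auth on record, what did authz pick."""
    codes = [code for code, _ in steps]
    authz_rule = authz_profile = None
    for code, msg in steps:
        if code == AUTHZ_RULE_MATCHED and " - " in msg:
            authz_rule = msg.split(" - ", 1)[1]
        elif code == AUTHZ_PROFILE_SELECTED and " - " in msg:
            authz_profile = msg.split(" - ", 1)[1]
    result = {
        "user_auth_passed": AUTH_PASSED in codes,
        "machine_auth_unconfirmed": MACHINE_AUTH_UNCONFIRMED in codes,
        "authz_rule": authz_rule,
        "authz_profile": authz_profile,
        "rejected": ACCESS_REJECT in codes,
    }
    # The pattern from the post: credentials were fine, but the machine-auth
    # condition could not be satisfied, so authorization fell through to Default.
    if result["user_auth_passed"] and result["machine_auth_unconfirmed"] and result["rejected"]:
        result["verdict"] = "machine_auth_missing"
    elif result["rejected"]:
        result["verdict"] = "rejected_other"
    else:
        result["verdict"] = "not_rejected"
    return result


if __name__ == "__main__":
    print(diagnose(parse_steps(SAMPLE_ISE_STEPS)))
```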
Cisco ISE and authentication for 802.1x printer
Hello
What is the best practice to authenticate a 802.1x printer in Cisco ISE?
The printer can store a certificate for authentication and support EAP-TLS.
Thanks for answer.
Marco
EAP-TLS is the way to go. It is way, way, way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If you have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling, but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server, and/or open access to all IPs but only on the printing ports?
I hope this puts you in the right direction!
Thank you for rating helpful posts! -
802.1x Authentication for University Network Fails After 10.5.5 Update
Hi everyone, I hope that someone might be able to help me with my problem. I used to connect to the internet through my university's network at my dorm using the ethernet connection. Even before when I was using 10.5.4 I had to do the 802.1x authentication manually after every boot.
Now that I updated to 10.5.5, every time I try to connect it tells me "802.1x Authentication has failed". Does anyone have similar problems, solutions??? This is everything the IT department's homepage has to offer: http://www.unibz.it/ict/8021x_mac1/index.html?LanguageID=EN&
Thanks a lot!
Btw, it seems the update somehow messed up Time Machine as well, but that doesn't bother me as much as the internet connection.
Hi,
You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
They should be able to provide you with a file for the CA and instructions.
cheers -
SCCM 2012 - 802.1x authentication for zero touch installation
Hi guys,
I'm setting up a demo environment for SCCM 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need an 802.1x integration into the WinPE image so that clients can access the install VLAN instead of the guest VLAN during the zero-touch Windows 7 OS install process.
What I did before:
- mount the SCCM modified WinPE image (boot.XXX99999.wim)
- integration of the KB972831 hotfix into the WinPE
- creation of a lan profile and eap profile file
- copy both files into the mounted image
- creation of new wim file
I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
net start dot3svc
=> The Wired AutoConfig service was started successfully
netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
=> The profile was added successfully on the interface Local Area connection
netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
=> Error setting user data for interface Local Area Connection. The operation is not supported.
Actually I can't post web links here. If the files are needed I can send them per mail.
What can I do to solve this problem?
Thanks!
Regards
Bastian
Hi!
Did you take a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
I've followed those steps and it worked as a charm, even for WinPE 4.0.
If you have questions let me know.
Cheers. -
Use smart card for 802.1x secured WiFi authentication
Hi,
is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
I have set up a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured WiFi access (802.1x). Everything works fine as long as the user certificate is stored in the local certificate store of the user's client computer: the user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly and granted access.
To test this scenario with a smart card (Safenet USB token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local certificate store as soon as the token has been plugged in (checked via the MMC Certificates snap-in). But the certificate obviously can't be used for the desired WiFi authentication: if I try to connect to the secured WiFi (the same as in scenario 1) the connection fails.
As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for the failure in scenario 2 must lie somewhere in either the local client computer configuration or the Safenet software on the client computer.
I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
Thanks + Best Regards
Matt
Hi,
I found some links from the TechNet site which can be helpful in this case:
Network access authentication and certificates
http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
Enable smart card or other certificate authentication
http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
Quote:
Client certificate requirements
With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
Yolanda Zhu
TechNet Community Support -
802.1x authentication for win XP2 client
HI,
I am using an Aironet 1200 AP and ACS 3.3 with 802.1x authentication. When I enable the Windows XP utility instead of the Cisco ACU, it waits for certificate credentials.
I installed a CA authority on a Windows 2000 server, but I am unable to access the wireless network with 802.1x authentication.
Please help with the required configuration of the CA role on the server side and the client side.
-
OS X keeps asking for System keychain password in order to do 802.1X authentication
In order to join a corporate WLAN that uses WPA2 with 802.1X / EAP-TLS, I added the company's root certificate to the System keychain and set the trust level to always trust this certificate. I then added the client certificate that was issued for my computer. I set the trust level to always trust this certificate as well. Finally, I added the WLAN network, choosing Security: WPA2 Enterprise, Mode: EAP-TLS, Identity: the newly added client certificate, and username: the domain name of my computer. This setup works - I can connect to the WLAN network.
My problem is that the system always asks me for the System keychain password before the WLAN connection can be established. This seems to be during the 802.1X authentication phase. What do I need to change so that this is not required? Or how can I at least find out which System keychain item it is that cannot be accessed without the password?
I'm using a MacBook Pro with OS X 10.10.1, but I also had the problem back on 10.9.
If I remember correctly it started when I received a new client certificate in the summer. But I am not able to say what I might have done differently with the old certificate so that the password was not required back then.
I'm having the same problem at home. I had problems with my keychain before, because I deleted the system keychain. I recently learned how to replace it, which worked. However, my computer is not remembering the password to my home wireless connection. Even when I put the computer to sleep and wake it, it becomes disconnected and never automatically reconnects. I have to again select my network and then re-enter the password, every time. How do I fix this?