Migrating EAP-MSCHPv2 to EAP-TLS

Hi
I have a customer who has deployed ACS for 802.1x against active directory for their wired Cisco switch infrastructure using EAP-MSCHAPv2. Now they would like to change to EAP-TLS but if they just switch the client PCs would be locked out and could get a certificate pushed out to them from AD.
Can ACS be set to allow both autentication methods during the migration phase ? I know it supports negotiation of the EAP type but its a while since I played with ACS and dont have one to hand to try it with.
Thanks

By default ACS has peap and eap-tls authentication enabled and is part of the proposed eap types. Just remember that the certificate will have to uploaded to the ACS trusted certificate store, and once you configure the certificate authentication profile, you can map that into a Identity Sequence store, so that ACS will check the cert, and if one isnt provided it can fall back to password authenticate against AD.
Thanks,
Tarik Admani
*Please rate helpful posts*

Similar Messages

ISE EAP-FAST chaining EAP-TLS inner method - authorizing against AD

Just a question surrounding EAP-FAST chaining (EAP-TLS inner) and the ability to authorize the username in the CN field of the certificate against AD. As an example for standard EAP-TLS I am able to specifiy that the username should be in a specific AD group. WIth EAP-FAST I seem unable to get the same functionality working - I suspect it is using the combined Chained username to poll with. Any advice would be much appreciated as I would like to differentiate users in different groups whilst retaining the EAP-TLS inner method.

I have found the answer to my own question. In short my issues came down to the way that Microsoft populates the certificate subject fields in particular user certificates and the CN field.
In my deployment I am using a single SSID with the following protocols:
EAP-FAST (EAP-TLS inner) - Certs deployed via AD GPO
EAP-TLS Machine Certs - Certs deploted via AD GPO
EAP-TLS User Certs - Certs deployed via ISE and SCEP (utilising PEAP to auth the user)
EAP-PEAP for Guest and onboarding purposes (no guest portal or MAB - not using the guest portal and CWA is awesome in my opinion).
My certificate profile, created in ISE, utilised the CN field in the subject for principle username. This configuration works fine for machine certs and user certifcates generated via ISE as the CN field is acceptable for matching against AD. The problem however is that the user certs issued by AD GPO etc utilise the AD CN which as I understand cannot be used to ascertain group membership in AD.
The solution seemed obvious - create a new cert profile that utilises the SAN field of the certifcate which is populated with "other name" attributes that can be matched against AD groups. The problem however is that my authentication policy for EAP protocols only allows the selection of one cert profile.... By using the SAN cert profile my EAP-TLS authentications broke but allowed successful auth of the EAP-FAST clients - not a good result.
I figured that the a failure to match the first authentication policy (based on not matching allowed protocol) would then carry on to the next authentication policy allowing me to specifiy a different cert profile - again no dice as the first policy is matched on the wireless 802.1x condition but EAP-FAST protocol was not specified as an allowed protocol and it fails.
The way around this was, lucky in my mind, basically I now match wireless 802.1x condition and Network Access Type:EAP-Chaining which allows me to specify the SAN cert profile for EAP-FAST connections. EAP-TLS obviously does not match the first authentication policy at all as it is not chaining. The subsequent policy is matched for EAP-TLS which specifies the CN cert profile.
I know this explantion is long winded and perhaps obvious to some so for that I apologise. For those of you who are undertaking this and run into the same drama I hope it helps. Feel free to contact me for more information or clarification as this explanation is a mouthful to say the least.

EAP-PEAP and EAP-TLS on same switched network

Hello,
I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will the there.
The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
Thanks,
Guy

You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
Good Luck,
--Jean Paul

Cisco ISE - eap-peap and eap-tls

Hi,
Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
If peap use this identity source, if tls use 'this certificate authentication profile'.
Thx

OK,
so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
The authentication policy was allowing EAP-TLS & EAP-PEAP.
I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
Hope that helps.
Mario

EAP Chaining with Machine TLS and User PEAP

We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
Thanks a lot.

http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

Authorization rule for EAP-FAST (inner EAP-TLS)

We have an ISE deployment where we are looking to use EAP-FAST as our authentication method with EAP-TLS as the inner method. We are checking both machine and user certificate. We initally had the following condition in our AuthZ rule -> EapChainingResult = User and machine both succeeded, however we found that intially machine succeeds and the user doesnt succeed until after windows login. If we change the condition to EapTunnelType = EAPFAST then it works fine, logs show that while initially user fails and machine succeeds, after login to windows shell then both user and machine succeded log message is visible. My preference would be to get it working with the first condition as it is a more valid check but it doesnt work due to the initial failure, anyone else got EAP-FAST (EAP-TLS) working.
Regards

I have it running at a customer, and as you discovered only machine auth succeeds initially, this is because the user store where the users certificate is not opened until they have logged ind, this is working as intended.
What you can do is to have two different authz rules, one for eapchainingresult=machine succeded and user failed, and another one for when both succeed. This way you can give granular access by using another ACL for the machine, so the machine doesn't get full access to the network before a user has logged in.

802.1x/EAP-TTLS and EAP Certificate Policies

Hello,
I am having a hard time with 802.1x authentication against a radius server I manage. Every time I try to connect, I get a pop up about certificate verification - the certificate cannot be verified because there are no explicit trust settings. This system is to be used to authenticate people on a wireless network we are setting up. The machines and people being authenticated are not managed - I do not have the ability to force a configuration on their computer.
After researching this it looks like OS X has certificate policies that are consulted depending on the certificate operation requested. For 802.1x, I think the EAP certificate policy and the x.509 basic policy are consulted. These policies are outlined here.
The problem is that when I get the certificate popup and hit 'View Certificate', I don't see anything that would explain why it is not being verified. Both the server certificate and the CA root certificate are listed as valid. There are no messages about insufficient extended key usage values or hostname mismatches or anything. How can I tell what is actually wrong?

I was hoping this could be accomplished without having to change the trust settings from whatever the default is. The people who will ultimately be using this are students and staff at a University - a moderate number of which are bothered by any appearance of lower security.
The root cert is in X509Anchors. The certificate CN is the IP address and the RADIUS server does not have a PTR record in the DNS server.
If I point Firefox at a website set up on the same machine with the same certificate, there are no complaints. If I use Safari, there is an error about the names not matching but the name listed on the cert according to Safari is the same name I typed in the address field and the same name listed in the ServerName configuration of the web server.
Just kind of a weird problem.

EAP-TLS authentication failure

We've been struggling with this problem for weeks without a solution yet. Maybe someone can help us.
Note: some information below has been redacted and the IP addresses are not the original ones. They have been changed to fictional IP addresses but they have been adjusted to reflect an equivalent situation.
This situation is as follows:
WLAN infrastructure with:
1 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-WLC2112-K9 (IP address = 10.10.10.10)
8 x
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-bidi-font-family:"Times New Roman";
mso-bidi-theme-font:minor-bidi;}
AIR-LAP1142N-E-K9
Data for the WLC:
Product Version.................................. 6.0.199.4
RTOS Version..................................... 6.0.199.4
Bootloader Version.............................. 4.0.191.0
Emergency Image Version................... 6.0.199.4
The WLC is connected to a switch, Cisco Catalyst model WS-C3750X-24, sw version 12.2(53)SE2.
The idea is to have the clients/supplicants (Windows XP), who have a valid certificate, authenticate against a RADIUS server. The authentication is configured as 802.1x over EAP-TLS.
The RADIUS server is a Windows 2003 Server with IAS (IP address = 15.15.15.15). This server is accessed via a WAN link. We don't manage this server.
The problem: no wireless client (Windows XP) is able to go past the initial authentication.
I should add that the WLC and the APs were working perfectly and clients were connecting correctly to them. However this setup was moved to a new building and, since then, nothing has worked. I must add that the configuration on the WLC and APs has not changed, since the network configuration (IP subnets, etc) was migrated from the previous building to this new one. But something has changed: the WAN router (connected to the Internet and with a VPN established to the corporate network) and the LAN equipment (switches), which are all brand new.
On the RADIUS side we find these error messages:
Fully-Qualified-User-Name = XXXXXXXXXXXX/XXXX/XXXXX/XXXX/XXXXX (it shows the correct information)
NAS-IP-Address = 10.10.10.10
NAS-Identifier = XX-002_WLAN
Called-Station-Identifier = f0-25-72-70-65-xx:WLAN-XX
Calling-Station-Identifier = 00-1c-bf-7b-08-xx
Client-Friendly-Name = xxxxxxx_10.10.10.10
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
On the WLC side, the error messages are:
TRAP log:
RADIUS server 15.15.15.15:1812 failed to respond to request (ID 42) for client 00:27:10:a3:1b:xx / user 'unknown'
SYSLOG:
Jan 06 10:16:35 10.10.10.10 XX-002_WLAN: *Jan 06 10:16:32.709: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.960: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:05 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:02.961: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-ABORT_AUTH: 1x_bauth_sm.c:447 Authentication aborted for client 00:19:d2:02:76:xx
Jan 06 10:17:36 10.10.10.10 PT-002_WLAN: *Jan 06 10:17:34.110: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:2872 Max EAP identity request retries (3) exceeded for client 00:19:d2:02:76:xx
WLC Debug:
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Station 58:94:6b:15:f5:d0 setting dot1x reauth timeout = 1800
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 1)
*Jan 07 19:31:42.708: 58:94:6b:15:f5:d0 Received EAPOL START from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Connecting state
*Jan 07 19:31:42.709: 58:94:6b:15:f5:d0 Sending EAP-Request/Identity to mobile 58:94:6b:15:f5:d0 (EAP Id 2)
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.710: 58:94:6b:15:f5:d0 Received EAP Response packet with mismatching id (currentid=2, eapid=1) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Received Identity Response (count=2) from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 EAP State update from Connecting to Authenticating for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 dot1x - moving mobile 58:94:6b:15:f5:d0 into Authenticating state
*Jan 07 19:31:42.711: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.711: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.711:     Callback.....................................0x87e1870
*Jan 07 19:31:42.712:     protocolType.................................0x00140001
*Jan 07 19:31:42.712:     proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.712:     Packet contains 12 AVPs (not shown)
*Jan 07 19:31:42.712: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.712: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 231) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Access-Challenge received from RADIUS server 15.15.15.15 for mobile 58:94:6b:15:f5:d0 receiveId = 155
*Jan 07 19:31:42.788: AuthorizationResponse: 0xa345700
*Jan 07 19:31:42.788:     structureSize................................145
*Jan 07 19:31:42.788:     resultCode...................................255
*Jan 07 19:31:42.788:     protocolUsed.................................0x00000001
*Jan 07 19:31:42.788:     proxyState...................................58:94:6B:15:F5:D0-9B:00
*Jan 07 19:31:42.788:     Packet contains 4 AVPs (not shown)
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Processing Access-Challenge for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Entering Backend Auth Req state (id=3) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.788: 58:94:6b:15:f5:d0 Sending EAP Request from AAA to mobile 58:94:6b:15:f5:d0 (EAP Id 3)
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAPOL EAPPKT from mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.805: 58:94:6b:15:f5:d0 Received EAP Response from mobile 58:94:6b:15:f5:d0 (EAP Id 3, EAP Type 13)
*Jan 07 19:31:42.806: 58:94:6b:15:f5:d0 Entering Backend Auth Response state for mobile 58:94:6b:15:f5:d0
*Jan 07 19:31:42.806: AuthenticationRequest: 0xd1bc104
*Jan 07 19:31:42.806:     Callback.....................................0x87e1870
*Jan 07 19:31:42.806:     protocolType.................................0x00140001
*Jan 07 19:31:42.807:     proxyState...................................58:94:6B:15:F5:D0-9B:01
*Jan 07 19:31:42.807:     Packet contains 13 AVPs (not shown)
*Jan 07 19:31:42.807: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
*Jan 07 19:31:42.807: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:31:52.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00                               ..
*Jan 07 19:31:52.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.531: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 228) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:02.808: 58:94:6b:15:f5:d0 Successful transmission of Authentication Packet (id 232) to 15.15.15.15:1812, proxy state 58:94:6b:15:f5:d0-00:00
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 Max retransmission of Access-Request (id 228) to 15.15.15.15 reached for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.532: 58:94:6b:15:f5:d0 [Error] Client requested no retries for mobile 58:94:6B:15:F5:D0
*Jan 07 19:32:12.533: 58:94:6b:15:f5:d0 Returning AAA Error 'Timeout' (-5) for mobile 58:94:6b:15:f5:d0
*Jan 07 19:32:12.533: AuthorizationResponse: 0xb99ff864
Finally, we've also done some packet sniffing, using Wireshark and Commview. These appear to suggest that something is wrong with one of the packets and this leads to the authentication process to fail and restart again and again:
******************** WIRESHARK CAPTURE ********************
No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.10.10.10        15.15.15.15           RADIUS   Access-Request(1) (id=125, l=280)
Frame 1: 322 bytes on wire (2576 bits), 322 bytes captured (2576 bits)
Ethernet II, Src: Cisco_62:63:00 (f8:66:f2:62:63:00), Dst: Cisco_55:20:41 (1c:df:0f:55:20:41)
Internet Protocol, Src: 10.10.10.10 (10.10.10.10), Dst: 15.15.15.15 (15.15.15.15)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 308
    Identification: 0x501f (20511)
    Flags: 0x02 (Don't Fragment)
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x4aee [correct]
    Source: 10.10.10.10 (10.10.10.10)
    Destination: 15.15.15.15 (15.15.15.15)
User Datagram Protocol, Src Port: filenet-rpc (32769), Dst Port: radius (1812)
    Source port: filenet-rpc (32769)
    Destination port: radius (1812)
    Length: 288
    Checksum: 0xe8e0 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x7d (125)
    Length: 280
    Authenticator: 79b2f31c7e67d6fdaa7e15f362ecb025
    Attribute Value Pairs
        AVP: l=27 t=User-Name(1): XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
        AVP: l=19 t=Calling-Station-Id(31): 00-21-6a-29-80-xx
        AVP: l=27 t=Called-Station-Id(30): f0-25-72-70-65-c0:WLAN-XX
        AVP: l=6 t=NAS-Port(5): 2
        AVP: l=6 t=NAS-IP-Address(4): 10.10.10.10
        AVP: l=13 t=NAS-Identifier(32): XX-002_WLAN
        AVP: l=12 t=Vendor-Specific(26) v=Airespace(14179)
        AVP: l=6 t=Service-Type(6): Framed(2)
        AVP: l=6 t=Framed-MTU(12): 1300
        AVP: l=6 t=NAS-Port-Type(61): Wireless-802.11(19)
        AVP: l=89 t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 3
                Length: 87
                Type: EAP-TLS [RFC5216] [Aboba] (13)
                Flags(0x80): Length
                Length: 77
                Secure Socket Layer
        AVP: l=25 t=State(24): 1d68036a000001370001828b38990000000318a3088c00
        AVP: l=18 t=Message-Authenticator(80): 9fe1bfac02df3293ae2f8efc95de2d5d
No.     Time        Source                Destination           Protocol Info
      2 0.060373    15.15.15.15        10.10.10.10          IP       Fragmented IP protocol (proto=UDP 0x11, off=0, ID=2935) [Reassembled in #3]
Frame 2: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 44
    Identification: 0x2935 (10549)
    Flags: 0x01 (More Fragments)
    Fragment offset: 0
    Time to live: 122
    Protocol: UDP (17)
    Header checksum: 0x58e0 [correct]
    Source: 15.15.15.15 (15.15.15.15)
    Destination: 10.10.10.10 (10.10.10.10)
    Reassembled IP in frame: 3
Data (24 bytes)
0000 07 14 80 01 05 69 e8 f5 0b 7d 05 61 6c 83 00 ae   .....i...}.al...
0010 d0 75 05 c3 56 29 a7 b1                           .u..V)..
No.     Time        Source                Destination           Protocol Info
      3 0.060671    15.15.15.15        10.10.10.10          RADIUS   Access-challenge(11) (id=125, l=1377)
Frame 3: 1395 bytes on wire (11160 bits), 1395 bytes captured (11160 bits)
Ethernet II, Src: Cisco_55:20:41 (1c:df:0f:55:20:41), Dst: Cisco_62:63:00 (f8:66:f2:62:63:00)
Internet Protocol, Src: 15.15.15.15 (15.15.15.15), Dst: 10.10.10.10 (10.10.10.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1381
    Identification: 0x2935 (10549)
    Flags: 0x00
    Fragment offset: 24
    Time to live: 122
    Protocol: UDP (17)
    Header checksum: 0x73a4 [correct]
    Source: 15.15.15.15 (15.15.15.15)
    Destination: 10.10.10.10 (10.10.10.10)
    [IP Fragments (1385 bytes): #2(24), #3(1361)]
User Datagram Protocol, Src Port: radius (1812), Dst Port: filenet-rpc (32769)
    Source port: radius (1812)
    Destination port: filenet-rpc (32769)
    Length: 1385
    Checksum: 0xe8f5 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Radius Protocol
    Code: Access-challenge (11)
    Packet identifier: 0x7d (125)
    Length: 1377
    Authenticator: 6c8300aed07505c35629a7b14de483be
    Attribute Value Pairs
        AVP: l=6 t=Session-Timeout(27): 30
            Session-Timeout: 30
        AVP: l=255 t=EAP-Message(79) Segment[1]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[2]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[3]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[4]
            EAP fragment
        AVP: l=255 t=EAP-Message(79) Segment[5]
            EAP fragment
        AVP: l=33 t=EAP-Message(79) Last Segment[6]
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 4
                Length: 1296
                Type: EAP-TLS [RFC5216] [Aboba] (13)
                Flags(0xC0): Length More
                Length: 8184
                Secure Socket Layer
[Malformed Packet: SSL]
    [Expert Info (Error/Malformed): Malformed Packet (Exception occurred)]
        [Message: Malformed Packet (Exception occurred)]
        [Severity level: Error]
        [Group: Malformed]
******************** COMMVIEW CAPTURE ******************
Packet #6, Direction: Pass-through, Time:11:27:35,251292, Size: 323
Ethernet II
    Destination MAC: 1C:DF:0F:55:20:xx
    Source MAC: F8:66:F2:62:63:xx
    Ethertype: 0x0800 (2048) - IP
IP
    IP version: 0x04 (4)
    Header length: 0x05 (5) - 20 bytes
    Differentiated Services Field: 0x00 (0)
        Differentiated Services Code Point: 000000 - Default
        ECN-ECT: 0
        ECN-CE: 0
    Total length: 0x0135 (309)
    ID: 0x2B26 (11046)
    Flags
        Don't fragment bit: 1 - Don't fragment
        More fragments bit: 0 - Last fragment
    Fragment offset: 0x0000 (0)
    Time to live: 0x40 (64)
    Protocol: 0x11 (17) - UDP
    Checksum: 0x6FE6 (28646) - correct
    Source IP: 161.86.66.49
    Destination IP: 15.15.15.15
    IP Options: None
UDP
    Source port: 32769
    Destination port: 1812
    Length: 0x0121 (289)
    Checksum: 0x5824 (22564) - correct
Radius
    Code: 0x01 (1) - Access-Request
    Identifier: 0x8D (141)
    Packet Length: 0x0119 (281)
    Authenticator: 60 4E A6 58 A8 88 A2 33 4E 56 D0 E9 3B E0 62 18
    Attributes
        Attribute
            Type: 0x01 (1) - User-Name
            Length: 0x1A (26)
            Username: XXXXXXXXXXXXXXXXXXXXXXX (username is correct!!!)
        Attribute
            Type: 0x1F (31) - Calling-Station-Id
            Length: 0x11 (17)
            Calling id: 58-94-6b-15-5f-xx
        Attribute
            Type: 0x1E (30) - Called-Station-Id
            Length: 0x19 (25)
            Called id: f0-25-72-70-65-c0:WLAN-XX
        Attribute
            Type: 0x05 (5) - NAS-Port
            Length: 0x04 (4)
            Port: 0x00000002 (2)
        Attribute
            Type: 0x04 (4) - NAS-IP-Address
            Length: 0x04 (4)
            Address: 10.10.10.10
        Attribute
            Type: 0x20 (32) - NAS-Identifier
            Length: 0x0B (11)
            NAS identifier: XX-002_WLAN
        Attribute
            Type: 0x1A (26) - Vendor-Specific
            Length: 0x0A (10)
            Vendor id: 0x00003763 (14179)
            Vendor specific:
        Attribute
            Type: 0x06 (6) - Service-Type
            Length: 0x04 (4)
            Service type: 0x00000002 (2) - Framed
        Attribute
            Type: 0x0C (12) - Framed-MTU
            Length: 0x04 (4)
            Framed MTU: 0x00000514 (1300)
        Attribute
            Type: 0x3D (61) - NAS-Port-Type
            Length: 0x04 (4)
            NAS port type: 0x00000013 (19) - Wireless - IEEE 802.11
        Attribute
            Type: 0x4F (79) - EAP-Message
            Length: 0x57 (87)
            EAP-Message
        Attribute
            Type: 0x18 (24) - State
            Length: 0x17 (23)
            State: 1F 38 04 12 00 00 01 37 00 01 82 8B 38 99 00 00 00 03 18 A6 82 B7 00
        Attribute
            Type: 0x50 (80) - Message-Authenticator
            Length: 0x10 (16)
            Message-Authenticator: 4F 13 92 9C 10 29 C5 3A B9 AE 92 CA 74 11 6C B5
Packet #28, Direction: Pass-through, Time:11:27:36,523743, Size: 62
Ethernet II
    Destination MAC: F8:66:F2:62:63:xx
    Source MAC: 1C:DF:0F:55:20:xx
    Ethertype: 0x0800 (2048) - IP
IP
    IP version: 0x04 (4)
    Header length: 0x05 (5) - 20 bytes
    Differentiated Services Field: 0x00 (0)
        Differentiated Services Code Point: 000000 - Default
        ECN-ECT: 0
        ECN-CE: 0
    Total length: 0x002C (44)
    ID: 0x4896 (18582)
    Flags
        Don't fragment bit: 0 - May fragment
        More fragments bit: 1 - More fragments
    Fragment offset: 0x0000 (0)
    Time to live: 0x7A (122)
    Protocol: 0x11 (17) - UDP
    Checksum: 0x397F (14719) - correct
    Source IP: 15.15.15.15
    Destination IP: 10.10.10.10
    IP Options: None
UDP
    Source port: 1812
    Destination port: 32769
    Length: 0x0569 (1385)
    Checksum: 0x2FE4 (12260) - incorrect

Hi,
We spent many hours trying to solve this problem.
Our setup:
Cisco wireless setup, using windows NPS for 802.1x authentication.
Certificate base auth, with an internal PKI sending out client machine certs, and also the server cert.
Auth was failing with "reason code 22, The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server."
It turned out to be a GPO setting on the server, that was enforcing key protection.
There is this note on the below technet article:
Requiring the use of strong private key protection and user prompting on all new and imported keys will disable some applications, such as Encrypting File System (EFS) and wireless (802.1X) authentication that cannot display UI. For more information, see article 320828 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=115037).
http://technet.microsoft.com/en-us/library/cc725621(v=WS.10).aspx
Hopefully this helps someone out, if you have the same annoying error.

ACS 5.2 / WLC - EAP-TLS Certificate from 2 CA

Hello,
I'm Newbie with ACS equipment, i'm trying to implement it to secure our WIFI environment.
One wifi SSID is broadcasted on a site, I would like to authenticate WIFI client through machine certificate.
The big deal is that some client computer belong to an AD (AD1) and having its own CA1. Other client computer belong to another AD (AD2) also having its own CA (CA2). (With no relation or between the 2 CA)
So computer1 having machine certificate from CA1 and computer2 having machine certificate from CA2
I have imported the root certificate from the both CA into the "certificate authorities" store of the ACS.
I have generated certificate signing request, one for each CA. Then I have binding the CA signed certificate.
After configuring... the access services (identity, authorization...) and so on I have the following issue:
- Computer with certificate from the CA1 can connect without any problem.
- Computer with certificate from the CA2 can NOT connect:
     - After investigation: the client computer do not trust the server ACS and reject the connection
     - Error return :
RADIUS Status:Authentication failed 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
     - (If i get ridd of the option "verify server identity" on wifi optionof the client, the computer can conect: but this option is not acceptable)
     - It seems that the ACS sends only its certificate signed by the CA1
The questions are:
1- How can I configure the ACS to send the right certificate signed by the right CA corresponding to the computer that is intenting to authenticate
2- I could see in documentation:
    "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
     --> Does it mean that we can only configure one local certificate to allow the ACS to authenticate to client for all the EAP-TLS protocol used ?
     --> How can I choose it ?
     --> For the current configuration, I have only the certificate signed by the CA which is configure "EAP: Used for EAP protocols that use SSL/TLS tunneling" (i don't know if this option has an impact with the certificate presented by the ACS when it authenticate itself to the client")
Thanks for your helk and your information.
Guillaume

Hi Bastien,
it is actually what i did.
The point here i have 2 CA involved, with no relation between them.
So I did the operation twice for each CA :
-> making a certificate signing request, sent it to the CA, signed to by the CA and then imported/binded into the ACS
-> I have added the root CA of each CA into the ACS as well.
The point is when a computer, try to connect, it try to verify ACS server identity. And the ACS server only seems to present the certificate signed from CA1.
So when a computer with certificate machine CA2, try to connect, it doesn't trust the ACS server has the ACS sent its certificate signed by CA1.
I don't know how to allow the ACS to present the right signed certificated depending on the cleint that try to connect.
Then another conf I do not understand is the option:
EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local cetificate, when you add a local certificate to the ACS
I do not undestand what does this option stand for ?
Then I culd see into Cisco do :
    "For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
Doest it means that the ACS can use only one single certificate for All the TLS protocol configured in the ACS, to authenticate itself to the client?
Or does the ACS can use a diferent local certificate from each dedicated eap-tls protocol?
thx

WLC EAP-TLS

Hi,
My Wireless network consists of 8 WLC and 2 Cisco ACS 1113 with 4.2. I need to implement certificate authentication for Cisco Wireless Phone SSID. I tried PEAP along with certificate generated by Microsoft Cert Server, but the issue is the client can ignore the certificate and I believe only way to force is via Active Directory group policy.
So as my Cisco IP Phones are not joined to Active Directory I think the only option is to use EAP-TLS. For this I have the following Queries.
•1.     What will be the SSID security setting. ( I tried Layer 2 802.X with WEP 104bit encryption)
•2.     Do I need to install any certificate on WLC if yes which Certificate (Ex root, Client)
•3.     What Certificate should be installed on Client.
•4.     What should be the client PC security setting for EAP-TLS
I had gone through the following Docs for reference.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
https://supportforums.cisco.com/docs/DOC-24723
Thanks
Nibin

Dear Philip,
Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code
AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198
AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
Thanks
Nibin Rodrigues

EAP-TLS and ISE 1.1 with AD certificates

Hello,
I am trying to configure EAP-TLS authentication with AD certificates.
All ISE servers are joined to AD
I have the root certificate from the CA to Activie Directory installed on the ISE servers
I created the certificate authentication profile using the root certificate
I have PEAP\EAP-TLS enabled as my allowed protocol
I am getting the following error for authentication:
"11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12814 Prepared TLS Alert message
12817 TLS handshake failed
12309 PEAP handshake failed"
I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
Any other issues I am missing?
Thanks,
Michael Wynston
Senior Solutions Architect
CCIE# 5449
Email: [email protected]
Phone: (212)401-5059
Cell: (908)413-5813
AOL IM: cw2kman
E-Plus
http://www.eplus.com

Please review the below link which might be helpful :
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

EAP-TLS

I have been tasked to implement user certificate for mobile devices
The certificate works on my laptop but keeps failing on the S3 device.
has anyone successfully deployed this solution ?
03/25/2014
08:17:26
Authen failed
Theo-Android
Default Group
90-18-7c-66-0f-f6
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
(Cisco Controller) >*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: Mar 25 06:55:08.204: 38:aa:3c:d6:b0:cb Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Association received from mobile on AP 00:26:0a:ec:19:60
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying site-specific IPv6 override for station 38:aa:3c:d6:b0:cb - vapId 5, site 'default-group', interface 'secure_wifi-clients'
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb Applying IPv6 Interface Policy for station 38:aa:3c:d6:b0:cb - vlan 50, interface id 8, interface 'secure_wifi-clients'
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (8): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb STA - rates (12): 130 132 139 150 36 48 72 108 12 18 24 96 0 0 0 0
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb apfMs1xStateDec
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Change state to START (0) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Initializing policy
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 25 06:55:15.285: 38:aa:3c:d6:b0:cb 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state DHCP_REQD (7)
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Stopping deletion of Mobile Station: (callerId: 48)
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb Sending Assoc Response to station on BSSID 00:26:0a:ec:19:60 (status 0) ApVapId 5 Slot 0
*apfMsConnTask_0: Mar 25 06:55:15.286: 38:aa:3c:d6:b0:cb apfProcessAssocReq (apf_80211.c:5272) Changing state for mobile 38:aa:3c:d6:b0:cb on AP 00:26:0a:ec:19:60 from Associated to Associated
*pemReceiveTask: Mar 25 06:55:15.289: 38:aa:3c:d6:b0:cb 0.0.0.0 Removed NPU entry.
*dot1xMsgTask: Mar 25 06:55:15.290: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Connecting state
*dot1xMsgTask: Mar 25 06:55:15.291: 38:aa:3c:d6:b0:cb Sending EAP-Request/Identity to mobile 38:aa:3c:d6:b0:cb (EAP Id 1)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb Received Identity Response (count=1) from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb EAP State update from Connecting to Authenticating for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.298: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticating state
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.299: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=11) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb WARNING: updated EAP-Identifier 1 ===> 11 for STA 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.304: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 11)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.307: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 11, EAP Type 3)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.308: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=12) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.310: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 12)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 12, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.323: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=13) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.326: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.337: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 13, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.338: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.341: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=14) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.342: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 14)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 14, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.354: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.355: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=15) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.356: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 15)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 15, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.407: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.409: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=16) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.410: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 16)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 16, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.423: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Processing Access-Challenge for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Entering Backend Auth Req state (id=17) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.437: 38:aa:3c:d6:b0:cb Sending EAP Request from AAA to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAPOL EAPPKT from mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Received EAP Response from mobile 38:aa:3c:d6:b0:cb (EAP Id 17, EAP Type 13)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.443: 38:aa:3c:d6:b0:cb Entering Backend Auth Response state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Processing Access-Accept for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Resetting web acl from 255 to 255
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Setting re-auth timeout to 1800 seconds, got from WLAN config.
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Station 38:aa:3c:d6:b0:cb setting dot1x reauth timeout = 1800
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Creating a PKC PMKID Cache entry for station 38:aa:3c:d6:b0:cb (RSN 0)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.448: 38:aa:3c:d6:b0:cb Sending EAP-Success to mobile 38:aa:3c:d6:b0:cb (EAP Id 17)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending default RC4 key to mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Sending Key-Mapping RC4 key to mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5for this client
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.449: 38:aa:3c:d6:b0:cb Not Using WMM Compliance code qosCap 00
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:26:0a:ec:19:60 vapId 5 apVapId 5
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) pemAdvanceState2 4817, Adding TMP rule
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.393: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Adding Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jum
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 50, IPv6 intf id = 8
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4833, Adding TMP rule
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
type = Airespace AP - Learn IP address
on AP 00:26:0a:ec:19:60, slot 0, interface = 1, QOS = 0
ACL Id = 255, Jumbo
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 50, IPv6 intf id = 8
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Entering Backend Auth Success state (id=17) for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.450: 38:aa:3c:d6:b0:cb Received Auth Success while in Authenticating state for mobile 38:aa:3c:d6:b0:cb
*Dot1x_NW_MsgTask_0: Mar 25 06:55:15.451: 38:aa:3c:d6:b0:cb dot1x - moving mobile 38:aa:3c:d6:b0:cb into Authenticated state
*pemReceiveTask: Mar 25 06:55:15.456: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*pemReceiveTask: Mar 25 06:55:15.459: 38:aa:3c:d6:b0:cb 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0

I presume by S3 you mean samsung galaxy S3?
We've successfully implemented eap-tls on corporate ipads and iphones but have not managed to get samsung devices to work. There doesn't seem to be consitency with googles nexus devices either, some work and some don't.

ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
Long story short, what I'd like to do is:
User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
personally owned devices only allowed to do ICA,
corporate device can use SQL, RDP, etc...
Thoughts, ideas?

Not sure i understand your response, or perhaps my original question isn't clear.
User authenticates with EAP-TLS / User cert
User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

EAP-TLS and EAP-PEAP Clients

Hi guys
I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
The endpoints are configured with a username and password. The credentials are created in ISE server.
I create a second policy for wired dot.1x with EAP - PEAP enabled
The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
Thanks in advance.
Sent from Cisco Technical Support iPad App

Hi,
There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
Thanks,
Tarik Admani
*Please rate helpful posts*

EAP-TLS FAILING ON WIRELSS IPPHONE CP-7925G

Hi all,
we had enabled the eap-tls authentication on our WIFI network. We are using Cisco ACS 1113 & Microsoft Certificate Server for this setup. Currently we are able to successfully authenticat EAP-TLS on computer, but the Phones are not registering the network.
On the ACS we are getting the following error.
"EAP-TLS or PEAP authentication failed due to invalid certificate during SSL handshake".
Thanks
Nibin

Dear all
Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)
AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198
AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code
AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198
AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)
AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
Thanks
Nibin Rodrigues

Migrating EAP-MSCHPv2 to EAP-TLS

Similar Messages

Maybe you are looking for