PEAP & EAP-TLS together on ACS

We have recently deployed lightweight APs/WLCs in my organization and the authentication mechanism for WLANs is PEAP. We plan to add a new wireless LAN and want to use certificate based authentication, EAP-TLS for this new wlan. Our authenticating server is Cisco ACS, and want to use the same authenticating server for authenticating these two wlans. I haven't found a way to configure exclusively to assign a particular authentication mechanism for a wlan on ACS. Neither the sub authentication be specified in WLC. Any clues?
Thanks,
Vijay

In ACS 5.x, you can specify both EAP type and then also have a condition to grant access to a certain AD OU.  If users are in a different OU, then you create two policies that look at conditions for EAP type, SSID and OU.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html

Similar Messages

  • PEAP, EAP-TLS & EAP-MD5

    Hi
    Just want to know is there any known problems or issues having PEAP, EAP-TLS & EAP-MD5 enabled on ACS Radius servers for wireless authentication?

    Hello,
    There is no problems excep you have to have CA server for certificates for both ACS and wireless users.
    Regards,
    Belal

  • ACS Not installing renewed SSL Certificate for PEAP/EAP-TLS?

    We recently renewed our SSL certificate through RapidSSL. While attempting to install the new certificate into ACS, I was given the prompt to showing the updated dates, confirmed and installed the new certificate, deleting the old. I restarted ACS, as required, but when trying to enable PEAP or EAP-TLS, I am getting the error "Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
    The worst part, is that I when I tried to reinstall the old certificate, I am now getting the same problem.
    Any suggestions?

    Matt,
    How did you perform the CSR.... did you use ACS or OpenSSL? Also, did you verify that the certificate is in the trusted personal folder on the server?
    Scott

  • PEAP & EAP TLS

    Hi We have controller based wireless network we are running PEAP till date now we want to go for EAP-TLS along with PEAP. I have configured the EAP-TLS but not PEAP is not working as well as EAP-TLS. Can any body tell me can both work together. I have ACS running with version 4.1. We had self signed generated cert on ACS for PEAP now we have installed certificate from CA.
    but now PEAP is stopped working & EAP-TLS is also not working.
    Please help me to fix this.

    Hi friend,
    first hint: You will need one SSID per protocoll.
    Since these kind of problems may base a very wide variety of issues have a look in these documents:
    http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html
    These docs gave me the right direction.
    Good Luck.
    Frank

  • EAP-TLS authentication with ACS 5.2

    Hi all,
    I have question on EAP-TLS with ACS 5.2.
    If I would like to implement the EAP-TLS with Microsoft CA, how will the machine and user authentication take place?
    Understand that the cert are required on both client and server end, but is this certificate ties to the machine or ties to individual user?
    If ties to user, and I have a shared PC which login by few users, is that mean every user account will have their own certificates?
    And every individual user will have to manually get the cert from CA? is there any other method as my environment has more than 3000 PCs.
    And also if it ties to user, all user can get their cert from CA with their AD login name and password, if they bring in their own device and try to get the cert from CA, they will be able to successfully install the cert into their device right?
    Hope you guys can help on this. THanks.

    Yes, you can configure:
    machine authentication only
    user authentication only
    Machine and user authentication.
    Machine or user authentication
    So machine authentication only is quite common scenarion. Correct, as long as machine is a part of a domain, you will be authenticated via machine authentication.
    PEAP-based machine authentication uses PEAP (EAP-MS-CHAPv2) and the password for the computer established automatically when it was added to the Microsoft Windows domain. The computer sends its name as the username and the format is:
    host/computer.domain
    If the machine is a valid machine in the domain then during the boot process, once the HAL is loaded, the system begins loading device drivers to support the various hardware devices configured on the client in question. After loading the device drivers, the network interface is initialized. At this point, machine start getting ip address and once it done, the user may have access to most of the network.
    Regards,
    Jatin

  • Meaning of EAP-TLS errors in ACS

    Hi Guys,
    I'm trying to get a device authenticated to my wireless network using certificates. I get the generic error in ACS (4.2.0.124):
    EAP-TLS or PEAP authentication failed during SSL handshake
    Looking in the Auth log I get:
    AUTH 12/09/2013 15:56:40 E 2255 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL send alert fatal:handshake failure
    AUTH 12/09/2013 15:56:40 E 2258 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse: SSL ext error reason: c7 (Ext error code = 0)
    AUTH 12/09/2013 15:56:40 E 2297 3096 0x8b7ea5 EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2120
    AUTH 12/09/2013 15:56:42 E 3159 297052 0x0 AuthenReaper thread : Session Timed out since challenge not provided, freeing it
    Can anyone help me with the reason codes or point me in the right direction?
    Thanks,
    John.

    Hi John,
    This is mostly due to improper certificate installed on either the server or on the client machine.
    Considering the issue with only one client I guess the server is clean.
    Can you verify if proper root certificate, intermediate certificate and the id certificates are installed on client?
    You can also regenerate a new machine ID cert for the client and give a try.
    Thanks.

  • EAP-TLS + CA MICROSOFT + ACS 3.2 APPLIANCE = Problem

    I have a Wireless Lan platform composed by equipment Access Points Cisco 1100 with ACS 3,1 and CA Microsoft.The security scheme is EAP-TLS (certificates).This architecture was completely functional. The problem took place when replacing the ACS 3,1 by the ACS 3,2 APPLIANCE, for which new certificates they were emitted by the CA of the infrastructure. The problem appears when a wireless client tries to connect to the wireless network,without obtaining the objective ,being in a state of "trying to authenticate" in networks adapters, in addition the ACS Logs appear the following message "NAS duplicated authentication attempt".
    If somebody knows the reason of this problem, can be contacted to my mail ([email protected]).

    A hint i could give you that in such a scenario you need an Trusted boundary between the ACS Appliance and the MS AD/PDC. This we be realized trough an PC/Host who is a regitered member or user of the AD/PDC. This relay Computer then communicates with the MS CA. The SW that Cisco Provides is the Cisco Secure ACS Agent. Hope this helps as we found the same problem in leap authentication as the ACS Appliance could not be set into a AD/PDC Domain. This has to be realized trough this smal piece of SW installed on an PC/Host etc. wich is a active AD/PDC Member.

  • EAP-TLS witch Cisco Secure ACS

    Hi everyone,
    we have implemented wpa/leap in our WLAN. We would use certificates for machine authentication. There is a Cisco Secure ACS Server 3.3 installed.
    Is it possible to use the ACS self generated certificate without a CA ?
    The examples I found on the web describes only the configuration with CSACS with Microsoft CA.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html
    We use Cisco AP1231/AP1232 with 12.3.4JA.
    I think for machine authentication we have to install a CA. Let me know, how you think about that issue.
    Armin

    There are no much options on Client side: MS PEAP, EAP-TLS, EAP-MD5. ACS version 3.3 can generate self-signed certificate (for itself) without the need to install separate CA server. So I'd recommend you to use MS PEAP (PEAP MS-CHAPv2) with self-signed certificate on ACS.

  • Cisco ACS with External DB - EAP-TLS

    Hi Guys,
    I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
    Let say both user and computer certs are employed:
    1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
    2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
    2b. Wot is the paramater that is checked against the AD database?
    I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
    Client Certificates
    Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
    CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
    SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
    Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
    3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
    Please can someone help me with these points.
    I am so lost in this stuff :)) I think.
    Many thx and many kind regards,
    Ken

    only TLS *handshake* is completed/succcessful, but because user authentication fails,
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
    CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
    EAP: EAP-TLS: Handshake succeeded
    EAP: EAP-TLS: Authenticated handshake
    EAP: EAP-TLS: Using CN from certificate as identity for authentication
    EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
    pvAuthenticateUser: authenticate 'jatin' against CSDB
    pvCopySession: setting session group ID to 0.
    pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
    pvAuthenticateUser: authenticate 'jatin' against Windows Database
    External DB [NTAuthenDLL.dll]: Creating Domain cache
    External DB [NTAuthenDLL.dll]: Loading Domain Cache
    External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
    External DB [NTAuthenDLL.dll]: Domain cache loaded
    External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
    External DB [NTAuthenDLL.dll]: User jatin was not found
    pvCheckUnknownUserPolicy: setting session group ID to 0.
    Unknown User 'jatin' was not authenticated
    So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
    And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
    HTH
    Regards,
    Prem

  • EAP-TLS Questions....

    Hi all,
    My setup is like this..
    Laptop - LWAPP - WLC - ACS - AD
    I m using CA to generate certificate.. I have configured EAP-TLS on WLC & ACS SE. Everything is working fine ie when i issue a certificate from CA on my AD login name & install that certificate i m able to connect to WLAN.. For security on WLC i have enable WPA & 802.1x...
    What i want is that when i boot up the laptop it should directly get connected to Wireless network & whne i try to login using my user name & password it should prompt for if my password is expired or something & get connected to AD. But this is not happening which use to happen when we were using peap as it ask for username & paswword to connect but not in case of EAP_TLS it only check for valid certificates....
    Thanks in advance..
    regards,
    piyush

    Hi Fella,
    i had one more issue ie want to do perform machine authentication as the laptops boot up along with the user authentication hen the users logs in.
    I had set AuthMode value to 1 for it. But how should i check on my ACS SE that the machine is authenticated or not & is it possible that during login using username & password the WLAN should get connected as it is for ethernet LAN.
    Thanks for ur reply..
    Piyush

  • EAP-TLS machine authentication problems

    Well..
    I have the following devices:
    WCS
    Wlan controller 4402
    AP 1130 LWAPP
    Workstation XP sp2
    Secure ACS 4.0
    Windows CA
    Windows AD
    Everything else is working properly, except EAP-TLS. Server certificate is installed in ACS and trust list is OK. Client certificate is installed in workstation machine store. PEAP-MsCHAPv2 working OK, ACS logging prompts successful authentication. I tried to use the certificate authentication from windows wlan properties, but the log was still empty.
    Which clarifications do I have to do in ACS and AD?
    Can someone help me and give me very detailed instructions on how to make it work.

    Hi,
    We had a same problem until we ran 2 windows hotfixs. Those are: WindowsXP-KB893357-v2-x86-ENU.exe and WindowsXP-KB890046-x86-ENU.exe Have you tried to do this. Our EAP-TLS machine authentication is working fine now.
    Have you enabled EAP-TLS authentication in ACS? ACS-> System configuration: Mark Allow EAP-TLS

  • EAP-TTLS support in ACS v4?

    Hi,
    Does anyone know if there are any support for EAP-TTLS in the upcoming release 4 of ACS? We have invested heavilly in ACS but now we really need EAP-TTLS support (both auth and proxing).
    Cheers
    Anders Nilsson
    UMDAC

    Hi,
    EAP-TTLS along with PEAP is one of the prefered EAP:s used for EduRoam (www.eduroam.org) which is gaining more and more acceptance around the educational community. I'm really suprized that Cisco isn't up to date on whats going on around the many Universities. I estimate the only in Europe there will be more than 1000 universities using Radius servers and proxies. Australia is online and soon the US will join in. Here in Sweden (SUNET) we are now locking at but ACS product but if EAP-TTLS and Radius Proxing of all the protocols (PEAP, EAP-TLS, EAP-TTLS) are not supported we will have to look elseware (Freeraduis or Radiator). :(
    We here in Sweden strongly suggest that Cisco implements EAP-TTLS and better Raduis Proxy functionallity. (Version 4.1 maybe? ;) )
    Best Regards
    Anders Nilsson
    UMDAC

  • EAP-TLS and ISE 1.1 with AD certificates

    Hello,
    I am trying to configure EAP-TLS authentication with AD certificates.
    All ISE servers are joined to AD
    I have the root certificate from the CA to Activie Directory installed on the ISE servers
    I created the certificate authentication profile using the root certificate
    I have PEAP\EAP-TLS enabled as my allowed protocol
    I am getting the following error for authentication:
    "11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12301  Extracted EAP-Response/NAK requesting to use PEAP instead
    12300  Prepared EAP-Request proposing PEAP with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version 0
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12814  Prepared TLS Alert message
    12817  TLS handshake failed
    12309  PEAP handshake failed"
    I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
    Any other issues I am missing?
    Thanks,
    Michael Wynston
    Senior Solutions Architect
    CCIE# 5449
    Email: [email protected]
    Phone: (212)401-5059
    Cell: (908)413-5813
    AOL IM: cw2kman
    E-Plus
    http://www.eplus.com

    Please review the below link which might be helpful :
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

  • ISE - dot1x EAP TLS for Cisco IP Phones

    Hi Gents,
    I have a question about the CA configs for ISE or ACS.
    As I understand, LSC certificate is issued by the CUCM by its Certificate Authority Proxy Function. If an IP Phone needs to be authenticated by its LSC (Locally Significant Certificate), which of the following CA we need to trust:
    1. Cisco CA Certificate
    2. CUCM Locally signed Certificate or CUCM Identity Certificate
    And if these certificates are imported into ISE/ACS, will the ISE/ACS will be able to authenticate the IP Phone if the dot1x EAP-TLS authentication is enabled for IP Phones?
    Is there any other configs needed?
    I would highly appreicate if someone can clearify me this process.
    Regards,

    I got the answer, for the first part of the EAP TLS authentication: Phone authentication
    In an IEEE 802.1X authentication, the AAA server  is responsible for validating the certificate provided by the phone. To  do this, the AAA server must have a copy of the root CA certificate that  signed the phone's certificate. The root certificates for both LSCs and  MICs can be exported from the CUCM Operating System Administration  interface and imported into your AAA server
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-605524.html#wp9000412
    As this is EAP TLS, Server (ISE/ACS) is also required to authenticate itself to the phone.
    What is needed for this?

  • EAP-TLS with machine certificate

    Hello all,
    I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
    Thanks a lot.
    Best regards.

    Hi Alfonso, 
    Certificate Retrieval for EAP-TLS Authentication
    ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
    ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
    After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
    Configuring CA Certificates
    When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
    If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
    You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
    Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
    Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
    Also check the below link,  
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

Maybe you are looking for