Scripting WPA2 EAP+TLS setup (incl. cert)

Similar Messages

• 7925g plus EAP-TLS plus wildcard cert

  Hi folks,
   Has anyone managed to put a wildcard cert on a 7925G (or 9971) to use for client authentication with EAP-TLS?  It seems like one is forced to use the MIC or a cert from a csr generated by the phone... but I'd really rather not keep track of a zillion certs.
  Thanks for any help.

  Hi,
  have you read the infos from the deployment guide (page 72 - install certificates) already
  http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

• Windows EAP-TLS with machine cert only?

  Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
  Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
  Thanks for any clues.

  Hello Leroy-
  EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
  Cisco TrustSec Guide:
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  RFC:
  https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
  Thank you for rating helpful posts!

• HELP WPA2+EAP+TLS

  Hi! Do not have much experience in Cisco. But, there is a great desire to learn, Help me please!
  There Cisco3560-on which the DHCP network and gives 2 (Vlan667 and Vlan669) 10.30.7.0 / 24 mask and 10.30.9.0 / 24 mask - and distributes it to Ayronet Cisco 1130g /
    Please show the setting on the access point Ayronet Cisco 1130g for WPA2 + EP + TLS with certificates Radius server. And the Radius Server for Windows is already installed. I need help!???

  See whether this document is helping you
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml#wpa1
  HTH
  Rasika
  *** Pls rate all useful responses ****

• EAP-TLS not working on WinXP client, but does work on W2k?

  Hi
  So I've got EAP-TLS setup using a W2K IAS server as RADIUS, W2K certificate server and cisco 1100 APs. I've got computer certs on four notebooks of which 2 are W2k and the other two are XP. On the W2k PCs I am able to pop in my wireless 350 card and get an IP before logging in (as seen via the dhcp server) and then once logged in, the user cert is used to further authenticate and remain connected to the network (as seen via the IAS logs). Yet when I try to pop in my wireless card on the XP PCs, I get no IP address and nothing ever shows up in the IAS logs...the 1100 ap says that its associated but nothing more. Does anyone have any ideas. Thanks
  Jason

  Jason,
  Can you authenticate from the XP clients using LEAP or something other then EAP-TLS?
  If not i would look at upgrading the 350 card drivers on the XP machines to the latest.
  I have had problems before using the cardbus pcmcia adapters on XP, when i installed the latest drivers it worked.
  Let me know how you get on?
  Rgds,
  Paddy

• EAP-TLS Win2003 CA and IAS...not checking CRL?

  Hi
  I've got EAP-TLS setup and working using Win2003 CA and IAS as the RADIUS backend. I've issued certs to my wireless users, and now I want to revoke a certificate, so in the CA, I revoke the cert and then under Revoked Certs I click on publish...yet the user can still authenticate and communicate. How can I configure the IAS to check the CRL? Thanks

  Hi,
  I'm battling to setup EAP-TLS with AP1200,windows AD 2003 and IAS.Are there any funny tricks in setting up
  EAP-TLS with IAS.
  On the AP1200 I keep getting AAA unsupported.
  regds
  Johnny

• IPhone and EAP-TLS with ACS & 5508

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  I have a large customer that is moving into a new building and adding some
  new wireless.
  They are using a 5508 with 1142's and an ACS server.
  They will have the following SSID's
  SSID01 -> WPA-EAP-TLS
  SSID02 -> WPA2-EAP-TLS (future use)
  SSID03 -> Guest Access (internet access only)
  They currently use this design across the enterprise which has worked well.
  The problem is to get certificates pushed down to the client for the EAP-TLS
  they always connect the machine once by wire and log on to the domain so a
  GPO pushes the cert to the machine.
  This creates a problem that I don't know how to solve as they want to use
  iPhones on the new deployment.
  Does anyone have any ideas on how to get a cert down to the iPhones for use
  with the SSID's?
  Thanks in advance for any assistance.

  I don't think we can push certs from windows server to iphones . Probably set up a webpage say a accessible from a different ssid  from which clients can download and install cert. ?

• Nokia E66 EAP-TLS error

  Hi, I am configuring a Nokia E66 (wich is v4 in Cisco Compatible Extensions, so it supports EAP-TLS) with WPA2 EAP-TLS against IAS in a Cisco Wireless Network and I always obtain the same error in the IAS event viewer.
  denied accesss
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 16
  Reason = Authentication was not successful because an unknown user name or incorrect password was used.
  Has anybody tried E66 with EAP-TLS?
  Any experiences?

  Yes, this is my setup
  - hidden network
  - infraestructure
  - security: WPA/ WPA2
  - EAP
  - Plug -ins: EAP-TLS. I select the user certificate and the CA certificate. User name from the certificate, domain from the certificate
  - WPA2 only mode
  In the IAS log, the username is correct, but always appear this strange error. The certificates and infraestructure I use it works well in a notebook
  Thanks

• E66 EAP-TLS error

  Hi, I have configured an E66 with WPA2 EAP-TLS against IAS and I always obtain the same error in the IAS event viewer.
  denied accesss
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 16
  Reason = Authentication was not successful because an unknown user name or incorrect password was used.
  Has anybody tried E66 with EAP-TLS?
  Any experiences?

  Yes, this is my setup
  - hidden network
  - infraestructure
  - security: WPA/ WPA2
  - EAP
  - Plug -ins: EAP-TLS. I select the user certificate and the CA certificate. User name from the certificate, domain from the certificate
  - WPA2 only mode
  In the IAS log, the username is correct, but always appear this strange error. The certificates and infraestructure I use it works well in a notebook
  Thanks

• WRVS4400N Does it support EAP-TLS

  Hi our business was looking at purchasing one of these Cisco routers and were curious if it supported WPA2 EAP-TLS?

  Jon,
  According to the Data Sheet:
  Port-based RADIUS authentication (Extensible Authentication Protocol multicast distributed switching [EAP-MDS], Protected Extensible Authentication Protocol [PEAP])
  http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9931/data_sheet_c78-496737.html

• WPA2 security with EAP-TLS user cert auth

  I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer. 
  When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
  It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth  worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
  Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

  Well Well
  WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
  The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
  In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
  Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
  Please make sure to rate correct answers

• ACS 4.0 EAP-TLS Cert not working

  Hey,
  so i generated my certificate signing request, took it to my CA, got a cert. From "ACS Certification Authority Setup" i installed it onto my ACS appliance, then from "Install ACS Certificate" installed it (it prepopulated the privkey and password so i assume it got that from the cert file). I then add the CA from the "Edit Certificate Trust List". All this goes off without a hitch.
  However when i try to add the "Certificate Revocation List" I am unable to add both LDAP:\\\ and http://. I have confirmed that the http:// is working on the CA, and every indication is that the ldap is working too but i don't know of the tools to test that with.
  When i go into "System Configuration"->"Global Authentication Setup"->"Allow EAP-TLS" i get the following error.
  Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.
  What exactly is not installed about the Certificate? it's on the ACS server, it's configured and the date range is correct.
  I've been banging my head against this all day and could use some suggestions. :)

  Ok, i now understand it a little better. I needed to install 2 certificates. the first being the Root CA's certificate in the "ACS Certification Authority Setup" section (i mistakenly thought this was simply where i download my generated cert for the next spot.
  The second cert is the one i generated using "Generate Certificate Signing Request", i then took that to my Root CA, generated a cert and installed that along with the private key under "Install ACS Certificate".
  Thanks for pointing me in the right direction since the error i was getting wasnt helpful to me.

• ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

  Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
  Long story short, what I'd like to do is: 
  User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
  Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
  personally owned devices only allowed to do ICA,
  corporate device can use SQL, RDP, etc...
  Thoughts, ideas?

  Not sure i understand your response, or perhaps my original question isn't clear.
  User authenticates with EAP-TLS / User cert
  User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
  Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
  My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

• Will CA cert be pushed along with the sever cert to the client in eap-tls?

  Hi All,
  I'm aware of that in eap-tls, the server-side cert will be pushed to the wireless client. I'm wondering if the CA root cert of the Radius server will be pushed as well. If not, I guess the client must have the CA cert pre-installed. Is there any documentation to describe this?
  Thanks in advance.
  Robert

  Thanks Scott.
  I'm a little bit confused. Based on the following url, somebody said sever will send the server cert and the CA. Can you show me the documentation that can explain in detail.
  http://security.stackexchange.com/questions/47932/why-is-a-ca-certificate-required-for-eap-tls-clients
  When the server sends a certificate, it actually sends a certificate chain,  including the CA which issued it, and the CA above it, and so on, up to  the root (the root itself may be sent, but this is optional).

• EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

  Hello all,
  I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
  His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
  We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
  The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
  When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
  All of this appears to be successful the first time.
  If we disassociate the machine, the problems start. The accounting STOP message is never sent.
  Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
  Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
  My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
  IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
  Thanks
  Gustavo

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan