WLAN Security - EAP-TLS EAP-Identity exposed in the clear

Similar Messages

• 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

  Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic vlan assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assigment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic vlan assignment. Thank you for any help.

  SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.

• PEAP, EAP-TLS & EAP-MD5

  Hi
  Just want to know is there any known problems or issues having PEAP, EAP-TLS & EAP-MD5 enabled on ACS Radius servers for wireless authentication?

  Hello,
  There is no problems excep you have to have CA server for certificates for both ACS and wireless users.
  Regards,
  Belal

• EAP-TLS witch Cisco Secure ACS

  Hi everyone,
  we have implemented wpa/leap in our WLAN. We would use certificates for machine authentication. There is a Cisco Secure ACS Server 3.3 installed.
  Is it possible to use the ACS self generated certificate without a CA ?
  The examples I found on the web describes only the configuration with CSACS with Microsoft CA.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html
  We use Cisco AP1231/AP1232 with 12.3.4JA.
  I think for machine authentication we have to install a CA. Let me know, how you think about that issue.
  Armin

  There are no much options on Client side: MS PEAP, EAP-TLS, EAP-MD5. ACS version 3.3 can generate self-signed certificate (for itself) without the need to install separate CA server. So I'd recommend you to use MS PEAP (PEAP MS-CHAPv2) with self-signed certificate on ACS.

• EAP-TLS with machine certificate

  Hello all,
  I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
  Thanks a lot.
  Best regards.

  Hi Alfonso, 
  Certificate Retrieval for EAP-TLS Authentication
  ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
  ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
  After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
  Configuring CA Certificates
  When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
  If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
  You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
  Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
  Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
  Also check the below link,  
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

• EAP-TLS problems with Cisco AP541N and Server 2008 NPS

  Hi,
  I want to use EAP-TLS with my shiny new certificates issued by my new Windows CA, and what happens? Nothing works.
  I don't have a clue what I should do. I try to establish a EAP-TLS connection using my Windows CE mobile device, but my cisco AP541N logs this:
  Oct 18 15:42:58
  info
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: Supplicant used different EAP type: 3 (Nak)
  Oct 18 15:42:58
  warn
  hostapd
  wlan0: STA 00:17:23:xx:xx:xx IEEE 802.1X: authentication failed - identity 'XXXXXX' EAP type: 13 (TLS)
  Oct 18 15:42:58
  info
  hostapd
  The wireless client with MAC address 00:17:23:xx:xx:xx had an authentication failure.
  NPS logs this:
  Name der Verbindungsanforderungsrichtlinie: Sichere Drahtlosverbindungen 2
  Netzwerkrichtlinienname: XXXXXX
  Authentifizierungsanbieter: Windows
  Authentifizierungsserver: XXXXX
  Authentifizierungstyp: EAP
  EAP-Typ: -
  Kontositzungs-ID: -
  Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
  Ursachencode: 22
  Ursache: Der Client konnte nicht authentifiziert werden, da der angegebene EAP (Extensible Authentication-Protokoll)-Typ vom Server nicht verarbeitet werden kann.
  I'm sorry it's german, but the gist is: The server can't process the authentication with the specified EAP type, which should be EAP-TLS.
  I think the NAK answer in my cisco AP logs is the problem. Well, not the problem, since it is the standard procedure in the EAP request / challenge, I think, but somebody messes up with it.
  Did anybody encounter something like this before? Or just knows what to do?
  Thanks in advance
  Lenni

  Joe:
  Having NPS, you have the options to configure PEAP-MSCHAPv2 or EAP-TLS.
  EAP-TLS: mandates a certificate on the server as well as a certificate on every single machine for authentication purposes.
  PEAP-MSCHAPv2: mandates a certificate on the server only. Users connecting to the wireless network must trust the certificate (or, user devices can be configured to escape this trust and connect even if the server cert is not trusted).
  for PEAP-MSCHAPv2, Your options are:
  - Buy a certificate for the server from a trusted party (Verisign for example [which was bought later by Symantec]). This way all devices will - by default - trust the server's cert.
  - Install local CA. Install a cert on the server and then push the root CA cert for your CA to all client device so they trust this issuer.
  - If both up options are not valid for you, what you can do is to configure every single client to ignore the untrusted cert and proceed with the connectoin. (This is a security concern though. not recommended unless really needed).
  You must get a cert on the server and all clients must trust that certificate's issuer. Otherwise you'll not be able to user PEAP.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• EAP-TLS error .........failed SSL/TLS handshake because of an unknown CA in client certificate chain

  Hi,
  I am using 802.1x and EAP-TLS as authentication protocol. The clients are not able to pass the authentication the error log on ACS is
  Authentication failed: EAP-TLS handshake failed SSL/TLS handshake because of an unknown CA in the client certification chain.
  I have installed certificates on the WLC and ACS, however authentication is unsuccessful.
  Can anybody help regarding this issue.

  Hi Sandeep,
  Web auth certificate is defult certificate in wlc but you can also use your own(3rd party).
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/70584-csr-wlc-00.html
  Virtual interface : This interface handles any mobility management, VPN Termination, Web authentication, and is also a DHCP relay for WLAN clients.
  Yes its interconnected, the purpose for this entry is so that the controller knows the name of the of the certificates to virtual address translation.
  1. Guest Client go to google.com
  2. Client goes to DNS (the one its is assign in DHCP)
  3. DNS resolves the DNS for google.com
  4. Client then attempts to go to google.com
  5. Controller intercepts GET and replaces it with a 1.1.1.1
  6. Controller then takes the 1.1.1.1 and translates this to the DNS name to negat the (accpet this cert screen)
  7. DNS then gets resolve to the name (example guest.xxx.com)
  8. Controller presents the guest screen
  Hope it helps.
  Regards
  Dont forget to rate helpful posts

• Wireless ISE - 12508 EAP-TLS handshake failed

  Hi guys,
  I'm in the middle of my very first wireless ISE deployment and I'm hitting issues with EAP-TLS based authentication.  In short, all EAP-TLS authentication is failing with the following error.  Below that is the relevant excerpt from the logs:
  Authentication failed : 12508 EAP-TLS handshake failed
  OpenSSLErrorMessage=SSL alert: code=0x233=563 \; source=local \; type=fatal \; message="X509 decrypt error -  certificate signature failure", OpenSSLErrorStack=   597863312:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown  message digest algorithm:a_verify.c:146:,
  Setup:
  - Single standalone ISE 3355 appliance
  - Two tier MS enterprise PKI (outside of my direct control)
  - WLC 5508
  - Windows 7 laptop\
  - The ISE has both the root and intermediate CA server certificates installed (individually, not chained) and has an identity certificate from the intermediate CA.
  - The test laptop has both the root and intermediate CA server certificates installed  (individually, not chained) and has an identity certificate from the  intermediate CA.
  Now, I'm pretty new to certs so I'm sure I'm missing something simple here.  One thing that has come to mind as I'm writing this is that all of the issued certificates are using SHA1 as the Signature hash algorithm but if I remember correctly ISE defaults to SHA-256 when generating a CSR and I can't remember actually changing that.  Could my issue be as simple as this, or does this hash algorithm only apply to the CSR process?
  This is what TAC came back with, but none of the workarounds helped
  Symptom:
  ========
  EAP-TLS auth handshake  failing with X509 decrypt error. The error presented to the ISE  administrator is "12508: EAP-TLS handshake failed"
  Conditions:
  =========
  EAP-TLS certificate based authentications ISE 1.1.2.145
  Workaround:
  ===========
  1) Reboot or restart ISE  application service 2) Recreate CAP (Certificate Authentication Profile)  3) Toggle between ID sequence and single ID source

  Hi Amjad,
  Thanks for the response.  I realise that SHA256 is highly preferable, however as per my post the PKI is outside of my direct control so that's a whole other conversation.
  Cisco actually recommends avoiding chained certs for ISE, their best practice is that the intermediate and root CA server certificates should be imported into the ISE individually (I don't have a link for this, but it was presented in the Advanced ISE session at Cisco Live this year).  On the client side the identity certificate (machine) shows the full trust chain, so I would assume that there isn't an issue there but I'm happy to be corrected.
  The certificate format has not been modified in any way.  The server and identity certs have been pushed out to the clients via GPO. Tthe root and intermediate certs were exported in DER format directly from each the respective CAs and imported directly in to the ISE
  Cheers,
  Owen

• WLC EAP-TLS

  Hi,
  My Wireless network consists of 8 WLC and 2 Cisco ACS 1113 with 4.2. I need to implement certificate authentication for Cisco Wireless Phone SSID. I tried PEAP along with certificate generated by Microsoft Cert Server, but the issue is the client can ignore the certificate and I believe only way to force is via Active Directory group policy.
  So as my Cisco IP Phones are not joined to Active Directory I think the only option is to use EAP-TLS. For this I have the following Queries.
  •1.     What will be the SSID security setting. ( I tried Layer 2 802.X with WEP 104bit encryption)
  •2.     Do I need to install any certificate on WLC if yes which Certificate (Ex root, Client)
  •3.     What Certificate should be installed on Client.
  •4.     What should be the client PC security setting for EAP-TLS
  I had gone through the following Docs for reference.
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
  https://supportforums.cisco.com/docs/DOC-24723
  Thanks
  Nibin

  Dear Philip,
  Thanks for your reply. Actually the setting is working for Laptops only issue with Wireless IP Phones.
  Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.
  AUTH 02/10/2013  13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS  data: SSL state=SSLv3 read  client certificate A
  AUTH 02/10/2013  13:29:58 I 2009 1756 0xb EAP: EAP-TLS:  Handshake failed
  AUTH 02/10/2013  13:29:58 E 2255 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL recv alert fatal:bad certificate
  AUTH 02/10/2013  13:29:58 E 2258 1756 0xb EAP: EAP-TLS:  ProcessResponse: SSL ext error reason: 412 (Ext error code =  0)
  AUTH 02/10/2013  13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519):  mapped SSL error code (3) to -2198
  AUTH 02/10/2013  13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code  Unknown EAP code
  AUTH 02/10/2013  13:29:58 I 0366 1756 0xb EAP: EAP state: action = send
  AUTH 02/10/2013  13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned  -2198
  AUTH 02/10/2013  13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7,  seq_id=7)
  AUTH 02/10/2013  13:29:58 I 5501 1756 0xb Done  UDB_SEND_RESPONSE, client 50, status  UDB_EAP_TLS_INVALID_CERTIFICATE
  Thanks
  Nibin Rodrigues

• ISE and EAP-TLS

  Hi
  We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
  22045  Identity policy result is configured for password based authentication  methods but received certificate based authentication request
  I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
  EAP-TLS is enabled in  the 'Default Network Access' authentication result.
  Can anyone shine a light on where I'm going wrong?
  Thanks
  Martin

  Martin,
  Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:
  http://support.microsoft.com/kb/814394
  Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:
  The IAS or the VPN server computer certificate is configured with the  Server Authentication purpose. The object identifier for Server  Authentication is 1.3.6.1.5.5.7.3.1.
  Here is the Cisco eap-tls deployment guide which references the same as above:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ISE for 802.1x (EAP-TLS)

  I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
  I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
  I will use Cisco 2900 series switches on the access layer and a few HP switches as well which supports 802.1x.
  I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (Certificate Based). All the workstations on the domain needs to authenticate itself using the certificates issued to it by the Certificate Issuing Authority.
  I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
  I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are  overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
  My email: [email protected]
  Cheers,
  Krishil Reddy

  Hello Mubashir,
  Many timers can be modified as  needed in a deployment. Unless you are experiencing a specific problem  where adjusting the timer may correct unwanted behavior, it is  recommended to leave all timers at their default values except for the  802.1X transmit timer (tx-period).
  The tx-period timer defaults to a value of 30 seconds.  Leaving this value at 30 seconds provides a default wait of 90 seconds  (3 x tx-period) before a switchport will begin the next method of  authentication, and begin the MAB process for non-authenticating  devices.
  Based on numerous deployments, the best-practice  recommendation is to set the tx-period value to 10 seconds to provide  the optimal time for MAB devices. Setting the value below 10 seconds may  result in the port moving to MAC authentication bypass too quickly.
  Configure the tx-period timer.
  C3750X(config-if-range)#dot1x timeout tx-period 10

• EAP-TLS with ISE

  I have been reading the Cisco ISE for BYOD and trying to create an Authentication Policy for EAP-TLS. When I build the new policy and add a new condition, then go to Network Access, EAPAuthentication is not an option. So I went to policy element and created a new Authentication, Compond condition and added it to the library. When I try to add it to my Authentication Policy it doesnt allow me to chose it and says only relevant conditions are selectable. Am I missing a step somewhere?
  Any help is greatly appreciated and thanks in advance!

  Thanks that's what I needed thanks. I was closing out of my current policy and inserting a new above the default. Now I need to get my certs working with my phone and ISE. Currently, we are using packetfence and Mobil iron which issues the certs during registration - still working with security team to see how this is done. When I look at the certs on my phone I can see the root certs, but when I create a SSID and chose a cert the root isnt an option. Any ideas how I can connect using a new ssid with the root certs on my phone?

• Cisco ISE - eap-peap and eap-tls

  Hi,
  Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
  I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
  If peap use this identity source, if tls use 'this certificate authentication profile'.
  Thx

  OK,
  so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
  The authentication policy was allowing EAP-TLS & EAP-PEAP.
  I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
  What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
  In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
  When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
  Hope that helps.
  Mario

• WLC 4400: EAP-TLS

  Good day!
  I tried to set up the EAP-TLS according to
  - http://cciew.wordpress.com/2010/06/10/eap-tls-on-the-wlc/
  - http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080a77592.shtml
  - Jeremy video about EAP-TLS
  The main question is about certificates.
  Tell me if I am wrong -  There are two types of certificates that we need to upload to the WLC:
  1) Device certificate - this is quite clear, OpenSSL, Certificate Request and e.t.c.
  2) CA Root certificate - if there is only one CA Root than clear, but if we have the following chain
  Root CA -> Intermediate CA -> WLC
  a) Do we need to upload the whole chain "Root CA -> Intermediate CA" to the WLC ?
  b) If yes, what format is it going to be? maybe smth like this
  ------BEGIN CERTIFICATE------
  *Intermediate CA cert *
  ------END CERTIFICATE--------
  ------BEGIN CERTIFICATE------
  *Root CA cert *
  ------END CERTIFICATE------

  Nicolas, thank you for your reply!
  1)
  I've already seen the article, but now notice some interesting fact:
  "Note: Chained certificates are supported for web authentication only; they are not supported for the management certificate."
  Regarding this note, do we need to bundle any certificates for EAP-TLS scheme?
  2)
  On the WLC we have an opportunity to download two types of Certificates:
  - Vendor Device Certificate - it is made of CSR request and then uploaded to the WLC in .pem format
  - Vendor CA Certificate - this is more interesting:
    Yesterday I bundled Root and Intermediate CA Certificates in one .pem file, then uploaded it to the WLC as "Vendor CA Certificate" - the result was suсcessful! During the EAP-TLS auth process SSL Handshake completed sucessfully and I connected to my EAP WLAN!
  In the controller Client Properties I saw the EAP TLS>
  Everything seems to be ok, strange...
  May be, the chain of Root and Intermediate CA Certificates is the redundant information, but the scheme seems to be working!

• Cisco 7921 - Does anyone Use EAP-TLS in their VoWLAN Deployments?

  Hi Guys,
  I am looking at making a technology decision, in regards to VoWLAN and authentication.
  For our Data Deployment, we use EAP-TLS with a PKI infrastructure and ACS. The ACS passes fields from the certs to AD for verification.
  Can I do exactly the same for the Voice Deployment?
  Has anyone used EAP-TLS with Voice? Are there any problems? Or should I just go ahead and get some certs minted for the phones, setup some AD accounts and whey hey, its time to party?
  Many thx indeed,
  Ken

  Hi Michael,
  So looking at the deployment guide, this is worded (imho) in a confusing manor? Sorry.
  CCKM is listed under authentication, where i though CCKM is an authentication "key managment" protocol?
  It also says 802.1x authentication with AES encrytion, under the authentication heading?
  It says eap-tls, should this not say 802.1x eap-tls or collapse this with the 802.1x authentication?
  ahh, when it says 802.1x, does that mean 802.1x dynamic wep?
  Would it be correct to say, that I want to use 802.1x eap-tls with tkip and CCKM?
  Sorry, this hurts :)
  Thx,
  Ken
  Wireless Security
  When deploying a wireless LAN, you must provide security. The Cisco Unified Wireless IP Phone 7921G supports the following wireless security features.
  Authentication
  - Cisco Centralized Key Management (CCKM)
  - 802.11i (802.1x authentication + TKIP encryption)
  - 802.11i (802.1x authentication + AES encryption)
  - 802.11i (Pre-Shared key + TKIP encryption)
  - 802.11i (Pre-Shared key + AES encryption)
  - Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)
  - Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)
  - Protected Extensible Authentication Protocol (PEAP)
  - Lightweight Extensible Authentication Protocol (LEAP)
  - Open and Shared Key
  Encryption
  - Advanced Encryption Scheme (AES)
  - Temporal Key Integrity Protocol (TKIP) / Message Integrity Check (MIC)
  - 40-bit and 128-bit Wired Equivalent Protocol (WEP)
  Cisco Centralized Key Management (CCKM)
  When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time. TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.