WRVS4400N: does it support EAP-TLS?

Hi, our business was looking at purchasing one of these Cisco routers and we were curious whether it supports WPA2 EAP-TLS.

Jon,
According to the Data Sheet:
Port-based RADIUS authentication (Extensible Authentication Protocol multicast distributed switching [EAP-MDS], Protected Extensible Authentication Protocol [PEAP])
http://www.cisco.com/en/US/prod/collateral/routers/ps9923/ps9931/data_sheet_c78-496737.html

Similar Messages

  • Cisco 7921 - Does anyone Use EAP-TLS in their VoWLAN Deployments?

    Hi Guys,
    I am looking at making a technology decision, in regards to VoWLAN and authentication.
    For our Data Deployment, we use EAP-TLS with a PKI infrastructure and ACS. The ACS passes fields from the certs to AD for verification.
    Can I do exactly the same for the Voice Deployment?
    Has anyone used EAP-TLS with Voice? Are there any problems? Or should I just go ahead and get some certs minted for the phones, setup some AD accounts and whey hey, its time to party?
    Many thx indeed,
    Ken

    Hi Michael,
    So looking at the deployment guide, this is worded (imho) in a confusing manner. Sorry.
    CCKM is listed under authentication, where I thought CCKM is a "key management" protocol?
    It also says 802.1x authentication with AES encryption, under the authentication heading?
    It says EAP-TLS; should this not say 802.1x EAP-TLS, or be collapsed into the 802.1x authentication entry?
    Ahh, when it says 802.1x, does that mean 802.1x dynamic WEP?
    Would it be correct to say that I want to use 802.1x EAP-TLS with TKIP and CCKM?
    Sorry, this hurts :)
    Thx,
    Ken
    Wireless Security
    When deploying a wireless LAN, you must provide security. The Cisco Unified Wireless IP Phone 7921G supports the following wireless security features.
    Authentication
    - Cisco Centralized Key Management (CCKM)
    - 802.11i (802.1x authentication + TKIP encryption)
    - 802.11i (802.1x authentication + AES encryption)
    - 802.11i (Pre-Shared key + TKIP encryption)
    - 802.11i (Pre-Shared key + AES encryption)
    - Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)
    - Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)
    - Protected Extensible Authentication Protocol (PEAP)
    - Lightweight Extensible Authentication Protocol (LEAP)
    - Open and Shared Key
    Encryption
    - Advanced Encryption Scheme (AES)
    - Temporal Key Integrity Protocol (TKIP) / Message Integrity Check (MIC)
    - 40-bit and 128-bit Wired Equivalent Protocol (WEP)
    Cisco Centralized Key Management (CCKM)
    When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time. TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

  • Does this support EAP? LEAP? PEAP? Web Authentication?

    I am trying to access my college network at Baruch, and it's not letting me get past the authentication. Safari just freezes. Is the iPad EAP compliant? The iPhone works fine. If it's not, is Apple working on a fix?
    Honestly, for an app to promote keynotes, logging into a client's network before a presentation, I see huge problems with this. What if the client uses web authentication to access Wi-Fi? Is there a fix around this?
    Thanks

    I assume EAP types are supported just like on an iPhone. If you manually configure a connection to a wireless network, are WPA/WPA2 Enterprise choices listed? If so, that implies EAP support.
    I believe I saw other complaints about web auth not working. I assume that's an issue with iPad Safari not being able to interpret the web auth page coming from the wireless access point/controller.
    I'm unclear on what you're trying to connect to: a WLAN using web auth, or LEAP/PEAP/etc.? They are usually not used together.

  • Does E71 support EAP Enterprise?

    I'm trying to connect my E71 to work's network. It uses WPA/WPA2 with the EAP-Enterprise authentication method.
    My colleague uses an iPhone and setup was easy enough: choose 'EAP-Enterprise' and enter user + password. The certificate gets sent to his phone and it's all done.
    How is this done with the E71?

    20-Dec-2008 06:15 AM
    sanjaymehta wrote:
    3. Even if you do get the certificate and have the right EAP support, you might not be able to log on to the network. I've tried to log in using EAP-GTC and the phone just doesn't give me enough time to enter the password.
    I think that the reason why you are not getting enough time to enter your EAP-GTC password on the phone UI is more likely caused by impatient WLAN access point behaviour than by something being wrong on the phone side.
    Some WLAN access points are by default configured to expect EAP authentication response packets from the client within a few seconds of the request that the AP sends to the client. Typically, after the AP's EAP response timeout occurs, the AP will trigger a new EAP authentication sequence towards the client, causing yet another EAP-GTC password query on the client that the user again has not enough time to answer properly.
    This type of AP behaviour will cause a loop of consecutive password queries on the client side, which is especially problematic for EAP authentication methods requiring the user to enter their username/password credentials (i.e. GTC, as well as MSCHAPv2 and LEAP in case credentials were not saved in advance into the IAP settings).
    Depending on the WLAN access point, you might be able to adjust your AP's EAP timeout (sometimes referred to as 802.1x) parameters so that the AP gives EAP clients more time to respond before initiating a new (retry) authentication sequence. You could check your WLAN AP for a setting named something like "EAP timeout", "802.1x timeout" or similar and try increasing this value, assuming such a configuration parameter is available.
    Another potential workaround (if your authentication infrastructure supports it and you are not using one-time passwords) is to use PEAP or TTLS with MSCHAPv2 instead of EAP-GTC and save your MSCHAPv2 username/password credentials into the phone's IAP settings beforehand, which removes the need for password entry during the EAP authentication process.

  • Apple macosx machine authentication with ISE using EAP-TLS

    Hello,
    On an ongoing setup we are using EAP-TLS authentication with account validation against AD. We have our own CA (Microsoft based). ISE version 1.2.1 patch 1.
    With Windows machines all is working well. We are using computer authentication only.
    Now the problem is that we wish to do the same with Mac OS X machines.
    We are using the Casper software suite and are able to push certificates into Mac OS X, and are doing machine authentication.
    In ISE the certificate authentication profile is set to look at the subject alternative name (DNS name) of the machines. Whenever we set it to the UPN (hostname$), Windows accounts are not found in AD.
    When Mac OS X machines authenticate as machines (they have a computer account in AD) they present themselves with RADIUS User-Name = hostname$ instead of host/hostname.
    The consequence is that, lacking the host/ prefix, ISE considers this a user authentication instead of a computer one, and when it sets off to find the account it searches the User class instead of Computer, which obviously returns no results.
    Is anybody aware of any way to force Mac OS X to present a host/hostname RADIUS User-Name when authenticating?
    Any similar experiences of authenticating Mac OS X with ISE and machine/computer authentication are welcome.
    Thanks
    Gustavo Novais
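    The identity problem described above, as an added example for this thread (not ISE code): a RADIUS server fronting AD has to decide from the User-Name alone whether to search for a user or a computer object. The `treat_dollar_as_machine` switch is a hypothetical knob for a RADIUS server you control, not an ISE option, and the hostnames are constructed.

```python
"""Classify an EAP-TLS supplicant's RADIUS User-Name and build the AD lookup.
Added example, not ISE code; 'treat_dollar_as_machine' is a hypothetical knob."""
import re
from dataclasses import dataclass

# Windows supplicants send machine identities as host/<fqdn>[@realm];
# the macOS supplicant in the post sends the sAMAccountName form <host>$.
HOST_FORM = re.compile(r"^host/(?P<fqdn>[^@/\\]+)(?:@(?P<realm>.+))?$", re.IGNORECASE)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so a crafted User-Name such as 'x)(objectCategory=*'
    cannot change the filter that is sent to AD."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


@dataclass(frozen=True)
class Identity:
    kind: str          # "machine" or "user"
    sam_account: str   # sAMAccountName to look up
    ldap_filter: str   # filter that targets the right object category in AD


def _machine(sam: str) -> Identity:
    return Identity("machine", sam,
                    f"(&(objectCategory=computer)(sAMAccountName={ldap_escape(sam)}))")


def classify(user_name: str, treat_dollar_as_machine: bool = False) -> Identity:
    """host/<fqdn> -> computer search; everything else -> user search, unless the
    caller opts in to reading a trailing '$' as a computer account."""
    m = HOST_FORM.match(user_name)
    if m:
        short_host = m.group("fqdn").split(".")[0]
        return _machine(short_host + "$")
    name = user_name.split("\\", 1)[1] if "\\" in user_name else user_name   # DOMAIN\user
    name = name.split("@", 1)[0]                                              # user@realm
    if name.endswith("$") and treat_dollar_as_machine:
        return _machine(name)
    # objectCategory=person matches user accounts only. (objectClass=user would
    # also match computers, because the AD computer class inherits from user,
    # but a server that treats 'host$' as a user never gets that far.)
    return Identity("user", name,
                    f"(&(objectCategory=person)(sAMAccountName={ldap_escape(name)}))")
```

    Running `classify("pc01$")` shows the failure mode: without the opt-in it becomes a user search that can never find a computer object, which is the empty AD result the post describes.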

    Additional information from the above question.
    I have the following setup;
    ACS 3.2(3) build 11 appliance
    -Cisco AP1200 wireless access point
    -Novell NDS to be used as an external database
    -Windows 2003 Enterprise with standalone Certificate Authority Services installed
    -Windows XP SP2 Client
    My goal is to use the Windows XP native WLAN utility to connect to the AP using EAP-TLS authentication against Novell NDS.
    Tried to connect using the Cisco compatible WLAN utility and authenticate using EAP-GTC against Novell NDS for users; it works fine and perfectly.
    When connecting using EAP-TLS, I get an error from ACS in failed attempts: "Auth type Not supported by External DB". But the ACS documentation says that it supports EAP-TLS. How true is this? Does anybody have the same problem? Do I need to upgrade my ACS? What should I do? What other authentication type could be used to utilize the native WinXP WLAN utility?
    Please help...
    Thanks

  • EAP-TLS w/freeradius failing. Phone doesn't present Client certificate.

    Hello,
    I'm currently on the first phases of deploying a Cisco IPT 802.1X based proof of concept using freeradius, Cisco switching infrastructure (4500's).
    The requirements are to use EAP-TLS authentication for the phones, and freeradius as Radius Server.
    While trying out the concept in lab using an ISE Radius server, the configuration was straightforward and I did manage to authenticate IP phones using their MIC certificates to the ISE.
    Going to actual testing with freeradius, EAP-TLS authentication keeps looping, the phones keep sending RADIUS Access requests, but not being rejected or allowed.
    What was done:
    - set up freeradius with EAP-TLS configuration, trusting both the Cisco CA root and the manufacturing root.
    - freeradius has a server certificate generated by Thawte SSL CA certificate, where EKU fields are properly set for server authentication (and also client authentication)
    - Phone had 802.1X enabled (and it does support EAP-TLS, as verified with the ISE test)
    What I can see while running a wireshark trace on freeradius is:
         - both parties negotiate properly that they will engage in EAP-TLS.
         - they  start the TLS handshake
         - Server sends its certificate in a Server Hello to the phone (which is meant not to validate it)
         - Client (phone) never sends its certificate (MIC) to the server.
         - Client restarts EAP-TLS negotiation and goes on and on.
    Unfortunately the debugs/captures on freeradius do not allow me to verify whether the server certificate exchange is finished, or whether it is failing somewhere (like a fragment being dropped).
    Does anyone have an idea of what might be happening? I find it very strange that the phone, on a freeradius deployment, would behave differently than on an ISE deployment, especially because it doesn't validate the server certificate, so it shouldn't matter what is presented to the phone.
    Phone firmware is 9.2(3) and CallManager 8.6
    Thanks
    Gustavo Novais

    Found the problem. Apparently ADU can't access certificate store if client is not part of the AD domain
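    The "fragment being dropped" hypothesis in the freeradius post above, as an added example that is not part of the original thread or of FreeRADIUS: a server certificate chain rarely fits in one EAP packet, so EAP-TLS (RFC 5216) splits each TLS flight into fragments with the L/M/S flag byte, and the peer acknowledges every fragment with an empty EAP-Response/TLS. The TLS flight and MTU below are constructed values; the code implements the RFC framing, not a particular vendor's behaviour.

```python
"""EAP-TLS (RFC 5216) fragmentation and reassembly. Added example for the
capture discussed above; the TLS flight and EAP MTU are constructed values."""
import struct
from typing import List, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length-included, More fragments, Start


def fragment_tls(tls_flight: bytes, first_id: int, eap_mtu: int) -> List[bytes]:
    """Split one TLS flight (e.g. ServerHello..ServerHelloDone) into EAP-Request/TLS packets.
    The first fragment carries L and the total TLS length; all but the last carry M."""
    packets, offset, ident = [], 0, first_id
    while True:
        first = offset == 0
        header_len = 6 + (4 if first else 0)   # Code,Id,Length,Type + Flags (+ TLS length)
        chunk = tls_flight[offset: offset + eap_mtu - header_len]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_flight) else 0)
        body = bytes([flags]) + (struct.pack("!I", len(tls_flight)) if first else b"") + chunk
        packets.append(struct.pack("!BBHB", EAP_REQUEST, ident & 0xFF, 5 + len(body), EAP_TYPE_TLS) + body)
        ident += 1
        if offset >= len(tls_flight):
            return packets


def eap_tls_ack(ident: int) -> bytes:
    """Empty EAP-Response/TLS (flags 0, no data): the peer's acknowledgement of a fragment."""
    return struct.pack("!BBHB", EAP_RESPONSE, ident & 0xFF, 6, EAP_TYPE_TLS) + b"\x00"


class Reassembler:
    def __init__(self) -> None:
        self.expected: Optional[int] = None
        self.buf = bytearray()

    def feed(self, packet: bytes) -> Optional[bytes]:
        """Return the complete TLS flight when the last fragment arrives, else None."""
        code, ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
        if eap_type != EAP_TYPE_TLS or length != len(packet):
            raise ValueError("malformed EAP-TLS packet")
        flags, pos = packet[5], 6
        if flags & FLAG_L:
            self.expected = struct.unpack("!I", packet[6:10])[0]
            pos = 10
            self.buf = bytearray()
        self.buf += packet[pos:]
        if flags & FLAG_M:
            return None                        # more to come; answer with eap_tls_ack(ident)
        data = bytes(self.buf)
        expected, self.expected, self.buf = self.expected, None, bytearray()
        if expected is not None and len(data) != expected:
            raise ValueError(f"reassembled {len(data)} bytes, header announced {expected}")
        return data


def deliver(packets: List[bytes], drop: Optional[int] = None) -> Optional[bytes]:
    """Feed fragments in order, optionally dropping one as a lossy RADIUS path would.
    Returns the TLS flight, or None when it cannot be completed (the peer would then
    restart the EAP-TLS conversation, which is what a capture shows as a loop)."""
    reassembler, result = Reassembler(), None
    try:
        for index, packet in enumerate(packets):
            if index == drop:
                continue
            out = reassembler.feed(packet)
            if out is not None:
                result = out
    except ValueError:
        return None
    return result
```

    If the RADIUS server's `fragment_size` exceeds what the switch or phone can pass, the symptom is exactly a flight that never completes; comparing the announced TLS length in the first fragment with the sum of the fragments in the capture is the quickest check.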

  • EAP-TLS with machine certificate

    Hello all,
    I'm looking for a solution to authenticate both machines and wireless users. I've been finding solutions like EAP-TLS using the machine certificate to establish the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now I want to know if it is possible to use this configuration with ACS RADIUS servers and what OSs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOS, Android...).
    Thanks a lot.
    Best regards.

    Hi Alfonso, 
    Certificate Retrieval for EAP-TLS Authentication
    ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
    ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
    After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
    Configuring CA Certificates
    When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
    If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
    You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
    Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
    Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate.
    Also check the below link,  
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404
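    The "binary comparison" step quoted above, as an added example that is not ACS code: the presented client certificate is normalised to DER and compared byte-for-byte against each value of the account's userCertificate attribute. The certificate bytes below are constructed stand-ins (a DER wrapper around a serial), not real X.509, so no parsing library is needed to run it offline.

```python
"""Binary comparison of a presented client certificate against the values in an
AD account's userCertificate attribute. Added example, not ACS code; the
certificates are constructed stand-ins, not real X.509 objects."""
import base64
import hashlib
import hmac
import re
from typing import List

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert: bytes) -> bytes:
    """Normalise PEM or DER input to DER: AD stores DER, while a supplicant or an
    admin pasting into a tool may hand over PEM."""
    m = PEM_BLOCK.search(cert)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return bytes(cert)


def to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines) + b"\n-----END CERTIFICATE-----\n"


def fingerprint_sha256(cert: bytes) -> str:
    """Thumbprint as usually logged; computed over DER so PEM and DER agree."""
    return hashlib.sha256(to_der(cert)).hexdigest()


def binary_match(presented: bytes, user_certificate: List[bytes]) -> bool:
    """True when the presented certificate is byte-for-byte one of the stored ones.
    The comparison is constant-time; a length mismatch simply compares unequal."""
    der = to_der(presented)
    return any(hmac.compare_digest(der, to_der(stored)) for stored in user_certificate)


def stub_der(serial: bytes) -> bytes:
    """Constructed stand-in for a DER certificate: SEQUENCE { INTEGER serial }."""
    body = b"\x02" + bytes([len(serial)]) + serial
    return b"\x30" + bytes([len(body)]) + body
```

    The operational consequence of a binary match is visible in the test: a renewed certificate (new serial, same subject) stops matching until the new DER is written back to userCertificate, so certificate renewal must be coupled with updating the AD attribute or machines drop off the network on the renewal date.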

  • EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

    Good Morning...
    I've been working on moving our clients over to EAP-TLS with machine auth for some time. I moved the IT department over a couple of months ago as a test with no issues reported, and have tested on a few of our medical carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of carts (specifically using the Atheros 5006x 7.x driver, no client), I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or roams that occur anywhere from every 2 minutes, to every 10 minutes, to every 5 hours. These carts move around a lot as they are pushed from one patient room to another, so I'm guessing the drops are occurring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping, but the software we use (Meditech) is very connection sensitive; in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more efficient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLCs to not reauthenticate on the roam. I'm guessing something must be able to be tweaked if the 7921s and 25s support EAP-TLS, as this type of latency would never work. By the way, I'm using an ACS 4.2 as my authentication platform mapped back to AD.

    You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.
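    The "reauth with a PMK" the reply refers to, as an added example that is not WLC code: under WPA2 a station that still holds the PMK from an earlier full EAP-TLS exchange advertises the PMKID for it in its (re)association request, and an AP that finds that PMKID in its cache goes straight to the 4-way handshake. The PMKID derivation below is the IEEE 802.11i one for the SHA-1 AKMs; the controller-wide "opportunistic key caching" branch is a vendor extension and is modelled here as an assumption about how such a cache behaves, and the MSK/PMK values and MAC addresses are constructed.

```python
"""PMK caching on reassociation: why a WPA2 roam can skip the full EAP-TLS
exchange. Added example, not WLC code. PMKID follows IEEE 802.11i for the
SHA-1 AKMs (SHA-256 AKMs use HMAC-SHA-256 instead); OKC is modelled as an
assumption; keys and MAC addresses are constructed."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple


def pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = Truncate-128(HMAC-SHA1(PMK, "PMK Name" || AA || SPA))."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


class Controller:
    """Per-AP PMKID caches (plain 802.11i caching) plus, with okc=True, a
    controller-wide PMK per station so an AP the client never visited can
    still validate the PMKID the client proposes."""

    def __init__(self, okc: bool) -> None:
        self.okc = okc
        self.cache: Dict[bytes, Dict[bytes, bytes]] = {}   # ap_mac -> {pmkid: pmk}
        self.shared_pmk: Dict[bytes, bytes] = {}            # sta_mac -> pmk (OKC only)
        self.full_auths = 0

    def full_8021x(self, ap: bytes, sta: bytes) -> bytes:
        """Stand-in for a complete EAP-TLS run; derives a fresh (constructed) PMK."""
        self.full_auths += 1
        pmk = hashlib.sha256(b"constructed MSK" + sta + bytes([self.full_auths])).digest()
        self.cache.setdefault(ap, {})[pmkid(pmk, ap, sta)] = pmk
        self.shared_pmk[sta] = pmk
        return pmk

    def associate(self, ap: bytes, sta: bytes, proposed: List[bytes]) -> Tuple[bool, Optional[bytes]]:
        """The station lists PMKIDs in its RSN IE. Returns (fast_roam, new_pmk_or_None)."""
        for pid in proposed:
            if pid in self.cache.get(ap, {}):
                return True, None                       # cache hit: straight to 4-way handshake
            shared = self.shared_pmk.get(sta)
            if self.okc and shared is not None and pmkid(shared, ap, sta) == pid:
                self.cache.setdefault(ap, {})[pid] = shared   # OKC: adopt the PMK on this AP
                return True, None
        return False, self.full_8021x(ap, sta)          # miss: full EAP exchange, packets drop meanwhile


class Station:
    def __init__(self, mac: bytes) -> None:
        self.mac = mac
        self.pmk_for_ap: Dict[bytes, bytes] = {}
        self.latest: Optional[bytes] = None

    def pmkids_for(self, ap: bytes) -> List[bytes]:
        """PMKIDs to advertise: the one for this BSSID if known, plus the newest PMK (OKC)."""
        out: List[bytes] = []
        for pmk in (self.pmk_for_ap.get(ap), self.latest):
            if pmk is not None and pmkid(pmk, ap, self.mac) not in out:
                out.append(pmkid(pmk, ap, self.mac))
        return out

    def learn(self, ap: bytes, pmk: bytes) -> None:
        self.pmk_for_ap[ap] = pmk
        self.latest = pmk


def roam_scenario(okc: bool) -> Tuple[List[bool], int]:
    """Cart roams AP1 -> AP2 -> AP1. Returns (fast-roam flag per hop, full 802.1X count)."""
    wlc = Controller(okc)
    sta = Station(bytes.fromhex("001122334455"))
    ap1, ap2 = bytes.fromhex("aabbccddee01"), bytes.fromhex("aabbccddee02")
    hops: List[bool] = []
    for ap in (ap1, ap2, ap1):
        fast, new_pmk = wlc.associate(ap, sta.mac, sta.pmkids_for(ap))
        if new_pmk is not None:
            sta.learn(ap, new_pmk)
        hops.append(fast)
    return hops, wlc.full_auths
```

    With plain caching the first visit to every AP still costs a full EAP-TLS run; only the return to AP1 is fast. With a controller-wide cache the second hop is already fast. Either way the driver must actually advertise the PMKID, which is the part to confirm for the Atheros client in the post; a supplicant that does not is always doing the full exchange. 802.11r fast transition is the standardised alternative to this and to CCKM.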

  • 7921 or 7921G - Is there a Difference - Want to use EAP-TLS

    Hi All,
    I have a Cisco 7921G and there is conflicting info about the phones supporting EAP-TLS.
    Some docs say yes it does, some say it does not?
    Many thx indeed,
    Ken
    I don't have the option on my phones (under WLAN config), and was wondering if I need to order a different phone?
    Also, as just posted in another thread, can you use MS AD to manage the phones, like you can have data devices doing a compare of SAN/CN/binary to MS AD?
    Many thx indeed,
    Ken

    Thx dude.
    This is almost real-time :)))
    Top man.
    A question out to all else: does anyone use MS AD to manage phones, like you can with laptops running Windows, or is this a no-go?
    Thx
    Ken

  • EAP-TLS and EAP-PEAP Clients

    Hi guys
    I have installed a dot1x solution for a customer using ISE. The IP phones have certificates from the CUCM server. In ISE a wired dot1x policy with EAP-TLS enabled is configured so that when IP phones or PCs connect to the network they get authenticated using EAP-TLS. I have the required certificates imported on the PCs and the ISE server. That part works absolutely fine.
    Now I have been asked to configure EAP-PEAP for video endpoints which don't support EAP-TLS.
    The endpoints are configured with a username and password. The credentials are created in the ISE server.
    I created a second policy for wired dot1x with EAP-PEAP enabled.
    The problem I am hitting is that if the PC and phone policy is on top, the phone and PC get authenticated, but the video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
    When I move the video endpoint authentication rule above the PCs and phones, the video endpoints get authenticated successfully, but PC and phone authentication breaks. The error message I receive says username and password expected but received certificate-based authentication.
    Has anyone seen this type of scenario? Any idea how to make EAP-PEAP and EAP-TLS authentication work together?
    Thanks in advance.
    Sent from Cisco Technical Support iPad App

    Hi,
    There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
    You need to create an identity store sequence. This allows you to mix both certificate-based and password-based authentications; keep in mind that you can only map one Certificate Authentication Profile when using identity store sequences. More information about configuring this is provided below:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
    The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
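    The rule-ordering problem in the question and the two fixes in the answer, as an added example that is not ISE code: a first-match policy in which both rules are keyed only on "wired 802.1X" can never serve both credential types, while either an identity store sequence (one certificate profile plus password stores, dispatching on what the request carries) or rules keyed on the EAP method and a User-Name pattern does. Store contents, SANs, the `video-` naming pattern and the password are constructed assumptions.

```python
"""First-match authentication policy, modelled to show why two rules keyed only
on 'wired dot1x' cannot both work, and how the two fixes from the reply behave.
Added example, not ISE code; names, SANs and the 'video-' pattern are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    access: str                      # e.g. "wired_dot1x"
    eap: str                         # "EAP-TLS" or "PEAP-MSCHAPv2"
    user_name: str                   # RADIUS User-Name
    cert_san: Optional[str] = None   # set for certificate-based requests
    password: Optional[str] = None   # set for password-based requests


class CertStore:
    """Certificate Authentication Profile: can only judge a certificate."""
    def __init__(self, known_sans: List[str]) -> None:
        self.known = set(known_sans)

    def authenticate(self, req: Request) -> str:
        if req.cert_san is None:
            return "fail: certificate expected, received credentials"
        return "pass" if req.cert_san in self.known else "fail: unknown certificate"


class InternalUsers:
    """Password store: can only judge a username/password."""
    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users

    def authenticate(self, req: Request) -> str:
        if req.password is None:
            return "fail: username and password expected, received certificate"
        return "pass" if self.users.get(req.user_name) == req.password else "fail: bad password"


class StoreSequence:
    """Identity store sequence: exactly one certificate profile plus password stores in order."""
    def __init__(self, cert_store: CertStore, password_stores: List[InternalUsers]) -> None:
        self.cert_store, self.password_stores = cert_store, password_stores

    def authenticate(self, req: Request) -> str:
        if req.cert_san is not None:
            return self.cert_store.authenticate(req)
        result = "fail: no password store"
        for store in self.password_stores:
            result = store.authenticate(req)
            if result == "pass":
                break
        return result


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    store: object


def evaluate(policy: List[Rule], req: Request) -> str:
    """First match wins: the first rule whose condition holds owns the request."""
    for rule in policy:
        if rule.matches(req):
            return rule.store.authenticate(req)
    return "fail: no matching rule"


def is_wired(req: Request) -> bool:
    return req.access == "wired_dot1x"


CERTS = CertStore(["pc01.corp.example.com"])
USERS = InternalUsers({"video-room1": "constructed-password"})
PC = Request("wired_dot1x", "EAP-TLS", "host/pc01.corp.example.com", cert_san="pc01.corp.example.com")
VIDEO = Request("wired_dot1x", "PEAP-MSCHAPv2", "video-room1", password="constructed-password")


def broken_policy(pc_rule_first: bool) -> List[Rule]:
    """Both rules keyed on wired dot1x only: whichever is first swallows both request types."""
    rules = [Rule("pc and phones", is_wired, CERTS), Rule("video endpoints", is_wired, USERS)]
    return rules if pc_rule_first else rules[::-1]


def sequence_policy() -> List[Rule]:
    """Fix 1: one rule whose store is an identity store sequence."""
    return [Rule("wired dot1x", is_wired, StoreSequence(CERTS, [USERS]))]


def conditioned_policy() -> List[Rule]:
    """Fix 2: key the rules on the EAP method and on a User-Name regex."""
    return [
        Rule("EAP-TLS", lambda r: is_wired(r) and r.eap == "EAP-TLS", CERTS),
        Rule("video by name", lambda r: is_wired(r) and re.match(r"^video-", r.user_name) is not None, USERS),
    ]


def outcomes(policy: List[Rule]) -> Dict[str, str]:
    return {"pc": evaluate(policy, PC), "video": evaluate(policy, VIDEO)}
```

    The two error strings returned by the broken policies are the same two messages the question quotes, one for each ordering. Of the two fixes, the EAP-method condition is the more robust one: a username pattern is chosen by whoever configures the endpoint, whereas the EAP type is what the supplicant actually negotiated.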

  • 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

    Hello, my team is looking for switches supporting 802.1x authentication with either the EAP-TTLS or EAP-TLS protocol, with dynamic VLAN assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only the SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support dynamic VLAN assignment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce support for EAP-TLS/EAP-TTLS but no dynamic VLAN assignment. Thank you for any help.

    SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.
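    What "dynamic VLAN assignment" actually consists of on the wire, as an added example that is not Linksys or Cisco code: the RADIUS server returns three tagged tunnel attributes (RFC 2868, applied to 802.1X by RFC 3580) in the Access-Accept, and the switch either honours them or ignores them. The assignment is an authorization result, so it does not depend on whether the session used EAP-TLS, EAP-TTLS or another method; the question to put to a vendor is whether the switch acts on these attributes at all. The VLAN values below are constructed.

```python
"""RADIUS attributes carrying a dynamic VLAN assignment (RFC 2868 / RFC 3580),
encoded and decoded. Added example for the question above, not switch code;
VLAN values are constructed."""
import struct
from typing import Dict, List, Optional, Tuple, Union

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def encode_vlan_assignment(vlan: Union[int, str], tag: int = 1) -> bytes:
    """Three tagged attributes, grouped by a common tag, as an Access-Accept carries them."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must fit in 0x00..0x1F")

    def tagged_int(attr: int, value: int) -> bytes:
        return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

    group_id = str(vlan).encode("ascii")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
            + struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(group_id), tag) + group_id)


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Walk the Type/Length/Value list; a length that runs past the buffer is rejected."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr, blob[pos + 2:pos + length]))
        pos += length
    return out


def vlan_from_access_accept(blob: bytes) -> Optional[Union[int, str]]:
    """Return the VLAN id (or VLAN name) only when a complete, consistently tagged
    VLAN/IEEE-802 group is present; otherwise None, so the port stays on its
    default VLAN instead of acting on half an assignment."""
    groups: Dict[int, Dict[int, bytes]] = {}
    for attr, value in parse_attributes(blob):
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                continue                                   # tag octet + 3-byte integer
            groups.setdefault(value[0], {})[attr] = value[1:]
        elif attr == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading octet above 0x1F is data, not a tag
            tag, gid = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            groups.setdefault(tag, {})[attr] = gid
    for group in groups.values():
        if (int.from_bytes(group.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b""), "big") == MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            return int(gid) if gid.isdigit() else gid
    return None
```

    A VLAN name (rather than a number) in Tunnel-Private-Group-ID only works when the switch can map names to VLAN ids locally, which is one more thing a data sheet rarely states; sending the numeric id avoids the question.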

  • Nokia E66 EAP-TLS error

    Hi, I am configuring a Nokia E66 (which is v4 in Cisco Compatible Extensions, so it supports EAP-TLS) with WPA2 EAP-TLS against IAS in a Cisco wireless network and I always obtain the same error in the IAS event viewer.
    denied access
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 16
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.
    Has anybody tried E66 with EAP-TLS?
    Any experiences?

    Yes, this is my setup
    - hidden network
    - infrastructure
    - security: WPA/WPA2
    - EAP
    - Plug-ins: EAP-TLS. I select the user certificate and the CA certificate. User name from the certificate, domain from the certificate
    - WPA2 only mode
    In the IAS log the username is correct, but this strange error always appears. The certificates and infrastructure I use work well on a notebook.
    Thanks

  • EAP-TLS not working on WinXP client, but does work on W2k?

    Hi
    So I've got EAP-TLS setup using a W2K IAS server as RADIUS, W2K certificate server and cisco 1100 APs. I've got computer certs on four notebooks of which 2 are W2k and the other two are XP. On the W2k PCs I am able to pop in my wireless 350 card and get an IP before logging in (as seen via the dhcp server) and then once logged in, the user cert is used to further authenticate and remain connected to the network (as seen via the IAS logs). Yet when I try to pop in my wireless card on the XP PCs, I get no IP address and nothing ever shows up in the IAS logs...the 1100 ap says that its associated but nothing more. Does anyone have any ideas. Thanks
    Jason

    Jason,
    Can you authenticate from the XP clients using LEAP or something other than EAP-TLS?
    If not, I would look at upgrading the 350 card drivers on the XP machines to the latest.
    I have had problems before using the CardBus PCMCIA adapters on XP; when I installed the latest drivers it worked.
    Let me know how you get on?
    Rgds,
    Paddy

  • Can ACS support multiple Active Directory Domains for 802.1x EAP-TLS?

    Hi
    I'm looking to implement ACS 5.2 using 802.1X; we have two separate AD domains.
    Now.. this is the tricky part...
    A single switch will need to support both ADs, so if a machine in AD1 is connected, it will be authenticated to the ACS using AD1 and applied to VLAN1, while a machine that is in AD2 will be authenticated to AD2 and applied to VLAN 2.
    I'm looking at machine authentication, not user authentication, so I assume that I will need to import two certs from each AD.
    Can any expert please let me know if they think that this will be possible please??
    Many thanks

    Yes ACS can support multiple AD domains but you will have to configure one as your AD domain and the other as an LDAP database and this will work since you are planning to use eap-tls.
    The question I have is which version of ACS are you using? If you are using ACS 5.x then you can set up an identity store sequence so if the user is not found you can move to the next store, and this will prevent you from installing two certificates on every machine.
    You can then set up an authorization rule for the separate containers where the workstations are located (this is assuming machine authentication is being used) for the AD database or the LDAP database and then assign the VLAN based off that.
    Thanks and I hope this helps!
    Tarik Admani

  • Pandora message "Pandora believes your browser does not support modern SSL/TLS" and everything seems disabled on the site-how fix?

    I have been using Firefox for a long time as my browser and typically play Pandora while at my office most days. For the first time today I received a pop-up message "Pandora believes your browser does not support modern SSL/TLS. Consider upgrading your browser" when I logged on to Pandora. I checked and I am on the latest version of Mozilla Firefox. I am unable to control volume or log out of Pandora now. I did some Google searches and found Mozilla disabled SSL 3.0 due to a "POODLE" attack. Does that mean that I can no longer use Firefox as my browser when I want to listen to music on Pandora, or is there "a fix"? Thanks!

    Mozilla Firefox, as of Firefox 34, has the vulnerable SSL 3.0 disabled and now only allows TLS 1.0 at minimum up to TLS 1.2.
    https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
    So Pandora is incorrect if they believe Firefox is not safe to use.
    Actually Pandora potentially needs to do a bit of upgrading themselves.
    https://www.ssllabs.com/ssltest/analyze.html?d=www.pandora.com&s=208.85.40.50
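    The server-side counterpart of what Firefox 34 did on the client, as an added example that is neither Mozilla's nor Pandora's code: a TLS server context that refuses SSL 3.0 (and, since the floor has moved since 2014, TLS 1.0 and 1.1 too), so that a POODLE-style downgrade has nothing to fall back to. It uses Python's standard `ssl` module as-is; the certificate and key paths are left to the caller.

```python
"""TLS server context with SSL 3.0 (POODLE) and the older TLS versions refused.
Added example, not Pandora or Mozilla code; uses Python's ssl module as-is."""
import ssl
from typing import List, Optional

_ORDER = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def hardened_server_context(certfile: Optional[str] = None, keyfile: Optional[str] = None) -> ssl.SSLContext:
    """PROTOCOL_TLS_SERVER already excludes SSLv2; this pins the floor at TLS 1.2 and
    also disables SSLv3 explicitly, which is the POODLE fix on the server side."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv3 | ssl.OP_NO_COMPRESSION   # no SSLv3, no CRIME-style compression
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)                 # caller supplies the paths
    return ctx


def enabled_versions(ctx: ssl.SSLContext) -> List[str]:
    """Protocol versions a peer could still negotiate with this context's settings."""
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = _ORDER[0]
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = _ORDER[-1]
    sslv3_off = bool(ctx.options & ssl.OP_NO_SSLv3)
    return [v.name for v in _ORDER
            if low <= v <= high and not (v == ssl.TLSVersion.SSLv3 and sslv3_off)]
```

    `enabled_versions` is the check to run on any context handed to a listener: if "SSLv3" is in the list, a client that offers only SSL 3.0 will be served, and the SSL Labs report linked above will say so.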
