Authorization of EAP - TLS machine uses ACS 5.2

Similar Questions

• Cisco ACS with external DB - EAP - TLS

  Hi guys,.

  I understand how the EAP - TLS exchange works (I think), but if I have a client (with or without wire) that uses EAP - TLS with a CBS, I confirm the following.

  Let both users and computer certificates are used:

  1. customer and ACS are with each of the other automatic certificates to ensure they are known to each other. The eap - tls Exchange.

  2A. At any given time and I'm assuming until the successful eap - tls message is sent to the client, the ACS to check if the user name or computer name is in the AD database?

  2B. Wot is the parameter that is checked on the AD database?

  I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517

  Client certificates

  The client certificates are used to identify with certainty the user in EAP - TLS. They have no role in the construction of the TLS tunnel and are not used for encryption. A positive identification is made by one of three ways:

  CN (or name) comparison-compare CN in the certificate with the user name in the database. More information on this type of comparison is included in the description of the subject field of the certificate.

  Comparison of SAN-compare the San in the certificate with the user name in the database. It is only supported from the ACS 3.2. More information on this type of comparison is included in the description of the field another name of the subject of the certificate.

  Binary comparison - compare the certificate with a binary copy of the certificate stored in the database (only AD and LDAP for that). If you use the binary comparison of certificate, you must store the user certificate in a binary format. Also, for the generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".

  3. with the foregoing, if options 1 or 2 are used (CN or SAN comparison), I guess it's just a check between a value out the CERT of the ACS and checked with AD, is that correct? With option 3, GBA exercise a complete comparison of the certificate between what the client and a "cert stored client" on the AD DB?

  Please can someone help me with these points.

  I'm so lost in this kind of things :)) I think.

  Thx a lot and best regards,

  Ken

  TLS only * handle * is complete/successful, but because the user authentication fails.

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 client SSL read Exchange of keys A

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 read Certificate SSL check

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: SSL = SSLv3 read state completed A

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 write change cipher spec A SSL

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: SSL = SSLv3 write finished State has

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State = SSLv3 data embedded SSL

  CryptoLib.SSLConnection.pvServerInfoCB - process of TLS data: State SSL = SSL handshake completed successfully

  EAP: EAP - TLS: handshake succeeded

  EAP: EAP - TLS: authenticated handshake

  EAP: EAP - TLS: CN using the certificate as an authentication identity

  EAP: State EAP: action = authenticate, username = 'Jousset', the user identity is "jousset.

  pvAuthenticateUser: authenticate "jousset" against CSDB

  pvCopySession: assignment session group ID 0.

  pvCheckUnknownUserPolicy: Group of session ID is 0, the call pvAuthenticateUser.

  pvAuthenticateUser: authenticate "jousset' against the Windows database

  External DB [NTAuthenDLL.dll]: Cache of Creating Domain

  External DB [NTAuthenDLL.dll]: Domain for loading Cache

  External DB [NTAuthenDLL.dll]: no UPN Suffixes found

  External DB [NTAuthenDLL.dll]: could not get the domain controller for dwacs.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: could not get the domain controller for enigma.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: could not get the domain controller for acsteam.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: could not get the domain controller for vikram.com trust, [error = 1355]

  External DB [NTAuthenDLL.dll]: domain loaded cache

  External DB [NTAuthenDLL.dll]: could not find the user jousset [0 x 00005012]

  External DB [NTAuthenDLL.dll]: user Jousset is not found

  pvCheckUnknownUserPolicy: assignment session group ID 0.

  Unknown user "jousset" was not authenticated

  If EAP-failure (RADIUS Access-Reject (is sent, no EAP-Success(Radius Access-Accept).))

  And no matter how port will not be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.

  HTH

  Kind regards

  Prem

• EAP - TLS Questions...

  Hi all

  My setup is like this...

  Laptop - LWAPP - WLC - ACS - AD

  I m using CA to generate the certificate... I set up EAP - TLS on WLC & ACS SE. everything works fine it is to tell when I issue a CA on my AD login name & install this certificate I m able to connect to the WLAN... For safety on WLC I activate WPA & 802.1 x...

  What I want is that when I start the laptop it should directly connect to the wireless network & whne I try to sign in using my user name & password that he should ask if my password is expired or something & connect to AD. But this is not case allowing to happen when we were using peap as it ask for username and paswword connect but not in the case of EAP_TLS it only to verify valid certificates...

  Thanks in advance...

  Kind regards

  Piyush

  EAP - TLS does not use a name of user and password only PEAP:

  http://TechNet.Microsoft.com/en-us/library/cc739638.aspx

• Machine based authentication using EAP - TLS, MS CA and 5.2 of the ACS

  I use ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it.  5.2 model is much more different than what I expected.  We downloaded the trial in our laboratory for 90 days, and I try to get 802. 1 x wired works so we can be sure that we want to buy it.  I've looked everywhere and I have been unable to find some basic instructions on how to configure the following in a step by step process scenario:

  1. integrated AD

  2 EAP - TLS

  3 certificates

  4 Microsoft CA

  5. the applicant is XP SP 3

  6 non-Cisco 802.1 x compatible switches (switches are not the question)

  I got GANYMEDE to work fairly easily, but I am confident the issues I have are user based :).  Does anyone know of a doc somewhere that goes on a scenario like this (in addition to the user manual and docs of migration ISBN)?  Also, we have the assurance of software on our box 4.2 - TAC support questions we have on the 5.2 box while we are it do demonstrations?

  Thanks in advance.

  Hello, Christopher.

  I'll try to give you some tips to achieve what you want.

  Additional info can be found in the user guide:

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

  1. in the identity store / Active directory, check "enable machine authentication.

  2 import a certificate for ACS

  Go to System Administration > Configuration > Local Server Certificates > Local certificates and click the Add button.

  Select how you want to import the certificate, and then verify the Protocol EAP

  3. Add your switches as aaa clients

  Access network resources > network hardware and the AAA Clients, click on create and add configure address IP + shared secret for the RADIUS.

  4-go to access policies > Access Services and click on create a new access service.

  Select the selected Type of Service and network access in the list.

  Verify the identity, group mapping and authorization

  5 - go to the access policies > rules of selection and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allows you to match your device with which you want to do TLS.

  You can use the IP address of devices, or you can create a NDG (in network resources), assign devices to the NDG and match this NDG in your rule.

  If all your switches RADIUS will make eap - tls, you can change the rule

  Rule-1

  Ray game

  Default network access

  While in the result, you choose your service of access created in step 3.

  6 - go to the access policies and click on the access service that you created in step 3. In the allowed Protocols tab, see EAP - TLS

  7. unfold your access service menu, and then click identity. Select your ad as being the source of the identity

  8. check that the 'Allowed access' rule is selected in the authorization to access your service

  These measures define your devices, and then create a rule to say that ACS must use an individual service for this access devices and set this access service to use AD as authentication.

  Again, what are the basic steps, he may miss some things to do depending on your configuration, but I hope this will help you.

  ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.

• 802. 1 x EAP - TLS for wired users with ACS 5.5

  Hi all

  We are setting up a new configuration for wired users authentication with 802.1 x (EAP - TLS). ACS 5.5 we use as an authentication server.

  We have added the certificate (internal) CA root and certifcate for ACS signed by CA. Now, we want to check that authentication works or not. I hope that the CA root and identity certifcate also we need to install in laptop computers. But I don't know how to download the certifcates for client machine manually to CA.

  Please suggest on how to get certificates for clients both manually and automatically?

  Thank you

  Vijay

  Hi Vijay,

  for Wired 802.1 x (EAP - TLS) you must have the following certificates:

  Intermediate server on ACS - Root CA, CA certificate,

  The customer - Root CA, intermediate CA, user certificate (in the case of user authentication) or Machine certificae (in the case of authentication of the computer)

  I do not know what third-party certificate you use, if its Microsoft in the House or any other certificate server, you need to download the client certificate to the server itself.

  In the case of Microsoft, there will be a user certificate template. You can select and create user certificate

  This is an old document, but a computer certificate for the user configuration steps, you can see the steps to download the certificate user if his server from Microsoft:

  http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

  In case you use the third serevr certificate, then you must check with them on how to download the certificate of the user

  See you soon

  Mohammed (rate useful message)

• Authentication EAP - TLS with ACS 5.2

  Hi all

  I have question on EAP - TLS with ACS 5.2.

  If I want to implement the EAP - TLS with Microsoft CA, how authentication computer and user will be held?

  Understand that the cert is required on the client and the server end, but is this certificate to the computer links or links to individual users?

  If the links to the user, and I have a shared PC connection by few users, is that each user account will have their own certificates?

  And each individual user will have to manually get the CA cert? is there another method that my environment has more than 3000 PCs.

  And also if it binds to the user, any user can get their CA cert with their AD username and password, if they bring in their own device and try to get the CA certificate, they will be able to properly install the cert in their device on the right?

  I hope you guys can help with that. Thank you.

  Hope this will answer most of your questions:

  Client certificate or user

  http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T10

  Computer certificate

  http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T15

  In the case of EAP - TLS we have the certificate of computer and user installed on the machines.

  Kind regards

  Jousset

  The rate of useful messages-

• ACS supports several Active Directory domains to 802. 1 x EAP - TLS?

  Hello

  I'm looking to implement 5.2 ACS using 802. 1 X, we have two distinct areas of AD.

  Now... That's the tricky part...

  One switch must support two ads, if an AD1 computer, it will be authenticated to the ACS using AD1 and applied to the VLAN1, whereas a machine located in AD2 is authenticated to AD2 and applied to VLAN 2.

  I'm looking for machine authentication, user authentication, so I guess I'll need two certificates of import of each ad.

  Can any expert please let me know if they think that this will be possible please?

  Thank you very much

  Yes ACS can support several areas of the AD, but you need to configure one of your AD domain name and the other as a LDAP database and it will not work because you plan to use eap - tls.

  The question I have is how ACS version do you use? If you use ACS 5.x, you can set up and storage of identity of sequence, so if the user is not you can move to the next store and this will prevent you from installing two certificates on each machine.

  You can then configure an allow rule for separate containers on which there are workstations (that's assuming that the machine authentication is used) for the AD database or the Protocol LDAP database, and then assign the vlan based on that.

  Thank you and I hope this helps!

  Tarik Admani

• Install certificates for EAP - TLS does ACS does not work

  Hi all

  I have two problems.

  I produced a CSR ACS and sent my people to windows this and they published my ACS with a certificate. Cool.

  I'm going to download the GBA and I put a 'private key file?

  What is this file? and where can I get a? What is this long string of characters that generate the CSR, I sent the boys of windows?

  Also, I managed to just put any old rubbish in there? and I was surprised he accepted.

  Restarted the service IS and I tried to turn it on eap - tls on the "Overall Authentication Configuration" page to get only the message

  Could not initialize authentication PEAP or EAP - TLS because that Protocol

  certificate is not installed. Install CA using "ACS."

  «Configuration of CA page»»

  Now, I'm a little confused, because if have the installer GBA incorrectly, because of my lack of understanding of what this private key file and how it relates to all which?

  Thx a lot indeed.

  Ken

  I'm having the same problem. It seems the guys from windows to generate a cert that it must be exportable, which offers also private key file. I tried the following without success document. It can work for you, however, http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

  I also tried to have the ACS to generate a certificate self-signed, that works. But on the client, you must uncheck the box validate the server certificate because GBA is not a trusted certificate servers. Right now I'm trying to understand how ad to publish the ACS as a trusted cert server so windows knows to do trust the cert of the ACS. Through all this, I found that you can configure in several ways, the most difficult part is to find a way that works for you.

• 4.2 of the ACS and EAP - TLS with AD and prefix problem

  Hello

  We have the following situation:

  -2 X ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain

  -2 x ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain b.

  First of all, there is a problem to have an ACS SE and a CBS work together for an area, I do not? When we haven't had that one area and the two SE ACS were responsible for domain A, it worked.

  Now after the changes, authentication of machine with EAP - TLS is no longer in effect. In the newspapers, it always says that "external user DB is unknown" for a username (machine) as host/abc.domain.ch

  This is the normal output of the Remote Agent, he finds the host but then nothing happens:

  CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
  CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
  CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 16:32:14 0646 NTLIB 3512 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
  CSWinAgent 2009-11-30 16:32:14 0584 0 x 3512 0 RPC: NT_DSAuthoriseUser response sent

  So I did a test of the ASA to see if the host is a problem (until changes have been made it was not a problem):

  AAA authentication RADIUS host 10.3.1.9 username host/abc.domain.ch to test (the ASA becomes the host / entry for the correct Windows scheme with the $):

  CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
  CSWinAgent 2009-11-30 15:39:23 0390 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 0646 NTLIB 3728 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0456 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser response sent

  It is clear that the test failed because of the bad 'past to a computer' but it's a different output as before. I saw that in ACS 4.1, you can change the prefix of send_break_action for nothing, but in 4.2 it is no longer possible.

  This could be the problem, or if someone sees no other problem?

  Best regards

  Dominic

  Hello

  I encounter the same problem with my acs. I have all of the attempts failed for the default group. For the default group made configuration is not available. Is - this thereason behind all this?

• [ISE or ACS] EAP - TLS or profiling as the same SSID

  Hello

  I can only configure one SSID to connect 2 types of devices:

  • Devices with certificates connect on this SSID using EAP - TLS
  • Devices without the ISE profiles certificates (or ACS verifies their MAC addresses)

  Could this work?

  How can I configure this type of SSID on WLC?

  • 802. 1 X works
  • 802.1 X + MacFiltering works.
  • I failed to configure 802.1 X or MAC filtering...

  Thanks for your help,

  Patrick

  Hello Patrick.

  Unfortunately, I don't think that's currently possible in the world of wireless Cisco with a unique SSID. For your example, you will need two separate SSID. Something similar has been asked before:

  https://supportforums.Cisco.com/discussion/11941331/isewireless-nacone-SSID-MAB-and-dot1x

  I hope this helps!

  Thank you for evaluating useful messages!

• ACS 4.0 EAP - TLS Cert does not

  Hey,.

  so, I have generated my certificate signature request, took it to my CA, a cert. "ACS Certification Authority Setup" I have installed on my device ACS, then 'Install ACS certificate' installed (he parked in the privkey and password so I guess he got that comes from the cert file). I then add the CA to "change CTL. All of this goes off without a hitch.

  However when I try to add the "certificate revocation list" I am unable to add the two LDAP:------and http://. I confirmed that the http:// is working on the certification authority, and all the possible indications are that the ldap protocol works too but I can't test with tools.

  When I go to "System Configuration"-> "Global Authentication Setup"-> "allow EAP - TLS' I get the following error.

  Could not initialize the PEAP or EAP - TLS authentication protocol because the certificate authority is not installed. Install the certification authority by using the "ACS Certification Authority Setup" page.

  Exactly, which is not installed on the certificate? It is on the ACS server, it is configured and the date range is correct.

  I've been banging my head against this all day and could use some suggestions. :)

  Hello

  For EAP - TLS to work you must use external CA installation such as Microsoft or Rapid SSL etc and auto generated in ACS certificates supports PEAP support but not EAP - TLS.

  HTH

  Ahmed

• For EAP-FAST (inner EAP - TLS) authorization rule

  We have a deployment of ISE, where we seek to use EAP-FAST as our method of inner EAP - TLS authentication method. We check the computer and user certificate. We initially had the following condition in our AuthZ-> EapChainingResult = user and also successful machine rule, but we found that initially succeeded machine and the user fails after windows logon. If we change the condition of EapTunnelType = EAPFAST, then it works fine, logs show that although that initially user fails and machine is successful, after the windows shell login then log message has managed the user and the machine is visible. My preference would be to work with the first requirement, because it is a more valid check but it does not work due to the initial failure, anyone got the EAP-FAST (EAP - TLS) work.

  Concerning

  I have executed him at a client, and you've discovered only machine auth succeeded initially, it's because the user to store where the certificate of users is not open until they have logged ind, this does not work as expected.

  What you can do is to have two different authz, one for eapchainingresult = rules machine succeeded and the user has failed and another when both are successful. This way you can give a granular access by using another for the machine, so the machine does not receive full access to the network before a user is connected.

• ACS 5.5 with EAP - TLS SHA 256 certificates

  Hi all

  Well, I just want to confirm that ACS 5.5 supports EAP - TLS with certificates SHA2.

  Thank you

  Manel

  Manel salvation,

  There was a time long deposited back enhancement to support EAP - TLS SHA 256 and obtained certificates fixed ACS 5.2 leave.

  CSCtd34175    Support for SHA2 certificates

  To answer your question, ACS 5.5 does support SHA2 certificates with eap - tls.

  ~ BR

  Jatin kone

  * Does the rate of useful messages *.

• [Cisco ACS 5.2] EAP - TLS authentication failure

  What we are e

  Hello

  I set up a WiFi connection on Windows XP and Windows 7 with EAP - TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.

  It works well!

  Now, I configured Windows 8 with the same configuration.

  First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

  In the EAP packets, we could see that Windows 8 sent a TLS session but ticket session has not properly taken over by ACS...

  Configuration of the ACS, we checked the option "enable EAP - TLS Session resume' with the session timeout"7200 ".

  I found this bug

  http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCtn26538& from = summary

  It seems to be my problem but the reboot does not work in my case...

  It is set at 5.3 (0.40.2).

  I plan to install version 5.4.

  Do you know if this fix is supported by 5.4?

  Thanks for your help,

  Patrick

  Hi Patrick,

  What is set in point 5.3 must be set in point 5.4.

  Even if the same issue appeared with 5.4 there an ID different bug and identified as an independent issue (with different causes, usually)

  HTH

  Amjad

  Rating of useful answers is more useful to say "thank you".

• Configuration of LEAP and EAP - TLS on ACS 4.2

  Hi all

  I am starter to wirless lan, I'm 3.3 ACS ACS 4.2 migration, I must define LEAP & EAP - TLS for authentication of the end-user wireless, how to set up LEAP and EAP - TLS on Version 4.2 ACS.

  Similalry for EAP - TLS its requires a certificate to be migrated from old ACS 3.3 to 4.2 ACS, kindly tell me here.

  Hi Santosh,

  I am attaching a copy of the link because you could not access the link.

  I hope this helps.

  Kind regards

  Anisha

  P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.