C4402 and ACS5.2 for EAP - TLS

Hello

I'm putting in place ACS5.2 to authentic my portable computer clients with automatic certificates to an ad group.

Cisco 4402 is successfully allowing them to network on WEP. Now, I need to use EAP - TLS and CERT to authentic.

I'm fighting with the ACS5.2 config. I ' ve worked through added a cert CA, added to the AD domain, I have now configured Athen profiles and Access Services. "

With each step any help would be greatly appreciated.

Thank you

Phil

Hello

If you only need configuraiton side ACS, right?

I think you need to move your thread on security identity and AAA forum here: https://supportforums.cisco.com/community/netpro/security/aaa.

However, here are some links that you might find useful:

https://supportforums.Cisco.com/docs/doc-21679

https://supportforums.Cisco.com/docs/doc-24868

None of them show exactly EAP - TLS configuratoin, but you can follow the configuraiton PEAP with AD, then you change your settings to allow the EAP - TLS and configure the necessary certificates on the client and the server.

If you still have concerns, please ask. But if you move the thread on security forums you can find more people help ot.

Good luck.

Amjad

Tags: Cisco Wireless

Similar Questions

  • Test command of the AAA for EAP - TLS authentication for wireless users

    Hi all

    Can anyone suggest me the test command to verify the eap - tls authentication for the Cisco WAP's wireless.

    If it's an authetication jump we can use the command to test the connection below

    Radius of group aaa Testwap-01 #test [email protected] / * / o4 & yJ) NoL$ new-code %0
    Trying to authenticate with the server radius group
    User successfully authenticated

    But eap - tls is not delivered with the password. He insists that for the user name.

    We strive for remote location then test remotely before production.

    If someone help pls in that if we have a command to test or debug command to test this authentication.

    EAP - TLS requires a client certificate. How can you have a simple command that analysis without loading any certificate on the router/switch? It does not exist. This is why eap - tls is not considered an easy to deploy eap method: because it can go wrong on several levels.

    The aaa command test performs a PAP authentication, therefore, it tests the connectivity of the base RADIUS and name of user and password.

    If it works, the only thing that can break for eap - tls are certificates, as well as the radius server will be able to tell if something worng.

  • Requirement of CA for EAP - TLS

    Hi all

    I know there is a requirement of Cisco for "User certificates" and "AAA certificates" used in EAP - TLS. Anyone know what are the requirements for the cetificates CA in EAP - TLS please?

    Thank you.

    Hello

    You must have 2 certificates on the client and your radius server.

    First certificate is the "root" Cert which is the same on both devices.

    The second certificate is the 'user' Cert that is unique for each client-server and aaa.

    Below are more details for EAP - TLS:

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_white_paper0918...

    Kind regards.

  • Install certificates for EAP - TLS does ACS does not work

    Hi all

    I have two problems.

    I produced a CSR ACS and sent my people to windows this and they published my ACS with a certificate. Cool.

    I'm going to download the GBA and I put a 'private key file?

    What is this file? and where can I get a? What is this long string of characters that generate the CSR, I sent the boys of windows?

    Also, I managed to just put any old rubbish in there? and I was surprised he accepted.

    Restarted the service IS and I tried to turn it on eap - tls on the "Overall Authentication Configuration" page to get only the message

    Could not initialize authentication PEAP or EAP - TLS because that Protocol

    certificate is not installed. Install CA using "ACS."

    «Configuration of CA page»»

    Now, I'm a little confused, because if have the installer GBA incorrectly, because of my lack of understanding of what this private key file and how it relates to all which?

    Thx a lot indeed.

    Ken

    I'm having the same problem. It seems the guys from windows to generate a cert that it must be exportable, which offers also private key file. I tried the following without success document. It can work for you, however, http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

    I also tried to have the ACS to generate a certificate self-signed, that works. But on the client, you must uncheck the box validate the server certificate because GBA is not a trusted certificate servers. Right now I'm trying to understand how ad to publish the ACS as a trusted cert server so windows knows to do trust the cert of the ACS. Through all this, I found that you can configure in several ways, the most difficult part is to find a way that works for you.

  • Configuration of LEAP and EAP - TLS on ACS 4.2

    Hi all

    I am starter to wirless lan, I'm 3.3 ACS ACS 4.2 migration, I must define LEAP & EAP - TLS for authentication of the end-user wireless, how to set up LEAP and EAP - TLS on Version 4.2 ACS.

    Similalry for EAP - TLS its requires a certificate to be migrated from old ACS 3.3 to 4.2 ACS, kindly tell me here.

    Hi Santosh,

    I am attaching a copy of the link because you could not access the link.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • LEAP EAP - TLS on WLC

    Hello

    I need to deploy authentication of certificate based for some devices of client for Intermec for a customer. I intend to use a separate SSID for this. There are other existing SSID who based radius authentication.

    question: if I don't select any server radius for this eap tls ssid and select only "BOND", going to work? Or will the WLC always find already defined radius servers and authentication failure?

    Question2: If above is not possible, I have to go for eap tls with ACS. someone had some easy steps to get eap tls operational? (1252, wlc 4400, acs 4.1 windows CA LAP)

    concerning

    Joe

    You will be able to use local for jump car as long as you do not specify a server radius on this ssid. Then you can have a different ssid to break the eap - tls pointing to a RADIUS.

    Sent by Cisco Support technique iPhone App

  • ACS 4.0 EAP - TLS Cert does not

    Hey,.

    so, I have generated my certificate signature request, took it to my CA, a cert. "ACS Certification Authority Setup" I have installed on my device ACS, then 'Install ACS certificate' installed (he parked in the privkey and password so I guess he got that comes from the cert file). I then add the CA to "change CTL. All of this goes off without a hitch.

    However when I try to add the "certificate revocation list" I am unable to add the two LDAP:------and http://. I confirmed that the http:// is working on the certification authority, and all the possible indications are that the ldap protocol works too but I can't test with tools.

    When I go to "System Configuration"-> "Global Authentication Setup"-> "allow EAP - TLS' I get the following error.

    Could not initialize the PEAP or EAP - TLS authentication protocol because the certificate authority is not installed. Install the certification authority by using the "ACS Certification Authority Setup" page.

    Exactly, which is not installed on the certificate? It is on the ACS server, it is configured and the date range is correct.

    I've been banging my head against this all day and could use some suggestions. :)

    Hello

    For EAP - TLS to work you must use external CA installation such as Microsoft or Rapid SSL etc and auto generated in ACS certificates supports PEAP support but not EAP - TLS.

    HTH

    Ahmed

  • [Cisco ACS 5.2] EAP - TLS authentication failure

    What we are e

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP - TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with the authentication of the computer and computer certificates are automatically registered for Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    First authentication works, but if I manually disconnect and reconnect, I got this error on ACS: 22047 username main attribute is missing from the client certificate

    In the EAP packets, we could see that Windows 8 sent a TLS session but ticket session has not properly taken over by ACS...

    Configuration of the ACS, we checked the option "enable EAP - TLS Session resume' with the session timeout"7200 ".

    I found this bug

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId= CSCtn26538& from = summary

    It seems to be my problem but the reboot does not work in my case...

    It is set at 5.3 (0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is supported by 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is set in point 5.3 must be set in point 5.4.

    Even if the same issue appeared with 5.4 there an ID different bug and identified as an independent issue (with different causes, usually)

    HTH

    Amjad

    Rating of useful answers is more useful to say "thank you".

  • ISE and EAP - TLS

    Hello

    We plan on implementing eap - tls for our iPads company and in the past, I've successfully tested it authentication with the ACS5.3, but now that we moved to ISE (1.1.1.24) I get an error.

    Result of the strategy of the 22045 identity is configured for password based authentication methods but received certificate authentication request

    I tried two different profiles, one with a certificates and credentials of the AD and the other with just the certificates but the error message are the same for both.

    EAP - TLS is enabled in the result of the 'Access to the network by default' authentication.

    Anyone can shed some light on where I'm wrong?

    Thank you

    Martin

    Yes that's right, the certificate that is presented to the ISE does not include the identity of the client, this is the reason why the attempt fails.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • 4.2 of the ACS and EAP - TLS with AD and prefix problem

    Hello

    We have the following situation:

    -2 X ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain

    -2 x ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain b.

    First of all, there is a problem to have an ACS SE and a CBS work together for an area, I do not? When we haven't had that one area and the two SE ACS were responsible for domain A, it worked.

    Now after the changes, authentication of machine with EAP - TLS is no longer in effect. In the newspapers, it always says that "external user DB is unknown" for a username (machine) as host/abc.domain.ch

    This is the normal output of the Remote Agent, he finds the host but then nothing happens:

    CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
    CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
    CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 16:32:14 0646 NTLIB 3512 0x0: none of the trusted domains found
    CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
    CSWinAgent 2009-11-30 16:32:14 0584 0 x 3512 0 RPC: NT_DSAuthoriseUser response sent

    So I did a test of the ASA to see if the host is a problem (until changes have been made it was not a problem):

    AAA authentication RADIUS host 10.3.1.9 username host/abc.domain.ch to test (the ASA becomes the host / entry for the correct Windows scheme with the $):

    CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
    CSWinAgent 2009-11-30 15:39:23 0390 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 0646 NTLIB 3728 0x0: none of the trusted domains found
    CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
    CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
    CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
    CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
    CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
    CSWinAgent 2009-11-30 15:39:23 0456 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser response sent

    It is clear that the test failed because of the bad 'past to a computer' but it's a different output as before. I saw that in ACS 4.1, you can change the prefix of send_break_action for nothing, but in 4.2 it is no longer possible.

    This could be the problem, or if someone sees no other problem?

    Best regards

    Dominic

    Hello

    I encounter the same problem with my acs. I have all of the attempts failed for the default group. For the default group made configuration is not available. Is - this thereason behind all this?

  • 802. 1 x EAP - TLS for wired users with ACS 5.5

    Hi all

    We are setting up a new configuration for wired users authentication with 802.1 x (EAP - TLS). ACS 5.5 we use as an authentication server.

    We have added the certificate (internal) CA root and certifcate for ACS signed by CA. Now, we want to check that authentication works or not. I hope that the CA root and identity certifcate also we need to install in laptop computers. But I don't know how to download the certifcates for client machine manually to CA.

    Please suggest on how to get certificates for clients both manually and automatically?

    Thank you

    Vijay

    Hi Vijay,

    for Wired 802.1 x (EAP - TLS) you must have the following certificates:

    Intermediate server on ACS - Root CA, CA certificate,

    The customer - Root CA, intermediate CA, user certificate (in the case of user authentication) or Machine certificae (in the case of authentication of the computer)

    I do not know what third-party certificate you use, if its Microsoft in the House or any other certificate server, you need to download the client certificate to the server itself.

    In the case of Microsoft, there will be a user certificate template. You can select and create user certificate

    This is an old document, but a computer certificate for the user configuration steps, you can see the steps to download the certificate user if his server from Microsoft:

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    In case you use the third serevr certificate, then you must check with them on how to download the certificate of the user

    See you soon

    Mohammed (rate useful message)

  • For EAP-FAST (inner EAP - TLS) authorization rule

    We have a deployment of ISE, where we seek to use EAP-FAST as our method of inner EAP - TLS authentication method. We check the computer and user certificate. We initially had the following condition in our AuthZ-> EapChainingResult = user and also successful machine rule, but we found that initially succeeded machine and the user fails after windows logon. If we change the condition of EapTunnelType = EAPFAST, then it works fine, logs show that although that initially user fails and machine is successful, after the windows shell login then log message has managed the user and the machine is visible. My preference would be to work with the first requirement, because it is a more valid check but it does not work due to the initial failure, anyone got the EAP-FAST (EAP - TLS) work.

    Concerning

    I have executed him at a client, and you've discovered only machine auth succeeded initially, it's because the user to store where the certificate of users is not open until they have logged ind, this does not work as expected.

    What you can do is to have two different authz, one for eapchainingresult = rules machine succeeded and the user has failed and another when both are successful. This way you can give a granular access by using another for the machine, so the machine does not receive full access to the network before a user is connected.

  • Machine based authentication using EAP - TLS, MS CA and 5.2 of the ACS

    I use ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it.  5.2 model is much more different than what I expected.  We downloaded the trial in our laboratory for 90 days, and I try to get 802. 1 x wired works so we can be sure that we want to buy it.  I've looked everywhere and I have been unable to find some basic instructions on how to configure the following in a step by step process scenario:

    1. integrated AD

    2 EAP - TLS

    3 certificates

    4 Microsoft CA

    5. the applicant is XP SP 3

    6 non-Cisco 802.1 x compatible switches (switches are not the question)

    I got GANYMEDE to work fairly easily, but I am confident the issues I have are user based :).  Does anyone know of a doc somewhere that goes on a scenario like this (in addition to the user manual and docs of migration ISBN)?  Also, we have the assurance of software on our box 4.2 - TAC support questions we have on the 5.2 box while we are it do demonstrations?

    Thanks in advance.

    Hello, Christopher.

    I'll try to give you some tips to achieve what you want.

    Additional info can be found in the user guide:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

    1. in the identity store / Active directory, check "enable machine authentication.

    2 import a certificate for ACS

    Go to System Administration > Configuration > Local Server Certificates > Local certificates and click the Add button.

    Select how you want to import the certificate, and then verify the Protocol EAP

    3. Add your switches as aaa clients

    Access network resources > network hardware and the AAA Clients, click on create and add configure address IP + shared secret for the RADIUS.

    4-go to access policies > Access Services and click on create a new access service.

    Select the selected Type of Service and network access in the list.

    Verify the identity, group mapping and authorization

    5 - go to the access policies > rules of selection and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allows you to match your device with which you want to do TLS.

    You can use the IP address of devices, or you can create a NDG (in network resources), assign devices to the NDG and match this NDG in your rule.

    If all your switches RADIUS will make eap - tls, you can change the rule

    Rule-1 Ray game Default network access

    While in the result, you choose your service of access created in step 3.

    6 - go to the access policies and click on the access service that you created in step 3. In the allowed Protocols tab, see EAP - TLS

    7. unfold your access service menu, and then click identity. Select your ad as being the source of the identity

    8. check that the 'Allowed access' rule is selected in the authorization to access your service

    These measures define your devices, and then create a rule to say that ACS must use an individual service for this access devices and set this access service to use AD as authentication.

    Again, what are the basic steps, he may miss some things to do depending on your configuration, but I hope this will help you.

    ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.

  • Novell NDS CA and EAP - TLS

    Hi all

    I configured an ACS Server 4.1 with Novell CA authentication certificate. internal to the ACS server works very well and the group maps also works without problems.

    Now, the customer wants to use eap - tls in the wlan configuration. Authentication with user name and password works fine. If I activate the validate the certificate of the server in the windows xp wireless configuration settings, that I do not have access to the network. I get an error message on the client and in the journal of the CSA, I see an error with eap - tls ssl handshake!

    Are there problems with certificates of AC novell and novell?

    Any ideas?

    Thanks for help

    René

    Hello

    Mark this thread as solved, so that others can enjoy.

    Thank you

    Prem

  • PEAP EAP/TLS, PORTEGE with WinXP sp2 Tablet Edition problem

    We have: Rev AiroNet350 Cisco with WPA - EAP: Freeradius with EAP/TLS and PEAP, tablet PC PORTEGE with WinXP sp2 configuration.

    This problem discribed in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but microsoft support said to contact the laptop manufacturer.
    Can someone help me with this problem?

    Hmmm I m not an expert in this area, but it seems that the MS OS update is necessary. (I hope)
    The preinstalled Windows operating system is a simple OEM version and generally all updates should be possible. However, if MS guys told you to communicate with the manufacture of the laptop, you can contact the maintainer authorized Toshiba in your country for details.

    But I studied a bit on the net and found this site useful:
    http://SearchNetworking.TechTarget.com/originalContent/0, 289142, sid7_gci945257, 00.html

    1. 802. 1 X is based on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, 802. 1 X debugging following tips may be useful:
    a. reintroduce the same RADIUS secret in your wireless router and the RADIUS server.
    b. configure your RADIUS server to accept the request of the RADIUS of the IP address of your router.
    c. use ping to check the accessibility of router-server.
    d. package watch LAN account to verify that RADIUS and answers queries are fluid.
    e. use an Analyzer like Ethereal Ethernet to watch RADIUS success/failure messages.
    f. for XP SP2, turn on Wzctrace.log by typing "command netsh ras set followed * activated.

    2 if RADIUS is flowing but are rejected requests for access, you may have a problem of incompatibility or credential X Extensible Authentication Protocol (EAP) 802.1. This setting depends on Type EAP. For example, if your RADIUS server requires EAP - TLS, then select 'Card chip or other certificate' of your adapter wireless network properties / authentication Panel. If your RADIUS server requires PEAP, then select "Protected EAP" of the adapter. If your RADIUS server requires EAP-TTLS, then you will need a third-party wireless like AEGIS or in Odyssey client.
    Make sure that this specific EAP properties match for your adapter and the server, including the server CA certificate root trust Server domain name (optional but must match when it is specified) and the customer (EAP-MSCHAPv2, EAP - GTC) authentication method. When you use PEAP, use the control panel to 'Configure' CHAP to prevent Windows from automatically re-use of your connection.

Maybe you are looking for

  • Qosmio F30: Utility of Qosmio Player available 1.70

    Qosmio Player 1.70 utility Date November 22, 2006 for Qosmio F30 http://EU.computers.Toshiba-Europe.com/cgi-bin/ToshibaCSG/download_drivers_bios.jsp?service=EU Laptop - Qosmio - Qosmio - Qosmio F30 - F, WinXP MCE - Qosmio player utility Also check th

  • shared library problem MathScript

    I have a shared library of labview created in labview 8.2.1.  This labview dll contains a three functions, having to turn a number of mathscript embeded nodes inside of them.  The reason for their compilation in a shared library dll is because I want

  • Windows Vista won't load: 0x800701E7 error code

    I built this PC using a year from a friend. He put a valid XP pro OS on the computer. It worked fine until the beginning of this year when he died. I took it to my local PC repair shop and they replaced the motherboard you PSU and CPU. I tried since

  • How do you think I uninstall history

    I tried to uninstall a program and I don't know if I accidentally chose a bad program. I tried to cancel the uninstall but I got a notification fast "(vous voulez redémarrer l'ordinateur)." I don't know what program has been accidentally uninstalled.

  • delete messages in mail server Oracle

    HelloI have my e-mail running server: Oracle Communications e-mail Server 7.0.5.31.0 64bits (built may 5, 2014)And I want to locate the deleted messages in my store.For example, I have a 'user' with 100 msg in his '00' directory, I logged as a 'user'