[Cisco ACS 5.2] EAP-TLS authentication failure
What we are e
Hello
I set up a WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured for machine authentication, and the computer certificates are auto-enrolled from a Microsoft PKI.
It works well!
Now I have configured Windows 8 with the same configuration.
The first authentication works, but if I manually disconnect and reconnect, I get this error on ACS: 22047 Username attribute is missing from the client certificate.
In the EAP packets we could see that Windows 8 sends a TLS session ticket, but the session ticket is not handled properly by ACS...
In the ACS configuration we checked the option "Enable EAP-TLS session resume" with a session timeout of 7200.
I found this bug:
http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary
It seems to be my problem, but the reboot does not work in my case...
It is fixed in 5.3(0.40.2).
I plan to install version 5.4.
Do you know if this fix is included in 5.4?
Thanks for your help,
Patrick
Hi Patrick,
What is fixed in 5.3 must also be fixed in 5.4.
Even if the same issue appeared with 5.4, it would get a different bug ID and be identified as an independent issue (usually with different causes).
HTH
Amjad
Rating useful answers is more useful than saying "thank you".
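The failure Patrick describes hinges on where the username comes from once the TLS handshake is abbreviated: on a resumed session the supplicant sends no Certificate message, so the server must have cached the identity next to the session, and if that cache entry is gone (expired, or the request landed on a node that never saw the full handshake) there is nothing to read the attribute from. The following is an added toy model of that state machine, not ACS code; the class and field names, the 7200-second timeout, the `host/pc01.example.test` identity and the "decline resumption and fall back to a full handshake" behaviour are assumptions used to make the point concrete.

```python
import time

SESSION_TIMEOUT = 7200  # seconds; the "EAP-TLS session resume" timeout from the post


class Supplicant:
    """Constructed stand-in for the Windows client: it holds the session ID it will
    offer for resumption and the machine certificate it presents on a full handshake."""

    def __init__(self, name, session_id, client_cert):
        self.name = name
        self.session_id = session_id
        self.client_cert = client_cert  # e.g. {"CN": "host/pc01.example.test"}


class EapTlsServer:
    """Toy model of the authentication server's session-resume cache (assumption,
    not ACS internals). fallback_to_full selects the sane behaviour on a cache miss."""

    def __init__(self, timeout=SESSION_TIMEOUT, clock=time.time, fallback_to_full=False):
        self.timeout = timeout
        self.clock = clock
        self.fallback_to_full = fallback_to_full
        self._sessions = {}  # session_id -> (identity, time_cached)
        self.full_handshakes = 0

    def _full_handshake(self, supplicant):
        # Full handshake: the client Certificate message is on the wire, so the
        # username attribute (the subject CN here) can be extracted and cached
        # alongside the TLS session for later abbreviated handshakes.
        self.full_handshakes += 1
        cn = supplicant.client_cert.get("CN")
        if not cn:
            return ("Access-Reject", "22047 Username attribute is missing from the client certificate")
        self._sessions[supplicant.session_id] = (cn, self.clock())
        return ("Access-Accept", cn)

    def connect(self, supplicant, resume=False):
        """Handle one connection attempt. resume=True means the client offered its
        session ID/ticket and expects an abbreviated handshake without a certificate."""
        if not resume:
            return self._full_handshake(supplicant)

        entry = self._sessions.get(supplicant.session_id)
        if entry is not None and self.clock() - entry[1] <= self.timeout:
            # Abbreviated handshake: no certificate is sent, identity comes from the cache.
            return ("Access-Accept", entry[0])

        # Cache miss: never seen, expired, or this node never saw the full handshake
        # (the secondary server in a pair, for example).
        self._sessions.pop(supplicant.session_id, None)
        if self.fallback_to_full:
            # Correct behaviour: decline the resumption so the client runs a full
            # handshake and presents its certificate again.
            return self._full_handshake(supplicant)
        # Faulty behaviour: accept the abbreviated handshake, then look for a
        # username in a certificate that was never received on this exchange.
        return ("Access-Reject", "22047 Username attribute is missing from the client certificate")


class FakeClock:
    """Deterministic clock for the walk-through (constructed)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


def walkthrough():
    """Replay the sequence from the post and return the four results."""
    clock = FakeClock()
    pc = Supplicant("win8-pc", session_id=b"\x01" * 32, client_cert={"CN": "host/pc01.example.test"})
    primary = EapTlsServer(clock=clock)                       # no fallback, as in the post
    fixed = EapTlsServer(clock=clock, fallback_to_full=True)  # declines stale resumptions

    first = primary.connect(pc)                   # full handshake, cert seen, identity cached
    clock.now += 60
    reconnect = primary.connect(pc, resume=True)  # abbreviated handshake, identity from cache
    clock.now += SESSION_TIMEOUT + 1
    stale = primary.connect(pc, resume=True)      # cache expired, no cert on the wire -> 22047
    stale_fixed = fixed.connect(pc, resume=True)  # cache miss -> full handshake instead
    return first, reconnect, stale, stale_fixed


if __name__ == "__main__":
    for step, result in zip(("first", "reconnect", "stale", "stale_fixed"), walkthrough()):
        print(f"{step:12s} {result}")
```

The practical check this suggests when debugging a 22047 on reconnect: confirm whether the failing request is an abbreviated handshake (no Certificate message in the EAP-TLS fragments) and whether it reached the same node that handled the full handshake within the configured resume timeout.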
Tags: Cisco Security
Similar Questions
-
ACS 4.0 EAP-TLS cert does not
Hey,
So, I generated my certificate signing request, took it to my CA, and got a cert. I installed the CA on my ACS device with "ACS Certification Authority Setup", then did "Install ACS Certificate" (it asked for the private key and password, so I guess it got those from the cert file). I then added the CA in "Edit CTL". All of this went off without a hitch.
However, when I try to add the certificate revocation list, I am unable to add either the LDAP:// or the http:// one. I confirmed that the http:// one is working on the certification authority, and all indications are that LDAP works too, but I can't test it with tools.
When I go to System Configuration -> Global Authentication Setup -> Allow EAP-TLS, I get the following error:
Could not initialize the PEAP or EAP-TLS authentication protocol because the certificate authority is not installed. Install the certification authority by using the "ACS Certification Authority Setup" page.
Exactly which certificate is not installed? It is on the ACS server, it is configured, and the date range is correct.
I've been banging my head against this all day and could use some suggestions. :)
Hello
For EAP-TLS to work you must use an external CA such as Microsoft or RapidSSL, etc. Self-generated ACS certificates support PEAP but not EAP-TLS.
HTH
Ahmed
-
AAA test command for EAP-TLS authentication of wireless users
Hi all
Can anyone suggest the test command to verify EAP-TLS authentication for Cisco WAPs (wireless)?
For a simple authentication we can use the command below to test the connection:
Testwap-01# test aaa group radius [email protected] o4&yJ)NoL$ new-code
Trying to authenticate with Servergroup radius
User successfully authenticated
But EAP-TLS is not delivered with a password. It insists on the username only.
We are working on a remote location, so we want to test remotely before production.
If someone could help with a command to test, or a debug command to test this authentication, please.
EAP-TLS requires a client certificate. How could you have a simple command that tests this without loading any certificate on the router/switch? It does not exist. This is why EAP-TLS is not considered an easy-to-deploy EAP method: it can go wrong on several levels.
The test aaa command performs a PAP authentication, therefore it tests basic RADIUS connectivity and the username and password.
If it works, the only thing that can break for EAP-TLS is the certificates, and the RADIUS server will be able to tell you if something is wrong.
-
Cisco ACS 5.1 and RSA Authentication Manager 6.1
Hi all
We recently got a Cisco Secure ACS 1120, and I upgraded the unit from 5.0 to 5.1 with all your support.
Now I need to integrate Cisco ACS 5.1 with RSA Authentication Manager 6.1. I have successfully downloaded the config file from the RSA ACE Server and imported it into the ACS 1120.
I also added the ACS as a NetOS Agent in the RSA server; during the process I found a few warnings. The ACE Server is not able to resolve the IP address to a name (is that necessary?).
I have not created any secret key file for communication between ACS and RSA, and the encryption I used is DES.
Now, when I log into ACS and look for the identity store in the identity store sequences, I am not able to get the RSA SecurID Token Server.
Let me know what went wrong and where I can fix it, and also please tell me how the communication between RSA and ACS works.
Hoping that you guys will help me as usual when I'm in a hurry...
Sree
Were you able to successfully create the RSA identity server? After selecting the sdconf.rec and pressing Submit, what happened? Was the RSA instance created OK?
If you go to
Users and Identity Stores > External Identity Stores > RSA SecurID Token Servers, what do you see in the list?
-
Hi all
I am trying to configure wireless with 802.1X, EAP-TLS machine authentication with digital certificates, but it does not work.
It runs on ACS 4.2.
The message is that the ACS CA is not known, but it is configured correctly.
I have a "Wireless" access policy with identity store AD1. I also tried setting up CN, SAN and a lot of identity store sequences, with the same results.
At the time of authentication, I also see this log message:
System encountered null or invalid message
CSCOacs_Internal_Operations_Diagnostics
31201
What could it be associated with?
Can someone help me?
THX,
Andrea
I see the certificates installed have already expired.
Regarding your second question, where do you see the error? I suspect a defect:
CSCtw48906 Error due to an empty message (vector buffer) sent to the runtime process
Symptom: An error message is seen in the logs: ERROR message encountered CSCOacs_Internal_Operations_Diagnostics 31201 System encountered null or invalid message
Conditions: ACS 5.2
Solution: The issue is cosmetic. This message can be ignored.
According to the developers, this error occurs when an empty message (vector buffer) is sent to the runtime over the message bus, and it seems to be a "cosmetic" issue.
By default, debugging is off. If you wish, you can enable debug-level runtime logs and match the symptoms.
Here are the steps to generate a support bundle.
ACS/admin# acs-config
Escape character is CNTL/D.
Username: acsadmin
Password:
ACS/admin(config-acs)#
Set logging to debug level:
ACS/admin(config-acs)# debug-log runtime level debug
ACS/admin(config-acs)# exit
Collect the support bundle after reproducing the problem.
Jatin kone
- Do rate helpful posts -
-
[Cisco ACS] 11036 The RADIUS Message-Authenticator attribute is invalid
Hello
I have a lot of Cisco APs attached to two Cisco WLCs.
On each WLC I configured a primary and a secondary RADIUS server.
The RADIUS servers are Cisco ACS 5.2.0.26 (patch 10).
The primary and secondary ACS configurations are synchronized.
There is no problem between the primary WLC and Cisco ACS (primary and secondary).
When the secondary WLC queries the primary Cisco ACS, I get this error: "11036 The RADIUS Message-Authenticator attribute is invalid".
The secondary WLC then automatically contacts the secondary Cisco ACS and it works fine.
The Cisco ACS description for this error: "This can be the result of mismatched shared secrets."
The two Cisco ACS are synchronized, so I should have the same error on both of them...
Why does the primary ACS generate this error?
Thanks for your help,
Patrick
Patrick: the shared secret mismatch could be on the WLC side, not on the ACS side.
Make sure that the shared secret of the primary RADIUS server is configured correctly on the secondary WLC.
HTH
Amjad
Rating useful answers is more useful than saying "thank you".
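Two threads on this page meet at the shared secret: the "test aaa group radius" check discussed earlier only exercises PAP, where the secret is used to scramble User-Password and a mismatch surfaces as a bad password, whereas an EAP request carries a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret over the whole packet) that the server verifies before it looks at anything else, and that failed check is what ACS logs as 11036. The block below is an added example written for this page, not code from Cisco or from the thread: it builds both kinds of Access-Request per RFC 2865 and RFC 3579, then verifies the Message-Authenticator with the right and the wrong secret. The secret, usernames and the EAP payload are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def pap_encrypt(password, secret, request_authenticator):
    """RFC 2865 s5.2: pad the password to a multiple of 16 bytes and XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator.
    This is what a PAP check such as 'test aaa group radius' puts on the wire."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(encrypted, secret, request_authenticator):
    """Server side of pap_encrypt. With the wrong secret this yields garbage, so a
    secret mismatch on a PAP request shows up as a bad password, not as 11036."""
    out, prev = b"", request_authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encrypted[i:i + 16], key))
        prev = encrypted[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, username, password=None, eap=None,
                         request_authenticator=None):
    """Build an Access-Request. When an EAP-Message is carried, RFC 3579 s3.2 requires
    a Message-Authenticator: HMAC-MD5 keyed with the shared secret over the whole
    packet with the Message-Authenticator value set to 16 zero bytes."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)
    attrs = _attr(USER_NAME, username.encode())
    if password is not None:
        attrs += _attr(USER_PASSWORD, pap_encrypt(password.encode(), secret, request_authenticator))
    if eap is not None:
        attrs += _attr(EAP_MESSAGE, eap) + _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    if eap is not None:
        mac = hmac.new(secret, packet, hashlib.md5).digest()
        packet = packet[:-16] + mac  # the zero placeholder is the last attribute
    return packet


def attributes(packet):
    """Yield (type, offset_of_value, value) for every attribute in the packet."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + length]
        pos += length


def attribute_value(packet, attr_type):
    for t, _, value in attributes(packet):
        if t == attr_type:
            return value
    return None


def verify_message_authenticator(packet, secret):
    """True when the Message-Authenticator verifies under `secret`. A mismatch is what
    ACS reports as '11036 The RADIUS Message-Authenticator attribute is invalid'; an
    EAP request without the attribute must also be rejected (RFC 3579)."""
    for attr_type, offset, value in attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset] + b"\x00" * 16 + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


if __name__ == "__main__":
    secret = b"shared-secret-on-primary-acs"        # constructed
    eap_identity_response = b"\x02\x01\x00\x05\x01"  # EAP Response/Identity header, constructed
    req = build_access_request(secret, 7, "host/wlc02.example.test", eap=eap_identity_response)
    print("secret matches :", verify_message_authenticator(req, secret))
    print("secret mismatch:", verify_message_authenticator(req, b"typo-on-the-wlc"))  # 11036 on ACS
```

Because the HMAC covers the entire packet, a single mistyped character in the secret configured on the second WLC for the primary ACS is enough to fail every EAP request to that server while PAP tests and the other server pair keep working, which matches the asymmetry Patrick observed.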
-
Cisco ACS 4.2 maximum number of authenticating devices
Hi guys.
Can someone tell me how many devices an ACS 4.2 can work with using TACACS+?
Is there a limit? And if there is, what is it, and where does Cisco publish it?
I've spent a whole morning looking for the info without success.
Ty in advance.
Carlos.
Hello
I did a search on this and found that the ACS 4.2 solution can support up to 35000 devices. Here is the link where I got the information:
http://www.Cisco.com/en/us/prod/collateral/vpndevc/ps5712/ps5338/qa_c67-453393.html
A Cisco Secure ACS appliance server at a minimum follows the same scalability and performance as a Windows-based Cisco Secure ACS server. Cisco Secure ACS guidelines and performance analysis show that each ACS server can support anywhere from 20,000 to 80,000 users per server and can scale to support up to 35,000 devices, depending on configuration scenarios, the platform and its use.
Internally we have also seen that 500 devices per NDG is recommended.
I hope this helps.
Thank you
Waris Hussain.
-
Cisco ACS with external DB - EAP-TLS
Hi guys,
I understand how the EAP-TLS exchange works (I think), but if I have a client (wired or wireless) that uses EAP-TLS with an ACS, I'd like to confirm the following.
Let's say both user and computer certificates are used:
1. The client and the ACS authenticate each other with certificates so they are known to each other. This is the EAP-TLS exchange.
2A. At what point, and I'm assuming before the EAP-Success message is sent to the client, does the ACS check whether the username or computer name is in the AD database?
2B. What is the parameter that is checked in the AD database?
I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
Client certificates
Client certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is made in one of three ways:
CN (or name) comparison: compare the CN in the certificate with the username in the database. More information on this type of comparison is included in the description of the Subject field of the certificate.
SAN comparison: compare the SAN in the certificate with the username in the database. It is only supported from ACS 3.2. More information on this type of comparison is included in the description of the Subject Alternative Name field of the certificate.
Binary comparison: compare the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use binary certificate comparison, you must store the user certificate in binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
3. Given the foregoing, if option 1 or 2 is used (CN or SAN comparison), I guess it's just a check of a value pulled out of the cert by the ACS against AD, is that correct? With option 3, does the ACS do a complete comparison of the certificate between what the client presents and a "stored client cert" in the AD DB?
Please can someone help me with these points.
I'm so lost in this kind of thing :)) I think.
Thx a lot and best regards,
Ken
Only the TLS *handshake* completes successfully, but then the user authentication fails:
CryptoLib.SSLConnection.pvServerInfoCB - process TLS data: SSL state = SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - process TLS data: SSL state = SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - process TLS data: SSL state = SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - process TLS data: SSL state = SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - process TLS data: SSL state = SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - process TLS data: SSL state = SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - process TLS data: SSL state = SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using certificate CN as authentication identity
EAP: EAP state: action = authenticate, username = 'Jousset', user identity is 'jousset'
pvAuthenticateUser: authenticating 'jousset' against CSDB
pvCopySession: assigning session group ID 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticating 'jousset' against Windows database
External DB [NTAuthenDLL.dll]: Creating domain cache
External DB [NTAuthenDLL.dll]: Loading domain cache
External DB [NTAuthenDLL.dll]: No UPN suffixes found
External DB [NTAuthenDLL.dll]: Could not get domain controller for trusted domain dwacs.com, [error = 1355]
External DB [NTAuthenDLL.dll]: Could not get domain controller for trusted domain enigma.com, [error = 1355]
External DB [NTAuthenDLL.dll]: Could not get domain controller for trusted domain acsteam.com, [error = 1355]
External DB [NTAuthenDLL.dll]: Could not get domain controller for trusted domain vikram.com, [error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jousset [0x00005012]
External DB [NTAuthenDLL.dll]: User Jousset is not found
pvCheckUnknownUserPolicy: assigning session group ID 0.
Unknown user 'jousset' was not authenticated
An EAP-Failure (RADIUS Access-Reject) is sent, not an EAP-Success (RADIUS Access-Accept).
And in any case the port will not be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.
HTH
Kind regards
Prem
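The three comparison modes quoted from the ACS 4.1 guide, and the log Prem posted (handshake succeeds, CN "Jousset" is lowercased, the Windows database has no such user, Access-Reject), can be put side by side in code. The block below is an added example for this page, not ACS code: it takes an already-parsed client certificate (a constructed dict standing in for the subject CN, the SAN UPN and the DER bytes, since this page shows no real certificates) and a constructed directory, and returns the decision for each mode. The `host/<fqdn>` to `<host>$` mapping for machine accounts, the account names, the `example.test` domain and the placeholder DER bytes are assumptions.

```python
import hmac


def authenticate_eap_tls(cert, directory, method):
    """Decide Accept/Reject for an EAP-TLS client whose TLS handshake already
    succeeded, using one of the three comparison modes from the ACS doc.
    cert:      constructed dict {"subject_cn": str, "san_upn": str, "der": bytes}
    directory: lower-case account name -> {"upn": str, "usercertificate": bytes}
    Toy model written for this page, not ACS internals."""
    if method == "cn":
        identity = cert.get("subject_cn")
        if not identity:
            return ("Access-Reject", "username attribute is missing from the client certificate")
        if directory.get(identity.lower()) is None:
            return ("Access-Reject", f"Unknown user '{identity.lower()}' was not authenticated")
        return ("Access-Accept", identity.lower())

    if method == "san":
        upn = cert.get("san_upn")
        if not upn:
            return ("Access-Reject", "no UPN in Subject Alternative Name")
        # Machine certificates carry host/<fqdn>; AD knows the computer as <host>$ (assumption).
        if upn.startswith("host/"):
            name = upn[len("host/"):].split(".", 1)[0].lower() + "$"
            if name in directory:
                return ("Access-Accept", name)
            return ("Access-Reject", f"Unknown machine '{name}' was not authenticated")
        for name, account in directory.items():
            if account.get("upn", "").lower() == upn.lower():
                return ("Access-Accept", name)
        return ("Access-Reject", f"Unknown UPN '{upn}' was not authenticated")

    if method == "binary":
        # Locate the account by CN, then require the presented DER to be byte-identical
        # to the copy published in usercertificate. A renewed client certificate that
        # was never republished to AD fails here even though the CN still matches.
        identity = (cert.get("subject_cn") or "").lower()
        account = directory.get(identity)
        if account is None:
            return ("Access-Reject", f"Unknown user '{identity}' was not authenticated")
        stored = account.get("usercertificate", b"")
        if not stored or not hmac.compare_digest(stored, cert.get("der", b"")):
            return ("Access-Reject", f"certificate for '{identity}' does not match usercertificate")
        return ("Access-Accept", identity)

    raise ValueError(f"unknown comparison method {method!r}")


# Constructed sample data: the DER bytes are placeholders, not real certificates.
CERT_2012 = b"\x30\x82\x01\x00" + b"jousset-2012"  # the copy published in AD
CERT_2013 = b"\x30\x82\x01\x00" + b"jousset-2013"  # renewed cert, different bytes

DIRECTORY = {
    "jousset": {"upn": "jousset@example.test", "usercertificate": CERT_2012},
    "pc01$": {"upn": "", "usercertificate": b""},
}

PRESENTED = {"subject_cn": "Jousset", "san_upn": "jousset@example.test", "der": CERT_2013}
MACHINE = {"subject_cn": "pc01.example.test", "san_upn": "host/pc01.example.test", "der": b""}


def walkthrough():
    """Return the decisions for the scenarios discussed in the thread."""
    no_such_user = {}  # directory without the user, as in the posted log
    return {
        "cn_user_missing": authenticate_eap_tls(PRESENTED, no_such_user, "cn"),
        "cn": authenticate_eap_tls(PRESENTED, DIRECTORY, "cn"),
        "san": authenticate_eap_tls(PRESENTED, DIRECTORY, "san"),
        "san_machine": authenticate_eap_tls(MACHINE, DIRECTORY, "san"),
        "binary_renewed": authenticate_eap_tls(PRESENTED, DIRECTORY, "binary"),
        "binary_published": authenticate_eap_tls(dict(PRESENTED, der=CERT_2012), DIRECTORY, "binary"),
    }


if __name__ == "__main__":
    for scenario, decision in walkthrough().items():
        print(f"{scenario:18s} {decision}")
```

The binary case is the operational caveat to keep in mind when answering Ken's question 3: CN and SAN comparison only prove that a name in a certificate signed by a trusted CA exists in AD, while binary comparison ties the login to one specific certificate and therefore breaks at every renewal unless the new certificate is republished to the usercertificate attribute.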
-
Authorization rule for EAP-FAST (inner EAP-TLS)
We have an ISE deployment where we want to use EAP-FAST with EAP-TLS as the inner method. We check both the computer and the user certificate. We initially had the condition EapChainingResult = User and machine both succeeded in our AuthZ rule, but we found that initially the machine succeeds and the user fails after Windows logon. If we change the condition to EapTunnelType = EAP-FAST, then it works fine; the logs show that although initially the user fails and the machine succeeds, after the Windows shell login the log message shows both the user and the machine succeeded. My preference would be to work with the first condition, because it is a more valid check, but it does not work due to the initial failure. Has anyone got EAP-FAST (EAP-TLS) working?
Regards
I have run into this at a client, and the reason only machine auth succeeded initially is that the user certificate store is not opened until the user has logged in, so this does not work as expected.
What you can do is have two different authz rules, one for EapChainingResult = Machine succeeded and user failed and another for when both succeed. This way you can give granular access using a different authorization for the machine, so the machine does not receive full network access before a user is logged in.
-
Cisco ACS 5.4 and VPN 3000
Hello
I'm trying to use Cisco ACS 5.4 for RADIUS authentication of VPN users using a VPN 3000 concentrator.
I added the VPN 3000 on ACS and added ACS as the authentication server on the VPN group with a shared secret. When I do a test on the authentication server using a local account I created on ACS, it says no response was received from the server, even though I can see the RADIUS Auth in green.
Any help would be much appreciated.
Regards
AR
Hey,
What does the report on ACS say?
"RADIUS Auth in green"
If so, a pcap between the two would help.
Regards
Ed
-
ISE 1.4 using EAP-TLS can't identify user in an AD group
Hello
I have a client who wants to use EAP-TLS for his WiFi authentication, and he wants users in a specific AD group to be allowed onto the SSID.
I found the solution works with PEAP, but with EAP-TLS authentication it only works without the "AD group" policy.
Any idea on what I can do to get it to work?
George
I found the problem; I had to adapt the "Certificate Authentication Profile" for the AD client.
What does your dot1x configuration on your PC look like? What does the ISE log show when it works?
-
Machine-based authentication using EAP-TLS, MS CA and ACS 5.2
I have used ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it. The 5.2 model is much more different than what I expected. We downloaded the 90-day trial in our lab, and I am trying to get wired 802.1X working so we can be sure we want to buy it. I've looked everywhere and I have been unable to find basic step-by-step instructions on how to configure the following scenario:
1. AD integration
2. EAP-TLS
3. Certificates
4. Microsoft CA
5. The supplicant is XP SP3
6. Non-Cisco 802.1X-capable switches (the switches are not the issue)
I got TACACS+ to work fairly easily, but I am confident the issues I have are user-based :). Does anyone know of a doc somewhere that covers a scenario like this (in addition to the user manual and migration docs)? Also, we have Software Assurance on our 4.2 box; will TAC support questions we have on the 5.2 box while we are doing demonstrations?
Thanks in advance.
Hello, Christopher.
I'll try to give you some tips to achieve what you want.
Additional info can be found in the user guide:
1. In the identity store / Active Directory, check "Enable machine authentication".
2. Import a certificate for ACS.
Go to System Administration > Configuration > Local Server Certificates > Local Certificates and click the Add button.
Select how you want to import the certificate, then check the EAP protocol.
3. Add your switches as AAA clients.
Network Resources > Network Devices and AAA Clients, click Create and configure the IP address + shared secret for RADIUS.
4. Go to Access Policies > Access Services and click Create to create a new access service.
Select Network Access as the Service Type from the list.
Check Identity, Group Mapping and Authorization.
5. Go to Access Policies > Service Selection Rules and select "Rule based result selection" if not already done, then click Customize at the bottom right of the screen and add the attributes that let you match the devices with which you want to do TLS.
You can use the IP address of the devices, or you can create an NDG (in Network Resources), assign devices to the NDG and match this NDG in your rule.
If all your RADIUS switches will do EAP-TLS, you can change the rule
"Rule-1, Protocol match Radius, Default Network Access" so that in the result you choose the access service created in step 3.
6. Go to Access Policies and click on the access service you created in step 3. In the Allowed Protocols tab, check EAP-TLS.
7. Unfold your access service menu and click Identity. Select your AD as the identity source.
8. Check that the "Permit Access" rule is selected in the authorization of your access service.
These steps define your devices, then create a rule saying that ACS must use an individual access service for these devices, and set this access service to use AD for authentication.
Again, these are the basic steps; I may have missed some things to do depending on your configuration, but I hope this will help you.
ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.
-
EAP-TLS authentication with ACS 5.2
Hi all
I have a question on EAP-TLS with ACS 5.2.
If I want to implement EAP-TLS with a Microsoft CA, how will computer and user authentication be done?
I understand that a cert is required on the client and the server end, but does this certificate bind to the computer or to individual users?
If it binds to the user, and I have a PC shared by a few users, will each user account have its own certificate?
And will each individual user have to manually get the CA cert? Is there another method, as my environment has more than 3000 PCs?
And also, if it binds to the user, any user can get their cert with their AD username and password; if they bring in their own device and try to get the certificate, they will be able to install the cert on their device properly, right?
I hope you guys can help with that. Thank you.
Hope this will answer most of your questions:
Client or user certificate
http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T10
Computer certificate
http://www.Cisco.com/en/us/Partner/Tech/tk59/technologies_tech_note09186a00804b976b.shtml#T15
In the case of EAP-TLS we have both the computer and the user certificate installed on the machines.
Kind regards
Jousset
- Do rate helpful posts -
-
Cisco ACS wireless authentication
Hello guys,
I'm testing wireless authentication and authorization for my wireless users via ACS 4.2. I have a test version of 4.2 on Windows 2003. I also have a WLC 5508 and a 3602i in my lab. My AD/NPS and CA are Windows 2008 R2.
Windows 2003 is part of the domain; and in ACS, if I go to External User Databases > Database Configuration > Windows Database > Configure,
from there I chose my domain name and selected "Permit EAP-TLS machine authentication". I've also mapped the domain to the group I created in ACS.
I also left the default RADIUS ports 1812 and 1813 on ACS.
On my WLC 5508, I created a WLAN and set the RADIUS IP to the IP address of the ACS. However, when I try to join the wireless network, it keeps failing.
I installed the user cert on the laptop for EAP-TLS. If I change the RADIUS server on the WLAN and point it to my AD/NPS, my test laptop is able to join the wireless network through EAP-TLS.
I'm a little confused about ACS TACACS+. Is TACACS+ only used for logins to manage network devices, or can it be used for regular user authentication and authorization?
For example, a wireless user who is part of the domain needs to join the corporate wireless network in his office. Can I use TACACS+ for that, or must it be RADIUS via ACS 4.2?
Thank you
Yes, that's true, and it applies to wired as well.
On ACS, please add the WLC as an AAA client with RADIUS (Cisco Airespace).
Configuring WLC and ACS for RADIUS settings:
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml
You can visit the link listed below to install the certificate on ACS 4.2.
~BR
Jatin kone * Do rate helpful posts *
-
Installing certificates for EAP-TLS on ACS does not work
Hi all
I have two problems.
I produced a CSR on ACS and sent it to my Windows people, and they issued my ACS a certificate. Cool.
I go to upload it to ACS and it asks me for a "private key file"?
What is this file? And where can I get one? Is it the long string of characters generated with the CSR that I sent to the Windows guys?
Also, I managed to just put any old rubbish in there, and I was surprised it was accepted.
I restarted the ACS service and tried to turn on EAP-TLS on the "Global Authentication Setup" page, only to get the message
Could not initialize PEAP or EAP-TLS authentication protocol because the CA
certificate is not installed. Install the CA using the "ACS
Certification Authority Setup" page.
Now I'm a little confused, because I may have set up ACS incorrectly due to my lack of understanding of what this private key file is and how it relates to all of this?
Thx a lot indeed.
Ken
I'm having the same problem. It seems the Windows guys have to generate a cert that is exportable, which also provides the private key file. I tried the following document without success. It may work for you, however: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml
I also tried having the ACS generate a self-signed certificate, and that works. But on the client you must uncheck the "Validate server certificate" box, because the ACS is not a trusted certificate server. Right now I'm trying to figure out how to get AD to publish the ACS as a trusted cert server so Windows knows to trust the ACS cert. Through all this I found that you can configure it in several ways; the hardest part is finding a way that works for you.