EAP-TLS uses WEP?

Why do you need to configure WEP as the data encryption when you use EAP-TLS?

'Ensure that the data encryption is set to WEP.'

You cannot use WPA2?

Gr.

Remco

Remco,

1. What should I do to configure EAP-TLS?

In order to configure EAP-TLS, the only configuration on the WLC is the selection of 802.1X on the Layer 2 security screen.

2. Users must have a user certificate and computers need a computer certificate. The IAS server needs a server certificate.

Your RADIUS server must have a certificate, and this must be added to the list of trusted certificates on each client. There is no configuration required on the controller side for this.

3. I want to use WPA/WPA2 Enterprise with AES encryption. In all the documents, you can see that the client is configured with WEP.

By default, if you choose 802.1X as Layer 2 security, WEP is used as the encryption. You must understand that these are two different things: one is the encryption (TKIP/AES) and the other is the 802.1X authentication. So if you want to use WPA2 with EAP-TLS, you must select WPA1 + WPA2 as Layer 2 security, and then, on the same screen, under "Auth Key Mgmt", select 802.1X.

Let me know if that answers your question.

--

Pushkar
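
The split described in the answer above (802.1X is the key management, TKIP/AES is the encryption) is visible in the RSN information element that a WPA2 WLAN advertises in its beacons. The Python parser below is an added example, not part of the original thread; the two sample elements are constructed and the function names are illustrative.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")           # IEEE 802.11 suite OUI
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP (AES)", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}              # key management, separate from cipher

# Constructed sample elements (not captured from any real network).
# WPA2 policy, AES only, Auth Key Mgmt = 802.1X:
ENTERPRISE_AES = bytes.fromhex("30140100000fac040100000fac040100000fac010000")
# WPA + WPA2 mixed mode (TKIP group cipher) with a pre-shared key:
MIXED_PSK = bytes.fromhex("30180100000fac020200000fac04000fac020100000fac020000")


def read_suites(body, off, names):
    """Read a 2-byte little-endian count, then that many 4-byte selectors."""
    if len(body) < off + 2:
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if len(body) < off + 4 * count:
        raise ValueError("truncated suite list")
    out = []
    for i in range(count):
        sel = body[off + 4 * i: off + 4 * i + 4]
        known = sel[:3] == RSN_OUI and sel[3] in names
        out.append(names[sel[3]] if known else "unknown:" + sel.hex())
    return out, off + 4 * count


def parse_rsn_ie(ie):
    """Decode cipher and key-management fields of an RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) < 6 or struct.unpack_from("<H", body, 0)[0] != 1:
        raise ValueError("unsupported RSN version or truncated element")
    sel = body[2:6]                          # group cipher: one selector, no count
    known = sel[:3] == RSN_OUI and sel[3] in CIPHERS
    group = CIPHERS[sel[3]] if known else "unknown:" + sel.hex()
    pairwise, off = read_suites(body, 6, CIPHERS)
    akm, _ = read_suites(body, off, AKMS)
    return {"group": group, "pairwise": pairwise, "akm": akm}


def audit_rsn(ie):
    """Return findings for anything weaker than WPA2 + AES + 802.1X."""
    info = parse_rsn_ie(ie)
    findings = []
    if "802.1X" not in info["akm"]:
        findings.append("key management is not 802.1X, so no EAP-TLS")
    weak = sorted({c for c in [info["group"], *info["pairwise"]]
                   if c != "CCMP (AES)"})
    if weak:
        findings.append("non-AES cipher offered: " + ", ".join(weak))
    return findings
```

A WLAN left on plain 802.1X Layer 2 security (dynamic WEP) advertises no RSN element at all, so the absence of element 48 in a beacon is itself the sign that the default described above is still in effect.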

Tags: Cisco Wireless

Similar Questions

  • [Cisco ACS 5.2] EAP-TLS authentication failure

    Hello

    I set up a WiFi connection on Windows XP and Windows 7 with EAP-TLS (using Cisco WLC 7.0.235.3 and Cisco ACS 5.2.0.26.10). It is configured with computer authentication, and computer certificates are automatically enrolled via Microsoft PKI.

    It works well!

    Now, I configured Windows 8 with the same configuration.

    The first authentication works, but if I manually disconnect and reconnect, I get this error on ACS: 22047 username main attribute is missing from the client certificate

    In the EAP packets, we could see that Windows 8 sent a TLS session, but the ticket session was not properly taken over by ACS...

    In the ACS configuration, we checked the option "Enable EAP-TLS Session Resume" with the session timeout "7200".

    I found this bug

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn26538&from=summary

    It seems to be my problem, but the reboot does not work in my case...

    It is fixed in 5.3 (0.40.2).

    I plan to install version 5.4.

    Do you know if this fix is supported by 5.4?

    Thanks for your help,

    Patrick

    Hi Patrick,

    What is fixed in 5.3 must also be fixed in 5.4.

    Even if the same issue appeared with 5.4, there would be a different bug ID and it would be identified as an independent issue (usually with different causes).

    HTH

    Amjad

    Rating useful answers is more useful than saying "thank you".

  • ISE 1.4 using EAP-TLS can't identify user in an AD group

    Hello

    I have a client who wishes to use EAP-TLS for his WiFi authentication, and he wants users to be in a separate AD group for the SSID to cooperate.

    I found the solution of operation or with PEAP with EAP-TLS authentication, it does that without the policy of 'AD group'.

    Any idea on what I can do to get it to work?

    George

    I found the problem: I had to adapt the 'Certificate Authentication Profile' for the AD client.

    What is your dot1x configuration on your PC? How does the ISE log look when it works?

  • Authorization of EAP-TLS machine using ACS 5.2

    Hi all

    I've been struggling with this for a few days now and I think there must be something I'm not quite understanding.

    We are trying to deploy a new wireless infrastructure using Windows wireless clients, APs from Motorola (with RFS switches), and a Cisco ACS 5.2 as RADIUS server.

    Trying to get EAP-TLS to work, I can get clients to connect if no actual authorization is used, but when I try to validate whether the computer name in the client certificate belongs to a particular group, the authorization fails.  I don't see how to get the ACS to use the RADIUS "Username" it receives via the certificate to authorize the machine.  The value of the RADIUS User-Name attribute is the name of the machine.  I would like the ACS to check whether this computer name belongs to a group, in particular in the Windows AD.

    We started with PEAP-MSCHAPv2, but security wanted machine authorization, so we thought that EAP-TLS was the only way to get it.  Now I'm not sure.

    I would appreciate it if someone could guide me in getting the ACS to validate whether the computer belongs to a group in Active Directory using

    (1) EAP-TLS

    (2) PEAP-MSCHAPv2

    Thank you!

    Hello.

    Just check something here:

    Do you have, in your policy under Identity, AD1 (or an Identity Store Sequence with AD1 inside) listed as the Identity Source?

  • Machine based authentication using EAP-TLS, MS CA and ACS 5.2

    I have used ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it.  The 5.2 model is much more different than what I expected.  We downloaded the 90-day trial in our lab, and I am trying to get wired 802.1X working so we can be sure that we want to buy it.  I've looked everywhere and I have been unable to find basic step-by-step instructions on how to configure the following scenario:

    1. Integrated AD

    2. EAP-TLS

    3. Certificates

    4. Microsoft CA

    5. The supplicant is XP SP3

    6. Non-Cisco 802.1X-compatible switches (switches are not the question)

    I got GANYMEDE to work fairly easily, but I am confident the issues I have are user based :).  Does anyone know of a doc somewhere that goes over a scenario like this (in addition to the user manual and docs of migration ISBN)?  Also, we have software assurance on our 4.2 box - will TAC support questions we have on the 5.2 box while we are demoing it?

    Thanks in advance.

    Hello, Christopher.

    I'll try to give you some tips to achieve what you want.

    Additional info can be found in the user guide:

    http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

    1. In the Identity Store / Active Directory, check "Enable machine authentication".

    2. Import a certificate for ACS

    Go to System Administration > Configuration > Local Server Certificates > Local Certificates and click the Add button.

    Select how you want to import the certificate, and then check the EAP protocol.

    3. Add your switches as AAA clients

    Go to Network Resources > Network Devices and AAA Clients, click Create, and configure the IP address + shared secret for RADIUS.

    4. Go to Access Policies > Access Services and click Create to add a new access service.

    Select the selected service type and Network Access in the list.

    Check Identity, Group Mapping and Authorization

    5. Go to Access Policies > Selection Rules and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and add the properties that allow you to match the devices with which you want to do TLS.

    You can use the IP address of the devices, or you can create an NDG (in Network Resources), assign devices to the NDG and match this NDG in your rule.

    If all your RADIUS switches will do EAP-TLS, you can change the rule

    Rule-1 Ray game Default network access

    While in the result, you choose your access service created in step 3.

    6. Go to Access Policies and click on the access service that you created in step 3. In the Allowed Protocols tab, check EAP-TLS

    7. Expand your access service menu, and then click Identity. Select your AD as the identity source

    8. Check that the 'Allowed access' rule is selected in the authorization of your access service

    These steps define your devices, then create a rule saying that ACS must use a particular access service for these devices, and set this access service to use AD for authentication.

    Again, these are the basic steps; some things may be missing depending on your configuration, but I hope this will help you.

    ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.

  • ISE: advise users that only EAP-TLS can be used

    A large school board accepts only EAP-TLS connections.  This requirement is easily communicated to teachers, but not to students, whose personal devices continue to try to connect using PEAP.   Once users connect with EAP-TLS, they are authenticated against AD.

    1. Can we block PEAP on the switch but let EAP-TLS through? I could not find a command for it.

    2. If we cannot stop the PEAP requests to ISE, could we treat PEAP connections like CWA, with a special authorization rule that would say: if the inner tunnel is PEAP, then CWA-nonEAP-TLS does web authentication, which would be a custom web page with a message instructing students how to use EAP-TLS? Would this make sense?

    3. Do you have a better suggestion for how to block PEAP before it reaches EHT, or a way of using ISE to indicate to users that they should use EAP-TLS, not PEAP, if they want to connect?

    Thank you.

    Cath.

    Usually at the start of the EAP negotiation, there is an agreement between the supplicant and the RADIUS server on which EAP types are negotiated. If you have suggested EAP-TLS to the client and the supplicant is misconfigured and uses PEAP, it must drop off.

    You can consider strict exclusion policies, so that if a client fails to authenticate after 3 attempts you can exclude them for a few minutes.

    You can create a homepage (URL redirection) so that when the authentication type is MSCHAPv2 and the authentication status is set to 'failed', a self-help HTML page is presented to the end user telling them to use EAP-TLS; keep in mind that the port and IP will need to be authorized in the forwarding ACL.

    What do you see in the failed attempts?

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • PEAP EAP/TLS, PORTEGE with WinXP SP2 Tablet Edition problem

    We have: Rev AiroNet350 Cisco with WPA-EAP; FreeRADIUS with EAP/TLS and PEAP; tablet PC PORTEGE with WinXP SP2 configuration.

    This problem is described in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but Microsoft support said to contact the laptop manufacturer.
    Can someone help me with this problem?

    Hmmm, I'm not an expert in this area, but it seems that the MS OS update is necessary. (I hope)
    The preinstalled Windows operating system is a simple OEM version and generally all updates should be possible. However, if the MS guys told you to contact the laptop manufacturer, you can contact the authorized Toshiba maintainer in your country for details.

    But I researched a bit on the net and found this site useful:
    http://SearchNetworking.TechTarget.com/originalContent/0,289142,sid7_gci945257,00.html

    1. 802.1X is based on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, the following 802.1X debugging tips may be useful:
    a. Re-enter the same RADIUS secret in your wireless router and the RADIUS server.
    b. Configure your RADIUS server to accept RADIUS requests from the IP address of your router.
    c. Use ping to check router-server reachability.
    d. Watch LAN packet counts to verify that RADIUS queries and responses are flowing.
    e. Use an Ethernet analyzer like Ethereal to watch RADIUS success/failure messages.
    f. For XP SP2, turn on Wzctrace.log by typing the command "netsh ras set tracing * enabled".

    2. If RADIUS is flowing but access requests are rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. This setting depends on the EAP type. For example, if your RADIUS server requires EAP-TLS, then select 'Smart Card or other Certificate' on your wireless network adapter's Properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" on the adapter. If your RADIUS server requires EAP-TTLS, then you will need a third-party wireless client like AEGIS or Odyssey.
    Make sure that the EAP-specific properties match for your adapter and the server, including the server certificate's trusted root CA, the server domain name (optional but must match when it is specified) and the client authentication method (EAP-MSCHAPv2, EAP-GTC). When you use PEAP, use the 'Configure' panel for CHAP to prevent Windows from automatically re-using your connection.

  • C4402 and ACS5.2 for EAP-TLS

    Hello

    I'm setting up ACS5.2 to authenticate my laptop clients with automatic certificates against an AD group.

    The Cisco 4402 is successfully allowing them onto the network on WEP. Now, I need to use EAP-TLS and certs to authenticate.

    I'm fighting with the ACS5.2 config. I've worked through adding a CA cert and joining the AD domain; I have now configured authentication profiles and Access Services.

    Any help with each step would be greatly appreciated.

    Thank you

    Phil

    Hello

    So you only need the ACS-side configuration, right?

    I think you need to move your thread on security identity and AAA forum here: https://supportforums.cisco.com/community/netpro/security/aaa.

    However, here are some links that you might find useful:

    https://supportforums.Cisco.com/docs/doc-21679

    https://supportforums.Cisco.com/docs/doc-24868

    None of them shows exactly the EAP-TLS configuration, but you can follow the PEAP with AD configuration, then change your settings to allow EAP-TLS and configure the necessary certificates on the client and the server.

    If you still have concerns, please ask. But if you move the thread to the security forums you can find more people to help out.

    Good luck.

    Amjad

  • WiFi with EAP-TLS works on the Xoom?

    Has anyone had success using WiFi requiring user certificates? I am trying to get my Xoom to connect to the corporate network (EAP-TLS) and followed the instructions for the iPad and imported my certificate into Android correctly. But when I connect, it hangs in the connecting state for minutes before finally giving up.

    Thank you

    Yale


  • ISE and EAP-TLS

    Hello

    We plan on implementing EAP-TLS for our company iPads, and in the past I successfully tested this authentication with ACS 5.3, but now that we have moved to ISE (1.1.1.24) I get an error.

    Result of the strategy of the 22045 identity is configured for password based authentication methods but received certificate authentication request

    I tried two different profiles, one with certificates and AD credentials and the other with just the certificates, but the error message is the same for both.

    EAP-TLS is enabled in the 'Default Network Access' authentication result.

    Can anyone shed some light on where I'm going wrong?

    Thank you

    Martin

    Yes that's right, the certificate that is presented to the ISE does not include the identity of the client, this is the reason why the attempt fails.

    Thank you

    Tarik Admani
    * Please note the useful messages *.

  • Windows 7 IPsec IKEv2 VPN EAP-TLS error

    I set up a strongSwan server on Ubuntu 14.04 from the official repo package with IKEv2 and rightauth=eap-tls using our public key infrastructure. I can connect correctly from Android and Linux but not Windows. I have installed my personal certificate in the certificate store, but when trying to connect it throws the error in the image. I have also attached my personal certificate (without the private key of course) - public RSA certificate only.

    Hello Vyronas,

    The question you posted would be better suited in the TechNet Forums. I would recommend posting your query in the TechNet Forums.
    TechNet Forum
    http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

    Hope this information helps.

  • EAP-TLS with WLC 4404 (which Layer 2 option to choose)

    Hi all

    I want to install a WLAN that uses EAP-TLS.

    WiFi PC <----->LWAP <------>WLC <---->Radius Server

    On the Layer 2 security tab on the WLC, which option should I use for the following:

    Layer 2 Security (I'm assuming WPA + WPA2, as that is what the laptops will use)

    Auth Key Mgmt?

    I'm a little confused by the 802.1X in two of these fields, one for Layer 2 Security and one for Auth Key Mgmt?

    Thx a lot indeed guys,

    Ken

    You would choose Layer 2 Security: WPA + WPA2

    Then in the WPA + WPA2 settings choose WPA2 Policy with WPA2 encryption. Under Auth Key Mgmt select 802.1X.

    Now if you need to use WPA Policy, then also choose TKIP for this.

    Then choose your RADIUS servers on the AAA Servers tab.

    That's all.

  • Install certificates for EAP-TLS on ACS does not work

    Hi all

    I have two problems.

    I generated a CSR on the ACS and sent it to my Windows people, and they issued my ACS a certificate. Cool.

    I'm going to download the GBA and I put a 'private key file'?

    What is this file, and where can I get one? What is this long string of characters generated with the CSR that I sent to the Windows guys?

    Also, I managed to just put any old rubbish in there, and I was surprised it accepted it.

    Restarted the service and I tried to turn on EAP-TLS on the "Overall Authentication Configuration" page, only to get the message

    Could not initialize authentication PEAP or EAP - TLS because that Protocol

    certificate is not installed. Install CA using "ACS."

    «Configuration of CA page»»

    Now, I'm a little confused: have I installed the GBA incorrectly because of my lack of understanding of what this private key file is and how it relates to everything?

    Thx a lot indeed.

    Ken

    I'm having the same problem. It seems the Windows guys have to generate a cert that is exportable, which also provides the private key file. I tried the following document without success. It may work for you, however: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

    I also tried to have the ACS generate a self-signed certificate, and that works. But on the client, you must uncheck the "validate server certificate" box because GBA is not a trusted certificate server. Right now I'm trying to understand how to get AD to publish the ACS as a trusted cert server so Windows knows to trust the ACS cert. Through all this, I found that you can configure it in several ways; the most difficult part is finding a way that works for you.

  • EAP-TLS Questions...

    Hi all

    My setup is like this...

    Laptop - LWAPP - WLC - ACS - AD

    I'm using a CA to generate the certificate... I set up EAP-TLS on the WLC & ACS SE. Everything works fine, that is to say, when I issue a certificate from the CA for my AD login name & install this certificate I'm able to connect to the WLAN... For security on the WLC I enabled WPA & 802.1X...

    What I want is that when I start the laptop it should connect directly to the wireless network & when I try to sign in using my user name & password it should tell me if my password is expired or something & connect to AD. But this is not happening. When we were using PEAP it asked for a username and password to connect, but in the case of EAP-TLS it only verifies valid certificates...

    Thanks in advance...

    Kind regards

    Piyush

    EAP-TLS does not use a user name and password; only PEAP does:

    http://TechNet.Microsoft.com/en-us/library/cc739638.aspx

  • EAP-TLS with ISE

    I read the Cisco ISE for BYOD and am trying to create an authentication policy for the EAP-TLS protocol. When I create the new policy and add a new condition, and then go to Network Access, EAPAuthentication is not an option. So I went to Policy Elements and created a new compound authentication condition and added it to the library. When I try to add it to my authentication policy, it does not let me choose it and says only relevant conditions are selectable. Am I missing a step somewhere?

    Any help is greatly appreciated and thanks in advance!

    Hello

    If you want to use a different identity store for BYOD devices, all you have to do is change the default dot1x rule and add a condition above your default condition/identity store.

    Add a certificate attribute value - SAN/Issuer, etc., depending on what your differentiator is between the BYOD devices and assets.

    Please see the attached screenshot.
