Novell NDS CA and EAP - TLS

Similar Questions

• Configuration of LEAP and EAP - TLS on ACS 4.2

  Hi all

  I am starter to wirless lan, I'm 3.3 ACS ACS 4.2 migration, I must define LEAP & EAP - TLS for authentication of the end-user wireless, how to set up LEAP and EAP - TLS on Version 4.2 ACS.

  Similalry for EAP - TLS its requires a certificate to be migrated from old ACS 3.3 to 4.2 ACS, kindly tell me here.

  Hi Santosh,

  I am attaching a copy of the link because you could not access the link.

  I hope this helps.

  Kind regards

  Anisha

  P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

• ISE and EAP - TLS

  Hello

  We plan on implementing eap - tls for our iPads company and in the past, I've successfully tested it authentication with the ACS5.3, but now that we moved to ISE (1.1.1.24) I get an error.

  Result of the strategy of the 22045 identity is configured for password based authentication methods but received certificate authentication request

  I tried two different profiles, one with a certificates and credentials of the AD and the other with just the certificates but the error message are the same for both.

  EAP - TLS is enabled in the result of the 'Access to the network by default' authentication.

  Anyone can shed some light on where I'm wrong?

  Thank you

  Martin

  Yes that's right, the certificate that is presented to the ISE does not include the identity of the client, this is the reason why the attempt fails.

  Thank you

  Tarik Admani
  * Please note the useful messages *.

• 4.2 of the ACS and EAP - TLS with AD and prefix problem

  Hello

  We have the following situation:

  -2 X ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain

  -2 x ACS (ACS SE 4.2 1 x and 1 x 4.2 ACS) for domain b.

  First of all, there is a problem to have an ACS SE and a CBS work together for an area, I do not? When we haven't had that one area and the two SE ACS were responsible for domain A, it worked.

  Now after the changes, authentication of machine with EAP - TLS is no longer in effect. In the newspapers, it always says that "external user DB is unknown" for a username (machine) as host/abc.domain.ch

  This is the normal output of the Remote Agent, he finds the host but then nothing happens:

  CSWinAgent 2009-11-30 16:32:13 0140 3672 0x0 customer who connects from x.x.x.x:2443
  CSWinAgent 2009-11-30 16:32:14 0507 3512 0x0 CPP: NT_DSAuthoriseUser received
  CSWinAgent 2009-11-30 16:32:14 0474 3512 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 16:32:14 0549 3512 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 16:32:14 0646 NTLIB 3512 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 16:32:14 0735 3512 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 16:32:14 2355 3512 0x0 NTLIB: user "host/abc.domain.ch" found [FIELD]
  CSWinAgent 2009-11-30 16:32:14 0584 0 x 3512 0 RPC: NT_DSAuthoriseUser response sent

  So I did a test of the ASA to see if the host is a problem (until changes have been made it was not a problem):

  AAA authentication RADIUS host 10.3.1.9 username host/abc.domain.ch to test (the ASA becomes the host / entry for the correct Windows scheme with the $):

  CSWinAgent 2009-11-30 15:39:23 0140 3672 0x0 customer who connects from x.x.x.x:1509
  CSWinAgent 2009-11-30 15:39:23 0390 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 2009-11-30 15:39:23 0474 3728 0x0 NTLIB: Creating Domain cache
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 0646 NTLIB 3728 0x0: none of the trusted domains found
  CSWinAgent 2009-11-30 15:39:23 0735 3728 0x0 NTLIB: cache loaded field
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0373 3728 0x0 NTLIB: retry authentication to the domain
  CSWinAgent 2009-11-30 15:39:23 0549 3728 0x0 NTLIB: domain Cache loading
  CSWinAgent 2009-11-30 15:39:23 1762 3728 0x0 NTLIB: had WorkStation CISCO
  CSWinAgent 2009-11-30 15:39:23 1763 3728 0x0 NTLIB: Windows authentication attempts for user ABC$
  CSWinAgent 2009-11-30 15:39:23 1815 3728 0x0 NTLIB: Windows authentication FAILED (Error 1326 L)
  CSWinAgent 2009-11-30 15:39:23 0456 0 x 3728 0 RPC: NT_MSCHAPAuthenticateUser response sent

  It is clear that the test failed because of the bad 'past to a computer' but it's a different output as before. I saw that in ACS 4.1, you can change the prefix of send_break_action for nothing, but in 4.2 it is no longer possible.

  This could be the problem, or if someone sees no other problem?

  Best regards

  Dominic

  Hello

  I encounter the same problem with my acs. I have all of the attempts failed for the default group. For the default group made configuration is not available. Is - this thereason behind all this?

• Cisco ISE - eap-peap and eap - tls

  Hello

  Does anyone have an example of a policy of ISE, where from a WLC authentication requests can be processed by TLS and PEAP?

  I don't seem to get that working, I however do the accident of ISE application with my config that is not the idea.

  If peap uses this identity source, if tls uses 'this profile of authentication certificate '.

  THX

  Don't need to do in politics

  Can create a sequence identity and understand that it contains a certificate OmniPass profile and identity store

  Administration > identity management > identity Source sequences

  Can then select and define the Certfiicate authentication profile for OmniPass based certificate and a list of authentication search

• Error Windows 7 IPsec IKEv2 VPN EAP - TLS

  I Strongswan Server Setup Ubuntu 14.04 since the official package with IKEv2 and eap - tls = rightauth repo using our public KEY infrastructure. I can connect correctly to Android and Linux but not Windows. I have installed my personal certificate in the certificate store, but when trying to connect it throws this error in the image. I have also attached my certificate (without the private key of course) personal - certificate rsa public only

  

  Hello Vyronas,

  The question you posted would be better suited in the TechNet Forums. I would recommend posting your query in the TechNet Forums.
  TechNet Forum
  http://social.technet.Microsoft.com/forums/Windows/en-us/home?category=w7itpro

  Hope this information helps.

• Machine based authentication using EAP - TLS, MS CA and 5.2 of the ACS

  I use ACS 4.2 for Windows for a couple of years now and I'm pretty comfortable with it.  5.2 model is much more different than what I expected.  We downloaded the trial in our laboratory for 90 days, and I try to get 802. 1 x wired works so we can be sure that we want to buy it.  I've looked everywhere and I have been unable to find some basic instructions on how to configure the following in a step by step process scenario:

  1. integrated AD

  2 EAP - TLS

  3 certificates

  4 Microsoft CA

  5. the applicant is XP SP 3

  6 non-Cisco 802.1 x compatible switches (switches are not the question)

  I got GANYMEDE to work fairly easily, but I am confident the issues I have are user based :).  Does anyone know of a doc somewhere that goes on a scenario like this (in addition to the user manual and docs of migration ISBN)?  Also, we have the assurance of software on our box 4.2 - TAC support questions we have on the 5.2 box while we are it do demonstrations?

  Thanks in advance.

  Hello, Christopher.

  I'll try to give you some tips to achieve what you want.

  Additional info can be found in the user guide:

  http://www.Cisco.com/en/us/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/acsuserguide.html

  1. in the identity store / Active directory, check "enable machine authentication.

  2 import a certificate for ACS

  Go to System Administration > Configuration > Local Server Certificates > Local certificates and click the Add button.

  Select how you want to import the certificate, and then verify the Protocol EAP

  3. Add your switches as aaa clients

  Access network resources > network hardware and the AAA Clients, click on create and add configure address IP + shared secret for the RADIUS.

  4-go to access policies > Access Services and click on create a new access service.

  Select the selected Type of Service and network access in the list.

  Verify the identity, group mapping and authorization

  5 - go to the access policies > rules of selection and select "Rule based selection result" if not already done, then click Customize at the bottom right of the screen, and then add the properties that allows you to match your device with which you want to do TLS.

  You can use the IP address of devices, or you can create a NDG (in network resources), assign devices to the NDG and match this NDG in your rule.

  If all your switches RADIUS will make eap - tls, you can change the rule

  Rule-1

  Ray game

  Default network access

  While in the result, you choose your service of access created in step 3.

  6 - go to the access policies and click on the access service that you created in step 3. In the allowed Protocols tab, see EAP - TLS

  7. unfold your access service menu, and then click identity. Select your ad as being the source of the identity

  8. check that the 'Allowed access' rule is selected in the authorization to access your service

  These measures define your devices, and then create a rule to say that ACS must use an individual service for this access devices and set this access service to use AD as authentication.

  Again, what are the basic steps, he may miss some things to do depending on your configuration, but I hope this will help you.

  ACS 5 may be difficult at first, but once you get your hands on it, you will see that it is powerful.

• C4402 and ACS5.2 for EAP - TLS

  Hello

  I'm putting in place ACS5.2 to authentic my portable computer clients with automatic certificates to an ad group.

  Cisco 4402 is successfully allowing them to network on WEP. Now, I need to use EAP - TLS and CERT to authentic.

  I'm fighting with the ACS5.2 config. I ' ve worked through added a cert CA, added to the AD domain, I have now configured Athen profiles and Access Services. "

  With each step any help would be greatly appreciated.

  Thank you

  Phil

  Hello

  If you only need configuraiton side ACS, right?

  I think you need to move your thread on security identity and AAA forum here: https://supportforums.cisco.com/community/netpro/security/aaa.

  However, here are some links that you might find useful:

  https://supportforums.Cisco.com/docs/doc-21679

  https://supportforums.Cisco.com/docs/doc-24868

  None of them show exactly EAP - TLS configuratoin, but you can follow the configuraiton PEAP with AD, then you change your settings to allow the EAP - TLS and configure the necessary certificates on the client and the server.

  If you still have concerns, please ask. But if you move the thread on security forums you can find more people help ot.

  Good luck.

  Amjad

• PEAP EAP/TLS, PORTEGE with WinXP sp2 Tablet Edition problem

  We have: Rev AiroNet350 Cisco with WPA - EAP: Freeradius with EAP/TLS and PEAP, tablet PC PORTEGE with WinXP sp2 configuration.

  This problem discribed in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
  Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but microsoft support said to contact the laptop manufacturer.
  Can someone help me with this problem?

  Hmmm I m not an expert in this area, but it seems that the MS OS update is necessary. (I hope)
  The preinstalled Windows operating system is a simple OEM version and generally all updates should be possible. However, if MS guys told you to communicate with the manufacture of the laptop, you can contact the maintainer authorized Toshiba in your country for details.

  But I studied a bit on the net and found this site useful:
  http://SearchNetworking.TechTarget.com/originalContent/0, 289142, sid7_gci945257, 00.html

  1. 802. 1 X is based on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, 802. 1 X debugging following tips may be useful:
  a. reintroduce the same RADIUS secret in your wireless router and the RADIUS server.
  b. configure your RADIUS server to accept the request of the RADIUS of the IP address of your router.
  c. use ping to check the accessibility of router-server.
  d. package watch LAN account to verify that RADIUS and answers queries are fluid.
  e. use an Analyzer like Ethereal Ethernet to watch RADIUS success/failure messages.
  f. for XP SP2, turn on Wzctrace.log by typing "command netsh ras set followed * activated.

  2 if RADIUS is flowing but are rejected requests for access, you may have a problem of incompatibility or credential X Extensible Authentication Protocol (EAP) 802.1. This setting depends on Type EAP. For example, if your RADIUS server requires EAP - TLS, then select 'Card chip or other certificate' of your adapter wireless network properties / authentication Panel. If your RADIUS server requires PEAP, then select "Protected EAP" of the adapter. If your RADIUS server requires EAP-TTLS, then you will need a third-party wireless like AEGIS or in Odyssey client.
  Make sure that this specific EAP properties match for your adapter and the server, including the server CA certificate root trust Server domain name (optional but must match when it is specified) and the customer (EAP-MSCHAPv2, EAP - GTC) authentication method. When you use PEAP, use the control panel to 'Configure' CHAP to prevent Windows from automatically re-use of your connection.

• WiFi with EAP - TLS works on the Xoom?

  Did anyone had success with using the Wifi requiring user certificates? I try to get my Xoom to connect to the corporate network (EAP - TLS) and followed the instructions for the IPad and imported my homologated in Android correctly. But when I connect, it hangs to the connection state minutes before finally giving up.

  Thank you

  Yale

  
  

• EAP - TLS uses WEP?

  Why do you need to configure WEP as a data encryption when you use EAP - TLS?

  'Ensure that the data encryption is set to WEP.

  You cannot use WPA2?

  Gr.

  Remco

  Remco,

  1. what should I do to configure EAP - TLS?

  In order to configure EAP - TLS, the only configuration on the WLC is selection of 802. 1 x 2 layer security screen.

  2. users must have a certificate of the user and computers need a computer certificate. IAS server needs a server certificate.

  You RADIUS server must have a certificate and this must be added to the list of trusted certificates on each client. There is no configuration required on the side of the controller for this.

  3. I want to use WPA/PWA2 enterprise with AES encryption. In all the documents, you can see that the client is configured with WEP.

  By default, if you choose 801.x on layer 2 security, WEp is used as the encryption. You must understand that these are two different things. One is the encryption (TKIP/AES and the other is the 801.x authentication). So if you want to use WPA2 with EAP - TLS, you must select WPA1 + WPA2 as layer 2 security, then 802. 1 x on the same screen in "Auth key Mgmt" select 802. 1 x

  Let me know if that answers your question.

  --

  Pushkar

• EAP - TLS with WLC 4404 (choose which layer option 2)

  Hi all

  I want to install a WLAN that uses EAP - TLS.

  WiFi PC <----->LWAP <------>WLC <---->Radius Server

  Should the layer tab 2 for security on the WLC which option I use for the following: -.

  Security Layer 2 (I'm assuming that WPA + WPA2 than what laptops will use)

  Key auth Mgmt?

  I'm a little confused by the 802. 1 x in two of these fields, a security layer two and one for Auth key Mgmt?

  Thx a lot indeed guys,.

  Ken

  You would choose layer 2 security: WPA + WPA2

  Then in the settings WPA + WPA2 choose political WPA2 with WPA2 encryption. Under authentication key Mgmt select 802.1 x.

  Now if you need the use of WPA policy, then also choose TKIP for this.

  Choose your radius servers so for your AAA server tab.

  That's all.

• Install certificates for EAP - TLS does ACS does not work

  Hi all

  I have two problems.

  I produced a CSR ACS and sent my people to windows this and they published my ACS with a certificate. Cool.

  I'm going to download the GBA and I put a 'private key file?

  What is this file? and where can I get a? What is this long string of characters that generate the CSR, I sent the boys of windows?

  Also, I managed to just put any old rubbish in there? and I was surprised he accepted.

  Restarted the service IS and I tried to turn it on eap - tls on the "Overall Authentication Configuration" page to get only the message

  Could not initialize authentication PEAP or EAP - TLS because that Protocol

  certificate is not installed. Install CA using "ACS."

  «Configuration of CA page»»

  Now, I'm a little confused, because if have the installer GBA incorrectly, because of my lack of understanding of what this private key file and how it relates to all which?

  Thx a lot indeed.

  Ken

  I'm having the same problem. It seems the guys from windows to generate a cert that it must be exportable, which offers also private key file. I tried the following without success document. It can work for you, however, http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

  I also tried to have the ACS to generate a certificate self-signed, that works. But on the client, you must uncheck the box validate the server certificate because GBA is not a trusted certificate servers. Right now I'm trying to understand how ad to publish the ACS as a trusted cert server so windows knows to do trust the cert of the ACS. Through all this, I found that you can configure in several ways, the most difficult part is to find a way that works for you.

• EAP - TLS Questions...

  Hi all

  My setup is like this...

  Laptop - LWAPP - WLC - ACS - AD

  I m using CA to generate the certificate... I set up EAP - TLS on WLC & ACS SE. everything works fine it is to tell when I issue a CA on my AD login name & install this certificate I m able to connect to the WLAN... For safety on WLC I activate WPA & 802.1 x...

  What I want is that when I start the laptop it should directly connect to the wireless network & whne I try to sign in using my user name & password that he should ask if my password is expired or something & connect to AD. But this is not case allowing to happen when we were using peap as it ask for username and paswword connect but not in the case of EAP_TLS it only to verify valid certificates...

  Thanks in advance...

  Kind regards

  Piyush

  EAP - TLS does not use a name of user and password only PEAP:

  http://TechNet.Microsoft.com/en-us/library/cc739638.aspx

• ISE 1.4 using EAP - TLS can´t identify user in an ad group

  Hello

  I have a client who wishes to use the EAP - TLS on his Wifi authentication and he wants users in a separate AD Group for the SSID to cooperate.

  I found the solution of operation or with PEAP with EAP - TLS authentication, it does that without the policy of 'ad group.

  Any idea on what I can do to get it to work?

  George

  I found the problem, I had to adapt the 'certificate of authentication Profile' for the AD client

  What made your dot1x in your PC configuration? How the ISE journal watch, when it works?