Requirement of CA for EAP-TLS

Hi all

I know Cisco has requirements for the "user certificates" and "AAA certificates" used in EAP-TLS. Does anyone know what the requirements are for the CA certificate in EAP-TLS, please?

Thank you.

Hello

You must have two certificates on the client and on your RADIUS server.

The first certificate is the "root" cert, which is the same on both devices.

The second certificate is the "user" cert, which is unique for each client and for the AAA server.

Below are more details on EAP-TLS:

http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_white_paper0918...

Kind regards.
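The two-certificate answer above (one root CA shared by client and server, plus an end-entity certificate on each side), and the fuller list in the ACS 5.5 reply further down (root, intermediate and server certificate on the server; root, intermediate and user or machine certificate on the client), can be exercised in a lab with openssl before touching ACS, ISE or the WLC. What follows is an added example, not code from this thread or from Cisco: it builds a throwaway root CA, a RADIUS server certificate and a user certificate with the extended key usages each side checks, then verifies them the way a supplicant and a RADIUS server would, including the wrong-certificate-type case. The names (Lab Root CA, radius.lab.example, alice@lab.example) are invented and a single tier is used, with no intermediate CA, to keep it short.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway EAP-TLS PKI built with openssl.
#   ca.crt      root CA, installed as trusted root on every client AND on the RADIUS server
#   server.crt  RADIUS server certificate, EKU serverAuth, signed by the root
#   client.crt  user certificate, EKU clientAuth, carrying an identity the server can map
# All names are invented; a single tier is used (no intermediate CA) to keep it short.
set -e

lab_pki_build() {
    dir=$(mktemp -d)

    # 1. Root CA: self-signed, CA:TRUE, keyCertSign. This one cert is what goes in the
    #    client's trusted-root store and in the server's certificate trust list.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -days 3650 -config "$dir/ca.cnf" >/dev/null 2>&1

    # 2. RADIUS server certificate: the supplicant checks the chain and EKU serverAuth,
    #    and (when configured) that the server name matches.
    cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:radius.lab.example
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=radius.lab.example" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 825 -extfile "$dir/server.ext" >/dev/null 2>&1

    # 3. User certificate: EKU clientAuth plus an identity (CN, SAN e-mail, UPN) that the
    #    RADIUS server can map to an account. A cert with no usable identity completes the
    #    TLS handshake but leaves the server nothing to authorize.
    cat > "$dir/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectAltName = email:alice@lab.example, otherName:1.3.6.1.4.1.311.20.2.3;UTF8:alice@lab.example
EOF
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=alice" >/dev/null 2>&1
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" -days 365 -extfile "$dir/client.ext" >/dev/null 2>&1

    echo "$dir"
}

# Chain and purpose check as each peer performs it: the supplicant validates the server
# cert for the sslserver purpose, the RADIUS server validates the user cert for sslclient.
lab_pki_check() {   # $1 = directory from lab_pki_build, $2 = server | client
    case "$2" in
        server) openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 ;;
        client) openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1 ;;
        *)      return 2 ;;
    esac
}

# The common mistake: the wrong certificate type on the RADIUS server. A clientAuth-only
# cert chains fine but fails the sslserver purpose check, so the supplicant rejects it.
lab_pki_check_wrong_purpose() {
    openssl verify -purpose sslserver -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Identity the RADIUS server will read from the user certificate (the CN here).
lab_pki_client_identity() {
    openssl x509 -in "$1/client.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Usage:
#   d=$(lab_pki_build)
#   lab_pki_check "$d" server && lab_pki_check "$d" client && echo "chain OK"
#   lab_pki_check_wrong_purpose "$d" || echo "client cert refused as server cert (expected)"
#   lab_pki_client_identity "$d"
```

The purpose checks are the point: `openssl verify` without `-purpose` only tests the chain, and a certificate that chains correctly but carries the wrong EKU is exactly the failure that shows up as "server certificate rejected" on the supplicant or as an unusable client certificate on the server.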

Tags: Cisco Wireless

Similar Questions

  • AAA test command for EAP-TLS authentication of wireless users

    Hi all

    Can anyone suggest the test command to verify EAP-TLS authentication for the Cisco WAPs' wireless users?

    If it's LEAP authentication we can use the command below to test the connection:

    Testwap-01#test aaa group radius [email protected] / * / o4 & yJ) NoL$ new-code %0
    Trying to authenticate with the radius server group
    User successfully authenticated

    But EAP-TLS does not come with a password; it only prompts for the username.

    We are going to a remote location, so we want to test remotely before production.

    If someone could help please: is there a command to test this authentication, or a debug command to test it?

    EAP-TLS requires a client certificate. How could there be a simple command that tests it without loading any certificate on the router/switch? It does not exist. This is why EAP-TLS is not considered an easy EAP method to deploy: it can go wrong on several levels.

    The test aaa command performs a PAP authentication, so it tests basic RADIUS connectivity and the username and password.

    If that works, the only thing that can break for EAP-TLS is the certificates, and the RADIUS server will be able to tell if something is wrong.

  • Installing certificates for EAP-TLS on ACS does not work

    Hi all

    I have two problems.

    I generated a CSR on ACS and sent it to my Windows people, and they issued my ACS a certificate. Cool.

    I'm going to upload it to ACS and it asks me for a "private key file"?

    What is this file, and where can I get one? Is it the long string of characters that generating the CSR produced, which I sent to the Windows guys?

    Also, I managed to just put any old rubbish in there, and I was surprised it was accepted.

    I restarted the ACS service and tried to turn on EAP-TLS on the "Global Authentication Configuration" page, only to get the message

    Could not initialize PEAP or EAP-TLS authentication protocol because the CA certificate is not installed. Install the CA using the ACS "CA Configuration" page.

    Now I'm a little confused, because I may have installed the ACS certificate incorrectly due to my lack of understanding of what this private key file is and how it relates to all of this.

    Thx a lot indeed.

    Ken

    I'm having the same problem. It seems the Windows guys have to generate a cert that is exportable, which also provides the private key file. I tried the following document without success. It might work for you, however: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

    I also tried having ACS generate a self-signed certificate, and that works. But on the client, you must uncheck the "validate server certificate" box because ACS is not a trusted certificate server. Right now I'm trying to understand how to have AD publish the ACS as a trusted cert server so Windows knows to trust the ACS cert. Through all this, I found that you can configure it in several ways; the hardest part is finding the way that works for you.

  • C4402 and ACS 5.2 for EAP-TLS

    Hello

    I'm setting up ACS 5.2 to authenticate my laptop clients, which have automatically issued certificates, against an AD group.

    The Cisco 4402 is successfully letting them onto the network with WEP. Now I need to use EAP-TLS and certificates to authenticate.

    I'm struggling with the ACS 5.2 config. I've worked through adding a CA cert and joining the AD domain, and I have now configured authentication profiles and Access Services.

    Any help with each step would be greatly appreciated.

    Thank you

    Phil

    Hello

    So you only need the ACS-side configuration, right?

    I think you need to move your thread to the Security Identity and AAA forum here: https://supportforums.cisco.com/community/netpro/security/aaa.

    However, here are some links that you might find useful:

    https://supportforums.Cisco.com/docs/doc-21679

    https://supportforums.Cisco.com/docs/doc-24868

    Neither of them shows exactly the EAP-TLS configuration, but you can follow the PEAP with AD configuration, then change your settings to allow EAP-TLS and configure the necessary certificates on the client and the server.

    If you still have questions, please ask. But if you move the thread to the security forums you may find more people to help.

    Good luck.

    Amjad

  • Configuration of LEAP and EAP-TLS on ACS 4.2

    Hi all

    I am new to wireless LAN. I'm migrating from ACS 3.3 to ACS 4.2, and I must set up LEAP and EAP-TLS for authentication of wireless end users. How do I set up LEAP and EAP-TLS on ACS version 4.2?

    Similarly, EAP-TLS requires a certificate to be migrated from the old ACS 3.3 to ACS 4.2; kindly tell me about that here.

    Hi Santosh,

    I am attaching a copy of the link since you could not access the link.

    I hope this helps.

    Kind regards

    Anisha

    P.S.: Please mark this thread as answered if you feel that your query is resolved. Rate the helpful posts.

  • LEAP and EAP-TLS on WLC

    Hello

    I need to deploy certificate-based authentication for some Intermec client devices for a customer. I intend to use a separate SSID for this. There are other existing SSIDs that use RADIUS-based authentication.

    Question: if I don't select any RADIUS server for this EAP-TLS SSID and select only "BOND", will it work? Or will the WLC always find the already defined RADIUS servers and fail the authentication?

    Question 2: If the above is not possible, I have to go for EAP-TLS with ACS. Does anyone have some easy steps to get EAP-TLS operational? (1252 LAP, WLC 4400, ACS 4.1, Windows CA)

    Regards

    Joe

    You will be able to use local EAP for LEAP as long as you do not specify a RADIUS server on this SSID. Then you can have a different SSID doing EAP-TLS pointing to a RADIUS server.

    Sent from Cisco Technical Support iPhone App

  • ACS 4.0 EAP-TLS cert does not work

    Hey,

    So, I generated my certificate signing request, took it to my CA, and got a cert. I installed it on my ACS device with "ACS Certification Authority Setup", then "Install ACS certificate" (it filled in the private key and password, so I guess it got those from the cert file). I then added the CA in "Edit CTL". All of this goes off without a hitch.

    However, when I try to add the "certificate revocation list" I am unable to add either the LDAP:// or the http:// URL. I confirmed that http:// is working on the certification authority, and all possible indications are that LDAP works too, but I can't test it with tools.

    When I go to "System Configuration" -> "Global Authentication Setup" -> "Allow EAP-TLS" I get the following error.

    Could not initialize the PEAP or EAP-TLS authentication protocol because the certificate authority is not installed. Install the certification authority by using the "ACS Certification Authority Setup" page.

    Exactly which certificate is not installed? It is on the ACS server, it is configured, and the date range is correct.

    I've been banging my head against this all day and could use some suggestions. :)

    Hello

    For EAP-TLS to work you must use an external CA installation such as Microsoft or RapidSSL etc.; the certificates auto-generated in ACS support PEAP but not EAP-TLS.

    HTH

    Ahmed

  • Authorization rule for EAP-FAST (inner EAP-TLS)

    We have an ISE deployment where we want to use EAP-FAST with EAP-TLS as the inner authentication method. We check both the computer and the user certificate. We initially had the condition EapChainingResult = User and machine both succeeded in our AuthZ rule, but we found that initially the machine succeeds and the user fails after Windows logon. If we change the condition to EapTunnelType = EAPFAST, then it works fine; the logs show that although the user initially fails and the machine succeeds, after the Windows shell login the log message shows the user and the machine both succeeded. My preference would be to work with the first condition, because it is a more valid check, but it does not work due to the initial failure. Has anyone got EAP-FAST (EAP-TLS) working?

    Regards

    I have run this at a customer, and what you've discovered, that only machine auth succeeds initially, is because the user store where the user's certificate is held is not open until they have logged in, so this does not work as expected.

    What you can do is have two different authz rules, one for EapChainingResult = machine succeeded and user failed and another for when both are successful. This way you can give granular access using a different rule for the machine, so the machine does not receive full access to the network before a user is logged on.

  • 802.1X EAP-TLS for wired users with ACS 5.5

    Hi all

    We are setting up a new configuration for wired user authentication with 802.1X (EAP-TLS). We use ACS 5.5 as the authentication server.

    We have added the (internal) root CA certificate and the certificate for ACS signed by the CA. Now we want to check whether authentication works or not. I expect that the root CA and identity certificates also need to be installed on the laptops. But I don't know how to download the certificates for a client machine manually from the CA.

    Please suggest how to get certificates for clients both manually and automatically.

    Thank you

    Vijay

    Hi Vijay,

    For wired 802.1X (EAP-TLS) you must have the following certificates:

    On the ACS server: root CA, intermediate CA, server certificate

    On the client: root CA, intermediate CA, user certificate (in the case of user authentication) or machine certificate (in the case of computer authentication)

    I do not know which certificate server you use. If it's an in-house Microsoft CA or any other certificate server, you need to download the client certificate from the server itself.

    In the case of Microsoft, there will be a user certificate template. You can select it and create a user certificate.

    This is an old document, but it has the configuration steps for a computer certificate for the user; you can see the steps to download the user certificate if it's a Microsoft server:

    http://www.Cisco.com/c/en/us/support/docs/security/secure-access-control...

    In case you use a third-party certificate server, then you must check with them on how to download the user certificate.

    See you soon

    Mohammed (rate useful message)

  • PEAP/EAP-TLS, Portege with WinXP SP2 Tablet Edition problem

    We have: Cisco AiroNet 350 with WPA-EAP; FreeRADIUS with EAP-TLS and PEAP; Portege tablet PC with WinXP SP2 configuration.

    This problem is described in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
    Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but Microsoft support said to contact the laptop manufacturer.
    Can someone help me with this problem?

    Hmmm, I'm not an expert in this area, but it seems that the MS OS update is necessary (I hope).
    The preinstalled Windows operating system is a simple OEM version and generally all updates should be possible. However, if the MS guys told you to contact the laptop manufacturer, you can contact the authorized Toshiba service partner in your country for details.

    But I searched a bit on the net and found this site useful:
    http://SearchNetworking.TechTarget.com/originalContent/0,289142,sid7_gci945257,00.html

    1. 802.1X is based on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, the following 802.1X debugging tips may be useful:
    a. re-enter the same RADIUS secret on your wireless router and on the RADIUS server.
    b. configure your RADIUS server to accept RADIUS requests from the IP address of your router.
    c. use ping to check router-to-server reachability.
    d. watch the LAN packet counters to verify that RADIUS requests and answers are flowing.
    e. use an analyzer like Ethereal to watch RADIUS success/failure messages.
    f. for XP SP2, turn on Wzctrace.log by typing the command "netsh ras set tracing * enabled".

    2. If RADIUS is flowing but access requests are rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. This setting depends on the EAP type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other certificate" in your wireless network adapter's properties / authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" on the adapter. If your RADIUS server requires EAP-TTLS, then you will need a third-party wireless client like AEGIS or Odyssey.
    Make sure the specific EAP properties match for your adapter and the server, including the server's root CA certificate trust, the server domain name (optional but must match when specified) and the client (EAP-MSCHAPv2, EAP-GTC) authentication method. When using PEAP, use the "Configure" panel for MSCHAPv2 to prevent Windows from automatically re-using your logon credentials.
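The debugging list above (same RADIUS secret on both ends, requests flowing, accept/reject visible in a sniffer) comes down to two checks that RADIUS performs with the shared secret, and knowing them explains why a secret mismatch looks like a timeout rather than a reject. The following is an added example, not code from this thread or from any vendor: it builds an Access-Request carrying an EAP-Message plus the Message-Authenticator that RFC 3579 requires with it, builds the Access-Accept with its RFC 2865 Response Authenticator, then verifies both with the right secret and with a wrong one. The secret, the identity and all packet values are constructed here; nothing is sent on the network.

```python
"""Added example (not from the forum thread): RADIUS shared-secret checks.

An Access-Request that carries EAP-Message must also carry a
Message-Authenticator (HMAC-MD5 over the packet, keyed with the shared secret,
RFC 3579), and every server response carries a Response Authenticator
(MD5 over the response header, the request authenticator, the attributes and
the secret, RFC 2865). A mismatched secret breaks both: the server silently
drops the request, and the NAS discards the reply. All values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute, validating lengths."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, pos + 2, packet[pos + 2:pos + alen]
        pos += alen


def expected_message_authenticator(packet, secret):
    """Return (offset, HMAC-MD5 of the packet with the Message-Authenticator zeroed)."""
    for atype, off, _ in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            return off, hmac.new(secret, zeroed, hashlib.md5).digest()
    return None, None


def build_access_request(ident, secret, username, eap_payload, authenticator=None):
    """NAS side: Access-Request with User-Name, EAP-Message and Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, random per RFC 2865
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_EAP_MESSAGE, eap_payload)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    off, mac = expected_message_authenticator(packet, secret)
    return packet[:off] + mac + packet[off + 16:]


def verify_access_request(packet, secret):
    """Server side. False means "silently discard" (RFC 3579), which is what a
    secret mismatch looks like from the NAS: a timeout, not an Access-Reject."""
    off, expected = expected_message_authenticator(packet, secret)
    if off is None:
        return False   # an EAP request without Message-Authenticator is not acceptable
    return hmac.compare_digest(packet[off:off + 16], expected)


def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS side: a response whose authenticator fails is discarded, so a wrong
    secret on either end never yields a usable Access-Accept."""
    if response[1] != request[1]:
        return False   # identifier must match the outstanding request
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity: Code 2, Identifier, Length, Type 1, identity bytes."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def demo(secret=b"lab-shared-secret", wrong=b"lab-shared-secrat"):
    """Run both checks with the right and a wrong secret; returns four booleans."""
    identity = b"alice@lab.example"
    req = build_access_request(7, secret, "alice@lab.example", eap_identity_response(1, identity),
                               authenticator=bytes(range(16)))   # fixed value for reproducibility
    request_ok = verify_access_request(req, secret)    # True
    request_bad = verify_access_request(req, wrong)    # False: server drops it, NAS sees a timeout
    eap_success = _attr(ATTR_EAP_MESSAGE, struct.pack("!BBH", 3, 1, 4))   # EAP-Success, id 1
    accept = build_response(ACCESS_ACCEPT, req, secret, eap_success)
    response_ok = verify_response(accept, req, secret)   # True
    response_bad = verify_response(accept, req, wrong)   # False: NAS drops the Accept
    return request_ok, request_bad, response_ok, response_bad


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

Note what the two failure modes look like on the wire: with a wrong secret the server never answers (tip a. in the list), and if only the server's copy is wrong the NAS receives an Access-Accept it cannot validate and treats the attempt as failed, which in a sniffer looks like a successful exchange (tip e.) followed by the client being dropped.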

  • Does WiFi with EAP-TLS work on the Xoom?

    Has anyone had success using WiFi that requires user certificates? I'm trying to get my Xoom to connect to the corporate network (EAP-TLS); I followed the instructions for the iPad and imported my certificates into Android correctly. But when I connect, it hangs in the connecting state for minutes before finally giving up.

    Thank you

    Yale


  • Does EAP-TLS use WEP?

    Why do you need to configure WEP as the data encryption when you use EAP-TLS?

    "Ensure that the data encryption is set to WEP."

    Can't you use WPA2?

    Gr.

    Remco

    Remco,

    1. What should I do to configure EAP-TLS?

    In order to configure EAP-TLS, the only configuration on the WLC is selecting 802.1X on the Layer 2 security screen.

    2. Users must have a user certificate and computers need a computer certificate. The IAS server needs a server certificate.

    Your RADIUS server must have a certificate and this must be added to the list of trusted certificates on each client. There is no configuration required on the controller side for this.

    3. I want to use WPA/WPA2 Enterprise with AES encryption. In all the documents you can see that the client is configured with WEP.

    By default, if you choose 802.1X as Layer 2 security, WEP is used as the encryption. You must understand that these are two different things. One is the encryption (TKIP/AES) and the other is the 802.1X authentication. So if you want to use WPA2 with EAP-TLS, you must select WPA1+WPA2 as Layer 2 security, then on the same screen under "Auth Key Mgmt" select 802.1X.

    Let me know if that answers your question.

    --

    Pushkar

  • ISE: advise users that only EAP-TLS can be used

    A large school board accepts only EAP-TLS connections. This requirement is easily communicated to teachers, but not to students, whose personal devices keep trying to connect using PEAP. Once users connect with EAP-TLS, they are authenticated against AD.

    1. Can we block PEAP at the switch but let EAP-TLS through? I could not find a command for it.

    2. If we cannot stop the PEAP requests from reaching ISE, could we treat PEAP connections like CWA, with a special authorization rule that would say: if the inner tunnel is PEAP then do CWA-nonEAP-TLS web authentication, which would be a custom web page with a message instructing students how to use EAP-TLS? Would this make sense?

    3. Do you have a better suggestion on how to block PEAP before it reaches ISE, or a way using ISE to tell users that they should use EAP-TLS, not PEAP, if they want to connect?

    Thank you.

    Cath.

    Usually at the start of the EAP negotiation, there is an agreement between the supplicant and the RADIUS server on which EAP types are negotiated. If you only offer EAP-TLS to the client and the supplicant is misconfigured and uses PEAP, it should drop.

    You can consider a strict exclusion policy so that if a client fails to authenticate after 3 attempts you exclude them for a few minutes.

    You can create a landing page (URL redirection) such that when the authentication type is MSCHAPv2 and the authentication status is set to "failed", a self-help HTML page is presented to the end user explaining how to use EAP-TLS; keep in mind that the port and IP must be permitted in the redirect ACL.

    What do you see in the failed attempts?

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • ISE and EAP-TLS

    Hello

    We plan on implementing EAP-TLS for our company iPads. In the past I successfully tested this authentication with ACS 5.3, but now that we have moved to ISE (1.1.1.24) I get an error:

    22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request

    I tried two different profiles, one with certificates and AD credentials and the other with just the certificates, but the error message is the same for both.

    EAP-TLS is enabled in the "Default Network Access" authentication result.

    Can anyone shed some light on where I'm going wrong?

    Thank you

    Martin

    Yes, that's right: the certificate that is presented to ISE does not include the identity of the client, and that is the reason why the attempt fails.

    Thank you

    Tarik Admani
    * Please rate helpful posts *

  • EAP-TLS with WLC 4404 (which Layer 2 option to choose)

    Hi all

    I want to set up a WLAN that uses EAP-TLS.

    WiFi PC <-----> LWAP <------> WLC <----> RADIUS server

    On the Layer 2 security tab on the WLC, which option should I use for the following:

    Layer 2 security (I'm assuming WPA+WPA2, since that's what the laptops will use)

    Auth Key Mgmt?

    I'm a little confused by the 802.1X in two of these fields, one under Layer 2 security and one under Auth Key Mgmt.

    Thx a lot indeed guys.

    Ken

    You would choose Layer 2 security: WPA+WPA2

    Then in the WPA+WPA2 settings choose WPA2 policy with WPA2 encryption. Under Auth Key Mgmt select 802.1X.

    Now if you need the WPA policy as well, then also choose TKIP for it.

    Then choose your RADIUS servers on the AAA servers tab.

    That's all.
