Novell NDS CA and EAP-TLS

Answered Question
Jun 1st, 2007

Hi all,

I have configured an ACS Server 4.1 with a certificate from an internal Novell CA. Authentication to the ACS Server works fine and the Group Mappings also work without trouble.

The customer now wants to use EAP-TLS in the WLAN configuration. Authentication with username and password works fine. If I activate "validate server certificate" in the WLAN configuration settings on Windows XP, then I have no access to the network. I get an error message on the client, and in the ACS log I see an error with the EAP-TLS SSL handshake !?!

Are there any problems with the Novell CA and Novell certificates???

Any ideas???

Thanks for help

Rene

Premdeep Banga Fri, 06/01/2007 - 16:27

Hi,

Please check this,

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/scauth.htm#wp326073

EAP-TLS Limitations

The limitations in the ACS implementation of EAP-TLS are:

• Server and CA certificate file format: If you install the ACS server and CA certificates from files, rather than from certificate storage, server and CA certificate files must be in Base64-encoded X.509 format or DER-encoded binary X.509 format.

• LDAP attribute for binary comparison: If you configure ACS to perform binary comparison of user certificates, the user certificate must be stored in the Active Directory or an LDAP server by using a binary format. Also, the attribute storing the certificate must be named usercertificate.

• Windows server type: If you want to use Active Directory to authenticate users with EAP-TLS when ACS runs on a member server, additional configuration is required.

Apart from that, make sure that you have installed the Novell CA Root certificate from

System Configuration > ACS Certificate Setup > ACS Certification Authority Setup,

then check that the installed Root Certificate is selected under

"Edit Certificate Trust List".

Regards,

Prem
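
The trust-list step above is the one the Windows client performs in reverse: it accepts the ACS server certificate only if the root that issued it is trusted. As an added example (not from this thread or from Cisco), the following script builds a constructed internal root CA standing in for the Novell CA, issues a server certificate to a constructed host `acs.example.test`, and shows the check passing with the right root and failing with an unrelated one; it also distinguishes the Base64 (PEM) and DER file formats that ACS accepts.

```shell
#!/bin/sh
# Added example (not from the thread): EAP-TLS server-certificate
# validation reproduced with openssl. A constructed root CA issues the
# ACS server certificate; the client-side check succeeds only when that
# exact root is in the trust list. All names and files are constructed.
set -e
W=$(mktemp -d)
# Minimal req config so results do not depend on the system openssl.cnf;
# ca_ext marks the self-signed root as a real CA certificate.
cat > "$W/req.cnf" <<'EOF'
[req]
distinguished_name=dn
x509_extensions=ca_ext
prompt=no
[dn]
[ca_ext]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
new_root() {  # new_root NAME -> writes $W/NAME.key and $W/NAME.pem
  openssl req -x509 -config "$W/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$W/$1.key" -out "$W/$1.pem" 2>/dev/null
}
new_root "Constructed-Root-CA"   # stands in for the internal Novell CA
new_root "Unrelated-Root-CA"     # trusted by the client, but not the issuer
# Server certificate for the ACS host, with the serverAuth EKU a client
# expects when it validates the RADIUS server.
openssl req -new -config "$W/req.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=acs.example.test" -keyout "$W/acs.key" -out "$W/acs.csr" 2>/dev/null
printf 'extendedKeyUsage=serverAuth\n' > "$W/srv.ext"
openssl x509 -req -in "$W/acs.csr" -CA "$W/Constructed-Root-CA.pem" \
  -CAkey "$W/Constructed-Root-CA.key" -CAcreateserial -days 30 \
  -extfile "$W/srv.ext" -out "$W/acs.pem" 2>/dev/null
# validate_server_cert TRUSTED_ROOT_FILE SERVER_CERT_FILE -> ok | untrusted
validate_server_cert() {
  if openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
  then echo ok; else echo untrusted; fi
}
# cert_format FILE -> PEM (Base64 X.509) or DER (binary X.509), the two
# file formats ACS accepts for server and CA certificate files.
cert_format() {
  case "$(head -c 5 "$1")" in -----) echo PEM ;; *) echo DER ;; esac
}
openssl x509 -in "$W/acs.pem" -outform DER -out "$W/acs.der"
echo "issuing root in trust list: $(validate_server_cert "$W/Constructed-Root-CA.pem" "$W/acs.pem")"
echo "unrelated root in trust list: $(validate_server_cert "$W/Unrelated-Root-CA.pem" "$W/acs.pem")"
echo "formats: $(cert_format "$W/acs.pem") $(cert_format "$W/acs.der")"
```

The second line of output is the client-side equivalent of the handshake failure in the thread: the chain is well-formed, but the root that signed it is not among the trusted ones.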

rene.schmid Sun, 06/03/2007 - 23:25

Hi,

thanks for the answer...

I have no Active Directory, only a Novell NDS and a Novell CA. I have tested this without a user certificate on the client. We only want to see if the verification of the server certificate works... in this case I got the error message with the EAP-TLS SSL handshake failure...

The file formats for the server are OK.

Any other ideas??

Thanks for help

rene

Premdeep Banga Mon, 06/04/2007 - 04:45

Hi,

If you got this setup working without a client cert, then that means that your PEAP (EAP-GTC) was working at that time.

Now to look into greater detail, you can check the authentication logs on ACS server.

Increase the logging level of ACS from,

System Configuration > Service Control > Level of Detail > Full > Restart.

Then do one test authentication with client cert (EAP-TLS)

Then go to,

\CSAuth\Logs

open Auth.log,

Take the time stamp from the failed attempts and see the exact error message why it was rejected.

The most probable cause for this, I suspect, is something wrong with the client cert or something in that direction.

Regards,

Prem

rene.schmid Mon, 06/04/2007 - 04:49

Hi,

OK, thanks for the information, I have to call the customer to do some testing...

I will try this at 3:30 pm Central European Time.

I will write some new information later.

thanks for your messages.

rene

Correct Answer
Premdeep Banga Mon, 06/04/2007 - 13:44

Hi,

Do mark this thread as resolved, so that others can benefit.

Thanks,

Prem
