Novell NDS CA and EAP-TLS

rene.schmid
Level 1

Hi all,

I have configured an ACS Server 4.1 with a certificate from an internal Novell CA. Authentication to the ACS Server works fine and the Group Mappings also work without trouble.

The customer now wants to use EAP-TLS in the WLAN configuration. Authentication with username and password works fine. If I activate "Validate server certificate" in the WLAN configuration settings on Windows XP, then I have no access to the network. I get an error message on the client, and in the ACS log I see an error with the EAP-TLS SSL handshake !?!

Are there any problems with the Novell CA and Novell certificates???

Any ideas???

Thanks for help

Rene

8 Replies

Premdeep Banga
Level 7

Hi,

Please check this,

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/scauth.htm#wp326073

EAP-TLS Limitations

The limitations in the ACS implementation of EAP-TLS are:

- Server and CA certificate file format: If you install the ACS server and CA certificates from files, rather than from certificate storage, server and CA certificate files must be in Base64-encoded X.509 format or DER-encoded binary X.509 format.

- LDAP attribute for binary comparison: If you configure ACS to perform binary comparison of user certificates, the user certificate must be stored in the Active Directory or an LDAP server by using a binary format. Also, the attribute storing the certificate must be named usercertificate.

- Windows server type: If you want to use Active Directory to authenticate users with EAP-TLS when ACS runs on a member server, additional configuration is required.

Apart from that, make sure that you have installed the Novell CA root certificate from

System Configuration > ACS Certificate Setup > ACS Certification Authority Setup,

then check that the root certificate is installed and trusted under

"Edit Certificate Trust List".

Regards,

Prem
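The two conditions Prem lists (the root CA installed on the ACS side and present in the trust list) have a mirror image on the supplicant: when "Validate server certificate" is enabled, the Windows XP client rejects the handshake unless the RADIUS server certificate chains to a root in its own trusted store and carries the Server Authentication extended key usage (OID 1.3.6.1.5.5.7.3.1). The following Go program is an added example, not code from this thread or from Cisco, that reproduces that check with a constructed PKI so the three outcomes can be compared offline. The CA name "Demo Internal Root CA", the server name acs.example.test and the use of Go's x509 verifier as a stand-in for the Windows supplicant are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a throwaway P-256 key for the constructed certificates.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// newRoot builds a self-signed CA certificate; it stands in for the internal
// (Novell) CA of the thread. The CN is an assumption.
func newRoot(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newServerCert issues a RADIUS/ACS server certificate from the given root with
// the requested extended key usages (the EKU is what the supplicant inspects).
func newServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey, eku []x509.ExtKeyUsage) *x509.Certificate {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "acs.example.test"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, &key.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// supplicantCheck approximates the Windows "Validate server certificate" step:
// the server certificate must chain to a root the client trusts and must be
// valid for Server Authentication. A nil error means the handshake continues.
func supplicantCheck(server *x509.Certificate, trustedRoots ...*x509.Certificate) error {
	pool := x509.NewCertPool() // empty pool, not the system store
	for _, r := range trustedRoots {
		pool.AddCert(r)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Scenarios returns, per case, whether the supplicant would accept the server.
func Scenarios() map[string]bool {
	root, rootKey := newRoot("Demo Internal Root CA")
	other, _ := newRoot("Some Other Root CA")
	good := newServerCert(root, rootKey, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	clientOnly := newServerCert(root, rootKey, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	return map[string]bool{
		"root trusted, serverAuth EKU":      supplicantCheck(good, root) == nil,
		"root not in client trust list":     supplicantCheck(good, other) == nil,
		"root trusted, clientAuth-only EKU": supplicantCheck(clientOnly, root) == nil,
	}
}

func main() {
	for name, ok := range Scenarios() {
		fmt.Printf("%-36s accepted=%v\n", name, ok)
	}
}
```

Only the first scenario is accepted. The second is the case of a root that was never imported into the client's trusted store, the third the case of a certificate that the CA issued without the Server Authentication EKU; both surface on the client as a failed validation and on the server as an aborted TLS handshake, which is why inspecting the actual server certificate's EKU and the client's trust list is the first thing to do with the symptom described in the original post.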

hi,

thanks for the answer...

I have no Active Directory, only a Novell NDS and a Novell CA. I have tested this without a user certificate on the client. We only want to see if the verification of the server certificate works... in this case I got the error message with the EAP-TLS SSL handshake failure...

The file formats for the server are OK.

Any other ideas??

Thanks for help

rene

Hi,

If you got this setup working without a client cert, then that means that your PEAP (EAP-GTC) was working at that time.

Now, to look into greater detail, you can check the authentication logs on the ACS server.

Increase the logging level of ACS from

System Configuration > Service Control > Level of Detail > Full > Restart.

Then do one test authentication with the client cert (EAP-TLS).

Then go to

\CSAuth\Logs

and open Auth.log.

Take the time stamp from the Failed Attempts and see the exact error message for why it was rejected.

The most probable cause for this, I suspect, is something wrong with the client cert or something in that direction.

Regards,

Prem

hi,

ok, thanks for the information. I have to call the customer to do some testing...

I will try this at 3:30 pm Central European Time.

I will post some new information later.

Thanks for your messages.

rene

hi,

I have tested the WLAN access :( no success.

Attached is a sample of the log entry.

rene

hi,

It works ;)

Attached is a sample from the log file.

rene

Hi Rene,

Glad it worked!

Keep playin.

Regards,

Prem

Hi,

Do mark this thread as resolved, so that others can benefit.

Thanks,

Prem
