Cisco ACS with External DB - EAP-TLS

Answered Question
Aug 27th, 2008

Hi Guys,

I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following:

Let's say both user and computer certs are employed:

1. Both client and ACS perform a check with each other's certs to ensure they are known to each other. The EAP-TLS exchange.

2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?

2b. What is the parameter that is checked against the AD database?

I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517

Client Certificates

Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:

CN (or Name) Comparison - Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.

SAN Comparison - Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.

Binary Comparison - Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".

3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" on the AD DB?

Please can someone help me with these points.

I am so lost in this stuff :)) I think.

Many thx and many kind regards,

Ken

Premdeep Banga Wed, 08/27/2008 - 03:20

you are right, either CN, SAN or Binary comparison is done with the certificate/user information stored on the AD database.

1 & 2 are only name comparisons

In 3, the certificate stored in binary format is checked against the certificate available with the AD for the user/machine.

HTH

Regards,

Prem

Please rate if it helps!

kfarrington Wed, 08/27/2008 - 03:45

Hi Prem, many many thx for your response. This is all a minefield :))

So, when the EAP-TLS stuff is going on, and if we could look at the Cisco diagram on the following URL

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39068

Let's say that only CN or SAN is being checked against AD.

The certificates are exchanged between the client and the server. This itself performs a public/private key exchange and verification (SEPARATE from an Active Directory check, correct)??

Then, is it after the certificates are exchanged that the ACS consults the AD, and then based on this result it carries on with the EAP-TLS exchange by sending a RADIUS/EAP success message back to the client?

or

is the EAP/RADIUS success based on the authentication alone of each other's certs, so once the certs are verified correct, the EAP/RADIUS success message is sent, and THEN the ACS consults AD?

Does this make sense? And if anyone can help further, that would be fantastic.

Kind regards,

Ken

Premdeep Banga Wed, 08/27/2008 - 04:40

Please also refer to,

http://www.ietf.org/rfc/rfc5216.txt

the EAP-TLS conversation will typically begin with the authenticator and the peer negotiating EAP. The authenticator will then typically send an EAP-Request/Identity packet to the peer, and the peer will respond with an EAP-Response/Identity packet to the authenticator, containing the peer's user-Id.

From this point forward, while nominally the EAP conversation occurs between the EAP authenticator and the peer, the authenticator MAY act as a pass-through device, with the EAP packets received from the peer being encapsulated for transmission to a backend authentication server. In the discussion that follows, we will use the term "EAP server" to denote the ultimate endpoint conversing with the peer.

EAP/RADIUS success is based on both the existence of the user ID and the TLS exchange (certificate validation). But first the user ID is sent, then the TLS exchange takes place.

Regards,

Prem

Please rate if it helps!

kfarrington Wed, 08/27/2008 - 04:59

Prem, we are getting there. Again another 5, as the information you have posted is extremely helpful.

I still have one last question.

So, I have the following:

wireless client ----------> ACS ---------> AD

And I am so sorry if I have misinterpreted anything here :)

The Certificate exchange is between the client and the ACS yes? not the client and AD.

But when the EAP-TLS identity packet is sent to the ACS with the user ID, this is sent to the AD for verification.

The rest of the EAP-TLS exchange is just between the client and ACS, right, i.e. the cert exchange?

Please can you confirm this?

Also, please can you confirm that 1. The EAP-TLS exchange still happens EVEN if the identity packet that goes to AD is not validated, i.e. not on the AD server, but the cert exchange will happen regardless, or does the EAP-TLS session terminate if the user ID is not seen in AD and thus no certs get exchanged?

2. It is impossible to do a full EAP-TLS exchange between a client and a "backend authentication server", i.e. the RADIUS server passes all traffic it sees from a client to AD for user ID, cert exchange etc. etc.?

I think if I can get these few points clarified, I am there and I owe you a HUGE HUGE BEER ::)))

Once again,

Many thx indeed,

Ken

kfarrington Wed, 08/27/2008 - 23:25

Hi Prem,

I really appreciate that. It's hard for us to know exactly how this works, and you are being a great help.

Many thx indeed,

Ken

kfarrington Thu, 08/28/2008 - 01:27

Hi Prem,

I have tried to get this in my mind and have done the following. Please could you comment on this?

Many thx indeed mate,

Ken

1. Laptop starts with EAPOL start

2. WLC (not AP as we have a wireless switch) sends an EAP Request Identity

3. Laptop sends either the user or device name in this response packet to the WLC, which passes this to the RADIUS server.

NOTE: At this stage, it is not clear if the RADIUS server forwards this request on to AD for verification and waits for a response back from AD before starting the EAP-TLS process. As the EAP-TLS options in Cisco documentation show that the verification from RADIUS to AD can use either of the following three components, SAN (Subject Alternative Name), CN (Common Name) or Binary (compare of actual cert with local AD cert store), it would be safe to assume that this does not get passed on to AD at this point. (please confirm)

So it is not the actual EAP Response/Identity packet that gets forwarded to the RADIUS server (please confirm)

4. At this point, EAP-TLS is started and certificates are exchanged.

5. The certificate's public/private key, CA chain and other cert stuff are checked and verified.

6. Now the RADIUS server has the client's certificate, and it passes either the SAN (Subject Alternative Name), CN (Common Name) or Binary (the actual cert) to AD for comparison.

7. Based on steps 5 and 6, now the EAP/RADIUS success or failure happens.

Premdeep Banga Thu, 08/28/2008 - 06:55

Sorry it took so long. It's TLS that is completed first, then the user IDs are actually verified against the backend database.

In case the user ID does not exist on the AD, TLS will still be completed, and then existence will be checked. I wanted to collect some logs for you =)

Please find them attached.

Pass-logs.txt - ACS log for successful auth

debug-pass.txt - debug from AP for Pass

Fail-logs.txt - ACS log for failed auth

debug-fail.txt - debug from AP for fail

Regards,

Prem

Please rate if it helps!

kfarrington Thu, 08/28/2008 - 07:06

Wow!!!!!!! You have been brilliant.

When you say "In case the user ID does not exist on the AD, TLS will still be completed, and then existence will be checked"

Do you mean an EAP-TLS success message is sent back to the client before AD is checked? Or is the EAP-TLS success message sent after the AD existence check?

Really, if I could rate these posts out of 100 you would get 110!!!!

Please if you can confirm the final point and I will mark this as resolved.

I hope that other people read this and look at what you have done here :)

Many thx indeed Prem,

Ken

kfarrington Thu, 08/28/2008 - 07:14

Hi Prem,

I think I see in your logs that EAP-TLS success happens before the AD existence check, but I am not an expert on ACS so am not sure.

If EAP-TLS does send success before the AD check, the laptop will succeed at TLS and not AD,

SO

The laptop would not be able to gain access to network resources correct?

Thx, soo much,

Ken

Correct Answer
Premdeep Banga Thu, 08/28/2008 - 07:20

only the TLS *handshake* is completed/successful, but because user authentication fails,

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully

EAP: EAP-TLS: Handshake succeeded

EAP: EAP-TLS: Authenticated handshake

EAP: EAP-TLS: Using CN from certificate as identity for authentication

EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'

pvAuthenticateUser: authenticate 'jatin' against CSDB

pvCopySession: setting session group ID to 0.

pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.

pvAuthenticateUser: authenticate 'jatin' against Windows Database

External DB [NTAuthenDLL.dll]: Creating Domain cache

External DB [NTAuthenDLL.dll]: Loading Domain Cache

External DB [NTAuthenDLL.dll]: No UPN Suffixes Found

External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]

External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]

External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]

External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]

External DB [NTAuthenDLL.dll]: Domain cache loaded

External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]

External DB [NTAuthenDLL.dll]: User jatin was not found

pvCheckUnknownUserPolicy: setting session group ID to 0.

Unknown User 'jatin' was not authenticated

So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).

And any port/point won't be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.

HTH

Regards,

Prem

kfarrington Thu, 08/28/2008 - 07:37

Many thx mate, I see it

AUTH 08/28/2008 17:45:09 I 2856 3712 0x588 pvCheckUnknownUserPolicy: setting session group ID to 0.

AUTH 08/28/2008 17:45:09 I 3017 3712 0x588 Unknown User 'jatin' was not authenticated

AUTH 08/28/2008 17:45:09 I 4270 3712 0x588 Final group map: 0.

AUTH 08/28/2008 17:45:09 I 1806 3712 0x588 eapAuthenticate:AuthenAuthenticateEapUser returns UDB_USER_NOT_FOUND

AUTH 08/28/2008 17:45:09 I 0526 3712 0x588 EAP: EAP-TLS: <-- EAP Failure

AUTH 08/28/2008 17:45:09 I 0366 3712 0x588 EAP: EAP state: action = send_done

AUTH 08/28/2008 17:45:09 I 1151 3712 0x588 [AuthenProcessResponse]:[eapAuthenticate] returned -2125

AUTH 08/28/2008 17:45:09 I 1198 3712 0x588 EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=18, seq_id=6)

AUTH 08/28/2008 17:45:09 I 5501 3712 0x588 Done UDB_SEND_RESPONSE, client 50, status UDB_USER_NOT_FOUND

AUTH 08/28/2008 17:45:09 I 5862 6516 0x586 Worker 2 processing message 39.

AUTH 08/28/2008 17:45:09 I 2802 6516 0x586 Start UDB_LOG, client 2 (127.0.0.1)

AUTH 08/28/2008 17:45:09 I 5501 6516 0x586 Done UDB_LOG, client 2, status UDB_OK

Brill, Many thx and if ever you are in Canary Wharf, I owe ya a beer :)

Cheers fella,

Ken
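The two posts above show the order the ACS works through an EAP-TLS attempt: the TLS handshake (including the client's CertificateVerify) completes, the CN is lifted from the certificate as the username, the external database is consulted, and only then is EAP-Success or EAP-Failure sent. The triage helper below is an added example for this thread, not ACS code and not from either poster. It reads an ACS auth.log excerpt, with or without the "AUTH date time I line thread id" prefix, and reports at which stage the attempt stopped. It recognises only the message shapes quoted in this thread; the sample log is constructed from those quoted lines, and an excerpt lacking them comes back as inconclusive rather than guessed.

```python
"""Triage of a Cisco ACS 4.x auth.log excerpt for one EAP-TLS attempt.

Added example; not ACS code. Only the message shapes quoted in this thread are
recognised: CryptoLib TLS state lines, the EAP-TLS identity/authenticate lines,
the NTAuthenDLL external-DB lines and the final '<-- EAP Failure' line.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Constructed sample: the lines quoted in this thread for the 'jatin' failure,
# the tail in the prefixed form the ACS auth.log uses.
SAMPLE_FAIL_LOG = """\
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
Unknown User 'jatin' was not authenticated
AUTH 08/28/2008 17:45:09 I 1806 3712 0x588 eapAuthenticate:AuthenAuthenticateEapUser returns UDB_USER_NOT_FOUND
AUTH 08/28/2008 17:45:09 I 0526 3712 0x588 EAP: EAP-TLS: <-- EAP Failure
AUTH 08/28/2008 17:45:09 I 5501 3712 0x588 Done UDB_SEND_RESPONSE, client 50, status UDB_USER_NOT_FOUND
"""

# Optional ACS prefix, e.g. "AUTH 08/28/2008 17:45:09 I 0526 3712 0x588 "
_PREFIX = re.compile(r"^AUTH\s+\S+\s+\S+\s+\S+\s+\d+\s+\d+\s+0x[0-9A-Fa-f]+\s+")
_USERNAME = re.compile(r"username = '([^']*)'")
_TRUST = re.compile(r"Failed to get Domain Controller for trust ([^,\s]+), \[Error = (\d+)\]")
_IDENTITY_SRC = re.compile(r"Using (CN|SAN) from certificate as identity")


@dataclass
class Verdict:
    handshake_ok: bool = False
    identity_source: Optional[str] = None     # "CN" or "SAN" when taken from the cert
    username: Optional[str] = None
    external_db_checked: bool = False
    unreachable_trusts: List[Tuple[str, int]] = field(default_factory=list)
    db_result: Optional[str] = None           # "USER_NOT_FOUND" when the DB said so
    eap_result: Optional[str] = None          # "EAP-Failure" when the final line is seen

    def stage(self) -> str:
        """Where the attempt stopped, in the order the server works through it."""
        if not self.handshake_ok:
            return "tls_handshake"            # never got past certificate validation
        if self.db_result == "USER_NOT_FOUND":
            return "external_db_lookup"       # handshake fine, identity unknown to the DB
        if self.eap_result == "EAP-Failure":
            return "post_handshake_unknown"   # rejected, but the reason line is missing
        return "no_failure_seen"

    def summary(self) -> str:
        who = self.username or "<unknown>"
        stage = self.stage()
        if stage == "external_db_lookup":
            src = f" ({self.identity_source} taken from the certificate)" if self.identity_source else ""
            return (f"TLS handshake completed, then '{who}'{src} was not found in the external "
                    f"database: EAP-Failure / Access-Reject, the port stays blocked")
        if stage == "tls_handshake":
            return "TLS handshake did not complete; fix certificate/trust first, the DB is not consulted yet"
        return f"stage={stage} user={who}"


def triage(lines: Iterable[str]) -> Verdict:
    """Walk the excerpt once and fill in a Verdict from the lines it recognises."""
    v = Verdict()
    for raw in lines:
        line = _PREFIX.sub("", raw.strip())
        if not line:
            continue
        if "EAP-TLS: Handshake succeeded" in line:
            v.handshake_ok = True
        m = _IDENTITY_SRC.search(line)
        if m:
            v.identity_source = m.group(1)
        m = _USERNAME.search(line)
        if m:
            v.username = m.group(1)
        if "against Windows Database" in line:
            v.external_db_checked = True
        m = _TRUST.search(line)
        if m:  # Win32 error 1355 is ERROR_NO_SUCH_DOMAIN: that trusted domain was not reachable
            v.unreachable_trusts.append((m.group(1), int(m.group(2))))
        if "Could not find user" in line or "UDB_USER_NOT_FOUND" in line:
            v.db_result = "USER_NOT_FOUND"
        if "<-- EAP Failure" in line:
            v.eap_result = "EAP-Failure"
    return v


if __name__ == "__main__":
    print(triage(SAMPLE_FAIL_LOG.splitlines()).summary())
```

Run against the thread's failure the verdict lands at the external-DB stage: the handshake succeeded and the reject came from the user lookup, so the certificate and trust chain are not the problem. The unreachable trusts (error 1355) are worth noting separately: the lookup still continued after the domain cache loaded, and the user was simply absent.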

kfarrington Thu, 08/28/2008 - 07:48

Just out of interest, the pass was on an internal ACS DB, correct, and the fail was on an external DB?

Just as one said consulting the external DB and one did not?

Ta fella

Ken

Premdeep Banga Thu, 08/28/2008 - 08:01

When authentication passed, the user ID was on the ext. database (AD). I see where you are looking; the ACS debugs somehow did not provide enough information on when it actually checked against the AD database. But the user ID was on AD.

Another proof that the user was checked against the AD is that the user ID would be cached dynamically on the ACS database, under the "User Setup" section on ACS, and its password authentication would be automatically selected as "Windows Database".

HTH

Regards,

Prem

kfarrington Tue, 03/03/2009 - 08:38

Hey Prem, and all,

Long time no speak.

Saw this thread and thought this was very cool :))

I have one last question here.

On the ACS, there is the concept of setting the username during authentication.

Select one of the following options for setting username during authentication:

Use Outer Identity

Use CN as Identity

Use SAN as Identity

I don't fully understand this part of the EAP-TLS setup, as you are setting the comparison type before these options, i.e. just above on the ACS where you use CN/SAN/Binary?

Can anyone confirm what this bit actually does?

Many thx indeed,

Kind regards,

Ken

ansalaza Tue, 03/03/2009 - 14:24

Some related documentation:

You can specify which user identity ACS uses when sending an authentication request after the EAP-TLS authentication handshake is completed. Use this option to search for a user in the database based on the identity you chose. By default, outer identity is used for EAP-TLS authentication. Select one of the following options:

• Use Outer Identity - The outer identity is taken as the username to search for in the database.

• Use CN as Identity - The Certificate Name is taken as the username to search for in the database.

• Use SAN as Identity - The Subject Alternative Name from the user certificate is taken as the username to search for in the database.

Note: SAN and CN outer identities cannot be used for EAP-TLS machine authentication.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wpmkr468336
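The quoted documentation above, together with Prem's earlier reply that CN and SAN are name comparisons while binary comparison checks the stored certificate, describes two separate settings: which value becomes the username that is searched for after the handshake (outer identity, CN or SAN), and how the match is confirmed (name comparison, or binary comparison against the userCertificate attribute). The model below is an added example for this thread, not ACS code and not from any poster, and it assumes the TLS handshake (chain validation and CertificateVerify) has already succeeded, which is where the logs earlier in the thread show the lookup starting. Certificates and directory entries are constructed stand-ins: the `der` fields hold placeholder bytes rather than real X.509 encodings, and `DIRECTORY` is a list in place of an LDAP query.

```python
"""Model of the post-handshake identity lookup for EAP-TLS.

Added example; not ACS code. Two settings are modelled: the identity source
('outer', 'cn' or 'san') that yields the username to search for, and the
comparison ('name' or 'binary') that confirms the match.
"""
import hmac
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    subject_cn: str             # Subject CN, as validated during the TLS handshake
    san_upn: Optional[str]      # SAN otherName UPN; None if the certificate has none
    der: bytes                  # exact bytes presented in the TLS Certificate message


@dataclass
class AdUser:
    sam_account_name: str
    user_principal_name: str
    user_certificate: List[bytes] = field(default_factory=list)   # LDAP 'userCertificate'


# Constructed directory: 'jatin' enrolled with cert A; nobody named 'bob'.
CERT_A = ClientCert("jatin", "jatin@dwacs.com", b"DER-A-placeholder")
CERT_B = ClientCert("jatin", "jatin@dwacs.com", b"DER-B-placeholder")   # same names, different cert
CERT_BOB = ClientCert("bob", "bob@dwacs.com", b"DER-BOB-placeholder")
DIRECTORY = [AdUser("jatin", "jatin@dwacs.com", [CERT_A.der])]


def identity_for_lookup(cert: ClientCert, outer_identity: str, source: str) -> Optional[str]:
    """'Use Outer Identity' / 'Use CN as Identity' / 'Use SAN as Identity'."""
    if source == "outer":
        return outer_identity        # the EAP-Response/Identity value, chosen by the client
    if source == "cn":
        return cert.subject_cn       # taken from the certificate the client proved it holds
    if source == "san":
        return cert.san_upn
    raise ValueError(f"unknown identity source {source!r}")


def find_user(identity: Optional[str]) -> Optional[AdUser]:
    """Name comparison: match sAMAccountName or userPrincipalName, case-insensitively."""
    if not identity:
        return None
    wanted = identity.lower()
    for user in DIRECTORY:
        if wanted in (user.sam_account_name.lower(), user.user_principal_name.lower()):
            return user
    return None


def authorize(cert: ClientCert, outer_identity: str, source: str, comparison: str) -> Tuple[bool, str]:
    """True means EAP-Success/Access-Accept; False means EAP-Failure/Access-Reject."""
    identity = identity_for_lookup(cert, outer_identity, source)
    user = find_user(identity)
    if user is None:
        return False, f"user {identity!r} not found"     # the thread's 'jatin' failure
    if comparison == "binary":
        # Constant-time equality against every stored copy: a certificate that merely
        # carries the same names but was never enrolled for this account does not match.
        if not any(hmac.compare_digest(cert.der, stored) for stored in user.user_certificate):
            return False, f"certificate presented for {identity!r} is not the enrolled one"
    elif comparison != "name":
        raise ValueError(f"unknown comparison {comparison!r}")
    return True, f"{user.sam_account_name} accepted via {source}/{comparison}"


if __name__ == "__main__":
    cases = [(CERT_A, "jatin", "cn", "name"), (CERT_B, "jatin", "cn", "name"),
             (CERT_B, "jatin", "cn", "binary"), (CERT_A, "jatin", "san", "name"),
             (CERT_BOB, "bob", "cn", "name"), (CERT_A, "anonymous", "outer", "name")]
    for cert, outer, src, cmp in cases:
        print(cert.subject_cn, src, cmp, authorize(cert, outer, src, cmp))
```

The cases make the difference between the two settings concrete. With CN or SAN as the identity, the username comes from the certificate the client has just proved it holds; with the outer identity it comes from the client's EAP-Response/Identity, which the certificate does not vouch for, so a mismatched outer identity simply fails the lookup. With name comparison, CERT_B passes because it carries the same CN as the enrolled account; only binary comparison rejects it, because the bytes are not the copy stored in userCertificate. Per the quoted note, the CN and SAN identity options do not apply to EAP-TLS machine authentication.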

kfarrington Wed, 03/04/2009 - 02:02

Hi There,

I am really sorry here, that I don't understand.

So, the way I understand it to work.

EAP-TLS auth happens. At this point, certs are exchanged, we use SAN or CN to compare from the cert to Active Directory, and then auth is sent back from AD to ACS and ACS sends an EAP success/fail message to the client.

That is dictated in the first config section of the ACS for eap-tls.

Now, the second part I am still lost on: when does EAP-TLS do authentication outside or after EAP-TLS has been achieved?

I am confused?

Many Thx, once again,

Ken
