Cisco ACS with External DB - EAP-TLS

kfarrington
Level 3

Hi Guys,

I understand how the EAP-TLS exchange works (I think), but if I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.

Let's say both user and computer certs are employed:

1. Both the client and the ACS perform a check with each other's certs to ensure they are known to each other. The EAP-TLS exchange.

2a. At some stage, and I am assuming before the EAP-TLS success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?

2b. What is the parameter that is checked against the AD database?

I read here that it can be: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517

Client Certificates

Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:

CN (or Name) Comparison - Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.

SAN Comparison - Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.

Binary Comparison - Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".

3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the cert by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full comparison of the certificate between what the client has and a "client stored cert" on the AD DB?

Please can someone help me with these points.

I am so lost in this stuff :)) I think.

Many thx and many kind regards,

Ken


Premdeep Banga
Level 7

You are right, either CN, SAN or binary comparison is done with the certificate/user information stored on the AD database.

1 & 2 are only name comparisons

In 3, the certificate stored in binary format is checked against the certificate available with the AD for the user/machine.

HTH

Regards,

Prem

Please rate if it helps!

Hi Prem, many many thx for your response. This is all a minefield :))

So, when the EAP-TLS stuff is going on, and if we could look at the Cisco diagram on the following URL

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39068

Let's say that only CN or SAN is being checked against AD.

The certificates are exchanged between the client and the server. This itself performs a public/private key exchange and verification (SEPARATE from the Active Directory check, correct)??

Then, is it after the certificates are exchanged that the ACS consults the AD and, based on this result, carries on with the EAP-TLS exchange by sending a RADIUS/EAP success message back to the client?

or

is the EAP/RADIUS success based on the authentication alone of each other's certs, so once the certs are verified correct, the EAP/RADIUS success message is sent, and THEN the ACS consults AD?

Does this make sense? And if anyone can help further that would be fantastic.

Kind regards,

Ken

Please also refer to,

http://www.ietf.org/rfc/rfc5216.txt

"the EAP-TLS conversation will typically begin with the authenticator and the peer negotiating EAP. The authenticator will then typically send an EAP-Request/Identity packet to the peer, and the peer will respond with an EAP-Response/Identity packet to the authenticator, containing the peer's user-Id.

From this point forward, while nominally the EAP conversation occurs between the EAP authenticator and the peer, the authenticator MAY act as a pass-through device, with the EAP packets received from the peer being encapsulated for transmission to a backend authentication server. In the discussion that follows, we will use the term "EAP server" to denote the ultimate endpoint conversing with the peer."

EAP/RADIUS success is based on both the existence of the userid and the TLS exchange (certificate validation). But first the userid is sent, then the TLS exchange takes place.

Regards,

Prem

Please rate if it helps!

Prem, we are getting there. Again another 5 as the information you have posted is extremely helpful.

I still have one last question.

So, I have the following:

wireless client ----------> ACS ---------> AD

And I am so sorry if I have misinterpreted anything here :)

The certificate exchange is between the client and the ACS, yes? Not the client and AD.

But when the EAP-TLS identity packet is sent to the ACS with the user ID, this is sent to the AD for verification.

The rest of the EAP-TLS exchange is just between the client and ACS, right, i.e. the cert exchange?

Please can you confirm this?

Also, please can you confirm that 1. The EAP-TLS exchange still happens EVEN if the identity packet that goes to AD is not validated, i.e., not on the AD server, but the cert exchange will happen regardless, or does the EAP-TLS session terminate if the user ID is not seen in AD and thus no certs get exchanged?

2. It is impossible to do a full EAP-TLS exchange between the client and a "backend authentication server", i.e., the RADIUS server passes all traffic it sees from a client to AD for user ID, cert exchange etc. etc.?

I think if I can get these few points clarified, I am there and I owe you a HUGE HUGE BEER ::)))

Once again,

Many thx indeed,

Ken

Been busy, will reply, please stand by =)

Hi Prem,

I really appreciate that. It's hard for us to know exactly how this works, and you are being a great help.

Many thx indeed,

Ken

Hi Prem,

I have tried to get this in my mind and have done the following. Please could you comment on this?

Many thx indeed mate,

Ken

1. Laptop starts with EAPOL start

2. WLC (not AP as we have a wireless switch) sends an EAP Request Identity

3. Laptop sends either the user or device name in this response packet to the WLC, which passes this to the RADIUS server.

NOTE: At this stage, it is not clear if the RADIUS server forwards this request on to AD for verification and waits for a response back from AD before starting the EAP-TLS process. As the EAP-TLS options in the Cisco documentation show that the verification from RADIUS to AD can use either of the following three components, SAN (Subject Alternative Name), CN (Common Name) or Binary (comparison of the actual cert with the local AD cert store), it would be safe to assume that this does not get passed on to AD at this point. (please confirm)

So it is not the actual EAP Response/Identity packet that gets forwarded to the RADIUS server (please confirm)

4. At this point, EAP-TLS is started and certificates are exchanged.

5. The certificates' public and private keys, CA chain and other cert stuff are checked and verified.

6. Now the RADIUS server has the client's certificate, and it passes either the SAN (Subject Alternative Name), the CN (Common Name) or the Binary (the actual cert) to AD for comparison.

7. Based on steps 5 and 6, the EAP/RADIUS success or failure now happens.

Sorry it took so long. It's TLS that is completed first, then the userids are actually verified against the backend database.

In case the user id does not exist on the AD, still TLS will be completed, and then existence will be checked. I wanted to collect some logs for you =)

Please find them attached.

Pass-logs.txt - ACS log for successful auth

debug-pass.txt - debug from AP for Pass

Fail-logs.txt - ACS log for failed auth

debug-fail.txt - debug from AP for fail

Regards,

Prem

Please rate if it helps!

Attaching the debug-fail.txt

Wow!!!!!!! You have been brilliant.

When you say "In case the user id does not exist on the AD, still TLS will be completed, and then existence will be checked"

Do you mean an EAP-TLS success message is sent back to the client before AD is checked? Or is the EAP-TLS success message sent after the AD existence check?

Really, if I could rate these posts out of 100 you would get 110!!!!

Please if you can confirm the final point and I will mark this as resolved.

I hope that other people read this and look at what you have done here :)

Many thx indeed Prem,

Ken

Hi Prem,

I think I see in your logs that EAP-TLS success happens before the AD existence check, but I am not an expert on ACS so am not sure.

If EAP-TLS does send success before the AD check, the laptop will succeed at TLS and not AD,

SO

The laptop would not be able to gain access to network resources correct?

Thx, soo much,

Ken

Only the TLS *handshake* is completed/successful, but because user authentication fails,

CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
EAP: EAP-TLS: Handshake succeeded
EAP: EAP-TLS: Authenticated handshake
EAP: EAP-TLS: Using CN from certificate as identity for authentication
EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
pvAuthenticateUser: authenticate 'jatin' against CSDB
pvCopySession: setting session group ID to 0.
pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
pvAuthenticateUser: authenticate 'jatin' against Windows Database
External DB [NTAuthenDLL.dll]: Creating Domain cache
External DB [NTAuthenDLL.dll]: Loading Domain Cache
External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
External DB [NTAuthenDLL.dll]: Domain cache loaded
External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
External DB [NTAuthenDLL.dll]: User jatin was not found
pvCheckUnknownUserPolicy: setting session group ID to 0.
Unknown User 'jatin' was not authenticated

So the EAP-Failure (RADIUS Access-Reject) is sent, not EAP-Success (RADIUS Access-Accept).

And any port/point won't be allowed to pass traffic unless the NAS device gets an EAP-Success (RADIUS Access-Accept) for the user.

HTH

Regards,

Prem
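The two-gate decision Prem's log illustrates (TLS handshake first, then the directory lookup, with Access-Accept only when both pass) as an added example that is not part of this thread or of ACS: a small Python parser over a constructed auth.log excerpt in the shape of the lines quoted above. The timestamps, message ids and the reading of a UDB_OK response status as "user found" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the ACS auth.log lines quoted in this thread
# (thread 0x588, the failing 'jatin' case); timestamps and message ids are illustrative.
SAMPLE_LOG = """\
AUTH 08/28/2008 17:45:09 I 0526 3712 0x588 EAP: EAP-TLS: Handshake succeeded
AUTH 08/28/2008 17:45:09 I 0526 3712 0x588 EAP: EAP-TLS: Using CN from certificate as identity for authentication
AUTH 08/28/2008 17:45:09 I 0366 3712 0x588 EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
AUTH 08/28/2008 17:45:09 I 0526 3712 0x588 External DB [NTAuthenDLL.dll]: User jatin was not found
AUTH 08/28/2008 17:45:09 I 5501 3712 0x588 Done UDB_SEND_RESPONSE, client 50, status UDB_USER_NOT_FOUND
"""
PREFIX = re.compile(r"^AUTH \S+ \S+ \S \d+ \d+ (0x[0-9a-fA-F]+) (.*)$")
IDENTITY = re.compile(r"Using (\w+) from certificate as identity")
USERNAME = re.compile(r"username = '([^']*)'")
STATUS = re.compile(r"Done UDB_SEND_RESPONSE, client \d+, status (\w+)")

@dataclass
class EapTlsSession:
    thread: str
    handshake_ok: bool = False          # gate 1: TLS handshake, both certs validated
    identity_source: str = ""           # CN or SAN pulled from the client certificate
    username: str = ""
    user_found: Optional[bool] = None   # gate 2: lookup of that identity in AD
def parse_acs_log(text: str) -> dict:
    """Group auth.log lines by ACS thread id and record both gates for each session."""
    sessions = {}
    for m in filter(None, map(PREFIX.match, text.splitlines())):
        thread, msg = m.groups()
        s = sessions.setdefault(thread, EapTlsSession(thread))
        if "EAP-TLS: Handshake succeeded" in msg:
            s.handshake_ok = True
        elif (im := IDENTITY.search(msg)):
            s.identity_source = im.group(1)
        elif (um := USERNAME.search(msg)):
            s.username = um.group(1)
        elif "was not found" in msg:
            s.user_found = False
        elif (sm := STATUS.search(msg)) and s.user_found is None:
            s.user_found = sm.group(1) == "UDB_OK"  # assumption: UDB_OK marks a found user
    return sessions

def outcome(s: EapTlsSession) -> str:
    """TLS success alone never yields Access-Accept; the AD lookup is a second gate."""
    if not s.handshake_ok:
        return "reject: TLS handshake failed"
    if s.user_found is False:
        return f"reject: TLS ok but '{s.username}' ({s.identity_source}) not in directory"
    return "accept" if s.user_found else "undetermined"
```

Sessions that reach "reject: TLS ok but ... not in directory" are the ones worth alerting on: the client presented a certificate the ACS trusts, yet no matching account exists, which usually means an orphaned or stale certificate.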

Many thx mate, I see it

AUTH 08/28/2008 17:45:09 I 2856 3712 0x588 pvCheckUnknownUserPolicy: setting session group ID to 0.
AUTH 08/28/2008 17:45:09 I 3017 3712 0x588 Unknown User 'jatin' was not authenticated
AUTH 08/28/2008 17:45:09 I 4270 3712 0x588 Final group map: 0.
AUTH 08/28/2008 17:45:09 I 1806 3712 0x588 eapAuthenticate:AuthenAuthenticateEapUser returns UDB_USER_NOT_FOUND
AUTH 08/28/2008 17:45:09 I 0526 3712 0x588 EAP: EAP-TLS: <-- EAP Failure
AUTH 08/28/2008 17:45:09 I 0366 3712 0x588 EAP: EAP state: action = send_done
AUTH 08/28/2008 17:45:09 I 1151 3712 0x588 [AuthenProcessResponse]:[eapAuthenticate] returned -2125
AUTH 08/28/2008 17:45:09 I 1198 3712 0x588 EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=18, seq_id=6)
AUTH 08/28/2008 17:45:09 I 5501 3712 0x588 Done UDB_SEND_RESPONSE, client 50, status UDB_USER_NOT_FOUND
AUTH 08/28/2008 17:45:09 I 5862 6516 0x586 Worker 2 processing message 39.
AUTH 08/28/2008 17:45:09 I 2802 6516 0x586 Start UDB_LOG, client 2 (127.0.0.1)
AUTH 08/28/2008 17:45:09 I 5501 6516 0x586 Done UDB_LOG, client 2, status UDB_OK

Brill, Many thx and if ever you are in Canary Wharf, I owe ya a beer :)

Cheers fella,

Ken

Thanks and cheers mate =)
