Installing ACS Certificates for EAP-TLS Does not work

Answered Question
Sep 15th, 2008

Hi all,

I have two problems.

I generated an ACS CSR and sent this to my Windows people and they issued my ACS with a certificate. Cool.

I go to download it onto the ACS and I have to put a "Private key file" in?

What is this file, and where do I get it from? Is it that long string of characters that the CSR generated, that I sent to the Windows boys?

Also, I did manage to just put any old rubbish in there, and I was surprised it accepted it.

Restarted the IS service and tried to enable EAP-TLS on the "Global Authentication Setup" page, only to get the message:

Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page

Now I am a little confused: is this because I have set up the ACS incorrectly, because of my misunderstanding of what this private key file is and how it relates to whatever?

Many thx indeed,

Ken
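The "private key file" ACS asks for is the key that was created on the ACS when the CSR was generated; the CSR itself carries only the public half, and the certificate the CA returns is only usable with that original key. The script below is an added example (not from this thread or from Cisco) that walks the key, CSR and issued certificate through OpenSSL with a stand-in CA, then checks whether a certificate actually belongs to a given key by comparing the public keys each one carries. All file and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example: relationship between private key, CSR and issued cert,
# plus a check that a cert matches a key. Names below are constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The CSR is derived from a freshly generated private key. The key stays
#    on the requesting host; the CSR (the long base64 text) goes to the CA.
gen_key_and_csr() {            # $1 = base name, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
      -subj "/CN=$2" 2>/dev/null
}

# 2. A stand-in CA (in the thread this role is played by the Windows CA).
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
      -subj "/CN=Demo CA" 2>/dev/null
}

# 3. The CA signs the CSR; the resulting cert is what you get back.
issue_cert() {                 # $1 = base name
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -days 1 -sha256 \
      -out "$WORK/$1.crt" 2>/dev/null
}

# 4. A cert belongs to a key only if both expose the same public key.
#    Prints "match" or "mismatch".
key_matches_cert() {           # $1 = key file, $2 = cert file
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  c="$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)"
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

gen_key_and_csr acs "acs.example.local"       # the key that made the CSR
gen_key_and_csr other "other.example.local"   # an unrelated key
make_test_ca
issue_cert acs
echo "acs.key   vs acs.crt: $(key_matches_cert "$WORK/acs.key" "$WORK/acs.crt")"
echo "other.key vs acs.crt: $(key_matches_cert "$WORK/other.key" "$WORK/acs.crt")"
```

The second line of output is the "any old rubbish" case: a certificate installed with a key that did not produce its CSR will be accepted by a form that only checks file syntax, but the server cannot complete a TLS handshake with it.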

Correct Answer
ben.gordon Mon, 09/15/2008 - 13:23

I am having the same problem. It seems that when the Windows guys generate a cert it has to be exportable, which will give you the private key file also. I have tried the following document without any success. It may work for you, though: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

I have also tried having ACS generate a self-signed certificate, which works. But on the client you have to uncheck the box that says validate the server certificate, because the ACS is not a trusted certificate server. Right now I am trying to figure out how to have AD publish the ACS as a trusted cert server so Windows knows to trust the cert from ACS. Through all of this I have found that you can set it up several ways; the hard part is finding a way that works for you.


Correct Answer
Scott Fella Mon, 09/15/2008 - 18:03

Have you guys looked at this doc? This will work even though it is for PEAP. With EAP-TLS, you will do the same, except request the certificate from the client.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

Just make a note of this when you request a cert; it is in the above doc.

Note: Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option is greyed out. There are no other certificate templates supplied with certificate services that are for server authentication and give the ability to mark keys as exportable that are available in the drop-down. Therefore, you need to create a new template that does so.

Here is a doc for ACS and EAP-TLS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#acs-1

kfarrington Wed, 09/17/2008 - 00:03

Hi, Fella and Ben,

Excellent stuff. Took the PEAP stuff and took out the appliance-only details, and it all worked.

It's all about not double-clicking on the private key stuff when installing the cert, and a couple of other little funnies as described in the red notes.

Many thx to all of you :)

Now just have to get it all working and client authenticated to the ACS. One thing at a time :))

Kind regards,

Ken

kfarrington Wed, 09/17/2008 - 02:59

Thx mate, now just investigating why the Windows laptop says a message:

"Windows was unable to find a certificate to log you on to the network"

On a packet capture, I see the WLC send an EAP identity request packet (many times) but no EAP identity response packet from the client.

Gotta be a cert issue on the laptop, and me and the Windows boys are working on this bit.

Then, once this is done, I assume that the client/ACS via the WLC will attempt to form an SSL/TLS tunnel and hand off the CN/SAN/binary comparison to the ACS for authentication.

This is good fun, and feels like a blog of the progress :)

I will keep updated and thx for the help.

Cheers

Ken

kfarrington Wed, 09/17/2008 - 10:26

So, as I mentioned earlier, the laptop is receiving an EAP identity request from the WLC but is not generating an EAP identity response packet.

So looks odds on that the laptop is not doing sommat it should. It's gotta be certs, right?

So looking at the Windows XP debugs for EAPOL, we get the following (please look at the last line):

[1424] 15:49:07:437: ElEapMakeMessage entered
[1424] 15:49:07:437: ElParseIdentityString: DisplayString =
[1424] 15:49:07:437: ElParseIdentityString: LocalIdString = networkid=TestWLAN,nasid=MY-WLC,portid=29
[1424] 15:49:07:437: ElParseIdentityString: LocalIdString Length = 44
[1424] 15:49:07:437: ElParseIdentityString: NetworkID Size = 7
[1424] 15:49:07:437: Got NetworkId = TestWLAN
[1424] 15:49:07:437: Got NASId = MY-WLC
[1424] 15:49:07:437: ElParseIdentityString: For PortId, length = 2
[1424] 15:49:07:437: Got PortId = 29
[1424] 15:49:07:437: ElParseIdentityString: End of String reached
[1424] 15:49:07:437: ElParseIdentityString: Out of while loop
[1424] 15:49:07:437: ElParseIdentityString: Out of while loop: NO ERROR
[1424] 15:49:07:437: ElParseIdentityString: Calling NLARegister_802_1X with params {network windows id xxx.xx.xx.} and networkid=TestWLAN,nasid=MY-WLC,portid=29
[1424] 15:49:07:437: NLARegister_802_1X: Entered
[1424] 15:49:07:437: NLARegister_802_1X: g_hNLA_LPC_Port != NULL
[1424] 15:49:07:437: NLARegister_802_1X: Completed with status = 0
[1424] 15:49:07:437: ElParseIdentityString: Returned after calling NLARegister_802_1X
[1424] 15:49:07:437: ElGetIdentity: Userlogged, Prev !Machine auth
[1424] 15:49:07:437: ElGetIdentity: Userlogged,
[1424] 15:49:07:437: ElGetUserIdentity entered
[1424] 15:49:07:437: ElGetEapUserInfo: Error in RegOpenKeyEx for base key, 2
[1424] 15:49:07:437: ElGetCustomAuthData: SSIDLen=<6>, EapTypeId=<13>, Offset=<52/106>, dwAuthData=<42>
[1424] 15:49:07:437: ElGetCustomAuthData: SSIDLen=<6>, EapTypeId=<13>, Offset=<52/106>, dwAuthData=<42>
[1424] 15:49:07:437: ElGetUserIdentityOptimized: Error in calling GetIdentity = 798
[1424] 15:49:07:437: Identity: Couldnt find a certificate

So, we have loaded the certs into the following places:

Certificates - Current User

- Personal

- Intermediate CAs

- Trusted root CAs

Did it in all variations, even putting all certs in all directories, but alas, nowt coming out :(

Any ideas chums? Arsenal are playing soon, so better go and drink beer and watch the gunners :)

PS, look at the attached MS docs. I will go thru these, but it is excellent information on the MS diags.

http://technet.microsoft.com/en-us/library/bb457018.aspx

Many thx

Ken

kfarrington Wed, 09/17/2008 - 23:38

Hi Fella and all :)

Arsenal drew 1-1 BTW :(

We are running Windows XP SP (version "who knows"). Will find out. This Windows stuff is all a bit confusing :)

So,

We have the following only currently (for phase one of the testing):

Wifi LT ------ LWAP ------ WLC ------- ACS (appliance) ------- Remote Agent ------ AD DC

At the moment, we are just using the internal DB on the ACS rather than using the remote AD DB, to keep things simple. Get that working first and then progress onto the AD auth bit.

We are using EAP-TLS and on the ACS all three comparison types are enabled and all certs are loaded.

The WLC sends the EAP-Identity packet to the wifi LT but the wifi LT does not send a response, so not even a packet gets to the ACS.

Please see Phase 2 for where we are stopping.

(I hope this doc helps people)

Let me know if you can be of further assistance.

Kind regards,

Ken

kfarrington Fri, 09/19/2008 - 01:01

yes we have :)

I think it is either complaining that the SAN is not populated on the cert, or the placement of the cert itself. Will update :)

Gonna use a util called certreg.exe as this has been a problem before. I did not know that Windows had such debugging features :)

Thx man

Ken

knik-knik Fri, 09/19/2008 - 04:09

It's nice to have an EAP-TLS implementation in your WLAN. But not until your clients' certificates expire. You will have to re-enroll them again ONE by ONE; what if you've got hundreds of users in your company? It is really quite difficult to maintain.

Does anyone know how to overcome this?

Thanks.
