cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1743
Views
0
Helpful
16
Replies

Installing ACS Certificates for EAP-TLS Does not work

kfarrington
Level 3
Level 3

Hi all,

I have two problems.

I Generated a ACS CSR and sent this to my windows people and they issued my ACS with a certificate. Cool.

I go to download it onto the ACS and I have to put a "Private key file" in?

What is this file? and where do I get it from? Is it that long string of characters that the CSR generate, that I sent to the windows boys?

Also, I did manage to just put any old rubbish in there? and I was suprised it accepted it.

Restarted the IS service and tried to enable eap-tls on the "global authentication setup" page to only get the message

Failed to initialize PEAP or EAP-TLS authentication protocol because CA

certificate is not installed. Install the CA certificate using "ACS

Certification Authority Setup" page"

Now I am a little confused, as is this because if have setup the ACS incorrectly, because of my mis-understanding of what this private key file is and how it relates to whatever?

Many thx indeed,

Ken

2 Accepted Solutions

Accepted Solutions

ben.gordon
Level 1
Level 1

I am having the same problem. It seems that when the windows guys generate a cert it has to be exportable, which will give you the private key file also. i have tried the following document without any success. it may work for you though, http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

i have also tried having ACS generate a self signed certificate, which works. But on the client you have to uncheck the box that says validate the server certificate because the ACS is not a trusted certificate servers. Right now I am trying to figure out how to have AD publish the ACS as a trusted cert server so windows knows to trust the cert from ACS. Through all of this I have found that you can set it up several ways, the hard part is finding a way that works for you.

View solution in original post

Have you guy's looked at this doc. This will work even though it is for PEAP. With EAP-TLS, you will do the same excep request the certificate from the client.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

Just make a note of this when you request a cert it is in the above doc.

Note: Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option is greyed out. There are no other certificate templates supplied with certificate services that are for server authentication and give the ability to mark keys as exportable that are available in the drop-down. Therefore, you need to create a new template that does so.

Here is a doc for ACS and EAP-TLS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#acs-1

-Scott
*** Please rate helpful posts ***

View solution in original post

16 Replies 16

ben.gordon
Level 1
Level 1

I am having the same problem. It seems that when the windows guys generate a cert it has to be exportable, which will give you the private key file also. i have tried the following document without any success. it may work for you though, http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

i have also tried having ACS generate a self signed certificate, which works. But on the client you have to uncheck the box that says validate the server certificate because the ACS is not a trusted certificate servers. Right now I am trying to figure out how to have AD publish the ACS as a trusted cert server so windows knows to trust the cert from ACS. Through all of this I have found that you can set it up several ways, the hard part is finding a way that works for you.

Not applicable

Not applicable

Not applicable

Have you guy's looked at this doc. This will work even though it is for PEAP. With EAP-TLS, you will do the same excep request the certificate from the client.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

Just make a note of this when you request a cert it is in the above doc.

Note: Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option is greyed out. There are no other certificate templates supplied with certificate services that are for server authentication and give the ability to mark keys as exportable that are available in the drop-down. Therefore, you need to create a new template that does so.

Here is a doc for ACS and EAP-TLS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#acs-1

-Scott
*** Please rate helpful posts ***

Many thx guys,

So with a clear head this morning and thx for the links, I have extracted exactly what I need to do and will re-attempt.

Will update all soon, and here is the ACS "Appliance" extracted info.

Thx to all, as always, what a group of people we have here!!!

Thx

Ken

Doc looks good. Let us know if you get it to work or not.

-Scott
*** Please rate helpful posts ***

Hi, Fella and Ben,

Excellent stuff. took the peap stuff and tool out the appliance only details and it all worked.

Its all about not double clicking on the private key stuff when installing the cert and a couple of other little funnies as described in the red notes.

Many thx to all of you :)

Now just have to get it all working and client authenticated to the ACS. One thing at a time :))

Kind regards,

Ken

Well that is good news. Yeah.... one thing at a time.

-Scott
*** Please rate helpful posts ***

thx mate, now just investigating why the windows laptop says a message

"Windows was unable to find a certificate to log you on to the network"

On a packet capture, I see the WLC send an EAP identity request packet (many times) but no EAP idenetity response packet from the client.

Gotta be a cert issue on the laptop and me and the windows boys are working on this bit.

Thern, once this is done, Im assume that the client/acs via the WLC will attempts to form an SSL/TLS tunnel and hand off the CN/SAN/Binary comparison to the ACS for authentication.

This is good fun, and feels like a blog of the progress :)

I will keep updated and thx for the help.

Cheers

Ken

So, As I mentioned earlier, the laptop is receiving a eap-identity-request from the WLC but is not generating an eap-identity-response packet.

So looks odds on that the laptop is not doing sommat it should. Its gotta be certs right?

So looking at the windows XP debugs for eapol, we get the following (please look at last line)

[1424] 15:49:07:437: ElEapMakeMessage entered

[1424] 15:49:07:437: ElParseIdentityString: DisplayString =

[1424] 15:49:07:437: ElParseIdentityString: LocalIdString = networkid=TestWLAN,nasid=MY-WLC,portid=29

[1424] 15:49:07:437: ElParseIdentityString: LocalIdString Length = 44

[1424] 15:49:07:437: ElParseIdentityString: NetworkID Size = 7

[1424] 15:49:07:437: Got NetworkId = TestWLAN

[1424] 15:49:07:437: Got NASId = MY-WLC

[1424] 15:49:07:437: ElParseIdentityString: For PortId, length = 2

[1424] 15:49:07:437: Got PortId = 29

[1424] 15:49:07:437: ElParseIdentityString: End of String reached

[1424] 15:49:07:437: ElParseIdentityString: Out of while loop

[1424] 15:49:07:437: ElParseIdentityString: Out of while loop: NO ERROR

[1424] 15:49:07:437: ElParseIdentityString: Calling NLARegister_802_1X with params {network windows id xxx.xx.xx.} and networkid=TestWLAN,nasid=MY-WLC,portid=29

[1424] 15:49:07:437: NLARegister_802_1X: Entered

[1424] 15:49:07:437: NLARegister_802_1X: g_hNLA_LPC_Port != NULL

[1424] 15:49:07:437: NLARegister_802_1X: Completed with status = 0

[1424] 15:49:07:437: ElParseIdentityString: Returned after calling NLARegister_802_1X

[1424] 15:49:07:437: ElGetIdentity: Userlogged, Prev !Machine auth

[1424] 15:49:07:437: ElGetIdentity: Userlogged,

[1424] 15:49:07:437: ElGetUserIdentity entered

[1424] 15:49:07:437: ElGetEapUserInfo: Error in RegOpenKeyEx for base key, 2

[1424] 15:49:07:437: ElGetCustomAuthData: SSIDLen=<6>, EapTypeId=<13>, Offset=<52/106>, dwAuthData=<42>

[1424] 15:49:07:437: ElGetCustomAuthData: SSIDLen=<6>, EapTypeId=<13>, Offset=<52/106>, dwAuthData=<42>

[1424] 15:49:07:437: ElGetUserIdentityOptimized: Error in calling GetIdentity = 798

[1424] 15:49:07:437: Identity: Couldnt find a certificate

So, we have loaded the certs into the following places

Certificates - Current User

- Personal

- Intermediate CAs

- Trusted root CAs

Did it in all variations, even putting all certs in all directories, but alas, nowt coming out :(

Any ideas chums? Arsenal are playing soon, so better go and drink beer and watch the gunners :)

PS, look at the attached MS Docs. I will go thru these, but is excellent information on the MS DIAGS.

http://technet.microsoft.com/en-us/library/bb457018.aspx

Many thx

Ken

How are you configuring the client for peap?

http://articles.techrepublic.com.com/5100-10878_11-6148574.html

-Scott
*** Please rate helpful posts ***

Hi Fella and all :)

Arsenal drew 1-1 BTW :(

We are running windows XP SP (version "who knows") Will find out. This windows stuff is all a bit confusing :)

So,

We have the following only currently (for phase one of the testing)

Wifi LT ------ LWAP ------ WLC ------- ACS (appliance) ------- Romote Agent ------ AD DC

At the moment, we are just using the internal DB on the ACS rather than using the remote AD DB to keep things simple. Get that working first and then progress onto the AD auth buit.

We are using EAP-TLS and on the ACS all three comparison types are enabled and all certs are loaded.

The WLC sends the EAP-Identity packet to the wifi LT but the wifi LT does not send a response, so not even a packet gets to the ACS.

Please see Phase 2 for where we are stopping.

(I hope this doc helps people)

Let me know if you can be of further assistance.

Kind regards,

Ken

Did you install a cert on the laptop?

-Scott
*** Please rate helpful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: