EAP-TLS - 802.1x - Certificate renewal

Feb 17th, 2009

Hello

I want to implement EAP-TLS as described in the document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything works fine.

However, our customer wants to firewall the data WLAN/VLAN and allow only traffic between the WLAN client and a terminal server within his secure LAN.

By blocking all other traffic (except terminal server sessions), we found that the MS Windows XP client cannot renew its EAP-TLS certificate (in this case both user and machine) when it expires.

Could somebody give me a hint whether there are other Cisco solutions for this issue?

I have also read something about Cisco Virtual Office. Does this deployment help to solve this issue?

Johannes Luther Tue, 02/17/2009 - 11:34

I guess it's more a Microsoft issue. I guess you log in to a domain on the client. If you block everything between the client and the LAN (except the TS session), the client won't be able to establish a domain connection. I guess the login is still working because of cached credentials on the client. I guess the FW between the client and the Windows domain controllers has to be a little bit more open.

rayborg Wed, 02/18/2009 - 01:04

Thanks Johannes for your prompt reaction.

You're right. It is actually an MS issue, but what I needed to know is whether there is some sort of Cisco solution to work around this issue. For example, some sort of agent which could issue the certificate in the unsecure WLAN. What about the Secure ACS agent? I could not find any information on whether this could play the role of a sub-CA.

Johannes Luther Wed, 02/18/2009 - 02:17

The purpose of the Cisco ACS agent is that the ACS 4.x appliance (not a Windows 2003 server) is capable of doing Windows user authentication. I guess that won't help your issue.


What I don't get is the following:

Are you using WPA2 (AES) as encryption? Then the WLAN is not considered unsecure over the air.

The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP type (like PEAP).
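Added example, not part of the original thread: the two firewall policies side by side as Cisco IOS extended ACLs, applied inbound on the data WLAN interface. The first is the "terminal server only" policy the original poster describes; the second adds the Windows services a domain-joined XP client needs so that Kerberos logon, Group Policy and certificate autoenrollment (which talks to the enterprise CA over DCOM/RPC) keep working. The subnet 10.10.20.0/24, the host addresses (DC 10.10.1.10, CA 10.10.1.20, terminal server 10.10.1.50) and the ACL names are assumptions chosen for the example; replace them with the customer's real addressing.

```cisco
! --- Policy 1: the customer's original intent (RDP to the terminal server only).
!     Assumed addresses: WLAN clients 10.10.20.0/24, terminal server 10.10.1.50.
!     With only this in place the client still authenticates via 802.1X/EAP-TLS,
!     but domain logon falls back to cached credentials and autoenrollment cannot
!     reach the DC or the CA, so the user and machine certificates never renew.
ip access-list extended WLAN-DATA-RDP-ONLY
 remark RDP to the terminal server
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.50 eq 3389
 deny   ip any any log

! --- Policy 2: same intent, plus the minimum Windows domain traffic.
!     Assumed addresses: DC/DNS 10.10.1.10, enterprise CA 10.10.1.20.
ip access-list extended WLAN-DATA-DOMAIN
 remark DNS (SRV lookups to locate the domain controller)
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 53
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 53
 remark NTP (Kerberos tolerates only a few minutes of clock skew)
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 123
 remark Kerberos authentication and password change
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 88
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 88
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 464
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 464
 remark LDAP / Global Catalog: autoenrollment reads templates and CA info from AD
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 389
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 389
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 636
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 3268
 remark SMB: Group Policy (SYSVOL), which carries the autoenrollment setting
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 445
 remark RPC endpoint mapper plus the dynamic RPC range to the DC
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 135
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 range 1025 5000
 remark DCOM certificate enrollment (ICertRequest) to the CA: endpoint mapper + dynamic range
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.20 eq 135
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.20 range 1025 5000
 remark RDP to the terminal server (the original business requirement)
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.50 eq 3389
 deny   ip any any log

interface Vlan20
 description Data WLAN (example)
 ip access-group WLAN-DATA-DOMAIN in
```

The RPC dynamic range is the usual culprit: TCP 135 alone is not enough, because the endpoint mapper only tells the client which high port the CA's DCOM interface is listening on. The range 1025-5000 is the Windows Server 2003 default (Windows Server 2008 and later use 49152-65535); Microsoft documents narrowing it via the `HKLM\SOFTWARE\Microsoft\Rpc\Internet` registry key, which lets the `range` lines above be tightened to a handful of ports. Keep `deny ip any any log` last and watch the hit counters with `show access-lists` while a client renews; any logged denies toward the DC or CA point at a service that is still missing. The policy is written to the DC and CA hosts only, so the WLAN still cannot reach anything else in the secure LAN.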

rayborg Wed, 02/18/2009 - 08:56

Encryption over the air is for some people a little bit abstract and therefore risky!


So you have confirmed that this issue can only be solved through an MS solution, such as placing a read-only domain controller (RODC) in the "unsecure" WLAN.


Thanks a lot for your help.