
Does ACS 4.2 support IPSec template certificates?

aleary
Level 1

I have ACS 4.2 with the 124.12 cumulative patches installed.  I have enabled EAP-FAST in ACS.  The CA is selected in the trusted list.  When I try to authenticate with the ACS I get a rejection.  Wireshark shows in the challenge that this is an 'unsupported certificate'.

In the AUTH.log I get the following where the failure occurs:

AUTH 11/04/2010 12:01:44 I 0000 46564 0x95 CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate B

AUTH 11/04/2010 12:01:44 I 2009 46564 0x95 EAP: EAP-FAST: Handshake failed

AUTH 11/04/2010 12:01:44 E 2255 46564 0x95 EAP: EAP-FAST: ProcessResponse: SSL send alert fatal:unsupported certificate

AUTH 11/04/2010 12:01:44 E 2258 46564 0x95 EAP: EAP-FAST: ProcessResponse: SSL ext error reason: b2 (Ext error code = 0)

AUTH 11/04/2010 12:01:44 E 2297 46564 0x95 EAP: EAP-FAST: ProcessResponse(1519): mapped SSL error code (3) to -2120

The certificate template is IPSec (Offline request) (IPSECIntermediateOffline).  Is there some configuration that I am not aware of?

Andy

5 Replies

aneelaka
Level 1

As it is reporting an error on the client certificate, check the client cert. The client cert must
have the following: EKU = Client Authentication, KU = Digital Signature,
Key Encipherment and Data Encipherment.

This is from the certificate:

EKU = IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

KU = Digital Signature, Key Encipherment (a0)

Do you know how to ensure that the EKU is Client Authentication and the KU is Digital Signature,
Key Encipherment and Data Encipherment?  I don't see anything in the software that is generating the certReq about specifying the type of certificate that is needed.

Do you know how the Windows Server 2003 CA determines what certificate template to use when returning a certificate?
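The check described in the reply above (EKU must carry clientAuth; KU must carry digitalSignature, keyEncipherment and dataEncipherment) can be run directly against the DER extension values of a certificate. The script below is an added example, not code from the thread or from Cisco; it uses a small pure-Python DER decoder so it needs no third-party module. The extension values it checks are constructed here to mirror what the post reports (EKU = 1.3.6.1.5.5.8.2.2, KU bits = a0) and what the reply asks for; they are not taken from the poster's actual certificate. It treats a missing EKU as a failure, which is the stricter reading the reply implies.

```python
"""Check X.509 EKU / KU extension values the way the reply above requires.

Added example, not from the original thread. Pure Python: decodes the DER
ExtKeyUsageSyntax (SEQUENCE OF OID) and KeyUsage (BIT STRING) values itself.
"""

# Key-purpose OIDs (RFC 5280 id-kp-clientAuth; RFC 4945 ipsecIKEIntermediate).
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"   # the EKU the poster's cert carries

# KeyUsage named bits in BIT STRING order (RFC 5280 section 4.2.1.3).
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]

# The KU set aneelaka says the EAP-FAST client certificate needs.
REQUIRED_KU = {"digitalSignature", "keyEncipherment", "dataEncipherment"}


def der_read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, content_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Content octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    arcs = [content[0] // 40, content[0] % 40]   # first octet packs the first two arcs
    cur = 0
    for b in content[1:]:                        # base-128, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(ext_value):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId; returns the OIDs as strings."""
    tag, body, _ = der_read_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, oid_bytes, pos = der_read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(oid_bytes))
    return oids


def parse_ku(ext_value):
    """KeyUsage ::= BIT STRING. First content octet = number of unused trailing
    bits; remaining octets hold the named bits MSB first (digitalSignature = bit 0)."""
    tag, body, _ = der_read_tlv(ext_value)
    if tag != 0x03:
        raise ValueError("KU value must be a BIT STRING")
    unused = body[0]
    bit_count = (len(body) - 1) * 8 - unused
    bits = int.from_bytes(body[1:], "big") >> unused
    return {KU_BITS[i] for i in range(min(bit_count, len(KU_BITS)))
            if (bits >> (bit_count - 1 - i)) & 1}


def check_client_cert(eku_value, ku_value):
    """Return (ok, reasons) for the EKU/KU requirements stated in the reply.
    A missing EKU is treated as a failure here (the stricter reading)."""
    reasons = []
    ekus = parse_eku(eku_value) if eku_value is not None else []
    if OID_CLIENT_AUTH not in ekus:
        reasons.append(f"EKU lacks clientAuth {OID_CLIENT_AUTH}; has {ekus or 'none'}")
    kus = parse_ku(ku_value) if ku_value is not None else set()
    missing = REQUIRED_KU - kus
    if missing:
        reasons.append(f"KU missing {sorted(missing)}; has {sorted(kus)}")
    return not reasons, reasons


# Constructed DER extension values (illustrative, not the poster's real certificate).
EKU_IKE_ONLY = bytes.fromhex("300a06082b06010505080202")      # SEQUENCE { ipsecIKEIntermediate }
EKU_CLIENT_AUTH = bytes.fromhex("300a06082b06010505070302")   # SEQUENCE { clientAuth }
EKU_BOTH = bytes.fromhex("301406082b0601050507030206082b06010505080202")
KU_A0 = bytes.fromhex("030205a0")   # 5 unused bits, 0xa0 = digitalSignature + keyEncipherment
KU_B0 = bytes.fromhex("030204b0")   # 4 unused bits, 0xb0 = ... + dataEncipherment

if __name__ == "__main__":
    for label, eku, ku in [("IPSec-template cert as reported", EKU_IKE_ONLY, KU_A0),
                           ("cert as the reply requires", EKU_CLIENT_AUTH, KU_B0)]:
        ok, reasons = check_client_cert(eku, ku)
        print(f"{label}: {'OK' if ok else 'REJECT'}", *reasons, sep="\n  ")
```

On a real certificate the two extension values sit in the TBSCertificate extensions list; `openssl x509 -in client.pem -noout -text` prints them decoded, and `openssl asn1parse -in client.pem` shows the raw TLVs. The `(a0)` shown in the post is exactly the KeyUsage BIT STRING content this script decodes to digitalSignature and keyEncipherment.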

pnavratil
Level 1

Hi Anthony,

did you find any solution for this issue? I am now in exactly the same situation.

Thank you

Pavel

Pavel,

After working with Albert Sun and Igal Katz we found that IOS does not support EKU (Extended Key Usage), where the types of certificate can be specified. So in the cert request we won't specify any EKU. An EKU-aware CA, like ACS or the MS CA, considers it an IPSec certificate request.

There is an enhancement by the PKI team to add support for EKU (Enhanced Key Usage). Not sure of the official enhancement name (EKU for IOS). This enhancement has to be implemented before we can externally authenticate LSC certificates.

Andy
