EAP-TLS on ACS v4 for wireless users

balsheikh
Level 1

Hi,

I'm trying to deploy the EAP-TLS authentication method on ACS v4.0 for my local wireless users; really, I'm stuck with the certificate issue and need your assistance to understand the required procedures to accomplish the task.

As mentioned in the ACS configuration guide, I have to have a CA server to generate certificates for both ACS and the wireless users, but I found an option on the ACS under the System Configuration tab, then ACS Certificate Setup, to Generate Self-Signed Certificate. I generated a certificate, uploaded a copy to my PC, installed it and followed the recommended steps to configure the Microsoft XP client, but I still got the error "Windows was unable to find a certificate to log you on to the network SSID". Honestly, I don't know if this is possible, but I gave it a try and failed.

Kindly advise what the appropriate and easiest way to accomplish the task is; if you could provide me with helpful documents, I'd appreciate it.

Regards,

Belal

6 Replies

jverkerke
Level 1

I am currently using EAP-TLS authentication for my wireless users on ACS 3.2. I have had that problem before. This is what I did...

Set up a Microsoft Certificate Server as my CA. You can use the same machine for your ACS and CA.

Then generate a certificate signing request from ACS, request a server certificate from the CA, then copy and install the certificate on ACS. On the ACS, go to Global Authentication Setup and check the EAP-TLS certificate. If it fails to respond, that means the server certificate is not properly set up.

On the Windows XP clients, connect your machine using the wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (e.g. http://CAip/certsrv), but this time request a client certificate. The name you put in when requesting the cert must be your local Windows user; use 1024 and choose Microsoft Base Cryptographic Provider 1.0. Then install the certificate on the client. Verify that your client certificate was installed properly.

At that point you should be able to connect your wireless client using EAP-TLS.

Hi,

First of all, thanks for your assistance.

I need more clarification from your side, please. Kindly note that I have a standalone ACS appliance, but I arranged a CA server. Once I generated the certificate signing request from ACS, I got it on the right half of the page with a header saying "Now your certificate signing request is ready. You can copy/paste it to any certification authority enrollment tool". What is the next step here!!

I managed to get both certificates for ACS and the supplicants, and the EAP-TLS certificate was enabled, but how could I upload the server certificate to the ACS and install it!!

Appreciate your feedback.

Regards,

Belal

When you see the message "copy and paste certificate signing request", copy all that info (that is your server's info for requesting a certificate from the CA). Then open up a browser to access the CA (http://CA-address/certsrv); do that on the ACS, then select "Request a certificate", then "Advanced certificate request", then "Submit a certificate request using ..."; from there follow the on-screen instructions up to installing the certificate on the server...

mmmoookkk
Level 1

Hi

This is the guide for building 802.1x for the wired LAN, but it covers the CA configuration and certificate creation process in detail. I hope this helps.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#p15

http://technet2.microsoft.com/WindowsServer/en/library/d7a495c3-5e46-4b35-a236-34a4d4ad0f091033.mspx?mfr=true

best regards

Motti

Hello,

Thanks for all of you..

I did it successfully.

Attached is the exact document required for installing and configuring the CA root, the server certificate and the client certificate.

Regards,

Belal

mmmoookkk
Level 1

hello

The self-signed certificate is mostly used to allow HTTPS administration of the ACS and to allow PEAP authentication. The certificate the ACS created cannot be used as a client certificate, since the key usage of the certificate doesn't allow this, and because your PC probably doesn't recognize the ACS as a trusted CA server.

You should check if the laptop you are using shows the ACS certificate in the CA server list in the NIC configuration under Authentication. If so, just tick the box beside it and Windows XP should be able to use it.

I hope you can find what I'm talking about... I've attached a picture for you.
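The two certificate problems the thread works through (the ACS self-signed certificate is a server certificate, so the supplicant neither trusts its issuer nor can use it for client authentication, while a CA-issued user certificate with the Client Authentication EKU works) can be reproduced without any lab hardware. The Go program below is an added example written for this page; it is not code from the thread, from Cisco ACS or from Microsoft Certificate Services. It stands up a root CA in the role of the Microsoft Certificate Server, answers the ACS CSR with a Server Authentication certificate, issues a user certificate whose CN is the Windows user name (as the replies require), builds a self-signed server certificate the way the ACS "Generate Self-Signed Certificate" option does, and then runs the two checks an EAP-TLS peer applies to a client certificate: does it chain to a trusted root, and does its EKU permit client authentication. The host name acs.lab.local, the user belal and the use of ECDSA P-256 keys are assumptions for the example (the thread's 1024-bit Microsoft Base Cryptographic Provider keys are RSA; the trust and EKU checks do not depend on the key type).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verdicts returned by Diagnose, one per outcome discussed in the thread.
const (
	VerdictOK        = "trusted client certificate (chains to the CA and has the Client Authentication EKU)"
	VerdictUntrusted = "not issued by a CA the supplicant trusts"
	VerdictWrongEKU  = "chains to a trusted CA but lacks the Client Authentication EKU"
)

// template builds the common part of every certificate in this lab (assumed values).
func template(cn string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// sign creates a certificate from tmpl signed by signer; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // subject key (ECDSA is an assumption)
	if err != nil {
		return nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA plays the role of the Microsoft Certificate Server: a self-signed root that may sign certificates.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := template("Lab Root CA", 1)
	t.IsCA, t.BasicConstraintsValid = true, true
	t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert answers the ACS CSR: a server certificate with the Server Authentication EKU.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string) (*x509.Certificate, error) {
	t := template(host, 2)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(t, ca, caKey)
}

// IssueClientCert is the certsrv "client certificate" request: CN is the Windows user name.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) (*x509.Certificate, error) {
	t := template(user, 3)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return sign(t, ca, caKey)
}

// SelfSignedServerCert models the ACS "Generate Self-Signed Certificate" option: a server
// certificate that is its own issuer and is not in any client's trusted CA list.
func SelfSignedServerCert(host string) (*x509.Certificate, error) {
	t := template(host, 4)
	t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(t, nil, nil)
}

// Diagnose applies the checks an EAP-TLS peer makes on a client certificate: it must chain
// to a trusted root and every certificate in the chain must permit client authentication.
func Diagnose(cert *x509.Certificate, trusted *x509.CertPool) string {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return VerdictOK
	case errors.As(err, &unknown):
		return VerdictUntrusted
	case errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage:
		return VerdictWrongEKU
	default:
		return "verification failed: " + err.Error()
	}
}

func main() {
	ca, caKey, err := NewCA()
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool() // what the XP "trusted root CA" list holds after importing the CA
	trusted.AddCert(ca)
	client, _ := IssueClientCert(ca, caKey, "belal")
	server, _ := IssueServerCert(ca, caKey, "acs.lab.local")
	selfSigned, _ := SelfSignedServerCert("acs.lab.local")
	fmt.Println("CA-issued user cert:      ", Diagnose(client, trusted))
	fmt.Println("CA-issued ACS server cert:", Diagnose(server, trusted))
	fmt.Println("ACS self-signed cert:     ", Diagnose(selfSigned, trusted))
}
```

The third line of output is the situation in the original question: the self-signed ACS certificate fails on trust before the EKU is even examined, and even after the certificate is imported as a trusted root it still carries only Server Authentication, which is why the supplicant reports that it cannot find a certificate to log on with.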