Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Bronze

ISE and EAP-TLS

Hi

We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.

22045  Identity policy result is configured for password based authentication  methods but received certificate based authentication request

I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.

EAP-TLS is enabled in  the 'Default Network Access' authentication result.

Can anyone shine a light on where I'm going wrong?

Thanks

Martin

Everyone's tags (1)
1 ACCEPTED SOLUTION

Accepted Solutions

ISE and EAP-TLS

Yes that is correct, the certificate that is being presented to ISE doesnt include the identity of the client, that is the reason the attempt fails.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
27 REPLIES
Cisco Employee

ISE and EAP-TLS

You need to define a certificate authentication profile and then select this as the result (Identity Source) in the authentication policy

You can create a certicate authentication profile at: Administration->Identity management->External Identity Sources->Certificate Authentication Profile

There error you are seeing occurs when trying to "authenticate" the request based on a clinet certifcate but result is an identity store (AD, LDAP etc)

New Member

ISE and EAP-TLS

Hi

If I only want to install the certificate manually on the user device does I still need a SCEP server?

Thanks,

Regards,

Re: ISE and EAP-TLS

Martin,

If you go the authentication policy page and expand your rules you can choose the result to be certificate authentication profile that you created.

If you have a mixture of peap or other password based methods, your best option is to create an identity sequence store. This allows you to use a certificate authentication profile along with a list of databases for password based authentication also. One you create this rule, go back to authentication policies and set this as the result and you should be good to go.

Thanks,

Tarik

Sent from Cisco Technical Support iPad App

Tarik Admani *Please rate helpful posts*
Bronze

ISE and EAP-TLS

Thanks for your help so far Tarik and jrabinow I'm no longer getting that message, instead I'm getting the following message when I try to connect:

12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain

We're using MS certificate services, the ipad has the root CA certificate and the active ca services server certificate as well as the user certificate. The ISE has a certificate generated on the active cert services server  and also has the root CA certificate in it's certificate store.

All the certificates seem to be valid back to the root CA certificate.

Any ideas?

Thanks

Martin

ISE and EAP-TLS

Martin,

Do you have any intermediate certificates? If so, then you will have to import those in to the ISE certificate trusted certificate store, and you will have to select the checkbox "Trust for client with eap-tls"

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html#wp1053515

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Bronze

ISE and EAP-TLS

We've got 1.1 so the options are a bit different but I've installed the root certificate and the ca server certificate on ISE in the certificate store and 'Trust for client authentication' is enabled.

There is a sub-option 'Enable Validation of Certificate Extensions (accept only valid certificate)' that I enabled when I installed the certificate but when I look at it now it's greyed out.

In addition the primary and secondary ISE certificates also has the trust option enabled.

Thanks

Martin

ISE and EAP-TLS

Can you post a screeshot of the certificate that is installed on the Ipad? Also post a screenshot of the certificate on ISE. I would like to see the serial numbers of the root to see if they are identical.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Bronze

Re: ISE and EAP-TLS

Screenshots attached

Thanks

Martin

ISE and EAP-TLS

Thanks Martin,

Can you get me the screenshot of the root certificate that is installed on the ipad, along with another screenshot of the user certificate (I will like to see the "issued to" and "issued by" attributes)

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Bronze

Re: ISE and EAP-TLS

Tarik

The root certificate on the iPad is the same as the root certificate on the ISE, see the attached images.

Thanks

Martin

ISE and EAP-TLS

Martin,

There seems to be an intermediate certificate or you have the wrong root certificate imported into the ISE. Can you click on the certificate path (top right tab). Take a look at the "issued by" field in the usercert.png and then look at the name of the root certs that you attached. The signer of your user cert is NHSG-CS-01, the root cert on the ISE node is NHSG-CS-ROOT.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Bronze

Re: ISE and EAP-TLS

Tarik

NHSG-CS-01 is the active CS server that issued the certificate, NHSG-CS-ROOT is off at the recommendation of a microsoft employee when she helped our server team setup CS an so can't issue certificates.

The NHSG-CS-01 certificate is on both the iPad and ISE and on the ISE it's enabled for authentication.

Thanks

Bronze

Re: ISE and EAP-TLS

Tarik

So I removed NHSG-CS-ROOT from both the iPad profile and the ISE certificate store leaving the ipad with only the personal certificate and the NHSG-CS-01 certificate.

The ISE certificate store now has with both primary and secondary ISE certificates and the NHSG-CS-01 certificate.

For the two ISE certificates I've unchecked the 'Trust for client authentication' check boxes so the only certificate in the certificate store that has that check box checked is NHSG-CS-01.

Authentication is still failing with the same message about the unsupported certificate.

Interestingly each time I appy the policy to the ipad and try to connect wirelessly it prompts to accept the primary ISE certificate that was issued by NHSG-CS-01, that shouldn't be happening should it?

Thanks

Martin

ISE and EAP-TLS

Martin,

Please post the certificate path using windows so I can see the whole path of the user cert and the full details of it also (I need to see the key usage and enhanced key usage). Also I need to see the full details of the NHSG-CS-01 (path and key usage and enhanced key usage). It may be that you are using a signing certificate to issue this cert and that might not be supported since we need server authentication OID to present in order to use certificate based authentication.

http://www.cisco.com/en/US/docs/security/ise/1.0/install_guide/ise10_vmware.html#wp1053064

take a look at figure 4-3 for this setting on the vmswitch.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Bronze

Re: ISE and EAP-TLS

Tarik

I've attached the path detail, etc.

There was no extended key usage in the NHSG-CS-01 certificate, key usage was Digital Signature, Certificate Signing, Off-line CRL Signing and CRL Signing (86).

In the personal certificate the key usage was Digital Signature, Key Encipherment (a0) and the enhanced key usage was Server Authentication.

Thanks

Martin

ISE and EAP-TLS

Martin,

Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:

http://support.microsoft.com/kb/814394

Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:

The IAS or the VPN server computer certificate is configured with the  Server Authentication purpose. The object identifier for Server  Authentication is 1.3.6.1.5.5.7.3.1.

Here is the Cisco eap-tls deployment guide which references the same as above:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Bronze

Re: ISE and EAP-TLS

Tarik,

Thanks for your help, that makes sense even to me now that you've pointed it out. I know very little about certificates.

I've asked one of my colleagues in our server team to add the usage to the template and once he does I'll test and update this discussion.

Thanks

Martin

Bronze

Re: ISE and EAP-TLS

Tarik,

Annoyingly we've now got a client certificate with client authentication and server authentication as the enhanced key usage but we're now hitting a different error message, 22047 "Principal username attribute is missing in client certificate".

So the client certificate has the extended attributes of Server Authentication and Client Authentication.

Thanks

Martin

ISE and EAP-TLS

Martin,

Can you please post a screenshot of you user cert. If there isnt a prinicpal username then we need to see if the subject alternative name contains the correct format of the username.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
Bronze

ISE and EAP-TLS

Tarik

You're right, there is no subject alternative name (or principal name) on my user certificate so I had a look at a certificate I generated from the User template and it does have a subject alternative name which contains:

Other Name:

     Principal Name=@

RFC822 Name=

I presume thats what should be in the personal certificate I generate for the iPad?

Thanks

Martin

ISE and EAP-TLS

Yes that is correct, the certificate that is being presented to ISE doesnt include the identity of the client, that is the reason the attempt fails.

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*
New Member

ISE and EAP-TLS

Hi,

For Windows based authentication, we usually have to use not the common name on the Certificate authentication profile, but the subject or subject alternate name.

In your case if you specify to use the Subject Alternate Name ISE, should be able to take that to authentify the user.

HTH

Gustavo

Bronze

Re: ISE and EAP-TLS

Hi Gustavo

We've already got that added.

Thanks

Martin

New Member

ISE and EAP-TLS

Hi Tarik,

I have the same error. What should be the solution?

New Member

ISE and EAP-TLS

Hi Martin,

If I only want to install the certificate manually on the user device does I still need a SCEP server?

Thanks,

Regards,

New Member

Hi Tarik,

Hi Tarik,

This post is for long time ago... I would like to have a help from you because I´ve deployed ISE 2.0 and I want to use EAP-TLS as preferred authentication with certificate based authentication for both user and workstation... but the authentication is failing with error 22056 Subject not found in the applicable identity store.

I use Identity Sequence Store with certificate profile attached.

Thanks.

New Member

ISE and EAP-TLS

Hi,

Can I have guide to setup certificate based authentication for ipad or mobile phone user with ISE?

Please help!!

14353
Views
0
Helpful
27
Replies