WIFI Certificate EAP-TLS Authentication - Windows 8
We have setup Wireless certificate authentication using ACS 5.3. It uses a stand alone certificate chain and all certificates were installed and correctly setup on the ACS. We have rules setup that look for a specific common name in the User personal certificate(not AD). When we deploy the certificates to a Windows 7 client and connect to the specified SSID, it connects successfully and the log states that it authenticated using the Common name of the certificate using X509_PKI.
We have problems when the same certificates are deployed to a Windows 8 client, as it then states that the connection failed using the EAP-TLS authentication method. The error says "12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain", but how can this be when we are setting up the Windows 8 client in exactly the same way as the Windows 7 client? Certificates and wifi profiles match exactly.
I tried the AnyConnect NAM, but no joy. I got the same error. I'm not sure what relevance the version and model of the WLC and AP has to do with it. The connection gets all the way through to the Cisco ACS and it's there where the error is occurring. The ACS handles the authentication with the certificates and the ACS is rejecting the client due to an unsupported certificate in the client chain. I must stress that this works fine with Windows 7 clients.
WLC may not be relevant. Just to check if any known bugs that may be related from the WLC side.
Now, there is probably a difference between Windows 7 and Windows 8 machines that we need to find. This difference is making something missing in Windows 8, so auth fails.
- How do you provision the certs to Windows 7 and Windows 8 machines?
- Do Windows 7 and Windows 8 machines both have the same CA certificate in the certificate chain in their trust list? (You know that the machine should trust the intermediate and root CAs of the cert, otherwise the auth fails.) I would suspect that by default Windows 8 comes with one intermediate and/or root CA cert missing. Please check and let us know.
Rating useful replies is more useful than saying "Thank you"
All the advice on how to set up certificates for wireless authentication, whether that was Cisco, Juniper, etc., all stated that the client certificate only needed the Client Authentication OID. Whilst this worked in Windows 7, this does not work in Windows 8. Windows 8 requires that the client certificate has both Server and Client Authentication OIDs. When I did this, my Windows 8 clients began to connect.
Sorry, need to correct the solution for this - it wasn't to do with the Enhanced Key Usage (OID); it can just be set to "Client Authentication".
The problem was the CSP type that was being used - it must be set to "Microsoft Enhanced RSA and AES Cryptographic Provider". This will include the additional key usage elements: Digital Signature, Non-repudiation, Key Encipherment, Data Encipherment.
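To verify the points raised in this thread on a client before troubleshooting the ACS side, the following PowerShell script (an added example, not code from the thread) inspects the user's client certificate for the Client Authentication EKU, the four key usage bits, the CSP provider name of the private key, and whether the chain builds to a trusted root. The subject CN "wifi-client" is a placeholder assumption; adjust it to your certificate.

```powershell
# Added example: check a user certificate for the EAP-TLS properties discussed above.
# Assumption: the client certificate has CN=wifi-client (placeholder) in Cert:\CurrentUser\My.
param([string]$SubjectCn = "wifi-client")

$cert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -match "CN=$SubjectCn" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectCn found in Cert:\CurrentUser\My" }

# 1. Enhanced Key Usage must contain Client Authentication (OID 1.3.6.1.5.5.7.3.2).
$ekuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.2" })

# 2. Key Usage should carry the bits the working certificate had:
#    Digital Signature, Non-repudiation, Key Encipherment, Data Encipherment.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$kuExt = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$required = $flags::DigitalSignature -bor $flags::NonRepudiation -bor $flags::KeyEncipherment -bor $flags::DataEncipherment
$kuOk = $kuExt -and (([int]$kuExt.KeyUsages -band [int]$required) -eq [int]$required)

# 3. The private key's CSP name (only available for legacy CAPI keys, which is what the thread concerns).
$provider = "(no private key, or key is not held by a CAPI provider)"
try {
    if ($cert.HasPrivateKey -and ($cert.PrivateKey -is [System.Security.Cryptography.RSACryptoServiceProvider])) {
        $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
    }
} catch { $provider = "(private key not accessible: $($_.Exception.Message))" }
$cspOk = $provider -eq "Microsoft Enhanced RSA and AES Cryptographic Provider"

# 4. The chain must build to a trusted root: intermediate and root CA present in the trust stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "

[pscustomobject]@{
    Subject       = $cert.Subject
    ClientAuthEKU = [bool]$hasClientAuth
    KeyUsage      = if ($kuExt) { $kuExt.KeyUsages.ToString() } else { "(no Key Usage extension)" }
    KeyUsageOk    = [bool]$kuOk
    Csp           = $provider
    CspOk         = $cspOk
    ChainBuilds   = $chainOk
    ChainStatus   = if ($chainStatus) { $chainStatus } else { "OK" }
} | Format-List
```

Run it in the logged-on user's session so that Cert:\CurrentUser\My is the same store the wifi profile uses; a ChainBuilds value of False with a status such as PartialChain points at the missing intermediate or root CA the reply above suspects.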