Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

WIFI Certificate EAP-TLS Authentication - Windows 8

We have setup Wireless certificate authentication using ACS 5.3. It uses a stand alone certificate chain and all certificates were installed and correctly setup on the ACS. We have rules setup that look for a specific common name in the User personal certificate(not AD). When  we deploy the certificates to a Windows 7 client and connect to the specified SSID, it connects successfully and the log states that it authenticated using the Common name of the certificate using X509_PKI.

We have problems when the same certificates are deployed to a Windows 8 client, as it then states that the connection failed using EAP-TLS authentication Method. The error says "12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain", but how can this be when we are setting up the windows 8 client in exactly the same way as the windows 7 client, certificates and wifi profiles match exactly.

Any advice?

7 REPLIES

Hi,what is your WLC version?

Hi,

what is your WLC version? what is your AP model?

Are you using default windows 8 wireless supplicant?

Maybe the issue is with the supplicant. please try using cisco anyconnect NAM to connect to wireless and let me know if it shows same issue.

 

 

Rating useful replies is more useful than saying "Thank you"
New Member

Hi, I tried the anyconnect

Hi,

 

I tried the anyconnect NAM, but no joy. I got the same error. i'm not sure what relevance the version and model of the WLc and AP has to do with it. The connection gets all the way through to the Cisco ACS and its there where the error is occuring. The ACS handles the authentication with the certificates and the ACS is rejecting the client due to an unsupported certificate in the client chain. I must stress that this works fine with Windows 7 clients.

Hi,wlc may not be relevant.

Hi,

wlc may not be relevant. just to check if any known bugs that may be related from WLC side.

Now, there is probably a difference between windows7 and windows8 machines that we need to find. this difference is making something missing in windows8 so auth fails.

- How do you provision the certs to windows7 and windows8 machines?

- Do windows 7 and windows 8 machines both have same CA certificat in the certificate chain in their trust list? (you know that the machine should trust intermediate and root CAs of the cert. otherwise the auth fails). I would suspect that by default windows8 comes with one intermediate and/or root CA cert missing. please check and let us know.

 

Regards,

 

Amjad

Rating useful replies is more useful than saying "Thank you"
New Member

Does it work using another

Does it work using another method like PEAP?

How are you generating your certificate, openssl or your ca?

 

New Member

I have found the fix for this

I have found the fix for this - 

All the advice on how to setup certificates for Wireless authentication, whether that was Cisco, Juniper, etc,  all stated that the client certificate only needed Client Authetication OID. Whilst this worked in Windows 7, this does not work in Windows 8. Windows 8 requires that the client certificate has both Server and Client Authentication OID's. When i did this, my Windows 8 clients began to connect.

New Member

Sorry need to correct the

Sorry need to correct the solution for this - It wasn't to do with the Enhanced Key Usage (OID), it can just be set to "Client Authentication"

The problem was the CSP type that was being used - It must be set to "Microsoft Enhanced RSA and AES Cryptographic Provider" This will include the additional key usage elements: Digital Signature, Non-repudiation, Key Encipherment, Data Encipherment

 

 

New Member

I had a very similar issue

I had a very similar issue and this creating the certificate with "Microsoft Enhanced RSA and AES Cryptographic Provider" resolved my issue as well.

2718
Views
5
Helpful
7
Replies
CreatePlease to create content