EAP-TLS - 802.1x - Certificate renewal

rayborg
Level 1

Hello

I want to implement EAP-TLS as realised in the document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything works fine.

However, our customer wants to firewall the Data WLAN/VLAN and allow only data traffic between the WLAN client and the terminal server within his secure LAN.

By blocking all other traffic (except Terminal Server sessions) we experienced that the MS WinXP client cannot renew its EAP-TLS certificate (in this case both user and machine) when it expires.

Could somebody give me a hint whether there are other Cisco solutions for this issue?

I have also read something about Cisco Virtual Office. Does this deployment help to solve this issue?

4 Replies

Johannes Luther
Level 4

I guess it's more a Microsoft issue. I guess you login to a Domain on the client. If you block everything between the client and the LAN (except the TS session), the client won't be able to establish a Domain connection. I guess the login is still working because of cached credentials on the client. I guess the FW between client and Windows Domain Controllers has to be a little bit more open.

Thanks Johannes for your prompt reaction.

You're right. It is actually an MS issue, but what I needed to know is whether there is some sort of Cisco solution to work around this issue. For example, some sort of agent which could issue the certificate in the unsecure WLANs. What about the Secure ACS Agent? I could not find any information on whether this could play the role of a sub-CA.

The purpose of the Cisco ACS agent is that the ACS 4.x appliance (non-Windows 2003 server) is capable of doing Windows user authentication. I guess that won't help your issue.

What I don't get is the following:

Are you using WPA2 (AES) as encryption? Then the WLAN is not considered unsecure over the air.

The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP-type (like PEAP).
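What "open the FW for the needed MS services" amounts to on a Cisco IOS device, as an added example that is not part of this thread: an extended ACL on the Data WLAN interface that keeps the terminal-server-only policy for business traffic but additionally admits the Windows domain and certificate-enrollment services a domain-joined XP client needs to renew its machine and user certificates. All addresses, the VLAN number and the RPC port range are assumptions, marked in the remarks; the port numbers are the Windows defaults for these services.

```cisco
! Added example, not from the thread or the referenced Cisco document.
! Assumed addressing:
!   10.10.20.0/24  WLAN client subnet (Data VLAN 20)
!   10.10.1.10     domain controller, also DNS and NTP source
!   10.10.1.11     enterprise CA (Windows 2003)
!   10.10.1.20     terminal server
ip access-list extended WLAN-DATA-IN
 remark --- DHCP to the relay / DHCP server
 permit udp any eq bootpc any eq bootps
 remark --- existing business traffic: terminal server sessions only
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.20 eq 3389
 remark --- name resolution, time and Kerberos (88) / kpasswd (464) to the DC
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 53
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 53
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 123
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 88
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 88
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 464
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 464
 remark --- LDAP / LDAPS / global catalog: the client looks up the CA and the
 remark --- certificate templates in AD before it enrolls; SMB for SYSVOL and GPO
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 389
 permit udp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 389
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 636
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 3268
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 445
 remark --- RPC endpoint mapper plus the dynamic RPC range, to the DC (Netlogon,
 remark --- secure channel) and to the CA (an XP client enrolls over DCOM).
 remark --- 1025-5000 is the Windows 2003 default range; it is an assumption
 remark --- that it has not been narrowed in the registry on those servers.
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 eq 135
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.10 range 1025 5000
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.11 eq 135
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.1.11 range 1025 5000
 remark --- everything else from the WLAN is dropped and logged
 deny   ip any any log
!
interface Vlan20
 description Data WLAN
 ip access-group WLAN-DATA-IN in
```

Two points a practitioner would check before deploying this. First, the EAP-TLS authentication itself is unaffected by this ACL: the EAP exchange is carried by the AP/WLC to ACS before the client has an IP address on the Data VLAN, so only enrollment and renewal cross the firewalled path. Second, the dynamic RPC range is by far the widest opening here; it can be narrowed on the DC and the CA by setting the RPC port range under HKLM\SOFTWARE\Microsoft\Rpc\Internet and then tightening the two `range 1025 5000` lines to match, and the `log` keyword on the final deny is what shows you which service you forgot if renewal still fails.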

Encryption over the air is for some people a little bit abstract and therefore risky!

So you have confirmed that this issue could only be solved through an MS solution, like placing a Read-Only Domain Controller (RODC) in the "unsecure" WLAN.

Thanks a lot for your help.
