
New Member

EAP-TLS - 802.1x - Certificate renewal


I want to implement EAP-TLS as realised in the document "EAP-TLS under Unified Wireless Network with ACS 4.0 and Windows 2003". Everything works fine.

Though our customer wants to FW the Data WLAN/VLAN and allow only data traffic between the WLAN client and the terminal server within his secure LAN.

By blocking all other traffic (except Terminal Server sessions) we experienced that the MS WinXP client cannot renew its EAP-TLS certificate (in this case both user and machine) when it expires.

Could somebody give me a hint whether there are other Cisco solutions for this issue?

I have also read something about Cisco Virtual Office. Does this deployment help to solve this issue?


Re: EAP-TLS - 802.1x - Certificate renewal

I guess it's more a Microsoft issue. I guess you login to a Domain on the client. If you block everything between the client and the LAN (except the TS session), the client won't be able to establish a Domain connection. I guess the login is still working because of cached credentials on the client. I guess the FW between client and Windows Domain Controllers has to be a little bit more open.

New Member

Re: EAP-TLS - 802.1x - Certificate renewal

Thanks, johannes, for your prompt reaction.

You're right. It is actually an MS issue, but what I needed to know is whether there is some sort of Cisco solution to work around this issue. For example, some sort of agent which could issue the certificate in the unsecure WLANs. What about the Secure ACS Agent? I could not find any information on whether this could play the role of a sub-CA.

Re: EAP-TLS - 802.1x - Certificate renewal

The purpose of the Cisco ACS agent is that the ACS 4.x appliance (a non-Windows 2003 server) is capable of doing Windows user authentication. I guess that won't help your issue.

What I don't get is the following:

Are you using WPA2 (AES) as encryption? Then the WLAN is not considered unsecure over the air.

The CA enrollment is a pure Windows issue. I haven't heard of Cisco mechanisms to cover that case. The only way I see is to open the FW for the needed MS services or to use another EAP type (like PEAP).
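As an added example (not posted by anyone in this thread), this is what "opening the FW for the needed MS services" looks like as a Cisco IOS extended ACL on the Data WLAN interface. It keeps the customer's intent (only Terminal Server sessions as application traffic) but additionally permits the domain and certificate-services traffic an XP client needs for logon, Group Policy and certificate autoenrollment. All addresses are constructed placeholders: 192.0.2.0/24 is the Data WLAN, 198.51.100.10 the domain controller (also DNS/NTP), 198.51.100.20 the Windows 2003 enterprise CA, 198.51.100.30 the terminal server.

```cisco
! Constructed example; replace the placeholder addresses with your own.
ip access-list extended DATA-WLAN-IN
 remark --- Terminal Server sessions: the only application traffic wanted ---
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.30 eq 3389
 remark --- Name resolution and time (Kerberos needs the clock in sync) ---
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 53
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 53
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 123
 remark --- Kerberos authentication and password change ---
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 88
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 88
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 464
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 464
 remark --- LDAP / Global Catalog (DC locator, cert templates in AD) ---
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 389
 permit udp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 389
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 636
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 3268
 remark --- SMB to SYSVOL: Group Policy, which triggers autoenrollment ---
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 445
 remark --- RPC endpoint mapper + dynamic RPC: the client submits the
 remark --- certificate request to the CA over DCOM (Win2003 default range)
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 eq 135
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.10 range 1025 5000
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.20 eq 135
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.20 range 1025 5000
 remark --- Everything else from the Data WLAN is dropped and logged ---
 deny   ip any any log
!
interface Vlan10
 description Data WLAN (placeholder interface)
 ip access-group DATA-WLAN-IN in
```

The RPC lines are the uncomfortable part: certificate requests to a Windows 2003 CA go over DCOM, so the endpoint mapper plus a dynamic high-port range has to be reachable on the CA (and on the DC for some logon-time RPC). Windows lets you pin the dynamic RPC range on those servers to a handful of ports, which is the usual way to shrink the `range 1025 5000` lines before putting this into production; the `log` keyword on the final deny is what tells you which service you forgot when a client still fails to renew.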

New Member

Re: EAP-TLS - 802.1x - Certificate renewal

Encryption over the air is for some people a little bit abstract and therefore risky!

So you have confirmed that this issue can only be solved through an MS solution, such as placing a read-only domain controller (RODC) in the "unsecure" WLAN.

Thanks a lot for your help.
