topic Re: Does ACS 4.2 support IPSec template certificates? in Network Access Control

Does ACS 4.2 support IPSec template certificates?

aleary — Mon, 11 Mar 2019 00:34:11 GMT

I have ACS 4.2 124.12 cumulative patches installed. I have enable EAP-FAST in ACS. The CA is selected in the trusted list. When I try to authenticate with the ACS I get a rejection. Wireshark shows in the challenge that this is a 'unsupported Certificate'.

In the AUTH.log I get the following where the failure occurs:

AUTH 11/04/2010 12:01:44 I 0000 46564 0x95 CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate B

AUTH 11/04/2010 12:01:44 I 2009 46564 0x95 EAP: EAP-FAST: Handshake failed

AUTH 11/04/2010 12:01:44 E 2255 46564 0x95 EAP: EAP-FAST: ProcessResponse: SSL send alert fatal:unsupported certificate

AUTH 11/04/2010 12:01:44 E 2258 46564 0x95 EAP: EAP-FAST: ProcessResponse: SSL ext error reason: b2 (Ext error code = 0)

AUTH 11/04/2010 12:01:44 E 2297 46564 0x95 EAP: EAP-FAST: ProcessResponse(1519): mapped SSL error code (3) to -2120

The certificate template is IPSec (Offline request) (IPSECIntermediateOffline). Is there some configuration that I am not aware of?

Andy

Re: Does ACS 4.2 support IPSec template certificates?

aneelaka — Fri, 12 Nov 2010 01:25:52 GMT

As it reporting error on client certifcate, Check the client cert, client cert must
have the following: EKU = Client Authentication, KU = Digital signature,
Key Encipherment and Data encipherment.

Re: Does ACS 4.2 support IPSec template certificates?

aleary — Fri, 12 Nov 2010 01:47:43 GMT

This is from the certificate:

EKU = IP security IKE intermediate (1.3.6.1.5.5.8.2.2)

KU = Digital Signature, Key Encipherment (a0)

Do you know how to ensure that the EKU is Client Authentication and KU is Digital signature,
Key Encipherment and Data encipherment. I don't see in the software that is generating the certReq anything about specifying the type of certificate that is needed.

Do you know how the Windows Server 2003 CA determines what certificate template to use when returning a certificate?

Re: Does ACS 4.2 support IPSec template certificates?

aneelaka — Fri, 12 Nov 2010 02:30:06 GMT

Check the

EKU : http://tinyurl.com/2dakmaw

KU = http://tinyurl.com/2aqjecq

On the below URL refer to the

6.4.1 Obtaining the Client-Side Certificate

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml

Re: Does ACS 4.2 support IPSec template certificates?

pnavratil — Mon, 11 Apr 2011 14:16:50 GMT

Hi Anthony,

did you find any solution for this issue? As I am now in exatly the same situation.

Thank you

Pavel

Re: Does ACS 4.2 support IPSec template certificates?

aleary — Wed, 13 Apr 2011 16:35:06 GMT

Pavel,

After working with Albert Sun and Igal Katz we found that IOS does not support EKU - extended Key Usage where types of certificate can be specified. So in the cert request, we won't specify any EKU. For EKU aware CA, like ACS or MS CA, it considers it as IPSEC certificate request.

There is an enhancement by the PKI team to add support for EKU (Enhanced Key Usage). Not sure of the official enhancement name (EKU for IOS). This enhancement has to be implemented before we can externally authenticate LSC certificates.

Andy