topic ACS 5.3 with intermediate certificate in Network Access Control

ACS 5.3 with intermediate certificate

ROBERTO GIANA — Mon, 11 Mar 2019 04:51:04 GMT

Is there a way to provide all the necessary intermediate certificates to an ACS v5.3 so that it can provide the full chain to the client during a 802.1x PEAP authentication?

Already tried to install the EAP certificate with the chain and also installed the issuing CA as trusted root. I know that installing it as trusted root shouldn't have any effect but that's the way how Cisco solved it on the ASA platforms.

Hi,ACS will never supply

edwardcollins7 — Thu, 03 Jul 2014 19:25:00 GMT

Hi,

ACS will never supply certificates to clients on a PEAP certificate challenege.

It will only propose the ACS certificate for verification (not for install).

The client should have the intermediate and root installed beforehand to make this work.

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

Hi EdIf you get a certificate

ROBERTO GIANA — Mon, 07 Jul 2014 13:54:51 GMT

Hi Ed

If you get a certificate e.g. from Verisign it will be issued from a subordinate and not from the root itself. So if you want to do PEAP-MS-CHAP with an unmanaged client who has only the root certificates installed and is configured to verify the server certificate during the PEAP TLS tunnel establishment you will need to provide the whole cert chain to the client, so it can establish the trust link up to the root. So there must be a way of providing the whole chain. Otherwise the ACS is useless for authentication with unmanaged clients who verify the server certificate.

Kind regards

Roberto

Unfortunately, any radius

edwardcollins7 — Mon, 07 Jul 2014 17:58:19 GMT

Unfortunately, any radius server (not just the ACS) will be not be able to supply the certificate (intermediate or root) for installation to the client during the PEAP tunnel process as that is not as per RFC.

There is some additional feature to facilitate this on Cisco ISE, but only an ISE expert can comment on that.

Could you elaborate, on unmanaged client?

What type of client would this be, is this a BYOD environment?

Rate if Useful 🙂

Sharing knowledge makes you Immortal.

Regards,

Hi EdIt's not about

ROBERTO GIANA — Wed, 09 Jul 2014 14:22:41 GMT

Hi Ed

It's not about INSTALLING a certificate. It's about providing the whole chain during authentication so that the client can establish itself the link to the responsible root. As any well managed webserver should do who runs on HTTPS.

Here the wireshark example of a TLS tunnel to https://supportforums.cisco.com/

And we need the ACS to behave the same during the establishment of the TLS tunnel during a PEAP authentication.

Regards

Roberto

Roberto,Do you have a capture

edwardcollins7 — Tue, 15 Jul 2014 00:06:03 GMT

Roberto,

Do you have a capture with ACS?

If not, I will test it out.

Regards

Hi EdUnfortunately I don't

ROBERTO GIANA — Tue, 15 Jul 2014 13:58:52 GMT

Hi Ed

Unfortunately I don't have a capture, as I don't have access to the network infrastructure between the ACS and the WLC. And Wireshark doesn't capture the PEAP authentication on my wireless NIC during the connection phase.

If you can give it a try it would be great. But from my current tests the ACS doesn't seem to do that, as the clients without the intermediates refuse to talk to the "RADIUS server", as they can't verify it's identity against a trusted root. With the intermediate cert locally installed they work well and trust the "RADIUS Server".

Regards

Roberto

The ICA will be only provided

regumbala — Thu, 16 Oct 2014 08:52:02 GMT

The ICA will be only provided if the ICA is added to the CA list under:

Users and Identity Stores --> Certificate Authorities

After that the correct cert chain will be present in the PEAP process.