05-01-2011 02:55 AM - edited 03-10-2019 06:02 PM
Hi All,
Can anyone suggest a test command to verify EAP-TLS authentication for wireless on Cisco WAPs?
If it is a LEAP authentication, we can use the below command to test the connection:
Testwap-01#test aaa group radius xyzabc@abc.com o4&yJ)NoL$%0 new-code
Trying to authenticate with Servergroup radius
User successfully authenticated
But EAP-TLS doesn't come with a password; it only asks for the username.
We are trying it for a remote location, so we have to test it remotely before putting it into production.
So can anyone please help with this, if there is any test command or debug command to test this authentication?
05-01-2011 10:28 PM
EAP-TLS requires a client certificate. How would you have an easy command to test that without loading any certificate on the router/switch? There is none. That's why EAP-TLS is not considered an easy EAP method to deploy: it can go wrong on several levels.
The test aaa command does a PAP authentication, so it tests basic RADIUS connectivity and username/password.
If that works, the only thing that can break for EAP-TLS is certificates, so only the RADIUS server will be able to tell you if something goes wrong.
05-03-2011 07:01 PM
Yeah. Nicholas that makes sense.
We cannot test it in a simple way from the Access Point.
I have one more query please help me on this if you have a clue on this.
We have the Win 3.2 ACS set up in the production environment, and we are migrating it to the 4.2 Appliance version. We have successfully migrated the database and other things from 3.2 to 4.2. In the same way we have exported the certificates from 3.2 to 4.2 and installed them.
We have LEAP as well as EAP-TLS in the authentication part.
We were able to test successfully with LEAP. But when it comes to EAP-TLS, the 4.2 version is throwing this error:
5/3/2011 | 23:16:38 | Authen failed | nkarthikeyan@abc.com | EAP-TLS users | 0023.1413.de18 | (Default) | EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake | 21356 | 10.121.198.38 | 13 | EAP-TLS | ap-1242b4 | Bangalore APs |
We have used the same certificate exported and installed in the 4.2 version. But it is working in the existing 3.2 version, so why is it not working with the 4.2 version?
Could anyone help me out in this?
Regards
Karthik
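One way to act on Nicholas's point that only the RADIUS server can tell you why EAP-TLS fails is to read the ACS "Failed Attempts" records like the one Karthik quoted and separate certificate-trust failures from plain credential failures. This is an added example, not code from any post in this thread: the column names are an assumption inferred from that single quoted line, and the two extra records are constructed.

```python
from collections import Counter

# Constructed sample of pipe-delimited ACS 4.x "Failed Attempts" records.
# The first line is the one quoted in the thread; the other two are made up.
SAMPLE_LOG = """\
5/3/2011 | 23:16:38 | Authen failed | nkarthikeyan@abc.com | EAP-TLS users | 0023.1413.de18 | (Default) | EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake | 21356 | 10.121.198.38 | 13 | EAP-TLS | ap-1242b4 | Bangalore APs |
5/3/2011 | 23:17:02 | Authen failed | user2@abc.com | LEAP users | 0023.1413.aa01 | (Default) | CS password invalid | 21357 | 10.121.198.38 | 17 | LEAP | ap-1242b4 | Bangalore APs |
5/3/2011 | 23:18:45 | Authen failed | user3@abc.com | EAP-TLS users | 0023.1413.bb02 | (Default) | EAP-TLS or PEAP authentication failed during SSL handshake | 21358 | 10.121.198.40 | 13 | EAP-TLS | ap-1242c7 | Bangalore APs |
"""

# Assumed column order, inferred from the quoted line (not the official ACS header).
FIELDS = ["date", "time", "message_type", "user", "group", "caller_id", "nap",
          "failure_code", "nas_port", "nas_ip", "eap_type", "eap_type_name",
          "access_device", "ndg"]


def parse_record(line):
    """Split one record into a dict keyed by FIELDS; return None on a malformed line."""
    parts = [p.strip() for p in line.strip().split("|")]
    if parts and parts[-1] == "":      # drop the empty field after the trailing '|'
        parts.pop()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(record):
    """Map the ACS failure text to a coarse cause so trust-store problems stand out."""
    code = record["failure_code"].lower()
    if "unknown ca certificate" in code:
        return "ca-trust"      # server does not trust the issuer of the client cert
    if "ssl handshake" in code or "certificate" in code:
        return "tls-other"     # TLS failed for a reason other than an unknown CA
    if "password" in code or "invalid" in code:
        return "credential"    # PAP/LEAP style failure: wrong username or password
    return "other"


def summarize(log_text):
    """Count failures by cause overall and per access device (AP)."""
    overall, per_device = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        kind = classify(rec)
        overall[kind] += 1
        per_device.setdefault(rec["access_device"], Counter())[kind] += 1
    return overall, per_device


if __name__ == "__main__":
    totals, by_ap = summarize(SAMPLE_LOG)
    print(totals)
    print(by_ap)
```

A burst of "ca-trust" failures right after the migration, while "credential" failures stay flat, points at the CA certificate missing from the new appliance's trust list rather than at the clients.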
05-03-2011 07:33 PM
Hi,
How did you migrate the database? Did you do a database restore? If yes, then the certs should also be imported.
Also ensure that the CA cert is installed and trusted in the trust list.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
05-03-2011 09:23 PM
Anisha,
We have upgraded the Win 3.2 backup to the Win 4.2 version using the trial version of the 3.2 software and uploaded it to the 4.2.15 Appliance version.
All the other things are working fine.
We have also migrated the LEAP authentication, and LEAP is working fine with the restored database. But EAP-TLS is not working in this case.
When we restored, the certificates were not imported automatically; we did it manually. Let me cross-verify once and come back to you.