ACS 5.1 802.1x EAP-TLS Machine certificate Authetication

goudier2001
Level 1

Looking for the steps to configure wired clients using certificate authentication only

- i.e., once a certificate is presented to the ACS that is issued by a trusted CA, the connection is permitted.

No need to tell me about switch configuration. This is sorted.

3 Replies

jrabinow
Level 7

I am assuming you have the default configuration as at installation time and will use "Default Network Access" access service for this. This access service already allows EAP-TLS. Steps are then as follows:

1) Access Policies > Access Services > Default Network Access > Identity

Select default rule. Select Identity Source and "CN Username" (description) Predefined Certificate Authentication Profile as source

2) Go to Users and Identity Stores > Certificate Authorities and add the CA you are planning to use

You should now be good to go

Try the authentications; if they fail, go to: Monitoring and Reports > Launch Monitoring & Report Viewer. Select "Authentications - RADIUS - Today" and view details for any failures

This is from the Report viewer - seems to be failing at the identity store for some reason. Any ideas?

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - 802.1x
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received.
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12502 Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12809 Prepared TLS CertificateRequest message.
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
12811 Extracted TLS Certificate message containing client certificate.
12812 Extracted TLS ClientKeyExchange message.
12813 Extracted TLS CertificateVerify message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12509 EAP-TLS full handshake finished successfully
12505 Prepared EAP-Request with another EAP-TLS challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12504 Extracted EAP-Response containing EAP-TLS challenge-response
Evaluating Identity Policy
15004 Matched rule
24432 Looking up user in Active Directory - Goudie, Richard
24412 User not found in Active Directory
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
12507 EAP-TLS authentication failed
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Richard,

Under your certificate authorization profile which attribute is ACS pointing to for the "Principal Username X509 Attribute:"? You will have to look at your identity cert and see if the correct username is in the email address or the Subject Alternative Name Attribute and then point this profile to use that username.

thanks,

Tarik