08-20-2012 10:41 PM - edited 03-10-2019 07:26 PM
Hi,
I have a
I have set up the wireless controller to do RADIUS authentication with the ACS 5.1 using LDAP. The setup is currently working; brief info below on the setup.
I set up the PC client to use WPA2-Enterprise AES and authentication method Cisco PEAP. When I connect to the SSID this prompts for a username and password. I enter my AD details, the ACS with the LDAP connection authenticates me, and onto the network I go.
Now I want to add machine authentication with CERTIFICATES; each laptop and PC in our network has CA certificates installed.
Can someone please explain a way I can add these certificates into the ACS 5.1? I pretty much want to import them into the ACS. Once they are imported, I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions allow the workstation onto the network.
So it will be a two-form authentication, one with certificates and the other with LDAP.
Can anyone help me out with the certificate aspect, to incorporate this into my already working LDAP setup?
08-21-2012 03:39 PM
Edgardo,
You will need the anyconnect supplicant in order to set certificate authentication (eap-tls) for machines for example. And then set the user authentication via password (peap). Current windows supplicants (native supplicants) do not allow this flexibility.
To create eap-tls authentication on the radius side, all you need is the chain that is used to sign the machine or user cert. For example, if the certificate path is: user, intermediate, root, you will have to upload the intermediate and root and set them to trust for eap-tls authentication:
here is more information -
Thanks,
Tarik Admani
*Please rate helpful posts*
08-22-2012 12:46 AM
Hi Tarik,
Would you recommend using the EAP-TLS authentication method with the LDAP setup on the ACS or the Active Directory setup on the ACS?
I found this document online and was going to follow it to try to have Active Directory user authentication and certificate-based authentication. But this setup is with Active Directory set up in the ACS, as LDAP doesn't support MS-CHAP in ACS.
http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
Would this be the ideal setup? It has auto-enrollment of the clients, so it would check that the user logged into the PC is currently in AD, and that the machine has the certificates required.
Also, is the supplicant standard on a Windows 7 box?
Any thoughts?
08-22-2012 02:39 AM
I suggest using the AD setup since it's easier to configure; you can use the GUI options to search for groups and build policies.
With LDAP you only have the option of adding two LDAP servers per instance; with AD you have the entire domain.
If this is a new setup please consider upgrading to 5.3 with the latest patch. Cisco has worked hard in making the ACS to AD integration resilient and it's good to stay up to date.
Windows 7 has the native supplicant but you may need to turn on the services (wireless zero and wired autoconfig).
Hope that helps,
Sent from Cisco Technical Support iPad App
08-27-2012 07:21 PM
Hi Tarik,
Thanks for the information, I will be trying to implement an AD setup. Are you able to recommend the upgrade path I should take to reach ACS 5.3?
My current version is
Cisco Secure ACS
Version : 5.1.0.44.3
I am using the ACS appliance and I wouldn't want to revert back in case I did the upgrade incorrectly.
08-27-2012 08:05 PM
I would recommend the following path documented in the upgrade notes (make sure you install the latest patch on 5.1).
Thanks,
Tarik Admani
*Please rate helpful posts*
08-29-2012 12:49 AM
Hi Tarik,
I have now upgraded my ACS to the latest version
Cisco Secure ACS
Version : 5.3.0.40.6
I have been given 3 certificates from the server and systems team, and I have imported all 3 of these certificates to
Users and Identity Stores > | ... > | Certificate Authorities |
I am using Cisco PEAP on the Windows 7 supplicant, security type WPA2-Enterprise AES. I validate the server certificate and select my company's certificate in the trusted root certificate authority field.
I then connect to my wireless network; it prompts for username and password......... it accesses my LDAP setup on the ACS using GTC, which I still currently have in place, and allows me to connect. Each time I connect it comes up asking whether I trust the ACS certificate, which is stored here
System Administration > | ... > | Configuration > | Local Server Certificates > | Local Certificates |
and lets the client connect.
I want the client to only connect if it trusts the company domain certificate, not the local ACS certificate that came with the server.
Are you able to help with instructions on what I am meant to do? Because I am lost........ ideally I would like it to use the certificates that I put here
Users and Identity Stores > | ... > | Certificate Authorities |
Happy to take this convo offline; I'd really appreciate some help.
thanks
08-29-2012 06:36 PM
Edgardo,
The ACS will need to be signed by a CA for the clients to trust the cert without flagging the user. Since you are using eap-tls for machine auth, you need a signed cert mapped to the eap interface.
With that said, for the ACS to trust the machine certificates you need to import these certs into another section:
Make sure you create a certificate authentication profile and that it is mapped to the correct access policy.
In the end your admins are right: all you need is the intermediate and root certs imported in the section that you mentioned. If you only have a self-signed certificate for the ACS then you need to get this fixed in order to help move things along from the client's perspective; it will not trust the ACS certificate for the eap-tls handshake (if ACS has a self-signed cert and you have "validate server certificate" enabled on the supplicant).
Tarik Admani
*Please rate helpful posts*
08-29-2012 06:51 PM
Hi Tarik,
Thanks for that information. I am trying to remove the local ACS certificate that I generated by accident a while ago, as this is not needed and it might be conflicting. When I try to remove the certificate I get this error.
This System Failure occurred: Certificate is associated with a protocol. Hence it cannot be deleted.. Your changes have not been save. Click OK to return to the list page.
Is it OK to leave this certificate or should I be removing it? I don't want this to clash with the intermediate and root certs that I have imported.
08-29-2012 07:51 PM
If you are trying to remove the ACS local certificate you will not succeed if this is the only certificate installed. If you have the correct certificate present, then make sure the cert you want to keep is used for both the eap and https interfaces, and then this will let you delete the certificate.
If this is your only certificate then you will have to generate another CSR and submit it to your CA for them to sign it and have them revoke the old one.
I hope this helps.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-17-2012 08:39 PM
Hi Tarik,
I am very close to completing this project but I have run into a hurdle; can you help me out?
I have sent this document to my CA team (ACS cert setup for EAP export cert and installation.pdf)
The only problem is that this document says to select the template ACS using your 2003 server. We aren't running 2003 server, we are running 2008 R2 server, and this doesn't have the option to select the ACS template.
Is there any way we can import this template into the 2008 R2 server?
any help would be great
09-17-2012 11:25 PM
Hi Edgardo
I also encountered the same sort of issue while integrating ACS 4.2 with AD (Active Directory) on the Win 2008 R2 platform. I lowered the functional level of AD from WIN 2008 R2 to WIN 2003 and the integration was smooth.
This workaround worked in my scenario.
Below mentioned link can give you more insight of the functional levels.
http://technet.microsoft.com/en-us/library/cc787290%28v=ws.10%29.aspx
You may have a look at the information available and you can decide course of action for your scenario.
09-18-2012 12:20 PM
Edguardo,
Just use a web certificate template and that will work fine. Here are guidelines for the template you need for authenticating clients to the network:
Please look at section 5.2.2
thanks,
Tarik Admani
*Please rate helpful posts*
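Two of Tarik's points above can be checked with openssl before anything is uploaded to ACS: the machine certificate has to chain to the intermediate and root that you import as trusted CAs, and the template it was issued from has to mark it for client authentication. The script below is an added example, not from this thread or from Cisco. It builds a throw-away root CA, issuing CA and two workstation certificates with made-up names (Example Corp, laptop01.corp.example, laptop02.corp.example), then runs the same chain and purpose check ACS would make. The file names, subjects and the extension sections in ext.cnf are all assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example: build root -> issuing CA -> machine cert with openssl and
# verify what the RADIUS server needs for EAP-TLS machine authentication.
# Every name and path here is made up for the demo.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
EXT="$WORK/ext.cnf"

# Extension profiles standing in for CA templates: 'machine' is what a
# workstation template must issue (Client Authentication EKU), 'web' is a
# server-only template, included to show it is rejected for client use.
cat > "$EXT" <<'EOF'
[rootca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash

[ca]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always

[machine]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=DNS:laptop01.corp.example

[web]
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
EOF

# csr NAME SUBJECT: fresh RSA key plus CSR in $WORK.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Root CA: self-signed from its own CSR.
csr root "/CN=Example Corp Root CA"
openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" \
  -signkey "$WORK/root.key" -extfile "$EXT" -extensions rootca \
  -out "$WORK/root.pem" 2>/dev/null

# issue NAME ISSUER SECTION SUBJECT: CSR signed by ISSUER with the SECTION extensions.
issue() {
  csr "$1" "$4"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$EXT" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}

issue int     root "ca"      "/CN=Example Corp Issuing CA"
issue machine int  "machine" "/CN=laptop01.corp.example"
issue webonly int  "web"     "/CN=laptop02.corp.example"   # wrong template

# verify_machine_cert CERT ROOT [INTERMEDIATE...]
# Succeeds only if CERT chains to ROOT through the listed intermediates and is
# usable as a TLS client cert, which is the check ACS makes against its
# trusted CA store during the EAP-TLS handshake.
verify_machine_cert() {
  local cert="$1" root="$2" out; shift 2
  local args=()
  for ca in "$@"; do args+=(-untrusted "$ca"); done
  out="$(openssl verify -CAfile "$root" ${args[@]+"${args[@]}"} \
          -purpose sslclient "$cert" 2>&1 || true)"
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# has_client_auth_eku CERT: true if the Client Authentication EKU is present.
has_client_auth_eku() {
  local out
  out="$(openssl x509 -in "$1" -noout -text 2>/dev/null || true)"
  case "$out" in *"TLS Web Client Authentication"*) return 0 ;; *) return 1 ;; esac
}

if verify_machine_cert "$WORK/machine.pem" "$WORK/root.pem" "$WORK/int.pem"; then
  echo "machine.pem chains to the root via the intermediate: OK"
fi
if ! verify_machine_cert "$WORK/machine.pem" "$WORK/root.pem"; then
  echo "root alone is not enough: the intermediate must be imported too"
fi
if ! verify_machine_cert "$WORK/webonly.pem" "$WORK/root.pem" "$WORK/int.pem"; then
  echo "webonly.pem was issued from a server-only template: rejected for client use"
fi
```

To run the same check on real files, call verify_machine_cert with the exported machine certificate, the root and the issuing CA in PEM form (a DER .cer from Windows converts with `openssl x509 -inform der -in file.cer -out file.pem`). The second call, with the root alone, fails the way ACS fails when only the root has been imported; the third fails the way a certificate from a web server template fails for machine authentication.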
09-18-2012 06:23 PM
Hi Tarik and Anim,
Anim, thank you for that information about functional levels, I am still looking into that.
Tarik, are you sure it's section 5.2.2? I have looked all over and didn't find anything relevant. Can you copy and paste the first few lines and I will do a search on the link?
Thanks for your help guys
09-18-2012 07:25 PM
Hi Edgardo,
Kindly have a look at the below mentioned link. It might be helpful for you in case of issue related to certificates.
Regards
Anim Saxena
*kindly rate helpful posts*