12-01-2010 12:56 AM - edited 03-10-2019 05:37 PM
Hello,
I'm a newbie with ACS equipment; I'm trying to implement it to secure our WiFi environment.
One WiFi SSID is broadcast on a site, and I would like to authenticate WiFi clients through machine certificates.
The big deal is that some client computers belong to an AD (AD1) that has its own CA (CA1). Other client computers belong to another AD (AD2) that also has its own CA (CA2). (There is no relation between the two CAs.)
So computer1 has a machine certificate from CA1 and computer2 has a machine certificate from CA2.
I have imported the root certificates from both CAs into the "certificate authorities" store of the ACS.
I have generated certificate signing requests, one for each CA. Then I have bound the CA-signed certificates.
After configuring the access services (identity, authorization...) and so on, I have the following issue:
- Computers with a certificate from CA1 can connect without any problem.
- Computers with a certificate from CA2 can NOT connect:
- After investigation: the client computer does not trust the ACS server and rejects the connection
- Error returned:
- (If I get rid of the option "verify server identity" in the WiFi options of the client, the computer can connect, but this option is not acceptable)
- It seems that the ACS sends only its certificate signed by CA1
The questions are:
1- How can I configure the ACS to send the right certificate, signed by the right CA, corresponding to the computer that is attempting to authenticate?
2- I could see in the documentation:
"For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
--> Does it mean that we can only configure one local certificate to allow the ACS to authenticate to clients for all the EAP-TLS protocols used?
--> How can I choose it?
--> For the current configuration, I only have the certificate signed by the CA that is configured with "EAP: Used for EAP protocols that use SSL/TLS tunneling" (I don't know if this option has an impact on the certificate presented by the ACS when it authenticates itself to the client)
Thanks for your help and your information.
Guillaume
12-01-2010 06:22 AM
Hello Guillaume,
EAP-TLS is mutual certificate authentication, so you have to add the CA certificate as a trusted cert on ACS, but you have to create a certificate signed by your CA on ACS too so the user can trust it.
You can find the procedure and explanations of all the steps here:
12-01-2010 06:38 AM
Hi Bastien,
That is actually what I did.
The point here is that I have 2 CAs involved, with no relation between them.
So I did the operation twice, once for each CA:
-> made a certificate signing request, sent it to the CA, had it signed by the CA and then imported/bound it into the ACS
-> I have added the root CA of each CA into the ACS as well.
The point is that when a computer tries to connect, it tries to verify the ACS server identity. And the ACS server only seems to present the certificate signed by CA1.
So when a computer with a machine certificate from CA2 tries to connect, it doesn't trust the ACS server, as the ACS sent its certificate signed by CA1.
I don't know how to allow the ACS to present the right signed certificate depending on the client that tries to connect.
Then another configuration option I do not understand is:
EAP: Used for EAP protocols that use SSL/TLS tunneling --> in local certificate, when you add a local certificate to the ACS
I do not understand what this option stands for.
Then I could see in the Cisco doc:
"For TLS related EAP protocols, a single local certificate is used to authenticate the server for all the TLS related protocol"
Does it mean that the ACS can use only one single certificate for all the TLS protocols configured in the ACS, to authenticate itself to the client?
Or can the ACS use a different local certificate for each dedicated EAP-TLS protocol?
thx
12-01-2010 06:53 AM
Hi guillaume,
I suggest running a Wireshark capture on the client's computer so that you can be sure which certificate ACS is sending.
The ACS local certificate store holds the certs that concern the ACS server, so it's basically here that you will upload the ACS certificates signed by both of your CAs, and these are the certs ACS will use to authenticate itself to clients for EAP/HTTPS.
Anyway, I just checked the doc, and it appears that you can't have ACS configured to send more than one certificate chain to the user, so the only two options I see would be to add the CA1 cert on the clients of CA2, or have the CA1 cert signed by CA2 so CA2 users will trust it.
Hope this helps
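The trust failure described in this thread, and the two remedies listed in the reply above, can be reproduced on a workstation with nothing but the openssl command line. The script below is an added example, not code from the thread or from Cisco ACS: it creates two unrelated roots (CA1, CA2), issues an ACS server certificate from CA1, and then plays the supplicant with "verify server identity" enabled against each root. All names (CA1, CA2, acs.example.local) are made up, and the cross-sign step assumes CA2 is willing to issue a CA certificate for CA1's existing key, which is what "have the CA1 cert signed by CA2" amounts to.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco ACS). Reproduces the
# two-CA trust failure with the openssl CLI and checks both remedies:
#   A) add the CA1 root to the trust store of the CA2 machines
#   B) have CA2 cross-sign CA1, and send that cross certificate in the chain
# Needs openssl 1.1.1 or later and a POSIX shell. All names are assumed.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
# Extensions for CA certificates (root or cross-signed) and for the ACS leaf.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectKeyIdentifier = hash\n' > "$WORK/leaf.ext"

csr() {  # $1 = key file, $2 = CN, $3 = output CSR
  openssl req -new -config "$WORK/req.cnf" -key "$1" -subj "/CN=$2" -out "$3" >/dev/null 2>&1
}

# Self-signed root CA: $1 = name (used as CN and as file stem).
mk_root_ca() {
  openssl genrsa -out "$WORK/$1.key" 2048 >/dev/null 2>&1
  csr "$WORK/$1.key" "$1" "$WORK/$1.csr"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca.ext" -set_serial 1 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# ACS server certificate: $1 = issuing CA, $2 = output stem, $3 = serial.
mk_server_cert() {
  openssl genrsa -out "$WORK/$2.key" 2048 >/dev/null 2>&1
  csr "$WORK/$2.key" "acs.example.local" "$WORK/$2.csr"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -set_serial "$3" \
    -extfile "$WORK/leaf.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Cross-sign: $2 issues a CA certificate for $1's existing key and subject,
# so a chain that ends at $1 can be extended one more step, to $2.
cross_sign_ca() {  # $1 = CA being cross-signed, $2 = signing CA, $3 = serial
  csr "$WORK/$1.key" "$1" "$WORK/$1-by-$2.csr"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$1-by-$2.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -set_serial "$3" \
    -extfile "$WORK/ca.ext" -out "$WORK/$1-by-$2.pem" >/dev/null 2>&1
}

# What a supplicant does with "verify server identity" enabled: chain the
# certificate the server presented ($1), plus any extra certificates it sent
# ($2, may be empty), up to a root in the client's own store ($3).
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

setup() {
  mk_root_ca CA1
  mk_root_ca CA2
  mk_server_cert CA1 acs-by-ca1 1001
  cross_sign_ca CA1 CA2 2001
  cat "$WORK/CA1.pem" "$WORK/CA2.pem" > "$WORK/both-roots.pem"
}

# The four cases from the thread: the working machine, the failing one,
# remedy A (extra root on the client) and remedy B (cross-signed CA1).
client_ca1()              { verify_chain "$WORK/acs-by-ca1.pem" "" "$WORK/CA1.pem"; }
client_ca2()              { verify_chain "$WORK/acs-by-ca1.pem" "" "$WORK/CA2.pem"; }
client_ca2_plus_ca1_root() { verify_chain "$WORK/acs-by-ca1.pem" "" "$WORK/both-roots.pem"; }
client_ca2_cross_signed() { verify_chain "$WORK/acs-by-ca1.pem" "$WORK/CA1-by-CA2.pem" "$WORK/CA2.pem"; }

setup
echo "CA1 machine, ACS cert from CA1:                      $(client_ca1)"
echo "CA2 machine, ACS cert from CA1:                      $(client_ca2)"
echo "CA2 machine with CA1 root added to its store:        $(client_ca2_plus_ca1_root)"
echo "CA2 machine, CA1 cross-signed by CA2 sent in chain:  $(client_ca2_cross_signed)"
```

The second line is the failure in the thread: the leaf is signed by CA1, the CA2 machine has no certificate with subject CA1 anywhere it trusts, so chain building stops at the leaf. Remedy A fixes it on every CA2 client; remedy B fixes it on the server side only, because the cross certificate travels inside the TLS Certificate message and the client can then walk leaf -> CA1 (as issued by CA2) -> its own CA2 root. In the standard EAP-TLS handshake the server sends its certificate before it has seen anything from the client that says which root the client trusts, so a per-client choice of server certificate is not something the protocol gives the server to work with.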
12-01-2010 07:08 AM
Hi Bastien,
That is also what I did... using Wireshark.
And that's why I understood that the ACS does not send the right certificate to the client that tries to verify the identity of the server.
As I am also not an ACS expert, I was thinking/hoping that ACS could handle such a configuration (besides, it was sold to us by Cisco, who assured us that ACS could handle such a feature).
As I'm not an expert in ACS, I'm just thinking some configuration/optimisation could help me fix that issue.
But actually, the more time passes, the more I think I will have to go for the option you described (performing changes on the CA/client CA...)
and adding the CA1 root cert into the certificate repository of the CA2 clients (I think this solution is not acceptable either, as the only reason we got this equipment was that it was supposed to handle such a job)...