Re: eap-tls wireless machine authentication without AD

Lam Hung Chung · ‎07-21-2011

Hi all,

I'm having problems getting EAP-TLS to work when a client machine needs to connect to a WLAN (before logon)

I can make the user get a cert from my CA, login as local & connect to WLAN through EAP-TLS without any problem.

With admin account I can get windows to put user's cert into the machine store (Machine Account Personal Certificate Store),

but when it comes to a login attempt the RADIUS UserName lookS like "host/username" instead of "username" as user authenticate.

My question is that do I need to configure an Identity Store (like AD) for machine authentication on ACS or I can make use of the configuration as for user previously (on ACS for user authentication, the Identity Store is Certificate Authentication Profile --> Certificate CN value)

Clients are WinXPSP3, and I'm using CiscoACS 5.2, MS Certificate Services CA, WLC 4402, LAP 1252

Note: in my case, each user will have their own laptop so it's best if the machine is authenticated under user's name.

Thanks for your help,

Nicolas Darchis · ‎07-22-2011

The only difference between machine and user authentication is the username format and credentials used.

If ACS is capable of verifying the cert that you placed in the machine store and if the username is known as well (in case you check for it on ACS), then I don't see the problem.

Lam Hung Chung · ‎07-23-2011

Hi Nicolas,

Thanks for the answer. I'm new to ACS so I think I'll need your help on ACS as well :->

User's certificate got CN = MYNAME

When doing user authentication, ACS receive the Radius Username = MYNAME, but when

doing machine authentication, ACS got the Username = host\MYNAME. That's where the problem happens.

What I think is that if we can make ACS to ignore host\ part, then it should be OK. Do you know how can we manipulate

that radius value? If it's not possible, then is there another way to make it works?

Thanks for the help,

ibrunello · ‎07-25-2011

Assuming you're using the stock XP wifi client.

When running XPSP3, you need to set two things:

1) force one registry setting.

According to

http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps

You need to force usage of machine cert-store certificate:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"AuthMode"=dword:00000002

2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".

- show available wireless networks

- change advanced settings

- wireless networks tab

- select your SSID, and then hit the "properties" button

- select authentication tab, and then hit "properties" button

- search for your signing CA, and check the box.

I did with a not-so-simple autoIT script, using the "native wifi functions" addon.

Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.

please cross reference to

https://supportforums.cisco.com/message/3280232

for a better description of the whole setup.

Ivan

Lam Hung Chung · ‎09-06-2011

Hi,
Thanks for all the responses. I did follow all the suggestions posted, unfortunately I still couldn't make it work.

I've attached a debug log retrieve from the controller for your information.
In the machine certificate CN = CU019936NBP (machine name)

Note that if I moved the certifcate to User Store, then it's fine.

It seems to me that when the ACS send EAP request with User-Name = host/CU019936NBP, then the supplicant (my winxp sp3 host) don't understand & couldn't find the certificate with this name. Thus, it just hanged.

I'd like to sit back and take a look of the whole process in order to understand it thoroughly.
There're some questions below which I hope someone can help me to sort it out.

1. If we use AD, what's User-Name in the EAP request that ACS will send back to supplicant? (does it includes host/...)

2. If we want to get rid of the host/ part in ACS's EAP request, what should we do?
- we must have an AD for ACS authenticate it first before ACS will remove the host/ part ?
- OR can we somehow create this machine infor in local store ?

Thanks for the help.

ibrunello · ‎09-07-2011

Just a quick check.

On my XP SP3 I had to force the registry entry.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]

"AuthMode"=dword:00000002

Without such config, the XP box always FAILS to retrieve the certificate (which should be placed in machine store).

1. If everything is fine, the Subject Alternate Name attribute of the certificate should be used as login name, without the host\ prefix

2. see 1.

As far as I saw, the host prefix is used when the SSID tries to use PEAP-MSCHAP (default on Windows boxes)

You should play around with client wireless configuration.

hope this may help.

Ivan

Lam Hung Chung · ‎09-08-2011

Hi Ivan,

Thanks for the response.

- Just confirm that I did set "AuthMode"=dword:00000002.

- Can you please double confirm with me that the machine certificate content in my case should have:

Subject CN = CU019936NB AND Subject Alternative Name (SAN) = CU019936NB. At the moment, the certificate doesn't

have the SAN attribute, but as I mentioned before, if I moved the certificate from Computer Store to User Store then it works.

- For the last sentence, is that you mean if the machine uses PEAP-MSCHAP then host/ prefix will be sent. But if it uses

EAP-TLS then the host/ prefix should not there?

Thanks,