WIFI Certificate EAP-TLS Authentication - Windows 8

colinbarnard · ‎03-18-2014

We have setup Wireless certificate authentication using ACS 5.3. It uses a stand alone certificate chain and all certificates were installed and correctly setup on the ACS. We have rules setup that look for a specific common name in the User personal certificate(not AD). When we deploy the certificates to a Windows 7 client and connect to the specified SSID, it connects successfully and the log states that it authenticated using the Common name of the certificate using X509_PKI.

We have problems when the same certificates are deployed to a Windows 8 client, as it then states that the connection failed using EAP-TLS authentication Method. The error says "12519 EAP-TLS failed SSL/TLS handshake because of an unsupported certificate in the client certificate chain", but how can this be when we are setting up the windows 8 client in exactly the same way as the windows 7 client, certificates and wifi profiles match exactly.

Any advice?

Amjad Abdullah · ‎03-18-2014

Hi,

what is your WLC version? what is your AP model?

Are you using default windows 8 wireless supplicant?

Maybe the issue is with the supplicant. please try using cisco anyconnect NAM to connect to wireless and let me know if it shows same issue.

Rating useful replies is more useful than saying "Thank you"

colinbarnard · ‎03-19-2014

Hi,

I tried the anyconnect NAM, but no joy. I got the same error. i'm not sure what relevance the version and model of the WLc and AP has to do with it. The connection gets all the way through to the Cisco ACS and its there where the error is occuring. The ACS handles the authentication with the certificates and the ACS is rejecting the client due to an unsupported certificate in the client chain. I must stress that this works fine with Windows 7 clients.

Amjad Abdullah · ‎03-19-2014

Hi,

wlc may not be relevant. just to check if any known bugs that may be related from WLC side.

Now, there is probably a difference between windows7 and windows8 machines that we need to find. this difference is making something missing in windows8 so auth fails.

- How do you provision the certs to windows7 and windows8 machines?

- Do windows 7 and windows 8 machines both have same CA certificat in the certificate chain in their trust list? (you know that the machine should trust intermediate and root CAs of the cert. otherwise the auth fails). I would suspect that by default windows8 comes with one intermediate and/or root CA cert missing. please check and let us know.

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"

nigel doe · ‎03-19-2014

Does it work using another method like PEAP?

How are you generating your certificate, openssl or your ca?

colinbarnard · ‎04-14-2014

I have found the fix for this -

All the advice on how to setup certificates for Wireless authentication, whether that was Cisco, Juniper, etc, all stated that the client certificate only needed Client Authetication OID. Whilst this worked in Windows 7, this does not work in Windows 8. Windows 8 requires that the client certificate has both Server and Client Authentication OID's. When i did this, my Windows 8 clients began to connect.

colinbarnard · ‎04-28-2014

Sorry need to correct the solution for this - It wasn't to do with the Enhanced Key Usage (OID), it can just be set to "Client Authentication"

The problem was the CSP type that was being used - It must be set to "Microsoft Enhanced RSA and AES Cryptographic Provider" This will include the additional key usage elements: Digital Signature, Non-repudiation, Key Encipherment, Data Encipherment

ciscosupport99 · ‎07-15-2014

I had a very similar issue and this creating the certificate with "Microsoft Enhanced RSA and AES Cryptographic Provider" resolved my issue as well.