Re:WLC, ISE certificate authentication issue

darragh long · ‎10-14-2013

Hi Folks,

This is the setup:

Redundant pair of WLC 5508 (version 7.5.102.0)

Redundant Pair of ISE (Version 1.2.0.899)

The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)

There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.

A corporate WLAN is configured on the WLC:

L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.

This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.

The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.

I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).

The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself). I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)

Initally authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').

I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.

After I did this, I could no longer associate to the Corp WLAN.

My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.

The ISE troubleshooting tool reported no new failed or successful authentication attempts.

Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.

It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE. Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.

Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?

Thanks in advance,

Darragh

Patrick Moubarak · ‎10-14-2013

Hi,

are you trying with the same SSID or a different one?

SSID 1: WPA2 - PEAP with MSCHAPv2 (user-authentication)

SSID 2: WPA2 - EAP-TLS (computer certificate?)

Patrick

darragh long · ‎10-14-2013

Hi Patrick,

I'm using the same ssid for both.

Thanks,
Darragh

Sent from Cisco Technical Support Android App

Lonemaker · ‎10-14-2013

Hi,

I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.

Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.

If this does not work, try to import the CA into another system and export it, then import into ISE.

Regards,

CCNP R&S