10-02-2012 12:53 AM - edited 03-10-2019 07:37 PM
Hi,
I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the certificates installed on it to connect to the wireless, and then authenticate with AD and the laptop certificate to the ACS. So if a user from work brings a home laptop, it won't be able to connect, as they don't have a certificate installed on the laptop.
I have setup ACS to connect to AD.
I have added the local certificate with my company's CA
acs.blah.com | acs.blah.com | SubCA3-1 | 09:50 28.09.2012 | 09:50 28.09.2018 | EAP, Management Interface |
I create a very simple rule and then try to connect through the laptop. I select the certificate on the client and click connect. The connection works fine and I am on the network.
Authentication Summary: (table not reproduced)
I then tried a laptop I brought from home; I used my AD username and password and this also connected. This laptop doesn't have a certificate. How can I make it so only work laptops with certificates are allowed to connect to the wireless?
Any help would be great; happy to send screenshots of my setup.
Cheers
Eddy
10-03-2012 09:36 PM
Hi Eddy,
Thanks for the PM and I hope I can help you with your efforts.
First, I understand your need: you want ONLY devices that have a company certificate.
With that being said, let me take a step back and share with you a few of the basics rather than just give you the quick answer.
There are dozens of EAP types. Each EAP is a different authentication method. PEAP, LEAP, FAST, TTLS, TLS etc. are the most common EAP types used on wireless networks.
PEAP, FAST, TLS,
EAP-TLS - This is an EAP that requires BOTH server side
We can talk a lot more about this but chew on the above and the links and video below.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml
http://www.youtube.com/watch?v=Wk_bRdmsQlA
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
10-04-2012 06:30 PM
Hi George,
Thanks for your reply to my discussion. We had an external company come in to install the WLC and access points and I think they have confused my company's requirements.
What my company requires to meet the security standard is two-factor authentication for the clients connecting to the wireless network. At first we tried RSA with AD and then we changed to AD with certificates, as each company portable device has a company certificate installed.
After reading about the protocols and what you wrote, I guess we would require EAP-TLS, as the client side would need the certificate; can this include Active Directory? I am just looking at our test client laptop now. Is there a native supplicant client on Windows 7 for EAP-TLS for wireless?
Here are the settings I am currently using and the supplicant clients I can choose.
Any help would be great, George!
10-05-2012 08:54 AM
Windows 7 doesn't show "EAP-TLS" per se. It's actually "Microsoft: Smart Card or other certificate".
Read this:
http://technet.microsoft.com/en-us/library/dd759246.aspx
Yes, you can use AD and certs.
10-05-2012 11:03 AM
You know what, I've been doing some digging and just spoke to Scott Fella, and he informed me that MAR can be used for two-factor with EAP-TLS, but he doesn't recommend it.
You may want to consider EAP-TLS as is, OR if you really need two-factor then the next best thing I can think of is EAP-PEAP/GTC.
10-05-2012 11:07 AM
Here is a support doc that was put together on how you can use MARs on ACS.
https://supportforums.cisco.com/docs/DOC-21825
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered".
10-08-2012 11:54 PM
Hi Scott and George,
Thanks very much for this information. I am going to give it a quick go and see how it goes. I have read the MAR doco link you sent, Scott, and it does seem a few people have issues with the AD and certificate aspect of EAP-TLS.
George, do you have any doco on the process for this EAP-PEAP/GTC? I am intrigued and I would like to research every option available.
thanks for your help so far.
Eddy
10-09-2012 07:36 AM
Here are a few reads to get you started on GTC
http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp1008089
10-11-2012 11:56 PM
Hi Guys,
Well, I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this:
Logged At: October 12, 2012 2:50:17.866 PM
RADIUS Status: Authentication failed : 15039 Selected Authorization Profile is DenyAccess
NAS Failure:
Username: blah\eddy
MAC/IP Address: 00-21-6a-07-31-88
Network Device: -WC-5508-01 : 10.10.2.10 :
Access Service: WirelessAD
Identity Store: AD1
Authorization Profiles: DenyAccess
CTS Security Group:
Authentication Method: PEAP(EAP-MSCHAPv2)
I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below; any ideas on how to get this to work? I don't have MARS; is MARS required for this PEAP setup?
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24416 User's Groups retrieval from Active Directory succeeded
24101 Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
24420 User's Attributes retrieval from Active Directory succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
Evaluating Group Mapping Policy
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Any ideas, guys?
Thanks for the help.
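As an added example that is not part of this thread (not Cisco's, Scott's or Eddy's code), the following Python reads the summary fields and step log Eddy posted above, embedded here as constructed sample text copied from the post, and turns them into a plain diagnosis: AD accepted the user's password (step 24402), but step 24423 shows ACS had no earlier machine authentication on record for this host, so the MAR rule selected DenyAccess; and the method was PEAP(EAP-MSCHAPv2), a password exchange inside TLS, not EAP-TLS, so no client certificate was ever presented. The names `parse_summary`, `parse_steps`, `diagnose`, `Diagnosis` and the `SAMPLE_*` strings are this example's own; the step-code meanings are taken from the log's own text, and treating only EAP-TLS as a client-certificate method is an assumption based on the methods discussed in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the summary fields and step codes from the post
# above, in the "Key: | value |" layout the forum rendered them in.
SAMPLE_SUMMARY = """\
Logged At: | October 12,2012 2:50:17.866 PM |
RADIUS Status: | Authentication failed : 15039 Selected Authorization Profile is DenyAccess |
Username: | blah\\eddy |
Identity Store: | AD1 |
Authorization Profiles: | DenyAccess |
Authentication Method: | PEAP(EAP-MSCHAPv2) |
"""

SAMPLE_STEPS = """\
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Identity Policy |
15006 Matched Default Rule |
15013 Selected Identity Store - AD1 |
24430 Authenticating user against Active Directory |
24402 User authentication against Active Directory succeeded |
22037 Authentication Passed |
11814 Inner EAP-MSCHAP authentication succeeded |
12306 PEAP authentication succeeded |
11503 Prepared EAP-Success |
24423 ACS has not been able to confirm previous successful machine authentication for user in Active Directory |
"""

# A step line is a five-digit ACS code, the message, and an optional trailing pipe.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*\|?\s*$")

# Step codes as they appear in the posted log; the meanings are the log's own text.
USER_AUTH_OK = "24402"       # User authentication against Active Directory succeeded
MAR_NOT_CONFIRMED = "24423"  # no previous successful machine authentication on record


def parse_summary(text: str) -> Dict[str, str]:
    """Turn 'Key: | value |' lines into a dict; splits on the first colon only."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.replace("|", " ").strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs; lines without a code (policy headings) are skipped."""
    steps: List[Tuple[str, str]] = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


@dataclass
class Diagnosis:
    method: str
    profile: str
    user_auth_ok: bool
    mar_not_confirmed: bool
    client_cert_method: bool

    def verdict(self) -> str:
        notes = []
        if self.profile == "DenyAccess":
            if self.user_auth_ok and self.mar_not_confirmed:
                notes.append("AD accepted the user's password (24402) but ACS has no prior "
                             "machine authentication for this host (24423), so the MAR "
                             "rule selected DenyAccess")
            else:
                notes.append("DenyAccess selected; inspect the step codes for the cause")
        else:
            notes.append(f"permitted with profile {self.profile!r}")
        if not self.client_cert_method:
            notes.append(f"{self.method} is password-based: no client certificate was "
                         "presented, so this method alone does not prove the laptop "
                         "holds a company certificate")
        return "; ".join(notes)


def diagnose(summary: Dict[str, str], steps: List[Tuple[str, str]]) -> Diagnosis:
    codes = [code for code, _ in steps]
    method = summary.get("Authentication Method", "")
    return Diagnosis(
        method=method,
        profile=summary.get("Authorization Profiles", ""),
        user_auth_ok=USER_AUTH_OK in codes,
        mar_not_confirmed=MAR_NOT_CONFIRMED in codes,
        # Assumption: of the methods discussed in the thread, only EAP-TLS (Windows
        # "Smart Card or other certificate") presents a client certificate.
        client_cert_method="EAP-TLS" in method.upper(),
    )


def explain(summary_text: str, steps_text: str) -> Diagnosis:
    return diagnose(parse_summary(summary_text), parse_steps(steps_text))


if __name__ == "__main__":
    print(explain(SAMPLE_SUMMARY, SAMPLE_STEPS).verdict())
```

Run against the posted log it reports that the session is a PEAP(EAP-MSCHAPv2) password login rejected by the MAR check; fed a summary whose Authentication Method is EAP-TLS it stops flagging the missing client certificate, which is the distinction Eddy's first post was chasing.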