This is part 3 of my blog series on rapid prototyping in ISE without requiring any networking equipment. This time we’re going to perform EAP-TLS (X.509 certificate based) authentication.
This scenario is very similar to EAP-PEAP, but in addition the client must present its own certificate (the TLS handshake is mutual), so we first need a client certificate. More on that later. For now let’s assume we have a client certificate as would be found in a real supplicant (iOS/Android/Windows/OSX device) – then the configuration and command syntax look as follows.
I called my configuration file eaptls.conf – and it contains:
network={
ssid="example"
key_mgmt=WPA-EAP
eap=TLS
identity="wedontcare"
ca_cert="/home/abier/Downloads/MegaRootCert.cer"
client_cert="/home/abier/ca/client.cert.pem"
private_key="/home/abier/ca/client.key.pem"
private_key_passwd="MyCl1entKey"
eapol_flags=3
}
NB: Remember that the ca_cert shown above is the Root CA certificate that issued the ISE server certificate (not to be confused with the CA that issued the client certificate!!!). The supplicant uses it to validate the server; the reverse also applies: we obviously need to install the client's Root CA certificate in ISE as a trusted certificate, otherwise ISE cannot validate the client's certificate chain.
Below is the command to send one request to 192.168.21.101 with a client Wireless MAC address of 00:00:00:00:00:FF and Service-Type=Framed (which is standard for Cisco/HPE WLCs). The -N argument is attribute-id:syntax:value, so '6:d:2' sets RADIUS attribute 6 (Service-Type) to the decimal value 2 (Framed). To simulate an Aruba AP, substitute the value 1 (Service-Type=Login).
eapol_test -c eaptls.conf -s RadiusS3cret -a 192.168.21.101 -M '00:00:00:00:00:ff' -N '6:d:2'
Job done.
Wow – that was easy! But Arne, you skilfully skirted around the client certificate creation process. Please explain …
Ok. This should be an entirely separate blog entry but I will condense it here and rely on you to research the rest. To create a client certificate I reckon you have three options:
- Ask a friend who can deliver one on a silver platter for you (e.g. a Microsoft PKI security admin)
- Build your own Windows 2012 R2 lab VM (using the free 180 day Microsoft eval license) and conquer your fear of the CA server. This is the route I chose in my own lab because this is what I face in the Enterprise all the time. It was a steep learning curve for me but now I can have sensible discussions with other Microsoft engineers about these things. I tackled this with the help of Google searches and now I can almost do it blindfolded. There are many hurdles regarding the IIS server and AD permissions, template creations, etc. It’s messy to begin with but it has real life applicability.
- Use openssl tools and do it all via the CLI or xca (a GUI front end to openssl, http://xca.sourceforge.net/). This is not for the faint hearted, but in my humble opinion is the cleanest and most instructive approach to this topic – it exposes X.509 warts and all – and if you can master this method then you can master anything. So buckle up and get ready for some openssl action!
The openssl method is easiest to document and quickest to implement (no Windows Server required). There are excellent articles on the web about how to set up an OpenSSL CA – my intention here is to make the process as quick and simple as possible – this subject deserves a better explanation than what I am about to give. But you will be able to follow this I hope, as long as you’re not afraid of the Linux CLI.
Using your Linux terminal create a directory called ‘ca’ and use it as your current directory. In my case I ended up in /home/abier/ca
I chose two relatively simple and weak pass phrases – please use something stronger, and make sure you supply the correct phrase when prompted by openssl (it will complain if you get it wrong).
Create the Root CA private key
openssl genrsa -aes256 -out ca.key.pem 4096
Output below
Generating RSA private key, 4096 bit long modulus
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Verifying - Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Create the Root CA root certificate
openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem
Output below
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:QLD
Locality Name (eg, city) [Default City]:BNE
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:AcmeCorp
Email Address []:
Create the Client private key
openssl genrsa -aes256 -out client.key.pem 2048
Output below
Generating RSA private key, 2048 bit long modulus
Enter pass phrase for client.key.pem: MyCl1entKey
Verifying - Enter pass phrase for client.key.pem: MyCl1entKey
Create client certificate signing request
openssl req -key client.key.pem -new -sha256 -out client.csr.pem
Output below
Enter pass phrase for client.key.pem: MyCl1entKey
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:QLD
Locality Name (eg, city) [Default City]:BNE
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:abier
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:.
Create the client cert
First prepare the OpenSSL CA repository (requires root privileges; /etc/pki/CA is the CA directory that the stock /etc/pki/tls/openssl.cnf on RHEL/CentOS/Fedora points at)
touch /etc/pki/CA/index.txt
echo '1000' > /etc/pki/CA/serial
touch /etc/pki/CA/serial.new
touch /etc/pki/CA/index.txt.new
touch /etc/pki/CA/index.txt.attr.new
In your home working directory create a small file called extensions.txt containing the certificate extensions you need
[ext]
basicConstraints=CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
Perform the client cert creation
Since I am using all the defaults here, openssl wants to write its CA database (index.txt, serial) in a directory that needs root access – it’s easier to run the command with sudo to allow it to write in the /etc/pki/CA directory.
sudo openssl ca -extfile extensions.txt -extensions ext -days 365 -notext -md sha256 -in client.csr.pem -cert ca.cert.pem -keyfile ca.key.pem -outdir . -out client.cert.pem
[Update: This worked previously, but if you receive an error, then consider copying the CA directory created above into your working directory as ./demoCA (the directory the stock openssl.cnf expects), e.g.]
sudo cp -r /etc/pki/CA ./demoCA
Then run the openssl ca command again.
Produces the output below
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Check that the request matches the signature
Signature ok
Certificate Details:
    Serial Number: 4096 (0x1000)
    Validity
        Not Before: May 5 04:14:16 2017 GMT
        Not After : May 5 04:14:16 2018 GMT
    Subject:
        countryName            = AU
        stateOrProvinceName    = QLD
        organizationName       = Acme
        organizationalUnitName = IT
        commonName             = abier
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Client
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Client Authentication
Certificate is to be certified until May 5 04:14:16 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
View the certificate with the command
openssl x509 -in client.cert.pem -text
Phew! We’re done.
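The whole CA procedure above, plus the ca_cert caveat from the eaptls.conf section, as one added shell example (this is not code from the original post). It builds a throwaway client CA in a temp directory with the same [ext] section as extensions.txt, signs a client certificate with openssl ca against its own CA database instead of /etc/pki/CA, and then runs the pre-flight checks worth doing before pointing eapol_test at ISE: the client cert chains to the client root and not to a second root standing in for MegaRootCert, the pass phrase unlocks the key, the key matches the cert, and the clientAuth EKU is present. It assumes only that the openssl CLI is on PATH; every file name, subject and pass phrase is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: builds a throwaway client CA
# with the extensions the post uses, signs a client cert, and runs the pre-flight
# checks worth doing before pointing eapol_test at ISE.
# Assumes the openssl CLI is on PATH. Names, subjects and pass phrases below
# are constructed for this example.
set -u
WORK="${WORK:-$(mktemp -d)}"
CA_PASS="pass:ExampleCaPassphrase"          # constructed stand-in for MyCertPr1vateKey
CLIENT_PASS="pass:ExampleClientPassphrase"  # constructed stand-in for MyCl1entKey

# Minimal openssl.cnf: the CA database files the post touches under /etc/pki/CA
# (index.txt, serial) kept in $WORK, plus the [ext] section from extensions.txt.
# localityName is listed in the policy deliberately: the stock policy_match
# omits it, which is why L=BNE is missing from the post's signed certificate.
write_ca_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $WORK
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir
certificate = \$dir/ca.cert.pem
private_key = \$dir/ca.key.pem
default_md = sha256
policy = demo_policy
unique_subject = no
[ demo_policy ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ ext ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
}

# Self-signed root. Called twice: once for the client CA and once for a root
# standing in for the one that issued the ISE server cert (MegaRootCert).
make_root() {  # $1 = file stem, $2 = CN
  openssl genrsa -aes256 -passout "$CA_PASS" -out "$WORK/$1.key.pem" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -key "$WORK/$1.key.pem" -passin "$CA_PASS" \
    -new -x509 -days 3650 -sha256 -extensions v3_ca \
    -subj "/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT/CN=$2" -out "$WORK/$1.cert.pem"
}

build_demo_pki() {
  [ -f "$WORK/client.cert.pem" ] && return 0   # already built
  write_ca_config
  make_root ca "AcmeCorp Client Root"
  make_root server-root "MegaRoot stand-in"
  # Client key and CSR, answered non-interactively via -subj instead of prompts.
  openssl genrsa -aes256 -passout "$CLIENT_PASS" -out "$WORK/client.key.pem" 2048 2>/dev/null
  openssl req -config "$WORK/ca.cnf" -key "$WORK/client.key.pem" -passin "$CLIENT_PASS" \
    -new -sha256 -subj "/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT/CN=abier" -out "$WORK/client.csr.pem"
  # The post's signing step, pointed at the temp CA database instead of /etc/pki/CA.
  openssl ca -batch -config "$WORK/ca.cnf" -extensions ext -days 365 -notext -md sha256 \
    -passin "$CA_PASS" -in "$WORK/client.csr.pem" -out "$WORK/client.cert.pem"
}

# Exit status only: does the client cert chain to the given root?
cert_chains_to() { openssl verify -CAfile "$1" "$WORK/client.cert.pem" >/dev/null 2>&1; }

# Pre-flight: chains to the client root (not the server root), the pass phrase
# unlocks the key, the key matches the cert, and the clientAuth EKU is present.
check_client_cert() {
  cert_chains_to "$WORK/ca.cert.pem" || return 1
  cert_pub=$(openssl x509 -in "$WORK/client.cert.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$WORK/client.key.pem" -passin "$CLIENT_PASS" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$WORK/client.cert.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

build_demo_pki
check_client_cert && echo "client cert OK: $WORK/client.cert.pem"
cert_chains_to "$WORK/server-root.cert.pem" || echo "as expected, it does NOT chain to the server root"
```

The files under $WORK (ca.cert.pem, client.cert.pem, client.key.pem) can be dropped straight into the eaptls.conf shown earlier; ca_cert there must still be the root of the ISE server certificate, which is exactly what the failing verify against server-root.cert.pem illustrates.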