Arne Bier

This is part 3 of my blog series on rapid prototyping in ISE without requiring any networking equipment. This time we’re going to perform EAP-TLS (X.509 certificate based) authentication.

 

This scenario is very similar to EAP-PEAP, but in addition the client must present its own certificate (mutual certificate exchange), so we first need to create a client certificate.  More on that later.  For now let’s assume we have a client certificate as would be found in a real supplicant (iOS/Android/Windows/OSX device) – then the configuration and command syntax look as follows.

I called my configuration file eaptls.conf – and it contains:

network={
         ssid="example"
         key_mgmt=WPA-EAP
         eap=TLS
         identity="wedontcare"
         ca_cert="/home/abier/Downloads/MegaRootCert.cer"
         client_cert="/home/abier/ca/client.cert.pem"
         private_key="/home/abier/ca/client.key.pem"
         private_key_passwd="MyCl1entKey"
         eapol_flags=3
}


NB: the ca_cert shown above is the Root certificate that issued the ISE server certificate; the supplicant uses it to validate ISE, and it is not to be confused with the CA that issued the client certificate!  Conversely, the Root CA that issued the client certificate must be installed in ISE as a trusted certificate so that ISE can validate the client.

 

Below is the command to send one request to 192.168.21.101 with a client wireless MAC address of 00:00:00:00:00:FF and Service-Type=Framed (the -N '6:d:2' argument adds RADIUS attribute 6, Service-Type, with decimal value 2, which is standard for Cisco/HPE WLCs).  To simulate an Aruba AP, substitute the value 1 (Service-Type=Login).

eapol_test -c eaptls.conf -s RadiusS3cret -a 192.168.21.101 -M '00:00:00:00:00:ff' -N '6:d:2'

 

Job done.

Wow – that was easy!  But Arne, you skilfully skirted around the client certificate creation process. Please explain …

Ok.  This should be an entirely separate blog entry but I will condense it here and rely on you to research the rest.  To create a client certificate I reckon you have three options:

 

  1. Ask a friend who can deliver one on a silver platter for you (e.g. a Microsoft PKI security admin)
  2. Build your own Windows 2012 R2 lab VM (using the free 180 day Microsoft eval license) and conquer your fear of the CA server.  This is the route I chose in my own lab because this is what I face in the Enterprise all the time.  It was a steep learning curve for me but now I can have sensible discussions with other Microsoft engineers about these things.  I tackled this with the help of Google searches and now I can almost do it blindfolded.  There are many hurdles regarding the IIS server and AD permissions, template creations, etc.  It’s messy to begin with but it has real life applicability.
  3. Use openssl tools and do it all via the CLI, or use xca (a GUI front end to openssl, http://xca.sourceforge.net/).  This is not for the faint hearted, but in my humble opinion it is the cleanest and most instructive approach to this topic – it exposes X.509 warts and all – and if you can master this method then you can master anything.   So buckle up and get ready for some openssl action!

 

The openssl method is easiest to document and quickest to implement (no Windows Server required). There are excellent articles on the web about how to set up an OpenSSL CA – my intention here is to make the process as quick and simple as possible, and the subject deserves a better explanation than I am about to give.  But you should be able to follow along as long as you’re not afraid of the Linux CLI.

 

 

Using your Linux terminal, create a directory called ‘ca’ and make it your current directory.  In my case I ended up in /home/abier/ca

 

I chose two relatively simple and weak pass phrases – please use something stronger, and make sure you supply the correct phrase when prompted by openssl (it will complain if you get it wrong).

 

 

Create the Root CA private key:

openssl genrsa -aes256 -out ca.key.pem 4096

Output below:

Generating RSA private key, 4096 bit long modulus
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Verifying - Enter pass phrase for ca.key.pem: MyCertPr1vateKey

 

Create the self-signed Root CA certificate:

openssl req -key ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out ca.cert.pem

Output below:

Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:QLD
Locality Name (eg, city) [Default City]:BNE
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:AcmeCorp
Email Address []:

 

 

 

Create the client private key:

openssl genrsa -aes256 -out client.key.pem 2048

Output below:

Generating RSA private key, 2048 bit long modulus
Enter pass phrase for client.key.pem: MyCl1entKey
Verifying - Enter pass phrase for client.key.pem: MyCl1entKey

 

Create the client certificate signing request:

openssl req -key client.key.pem -new -sha256 -out client.csr.pem

Output below:

Enter pass phrase for client.key.pem: MyCl1entKey
Country Name (2 letter code) [XX]:AU
State or Province Name (full name) []:QLD
Locality Name (eg, city) [Default City]:BNE
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:abier
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

 

 

 

 

Create the client cert

First prepare the OpenSSL CA repository (requires root privileges):

touch /etc/pki/CA/index.txt
echo '1000' > /etc/pki/CA/serial
touch /etc/pki/CA/serial.new
touch /etc/pki/CA/index.txt.new
touch /etc/pki/CA/index.txt.attr.new

 

In your home working directory create a small file called extensions.txt containing the certificate extensions you need:

[ext]
basicConstraints=CA:FALSE
nsCertType=client
keyUsage=digitalSignature, keyEncipherment
extendedKeyUsage=clientAuth

 

 

 

Perform the client cert creation

Since I am using all the defaults here, openssl wants to write in directories that need root access – it’s easier to run the command with sudo to allow it to write in the /etc/pki/CA directory.

sudo openssl ca -extfile extensions.txt -extensions ext -days 365 -notext -md sha256 -in client.csr.pem -cert ca.cert.pem -keyfile ca.key.pem -outdir . -out client.cert.pem

 

[Update: This worked previously, but if you receive an error, consider copying the CA directory prepared above into your working directory, e.g.]

sudo cp -r /etc/pki/CA ./demoCA

Then run the openssl command again.  (./demoCA is the default [ CA_default ] dir in the upstream openssl.cnf, so openssl ca looks there for its index and serial files.)

This produces the output below:

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key.pem: MyCertPr1vateKey
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 4096 (0x1000)
       Validity
           Not Before: May  5 04:14:16 2017 GMT
           Not After : May  5 04:14:16 2018 GMT
       Subject:
           countryName               = AU
           stateOrProvinceName       = QLD
           organizationName          = Acme
           organizationalUnitName    = IT
           commonName                = abier
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Cert Type:
               SSL Client
           X509v3 Key Usage:
               Digital Signature, Key Encipherment
           X509v3 Extended Key Usage:
               TLS Web Client Authentication
Certificate is to be certified until May  5 04:14:16 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

View the certificate with the command

openssl x509 -in client.cert.pem -text
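The whole CA build above, collapsed into one non-interactive script, as an added example that is not part of the original post. It reuses the post's constructed lab subjects and pass phrases, takes the working directory as a parameter so /etc/pki/CA and root are not needed, signs with openssl x509 -req instead of openssl ca (no index/serial database to prepare), and finishes with the checks worth running before pointing eapol_test at ISE.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the post's two-tier
# lab PKI non-interactively; subjects, file names and pass phrases are the
# post's constructed lab values and are not suitable for production.
set -eu

build_eaptls_pki() {
    dir=$1
    mkdir -p "$dir"
    # Root CA: encrypted key, then self-signed root cert (-subj replaces the prompts)
    openssl genrsa -aes256 -passout pass:MyCertPr1vateKey -out "$dir/ca.key.pem" 4096 2>/dev/null
    openssl req -x509 -new -sha256 -days 7300 -key "$dir/ca.key.pem" -passin pass:MyCertPr1vateKey \
        -subj "/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT/CN=AcmeCorp" -out "$dir/ca.cert.pem"
    # Client: encrypted key and CSR
    openssl genrsa -aes256 -passout pass:MyCl1entKey -out "$dir/client.key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/client.key.pem" -passin pass:MyCl1entKey \
        -subj "/C=AU/ST=QLD/L=BNE/O=Acme/OU=IT/CN=abier" -out "$dir/client.csr.pem"
    # Same extensions as the post's extensions.txt (nsCertType is a legacy
    # Netscape extension; keyUsage and extendedKeyUsage are what RADIUS servers check)
    cat > "$dir/extensions.txt" <<'EOF'
[ext]
basicConstraints=CA:FALSE
nsCertType=client
keyUsage=digitalSignature, keyEncipherment
extendedKeyUsage=clientAuth
EOF
    # Sign with 'openssl x509 -req' rather than 'openssl ca': no index.txt/serial
    # database, which sidesteps the /etc/pki/CA error mentioned in the post
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr.pem" \
        -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -passin pass:MyCertPr1vateKey \
        -CAcreateserial -extfile "$dir/extensions.txt" -extensions ext \
        -out "$dir/client.cert.pem" 2>/dev/null
}

# Pre-flight checks before running eapol_test: the cert chains to the root you
# will trust in ISE, is an end-entity cert with the clientAuth EKU, and the
# private key named in the .conf actually belongs to it. Returns 0 when all pass.
verify_client_cert() {
    dir=$1
    openssl verify -CAfile "$dir/ca.cert.pem" "$dir/client.cert.pem" >/dev/null || return 1
    text=$(openssl x509 -in "$dir/client.cert.pem" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || return 1
    echo "$text" | grep -q 'TLS Web Client Authentication' || return 1
    [ "$(openssl x509 -in "$dir/client.cert.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/client.key.pem" -passin pass:MyCl1entKey -pubout)" ] || return 1
}
# usage: build_eaptls_pki ./ca && verify_client_cert ./ca && echo "ready for eapol_test"
```

Point client_cert, private_key and private_key_passwd in eaptls.conf at the files this produces; ca.cert.pem is the root to upload to ISE's trusted certificates, not the ca_cert entry in the supplicant config.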

 

Phew!  We’re done.
