Solved: Re: Authentication failed using EAP-TLS and CSSC against ACS

Raul Manzano Barroso · ‎10-26-2010

Hi.

Playing with a trial version of CSSC (Cisco secure services client) I had a problem that really I don´t understand.

Any 802.1x configuration work fine but when I use anything involving the use of certificates (EAP-TLS or PEAP using a certificate instead a password to autenticate) I always see the same log message in ACS:

"Authen session timed out: Challenge not provided by client" It seems that my client supplicant does not repond to the ACS when the first one proposed an EAP method.

First I discart a certificate error because the same certificate works fine with Intel Proset Wireless supplicant and Windows Zero Configuration. EAP Fast works fine using auto provisioning or manual provisioning.

Any idea? I red the CSSC administration guide but I did not find anything that explains this behaviour or defines the right configuration for this EAP method.

I´m using Windows XP SP3, Intel Wireless 4965AGN and CSSC 5.1.1.18; My CA is a Windows CA.ACS version 4.2

Thanks in advanced.

Best regards.

Tiago Antunes · ‎10-27-2010

Please double-check if you have selected "Validate Server identity", and if yes, disable it and try again.

This options makes the client to validate the ACS certificate and in case it does not trust it it will not proceed with the authentication.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

View solution in original post

Tiago Antunes · ‎10-27-2010

Please double-check if you have selected "Validate Server identity", and if yes, disable it and try again.

This options makes the client to validate the ACS certificate and in case it does not trust it it will not proceed with the authentication.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Raul Manzano Barroso · ‎10-27-2010

Hi Tiago.

Thanks for your answer.

Really I tried checking and unchecking this option but the behaviour was the same; I suppose this should not be the reason because if I use PEAP with password authentication and check the "validate server Identity" option I can connect without problems.

With Validate server Identity I have tried using trust any certificate in the "certificate container" of the PC or select a specific certificate (previously downloaded from my Windows CA and convert it to a .pem format); the result was se same for both scenarios

Best Regards.

bbxie · ‎10-27-2010

CSSC has some major difference than Windows regarding to certificate, pls. see following:

• Server Validation
– The Personal stores are not used for server validation.
– When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be
installed in the Local Computer\Trusted Root store.
– Any Root CA certificate included in the configuration is ignored and the configuration is
translated to validateChainWithAnyCaFromOs. The Root CA certification must be installed by
some other means.
– The certificate store is limited to Local Computer during machine authentication and user
authentications when the connection is attempted before Windows logon.

As it says "Any Root CA certificate included in the configuration is ignored ", The Root CA certification must be installed by
some other means in the Local Computer\Trusted Root store instead of Personal stores.

Check if it is your problem.

Raul Manzano Barroso · ‎10-28-2010

Thanks, I will try this afternoon and report if it works.

Best regards.

Raul Manzano Barroso · ‎10-28-2010

Today is not mmy day.

It´s still failing and maybe I will open a TAC case.

I´m looking at the log file of the CSSC and I don´t like what I have seen.

"

2125: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=344][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP suggested by server: leap
2126: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-6-INFO_MSG: %[tid=2044][mac=1,6,00:1d:e0:9f:05:ef]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP requested by client:  eapTls
2127: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: EAP methods sent : sync=8
2128: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=8
2129: portable-9b7161: oct 28 2010 20:34:29.156 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Authentication state transition: AUTH_STATE_UNPROTECTED_IDENTITY_SENT_FOR_FULL_AUTHENTICATION -> AUTH_STATE_UNPROTECTED_IDENTITY_ACCEPTED
2130: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_SERVER_VERIFY, sync=9
2131: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
2132: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=9
2133: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Server verification sent : sync=9
2134: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, response sent : sync=9
2135: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Credential callback, type=AC_CRED_USER_CERT, sync=10
2136: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: Calling acCredDeferred
2137: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=344]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request deferred : sync=10
2138: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Impersonating user
2139: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Loading client certificate private key...
2140: portable-9b7161: oct 28 2010 20:34:29.171 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Calling acCertLoadPrivateKey()...
2141: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: ...acCertLoadPrivateKey() returned
2142: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 204, contact software manufacturer
2143: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: acCertLoadPrivateKey() error -20 [c:\acebuild\bldrobot_cssc_5.1.1.21_view\monadnock\src\ace\certificate\certificateimpl.cpp:239]
2144: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 4, contact software manufacturer
2145: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: CssException for function 'acCertLoadPrivateKey' => -20{error} [certificateimpl.cpp:240]
2146: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-3-ERROR_MSG: %[tid=140]: Internal error 7, contact software manufacturer
2147: portable-9b7161: oct 28 2010 20:34:29.187 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Assertion 'CSS exception - should this be logged instead?' failed at [cssexception.cpp:114]
2148: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Client certificate private key has not been loaded
2149: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=140]: Deimpersonating user
2150: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Client certificate 239f43fdcde8e190540fab2416253c5660c0d959 has been processed: ERR_INTERNAL_ERROR(7)
2151: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Certificate 239f43fdcde8e190540fab2416253c5660c0d959 is unusable
2152: portable-9b7161: oct 28 2010 20:34:29.218 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: {764C6E35-2FFF-47CF-A0CA-5B90E9483367}: Credential Request completed, no response sent : sync=10
2153: portable-9b7161: oct 28 2010 20:34:30.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
2154: portable-9b7161: oct 28 2010 20:34:32.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration
2155: portable-9b7161: oct 28 2010 20:34:34.078 -0100: %CSSC-7-DEBUG_MSG: %[tid=2044]: Checking for new configuration

It seems that It found a valid certificate, starts the Authentication proccess and when it must request the ACS challenge it fails when loading the private key and crash the supplicant

Do you think the same??

Thanks.

Best Regards.

bbxie · ‎10-28-2010

Since the log says: Internal error 7, contact software manufacturer. You'd better call TAC.

If you can get a normal version(I suspect the trial version has disabled some function), you can use it to have a try.

Raul Manzano Barroso · ‎10-29-2010

I don´t have a permanent license of CSSC.

Thanks.

I will try to open a TAC case. As soon I konw which is the problem I will write in this discussion.

Best regards.