Good detective work! Though the bug isn't for ADU, you took the implication of the bug and applied it to ADU. Thinking like a CCIE :)
Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Yuri Mecca
Sent: Tuesday, August 16, 2011 8:02 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Hi Guys!

I discovered what's happened! I'm running into this bug:

CSCsk59988 EAP-FAST [ TLS ] does not work for Cross forest user authentication.

Symptom
Occurs when doing EAP-FAST authentication with the CSSC client.

Conditions
Client sends inner-identity without domain markup.

Workaround
This is not a bug since CSSC can be customized to send inner-identity in UPN format.

My ADU isn't configured to validate the Server certificate and doesn't send the domain. When I set this option it works fine:

Validate Server Identity: Enable
Trust Root Certificate Authority: <Any>
Select a Certificate: User1 Certificate
Server/Domain: proctorlabs.com
Login Name: User1

Without Validate Server Identity the Server/Domain box remains grey and disabled!

Thanks for the replies again!

Best Regards,
Yuri

_____
From: [email protected]
To: [email protected]
Date: Tue, 16 Aug 2011 17:39:01 -0300
Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Hi Guys,

Thanks for the replies. So, I did some tests and still can't make it work:

1) Enabled Require client certificate for provisioning: Doesn't work
LOG: EAP_TLS Type not configured

2) Disabled EAP-GTC and EAP-MSCHAPv2: Doesn't work, and I had to disable Anonymous PAC provisioning.
LOG: EAP-TLS or PEAP authentication failed during SSL handshake

3) Created a static user in ACS Database with Password Authentication "ACS Internal Database": Doesn't work
LOG: EAP_TLS Type not configured

4) Created a static user in ACS Database with Password Authentication "Windows Database": Doesn't work
LOG: EAP_TLS Type not configured

Just to clarify, this certificate is working fine, because I tested it with EAP-TLS and PEAP.

Any other idea?

Best Regards,
Yuri

> From: [email protected]
> To: [email protected]; [email protected]; [email protected]
> Date: Tue, 16 Aug 2011 15:41:29 +0000
> Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Thanks Dion, but this link is ACS 5.1. We don't care about that as the LAB blueprint is ACS 4.2 :D
>
> I take back what I said about the user having to be in ACS (windows database, not ACS internal database).
> I forgot to fail unknown attempts to external database (AD) and I deleted the internal ACS user and
> made ADU connection again which worked and the user was cached afterwards in ACS.
>
> I had problems in the past with EAP-TLS and CSSC client and I usually had to
> enter the outer identity username (same user that had the certificate) to the ACS
> before EAP-TLS worked.
>
> Now when I do another test with EAP-TLS and delete the ACS cached user, I still am authenticated
> properly. So it seems I can do without the static user entered in the ACS now. At least with ADU!
> The funny thing this time is the ACS does not cache the user when doing EAP-TLS as it did with EAP-FAST and inner EAP-TLS.
>
> regards. Kristjan
>
> -----Original Message-----
> From: Dion Rupert [mailto:[email protected]]
> Sent: 16. ágúst 2011 15:21
> To: Kristján Ólafur Eðvarðsson; 'Jason Boyers'; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Great... then this may help.
>
> https://supportforums.cisco.com/docs/DOC-15587
>
> Dion
>
> -----Original Message-----
> From: Kristján Ólafur Eðvarðsson [mailto:[email protected]]
> Sent: Tuesday, August 16, 2011 10:16 AM
> To: Dion Rupert; 'Jason Boyers'; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> In my case the server is part of the domain and the ADU desktop as well.
>
> regards. Kristjan
>
> -----Original Message-----
> From: Dion Rupert [mailto:[email protected]]
> Sent: 16. ágúst 2011 15:12
> To: Kristján Ólafur Eðvarðsson; 'Jason Boyers'; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Is the server part of the domain?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
> Sent: Tuesday, August 16, 2011 9:28 AM
> To: Jason Boyers; [email protected]
> Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Sorry I wasn't clear.
>
> I use AD external database for authentication.
> However I have never made it work unless the user
> exists on ACS before I make the ADU connection.
> So I have the habit of just creating it (password does
> not matter as it isn't used).
>
> If the ACS user isn't there (not cached or never cached)
> I get "ACS user unknown" under failed attempts.
>
> The ADU client browsed to the AD CA /certsrv page
> to get its certificate and authenticated with
> its username on that webpage.
>
> -----Original Message-----
> From: Jason Boyers [mailto:[email protected]]
> Sent: 16. ágúst 2011 14:06
> To: Kristján Ólafur Eðvarðsson; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> So, to confirm, you used the internal ACS database for authentication. Is that correct?
> If so, then there may be something going on with the match between the user certificate and AD, since Yuri is using AD for authentication. At least it narrows things down a bit!
>
> Jason Boyers - CCIE #26024 (Wireless)
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
> Sent: Tuesday, August 16, 2011 9:41 AM
> To: [email protected]
> Subject: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Hey Yuri,
>
> I did a quick test. And I managed to make it work.
> I even tried to disable eap-chapv2 and eap-gtc as inner methods on ACS and only allow EAP-TLS as EAP-FAST inner method.
>
> I first enrolled the ACS with CA, got a cert for the client from the ADU pc, configured the ADU with that EAP-FAST TLS certificate for client. The user has to exist in ACS as well to my knowledge.
>
> And it seems to work for me on ADU.
>
> regards. Kristjan
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: 16. ágúst 2011 01:00
> To: [email protected]
> Subject: CCIE_Wireless Digest, Vol 29, Issue 10
>
> Send CCIE_Wireless mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of CCIE_Wireless digest..."
>
> Today's Topics:
>
> 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 15 Aug 2011 22:00:11 -0300
> From: Yuri Mecca <[email protected]>
> To: <[email protected]>
> Subject: [OSL | CCIE_Wireless] EAP-FAST authenticating with Certificate
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Guys,
>
> I'm working with EAP Authentication and I had a problem connecting the laptop (Cisco ADU) with ACS 4.2 using EAP-FAST with inner method TLS (Certificate).
> It works fine with PEAP Inner TLS, EAP-TLS, and other EAP-FAST methods like MS-CHAP or GTC.
> In the ACS Reports I see this message: "EAP_TLS Type not configured"
> Attached is my EAP-FAST config.
> Has anyone made this auth work? I'm using External Database.
> Thanks for the replies! :-)
> Yuri
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: </archives/ccie_wireless/attachments/20110815/328305f3/attachment.html>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: fast.JPG
> Type: image/jpeg
> Size: 102566 bytes
> Desc: not available
> URL: </archives/ccie_wireless/attachments/20110815/328305f3/attachment.jpe>
>
> ------------------------------
>
> _______________________________________________
> CCIE_Wireless mailing list
> [email protected]
> http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
>
> End of CCIE_Wireless Digest, Vol 29, Issue 10
> *********************************************
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
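Yuri's resolution above (the supplicant sent its inner identity without domain markup, and enabling server validation with a Server/Domain of proctorlabs.com made it send a UPN-style identity) can be modelled in a few lines. The following is an added example, not code from the thread, from Cisco ACS or from ADU: it classifies an inner identity as UPN (user@domain), NetBIOS (DOMAIN\user) or bare, shows why a bare identity can only be resolved in the AAA server's own domain, and applies the bug note's workaround of normalising the identity to UPN form. The forest contents, the NetBIOS-to-DNS mapping, the partner.example domain and the LOCAL_DOMAIN constant are constructed assumptions; proctorlabs.com and User1 come from the thread.

```python
"""Added example (not from the mailing-list thread or from Cisco): a small model
of why a bare inner identity fails cross-forest lookup and why the UPN form
(user@domain) is the fix. proctorlabs.com / User1 come from the thread;
partner.example, the forest contents and the NetBIOS mapping are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# user@realm (UPN / NAI style)
UPN_RE = re.compile(r"^(?P<user>[^@\\/\s]+)@(?P<realm>[A-Za-z0-9.-]+)$")
# DOMAIN\user (NetBIOS down-level logon name)
NETBIOS_RE = re.compile(r"^(?P<domain>[A-Za-z0-9-]+)\\(?P<user>[^@\\/\s]+)$")


@dataclass(frozen=True)
class Identity:
    user: str
    realm: Optional[str]  # DNS domain for UPN, NetBIOS name for down-level, None if bare
    form: str             # "upn", "netbios" or "bare"


def parse_inner_identity(identity: str) -> Identity:
    """Classify the identity string a supplicant sends in the inner EAP exchange."""
    identity = identity.strip()
    m = UPN_RE.match(identity)
    if m:
        return Identity(m["user"], m["realm"].lower(), "upn")
    m = NETBIOS_RE.match(identity)
    if m:
        return Identity(m["user"], m["domain"].upper(), "netbios")
    return Identity(identity, None, "bare")


# Constructed directory: DNS domain -> users that exist there (two forests).
FORESTS: Dict[str, Set[str]] = {
    "proctorlabs.com": {"user1"},
    "partner.example": {"bob"},
}
# Constructed NetBIOS -> DNS domain mapping (a real server gets this from AD).
NETBIOS_TO_DNS: Dict[str, str] = {
    "PROCTORLABS": "proctorlabs.com",
    "PARTNER": "partner.example",
}
# Assumption: the domain the AAA server itself is joined to.
LOCAL_DOMAIN = "proctorlabs.com"


def resolve_domain(ident: Identity, local_domain: str = LOCAL_DOMAIN) -> Optional[str]:
    """Decide which domain the lookup goes to. A bare identity carries no
    domain markup, so the server can only try its own domain."""
    if ident.form == "upn":
        return ident.realm
    if ident.form == "netbios":
        return NETBIOS_TO_DNS.get(ident.realm)
    return local_domain


def lookup(identity: str, local_domain: str = LOCAL_DOMAIN) -> str:
    """Simulate the external-database lookup: 'ok', 'user unknown' or 'unknown domain'."""
    ident = parse_inner_identity(identity)
    domain = resolve_domain(ident, local_domain)
    users = FORESTS.get(domain) if domain else None
    if users is None:
        return "unknown domain"
    return "ok" if ident.user.lower() in users else "user unknown"


def to_upn(identity: str, default_realm: str = LOCAL_DOMAIN) -> str:
    """The workaround from the bug note: normalise whatever the client would send
    into user@domain, so the realm travels with the identity."""
    ident = parse_inner_identity(identity)
    if ident.form == "upn":
        return f"{ident.user}@{ident.realm}"
    if ident.form == "netbios":
        return f"{ident.user}@{NETBIOS_TO_DNS.get(ident.realm, default_realm)}"
    return f"{ident.user}@{default_realm}"


if __name__ == "__main__":
    # "bob" is a cross-forest user: bare it fails, with a realm it succeeds.
    for who in ("User1", "bob", "bob@partner.example", "PARTNER\\bob"):
        print(f"{who:22} -> {lookup(who):13} (as UPN: {to_upn(who)})")
```

The point the model makes is the one in the bug note: a bare username is not wrong in itself, it simply gives the server nothing to route the lookup with, so any user outside the server's own domain comes back unknown. Note that normalising a bare name with the wrong default realm (to_upn("bob") gives bob@proctorlabs.com here) still fails, which is why the Server/Domain field in the ADU profile has to name the user's actual domain.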
