Funny, your bug mentions CSSC but you are running ADU :D Well anyways, nice that it is solved.

Seems that in my lab I can't break it even though I disable the check certificate. But we could be comparing oranges and apples. My laptop is XP SP3 with ADU version 3.6.0.122; the PC is joined to the domain. I will test CSSC later and confirm this bug and post the findings.

regards. Kristjan

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: 17. ágúst 2011 00:37
To: [email protected]
Subject: CCIE_Wireless Digest, Vol 29, Issue 16

Send CCIE_Wireless mailing list submissions to [email protected]

To subscribe or unsubscribe via the World Wide Web, visit http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless or, via email, send a message with subject or body 'help' to [email protected]

You can reach the person managing the list at [email protected]

When replying, please edit your Subject line so it is more specific than "Re: Contents of CCIE_Wireless digest..."

Today's Topics:

1. Re: 1. EAP-FAST authenticating with Certificate (Yuri Mecca) (Jason Boyers)

----------------------------------------------------------------------

Message: 1
Date: Tue, 16 Aug 2011 20:36:34 -0400
From: "Jason Boyers" <[email protected]>
To: "'Yuri Mecca'" <[email protected]>, <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Good detective work! Though the bug isn't for ADU, you took the implication of the bug and applied it to ADU. Thinking like a CCIE :-)

Jason Boyers - CCIE #26024 (Wireless)
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of Yuri Mecca
Sent: Tuesday, August 16, 2011 8:02 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Hi Guys! I discovered what happened!

I'm running into this bug: CSCsk59988 EAP-FAST [TLS] does not work for cross-forest user authentication.

Symptom: Occurs when doing EAP-FAST authentication with the CSSC client.
Conditions: Client sends inner identity without domain markup.
Workaround: This is not a bug since CSSC can be customized to send inner identity in UPN format.

My ADU isn't configured to validate the server certificate and doesn't send the domain. When I set this option it works fine:

Validate Server Identity: Enable
Trust Root Certificate Authority: <Any>
Select a Certificate: User1 Certificate
Server/Domain: proctorlabs.com
Login Name: User1

Without Validate Server Identity the Server/Domain box remains grey and disabled!

Thanks for the replies again!

Best Regards,
Yuri

_____
From: [email protected]
To: [email protected]
Date: Tue, 16 Aug 2011 17:39:01 -0300
Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)

Hi Guys,

Thanks for the replies. So, I did some tests and still can't make it work:

1) Enabled "Require client certificate for provisioning": doesn't work. LOG: EAP_TLS Type not configured
2) Disabled EAP-GTC and EAP-MSCHAPv2: doesn't work, and I had to disable Anonymous PAC provisioning. LOG: EAP-TLS or PEAP authentication failed during SSL handshake
3) Created a static user in the ACS database with Password Authentication "ACS Internal Database": doesn't work. LOG: EAP_TLS Type not configured
4) Created a static user in the ACS database with Password Authentication "Windows Database": doesn't work. LOG: EAP_TLS Type not configured

Just to clarify, this certificate is working fine, because I tested it with EAP-TLS and PEAP.

Any other idea?

Best Regards,
Yuri

> From: [email protected]
> To: [email protected]; [email protected]; [email protected]
> Date: Tue, 16 Aug 2011 15:41:29 +0000
> Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Thanks Dion, but this link is ACS 5.1. We don't care about that as the LAB blueprint is ACS 4.2 :D
>
> I take back what I said about the user having to be in ACS (Windows database, not ACS internal database).
> I forgot to fail unknown attempts to the external database (AD), and I deleted the internal ACS user and
> made the ADU connection again, which worked, and the user was cached afterwards in ACS.
>
> I had problems in the past with EAP-TLS and the CSSC client and I usually had to
> enter the outer identity username (same user that had the certificate) into the ACS
> before EAP-TLS worked.
>
> Now when I do another test with EAP-TLS and delete the ACS cached user, I am still authenticated
> properly. So it seems I can do without the static user entered in the ACS now. At least with ADU!
> The funny thing is that this time the ACS does not cache the user when doing EAP-TLS as it did with EAP-FAST and inner EAP-TLS.
>
> regards. Kristjan
>
> -----Original Message-----
> From: Dion Rupert [mailto:[email protected]]
> Sent: 16. ágúst 2011 15:21
> To: Kristján Ólafur Eðvarðsson; 'Jason Boyers'; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Great... then this may help.
>
> https://supportforums.cisco.com/docs/DOC-15587
>
> Dion
>
> -----Original Message-----
> From: Kristján Ólafur Eðvarðsson [mailto:[email protected]]
> Sent: Tuesday, August 16, 2011 10:16 AM
> To: Dion Rupert; 'Jason Boyers'; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> In my case the server is part of the domain and the ADU desktop as well.
>
> regards. Kristjan
>
> -----Original Message-----
> From: Dion Rupert [mailto:[email protected]]
> Sent: 16. ágúst 2011 15:12
> To: Kristján Ólafur Eðvarðsson; 'Jason Boyers'; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Is the server part of the domain?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
> Sent: Tuesday, August 16, 2011 9:28 AM
> To: Jason Boyers; [email protected]
> Subject: Re: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Sorry I wasn't clear.
>
> I use the AD external database for authentication.
> However, I have never made it work unless the user
> exists on ACS before I make the ADU connection.
> So I have the habit of just creating it (the password does
> not matter as it isn't used).
>
> If the ACS user isn't there (not cached or never cached)
> I get "ACS user unknown" under failed attempts.
>
> The ADU client browsed to the AD CA /certsrv page
> to get its certificate and authenticated with
> its username on that webpage.
>
> -----Original Message-----
> From: Jason Boyers [mailto:[email protected]]
> Sent: 16. ágúst 2011 14:06
> To: Kristján Ólafur Eðvarðsson; [email protected]
> Subject: RE: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> So, to confirm, you used the internal ACS database for authentication. Is
> that correct? If so, then there may be something going on with the match
> between the user certificate and AD, since Yuri is using AD for
> authentication. At least it narrows things down a bit!
>
> Jason Boyers - CCIE #26024 (Wireless)
> Technical Instructor - IPexpert, Inc.
> Mailto: [email protected]
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Kristján Ólafur Eðvarðsson
> Sent: Tuesday, August 16, 2011 9:41 AM
> To: [email protected]
> Subject: [OSL | CCIE_Wireless] 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> Hey Yuri,
>
> I did a quick test. And I managed to make it work.
> I even tried to disable EAP-MSCHAPv2 and EAP-GTC as inner methods on ACS and
> only allow EAP-TLS as the EAP-FAST inner method.
>
> I first enrolled the ACS with the CA, got a cert for the client from the ADU PC, and
> configured the ADU with that EAP-FAST TLS certificate for the client. The user
> has to exist in ACS as well, to my knowledge.
>
> And it seems to work for me on ADU.
>
> regards. Kristjan
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
> Sent: 16. ágúst 2011 01:00
> To: [email protected]
> Subject: CCIE_Wireless Digest, Vol 29, Issue 10
>
> Today's Topics:
>
> 1. EAP-FAST authenticating with Certificate (Yuri Mecca)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 15 Aug 2011 22:00:11 -0300
> From: Yuri Mecca <[email protected]>
> To: <[email protected]>
> Subject: [OSL | CCIE_Wireless] EAP-FAST authenticating with Certificate
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi Guys,
>
> I'm working with EAP authentication and I had a problem connecting the
> laptop (Cisco ADU) to ACS 4.2 using EAP-FAST with the inner method set to TLS
> (certificate).
> It works fine with PEAP inner TLS, EAP-TLS, and other EAP-FAST inner methods like
> MS-CHAP or GTC.
> In the ACS Reports I see this message: "EAP_TLS Type not configured"
> Attached is my EAP-FAST config.
> Has anyone made this auth work? I'm using an external database.
>
> Thanks for the replies! :-)
> Yuri
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: fast.JPG
> Type: image/jpeg
> Size: 102566 bytes
> Desc: not available
> URL: </archives/ccie_wireless/attachments/20110815/328305f3/attachment.jpe>
>
> ------------------------------
>
> _______________________________________________
> CCIE_Wireless mailing list
> [email protected]
> http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
>
> End of CCIE_Wireless Digest, Vol 29, Issue 10
> *********************************************
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

------------------------------

End of CCIE_Wireless Digest, Vol 29, Issue 16
*********************************************
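The bug note quoted in the thread turns on one detail: whether the inner identity the supplicant sends carries domain markup (the UPN form `user@domain`) or is a bare username that a cross-forest lookup cannot place. The following is an added example, not code from the thread, from Cisco ACS, ADU or CSSC; it parses an inner identity into user and realm, reports whether a realm is present, and renders it as a UPN using a supplied default domain, which is the role the thread attributes to the ADU "Server/Domain" field once server validation is enabled (the exact wire format ADU uses is not shown on the page and is assumed here). The realm syntax rules, the NetBIOS length rule and the sample identities are constructed assumptions; `User1` and `proctorlabs.com` are the values from the thread.

```python
"""Check EAP inner identities for domain markup and normalise them to UPN form.

Added example (not from the mailing-list thread or any Cisco product).
Assumptions: a realm is a dotted DNS name; a down-level domain is a NetBIOS
name of at most 15 characters; a bare identity gains its realm from a default
domain, as the ADU Server/Domain field is described as doing in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen (assumed rule).
_REALM_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Conservative NetBIOS-style domain name for DOMAIN\user identities (assumed rule).
_NETBIOS = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,14}$")

# Constructed sample identities, not taken from any real log.
SAMPLE_IDENTITIES = ["User1", "User1@proctorlabs.com", "PROCTORLABS\\User1", "User1@", "OTHER\\User1"]


@dataclass(frozen=True)
class Identity:
    form: str             # "upn", "downlevel" or "bare"
    user: str
    realm: Optional[str]  # None when the identity carries no domain markup


def _valid_realm(realm: str) -> bool:
    return all(_REALM_LABEL.match(label) for label in realm.split("."))


def parse_identity(identity: str) -> Identity:
    """Split an inner identity into user and realm; reject malformed ones."""
    ident = identity.strip()
    if not ident or any(ch.isspace() for ch in ident):
        raise ValueError("identity must be a single non-empty token")
    if "@" in ident:
        # The realm is everything after the last '@'; the user part may not itself hold '@' or '\'.
        user, _, realm = ident.rpartition("@")
        if not user or not realm or "@" in user or "\\" in user or not _valid_realm(realm):
            raise ValueError(f"malformed UPN identity: {identity!r}")
        return Identity("upn", user, realm.lower())
    if "\\" in ident:
        domain, _, user = ident.partition("\\")
        if not domain or not user or "\\" in user or not _NETBIOS.match(domain):
            raise ValueError(f"malformed down-level identity: {identity!r}")
        return Identity("downlevel", user, domain.upper())
    return Identity("bare", ident, None)


def has_domain_markup(identity: str) -> bool:
    """True when the identity names a realm (UPN or DOMAIN\\user), False when bare."""
    return parse_identity(identity).realm is not None


def to_upn(identity: str, default_domain: Optional[str] = None,
           netbios_map: Optional[Dict[str, str]] = None) -> str:
    """Render the identity as user@dns-domain.

    A bare identity needs default_domain; a down-level identity needs its
    NetBIOS name resolved through netbios_map, since NetBIOS and DNS domain
    names are not interchangeable.
    """
    parsed = parse_identity(identity)
    if parsed.form == "upn":
        return f"{parsed.user}@{parsed.realm}"
    if parsed.form == "downlevel":
        dns_domain = (netbios_map or {}).get(parsed.realm)
        if not dns_domain:
            raise ValueError(f"no DNS domain known for NetBIOS name {parsed.realm!r}")
        return f"{parsed.user}@{dns_domain.lower()}"
    if not default_domain or not _valid_realm(default_domain):
        raise ValueError(f"bare identity {identity!r} needs a valid default domain")
    return f"{parsed.user}@{default_domain.lower()}"


def check_identities(identities: Iterable[str], default_domain: Optional[str] = None,
                     netbios_map: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Report, per identity, the UPN that would be sent or why a realm lookup would fail."""
    report: Dict[str, str] = {}
    for ident in identities:
        try:
            parsed = parse_identity(ident)
        except ValueError as exc:
            report[ident] = f"malformed: {exc}"
            continue
        if parsed.realm is None and not default_domain:
            report[ident] = "no domain markup: cross-forest lookup cannot pick a realm"
            continue
        try:
            report[ident] = "ok: " + to_upn(ident, default_domain, netbios_map)
        except ValueError as exc:
            report[ident] = f"unmapped: {exc}"
    return report


if __name__ == "__main__":
    # Without a default domain, the bare identity is flagged; with one, it becomes a UPN.
    for label, kwargs in (("no default domain", {}),
                          ("Server/Domain set", {"default_domain": "proctorlabs.com",
                                                 "netbios_map": {"PROCTORLABS": "proctorlabs.com"}})):
        print(f"--- {label} ---")
        for ident, status in check_identities(SAMPLE_IDENTITIES, **kwargs).items():
            print(f"{ident:24} {status}")
```

Run it as a script to see the two passes side by side: the first pass flags the bare `User1` exactly as the quoted bug description predicts, the second shows what the identity looks like once a domain is attached. The NetBIOS map is kept separate from the default domain on purpose, because a `DOMAIN\user` name tells you the NetBIOS domain but not the DNS realm a RADIUS server would match on.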
