Occasional Contributor I
Posts: 8
Registered: ‎02-09-2012

EAP-TLS Authorization

In my setup the controller terminates the authentication and sends the username (obtained from the user certificate) to my RADIUS server (IAS 2003). However, the user is not able to connect and the following error appears on the RADIUS server.
-----------------------------------------

Event Type:    Warning
Event Source:    IAS
Event Category:    None
Event ID:    2
Date:        4/13/2012
Time:        3:14:18 PM
User:        N/A
Computer:    IDBE1-BCK-LT2P
Description:
User testuser was denied access.
 Fully-Qualified-User-Name = dir.random.com/blah blah blah
 NAS-IP-Address = 10.13.31.10
 NAS-Identifier = <not present>
 Called-Station-Identifier = 000B866DCC84
 Calling-Station-Identifier = 183DA28613EC
 Client-Friendly-Name = 10.13.31.10
 Client-IP-Address = 10.13.31.10
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 0
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = WPOLICY_NET
 Authentication-Type = Unauthenticated
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....    
-------------------------------------------------
Guru Elite
Posts: 21,587
Registered: ‎03-29-2007

Re: EAP-TLS Authorization

In your remote access policy on the server, do you have "smartcard or other certificate" selected/enabled?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 8
Registered: ‎02-09-2012

Re: EAP-TLS Authorization

Yes,

the "smartcard or other certificate" is selected. 

Please see the attached screenshot.
Guru Elite
Posts: 21,587
Registered: ‎03-29-2007

Re: EAP-TLS Authorization

Are those machine or user certificates?  Do they exist in that group specified in your remote access policy?
Colin Joseph
Aruba Customer Engineering
Occasional Contributor I
Posts: 8
Registered: ‎02-09-2012

Re: EAP-TLS Authorization

Those are user certificates. The user is part of the group in the AD as specified in the remote access policy. I am stuck in the part where the controller is supposed to send the Authorization to the Radius.
The 6.1 user guide says that:

"The client certificate is verified on the controller (the client certificate must be signed by a known CA) before the user name is
checked on the authentication server."
What is going on between the controller and the radius? If the controller termination is not used, the authentication happens between the Supplicant and the Authentication Server without any problem.
Guru Elite
Posts: 21,587
Registered: ‎03-29-2007

Re: EAP-TLS Authorization

Ok.  You are using Termination on the Controller.  Did you turn on TLS guest Access and set your Guest TLS role in the 802.1x profile to see if termination will work without Authorization first?  If not, you should try that.
Colin Joseph
Aruba Customer Engineering
Moderator
Posts: 150
Registered: ‎11-14-2011

Re: EAP-TLS Authorization

I believe the controller will initiate a RADIUS Authorize-Only request (given there is no password associated with this request) when trying to verify the authorization of the username contained in the certificate CN contents. There is a strong possibility that this is why the IAS is complaining about the authentication method being used.
Hope this helps


Cam.
Occasional Contributor I
Posts: 8
Registered: ‎02-09-2012

Re: EAP-TLS Authorization

Found a way for authorization:
EAP-TLS supports one-way authorization. Hence, enabling "Unauthenticated Access" under the Authentication tab works. By default the guest account under Windows is used (can be changed using registry edits). This feature is primarily used in the Microsoft implementation for issuing user/CA certificates to the client.
Can someone confirm if there is a security concern with using this method?
thanks

RF
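As an added defender-side example (not from this thread, Aruba or Microsoft), a small parser for IAS denial events in the format pasted in the first post: it pulls out the attribute lines and flags the Reason-Code 66 / Authentication-Type = Unauthenticated / EAP-Type undetermined combination this thread is troubleshooting. Reading that combination as a username-only request from the terminating controller is an assumption taken from the moderator's reply, not a documented IAS semantic; the sample event is a trimmed copy of the one in the thread.

```python
import re

# Sample IAS event, a trimmed copy of the log pasted in the first post.
SAMPLE_EVENT = """User testuser was denied access.
 Fully-Qualified-User-Name = dir.random.com/blah blah blah
 NAS-IP-Address = 10.13.31.10
 NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name = WPOLICY_NET
 Authentication-Type = Unauthenticated
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")
USER_RE = re.compile(r"^User (\S+) was denied access\.", re.MULTILINE)


def parse_ias_event(text):
    """Collect the 'Name = value' attribute lines of an IAS event into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def summarize_denial(text):
    """Return user, NAS, reason code and a short finding for one denial event."""
    attrs = parse_ias_event(text)
    user = USER_RE.search(text)
    reason = attrs.get("Reason-Code")
    auth_type = attrs.get("Authentication-Type")
    eap = attrs.get("EAP-Type", "")
    if reason == "66" and auth_type == "Unauthenticated" and eap.startswith("<"):
        # Assumption (per the moderator's reply): the request carried no EAP
        # payload and no password, i.e. the controller sent the username only.
        finding = "username-only request rejected: policy has no Unauthenticated Access"
    elif reason == "66":
        finding = "authentication method not enabled on matched policy"
    else:
        finding = "denied, Reason-Code %s" % reason
    return {"user": user.group(1) if user else None, "nas": attrs.get("NAS-IP-Address"),
            "policy": attrs.get("Policy-Name"), "reason_code": reason, "finding": finding}


if __name__ == "__main__":
    print(summarize_denial(SAMPLE_EVENT))
```

Feeding it the Event ID 2 descriptions exported from the IAS system log gives a quick count of which denials are the termination/authorization mismatch and which are ordinary policy rejects.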