Wireless Access


Cannot get TLS working with Android and Microsoft AD CS


    Posted Mar 22, 2013 12:03 PM

    Hi Folks,

    I'm trying to get my Samsung S3's running Jelly Bean (4.1.1) to connect via TLS and not having any luck. I've called in to support and worked with them to create an SSID that uses EAP-TLS. I used Microsoft's AD Certificate Services to generate user certs and copied them to the phones but can't connect. This SSID will successfully authenticate and connect a Win7 workstation using the same cert. Support spent some time looking at the problem but didn't have a ready answer, so I let them go and decided to post here instead. Here are some further specs:

    Switch - 6000 running 5.0.4.7. It's an older switch with only 256 MB of RAM, and I've been told it can't run V6.

    The cert is generated from the standard Microsoft User cert template, issued to a machine, exported as .PFX with the private key then copied to the phone and installed. The cert does appear as a published cert for the user in AD. The phone also has the Root and issuing CA certs installed on it, as does the switch.

    The phone's network configuration is:

    EAP method: TLS
    Phase 2: None
    CA certificate: the CA for the client certificate and switch server cert
    User certificate: the client certificate
    Identity: email address, username, domain\username, or UPN
    Anonymous identity: Empty
    Password: Empty

    The switch's L2 auth profile for the SSID is set to terminate authentication, with Termination EAP Type set to 'eap-tls', and Termination Inner EAP Type not selected. The server cert is selected for Server-Certificate, and I've tried selecting both the Root and Issuing server's certs for CA-Certificate.

    I saw this thread and tried converting the .PFX cert format to .PEM, but then the phone wouldn't recognize it at all...

    Here is a section of an auth trace from the Win7 workstation successfully connecting:

    Mar 21 20:52:34 station-down * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - -
    Mar 21 20:55:09 station-up * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - - wpa2 aes
    Mar 21 20:55:09 station-term-start * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 104 -
    Mar 21 20:55:09 eap-term-start -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
    Mar 21 20:55:09 station-term-start * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 104 -
    Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1477 3965
    Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1486 3965
    Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1002 3965
    Mar 21 20:55:09 client-cert verified * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - -
    Mar 21 20:55:09 cert-signature-verify -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - - verified
    Mar 21 20:55:09 client-finish -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
    Mar 21 20:55:09 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
    Mar 21 20:55:40 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
    Mar 21 20:56:09 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
    Mar 21 20:56:39 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61

    Here is a section from when the phone is attempting to connect:

    Mar 21 21:44:59 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:42 - -
    Mar 21 21:45:00 station-up * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - - wpa2 aes
    Mar 21 21:45:00 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
    Mar 21 21:45:31 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
    Mar 21 21:45:31 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
    Mar 21 21:46:03 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
    Mar 21 21:46:03 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
    Mar 21 21:46:09 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - -
    Mar 21 21:46:25 station-up * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 - - wpa2 aes
    Mar 21 21:46:25 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 104 -
    Mar 21 21:46:56 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3/Phone-Cert-dot1x - -
    Mar 21 21:46:56 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 104 -
    Mar 21 21:47:28 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3/Phone-Cert-dot1x - -
    Mar 21 21:47:28 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 104 -
    Mar 21 21:47:35 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 - -

    Anyone got any ideas? Let me know if I've not included any relevant information, and thanks!

    Ian
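The two traces above differ in one visible way: the workstation answers `eap-term-start` with `client-cert` lines and a `client-cert verified` event, while the phone only shows `eap-term-start` repeating roughly every 30 seconds and never sends a certificate, which points at the client side of the handshake rather than the controller's certificate check. The following parser is an added example, not part of the original post or of ArubaOS: it reads auth-trace lines in the layout quoted above (assumed field order: timestamp, event, direction marker, client MAC, BSSID/profile, counters; the sample lines are constructed in that format) and classifies each client's EAP-TLS attempt so the stuck stage is obvious at a glance.

```python
from collections import defaultdict

# Constructed sample lines in the layout of the post's auth trace: one
# successful workstation session and one phone session that stalls.
SAMPLE_TRACE = """\
Mar 21 20:55:09 station-up * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - - wpa2 aes
Mar 21 20:55:09 eap-term-start -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1477 3965
Mar 21 20:55:09 client-cert verified * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - -
Mar 21 20:55:09 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
Mar 21 21:45:00 station-up * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - - wpa2 aes
Mar 21 21:45:31 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 21:46:03 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 21:46:09 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - -
"""

DIRECTION_MARKERS = ("*", "->", "<-")


def parse_line(line):
    """Split one trace line into timestamp, event name and client MAC.

    The event may be several words ("client-cert verified"), so the event is
    everything between the timestamp and the direction marker. Lines with no
    marker are not trace events and yield None.
    """
    tokens = line.split()
    marker_idx = next((i for i, t in enumerate(tokens) if t in DIRECTION_MARKERS), None)
    if marker_idx is None or marker_idx < 4 or len(tokens) <= marker_idx + 1:
        return None
    return {"ts": " ".join(tokens[:3]),
            "event": " ".join(tokens[3:marker_idx]),
            "client": tokens[marker_idx + 1].lower()}


def diagnose(trace):
    """Return {client_mac: (verdict, eap_term_start_count)} per client.

    Verdicts walk the EAP-TLS stages seen in the trace: the client must send
    its certificate, the controller must verify it, and server-finish marks
    a completed handshake. A client that restarts EAP repeatedly without
    ever sending client-cert is stuck on its own side of the exchange.
    """
    events_by_client = defaultdict(list)
    for raw in trace.splitlines():
        rec = parse_line(raw)
        if rec:
            events_by_client[rec["client"]].append(rec["event"])
    verdicts = {}
    for mac, events in events_by_client.items():
        starts = events.count("eap-term-start")
        if starts == 0:
            verdict = "no-eap-started"
        elif "client-cert" not in events:
            verdict = "client-never-sent-certificate"
        elif "client-cert verified" not in events:
            verdict = "client-cert-not-verified"
        elif "server-finish" in events:
            verdict = "tls-complete"
        else:
            verdict = "handshake-incomplete"
        verdicts[mac] = (verdict, starts)
    return verdicts
```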