Cannot get TLS working with Android and Microsoft AD CS

Hi Folks,

I'm trying to get my Samsung S3s running Jelly Bean (4.1.1) to connect via TLS and not having any luck. I've called in to support and worked with them to create an SSID that uses EAP-TLS. I used Microsoft's AD Certificate Services to generate user certs and copied them to the phones but can't connect. This SSID will successfully authenticate and connect a Win7 workstation using the same cert. Support spent some time looking at the problem but didn't have a ready answer, so I let them go and decided to post here instead. Here are some further specs:

Switch - 6000 running 5.0.4.7. It's an older switch with only 256 MB of RAM, and I've been told it can't run V6.

The cert is generated from the standard Microsoft User cert template, issued to a machine, exported as .PFX with the private key then copied to the phone and installed. The cert does appear as a published cert for the user in AD. The phone also has the Root and issuing CA certs installed on it, as does the switch.

The phone's network configuration is:

EAP method: TLS

Phase 2: None

CA certificate: the CA for the client certificate and switch server cert

User certificate: the client certificate

Identity: email address, username, domain\username, or UPN

Anonymous identity: Empty

Password: Empty

The switch's L2 auth profile for the SSID is set to terminate authentication, with Termination EAP Type set to 'eap-tls', and Termination Inner EAP Type not selected. The server cert is selected for Server-Certificate, and I've tried selecting both the Root and Issuing server's certs for CA-Certificate.

I saw this thread and tried converting the .PFX cert format to .PEM, but then the phone wouldn't recognize it at all...

Here is a section of an auth trace from the Win7 workstation successfully connecting:

Mar 21 20:52:34 station-down * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - -
Mar 21 20:55:09 station-up * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - - wpa2 aes
Mar 21 20:55:09 station-term-start * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 104 -
Mar 21 20:55:09 eap-term-start -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 20:55:09 station-term-start * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 104 -
Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1477 3965
Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1486 3965
Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1002 3965
Mar 21 20:55:09 client-cert verified * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - -
Mar 21 20:55:09 cert-signature-verify -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - - verified
Mar 21 20:55:09 client-finish -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 20:55:09 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
Mar 21 20:55:40 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
Mar 21 20:56:09 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
Mar 21 20:56:39 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61

Here is a section from when the phone is attempting to connect:

Mar 21 21:44:59 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:42 - -
Mar 21 21:45:00 station-up * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - - wpa2 aes
Mar 21 21:45:00 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
Mar 21 21:45:31 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 21:45:31 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
Mar 21 21:46:03 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 21:46:03 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
Mar 21 21:46:09 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - -
Mar 21 21:46:25 station-up * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 - - wpa2 aes
Mar 21 21:46:25 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 104 -
Mar 21 21:46:56 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3/Phone-Cert-dot1x - -
Mar 21 21:46:56 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 104 -
Mar 21 21:47:28 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3/Phone-Cert-dot1x - -
Mar 21 21:47:28 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 104 -
Mar 21 21:47:35 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:28:e3 - -

Anyone got any ideas? Let me know if I've not included any relevant information, and thanks!

Ian
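To compare traces like the two above mechanically, here is an added Python example (example code, not from the original post or from Aruba) that parses lines in this auth-trace format, records the furthest EAP-TLS phase each station MAC reached and how many times EAP was started, and lists stations that never got as far as presenting a client certificate. The embedded log lines are copied from the post; the phase order is an assumption taken from the successful Win7 trace.

```python
import re

# Auth-trace lines copied from the post (Win7 first, then the phone), trimmed to the
# events that matter for the phase check.
TRACE = """\
Mar 21 20:55:09 station-up * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - - wpa2 aes
Mar 21 20:55:09 eap-term-start -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 20:55:09 client-cert -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x 1477 3965
Mar 21 20:55:09 client-cert verified * 00:21:6a:2a:50:60 00:1a:1e:10:21:52 - -
Mar 21 20:55:09 client-finish -> 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 20:55:09 server-finish <- 00:21:6a:2a:50:60 00:1a:1e:10:21:52/Phone-Cert-dot1x - 61
Mar 21 21:45:00 station-up * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - - wpa2 aes
Mar 21 21:45:00 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
Mar 21 21:45:31 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 21:45:31 station-term-start * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 104 -
Mar 21 21:46:03 eap-term-start -> 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52/Phone-Cert-dot1x - -
Mar 21 21:46:09 station-down * 50:cc:f8:c6:08:f7 00:1a:1e:10:21:52 - -
"""
# Phase order as seen in the successful Win7 trace (an assumption drawn from that
# trace, not an official controller state list).
PHASES = ["station-up", "station-term-start", "eap-term-start", "client-cert",
          "client-cert verified", "client-finish", "server-finish"]
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(rf"^(?P<ts>\w{{3}} +\d+ \d\d:\d\d:\d\d) (?P<event>.+?) (?:\*|->|<-) "
                  rf"(?P<sta>{MAC}) (?P<bssid>{MAC})")

def parse(trace):
    """Yield (timestamp, event, station MAC) for each line in the trace format."""
    for line in trace.splitlines():
        m = LINE.match(line)
        if m:
            yield m["ts"], m["event"], m["sta"]

def summarize(trace):
    """Per station MAC: furthest phase reached and how many times EAP was started."""
    result = {}
    for _ts, event, sta in parse(trace):
        entry = result.setdefault(sta, {"phase": None, "eap_starts": 0})
        if event == "eap-term-start":
            entry["eap_starts"] += 1
        if event in PHASES and (entry["phase"] is None
                                or PHASES.index(event) > PHASES.index(entry["phase"])):
            entry["phase"] = event
    return result

def stalled_stations(trace):
    """Stations whose EAP exchange started but never reached client-cert."""
    return sorted(sta for sta, e in summarize(trace).items()
                  if e["phase"] is not None
                  and PHASES.index(e["phase"]) < PHASES.index("client-cert"))
```

On the embedded lines `summarize(TRACE)` reports the Win7 MAC at `server-finish` after one EAP start and the phone at `eap-term-start` after two, which is the difference visible in the two traces.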
