Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

.1X auth of wired clients with EAP-TLS using Freeradius

  • 1.  .1X auth of wired clients with EAP-TLS using Freeradius

    Posted Aug 15, 2016 06:03 AM

    We are currently using EAP-TLS for user authentication over wireless and it works fine, but extending that to wired ports on RAPs is causing me big problems and I can't seem to be able to authenticate a user, no matter what I try. I do admit I'm not that good with certs so it's probably something banal that's preventing me from finishing this.

    Anyway I have set up the wired-port-profile with an aaa profile and the wired-ap-profile that is untrusted, which I understand should force AAA authentication of a device connected on the port. And that's what it does: when I connect my Mac to a port on the AP it prompts me for a cert.

    I have also set up the wired aaa profile to the same thing as the wired-port-profile.

    The aaa profile has an initial role set to deny all and, after authentication, a permit all. It also has a dot1x profile configured, which I think is what needs to be set up in a proper way for it to work. The whole config is pasted below.


    #show ap wired-port-profile lms-untrusted_access_tunnel_Employee-wired_port_prof

    AP wired port profile "lms-untrusted_access_tunnel_Employee-wired_port_prof"
    ----------------------------------------------------------------------------
    Parameter Value
    --------- -----
    Wired AP profile lms-untrusted_access_tunnel_601-Employee-wired_ap_prof
    Ethernet interface link profile default
    AP LLDP profile default
    Shut down No
    Remote-AP Backup Enabled
    AAA Profile lms-RAP_user-aaa_prof
    Bridge Role N/A
    Time to wait for authentication to succeed 20 sec
    Spanning Tree Disabled


    #show ap wired-ap-profile lms-untrusted_access_tunnel_601-Employee-wired_ap_prof

    Wired AP profile "lms-untrusted_access_tunnel_601-Employee-wired_ap_prof"
    -------------------------------------------------------------------------
    Parameter Value
    --------- -----
    Wired AP enable Enabled
    Trusted Not Trusted
    Forward mode tunnel
    Switchport mode access
    Access mode VLAN 1
    Trunk mode native VLAN 1
    Trunk mode allowed VLANs 1-4094
    Broadcast Broadcast


    #show aaa profile lms-RAP_user-aaa_prof

    AAA Profile "lms-RAP_user-aaa_prof"
    -----------------------------------
    Parameter Value
    --------- -----
    Initial role lms-RAP_user-init_role
    MAC Authentication Profile N/A
    MAC Authentication Default Role guest
    MAC Authentication Server Group default
    802.1X Authentication Profile lms-RAP_user-dot1x_auth
    802.1X Authentication Default Role lms-RAP_user-post_1x_role
    802.1X Authentication Server Group lms-RAP_user-svg
    Download Role from CPPM Disabled
    L2 Authentication Fail Through Disabled
    Multiple Server Accounting Disabled
    User idle timeout N/A
    Max IPv4 for wireless user 2
    RADIUS Accounting Server Group N/A
    RADIUS Interim Accounting Disabled
    XML API server N/A
    RFC 3576 server N/A
    User derivation rules N/A
    Wired to Wireless Roaming Enabled
    SIP authentication role N/A
    Device Type Classification Enabled
    Enforce DHCP Disabled
    PAN Firewall Integration Disabled
    Open SSID radius accounting Disabled


    user-role lms-RAP_user-init_role
    access-list session global-sacl
    access-list session apprf-lms-RAP_user-init_role-sacl
    access-list session blockandlog
    !

    user-role lms-RAP_user-post_1x_role
    access-list session global-sacl
    access-list session apprf-lms-RAP_user-post_1x_role-sacl
    access-list session allowall
    !

    aaa authentication wired
    profile "lms-RAP_user-aaa_prof"
    !

    As I mentioned, the users aren't getting authenticated, and there are 2 ways I have gone about this.

    - First, I have not set any termination in the dot1x profile, which causes authentication to fail, with the log on the server saying that the EAP type could not be determined. The EAP-Type offered to the FR server was "EAP-Type": "Identity", not "EAP-Type": "EAP-TLS". The auth-tracebuff shows an eap-failure with the certificate rejected message.

    - Second, I enable Termination and for type choose eap-tls, which causes the credentials to not even get passed to the FR server. The auth-tracebuff shows the following:

    Aug 15 09:29:57 station-up * MAC1 MAC2 - - wired station
    Aug 15 09:29:57 station-term-start * MAC1 MAC2 1 -
    Aug 15 09:30:00 client-cert -> MAC1 MAC2/lms-RAP_user-dot1x_auth 1261 5047
    Aug 15 09:30:00 client-cert -> MAC1 MAC2/lms-RAP_user-dot1x_auth 1270 5047
    Aug 15 09:30:00 client-cert -> MAC1 MAC2/lms-RAP_user-dot1x_auth 1270 5047
    Aug 15 09:30:00 client-cert -> MAC1 MAC2/lms-RAP_user-dot1x_auth 1246 5047
    Aug 15 09:30:00 client-finish -> MAC1 MAC2/lms-RAP_user-dot1x_auth - - client cert verification failed

    I have a feeling I'm missing a certificate somewhere, but I don't know much about that.

    Any help is welcome



  • 2.  RE: .1X auth of wired clients with EAP-TLS using Freeradius

    Posted Aug 16, 2016 05:10 AM

    My understanding of the key points to remember with certificates when doing EAP-TLS is:

    - The RADIUS server must have a certificate that is trusted by the users accessing the wireless service (subject to it not being disabled on the client). If this is an internally signed certificate, the root and intermediary certificates used must be trusted on the client device.

    - The certificate being used for EAP-TLS user authentication (presented by the client) should be validated by the RADIUS server, which usually means the RADIUS server should have the signing root and any intermediary certificates trusted.

    If the user in question can successfully authenticate using EAP-TLS user authentication on the wireless but not on the wired port on the RAP, it is unlikely to be certificate related.

    Hope this helps.
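Both posts above turn on the same check: whichever side terminates the EAP-TLS handshake (the RADIUS server, or the controller when termination is enabled as in the second attempt in the question) must be able to chain the client's certificate to a CA it trusts, including any intermediate. The script below is an added example, not code from the thread or from Aruba or FreeRADIUS, that reproduces that check offline with the openssl CLI; the CA and user names and the file names (root.pem, issuing.pem, bundle.pem) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the openssl CLI is installed.
# Every certificate here is constructed throwaway test material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Generate a P-256 key and a CSR for the given name and subject (output silenced).
csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Two-tier PKI like most enterprise deployments: root CA -> issuing CA -> user cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
csr root "/CN=Example Root CA"
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext \
  -out root.pem 2>/dev/null
csr issuing "/CN=Example Issuing CA"
openssl x509 -req -days 1 -in issuing.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out issuing.pem 2>/dev/null

# End-entity certificate as a supplicant would present it during EAP-TLS.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > user.ext
csr user "/CN=user@example.test"
openssl x509 -req -days 1 -in user.csr -CA issuing.pem -CAkey issuing.key \
  -CAcreateserial -extfile user.ext -out user.pem 2>/dev/null

# The check the terminating side performs: chain the presented certificate to a
# trusted CA and confirm it is usable for client authentication.
# Prints "ok" or "failed" so the result can be captured by a caller.
verify_client_cert() {  # $1 = trust-store PEM file, $2 = client certificate
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo failed
  fi
}

# Trust store holding only the root: the issuing CA is unknown, so no chain can
# be built. This is the "client cert verification failed" condition.
verify_client_cert root.pem user.pem
# Trust store holding root and intermediate concatenated: the chain completes.
# A bundle like this is what the terminating device's CA trust store needs.
cat root.pem issuing.pem > bundle.pem
verify_client_cert bundle.pem user.pem
```

Running it prints "failed" for the root-only store and "ok" for the bundle; the same root-only gap on the RADIUS server (or on the controller with termination enabled) is the first thing to rule out when a user certificate is rejected on one path but accepted on another.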