This topic has 9 replies, 2 voices, and was last updated 2 years, 2 months ago by Jim Lathan.
May 4, 2022 at 8:43 am #107582
Greetings,
I have WTOS 5070 9.1.6 wired with 8021x open for testing.
I request a SCEP cert with only the common name $TN and MD5. Certs install themselves as (scep_cert_$TN.crt) and (scep_ca_root.crt). Chain shows OK.
I then enable 8021x and choose $TN, which shows (scep_cert_$TN.crt) once selected. Additionally, I installed the issuing cert from ISE. I get the errors below.
SSL: SSL3 alert: read (remote end reported an error):fatal:unsupported certificate
SSL:SSL3 alert: openssl_handshake-SSL_connect error:14094413 alert unsupported certificate
WLAN EAP ***** authentication failed
————————————————————————–
The ISE server shows these errors:
What am I doing wrong?
May 4, 2022 at 8:56 am #107583
What happens when you close the port?
I understand the error messages, but try closing the port.
Also, I’m assuming you have an AD object created for $TN with the terminal name for Cisco ISE to authenticate against?
May 4, 2022 at 9:31 am #107585
Tried to edit my post and it timed out.
In WMS
Under Privacy and Security>SCEP:
Common Name: Use $TN or $SN, don’t add .crt or .cer or .pfx
Under Network Configuration>Ethernet Settings>802.1x Authentication Settings
- Enable EAP Authentication: ON
- Validate Server: OFF
- Check Server: OFF
- Server Name: blank (empty)
- EAP Type: EAP-TLS (or whatever you use)
- Client Certificate Filename: scep_cert_$SN.crt
- Client Certificate Type: Machine
This is what works in my environment. What I’ve found is that leaving the Common Name as $SN or $TN doesn’t designate a certificate type (pfx, crt, cer). My certificates import as SN.pfx or TN.pfx, but when I tell it to authenticate using the Client Certificate Filename it needs to be in the format scep_cert_$SN.crt (or $TN), regardless of the imported cert showing as SN.pfx (or $TN) in my list. I think this is a legacy bug from earlier versions of ThinOS 9, when the certificate actually got imported with the common name scep_cert_$SN.crt.
Try that and see if it works for you.
May 4, 2022 at 9:48 am #107586
Thanks Brian, I’ve spent an entire day back and forth on this.
1) No I did not create a computer name in AD. Is that a requirement for EAP/TLS?
2) Close the port? My port is open aka not authenticating me. I can give the exact details once I speak to the network guy.
3) Servername “blank”: I get the error “domain suffix mismatch”. I fix this just by typing in the same name.FQDN of the ISE server and it shuts up.
4) I do not append a .crt or .pfx to anything. The details I gave above are exactly what I have. The system appends .crt to both and installs. The 8021x cert shows up as .pfx when browsing to it but changes to scep_cert_$TN.crt when reviewing the settings.
I’m not 100% following you in the last paragraph but I think we’re on the same path.
May 4, 2022 at 10:10 am #107589
RE: 1) No I did not create a computer name in AD. Is that a requirement for EAP/TLS?
I’m not sure if it’s required for your environment; it is for mine. Our Cisco ISE server is set up to look at a specific AD group to see if the object SN is listed; if it’s listed and matches the certificate SN, it passes 802.1x.
When you do 802.1x enrollment in WMS under Privacy and Security do you have “Select Install CA Certificate” ON? Check with your network guys that the Cisco ISE is looking at the correct certificate chain and any intermediate certificates needed for the authentication process and that you have them installed. The error looks like there is an unsupported certificate.
Also make sure the time on the thin client is synced with whatever your internal time server is; if the time is off, the certificates will be out of sync. I’ve seen that before too, where the time/date resets itself to sometime in 2012 and the certificates are at a time in the future and not valid.
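The thin client's log above says the alert was read from the remote end, i.e. ISE rejected the certificate the client presented. The checks Brian lists (the cert chains to the installed CA, the CN is the terminal name used in the 802.1x settings, the client clock is inside the validity window) plus the one the alert name points at (the cert must allow TLS client authentication) can be run ahead of time on an admin workstation with OpenSSL. The script below is an added example, not from this thread, Dell or Cisco: it builds a constructed lab CA and two constructed terminal certificates (one with the clientAuth EKU, one without) and runs the same pre-flight check over both, including a simulated client clock reset to 2012. The terminal name WT0123, the CA name and all file names are assumptions; substitute the exported scep_cert_$TN.crt and scep_ca_root.crt files.

```shell
#!/bin/sh
# Added example (not from the forum thread): pre-flight check for an EAP-TLS
# client certificate, run on any host with OpenSSL. Constructed inputs only.
set -e

# check_eap_tls_client_cert CERT CA_CHAIN EXPECTED_CN [EPOCH]
# Prints the first failing check and returns non-zero; returns 0 if all pass.
# EPOCH (optional) is the client's clock to evaluate the chain at; defaults
# to now. This is how a thin client whose clock reset to 2012 looks to ISE.
check_eap_tls_client_cert() {
    cert=$1 chain=$2 expected_cn=$3
    at=${4:-$(date +%s)}
    # 1. Chain + validity window: the cert must validate against the CA the
    #    authenticator trusts, at the time the client believes it is.
    if ! openssl verify -CAfile "$chain" -attime "$at" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain/validity: $cert does not verify against $chain at epoch $at"
        return 1
    fi
    # 2. Subject CN must equal the terminal name configured on the client.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed 's/^subject=//; s/.*CN=\([^,]*\).*/\1/')
    if [ "$cn" != "$expected_cn" ]; then
        echo "FAIL cn: got '$cn', expected '$expected_cn'"
        return 2
    fi
    # 3. Extended Key Usage must permit TLS client authentication; a cert
    #    without it is exactly what an "unsupported certificate" alert names.
    if ! openssl x509 -in "$cert" -noout -text | grep -q "TLS Web Client Authentication"; then
        echo "FAIL eku: $cert has no clientAuth extended key usage"
        return 3
    fi
    # 4. Signature algorithm: MD5-signed certificates are refused by current
    #    TLS stacks, so surface that here rather than in a handshake alert.
    if openssl x509 -in "$cert" -noout -text | grep "Signature Algorithm" | grep -qi md5; then
        echo "FAIL sigalg: $cert is MD5-signed"
        return 4
    fi
    echo "OK $cert"
    return 0
}

# --- constructed lab CA and terminal certificates (assumed names) ---
lab=$(mktemp -d); trap 'rm -rf "$lab"' EXIT
cat > "$lab/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server_only]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF
CA=$lab/scep_ca_root.crt                  # stands in for the installed root
GOOD=$lab/scep_cert_WT0123.crt            # clientAuth EKU: should pass
BAD=$lab/scep_cert_WT0123_server_only.crt # serverAuth only: should fail
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$lab/ca.key" -out "$CA" -days 2 \
    -subj "/CN=Lab Issuing CA" -config "$lab/ext.cnf" -extensions v3_ca 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$lab/tc.key" -out "$lab/tc.csr" \
    -subj "/CN=WT0123" -config "$lab/ext.cnf" 2>/dev/null
openssl x509 -req -in "$lab/tc.csr" -CA "$CA" -CAkey "$lab/ca.key" -CAcreateserial \
    -days 1 -out "$GOOD" -extfile "$lab/ext.cnf" -extensions v3_client 2>/dev/null
openssl x509 -req -in "$lab/tc.csr" -CA "$CA" -CAkey "$lab/ca.key" -CAcreateserial \
    -days 1 -out "$BAD" -extfile "$lab/ext.cnf" -extensions v3_server_only 2>/dev/null

# Run the check over both certs, then over the good cert as seen from a
# client whose clock reset to 2012-01-01 UTC (epoch 1325376000).
for c in "$GOOD" "$BAD"; do
    check_eap_tls_client_cert "$c" "$CA" WT0123 || true
done
check_eap_tls_client_cert "$GOOD" "$CA" WT0123 1325376000 || true
```

Against real files, pass the exported client cert, the CA file the thin client actually has installed, and the $TN value from WMS; a failure in step 1 with the default clock points at the chain (missing intermediate, wrong root), a failure in step 1 only with an old epoch reproduces the clock-drift case, and a failure in step 3 means the SCEP template issued a certificate the authenticator cannot accept for client authentication.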
May 4, 2022 at 10:29 am #107590
My network guy says ISE is not checking for AD objects.
I have a screenshot of a list of certificates within ISE. The blue highlighted certs are the ones I have installed on the ThinPC. It’s the issuing and the root. (My root was from SCEP but they look the same to me). The issuing was copied straight from ISE.
Also note, I’ve been testing these settings on the local ThinPC but I do have WMS set to install certs automatically.
May 4, 2022 at 10:47 am #107592
Maybe try the root certificate from the ISE and adjust “Select Install CA Certificate” to OFF.
Not sure what the issue is, but the errors seem to point to something in the certificate chain.
May 4, 2022 at 10:49 am #107593
Time/date is spot on.
May 4, 2022 at 10:50 am #107594
I’ll give that a shot.
May 5, 2022 at 3:53 am #107603
No luck. I added the ISE server cert NMP and the issuing cert that it was issued by (“issuing CA”) into the ThinPC. The ISE server is set up for EAP Authentication as shown in the screenshot.