UAC - IC6500 - EAP-TLS and certificate verification

papageno_
Contributor

Hi all

 

I have a number of Alcatel phones authenticating to UAC with 802.1X, using EAP-TLS.  This works fine if I disable certificate checking on the user realm and role.  However, if I enable certificate checking, client certificates are rejected, even though I have installed the root certificate (provided by Alcatel) into the Trusted Client CA.  Have I missed something?

 

Here is the installed Trusted Client CA page:

[Screenshot: TrustedClientCAs.JPG]


The root-level CA in the tree above looks like this in detail on the IC6500:

 

Issued To: Alcatel Enterprise Solutions
  CN: Alcatel Enterprise Solutions
  OU: PKI Authority
  O: Alcatel
  C: FR
Issued By: Alcatel Enterprise Solutions
  CN: Alcatel Enterprise Solutions
  OU: PKI Authority
  O: Alcatel
  C: FR
Valid Dates: Sep 28 10:03:42 2005 GMT - Sep 28 10:11:08 2055 GMT
Details: Other Certificate Details
  Version: 3
  Serial: 4d:04:21:18:6d:70:a1:8b:42:b0:cc:df:37:da:51:c8
  Signature Algorithm: sha1WithRSAEncryption
  Public Key Algorithm: rsaEncryption
  Public Key Type: RSA
  Public Key Bits: 2048
  Public Key: Modulus (2048 bit): [modulus hex omitted]  Exponent: 65537 (0x10001)
  Key Usage: Certificate Sign, CRL Sign
  Basic Constraints: CA:TRUE
  Subject Key Identifier: B7:1F:4E:45:B5:00:DD:F3:C7:9A:97:62:04:08:D1:9A:4C:BA:4A:0D
  1.3.6.1.4.1.311.21.1:
  Certificate Policies: Policy: 1.3.12.2.1006.73.0.0.1
    User Notice:
      Explicit Text:
  Thumbprint Algorithm: SHA1
  Thumbprint: FA:40:F1:F2:03:AA:7C:40:35:69:4F:24:69:84:50:3C:6D:35:1


And here is the certificate received from the 802.1X supplicant, as seen in Wireshark:

[Screenshot: CertificateOnWire.JPG]

kalagesan_
Super Contributor

Re: UAC - IC6500 - EAP-TLS and certificate verification

Hi,

 

We need to see the RADIUS troubleshooting logs under the Monitoring section and the user access logs in the IC to see why the authentication is rejected. This will help us find the way forward.

 

Regards,

Kannan

papageno_
Contributor

Re: UAC - IC6500 - EAP-TLS and certificate verification

Hi Kalagesan

 

I attach three radius log files for you.  The difference is in the realm...authentication...certificate configuration.  Hopefully, the file titles help identify which is which, but if you need me to explain, let me know.

 

Many thanks for taking an interest!

 

 

kalagesan_
Super Contributor

Re: UAC - IC6500 - EAP-TLS and certificate verification

Hi,

 

Thanks for providing the logs.

 

I will have a look at this today and get back soon with my findings.

 

Regards,

Kannan

kalagesan_
Super Contributor

Re: UAC - IC6500 - EAP-TLS and certificate verification

Hi,

I have looked into the uploaded logs, where we see authentication failing with both EAP-TLS and EAP-MD5 with certificate restriction enabled.

Based on my findings I suspect that the EAP authentication based on certificate is failing due to the certificates and the way you are using them.

Please follow the below two KBs and see if that helps. If this doesn't help, please provide the IC user access and IC event logs as well.

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB10482&cat=SECURITY_PRODUCTS&actp=LIST&s...

 

http://support.microsoft.com/kb/814394


info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Could not set the auth anchor from SbrAuth
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)EAP MD5-Challenge sub-protocol received response
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Authenticating user ALCIPT with authentication method EAP-MD5-Challenge
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Request::Authenticate called. Username is ALCIPT
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Client supplies CHAP password
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)ChapRequest::ForwardCredentials
minor - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Missing or invalid client certificate
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)User ALCIPT firmly rejected by EAP-MD5-Challenge auth method
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Incorrect answer to EAP MD5 challenge ... password must have been specified incorrectly
point method .
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)-----------------------------------------------------------
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Authentication Response (reject)
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Packet : Code = 0x3 ID = 0xee
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Vector =
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)000: 5f7ea434 c2c65725 4e099858 63f61a7c |_~.4..W%N..Xc..||
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)EAP-Message (Failure, id=2) : Value =
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)000: 04020004


info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Could not set the auth anchor from SbrAuth
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)EAP-TLS authentication succeeded
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)EAP-TLS performing secondary authorization for user 00809F5B68DC
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Authenticating user 00809F5B68DC with authentication method EAP-TLS
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)EAP-TLS: Asked to begin authenticating user 00809F5B68DC
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)EAP-TLS: Credential type must be EAP
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Authenticating user 00809F5B68DC with authentication method EAP-TLS Secondary Auth
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Request::Authenticate called. Username is 00809F5B68DC
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)Client supplies NONE password
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)ClientCertRequest::ForwardCredentials
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)User 00809F5B68DC firmly rejected by EAP-TLS Secondary Auth auth method
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)EAP-TLS protocol succeeded, but no authentication method claimed ALCIPT user
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)User ALCIPT ultimately failed challenge sequence
info - [127.0.0.1] - System()[] - 2012/08/29 12:45:16 - node1 - (afdc7250)User ALCIPT being passed to Auth-Final-Response

NOTE:
Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks!!

Regards,
Kannan
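The chain check behind the "Missing or invalid client certificate" line in the EAP-TLS log above, as an added Go example that is not part of this thread or of the IC product. It builds a constructed PKI (a self-signed root named after the Alcatel CA shown in the first post, a hypothetical intermediate phone CA, and a phone certificate carrying the MAC-style name from the log) and shows that with only the root installed as a Trusted Client CA the phone certificate fails to verify, and that it passes once the intermediate is also known to the verifier. That the phones are issued from an intermediate is an assumption made here: it is one common cause of this symptom, not something the thread establishes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a constructed certificate for cn, signed by parent (self-signed when nil).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		// CA settings match the Alcatel root shown above: CA:TRUE, Certificate Sign, CRL Sign.
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // end-entity (phone) cert: signing key plus the client-auth EKU instead
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey) // constructed inputs, errors ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PhoneCertAccepted builds root -> phone CA -> phone, installs only the root as a Trusted
// Client CA and runs the IC's chain check; withIntermediate makes the phone CA available too.
func PhoneCertAccepted(withIntermediate bool) bool {
	root, rootKey := mkCert("Alcatel Enterprise Solutions", true, nil, nil)
	phoneCA, phoneCAKey := mkCert("Alcatel Phone CA (constructed)", true, root, rootKey)
	phone, _ := mkCert("00809F5B68DC", false, phoneCA, phoneCAKey)
	trusted, inters := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(root)
	if withIntermediate {
		inters.AddCert(phoneCA)
	}
	_, err := phone.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil // false with the root alone, true once the phone CA is known
}

func main() { println(PhoneCertAccepted(false), PhoneCertAccepted(true)) }
```

The same failure shows up when the supplicant sends only its own certificate and the IC has no copy of the issuing CA, so comparing the issuer in the Wireshark capture against the installed Trusted Client CAs is the quickest check.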

mlovellette_
Not applicable

Re: UAC - IC6500 - EAP-TLS and certificate verification

I was able to get the root and IP Touch certs from Alcatel but having a hard time finding the wired phones cert.  When downloading from Alcatel's website it redirects to a blank page.  How did you get yours?

papageno_
Contributor

Re: UAC - IC6500 - EAP-TLS and certificate verification

My customer requested them through their Alcatel account.  If it helps, I attach the file I received.

 

 

kalagesan_
Super Contributor

Re: UAC - IC6500 - EAP-TLS and certificate verification

Yes, this might help.

 

Regards,

Kannan