PEAP not working with server certificate from Globalsign


Post by Thomas » Wed, 27 Jul 2005 16:13:04


Hey guys,

A customer has ordered a server certificate from Globalsign to use on his
Cisco ACS radius server.
Immediately upon receiving the server certificate, I noticed the Enhanced
Key Usage (=Server Authentication) field (OID 1.3.6.1.5.5.7.3.1) was not
there, which scared me as Microsoft list this field as a requirement for
client workstations to validate the server certificate (see
http://www.yqcomputer.com/ ;en-us;814394).

XP workstations should authenticate using PEAP-MSchapv2 but fail to do so.
Using a network sniffer, I see XP is sending an EAP message "TLS encrypted
alert".
The ACS server is responding with a RADIUS/Access/Reject & the access point
is then sending an EAP failure message.
Enabling tracing on XP, I see some interesting information in EAPOL.LOG such
as:
[2608] 10:59:29:285: ElSetEapUserInfo: Invalid blob data
[2608] 10:59:29:285: ElEapWork: Saved EAP data for user
[2608] 10:59:29:285: ElEapWork: Authentication FAILED
[2608] 10:59:29:285: Setting state AUTHENTICATING for port Carte Mini-PCI réseau sans fil TrueMobile 1300 de Dell - Packet Scheduler Miniport
[2608] 10:59:29:285: FSMAuthenticating completed for port Carte Mini-PCI réseau sans fil TrueMobile 1300 de Dell - Packet Scheduler Miniport
[2608] 10:59:29:285: TIMER: Restart PCB Time: 2097148
[2608] 10:59:29:285: ElProcessEapFail: Got EAPCODE_Failure
[2608] 10:59:29:335: FSMHeld: EAP authentication failed with error 0x30a
[2608] 10:59:29:335: FSMHeld[SSID]: Deleting user creds info on failure ...

Do you have any idea what is the problem? Is the cause of all this the
missing "Server Authentication" EKU in the server certificate?
I know MS has partnered with Verisign to deliver WLAN server certificate ...
Do you know if Globalsign is able to supply that kind of certificate too?

Thx for your attention,

Cheers,

/T

Post by Thomas » Thu, 28 Jul 2005 05:02:14

Somehow I think the post was never delivered. Sorry for double posting ...

Post by FenderAx » Wed, 03 Aug 2005 15:47:27

Your setup isn't clear -- you say you're using a Cisco RADIUS server? I
think you have to be using MS IAS W2K3 to use PEAP. And yes, the IAS server
cert must have the server authentication purpose in order for it to work
properly. (The customer might have bought a cert with the "All" purpose
thinking that would cover all purposes, but it doesn't work that way -- the
cert has to have the server cert purpose in EKU extensions. The All purpose
has a different OID. Not sure since you didn't mention the purposes the
cert does have.)

"Thomas K" < XXXX@XXXXX.COM > wrote in

Post by Thomas » Thu, 04 Aug 2005 06:07:38

Hey,

I am indeed using Cisco radius and NO, MS IAS is not required :-)
Are you aware of a cert provider supporting that EKU?

/T

"FenderAxe" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...

Post by James McIl » Fri, 05 Aug 2005 05:23:34

"Thomas K" < XXXX@XXXXX.COM > wrote in



Hi Thomas!

Verisign certs work well in this deployment scenario.



--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Post by Thomas » Sat, 06 Aug 2005 14:17:43

James,

I read MS recommends WLAN server certificate but the customer already has
one from Globalsign...
What would you think about disabling - on all wifi clients - the certificate
server check?

/T

Post by James McIl » Sun, 07 Aug 2005 04:45:11

"Thomas K" < XXXX@XXXXX.COM > wrote in



Hi Thomas --

Well if you configure clients so that they do not authenticate the IAS
server, it sort of defeats a lot of the purpose and security advantages of
deploying PEAP, so I couldn't really recommend that approach.

I think the first thing I would try is to examine the Globalsign
certificate and try to identify if or why it is not meeting the minimum
server certificate requirements for IAS. (I think you are already aware of
these from previous posts, but just in case you don't, you can find the
requirements in the IAS Help topic "Network access authentication and
certificates," which is also on the Web at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx)

To check whether the Globalsign cert is usable by IAS, just go into the
remote access policy profile, and check the properties on the
Authentication tab. If the Globalsign cert is correctly configured, IAS
will have selected it by default to use with this remote access policy. (If
it is not there, then it is either in the wrong certificate store or it is
misconfigured. Make sure it is in the Local Computer store. If you find it
elsewhere, don't drag and drop it to the right place, export it and then
import it. Drag and drop, if you do that, will look like it works, but it
doesn't -- the private keys are not moved when you drag and drop.)

In short, to see if the cert is misconfigured for IAS server
authentication, make sure the cert has the Server Authentication purpose in
Enhanced Key Usage extensions.

In Subject name format, there should be a value other than None.

Also verify that the server certificate is configured with a required
cryptographic service provider (CSP) value of Microsoft RSA SChannel
Cryptographic provider.

In addition, if the cert uses the Subject Alternative Name (SubjectAltName)
extension, it must contain the FQDN of the IAS server.

With PEAP and EAP-TLS, IAS servers display a list of all installed
certificates in the computer's certificate store, with the following
exceptions:

-Certificates that do not contain the server Authentication purpose in EKU
extensions are not displayed.

-Certificates that do not contain a Subject name are not displayed.

-Servers do not display registry-based and smart card-logon certificates.

In closing...

If there is a problem with the cert, I would then contact Globalsign and
see if they can revoke your customer's current cert and issue a new one
that meets the IAS requirements.

I will be offline for two weeks so if you post again during that time
period I will respond when I return. (Maybe one of the other guys can help
out though.)

Good luck Thomas!



--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
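The checks James lists above (Server Authentication in Enhanced Key Usage, and the RADIUS server's FQDN in SubjectAltName when that extension is present), together with FenderAx's point that the "All purposes" value is a different OID from Server Authentication, can be run against the certificate file before anyone touches the clients. What follows is an added example written for this page; it is not code from the thread, from Microsoft or from Cisco. It walks the certificate's DER structure with a small standard-library decoder (no full X.509 parser) and reports which requirement a validating XP supplicant would trip on. The names `check_peap_server_cert`, `build_sample_cert` and the host `acs.example.test` are assumptions for the demonstration, and the sample certificate is a constructed, unsigned skeleton; to inspect a real certificate, read the DER bytes of the binary `.cer` file and pass them to `check_peap_server_cert` with the ACS server's FQDN. The Subject name and CSP requirements James also mentions are store- and key-level properties and are not covered here.

```python
# Added example: minimal DER walker applying the thread's PEAP server-certificate checks.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth, the EKU a Windows supplicant requires
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage, the "All purposes" value (a different OID)
EKU_EXT, SAN_EXT = "2.5.29.37", "2.5.29.17"  # id-ce-extKeyUsage, id-ce-subjectAltName

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        yield tag, val

def decode_oid(raw):
    """OID content octets to dotted form: 2b 06 01 05 05 07 03 01 -> 1.3.6.1.5.5.7.3.1."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base-128 arcs, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def find_extension(der, oid):
    """extnValue (OCTET STRING content) of extension `oid`, or None if the cert lacks it.
    Extension ::= SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue OCTET STRING }."""
    for tag, val in _children(der):
        if not tag & 0x20:  # primitive node: nothing to descend into
            continue
        kids = list(_children(val))
        if tag == 0x30 and kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == oid:
            return kids[-1][1]
        if (found := find_extension(val, oid)) is not None:
            return found
    return None

def eku_oids(der):
    """Dotted EKU OIDs, or None when the certificate has no EKU extension at all."""
    value = find_extension(der, EKU_EXT)
    if value is None:
        return None
    _, seq, _ = _read_tlv(value, 0)  # ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId
    return [decode_oid(v) for t, v in _children(seq) if t == 0x06]

def san_dns_names(der):
    """dNSName entries ([2] IA5String) of SubjectAltName, or None when there is no SAN."""
    value = find_extension(der, SAN_EXT)
    if value is None:
        return None
    _, seq, _ = _read_tlv(value, 0)  # GeneralNames ::= SEQUENCE OF GeneralName
    return [v.decode("ascii") for t, v in _children(seq) if t == 0x82]

def check_peap_server_cert(der, server_fqdn):
    """Reasons a validating Windows supplicant would refuse this PEAP server certificate."""
    eku, names, problems = eku_oids(der), san_dns_names(der), []
    if eku is None:
        problems.append("no extendedKeyUsage extension")
    elif SERVER_AUTH not in eku:  # "All purposes" alone is not Server Authentication
        problems.append("extendedKeyUsage lacks id-kp-serverAuth (1.3.6.1.5.5.7.3.1)")
    if names is not None and server_fqdn not in names:
        problems.append("subjectAltName does not list " + server_fqdn)
    return problems

# Constructed sample input (an assumption, not a real certificate): a tiny DER encoder builds
# an unsigned v3 skeleton so the checks above can be exercised offline.
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))

def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName."""
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))

def build_sample_cert(eku, fqdn="acs.example.test", subject_cn="acs.example.test"):
    """Unsigned v3 certificate skeleton with the given EKU OID list (None = no EKU extension)."""
    san = _tlv(0x30, _oid(SAN_EXT) + _tlv(0x04, _tlv(0x30, _tlv(0x82, fqdn.encode()))))
    ext = b"" if eku is None else _tlv(0x30, _oid(EKU_EXT) + _tlv(0x04, _tlv(0x30, b"".join(map(_oid, eku)))))
    sha1_rsa = _tlv(0x30, _oid("1.2.840.113549.1.1.5"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha1_rsa + _name("Sample CA")
           + _tlv(0x30, _tlv(0x17, b"050101000000Z") + _tlv(0x17, b"060101000000Z")) + _name(subject_cn)
           + _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1")) + _tlv(0x03, b"\x00"))  # placeholder SPKI
           + _tlv(0xA3, _tlv(0x30, san + ext)))  # [3] extensions
    return _tlv(0x30, _tlv(0x30, tbs) + sha1_rsa + _tlv(0x03, b"\x00"))
```

Running `check_peap_server_cert(build_sample_cert([ANY_EKU]), "acs.example.test")` reproduces the situation FenderAx describes: the certificate carries an EKU extension, but the only purpose in it is anyExtendedKeyUsage, so the serverAuth check fails; `build_sample_cert(None)` models a certificate with no EKU extension at all, which is what Thomas saw in the Globalsign certificate.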
 
 
 


Post by Thomas » Tue, 09 Aug 2005 15:20:20

Hello James,

Thanks for your reply,

You correctly pointed out that I read the minimum requirements for the
certificates to be used by IAS.
I also thought - correct me if I am wrong here??? - that those requirements
applied to Windows supplicants. Meaning that the minimum cert requirements
had to be met for a Windows supplicant to validate the certificate???

I am not using MS IAS as radius server but Cisco ACS. The problem is not in
the radius server itself, it is in the supplicant I believe.

I'll try & get a cert from Verisign but I would be interested in your
feedback anyways :-)

Regards,

/Thomas

"James McIllece [MS]" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...

Post by Thomas » Wed, 24 Aug 2005 19:51:17

Hello?
"James McIllece [MS]" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...

Post by James McIl » Thu, 25 Aug 2005 03:38:03

"Thomas K" < XXXX@XXXXX.COM > wrote in
news: XXXX@XXXXX.COM :


Hi Thomas --

Sorry for the delay in my response, I was out of town.

Yeah I guess I am missing something here -- you say you are not using IAS
as a RADIUS server and you are not using Windows clients, so my previous
comments about the cert requirements do not apply; they only apply if you
are using Windows Server 2003 IAS and Windows clients.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Post by Thomas » Thu, 25 Aug 2005 04:01:16

Hey,

Supplicants are XP
Server is Cisco

T

"James McIllece [MS]" < XXXX@XXXXX.COM > wrote in message
news: XXXX@XXXXX.COM ...

Post by James McIl » Thu, 25 Aug 2005 07:27:52

"Thomas K" < XXXX@XXXXX.COM > wrote in
news: XXXX@XXXXX.COM :


OK, if the clients are XP (and if you have them configured to validate the
server cert) then they are going to examine the server certificate in order
to authenticate the server, and the cert must meet the minimum server
certificate requirements as described in that article I mentioned
previously ("Network access authentication and certificates" in Windows
Server 2003 IAS or VPN Help, or on the web at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx.)

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Post by Thomas » Thu, 25 Aug 2005 14:27:09

Hello James,

That is indeed what I thought. So what I have done on the XP supplicants is
disable the validation of the server certificate (which was issued by
Globalsign without the proper EKU). This leads me to two questions:

1/ How can this disabling process be automated?
1A/ What is the registry key controlled by this process?
1B/ Can WZC be scripted? If yes, how? How long would it take, according
to you, to develop a script for WZC that does that?

2/ Microsoft has developed a partnership with Verisign regarding WLAN
server certificate? Is Verisign also able today to deliver WLAN server
certificate to non Microsoft (non IAS) radius servers such as Cisco ACS? Are
you aware of the procedure (with Verisign) to request a WLAN server
certificate for a non IAS radius server? Any contact at Verisign that you
could share?

Regards,

Thomas

Post by James McIl » Fri, 26 Aug 2005 08:59:16

"Thomas K" < XXXX@XXXXX.COM > wrote in




Hi Thomas --

I am not familiar with Verisign policies or capabilities of their products
other than their server certs.

I believe that if you are using WS03 with SP1 you can configure the
Validate server certificate option on wireless clients using Group Policy.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.