Connecting Cisco WLC9800 to TekRadius 5.7 for 802.1x ONLY


Daniel Weatherman

Apr 11, 2024, 11:47:48 AM
to KaplanSoft TekRADIUS
I am looking for any assistance on connecting Cisco Wireless LAN Controllers to the RADIUS server for 802.1x certificate authentication ONLY. I currently have an existing Meraki infrastructure using our certificate that we uploaded into the Meraki dashboard. I am using TekRadius 5.7 on a Windows 2019 Server, which required a pfx or p12 key, neither of which I have. The key we uploaded to Meraki is a PEM with no private key. I want to transfer the cert into the Windows server; however, it looks like the TekRadius 5.7 app only recognizes certs with private and public keys in the Windows Certificate store. Is there a solution for this?

Secondly, is there a document on how to configure TekRadius 5.7 for 802.1x ONLY. The server I host on is in AWS with one network adapter. The closest instructions I found were for EAP-TLS and required the server to have a Wireless network card (which is just silly). 

Any help would be greatly appreciated. 

Thanks,
Daniel 

Yasin KAPLAN

Apr 11, 2024, 12:12:22 PM
to KaplanSoft TekRADIUS
Hi,

You need to have a server certificate for the EAP-TLS, EAP-TTLS or PEAP authentication methods. This means you need to have an X.509 certificate with its associated private key. You can use any certificate created/signed for the server authentication purpose by a certificate authority recognized by your clients. Please note that Windows clients do not accept wildcard server certificates. You can consider using some other certificate or a new certificate if you do not have the private key of the existing certificate.

EAP-TLS also requires clients to have their own certificate created/signed for client authentication. Client certificates must be signed by a certificate authority recognized by the server on which TekRADIUS is installed. This means the root CA and related intermediate certificates must be installed in the Windows Certificate Store / Local Machine / Trusted Root Certification Authorities folder.

EAP-TLS does require a special configuration in TekRADIUS. You need to create client entries for your access devices (WLAN controllers, Ethernet switches etc.) in the Clients tab of the TekRADIUS Manager. You can limit allowed certificate authorities for the client certificates by adding TLS-Allowed-CA attribute as a check attribute to the Default user group in TekRADIUS:

[Screenshot: Untitled.png]

You can also limit allowed authentication method to EAP-TLS only as shown above.

Best regards,

Yasin KAPLAN
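The prerequisites in the reply above (a server certificate with its private key, client certificates chaining to a CA the TekRADIUS host trusts, no wildcard server certificate, a DER copy of the CA for support) can be checked on the Windows host with the following added example. It is not code from the thread or from KaplanSoft; file paths, the store used for intermediates (Cert:\LocalMachine\CA) and the PFX password handling are assumptions, and the EKU OIDs are the standard serverAuth/clientAuth values.

```powershell
# Added example, not from the thread or from KaplanSoft: PowerShell checks for
# the EAP-TLS certificate prerequisites, run on the Windows host that runs
# TekRADIUS. Paths and the intermediate store are assumptions.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# A PEM that only carries a certificate (what a dashboard export usually is)
# has no private key and cannot serve as the EAP server certificate.
function Test-PemHasPrivateKey {
    param([Parameter(Mandatory)][string]$Path)
    $pem = Get-Content -Path $Path -Raw
    return [bool]($pem -match '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----')
}

# Install the server PFX (certificate + private key) into LocalMachine\My, the
# root into Trusted Root Certification Authorities and intermediates into
# Intermediate Certification Authorities (Cert:\LocalMachine\CA).
function Install-EapServerCertificates {
    param(
        [Parameter(Mandatory)][string]$PfxPath,          # e.g. C:\certs\radius.pfx (assumption)
        [Parameter(Mandatory)][SecureString]$PfxPassword,
        [Parameter(Mandatory)][string]$RootCerPath,      # e.g. C:\certs\Procore_PUB_CA_Cert.cer
        [string[]]$IntermediateCerPaths = @()
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
        -Password $PfxPassword | Out-Null
    Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    foreach ($p in $IntermediateCerPaths) {
        Import-Certificate -FilePath $p -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
    }
}

# Server certificates that actually qualify: private key present, serverAuth
# EKU, not a wildcard (Windows supplicants refuse those) and a chain that
# builds to a trusted root. Anything else in LocalMachine\My will not do.
function Get-UsableEapServerCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.Subject -notmatch 'CN=\*') -and
        (Test-Certificate -Cert $_ -Policy BASE -EKU $serverAuthOid -ErrorAction SilentlyContinue)
    }
}

# Check a client certificate (public part exported from the supplicant) the
# way the RADIUS server has to: it must chain to a root this machine trusts
# and carry clientAuth. Issuer is the CA name an allow-list would match on.
function Test-EapClientCertificate {
    param([Parameter(Mandatory)][string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $chains = Test-Certificate -Cert $cert -Policy BASE -EKU $clientAuthOid -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        NotAfter            = $cert.NotAfter
        ChainsToTrustedRoot = [bool]$chains
    }
}

# Export a CA's public certificate as DER (.cer/.der), the form support asks for.
function Export-CaCertificateDer {
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$OutPath)
    $ca = Get-Item -Path "Cert:\LocalMachine\Root\$Thumbprint"
    Export-Certificate -Cert $ca -FilePath $OutPath -Type CERT | Out-Null
}

# Usage:
# Test-PemHasPrivateKey -Path C:\certs\meraki-export.pem     # False for a cert-only PEM
# Get-UsableEapServerCertificate | Select-Object Subject, Thumbprint, NotAfter
# Test-EapClientCertificate -CerPath C:\certs\intune-client.cer
```

Run it in an elevated session: LocalMachine stores are not writable otherwise. Test-EapClientCertificate is the useful pre-check before pointing a WLC at the server, because a client certificate that does not build a chain on this host will be rejected no matter how the RADIUS client entry or the group check attributes are set.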

Daniel Weatherman

Apr 11, 2024, 2:47:01 PM
to Yasin KAPLAN, KaplanSoft TekRADIUS
Here are the screen shots of my configuration: 

[Screenshot: Screenshot 2024-04-11 at 13.27.10.png]
[Screenshot: Screenshot 2024-04-11 at 13.27.48.png]

On Thu, Apr 11, 2024 at 1:25 PM Daniel Weatherman <daniel.w...@procore.com> wrote:
This is the error I receive in the logs from the Radius Server when attempting to connect now, Any suggestions?

_______________________________

11.04.2024 18:22:02.124 - TLS session is established [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS version: 1.2] (default, User: 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com').

11.04.2024 18:22:02.124 - EAP-TLS Challenge sent for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' [4 (67), 327611f692977c33da29178ef52e4c4e].

11.04.2024 18:22:02.186 - EAP-TLS Authentication is successful

11.04.2024 18:22:02.186 - RadAuth req. from 172.16.163.8:61112 [UDP]

 Size             : 518
 Identifier       : 68
 Unknown or Dis.  : (14179)|1
 Attributes       :

 User-Name = host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com
 Service-Type = 2
 Cisco-AVPair = service-type=Framed
 Framed-MTU = 1485
 NAS-IP-Address = 172.16.163.8
 NAS-Port-Type = 19
 NAS-Port = 200018
 State = 327611f692977c33da29178ef52e4c4e
 Called-Station-Id = 60-b9-c0-02-33-40:lab-test
 Calling-Station-Id = 4c-77-cb-aa-98-9e
 NAS-Identifier = austin1-18-wlc-1
 WLAN-Group-Cipher = 1027076
 WLAN-Pairwise-Cipher = 1027076
 WLAN-AKM-Suite = 1027075
 WLAN-Group-Mgmt-Cipher = 1027078

11.04.2024 18:22:02.186 - No local user profile is found for 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com', looking for the default user profile (A).

11.04.2024 18:22:02.186 - Cached check attributes for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' read - (default).

11.04.2024 18:22:02.186 - EAP-TLS Authentication commencing for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' [7 (68)]

11.04.2024 18:22:02.186 - Check items control for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' - Start (TLS) [Group: 'default'].

11.04.2024 18:22:02.186 - EAP-TLS authentication is failed for 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' since certificate authority '' for the client certificate is not allowed.

11.04.2024 18:22:02.186 - Check items control for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' - Stop (Failure) [Group: 'default'].

--

Daniel Weatherman
Principal Network Engineer
daniel.w...@procore.com | procore.com
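The attribute dump and the failure line above, decoded with an added PowerShell example that is not from the thread or from KaplanSoft. The sample text is copied from the post; the value tables come from RFC 2865 (Service-Type, NAS-Port-Type) and RFC 7268, which carries the IEEE 802.11 suite selectors (OUI 00-0F-AC plus a one-byte suite type) as 32-bit integers. The hint printed for an empty CA name is this example's reading of the thread, not a TekRADIUS diagnostic.

```powershell
# Added example, not from the thread or from KaplanSoft: decode the RADIUS
# attribute dump and the TekRADIUS rejection line. Sample lines are copied
# from the post; tables are from RFC 2865 / RFC 7268 (IEEE 802.11 selectors).

$sampleDump = @'
 User-Name = host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com
 Service-Type = 2
 NAS-Port-Type = 19
 Called-Station-Id = 60-b9-c0-02-33-40:lab-test
 Calling-Station-Id = 4c-77-cb-aa-98-9e
 NAS-Identifier = austin1-18-wlc-1
 WLAN-Group-Cipher = 1027076
 WLAN-Pairwise-Cipher = 1027076
 WLAN-AKM-Suite = 1027075
 WLAN-Group-Mgmt-Cipher = 1027078
11.04.2024 18:22:02.186 - EAP-TLS authentication is failed for 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' since certificate authority '' for the client certificate is not allowed.
'@

# IEEE 802.11 cipher and AKM suite types under OUI 00-0F-AC.
$cipherSuites = @{ 1 = 'WEP-40'; 2 = 'TKIP'; 4 = 'CCMP-128'; 5 = 'WEP-104'; 6 = 'BIP-CMAC-128';
                   8 = 'GCMP-128'; 9 = 'GCMP-256'; 10 = 'CCMP-256' }
$akmSuites    = @{ 1 = '802.1X'; 2 = 'PSK'; 3 = 'FT over 802.1X'; 4 = 'FT over PSK';
                   5 = '802.1X-SHA256'; 6 = 'PSK-SHA256'; 8 = 'SAE'; 9 = 'FT over SAE' }
$nasPortTypes = @{ 15 = 'Ethernet'; 19 = 'Wireless-IEEE-802.11' }
$serviceTypes = @{ 1 = 'Login'; 2 = 'Framed'; 6 = 'Administrative'; 10 = 'Call-Check' }

# RFC 7268 packs the 3-byte OUI and 1-byte suite type into one integer:
# 1027076 = 0x000FAC04 -> OUI 00-0F-AC, suite type 4 (CCMP-128).
function ConvertFrom-WlanSuite {
    param([Parameter(Mandatory)][int]$Value, [Parameter(Mandatory)][hashtable]$Table)
    $oui  = [int][math]::Floor($Value / 256)
    $type = $Value -band 0xFF
    if ($oui -ne 0x0FAC) { return ('unknown OUI {0:X6}:{1}' -f $oui, $type) }
    $name = if ($Table.ContainsKey($type)) { $Table[$type] } else { "type $type" }
    return "00-0F-AC:$type ($name)"
}

# Pull "Name = value" pairs out of a TekRADIUS request dump.
function Get-RadiusAttribute {
    param([Parameter(Mandatory)][string]$LogText)
    $attrs = @{}
    foreach ($line in $LogText -split "`r?`n") {
        if ($line -match '^\s*([\w-]+)\s*=\s*(.+?)\s*$') { $attrs[$Matches[1]] = $Matches[2] }
    }
    return $attrs
}

# What the WLC told the server about the 802.11 side of the session.
function Get-WlanSessionSummary {
    param([Parameter(Mandatory)][string]$LogText)
    $a = Get-RadiusAttribute -LogText $LogText
    $called = $a['Called-Station-Id'] -split ':', 2      # Cisco sends "AP-BSSID:SSID"
    [pscustomobject]@{
        User        = $a['User-Name']
        NAS         = $a['NAS-Identifier']
        Service     = $serviceTypes[[int]$a['Service-Type']]
        Medium      = $nasPortTypes[[int]$a['NAS-Port-Type']]
        BSSID       = $called[0]
        SSID        = $called[1]
        ClientMac   = $a['Calling-Station-Id']
        Pairwise    = ConvertFrom-WlanSuite ([int]$a['WLAN-Pairwise-Cipher']) $cipherSuites
        Group       = ConvertFrom-WlanSuite ([int]$a['WLAN-Group-Cipher']) $cipherSuites
        GroupMgmt   = ConvertFrom-WlanSuite ([int]$a['WLAN-Group-Mgmt-Cipher']) $cipherSuites
        Akm         = ConvertFrom-WlanSuite ([int]$a['WLAN-AKM-Suite']) $akmSuites
    }
}

# Find the CA allow-list rejection and report the issuer name the server saw.
function Find-TlsCaRejection {
    param([Parameter(Mandatory)][string]$LogText)
    foreach ($line in $LogText -split "`r?`n") {
        if ($line -match "certificate authority '(?<ca>[^']*)' for the client certificate is not allowed") {
            $ca = $Matches['ca']
            if ($ca -eq '') {
                $hint = 'Server attributed no issuer to the client certificate: verify the CA chain in LocalMachine\Root on the TekRADIUS host and the TekRADIUS build before changing TLS-Allowed-CA.'
            } else {
                $hint = "Issuer '$ca' is not listed in TLS-Allowed-CA for the matched group."
            }
            [pscustomobject]@{ IssuerSeenByServer = $ca; Hint = $hint; Line = $line }
        }
    }
}

# Usage:
# Get-WlanSessionSummary -LogText $sampleDump | Format-List
# Find-TlsCaRejection   -LogText $sampleDump | Format-List
```

For the dump in the post this reports SSID lab-test on BSSID 60-b9-c0-02-33-40, CCMP-128 for pairwise and group traffic, BIP-CMAC-128 for management frames and FT over 802.1X as the AKM, a Framed session on a Wireless-IEEE-802.11 port. Taken with the earlier "TLS session is established" and "EAP-TLS Authentication is successful" lines, the WLC and the TLS handshake are fine; the only thing rejecting the client is the server-side check-item stage, and the empty CA name there is the detail to chase.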


Yasin KAPLAN

Apr 11, 2024, 3:15:58 PM
to KaplanSoft TekRADIUS
Please replace the existing TekRADIUSLT.exe under the TekRADIUS application directory with the one in https://www.kaplansoft.com/tekradius/release/TekRADIUSLT.exe.zip and try again. Send me the TekRADIUS log entries if the authentication attempt fails.

Daniel Weatherman

Apr 11, 2024, 3:35:44 PM
to Yasin KAPLAN, KaplanSoft TekRADIUS, Kyle Elkins
I performed the upgrade as requested. Here are the latest logs from the server. 

________________________

 Size             : 477
 Identifier       : 82
 Unknown or Dis.  : (14179)|1
 Attributes       :

 User-Name = host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com
 Service-Type = 2
 Cisco-AVPair = service-type=Framed
 Framed-MTU = 1485
 NAS-IP-Address = 172.16.163.8
 NAS-Port-Type = 19
 NAS-Port = 200018
 State = 47a92dd3a062a5dcd60939516f9d1992
 Called-Station-Id = 60-b9-c0-02-33-40:lab-test
 Calling-Station-Id = 4c-77-cb-aa-98-9e
 NAS-Identifier = austin1-18-wlc-1
 WLAN-Group-Cipher = 1027076
 WLAN-Pairwise-Cipher = 1027076
 WLAN-AKM-Suite = 1027075

11.04.2024 19:28:37.987 - No local user profile is found for 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com', looking for the default user profile (A).

11.04.2024 19:28:37.987 - Cached check attributes for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' read - (default).

11.04.2024 19:28:37.987 - EAP-TLS Authentication commencing for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' [7 (82)]

11.04.2024 19:28:37.987 - Check items control for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' - Start (TLS) [Group: 'default'].

11.04.2024 19:28:37.987 - EAP-TLS authentication is failed for 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' since certificate authority '' for the client certificate is not allowed.

11.04.2024 19:28:37.987 - Check items control for user 'host/4eedb8f7-5fbd-4c8a-b89e-24ace5540385.intune.procore.com' - Stop (Failure) [Group: 'default'].

Yasin KAPLAN

Apr 11, 2024, 3:41:02 PM
to KaplanSoft TekRADIUS
Can you check TekRADIUSLT.exe under the TekRADIUS application directory? You should see this when you right-click on it and select Properties:

[Screenshot: Untitled.png]

Can you also send the public portion of the CA certificate directly to me in .der format?

Daniel Weatherman

Apr 11, 2024, 4:00:20 PM
to Yasin KAPLAN, KaplanSoft TekRADIUS, Kyle Elkins
Okay, here is the screenshot and certificate info.

[Screenshot: Screenshot 2024-04-11 at 14.50.53.png]

The cert is attached.

Thanks,
Daniel

[Attachment: Procore_PUB_CA_Cert.cer]

Yasin KAPLAN

Apr 11, 2024, 4:04:00 PM
to KaplanSoft TekRADIUS
It looks like TekRADIUSLT.exe was not updated; it still shows 5.8.0.4, not 5.8.0.5. Please try https://www.kaplansoft.com/tekradius/release/TekRADIUSLT.exe.A.zip
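The binary swap discussed in the last few messages (copy a replacement TekRADIUSLT.exe into the application directory, then confirm the version in the file's Properties) can be checked from the same host with the following added example, which is not from the thread or from KaplanSoft. The install path is an assumption; the version is read from the same PE version resource the Properties dialog shows, and the hash and Authenticode status are recorded because a downloaded executable is being dropped into an authentication server.

```powershell
# Added example, not from the thread or from KaplanSoft: report what is actually
# on disk after replacing TekRADIUSLT.exe. The install path is an assumption.
function Get-TekRadiusBinaryInfo {
    param([string]$Path = 'C:\Program Files\TekRADIUS\TekRADIUSLT.exe')   # assumption
    $file = Get-Item -Path $Path
    $vi   = $file.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path          = $file.FullName
        FileVersion   = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        LastWriteTime = $file.LastWriteTime
        Sha256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Signature     = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer        = $sig.SignerCertificate.Subject    # $null when unsigned
    }
}

# True only if the binary on disk is at least the build the vendor pointed at.
function Test-TekRadiusBinaryVersion {
    param(
        [Parameter(Mandatory)][version]$Expected,
        [string]$Path = 'C:\Program Files\TekRADIUS\TekRADIUSLT.exe'       # assumption
    )
    return (Get-TekRadiusBinaryInfo -Path $Path).FileVersion -ge $Expected
}

# Usage:
# Get-TekRadiusBinaryInfo | Format-List
# Test-TekRadiusBinaryVersion -Expected '5.8.0.5'    # False while 5.8.0.4 is still in place
```

Record the Sha256 and Signer fields before and after the copy: if FileVersion and LastWriteTime do not change, the file you extracted did not land at the path the service loads from, and the hash is what you compare against the archive you downloaded if you ever need to prove which build was running.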
