Hi everyone,
I'm trying to connect a Routerboard to a Cisco Access Point that forwards the request to a Windows RADIUS server.
The security profile will be EAP_TLS using certificates.
The first test failed, so I started investigating the problem.
I prepared a test LAB using two RB493, one configured as AP another configured as Station.
I imported the certificate that I have to use in the final configuration.
I imported the private keys.
I imported also the certificate for the CA that issued my certificate.
Setting a Security Profile to EAP-TLS using a certificate, but with the flag "dont verify certificate", all is OK. It works well!
I tried to set the "verify certificate" flag in the Security profile of the station, and I had a failure "TLS sent alert - unsupported certificate".
I think that the problem originated in the station.
These are the relevant logs (please note that the timestamps are a little misaligned, because I set the clocks manually):
=================== SETUP 1: Station verify certificate => FAILURE unsupported certificate ======================
Station Setup1:
Security Profile
EAP
TLS Mode: verify certificate
Access Point Setup1:
Security Profile
EAP
TLS Mode: verify certificate
Station Output:
Feb/25/2012 09:12:26 wireless,debug wlan1: must select network
Feb/25/2012 09:12:26 wireless,debug 00:0C:42:65:CD:E9: on 2452 AP: yes SSID EAP_TLS_TEST caps 0x431 rates 0xff0f basic 0xf MT: yes
Feb/25/2012 09:12:26 wireless,debug 00:0C:42:65:CD:E9@wlan1: EAP method 13 requested, proceed
Feb/25/2012 09:12:26 wireless,debug 00:0C:42:65:CD:E9@wlan1: TLS sent alert - unsupported certificate
Access Point output:
Feb/25/2012 09:12:00 wireless,debug wlan1: 00:0C:42:6B:18:3E attempts to associate
Feb/25/2012 09:12:00 wireless,debug wlan1: 00:0C:42:6B:18:3E not in local ACL, by default accept
Feb/25/2012 09:12:00 wireless,debug 00:0C:42:6B:18:3E@wlan1: got identity test@testCA.lan
Feb/25/2012 09:12:00 wireless,debug 00:0C:42:6B:18:3E@wlan1: EAP proposing method 13
Feb/25/2012 09:12:01 wireless,debug 00:0C:42:6B:18:3E@wlan1: TLS received alert - unsupported certificate
Feb/25/2012 09:12:01 wireless,debug 00:0C:42:6B:18:3E@wlan1: EAP method failure
=================== SETUP 2: Station dont verify certificate => SUCCESS ======================
Station Setup2:
Security Profile
EAP
TLS Mode: dont verify certificate
Access Point Setup2:
Security Profile
EAP
TLS Mode: verify certificate
Station Output:
Feb/25/2012 09:14:21 wireless,debug wlan1: must select network
Feb/25/2012 09:14:21 wireless,debug 00:0C:42:65:CD:E9: on 2452 AP: yes SSID EAP_TLS_TEST caps 0x431 rates 0xff0f basic 0xf MT: yes
Feb/25/2012 09:14:22 wireless,debug 00:0C:42:65:CD:E9@wlan1: EAP method 13 requested, proceed
Feb/25/2012 09:14:22 wireless,debug 00:0C:42:65:CD:E9@wlan1: EAP success
Access Point output:
Feb/25/2012 09:13:54 wireless,debug wlan1: 00:0C:42:6B:18:3E attempts to associate
Feb/25/2012 09:13:54 wireless,debug wlan1: 00:0C:42:6B:18:3E not in local ACL, by default accept
Feb/25/2012 09:13:54 wireless,debug 00:0C:42:6B:18:3E@wlan1: got identity test@testCA.lan
Feb/25/2012 09:13:55 wireless,debug 00:0C:42:6B:18:3E@wlan1: EAP proposing method 13
Feb/25/2012 09:13:55 wireless,debug 00:0C:42:6B:18:3E@wlan1: EAP success
I successfully tested this certificate to connect to the AP using a Windows PC.
The Application Policies of the certificate that I selected in the EAP-TLS Security Profile are:
[1]Application Certificate Policy:
Policy Identifier=Client Authentication
[2]Application Certificate Policy:
Policy Identifier=Secure Email
[3]Application Certificate Policy:
Policy Identifier=Encrypting File System
Any ideas to debug this situation?
Is it possible to increase the debug level for EAP-TLS and for certificate verification?
Thanks in advance.
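One check that helps narrow down an "unsupported certificate" alert, added here as an example and not part of the original post: a verifying EAP-TLS peer commonly requires the certificate presented to it to carry the matching Extended Key Usage (Server Authentication on the certificate the AP/RADIUS side presents, Client Authentication on the station's). The standard-library Python below decodes the DER value of an EKU extension and reports both flags; the sample bytes are constructed to mirror the policy list in the post and are not taken from the poster's certificate.

```python
# Added example (not from the original post): decode the DER value of an X.509
# Extended Key Usage extension and report which EAP-TLS side the certificate
# may present as. Standard library only; short-form DER lengths are assumed.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
EKU_NAMES = {
    SERVER_AUTH: "Server Authentication",
    CLIENT_AUTH: "Client Authentication",
    "1.3.6.1.5.5.7.3.4": "Secure Email",
    "1.3.6.1.4.1.311.10.3.4": "Encrypting File System",
}

def _read_tlv(data, pos):
    # One DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length = data[pos], data[pos + 1]
    return tag, data[pos + 2:pos + 2 + length], pos + 2 + length

def decode_oid(value):
    # DER OBJECT IDENTIFIER content -> dotted decimal (base-128 arcs)
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:            # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    # EKU extnValue is SEQUENCE OF OBJECT IDENTIFIER (RFC 5280 4.2.1.12)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(value))
    return oids

def eku_roles(der):
    oids = parse_eku(der)
    return {
        "purposes": [EKU_NAMES.get(o, o) for o in oids],
        "usable_as_server": SERVER_AUTH in oids,  # what the AP/RADIUS side presents
        "usable_as_client": CLIENT_AUTH in oids,  # what the station presents
    }

# Constructed sample mirroring the post's policy list: clientAuth, emailProtection, EFS; no serverAuth.
SAMPLE_EKU = bytes.fromhex("3020" "06082b06010505070302" "06082b06010505070304" "060a2b0601040182370a0304")
```

Feed it the raw EKU extension value exported from the certificate on each side of the handshake; a certificate that is only usable_as_client will not satisfy a peer that expects the server role.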