NAC - EAP-TLS - Username is not displayed if CN equals MAC

  • Problem
  • Updated 3 years ago
  • Solved
Hi Community,

I have a little issue with NetSight / NAC 6.3 with EAP-TLS.

If the CN in the client certificate equals the MAC address, then the username field is empty.


Otherwise the field is filled:


RADIUS / Certificate Diagnostics (CN=MAC):
User-Name = "00-1A-E8-27-76-8A"
Service-Type = Framed-User
Called-Station-Id = "20-B3-99-0B-6A-94"
Calling-Station-Id = "00-1A-E8-27-76-8A"
NAS-Identifier = "Demokit D2"
NAS-IP-Address = 192.168.10.10
NAS-Port = 8
NAS-Port-Id = "ge.1.8"
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0x7077081978e6055d5931c04285fc9f93
EAP-Message = 0x029100060d00
Message-Authenticator = 0xa8aaa0067409760bc450db9db1a2a7c4
ETS-Outer-Tunnel-Username = "00-1A-E8-27-76-8A"
ETS-NTLM-Auth-Allowed = 0
ETS-Cleartext-Password =
EAP-Type = EAP-TLS
TLS-Cert-Serial := "11ab00d3000700000039"
TLS-Cert-Expiration := "200801150226Z"
TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA"
TLS-Cert-Common-Name := "Demokit Issuing CA"
TLS-Client-Cert-Serial := "610f05e900010000001f"
TLS-Client-Cert-Expiration := "170806112608Z"
TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify Deutschland GmbH & Co. KG/OU=PSS UCC 3.2/CN=00-1A-E8-27-76-8A"
TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"
TLS-Client-Cert-X509v3-Subject-Key-Identifier += "5A:60:B4:7E:F7:36:B7:22:F1:39:31:8C:B1:6B:61:BF:BE:85:BE:7D"
TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n"
TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"

RADIUS / Certificate Diagnostics (CN!=MAC):
User-Name = "00-11-22-AA-BB-CC"
Service-Type = Framed-User
Called-Station-Id = "20-B3-99-0B-6A-94"
Calling-Station-Id = "00-1A-E8-27-76-8A"
NAS-Identifier = "Demokit D2"
NAS-IP-Address = 192.168.10.10
NAS-Port = 8
NAS-Port-Id = "ge.1.8"
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0xda612f8ad24a226d68a952489ecc2114
EAP-Message = 0x022b00060d00
Message-Authenticator = 0xf9175123bf64dac6666667d70b4d4fae
ETS-Outer-Tunnel-Username = "00-11-22-AA-BB-CC"
ETS-NTLM-Auth-Allowed = 0
ETS-Cleartext-Password =
EAP-Type = EAP-TLS
TLS-Cert-Serial := "11ab00d3000700000039"
TLS-Cert-Expiration := "200801150226Z"
TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA"
TLS-Cert-Common-Name := "Demokit Issuing CA"
TLS-Client-Cert-Serial := "6153011a000100000020"
TLS-Client-Cert-Expiration := "170806124023Z"
TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify/OU=PSS UCC 3.2/CN=00-11-22-AA-BB-CC"
TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"
TLS-Client-Cert-X509v3-Subject-Key-Identifier += "54:7C:C6:4A:3C:D5:F0:C0:F0:D3:14:40:67:33:79:E5:F6:AF:29:0D"
TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n"
TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"

I hope someone has an idea why the username is not extracted correctly.

Best Regards
Michael
Michael Kirchner

Posted 3 years ago

Mike Thomas, Employee - GTAC - NMS
Hi Michael,
1. Is the behavior different than in 6.2.x.x?
2. The RADIUS output attributes User-Name and TLS-Client-Cert-Common-Name are MACs in both cases. Are you certain that the second one displayed the username, and the first did not?
3. The conflicting info is that the screenshot shows the host MAC address as "76-7A" in both cases.
Michael Kirchner
Hi Mike,

Thanks for your reply.
1. I can't tell you for sure - my LAB equipment is running NetSight 6.3.0.142 right now.
2. Yes, the first case was MAC=CN, and in the second case I was trying a username which is a MAC but does not equal the MAC of the device.
-> Yes, I'm certain. I checked with several certificates issued by different CAs.
3. Yes, both cases were the same device (phone). Just the certificates were different.

Case 1:
CN=MAC e.g. CN=00-1A-E8-27-76-8A or CN=001AE827768A or CN=00:1A:E8:27:76:8A

Case 2:
CN!=MAC e.g., CN=00-1A-E8-27-76-8A.demo.com or any other CN

Hope that helped to clear things up.

I came across that issue while I was testing our Phone Certificate Deployment in my lab.

Regards
Michael
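As an added illustration (not code from this thread, from Extreme Networks, or from the NAC product), here is a small Python script that parses the "RADIUS / Certificate Diagnostics" line format quoted earlier in the thread and tells Case 1 (CN equals the device MAC) apart from Case 2. It normalizes the MAC spellings Michael lists (dashes, colons, no separator) and, as a generalization, dotted Cisco-style MACs, then compares User-Name against Calling-Station-Id. The two sample dumps are constructed, abbreviated copies of the ones quoted above, and the attribute syntax ("=", ":=", "+=") is assumed from those dumps.

```python
import re

# Constructed samples: abbreviated copies of the two "RADIUS / Certificate
# Diagnostics" dumps quoted in the thread. Only the attributes this script
# reads are kept; the line syntax ("=", ":=", "+=") follows the page.
DIAG_CN_EQ_MAC = """\
User-Name = "00-1A-E8-27-76-8A"
Calling-Station-Id = "00-1A-E8-27-76-8A"
EAP-Type = EAP-TLS
TLS-Client-Cert-Subject := "/C=DE/O=Example/CN=00-1A-E8-27-76-8A"
TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"
TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication"
"""

DIAG_CN_NE_MAC = """\
User-Name = "00-11-22-AA-BB-CC"
Calling-Station-Id = "00-1A-E8-27-76-8A"
EAP-Type = EAP-TLS
TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"
"""

# "Attr op value" where op is one of ":=", "+=" or "=" (order matters: try the
# two-character operators before the bare "=").
_ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(:=|\+=|=)\s*(.*?)\s*$')


def parse_diagnostics(text):
    """Parse diagnostic lines into {attribute: [values]}.

    "+=" lines accumulate (multi-valued extensions such as key identifiers);
    "=" and ":=" lines replace. Surrounding double quotes are stripped.
    """
    attrs = {}
    for line in text.splitlines():
        m = _ATTR_RE.match(line)
        if not m:
            continue  # blank line, heading, or anything that is not an attribute
        name, op, raw = m.groups()
        value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
        if op == "+=":
            attrs.setdefault(name, []).append(value)
        else:
            attrs[name] = [value]
    return attrs


def normalize_mac(value):
    """Return the 12-hex-digit upper-case form of a MAC-like string, else None.

    Accepts the separators seen in the thread ('-', ':', none) plus '.'.
    A value with extra characters, e.g. the CN '00-1A-E8-27-76-8A.demo.com'
    from Case 2, is not MAC-like: stripping separators leaves non-hex text.
    """
    stripped = re.sub(r"[-:.]", "", value.strip())
    if re.fullmatch(r"[0-9A-Fa-f]{12}", stripped):
        return stripped.upper()
    return None


def classify(text):
    """Summarize how User-Name relates to the client CN and the device MAC."""
    attrs = parse_diagnostics(text)

    def first(name):
        return attrs.get(name, [""])[0]

    user = first("User-Name")
    cn = first("TLS-Client-Cert-Common-Name")
    device_mac = normalize_mac(first("Calling-Station-Id"))
    user_mac = normalize_mac(user)
    return {
        "eap_type": first("EAP-Type"),
        "cn_equals_username": cn == user,
        "username_is_mac_like": user_mac is not None,
        "username_equals_device_mac": user_mac is not None and user_mac == device_mac,
    }


def verdict(text):
    """Label a dump with the case from the thread it corresponds to."""
    c = classify(text)
    if c["username_equals_device_mac"]:
        return "case 1: User-Name equals the device MAC"
    if c["username_is_mac_like"]:
        return "case 2: User-Name is MAC-like but differs from the device MAC"
    return "case 2: User-Name is not MAC-like"


if __name__ == "__main__":
    for label, dump in (("CN=MAC", DIAG_CN_EQ_MAC), ("CN!=MAC", DIAG_CN_NE_MAC)):
        print(label, "->", verdict(dump))
```

Run over a full diagnostics dump, the script reports which of Michael's two cases it represents; the normalization step is what makes "00-1A-E8-27-76-8A", "001AE827768A" and "00:1A:E8:27:76:8A" all count as the same MAC while "00-1A-E8-27-76-8A.demo.com" does not.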
Mike Thomas, Employee - GTAC - NMS
Which case displays the username? Which is the MAC of the device? Both show the MAC as the same, but the username is different in the pics. Case 2 appears to work, correct?
first
User-Name = "00-1A-E8-27-76-8A"
TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"

second
User-Name = "00-11-22-AA-BB-CC"
TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"

The source appears to be 76-8A in both cases, so it's confusing. We may need to open a case so you can send in those certificates I guess, traces and some debug which don't belong here, but maybe we are actually not looking at the right info.
Michael Kirchner
Hi Mike,

Case 2 displays the username, but that username "00-11-22-AA-BB-CC" is not correct. It was just for testing purposes, to see whether NAC ignores MAC-like usernames in general or only if they equal the MAC address.

The MAC address of the device is: 00-1A-E8-27-76-8A
The username which should be in the certificate is: 00-1A-E8-27-76-8A

But as you see NAC does not display the username if the CN equals the MAC.

Alright I will open a case.

Thanks a lot :)

Best Regards
Michael
Ronald Dvorak, Ambassador
My goal was to see whether I run into the same issue with EAP PEAP.
Setup: 802.1X WLAN service, NAC 6.3, Win AD/LDAP, EWC 9.21.

So instead of my normal username "dvorakr" I made a copy of the user in AD and used the MAC as the username = "2477033BD329"

In that case I can't connect to the WLAN.
NAC client state is "reject" and the reason is that the authentication is MAC EAP-MD5 instead of 802.1X PEAP.

I've tried it with Cisco AnyConnect and also the built-in Win7 client, and both are set to PEAP.

So I've created another account in my AD with the MAC but changed the last digit to an 8 = not my WLAN MAC anymore, and I'm able to connect.

Looks like there is something going wrong if the username = MAC.

I can't tell whether that is related to the WIN AD/LDAP or the controller or NAC.

-Ron
Michael Kirchner
Hi Ron,

I also had the issue with MAC EAP-MD5. I had to disable MAC EAP-MD5 in the Advanced AAA Config. After that I successfully authenticated via EAP-TLS.

If you're not using MAC EAP-MD5 for MAC Authentication you could also disable it and give it a try.

Best Regards
Michael