NAC - EAP-TLS - Username is not displayed if CN equals MAC

Michael_Kirchne
Contributor
Hi Community,

I have a little issue with NetSight / NAC 6.3 with EAP-TLS.

If the CN in the client certificate equals the MAC address, then the username field is empty.

[Screenshot: username field empty]



Otherwise the field is filled:

[Screenshot: username field filled]



RADIUS / Certificate Diagnostics (CN=MAC):
User-Name = "00-1A-E8-27-76-8A"
Service-Type = Framed-User
Called-Station-Id = "20-B3-99-0B-6A-94"
Calling-Station-Id = "00-1A-E8-27-76-8A"
NAS-Identifier = "Demokit D2"
NAS-IP-Address = 192.168.10.10
NAS-Port = 8
NAS-Port-Id = "ge.1.8"
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0x7077081978e6055d5931c04285fc9f93
EAP-Message = 0x029100060d00
Message-Authenticator = 0xa8aaa0067409760bc450db9db1a2a7c4
ETS-Outer-Tunnel-Username = "00-1A-E8-27-76-8A"
ETS-NTLM-Auth-Allowed = 0
ETS-Cleartext-Password = 
EAP-Type = EAP-TLS
TLS-Cert-Serial := "11ab00d3000700000039"
TLS-Cert-Expiration := "200801150226Z"
TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA"
TLS-Cert-Common-Name := "Demokit Issuing CA"
TLS-Client-Cert-Serial := "610f05e900010000001f"
TLS-Client-Cert-Expiration := "170806112608Z"
TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify Deutschland GmbH & Co. KG/OU=PSS UCC 3.2/CN=00-1A-E8-27-76-8A"
TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"
TLS-Client-Cert-X509v3-Subject-Key-Identifier += "5A:60:B4:7E:F7:36:B7:22:F1:39:31:8C:B1:6B:61:BF:BE:85:BE:7D"
TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n"
TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"
RADIUS / Certificate Diagnostics (CN!=MAC):
User-Name = "00-11-22-AA-BB-CC"
Service-Type = Framed-User
Called-Station-Id = "20-B3-99-0B-6A-94"
Calling-Station-Id = "00-1A-E8-27-76-8A"
NAS-Identifier = "Demokit D2"
NAS-IP-Address = 192.168.10.10
NAS-Port = 8
NAS-Port-Id = "ge.1.8"
Framed-MTU = 1500
NAS-Port-Type = Ethernet
State = 0xda612f8ad24a226d68a952489ecc2114
EAP-Message = 0x022b00060d00
Message-Authenticator = 0xf9175123bf64dac6666667d70b4d4fae
ETS-Outer-Tunnel-Username = "00-11-22-AA-BB-CC"
ETS-NTLM-Auth-Allowed = 0
ETS-Cleartext-Password = 
EAP-Type = EAP-TLS
TLS-Cert-Serial := "11ab00d3000700000039"
TLS-Cert-Expiration := "200801150226Z"
TLS-Cert-Subject := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Cert-Issuer := "/DC=com/DC=demo/DC=unify/CN=Unify Demo Root CA"
TLS-Cert-Common-Name := "Demokit Issuing CA"
TLS-Client-Cert-Serial := "6153011a000100000020"
TLS-Client-Cert-Expiration := "170806124023Z"
TLS-Client-Cert-Subject := "/C=DE/ST=BW/L=Stuttgart/O=Unify/OU=PSS UCC 3.2/CN=00-11-22-AA-BB-CC"
TLS-Client-Cert-Issuer := "/C=DE/DC=com/DC=demo/DC=unify/CN=Demokit Issuing CA"
TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"
TLS-Client-Cert-X509v3-Subject-Key-Identifier += "54:7C:C6:4A:3C:D5:F0:C0:F0:D3:14:40:67:33:79:E5:F6:AF:29:0D"
TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:07:F3:A1:4C:98:90:42:58:9A:FB:B2:67:A5:09:25:E1:76:16:77:06\n"
TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Server Authentication, TLS Web Client Authentication"
Hope anyone has an idea why the username is not extracted correctly.

Best Regards
Michael
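To triage diagnostics like the two dumps above, here is an added example (not from the original post and not Extreme Networks code): it parses the one-line attribute dump and reports whether User-Name is the same MAC as Calling-Station-Id, the condition the thread associates with the missing username. The sample dumps are constructed and abbreviated from the values in the thread.

```python
import re

# Constructed samples abbreviated from the thread's diagnostics (CN == MAC, then CN != MAC).
DUMP_CN_EQUALS_MAC = (
    'User-Name = "00-1A-E8-27-76-8A" Calling-Station-Id = "00-1A-E8-27-76-8A" '
    'NAS-Identifier = "Demokit D2" ETS-Cleartext-Password = EAP-Type = EAP-TLS '
    'TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"'
)
DUMP_CN_DIFFERS = (
    'User-Name = "00-11-22-AA-BB-CC" Calling-Station-Id = "00-1A-E8-27-76-8A" '
    'EAP-Type = EAP-TLS TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"'
)

OPERATORS = {'=', ':=', '+='}
# A token is a double-quoted string (backslash escapes allowed) or a bare word.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')

def parse_radius_dump(text):
    """Parse a one-line 'Attr = value' dump into a dict (last value wins on repeats)."""
    tokens = TOKEN_RE.findall(text)
    attrs, i = {}, 0
    while i + 1 < len(tokens) and tokens[i + 1] in OPERATORS:
        name, value, i = tokens[i], '', i + 2
        # An empty value (ETS-Cleartext-Password above) is followed directly by the
        # next attribute name and its operator, so only consume a token otherwise.
        if i < len(tokens) and not (i + 1 < len(tokens) and tokens[i + 1] in OPERATORS):
            value, i = tokens[i], i + 1
        attrs[name] = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
    return attrs

def normalize_mac(value):
    """12 hex digits of a MAC in -, :, . or bare notation; None for non-MAC values like 'dvorakr'."""
    if not re.fullmatch(r'[0-9A-Fa-f:.\-]+', value):
        return None
    digits = re.sub(r'[:.\-]', '', value).upper()
    return digits if len(digits) == 12 else None

def check_username_vs_mac(dump):
    """Flag the condition discussed in the thread: User-Name (and the cert CN) is the
    MAC the supplicant is calling from, which the replies tie to MAC EAP-MD5 handling."""
    a = parse_radius_dump(dump)
    client_mac = normalize_mac(a.get('Calling-Station-Id', ''))
    user = a.get('User-Name', '')
    user_mac = normalize_mac(user)
    return {
        'username_is_mac_shaped': user_mac is not None,
        'username_equals_client_mac': client_mac is not None and user_mac == client_mac,
        'cn_matches_username': a.get('TLS-Client-Cert-Common-Name') == user,
    }
```

Run it over the full dumps from the post to confirm the first case flags `username_equals_client_mac` and the second does not.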

Michael_Kirchne
Contributor
Hi Ron,

I also had the issue with MAC EAP-MD5. I had to disable MAC EAP-MD5 in the Advanced AAA Config. After that I successfully authenticated via EAP-TLS.

If you're not using MAC EAP-MD5 for MAC Authentication you could also disable it and give it a try.

Best Regards
Michael

Ronald_Dvorak
Honored Contributor
My goal was to see whether I run into the same issue with EAP PEAP.
Setup: 802.1X WLAN service, NAC 6.3, Win AD/LDAP, EWC 9.21.

So instead of my normal username "dvorakr" I've done a copy of the user in AD and used the MAC as the username = "2477033BD329"

In that case I can't connect to the WLAN.
NAC client state is "reject" and the reason is that the authentication is MAC EAP-MD5 instead of 802.1X PEAP.

I've tried it with Cisco AnyConnect and also the built-in Win7 client and both are set to PEAP.

So I've created another account on my AD with the MAC but changed the last digit to an 8 = not my WLAN MAC anymore and I'm able to connect.

Looks like there is something going wrong if the username = MAC.

I can't tell whether that is related to the WIN AD/LDAP or the controller or NAC.

-Ron

Michael_Kirchne
Contributor
Hi Mike,

Case 2 displays the username but that username "00-11-22-AA-BB-CC" is not correct. It was just for testing purposes to see whether or not NAC ignores MAC-like usernames in general or only if they equal the MAC address.

The MAC address of the device is: 00-1A-E8-27-76-8A
The username which should be in the certificate is: 00-1A-E8-27-76-8A

But as you see NAC does not display the username if the CN equals the MAC.

Alright I will open a case.

Thanks a lot 🙂

Best Regards
Michael

Mike_Thomas
Extreme Employee
Which case displays the username? Which is the MAC of the device? Both show the MAC as the same, but the username is different in the pics. Case 2 appears to work, correct?
first
User-Name = "00-1A-E8-27-76-8A"
TLS-Client-Cert-Common-Name := "00-1A-E8-27-76-8A"
second
User-Name = "00-11-22-AA-BB-CC"
TLS-Client-Cert-Common-Name := "00-11-22-AA-BB-CC"
The source appears to be 76-8A in both cases, so it's confusing. We may need to open a case so you can send in those certificates I guess, traces and some debug which don't belong here, but maybe we are actually not looking at the right info.