Solved

Juniper SBR EAP-TLS

Posted on 2013-10-24
3
691 Views
Last Modified: 2014-03-12
I have set up a SBR Enterprise to use EAP-TLS for authenticating laptop user certificates on our wireless network. These certificates are issued by a in-house CA. The SBR has a device certificate issued by the same CA. This works great.

We also have mobile units that has user certificates from another in-house CA, this authetication is not so great. The reject log entry has this reject-reason: "TLS handshake failed". For me this looks like the radius does not recognise the user certificate.

Both in-house CA's have the same root server.
The root certificate and both CA certificates are added to Trusted Root Certificates on the SBR.

On a Juniper MAG with RADIUS license there is a possibility specify that it should recognise certificates from both CA's even if there is only a device certificate from one of them.

Does anyone know how I can make the SBR to recognise the certificates from both CA's?
0
Comment
Question by:ted_loc
  • 2
3 Comments
 
LVL 63

Expert Comment

by:btan
ID: 39599161
There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
 
If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
To facilitate this process of verifying a "chain" of trust, every certificate includes the fields "Issued To" and "Issued By". An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.

i am also thinking if CRL check in SBR will be another cause e.g. You can click Flush CRL Caches to purge all information in the TLS and TTLS CRL caches immediately. This removes all CRL entries for registered clients from the in-memory cache and deletes all files from the CRL cache directories.

When EAP-TLS is deployed as an automatic EAP helper, you must list TLS in the EAP-Type list of an authentication method. When EAP-TLS is triggered, the tlsauth authentication goes through the TLS handshake required by the EAP-TLS specification. Assuming the user provides a certificate that the server can verify against a list of trusted root certificates, the EAP-TLS part of the exchange concludes successfully.

For the SBR

EAP-TLS Authentication Protocol
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/EAP-023.html

Configuring a CRL Distribution Point
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/Policies7.html#305121

EAP Configuration Files - These files are loaded at startup time and reside in the Steel-Belted Radius Carrier directory.
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-reference/html/EAP.html

For the MAG

Using Multiple Secure Access Service Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-device-multiple-using.html

When using multiple Secure Access Service device certificates, each certificate handles validation for a separate host name or fully qualified domain name (FQDN) and may be issued by a different CA.

Enabling Client CA Hierarchies
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-hierarchies.html

With a user license, you cannot install a chain whose certificates are issued by different CAs. The CA that signs the lowest-level certificate in the chain must also sign all other certificates in the chain.

Using Intermediate Server CA Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/concept/secure-access-certificates-intermediate-server-about.html

If you are securing traffic using chained certificates, you must ensure that the Secure Access Service and Web browser together contain the entire certificate chain.
0
 

Accepted Solution

by:
ted_loc earned 0 total points
ID: 39912100
This was actually confirmed from Juniper. The SBR does not have the capability of doing this. This is only possible on the MAG with UAC feature, which requires a RADIUS server license.

Thanks for your reply though.
0
 

Author Closing Comment

by:ted_loc
ID: 39922874
The answer provided by breadtan had links that provided informastion about certificates, but it did not answer the question.

My solution is not a good solution, but it is the correct solution.
0

Featured Post

Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
Examines three attack vectors, specifically, the different types of malware used in malicious attacks, web application attacks, and finally, network based attacks.  Concludes by examining the means of securing and protecting critical systems and inf…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question