Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 740
  • Last Modified:

Juniper SBR EAP-TLS

I have set up a SBR Enterprise to use EAP-TLS for authenticating laptop user certificates on our wireless network. These certificates are issued by a in-house CA. The SBR has a device certificate issued by the same CA. This works great.

We also have mobile units that has user certificates from another in-house CA, this authetication is not so great. The reject log entry has this reject-reason: "TLS handshake failed". For me this looks like the radius does not recognise the user certificate.

Both in-house CA's have the same root server.
The root certificate and both CA certificates are added to Trusted Root Certificates on the SBR.

On a Juniper MAG with RADIUS license there is a possibility specify that it should recognise certificates from both CA's even if there is only a device certificate from one of them.

Does anyone know how I can make the SBR to recognise the certificates from both CA's?
0
ted_loc
Asked:
ted_loc
  • 2
1 Solution
 
btanExec ConsultantCommented:
There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
 
If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
To facilitate this process of verifying a "chain" of trust, every certificate includes the fields "Issued To" and "Issued By". An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.

i am also thinking if CRL check in SBR will be another cause e.g. You can click Flush CRL Caches to purge all information in the TLS and TTLS CRL caches immediately. This removes all CRL entries for registered clients from the in-memory cache and deletes all files from the CRL cache directories.

When EAP-TLS is deployed as an automatic EAP helper, you must list TLS in the EAP-Type list of an authentication method. When EAP-TLS is triggered, the tlsauth authentication goes through the TLS handshake required by the EAP-TLS specification. Assuming the user provides a certificate that the server can verify against a list of trusted root certificates, the EAP-TLS part of the exchange concludes successfully.

For the SBR

EAP-TLS Authentication Protocol
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/EAP-023.html

Configuring a CRL Distribution Point
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/Policies7.html#305121

EAP Configuration Files - These files are loaded at startup time and reside in the Steel-Belted Radius Carrier directory.
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-reference/html/EAP.html

For the MAG

Using Multiple Secure Access Service Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-device-multiple-using.html

When using multiple Secure Access Service device certificates, each certificate handles validation for a separate host name or fully qualified domain name (FQDN) and may be issued by a different CA.

Enabling Client CA Hierarchies
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-hierarchies.html

With a user license, you cannot install a chain whose certificates are issued by different CAs. The CA that signs the lowest-level certificate in the chain must also sign all other certificates in the chain.

Using Intermediate Server CA Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/concept/secure-access-certificates-intermediate-server-about.html

If you are securing traffic using chained certificates, you must ensure that the Secure Access Service and Web browser together contain the entire certificate chain.
0
 
ted_locAuthor Commented:
This was actually confirmed from Juniper. The SBR does not have the capability of doing this. This is only possible on the MAG with UAC feature, which requires a RADIUS server license.

Thanks for your reply though.
0
 
ted_locAuthor Commented:
The answer provided by breadtan had links that provided informastion about certificates, but it did not answer the question.

My solution is not a good solution, but it is the correct solution.
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now