Solved

Juniper SBR EAP-TLS

Posted on 2013-10-24
3
664 Views
Last Modified: 2014-03-12
I have set up a SBR Enterprise to use EAP-TLS for authenticating laptop user certificates on our wireless network. These certificates are issued by a in-house CA. The SBR has a device certificate issued by the same CA. This works great.

We also have mobile units that has user certificates from another in-house CA, this authetication is not so great. The reject log entry has this reject-reason: "TLS handshake failed". For me this looks like the radius does not recognise the user certificate.

Both in-house CA's have the same root server.
The root certificate and both CA certificates are added to Trusted Root Certificates on the SBR.

On a Juniper MAG with RADIUS license there is a possibility specify that it should recognise certificates from both CA's even if there is only a device certificate from one of them.

Does anyone know how I can make the SBR to recognise the certificates from both CA's?
0
Comment
Question by:ted_loc
  • 2
3 Comments
 
LVL 61

Expert Comment

by:btan
Comment Utility
There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
 
If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
To facilitate this process of verifying a "chain" of trust, every certificate includes the fields "Issued To" and "Issued By". An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.

i am also thinking if CRL check in SBR will be another cause e.g. You can click Flush CRL Caches to purge all information in the TLS and TTLS CRL caches immediately. This removes all CRL entries for registered clients from the in-memory cache and deletes all files from the CRL cache directories.

When EAP-TLS is deployed as an automatic EAP helper, you must list TLS in the EAP-Type list of an authentication method. When EAP-TLS is triggered, the tlsauth authentication goes through the TLS handshake required by the EAP-TLS specification. Assuming the user provides a certificate that the server can verify against a list of trusted root certificates, the EAP-TLS part of the exchange concludes successfully.

For the SBR

EAP-TLS Authentication Protocol
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/EAP-023.html

Configuring a CRL Distribution Point
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/Policies7.html#305121

EAP Configuration Files - These files are loaded at startup time and reside in the Steel-Belted Radius Carrier directory.
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-reference/html/EAP.html

For the MAG

Using Multiple Secure Access Service Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-device-multiple-using.html

When using multiple Secure Access Service device certificates, each certificate handles validation for a separate host name or fully qualified domain name (FQDN) and may be issued by a different CA.

Enabling Client CA Hierarchies
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-hierarchies.html

With a user license, you cannot install a chain whose certificates are issued by different CAs. The CA that signs the lowest-level certificate in the chain must also sign all other certificates in the chain.

Using Intermediate Server CA Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/concept/secure-access-certificates-intermediate-server-about.html

If you are securing traffic using chained certificates, you must ensure that the Secure Access Service and Web browser together contain the entire certificate chain.
0
 

Accepted Solution

by:
ted_loc earned 0 total points
Comment Utility
This was actually confirmed from Juniper. The SBR does not have the capability of doing this. This is only possible on the MAG with UAC feature, which requires a RADIUS server license.

Thanks for your reply though.
0
 

Author Closing Comment

by:ted_loc
Comment Utility
The answer provided by breadtan had links that provided informastion about certificates, but it did not answer the question.

My solution is not a good solution, but it is the correct solution.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Suggested Solutions

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now