Solved

Juniper SBR EAP-TLS

Posted on 2013-10-24
Last Modified: 2014-03-12
I have set up a SBR Enterprise to use EAP-TLS for authenticating laptop user certificates on our wireless network. These certificates are issued by an in-house CA. The SBR has a device certificate issued by the same CA. This works great.

We also have mobile units that have user certificates from another in-house CA; this authentication is not so great. The reject log entry has this reject-reason: "TLS handshake failed". For me this looks like the RADIUS does not recognise the user certificate.

Both in-house CAs have the same root server.
The root certificate and both CA certificates are added to Trusted Root Certificates on the SBR.

On a Juniper MAG with RADIUS license there is a possibility to specify that it should recognise certificates from both CAs even if there is only a device certificate from one of them.

Does anyone know how I can make the SBR recognise the certificates from both CAs?
Question by: ted_loc

3 Comments

Expert Comment

by: btan (LVL 62)
ID: 39599161
There are two types of certificate authorities (CAs), root CAs and intermediate CAs. In order for a certificate to be trusted, and often for a secure connection to be established at all, that certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
 
If the certificate was not issued by a trusted CA, the connecting device (e.g., a web browser) will then check to see if the certificate of the issuing CA was issued by a trusted CA, and so on until either a trusted CA is found (at which point a trusted, secure connection will be established) or no trusted CA can be found (at which point the device will usually display an error).
To facilitate this process of verifying a "chain" of trust, every certificate includes the fields "Issued To" and "Issued By". An intermediate CA will show different information in these two fields, showing a connecting device where to continue checking, if necessary, in order to establish trust.

I am also thinking whether the CRL check in SBR will be another cause, e.g. you can click Flush CRL Caches to purge all information in the TLS and TTLS CRL caches immediately. This removes all CRL entries for registered clients from the in-memory cache and deletes all files from the CRL cache directories.

When EAP-TLS is deployed as an automatic EAP helper, you must list TLS in the EAP-Type list of an authentication method. When EAP-TLS is triggered, the tlsauth authentication goes through the TLS handshake required by the EAP-TLS specification. Assuming the user provides a certificate that the server can verify against a list of trusted root certificates, the EAP-TLS part of the exchange concludes successfully.

For the SBR

EAP-TLS Authentication Protocol
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/EAP-023.html

Configuring a CRL Distribution Point
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-admin/html/Policies7.html#305121

EAP Configuration Files - These files are loaded at startup time and reside in the Steel-Belted Radius Carrier directory.
http://www.juniper.net/techpubs/software/aaa_802/sbrc/sbrc70/sw-sbrc-reference/html/EAP.html

For the MAG

Using Multiple Secure Access Service Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-device-multiple-using.html

When using multiple Secure Access Service device certificates, each certificate handles validation for a separate host name or fully qualified domain name (FQDN) and may be issued by a different CA.

Enabling Client CA Hierarchies
http://www.juniper.net/techpubs/en_US/sa/topics/reference/general/secure-access-certificates-hierarchies.html

With a user license, you cannot install a chain whose certificates are issued by different CAs. The CA that signs the lowest-level certificate in the chain must also sign all other certificates in the chain.

Using Intermediate Server CA Certificates
http://www.juniper.net/techpubs/en_US/sa/topics/concept/secure-access-certificates-intermediate-server-about.html

If you are securing traffic using chained certificates, you must ensure that the Secure Access Service and Web browser together contain the entire certificate chain.
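The chain-of-trust explanation in the comment above, and the failure pattern in the question (a user certificate from a second issuing CA under the same root being rejected), can be reproduced with a small stand-alone program. The following Go program is an added example and is not part of the original thread, nor Juniper SBR or MAG code: it uses Go's standard crypto/x509 chain builder in place of the RADIUS server's TLS stack, constructs one root with two issuing CAs and a user certificate under each (all names are constructed sample data), and then checks which client certificates verify depending on which CA certificates the server has available. It generalises the single case in the question to several trust-store configurations.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a simple counter so every constructed certificate gets a distinct serial number.
var serial int64

// newCert issues a certificate with common name cn. When parent is nil the certificate is
// self-signed (a root); otherwise it is signed by parent using parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// User certificates are client-authentication leaves, as presented by an EAP-TLS supplicant.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// demoPKI holds the constructed hierarchy: one root, two issuing CAs, one user certificate from each.
type demoPKI struct {
	root, laptopCA, mobileCA, laptopUser, mobileUser *x509.Certificate
}

// buildDemoPKI constructs the hierarchy described in the question (constructed sample names).
func buildDemoPKI() demoPKI {
	root, rootKey := newCert("Example Root CA", true, nil, nil)
	laptopCA, laptopCAKey := newCert("Example Laptop Issuing CA", true, root, rootKey)
	mobileCA, mobileCAKey := newCert("Example Mobile Issuing CA", true, root, rootKey)
	laptopUser, _ := newCert("laptop-user", false, laptopCA, laptopCAKey)
	mobileUser, _ := newCert("mobile-user", false, mobileCA, mobileCAKey)
	return demoPKI{root, laptopCA, mobileCA, laptopUser, mobileUser}
}

// verifyClient performs the chain check an authentication server does on the supplicant's
// certificate: roots is the server's trusted root store, intermediates the issuing CA
// certificates it can use to build the chain (from its own store or sent by the client).
func verifyClient(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: interPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// runScenarios reports, per scenario, whether the user certificate chained to a trusted root.
func runScenarios() map[string]bool {
	p := buildDemoPKI()
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	return map[string]bool{
		"laptop user, root + laptop CA known":        verifyClient(p.laptopUser, certs(p.root), certs(p.laptopCA)) == nil,
		"mobile user, root + laptop CA known":        verifyClient(p.mobileUser, certs(p.root), certs(p.laptopCA)) == nil,
		"mobile user, root + both issuing CAs known": verifyClient(p.mobileUser, certs(p.root), certs(p.laptopCA, p.mobileCA)) == nil,
		"mobile user, mobile CA trusted directly":    verifyClient(p.mobileUser, certs(p.mobileCA), nil) == nil,
		"mobile user, nothing trusted":               verifyClient(p.mobileUser, nil, nil) == nil,
	}
}

func main() {
	for name, ok := range runScenarios() {
		fmt.Printf("%-45s verified=%v\n", name, ok)
	}
}
```

The second scenario is the one that matters for the question: the root is trusted, but the chain builder cannot reach it from the mobile user's certificate because the mobile issuing CA's certificate is not available, so verification fails with an "unknown authority" error, which a RADIUS server would surface as a failed TLS handshake. The third and fourth scenarios show the two ways the chain becomes verifiable: either the issuing CA certificate is available as an intermediate during chain building, or it is trusted directly as an anchor. Whether a given server product actually consults its trust store for intermediates during EAP-TLS is product-specific, which is what the accepted answer in this thread reports for the SBR.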

Accepted Solution

by: ted_loc (earned 0 total points)
ID: 39912100
This was actually confirmed from Juniper. The SBR does not have the capability of doing this. This is only possible on the MAG with UAC feature, which requires a RADIUS server license.

Thanks for your reply though.

Author Closing Comment

by: ted_loc
ID: 39922874
The answer provided by breadtan had links that provided information about certificates, but it did not answer the question.

My solution is not a good solution, but it is the correct solution.