Lab Minutes Forum
Technical Discussion => Security => Topic started by: dong on October 02, 2014, 12:36:56 AM
-
Hi all !
I'm running on Cisco ISE 1.2. I'm trying to setup BYOD (dual SSID). I've followed your videos, and I've setup the policies and SCEP and stuff.
Here's a walkthrough of what's happening:
1. I connect to open SSID, enter username/password and register MAC
2. I download WinSPwizard, get trust root CA but WinSPwizard error
(http://i233.photobucket.com/albums/ee98/ledem64/assistant_zps0b4b954b.jpg)
This is spwprofilelog
[Wed Oct 01 11:27:17 2014] Installed [pvgas-DC-CA, hash: d0 ad c2 1e 19 b0 8b 61 8a 2d 81 88 da 8a a2 ca
da d3 ab e8
] as rootCA
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:17 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:17 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:21 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:21 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:25 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:25 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Wed Oct 01 11:27:29 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Wed Oct 01 11:27:29 2014] Failed to get certificate from server - Error: [2]
[Wed Oct 01 11:27:29 2014] Failed to generate scep request. Error code: [Wed Oct 01 11:27:29 2014] ApplyCert - End...
[Wed Oct 01 11:27:29 2014] Failed to configure the device.
[Wed Oct 01 11:27:29 2014] ApplyProfile - End...
[Wed Oct 01 11:27:32 2014] Cleaning up profile xml: success
This is SCEP RA profiles
(http://i233.photobucket.com/albums/ee98/ledem64/Cert3_zps731da9fe.jpg)
Other Cert
(http://i233.photobucket.com/albums/ee98/ledem64/Cert1_zps886cbc77.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Cert2_zpsf6c88366.jpg)
ACL On WLC
(http://i233.photobucket.com/albums/ee98/ledem64/ACL-ISE-ONLY_zpsd7287b05.png)
and policy
(http://i233.photobucket.com/albums/ee98/ledem64/Policy-set_zps84386e1b.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Auth_policy_zpsdb372f62.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Auth_profile_zpsda821f52.jpg)
Please help me fix error.
Thanks.
-
Would you be able to validate SCEP setup using router or ASA and make sure you can obtain a certificate?
-
Hi MC
Yes, I test on my router. It get cert normal
R1#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 500D03F681AB769A4B577B57BF20BD4F
Certificate Usage: Signature
Issuer:
cn=pvgas-DC-CA
dc=pvgas
dc=local
Subject:
cn=pvgas-DC-CA
dc=pvgas
dc=local
Validity Date:
start date: 16:40:54 UTC Sep 1 2014
end date: 16:50:53 UTC Sep 1 2019
Associated Trustpoints: pvgas-DC-CA
what wrong ? please help me fix
-
Hi MC
Yes, I test on my router. It get cert normal
R1#show crypto pki certificates
CA Certificate
Status: Available
Certificate Serial Number (hex): 500D03F681AB769A4B577B57BF20BD4F
Certificate Usage: Signature
Issuer:
cn=pvgas-DC-CA
dc=pvgas
dc=local
Subject:
cn=pvgas-DC-CA
dc=pvgas
dc=local
Validity Date:
start date: 16:40:54 UTC Sep 1 2014
end date: 16:50:53 UTC Sep 1 2019
Associated Trustpoints: pvgas-DC-CA
what wrong ? please help me fix
This is the CA self-signed cert, not the router cert. Can the router get a cert when you do 'crypto ca enroll' command?
-
Hi MC !
Yes, this is CA cert. When I configure for router cert it error.
R1(config)#
Oct 8 11:42:14.847: CRYPTO_PKI: Certificate Request Fingerprint MD5: 66D15A2B 8F738117 E527AB56 8F9F0E0D
Oct 8 11:42:14.847: CRYPTO_PKI: Certificate Request Fingerprint SHA1: E44DE9E2 D5BF0870 48C2F23C 6080B051 3965DC1E
R1(config)#
Oct 8 11:42:15.435: %PKI-6-CERTFAIL: Certificate enrollment failed.
R1(config)#
Time on CA the same with router
R1#show crypto pki cer
CA Certificate
Status: Available
Certificate Serial Number (hex): 500D03F681AB769A4B577B57BF20BD4F
Certificate Usage: Signature
Issuer:
cn=pvgas-DC-CA
dc=pvgas
dc=local
Subject:
cn=pvgas-DC-CA
dc=pvgas
dc=local
Validity Date:
start date: 16:40:54 UTC Sep 1 2014
end date: 16:50:53 UTC Sep 1 2019
Associated Trustpoints: pvgas-DC-CA
R1#show clock
11:42:55.067 UTC Wed Oct 8 2014
On My CA, I configured Certificate Templates, change Registry
(http://i233.photobucket.com/albums/ee98/ledem64/CA_Templates_zps51e71ff5.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/CA_Regiter_zps1d6e80f7.jpg)
What wrong in my configured, please help me resolve problem.
Thank so much.
-
So it looks like you do not have your SCEP server properly configure. Please review the videos below.
http://www.labminutes.com/sec0009_windows_2008_ca_scep_install
http://www.labminutes.com/sec0011_windows_2008_ca_auto_enrollment
-
Hi MC !
I configure CA, NDES step by step follow your intruction, but when router pull cert from CA server.
Router received message %PKI-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority and in Failed Request on CA server received message
The Network Device Enrollment Service cannot submit the certificate request (The requested certificate template is not supported by this CA.). 0x80004005.
I duplicate IPSEC(offline request) templates and choose properties the same your configure. On my router
crypto key generate rsa modulus 1024 general-keys
crypto pki trustpoint PVGAS-ROOT-CA
enrollment url http://172.16.2.218/certsrv/mscep/mscep.dll
fqdn R2.pvgas.local
subject-name cn=R2.pvgas.local
revocation-check none
exit
crypto pki authenticate PVGAS-ROOT-CA
Please help me.
Thanks.
-
Are you using Windows 2008 Enterprise and Enterprise CA and not standalone? Make sure the NDES user is allowed to enroll those template. Worst case, you can try to start from scratch and follow the instruction video.
-
Hi MC !
I update window server and re-add role and configure CA server. My router can get certificates.
But when laptop connect to SSID open download Network Setup Assitant and start install it is not work.
spw log file is
[Fri Oct 10 15:57:42 2014] Logging started
[Fri Oct 10 15:57:42 2014] System locale is [en]
[Fri Oct 10 15:57:42 2014] Loading messages for [en]...
[Fri Oct 10 15:57:42 2014] Initializing profile
[Fri Oct 10 15:57:42 2014] Parsing profile xml - C:\Users\ADMINI~1\AppData\Local\Temp\spwProfile.xml
[Fri Oct 10 15:57:44 2014] Identifying wired and wireless network interfaces, total active interfaces: 1
[Fri Oct 10 15:57:44 2014] Network interface - mac:00-26-C6-65-5E-3C, name: Wireless Network Connection, type: wireless
[Fri Oct 10 15:57:44 2014] Wireless interface [Wireless Network Connection] will be configured...
[Fri Oct 10 15:57:45 2014] Host - [ name:pc1, mac addresses:00-26-C6-65-5E-3C;00-27-13-66-7C-33]
[Fri Oct 10 15:57:45 2014] SPW is running as High integrity Process - 12288
[Fri Oct 10 15:57:46 2014] ApplyProfile - Start...
[Fri Oct 10 15:57:46 2014] User Id: it1, sessionid: e90610ac000001d286023854, Mac: 00-26-C6-65-5E-3C, profile: WirelessSP
[Fri Oct 10 15:57:46 2014] Configuring wireless profile...
[Fri Oct 10 15:57:46 2014] ApplyCert - Start...
[Fri Oct 10 15:57:48 2014] Installed [PVGas-CA-Lab, hash: 66 64 5b fb 15 82 ce 8d c8 5d 9a 44 1b c4 1a 91
dc c4 b7 94
] as rootCA
[Fri Oct 10 15:58:10 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:10 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Fri Oct 10 15:58:10 2014] HttpWrapper::SendScepRequest - Retrying: [1] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:14 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:14 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Fri Oct 10 15:58:14 2014] HttpWrapper::SendScepRequest - Retrying: [2] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:18 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:18 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Fri Oct 10 15:58:18 2014] HttpWrapper::SendScepRequest - Retrying: [3] time, after: [4] secs , Error: [2]
[Fri Oct 10 15:58:23 2014] Warning - [HTTPConnection] InternetOpen() failed with code: [12038]
[Fri Oct 10 15:58:23 2014] Warning - [HTTPConnection] Abort the HTTP connection due to invalid certificate CN
[Fri Oct 10 15:58:23 2014] Failed to get certificate from server - Error: [2]
[Fri Oct 10 15:58:23 2014] Failed to generate scep request. Error code: [Fri Oct 10 15:58:23 2014] ApplyCert - End...
[Fri Oct 10 15:58:23 2014] Failed to configure the device.
[Fri Oct 10 15:58:23 2014] ApplyProfile - End...
[Fri Oct 10 15:58:32 2014] Cleaning up profile xml: success
Please for me a idea fix error. Thanks MC
-
It looks like the SCEP server at least is working since your router can now get a cert. From the log you provided, it seems to be complaining about the certificate CN so I would check the certificate template. Which cert template do you use for SCEP? Try duplicate the 'User' template and use that if not already.
-
Hi MC !
I try duplicate the "User" template and public it. But not fix problem.
This is step my configurate template.
(http://i233.photobucket.com/albums/ee98/ledem64/Create_Templates_zpsfc4fa420.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Create_Templates_User_zps53f4af94.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Create_Templates_User2_zps2454e00b.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Create_Templates_User3_zpsc4ec3447.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Create_Templates_User4_zps40144a72.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Modifi_Regitry_Step1_zps8f7613e9.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Modifi_Regitry_Step2_zpsbdea2c1a.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Modifi_Regitry_Step3_zps993ea069.jpg)
(http://i233.photobucket.com/albums/ee98/ledem64/Public_Cert_Template_zpsc0499be3.jpg)
Please for me an idea, for resolve issue.
Thanks MC
-
When it fails, what does the error message on the CA says?
-
Hi MC !
I can resolve this issue. The problem occur because missing hotfix on CA server. Need 2 hotfix installed is KB2483562,KB2633200, this is important.
Thanks
-
That would do it :). I guess the moral of this is to have the server updated before configuration. Thank you for sharing the solution. +1