Description:
When using certificates with the MD5 signature algorithm, some devices do not respond to the request from the RADIUS server during 802.1x authentication. This is the case with Apple iPhones and iPads, for example.
LANCOM Systems does not recommend the use of MD5 because of vulnerabilities and recommends using SHA-256 instead.
Since the EAP-TLS certificate was generated by the device CA, all certificates must be deleted and then re-created.
This document describes how you reset certificates on a LANCOM WLAN controller. New certificates are created using the signature algorithm SHA-256.

The CA of the WLAN controller is deleted and re-initialized, so the access points have to obtain new certificates from the WLAN controller. For this purpose, the access points should be reset to the factory settings.

Requirements:

Procedure:
Step 1: Checking the used signature algorithm
1.1) Open an SSH session on the LANCOM WLAN controller and log in with administrator user rights.
1.2) Enter the command show eap (as of LCOS 10.70 the command is show eaptls). If Signature Algorithm is set to the algorithm md5WithRSAEncryption, then the EAP-TLS certificate was created with the signature algorithm MD5. This means that you are affected by the problem.

Alternatively, this analysis can be performed using a RADIUS server trace on the WLAN controller. If the Challenge Request contains the string md5WithRSAEncryption, you are affected by the problem.



Step 2: Reset/turn off the certificate tree

2.1) Switch to the Certificates directory with the command cd /Setup/Certificates.
2.2) Enter the command default -r.
2.3) Enter the command cd\ to return to the root directory.


Step 3: Delete SCEP and EAP-TLS files from the file system
3.1) Switch to the Contents directory with the command cd /Status/File-System/Contents.
3.2) Enter the command ls to display the contents of the file system.
3.3) Using the command del <File-name>, delete all files with the term “scep” or “eaptls” in the file name (e.g. del scep_crl).
3.4) Also delete the file controller_pkcs12_int with the command del controller_pkcs12_int.


Step 4: Restart device
4.1) Enter the command do /Other/Cold-Boot to restart the WLAN controller.


Step 5: Test whether a general challenge password has been entered
5.1) In LANconfig, open the configuration of the LANCOM WLAN controller and make sure that a password is entered in the menu Certificates → Certificate handling → General challenge password.
If no password is entered here, close LANconfig and then reopen the configuration in LANconfig. After reopening, an automatically generated general challenge password will have been entered.


Step 6: Enable the certificate authority
6.1) Go to the menu Certificates → Cert. authority (CA) and make sure that the CA is enabled.


Step 7: Checking the newly created EAP-TLS certificate
7.1) On the CLI, enter the command show eap (as of LCOS 10.70 the command is show eaptls). If sha256WithRSAEncryption is shown, the EAP-TLS certificate was created with the signature algorithm SHA-256.
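Steps 1 and 7 read the algorithm name from the controller CLI. As an added example (not LANCOM code and not part of this article), the following Python script performs the same check on an exported DER certificate, so a copy of the EAP-TLS certificate can be inspected off the controller; the sample input is a constructed skeleton certificate, not a real one, and real DER files are parsed the same way.

```python
# Added example (not LANCOM code): read a DER X.509 certificate's signatureAlgorithm OID.
SIG_ALG_NAMES = {                      # RFC 3279 / RFC 4055 OIDs for the article's algorithms
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_to_str(content):
    """Decode OBJECT IDENTIFIER content octets (base-128 arcs) to dotted form."""
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:               # a clear high bit ends the arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name) of the outer signatureAlgorithm field (RFC 5280, 4.1.1.2)."""
    tag, start, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (decode PEM first)")
    _, _, tbs_end = _tlv(der, start)                # skip tbsCertificate entirely
    _, alg_start, _ = _tlv(der, tbs_end)            # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)  # its OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    oid = _oid_to_str(der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown (" + oid + ")")

def needs_recreation(der):
    """True when the certificate is MD5-signed, i.e. the case Step 1 tells you to fix."""
    return signature_algorithm(der)[1] == "md5WithRSAEncryption"

def _der(tag, content):                # short-form lengths only; builds the sample below
    return bytes([tag, len(content)]) + content

def sample_cert(oid_hex):
    """Constructed skeleton, NOT a real certificate: empty tbsCertificate + AlgorithmIdentifier."""
    alg_id = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))
MD5_RSA_OID_HEX = "2a864886f70d010104"     # 1.2.840.113549.1.1.4
SHA256_RSA_OID_HEX = "2a864886f70d01010b"  # 1.2.840.113549.1.1.11
```

To check a real exported certificate, pass `open("eaptls.der", "rb").read()` to `signature_algorithm`; a PEM file must be base64-decoded between its BEGIN/END lines first.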