Description:
When using certificates with the MD5 signature algorithm, some devices do not respond to the request from the RADIUS server during 802.1X authentication. This is the case with Apple iPhones and iPads, for example.
LANCOM Systems does not recommend the use of MD5 because of its vulnerabilities and recommends using SHA-256 instead.
Because the EAP-TLS certificate was issued by the device's own CA, all certificates must be deleted and then re-created.
This document describes how to reset the certificates on a LANCOM WLAN controller. The new certificates are created with the SHA-256 signature algorithm.
Step 1: Check the signature algorithm in use
1.1) Open an SSH session on the LANCOM WLAN controller and log in with administrator rights.
1.2) Enter the command show eap (as of LCOS 10.70 the command is show eaptls). If Signature Algorithm shows md5WithRSAEncryption, the EAP-TLS certificate was created with the MD5 signature algorithm and you are affected by the problem.
Step 2: Reset/turn off the certificate tree
2.1) Switch to the Certificates directory with the command cd /Setup/Certificates.
2.2) Enter the command default -r.
2.3) Enter the command cd\ to return to the root directory.
Step 3: Delete the SCEP and EAP-TLS files from the file system
3.1) Switch to the Contents directory with the command cd /Status/File-System/Contents.
3.2) Enter the command ls to display the contents of the file system.
3.3) Using the command del <File-name>, delete all files with the term “scep” or “eaptls” in the file name (e.g. del scep_crl).
3.4) Also delete the file controller_pkcs12_int with the command del controller_pkcs12_int.
Step 4: Restart the device
4.1) Enter the command do /Other/Cold-Boot to restart the WLAN controller.
Step 5: Check whether a general challenge password has been entered
5.1) In LANconfig, open the configuration of the LANCOM WLAN controller and make sure that a password is entered under Certificates → Certificate handling → General challenge password.
If no password is entered here, close LANconfig and then reopen the configuration in LANconfig. After reopening, an automatically generated general challenge password will have been entered.
Step 6: Enable the certificate authority
6.1) Go to the menu Certificates → Cert. authority (CA) and make sure that the CA is enabled.
Step 7: Check the newly created EAP-TLS certificate
7.1) On the CLI, enter the command show eap (as of LCOS 10.70 the command is show eaptls). If sha256WithRSAEncryption is shown, the EAP-TLS certificate was created with the signature algorithm SHA-256.
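As an independent check alongside show eap, here is an added example (not LANCOM code) that reads the outer signatureAlgorithm OID straight from an exported DER-encoded certificate and flags the MD5 and SHA-256 variants the article names. The sample_cert() skeleton, the function names and the extra SHA-1 entry are assumptions constructed for the demo.

```python
# Added example, not LANCOM code: read Certificate.signatureAlgorithm from a DER X.509
# certificate with the standard library only. sample_cert() builds a constructed skeleton.

WEAK = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",   # the algorithm named in the article
        "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}  # assumed extra entry, also deprecated
ACCEPTABLE = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def _tlv(buf, pos):
    """Return (tag, contents, position after element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER contents into dotted notation (base-128 arcs)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:               # a clear high bit ends the arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of Certificate.signatureAlgorithm, the 2nd element of the outer SEQUENCE."""
    tag, cert, _ = _tlv(der, 0)
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, after_tbs = _tlv(cert, 0)    # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)
    tag, oid, _ = _tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)

def classify(der):
    """Return (algorithm name, 'weak' | 'ok' | 'unknown') for the certificate."""
    oid = signature_algorithm(der)
    status = "weak" if oid in WEAK else "ok" if oid in ACCEPTABLE else "unknown"
    return {**WEAK, **ACCEPTABLE}.get(oid, oid), status

def sample_cert(alg_oid_hex):
    """Constructed skeleton: SEQUENCE { SEQUENCE {}, AlgorithmIdentifier, BIT STRING }."""
    alg_id = bytes.fromhex("0609" + alg_oid_hex + "0500")            # OID + NULL params
    body = bytes.fromhex("3000") + bytes([0x30, len(alg_id)]) + alg_id + b"\x03\x01\x00"
    return bytes([0x30, len(body)]) + body

if __name__ == "__main__":
    print(classify(sample_cert("2a864886f70d010104")), classify(sample_cert("2a864886f70d01010b")))
```

For a real certificate, pass the bytes of the exported DER file (for PEM, base64-decode the body between the BEGIN/END lines first) to classify().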