When using certificates with the MD5 signature algorithm, some devices do not respond to the request from the RADIUS server during 802.1x authentication. This is the case with Apple iPhones and iPads, for example.
LANCOM Systems does not recommend the use of MD5 because of vulnerabilities and recommends using SHA-256 instead.
Since the EAP-TLS certificate was generated by the device CA, all certificates must be deleted and then re-created.
This document describes how you reset certificates on a LANCOM WLAN controller. New certificates are created using the signature algorithm SHA-256.
Important:
The CA of the WLAN controller is deleted and re-initialized, so the access points have to obtain new certificates from the WLAN controller. For this purpose, the access points should be reset to the factory settings.
Step 1: Check which signature algorithm the EAP-TLS certificate uses
1.1) Open an SSH session on the LANCOM WLAN controller and log in with administrator user rights.
1.2) Enter the command show eap. If Signature Algorithm is set to the algorithm md5WithRSAEncryption, then the EAP-TLS certificate was created with the signature algorithm MD5. This means that you are affected by the problem.
Info:
Alternatively, this analysis can be performed using a RADIUS server trace on the WLAN controller. If the Challenge Request contains the string md5WithRSAEncryption, you are affected by the problem.
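The same check can be made offline against an exported certificate rather than on the controller CLI. The following Python script is an added example and not LANCOM code: it reads the outer signatureAlgorithm OID of an X.509 certificate (DER or PEM) with a minimal ASN.1 walker, maps it to the OpenSSL-style name shown by show eap, and flags weak algorithms. It goes beyond the page in also treating SHA-1 as weak. The stub certificate and the sample show eap output it contains are constructed test data, and the "Signature Algorithm: ..." line format is assumed.

```python
"""Detect an MD5 (or otherwise weak) signature algorithm on an EAP-TLS certificate.

Added example, not LANCOM code. The stub certificate built by
build_stub_certificate() is constructed test data: structurally valid DER,
but with an empty subject and a meaningless signature value.
"""
import base64
import re

# PKCS#1 RSA signature algorithm OIDs (1.2.840.113549.1.1.x)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# MD5 is the case from the page; MD2 and SHA-1 are added because they are
# likewise deprecated for certificate signatures.
WEAK_ALGORITHMS = {"md2WithRSAEncryption", "md5WithRSAEncryption", "sha1WithRSAEncryption"}

# Constructed sample of what `show eap` output might look like (format assumed).
SAMPLE_SHOW_EAP = "EAP-TLS certificate:\n  Signature Algorithm: md5WithRSAEncryption\n"


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(data):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [data[0] // 40, data[0] % 40]
    value = 0
    for byte in data[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def load_certificate(data):
    """Accept DER bytes or PEM (str/bytes) and return DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def certificate_signature_algorithm(data):
    """Return the outer signatureAlgorithm of a certificate as a name (or raw OID).

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(load_certificate(data), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier SEQUENCE
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)  # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return SIGNATURE_OIDS.get(oid, oid)


def is_weak(algorithm_name):
    """True if the certificate must be replaced (MD5 case from the page, plus MD2/SHA-1)."""
    return algorithm_name in WEAK_ALGORITHMS


def show_eap_signature_algorithm(cli_output):
    """Pull the Signature Algorithm value out of `show eap`-style text."""
    m = re.search(r"Signature Algorithm\s*:\s*(\S+)", cli_output, re.IGNORECASE)
    return m.group(1) if m else None


# --- helpers that build the constructed stub certificate (test data only) ---
def _tlv(tag, body):
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def build_stub_certificate(sig_oid):
    """Constructed: minimal Certificate SEQUENCE whose signatureAlgorithm is sig_oid."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                                 # serial only
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL
    sig = _tlv(0x03, b"\x00" * 9)                                         # dummy BIT STRING
    return _tlv(0x30, tbs + alg + sig)


def to_pem(der):
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        name = certificate_signature_algorithm(build_stub_certificate(oid))
        print(name, "-> replace" if is_weak(name) else "-> ok")
    print(show_eap_signature_algorithm(SAMPLE_SHOW_EAP))
```

To use it on a real export, pass the PEM or DER bytes of the controller's EAP-TLS certificate to certificate_signature_algorithm(); a result of md5WithRSAEncryption corresponds to the md5WithRSAEncryption shown by show eap and means the reset procedure below is needed.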
Step 2: Reset/turn off the certificate tree
2.1) Switch to the Certificates directory with the command cd /Setup/Certificates.
2.2) Enter the command default -r.
2.3) Enter the command cd \ to return to the root directory.
Step 3: Delete SCEP and EAP-TLS files from the file system
3.1) Switch to the Contents directory with the command cd /Status/File-System/Contents.
3.2) Enter the command ls to display the contents of the file system.
3.3) Using the command del <File-name>, delete all files with the term “scep” or “eaptls” in the file name (e.g. del scep_crl).
3.4) Also delete the file controller_pkcs12_int with the command del controller_pkcs12_int.
Step 4: Restart device
4.1) Enter the command do /Other/Cold-Boot to restart the WLAN controller.
Step 5: Test whether a general challenge password has been entered
5.1) In LANconfig, open the configuration of the LANCOM WLAN controller and make sure that a password is entered in the menu Certificates → Certificate handling → General challenge password.
If no password is entered here, close LANconfig and then reopen the configuration in LANconfig. After reopening, an automatically generated general challenge password will have been entered.
Step 6: Enable the certificate authority
6.1) Go to the menu Certificates → Cert. authority (CA) and make sure that the CA is enabled.
Step 7: Check the newly created EAP-TLS certificate
7.1) On the CLI, enter the command show eap. If sha256WithRSAEncryption is shown, the EAP-TLS certificate was created with the signature algorithm SHA-256.