APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2024-09-16 09:35 PM
Hello,
I am configuring 802.1X / EAP-TLS in our network, and both NMC2 and NMC3 cards refuse to cooperate. Every time I try to import a private key in the EAPOL configuration wizard, I get a "Bad key / Certificate" error. I have tried different formats, names, everything I could think of, with the same result.
Cards I've tried to configure: AP9631 (v7.1.2) and AP9641 (v2.5.0.6 / 2.5.0.8)
I've configured a number of different devices before, from printers to NVRs and IP cams, and I never had a problem like this.
I've seen a topic here about the same problem marked "Solved", but there was no working solution in it. Or, perhaps, I failed to see it.
Is there any known solution to this? Thank you.
Posted: 2025-02-11 10:45 PM
Hello,
I have not tried this myself due to the available resources that we have. However, we have shared the document attached to end-users/customers to configure this and they were able to successfully configure EAPoL/802.1x.
One difference I noticed between these instructions and what the customer has done is how the certificates are loaded to the NMC (web vs FTP), as well as enabling it via CLI.
Ensure the NMC firmware is updated as per the below:
Removing bag attributes from the public certificate:
If you are using the NMC Security Wizard CLI to generate the certificate, ensure you download the latest version from our website. You can try to use version 1.0.0 and see if the issue is the same.
You can always contact your local CCC team and register a case for more investigation if the issue still persists.
Regards,
Karim
Posted: 2025-02-10 07:15 AM
Did you ever find a solution here? I had a go at it last year but couldn't get it to take the client cert and key regardless of formats for the certs. I was seeing the same errors as you, also running v2.5.0.6 for NMC3s.
Posted: 2025-02-13 01:54 AM
I tried the steps from the document but still face issues with the certs. The NMC3 is up to date (v2.5.3.2).
I can upload certs and key over FTP or SCP, and it seems the CA cert is OK (it says it's OK in the web GUI and CLI), but it will just not accept the private key and client cert. Normally the private key will stay in the directory, but the client cert immediately disappears after copying; then, when I reboot the NMC, the private key file is gone too.
Is there any more info you have around how the private keys are generated? I'm using openssl OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
Or do you have any more information on how the clients that have this working generated the private key and certs?
I don't think the NMC Security Wizard CLI can be used here as the private keys it generates are .p15 format
Here is what I use to create the private key and CSR:
openssl req -new -nodes -newkey rsa:4096 -keyout privatekey.key -out cert-csr.csr
It's then signed by windows CA.
I've tried converting said private key to both DER and PEM format with a .key extension. Also, when adding the key via the web, I get different errors depending on whether it's a PEM or DER formatted key. Both are RSA and not encrypted.
PEM private key error in web:
Active EAPoL Settings
--------------------
Status: disabled
Supplicant Name: EU-NLDOE-IDF3-UPS01
Passphrase: <not set>
CA file Status: Valid Certificate
Private Key Status: File not found
Public Key Status: File not found
Result: Failed
apc>eapol -S enable
E108: EAPoL disabled due to invalid/encrypted certificate
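A pre-flight checker for the files being uploaded, added here as example code (not APC/Schneider tooling and not from any post in this thread): it strips the "Bag Attributes" and subject=/issuer= lines that Karim's document refers to, tells PEM from DER, and flags an encrypted key, one of the two conditions the E108 message names. The sample inputs are constructed placeholders, not real keys or certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, headers, der_bytes)] for each armored block, ignoring any
    text outside the BEGIN/END lines (bag attributes, subject=/issuer= lines)."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]   # Proc-Type / DEK-Info lines
        b64 = "".join(ln for ln in lines if ":" not in ln)
        blocks.append((label, headers, base64.b64decode(b64, validate=True)))
    return blocks

def strip_bag_attributes(text):
    """Re-emit only the armored blocks as 64-column base64. Headers of an
    encrypted key are kept, because the cipher parameters live there."""
    out = []
    for label, headers, der in pem_blocks(text):
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        hdr = "\n".join(headers) + "\n\n" if headers else ""
        out.append(f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n")
    return "".join(out)

def check(data):
    """Summarize a file (bytes) so a bare "Bad key / Certificate" rejection can be
    narrowed: PEM vs DER, block labels, encrypted key, plausible ASN.1 payload."""
    if data[:1] == b"\x30":          # raw DER: outer SEQUENCE tag, no armor
        return {"format": "DER", "blocks": 0, "labels": [], "encrypted": False}
    blocks = pem_blocks(data.decode("latin-1"))
    enc = any(lab == "ENCRYPTED PRIVATE KEY" or any(h.startswith("Proc-Type: 4,ENCRYPTED")
              for h in hdrs) for lab, hdrs, _ in blocks)
    return {"format": "PEM" if blocks else "unknown", "blocks": len(blocks),
            "labels": [b[0] for b in blocks], "encrypted": enc,
            "asn1_ok": bool(blocks) and all(b[2][:1] == b"\x30" for b in blocks)}

# Constructed samples: the DER payload is a placeholder SEQUENCE { INTEGER 5 },
# not a real certificate; the "encrypted key" body is dummy ciphertext.
FAKE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_CERT = ("Bag Attributes\n    localKeyID: 01 02 03\nsubject=CN = Test Supplicant\n"
               "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER).decode()
               + "\n-----END CERTIFICATE-----\n")
SAMPLE_ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: "
                  "DES-EDE3-CBC,0123456789ABCDEF\n\nAAAAAAAAAAA=\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check(SAMPLE_CERT.encode()), check(SAMPLE_ENC_KEY.encode()), check(FAKE_DER))
    print(strip_bag_attributes(SAMPLE_CERT), end="")
```

To run it over your own exports, replace the constructed samples with the result of reading each file in binary mode.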
Posted: 2025-02-17 08:07 AM
Hi @fiwi221,
I haven't worked with this for some years, but I did keep some notes from testing this with openssl & freeradius:
# Create a private key
# Doing this separately from REQ so we can specify the pkcs format
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -des3 -out testcard.key -pass pass:supersecretpassword
# Create a signing request
openssl req -new -out testcard.csr -key testcard.key -config conf/eap-client.cnf
My memory is hazy on exactly why this was done in two steps instead of using `--keyout` during `req` - but I am lazy enough that I'm positive it wasn't for fun.
My eap-client.conf has:
[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = supersecretpassword
output_password = supersecretpassword
req_extensions = v3_req
[ v3_req ]
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://example.com/crl.pem
[client]
countryName = IE
stateOrProvinceName = Galway
localityName = Galway
organizationName = Lab
emailAddress = user@example.org
commonName = "Test Supplicant"
I don't recall how much of this was so I could automate CSRs without input, and how much was actually necessary - but I suspect `clientAuth` is there for a good reason because my CA scripts go to some effort to propagate v3_req into the signing, which again isn't something I'd do for fun.
I also believe I had problems with 4096-bit client certs (not CA certs) and was using 2048 for a reason. This was approx. 5 years ago, so I don't know if that's changed.
Hopefully these notes are of some use.
Posted: 2025-02-24 02:09 AM
Thanks, your example of how to create the key has helped progress. When following your example with generating the key separately and using the "v3_req" in the config file I can now load the certs in via the web interface and they are all accepted! I also tried with 4096-bit certs too and that seems to work and the certs upload and show accepted.
I'm still facing issues with the NAC giving some ssl/handshake errors but I think that's more something on the NAC configuration side that I am working through now.