802.1x Profile - PEAP/EAP-MSCHAPv2

I'm trying to connect my new retina Macbook Pro to our enterprise network, and am having trouble with the 802.1x profile. Looking at the settings on my Windows PC, I need to use PEAP/EAP-MSCHAPv2, but OSX Lion seems to default to PEAP/EAP-GTC. With these settings, I'm able to connect to the network but cannot access any network resources.
I'm using the iPhone Configuration Utility to generate the 802.1x profile package. As far as I can tell, I am unable to change the inner authentication method with this application. Anyone out there have any suggestions on how I can resolve this?

The prompt is specified when you create the profile on the machine. You can either have the user get prompted for login, save a username and password, or use the cached credentials. You need to look at the errors in RADIUS and in the WLC. One will have enough info to say what went wrong during the authentication process.

Similar Messages

  • Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

    Hello,
    I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EAP-PEAP & EAP-MSCHAPv2 authentication.
    The RADIUS SERVER is M$ IAS.
    Authentication is working with a laptop, but it is not with my phone.
    The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
    Does somebody know what I should change in my phone's configuration to make it work?
    Thanks,
    Those who enjoy marching in ranks to music:
    it can only be by mistake that they were given a brain;
    a spinal cord would amply suffice for them. -- Albert Einstein

    Hi,
    Sorry for the late answer since I was "out of the office" for a while
    So here is the process to get the certificate.
    Log in to your IAS Server.
    Open the IAS Service Application.
    Go to "Remote Access Policies".
    Choose the policy that applies to "Wireless Connection".
    Click "Edit Profile" button.
    Choose "Authentication" Tab.
    Click "EAP Methods"
    Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
    The Next Window will show you the Certificate Issuer Name & Expiration Date.
    Then, click "Start" Button.
    Choose "Run".
    Type "mmc" in the "Run" box.
    Click "File" & Choose "Add/Remove Snap-In".
    Click "Add" Button.
    Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finish.
    Click "Close" & "OK" Button.
    Expand the "Certificates - Current User" Entry & "Intermediate Certification Authorities" & Select "Certificate".
    The left window will show you a list of certificates. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
    "Right click" on the certificate, choose "All Tasks", then "Export".
    In the new window, click "Next" Button.
    Choose "DER Encoded Binary X.509 (.cer)" entry & click "Next" Button.
    Choose a suitable location.
    Click "Next" Button & "Finish" Button.
    Certificate is now exported.
    You have to install it on your Phone now.
    The most simple way is to copy the certificate on a Web Server and access it with your phone.
    Hope that helps, if you did not already succeed.
    Those who enjoy marching in ranks to music:
    it can only be by mistake that they were given a brain;
    a spinal cord would amply suffice for them. -- Albert Einstein

  • ACS 5.5 MAB Notebook do Host-Lookup then also send PEAP (EAP-MSCHAPv2) requests

    Hello Community,
    I have a problem: one Notebook in our environment authenticates successfully with Host-Lookup (MAC-Address) and gets the right VLAN, but then also permanently sends PEAP (EAP-MSCHAPv2) requests with a different Username (the Username is not a MAC-Address). It is the Computername of Windows.
    What is the problem here?
    Thanks

    Hello Sebastian. A few questions:
    - How is the supplicant configured on the Windows machines?
    - Is 802.1x enabled on the supplicant?
    - If possible please attach screenshots of the supplicant's configuration
    - Is this for wireless, wired or both?
    - Can you post screenshots of the ACS log page for those events along with a screenshot of the "detailed screen" for one of those events
    Thank you for rating helpful posts!

  • EAP-PEAP & EAP-MSCHAPv2 freezes phone

    I am having trouble connecting to my school's WPA network.
    They have put up a guide that looks like this:
    http://www.lan.kth.se/kthopen/wpa/phones/S60.html
    I have also tried this:
    /discussions/board/message?board.id=connectivity&thread.id=12900
    However, every time I try to connect through the access point my phone freezes at "Connecting via [name of network]". I can't press cancel; however, the power button still works and the screen saver starts.
    I appreciate any help, thanks!
    EDIT: I use a Nokia e51
    Message Edited by heinrisch on 25-Aug-2008 12:41 PM

  • 802.1x - EAP-MSCHAPv2 / LDAP on ACS 4.2

    Is it possible to use PEAP EAP-MSCHAPv2 with LDAP?

    No, LDAP doesn't support MSCHAPv2. Here is the authentication protocols/database matrix:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
    Thanks,
    Tarik

  • 802.11X PEAP/EAP-GTC wireless problems

    I have a WPA2 wireless network that uses PEAP/EAP-GTC to authenticate. The token in this case is an RSA key, where the credentials expire after 60 seconds. I have two problems.
    First. The Macbook continuously wants to use keychain to provide cached credentials anytime it reauthenticates me. I can click Deny and it will prompt me with the login window, and this login window has a checkbox for 'Only use password once', which I check. But it still wants to use cached credentials each time. Is this fixable? I have tried deleting the entry in the keychain but it always gets recreated when I authenticate on the WLAN in question.
    Second has to do with sleep mode. If the laptop goes to sleep, it will not prompt me to reauthenticate unless I turn off the airport adapter and turn it back on, or reboot. This is a bigger problem.
    Any ideas?

    Any ideas here? The problem is getting worse. I have to fiddle with airport settings for 15 minutes sometimes to get authenticated. XP/Vista clients on the same network get on the first time, every time.

  • My internet provider uses 802.1x profile with MD5 protocol.

    I want to set up a wireless network at home with an AirPort Extreme. With it I cannot connect to the internet. My provider uses 802.1x verification with the MD5 protocol. I was trying to make a new profile with iPCU (iPhone Configuration Utility) but found that MD5 is no longer supported.
    How can I connect the AirPort Extreme?

    Unfortunately, I did not find in the article how to configure the profile.
    Previously, in Mac OS Snow Leopard or earlier, it was possible to choose the authentication type: TTLS, EAP, TLS, EAP-FAST, LEAP, MD5.
    At present, in the iPCU (iPhone Configuration Utility) it is possible to choose: TLS, TTLS, LEAP, PEAP, EAP-FAST, EAP-SIM.
    In the manual for iOS 5 it is written that in the new OS the MD5 protocol is not supported.
    Does it mean that I cannot connect to the local provider?

  • Trouble with 802.1x profile

    Hi there,
    I work at a University, and after a recent network change all of our campus wifi networks require 802.1x authentication. This works fine for all but a couple of labs which use laptops, and thus require an 802.1x profile be built for the loginwindow so students can use their AD accounts to log in.
    I should probably also mention that the accounts are mobile accounts, and are removed after logoff (via a LogoutHook). We're running OS X 10.8.5 through 10.10.2.
    So far, I've built n-thousand variations of the 802.1x profile in ProfileManager, but am still completely unable to get this working.
    I'll start off with a rough overview of our security settings, and what I've done so far:
    WPA2 Enterprise, PEAP with MSCHAPv2
    When logged in to a machine, trusting the following certificates and saving the user-supplied credentials will successfully allow a user to reconnect unprompted for credentials, but the (seemingly) same settings in the 802.1x profile don't work (or I'm configuring it incorrectly).
    Symantec Class 3 Secure Server CA - G4
    VeriSign Class 3 Public Primary Certification Authority - G5
    Also, the leaf / radius server certificate becomes trusted, but does not have to be explicitly downloaded (as far as I know- but I have tried supplying it as well).
    In the 802.1x profile, I've tried just about every permutation of settings I can think of, but I'll outline my general process (in case I'm missing something).
    I add the certificate payload with the 2 certificates listed above (I've also tried it with the leaf certificate).
    In the network payload, I
    1) enter the SSID
    2) set to AutoJoin
    3) set WPA2 Enterprise security
    4) check "Use as LoginWindow configuration"
    5) check PEAP under protocols
    6) add a 'filler' name to OuterIdentity (everything I read said it doesn't matter what's entered)
    In the Trust tab:
    7) check the 2 certificates added in the cert payload
    8) enter the FQDN of the RADIUS server (xxx-radius.xx.xxxxx.edu) in the Trusted Server Certificate Names (this is the same as the cert for the server found in Keychain Access)
    I've figuratively tried millions of variants (e.g. add the leaf cert to the cert payload / trust settings | add no cert payload, just radius server fqdn under TSCN section | etc.)
    Any tips on what I'm doing wrong?
    Thank you,
    Eric

    Hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
    Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
    A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.
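
The loginwindow profile settings listed in this thread (certificate payload, trusted certificates, trusted server names, "Use as LoginWindow configuration") can be checked mechanically in the exported .mobileconfig. The following is an added example, not code from the thread or from Apple; the key names are those of Apple's configuration profile format, and the sample SSID, server name and UUIDs are constructed.

```python
import plistlib

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}
PEAP = 25  # EAP method number Apple profiles use for PEAP

def lint_wifi_profile(profile_bytes, loginwindow=True):
    """Return findings for every Wi-Fi payload in a .mobileconfig plist."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    # UUIDs of the certificate payloads shipped in the same profile
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in CERT_TYPES}
    findings = []
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        if PEAP not in eap.get("AcceptEAPTypes", []):
            findings.append("PEAP (25) missing from AcceptEAPTypes")
        if not eap.get("TLSTrustedServerNames"):
            findings.append("TLSTrustedServerNames is empty")
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        if not anchors:
            findings.append("no PayloadCertificateAnchorUUID entries")
        for uuid in anchors:  # each anchor must point at a shipped certificate
            if uuid not in cert_uuids:
                findings.append(f"anchor {uuid} has no certificate payload")
        if loginwindow and "Loginwindow" not in p.get("SetupModes", []):
            findings.append("SetupModes lacks Loginwindow")
    return findings

def sample_profile(anchor, modes, names):
    """Constructed sample: one CA payload plus one WPA2 Enterprise payload."""
    ca = {"PayloadType": "com.apple.security.root",
          "PayloadUUID": "CA-UUID-0001",            # constructed value
          "PayloadContent": b"constructed-placeholder-not-a-real-cert"}
    wifi = {"PayloadType": "com.apple.wifi.managed",
            "PayloadUUID": "WIFI-UUID-0001",        # constructed value
            "SSID_STR": "ExampleCampus", "AutoJoin": True,
            "EncryptionType": "WPA2", "SetupModes": modes,
            "EAPClientConfiguration": {
                "AcceptEAPTypes": [PEAP], "OuterIdentity": "anonymous",
                "TLSTrustedServerNames": names,
                "PayloadCertificateAnchorUUID": [anchor]}}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [ca, wifi]})

if __name__ == "__main__":
    print(lint_wifi_profile(sample_profile("CA-UUID-0001", ["Loginwindow"],
                                           ["radius.example.edu"])))
    print(lint_wifi_profile(sample_profile("CA-UUID-9999", [], [])))
```
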

  • PEAP EAP-MSCHAP v2

    Hi!
    Does anyone know if the router WRT320N or any other Linksys router (wireless or wired) supports 802.1x authentication, particularly PEAP EAP-MSCHAP v2? I'm connected to a network that provides access to the internet via ethernet cable and 802.1x authentication. I'd like now to connect several devices to the network through a router, but I'm not sure if the WRT320N can log on to the network, because of the 802.1x authentication.
    Thanks!

    No. They don't support 802.1X authentication (neither supplicant nor authenticator). The WRT and all Linksys branded routers are consumer routers. 802.1X authentication is a business feature which you may find in Cisco Small Business or better devices.

  • Use Nokia N8 to Connect 802.1X WIFI through EAP-PE...

    I have read a lot of articles on this forum, and the conclusions I get are:
    In the Nokia system, if you would like to connect to an 802.1X wifi with EAP-PEAP, you MUST have the CA issued from your wifi AP.
    1. My question is, is the CA necessary?
    2. If the CA is necessary, and I really can't get the CA, is there any method to connect to EAP-PEAP wifi without the CA?
    Because I found that most systems, like Windows, iOS and Android, can tolerate the lack of a CA; why does Nokia's system insist on this?

    Guys, did you find a workaround for this?
    Anyone know if this is addressed in the upcoming update "Anna"?
    I am really frustrated.

  • Nokia 500 EAP-MSCHAPv2 support?

    So apparently I am trying to connect to a WLAN network (Eduroam) that needs EAP-MSCHAPv2 protocol but apparently I can't see it in EAP protocols list.
    So is there really no EAP-MSCHAPv2 support in Nokia 500?
    And is EAP-MSCHAPv2 protocol something that can be fixed within a software or is it a hardware issue? Will it be added to Symbian Belle update which every Nokia 500 owner is so desperately waiting for?
    It's a pity, since even older models (S60v3) supported EAP-MSCHAPv2 protocol and as far as I know, all other Symbian Anna phones support it.

    Hi there,
    I have the same phone and the same problem you described but I can not connect to wifi even after updating to Nokia Belle. I created an access point WPA EAP. I selected EAP-PEAP. I can not find EAP-MSCHAPv2 so I selected EAP-PEAP and I selected PEAPv0 (I read somewhere that is the same thing).
    I set my username and domain but it is still saying authentication failure. With my N900 I was able to connect.
    Any idea what I am doing wrong?
    Thanks!

  • Does Updating To Lion From Snow Leopard Delete All Existing 802.1X Profiles

    Hello.
    I Was Just Wondering If I Installed Lion On My White Macbook Running The Latest Version Of Snow Leopard, Whether My 802.1x Profiles Will Be Migrated Across Or Deleted.
    Many Thanks

    I did, and my profiles are gone, and if you look at other posts, they cannot be easily added.
    I am accessing my 802.1x profiles when I start up from Snow Leopard, and my question would be how I could import the profiles from Snow Leopard?
    Helga

  • What happened to my 802.1X profiles in LION?

    Hi there,
    The 802.1X profiles I had are not only gone when I installed Lion, but now the system does not allow me to create them anymore. Why do you oblige me to use a config file? I just do not see the advantage of making things more complicated. I think that adding the config file option is nice, but just do not remove the old way, which worked perfectly.
    Best regards,
    Antonio.

    Done. I somehow did not find that forum when I posted the question (that's why I highlighted in caps the word LION: to make it clear that it was not for the SL forum).
    Thanks,
    Antonio.

  • Do I need to add a 802.1x profile to allow others to use my wifi?

    Before I upgraded to Mountain Lion visiting family members were able to use my internet. Now some cannot even though I have given them my password. Do I need to add a 802.1x profile? Does this mean my router?

    I cannot amend my initial post as I incorrectly described the display so here is an update.
    As far as I have read and experienced with purchasing two such displays, this model came with a Mini Displayport to DVI adapter not a HDMI to DVI adapter.
    I think I need an HDMI to Mini Displayport adapter so I can use the Mini Displayport to DVI adapter that came with the display.
    Here is the display:
    Apple Cinema Display 23-Inch Aluminum
    The Apple 23-Inch Cinema Display (Aluminum) (M9178LL/A) is designed to match the Power Macintosh G5 and PowerBook G4 models. It features a 23-inch (1920x1200) wide-format active-matrix LCD display with 16.7 million colors, 170 degree viewing angle, and a response time of 16 ms. It sports dual FireWire 400 and dual USB 2.0 ports on the back of the display.
    Picture is here if link is allowed:
    http://www.sellyourmac.com/mac-product-guides/cinema-display.html
    http://www.sellyourmac.com/images/stories/mac-guides/apple_cinema_display_20_inch_aluminum.jpg

  • 802.1x RADIUS with EAP-TLS/EAP-TTLS & Dynamic VLAN Assignment

    Hello, My team is looking for switches supporting 802.1x authentication on either EAP-TTLS or EAP-TLS protocols with dynamic VLAN assignment enabled for these. Looking at the data sheets of the Linksys desktop switches, I found only SLM224G4PS and SLM224G4S models to support EAP-TLS or EAP-TTLS. Am I right? Do they support Dynamic VLAN Assignment for either of those protocols? This is not explicitly mentioned in the data sheets, and I happen to find switches from other manufacturers that announce to support EAP-TLS/EAP-TTLS but no dynamic VLAN assignment. Thank you for any help.

    SLM switches do support 802.1x RADIUS with EAP-TLS/EAP-TTLS unlike the SRW switches which support MD5. But I don't think that they support Dynamic VLAN.
