802.1x & Windows Authentication

Hi there, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP, MD5 or PEAP (on the clients)?
And what are the challenges if Windows user account passwords are changed frequently?
Can anybody explain the advantages and disadvantages of 802.1x before I deploy it in the network?

There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have an "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7, where machine auth is enabled when you enable user auth.
MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAF on the ACS side is just another form of auth where the user ID and password are the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "MAC address user accounts" so that they can have a password that matches their user name.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf

Similar Messages

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of IOS, Android, and Windows 7/8 devices. IOS and Android devices can self-create a wireless profile and, after entering credentials, can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of user authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is: why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a Windows device to the ISE-enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1x computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different. The Windows device would auto-select user authentication by default. At other customer sites, Windows devices auto-select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010

    Hi
    My company has implemented 802.1x Wired authentication, we use GPO to specify a Wired Profile that uses a COMPUTER certificate.
    We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
    This issue only occurs intermittently, but has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
    I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995, KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the issue still occurs.

    Hi,
    From the description, you suspect the DHCP request causes this issue. Would you please send us the packets? It seems that you have looked into the traffic and found some clues.
    Meanwhile, I found the following hotfix which may be related to this issue.
    No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
    Next Action Plan:
    1.Clean Boot
    a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
    b. In the Startup tab, click the "Disable All" button.
    c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
    ======================================================
    Clean Boot + binary search
    In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
    You can enable half of all the services in the Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until we find out the root cause. Please let me know if this action plan is OK for you.
    2.Collect etl trace on the problematic client.
    netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
    ****Try to reproduce this issue****
    netsh trace stop
    Please send the net.etl to us for underlying analysis.
    For any concerns, please let us know.
    Best regards,
    Steven Song

  • 802.1x port authentication and Windows Radius, possible?

    Hello,
    I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? See, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
    Thanks

    Andy:
    Yes, of course you can use whatever RADIUS server as a AAA server for 802.1x authentication on the switches: NPS, IAS, ACS, Open RADIUS, etc.
    If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in Google to help yourself.
    See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • VWLC 802.1x NPS authentication Fails

    Hi Guys,
    Hopefully someone can help me with the following problem I'm facing...
    I've a vWLC running 7.3 deployed in our HQ site.
    At the HQ we have a W2k8 R2 NPS deployed that works fine for VPN, Router and Switch Authentication.
    In a few remote branch offices which are connected to the HQ over DMVPN we have a couple of 3500's running in flexconnect mode with local switching.
    These AP's register just fine through the VPN link back to the vWLC.
    We deployed a few SSID's that are bound to AP groups.
    All SSID's that use WPA2 with PSK work fine
    All SSID's that use WPA2 with 802.1x Fail
    The Security Settings for the failing SSID's are:
    WPA2 Policy
    WPA2 Encryption AES
    Key Man 802.1x
    AAA Server is pointing to the right NPS for Auth and Accounting
    Radius overwrite IF is disabled
    The settings of the NPS are:
    Conditions:
    Win Group: DOMAIN\Groupxx
    NAS Port Type: Wireless - IEEE 802.11
    Settings:
    EAP Conf: Configured
    Access Perm: Granted
    EAP Method: MS PEAP
    Auth Method: EAP
    NAP Enforcement: Allow full access
    Update non complient: True
    Service Type: Login
    When a laptop (Mac OS 10.8) tries to connect to an 802.1x SSID, it prompts for a username and password.
    Using DOMAIN\user + password, the client tries to authenticate a couple of times and fails.
    On the vWLC I can see the trap:
    AAA Authentication Failure for UserName:user  User Type: WLAN USER
    At the NPS i can see:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
    Security ID:                              DOMAIN\user
    Account Name:                              user
    Account Domain:                              DOMAIN
    Fully Qualified Account Name:          dom.com/OU/OU/OU/USER full name
    Client Machine:
    Security ID:                              NULL SID
    Account Name:                              -
    Fully Qualified Account Name:          -
    OS-Version:                              -
    Called Station Identifier:                    34-a8-4e-70-0b-90:test.sec
    Calling Station Identifier:                    10-40-f3-8f-ac-62
    NAS:
    NAS IPv4 Address:                    IP vWLC
    NAS IPv6 Address:                    -
    NAS Identifier: VWLC001
    NAS Port-Type:                              Wireless - IEEE 802.11
    NAS Port:                              1
    RADIUS Client:
    Client Friendly Name: vWLC001
    Client IP Address:                              IP vWLC
    Authentication Details:
    Connection Request Policy Name:          Use Windows authentication for all users
    Network Policy Name:                    Cisco WiFi
    Authentication Provider:                    Windows
    Authentication Server:                    FQDN NPS server
    Authentication Type:                    PEAP
    EAP Type:                              -
    Account Session Identifier:                    -
    Logging Results:                              Accounting information was written to the local log file.
    Reason Code:                              23
    Reason:                                        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    Hopefully someone can point me in the right direction.
    Cheers,
    JP

    Find below the output of the debug:
    (Cisco Controller) >
    (Cisco Controller) >*Dot1x_NW_MsgTask_4: May 27 10:08:51.567: 00:21:6a:72:3c:ec apfMsRunStateInc
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *apfMsConnTask_1: May 27 10:09:41.389: 10:40:f3:8f:ac:62 apfMsAssoStateInc
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:41.429: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:41.429: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:41.429: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.473: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 5)
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000000: 02 00 00 32 01 05 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Not sending EAP-Failure for STA 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Station 10:40:f3:8f:ac:62 setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000000: 01 00 00 0e 02 05 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Processing RSN IE type 48, length 20 for mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Received RSN IE with 0 PMKIDs from mobile 10:40:f3:8f:ac:62
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 Setting active key cache index 8 ---> 8
    *apfMsConnTask_1: May 27 10:09:54.637: 10:40:f3:8f:ac:62 unsetting PmkIdValidatedByAp
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
    *dot1xMsgTask: May 27 10:09:54.676: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *dot1xMsgTask: May 27 10:09:54.676: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *dot1xMsgTask: May 27 10:09:54.676: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *dot1xMsgTask: May 27 10:09:54.676: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *dot1xMsgTask: May 27 10:09:54.676: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 01 00 00 0e 02 01 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=1) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 00000000: 02 01 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:54.717: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 4) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 01 01 00 00 ....
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Received EAPOL START from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 10:40:f3:8f:ac:62 Sending 802.11 EAPOL message to mobile 10:40:f3:8f:ac:62 WLAN 5, AP WLAN 3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000000: 02 00 00 32 01 03 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000010: 6b 69 64 3d 73 65 63 75 72 65 2c 6e 61 73 69 64 kid=secure,nasid
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000020: 3d 45 49 4e 44 2d 56 57 4c 43 30 30 31 2c 70 6f =EIND-VWLC001,po
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.717: 00000030: 72 74 69 64 3d 31 rtid=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received 802.11 EAPOL message (len 18) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 01 00 00 0e 02 03 00 0e 01 6a 65 61 6e 70 61 75 .........jeanpau
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000010: 6c 73 ls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received EAPOL EAPPKT from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_USER_NAME(1) index=0
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLING_STATION_ID(31) index=1
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_CALLED_STATION_ID(30) index=2
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT(5) index=3
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_VAP_ID(1) index=7
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_SERVICE_TYPE(6) index=8
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_FRAMED_MTU(12) index=9
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_EAP_MESSAGE(79) index=11
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Adding AAA_ATT_MESS_AUTH(80) index=12
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 AAA EAP Packet created request = 0x13a375e4.. !!!!
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Sending EAP Attribute (code=2, length=14, id=3) for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 00000000: 02 03 00 0e 01 6a 65 61 6e 70 61 75 6c 73 .....jeanpauls
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *Dot1x_NW_MsgTask_2: May 27 10:09:59.756: 10:40:f3:8f:ac:62 Unable to send AAA message for mobile 10:40:F3:8F:AC:62
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 Filtering AAA Response with invalid Session ID - proxy state 10:40:f3:8f:ac:62-02:00
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
    *radiusTransportThread: May 27 10:10:41.513: 10:40:f3:8f:ac:62 [BE-resp] AAA request requeued OK
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Radius EAP/Local WLAN 5.
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 [BE-resp] Requeue failed. Returning AAA response
    *radiusTransportThread: May 27 10:11:11.529: 10:40:f3:8f:ac:62 AAA Message 'Timeout' received for mobile 10:40:f3:8f:ac:62
    *Dot1x_NW_MsgTask_2: May 27 10:11:11.529: 10:40:f3:8f:ac:62 Processing AAA Error 'Timeout' (-5) for mobile 10:40:f3:8f:ac:62
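A debug of this length is easier to read once it is reduced to per-client counts. The following is an added example, not part of the original post or of any Cisco tool: it tallies the event types visible in the debug above (identity requests and responses, requests sent to RADIUS, AAA responses and their status) and gives a coarse verdict. The verdict names and the second client's lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# "*<task>: <Mon DD HH:MM:SS.mmm>: <client MAC> <message>", as in the debug above.
# Hex-dump lines ("00000000: 02 00 ...") carry no MAC at that position and are skipped.
LINE = re.compile(
    r"\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.+)$",
    re.IGNORECASE,
)
AAA_RESP = re.compile(r"\[BE-resp\] AAA response '([^']+)'")
EVENTS = [
    ("identity_request", re.compile(r"Sending EAP-Request/Identity")),
    ("identity_response", re.compile(r"Received Identity Response")),
    ("radius_sent", re.compile(r"\[BE-req\] Sending auth request to 'RADIUS'")),
    ("no_fallback", re.compile(r"Local EAP not enabled .*No fallback attempted")),
    ("max_identity_retries", re.compile(r"Reached Max EAP-Identity Request retries")),
    ("id_mismatch", re.compile(r"mismatching id")),
]

def parse_events(text):
    """Return [(client_mac, event_name), ...] for every recognised debug line."""
    out = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        mac, msg = m["mac"].lower(), m["msg"]
        resp = AAA_RESP.search(msg)
        if resp:
            out.append((mac, "aaa:" + resp.group(1)))
            continue
        for name, pattern in EVENTS:
            if pattern.search(msg):
                out.append((mac, name))
                break
    return out

def verdict(c):
    """Coarse classification; the labels are this example's own, not WLC terms."""
    answered = sum(n for k, n in c.items() if k.startswith("aaa:") and k != "aaa:Timeout")
    if c["radius_sent"] and c["aaa:Timeout"] and not answered:
        return "radius-timeout"      # requests left the controller, no reply was accepted
    if c["radius_sent"] and answered:
        return "radius-answered"     # look at the server's accept/reject reason instead
    if c["identity_response"] and not c["radius_sent"]:
        return "never-forwarded"     # client answered, nothing was sent to AAA
    return "inconclusive"

def summarize(text):
    per_client = defaultdict(Counter)
    for mac, event in parse_events(text):
        per_client[mac][event] += 1
    return {mac: {"counts": c, "verdict": verdict(c)} for mac, c in per_client.items()}

# Lines for 10:40:f3:8f:ac:62 are taken from the debug above (shortened selection);
# the lines for 00:11:22:33:44:55 are constructed.
SAMPLE = """\
(Cisco Controller) >*dot1xMsgTask: May 27 10:09:41.428: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 1)
*dot1xMsgTask: May 27 10:09:41.429: 00000000: 02 00 00 32 01 01 00 32 01 00 6e 65 74 77 6f 72 ...2...2..networ
*Dot1x_NW_MsgTask_2: May 27 10:09:41.471: 10:40:f3:8f:ac:62 Received Identity Response (count=1) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:41.472: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*Dot1x_NW_MsgTask_2: May 27 10:09:46.474: 10:40:f3:8f:ac:62 Sending EAP-Request/Identity to mobile 10:40:f3:8f:ac:62 (EAP Id 3)
*Dot1x_NW_MsgTask_2: May 27 10:09:46.526: 10:40:f3:8f:ac:62 Received Identity Response (count=2) from mobile 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:46.527: 10:40:f3:8f:ac:62 [BE-req] Local EAP not enabled on WLAN 5. No fallback attempted
*Dot1x_NW_MsgTask_2: May 27 10:09:51.528: 10:40:f3:8f:ac:62 Reached Max EAP-Identity Request retries (3) for STA 10:40:f3:8f:ac:62
*Dot1x_NW_MsgTask_2: May 27 10:09:51.686: 10:40:f3:8f:ac:62 Received EAP Response packet with mismatching id (currentid=0, eapid=5) from mobile 10:40:f3:8f:ac:62
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*radiusTransportThread: May 27 10:10:11.489: 10:40:f3:8f:ac:62 [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
*radiusTransportThread: May 27 10:10:24.729: 10:40:f3:8f:ac:62 [BE-resp] AAA response 'Timeout'
*dot1xMsgTask: May 27 10:12:00.000: 00:11:22:33:44:55 Sending EAP-Request/Identity to mobile 00:11:22:33:44:55 (EAP Id 1)
*Dot1x_NW_MsgTask_5: May 27 10:12:00.050: 00:11:22:33:44:55 Received Identity Response (count=1) from mobile 00:11:22:33:44:55
"""

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, info["verdict"], dict(info["counts"]))
```
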

  • 802.1x and Authentication Methods

    Hi,
    I have ACS 5.2, Cisco 4507 switches and an AD domain environment.
    Planning on performing only machine authentication and not user authentication.
    I have the following types of devices:
    1. Windows XP SP3 and higher on the AD Domain
    2. Devices to be installed with third-party supplicants as they natively don't support 802.1x.
    If I ignore device type 2, and only consider device type 1, am I able to simply configure 802.1x for authentication based on machine against AD, without having to use any certificates at all?
    Taking device type 2 into account, given the devices are not on the domain and I don't want to manually enter details into ACS, will I need to use a certificate for authentication?
    Thanks

    Hi,
    > Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.
    [ANS] Yes, you always need a certificate on the ACS, but it can be a self-signed certificate that you can create with 2 clicks on the ACS itself. On the client machines you only have to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.
    > I was thinking for devices that not on the domain, to load certificate on the machine.
    If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
    [ANS] Yes, you can. Non-domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the device's certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate, the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.
    In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Help Please :) LInksys WRVS4400N 802.1X port authentication setup

    HI all,
    I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
    1x Linksys WRVS4400N
    1x Microsoft Server 2003 with IAS and Active Directory services
    1x Dell Laptop (Used for testing Radius Authentication)
    I created 4 VLAN(s) to test with this LAB
    VLAN 1 Management. Addr Range 192.168.1.0 /24. GW 192.168.1.254
    VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
    VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
    VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
    This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
    Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
    Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
    Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
    Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
    VLAN 1: Default
    Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
    VLAN 10: Servers
    Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
    VLAN 20: IT
    Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
    VLAN 30: Design
    Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
    This is how my Radius is setup
    Mode: Enabled
    RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
    UDP Port: 1812
    Secret: Password1
    Port(s) 1 & 2: Force Authorized
    Port(s) 3 & 4: Force UnAuthorized
    On the Server this is what I have configured
    1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
    2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
    Tunnel-Medium-Type: 802
    Tunnel-PVT-Group-ID: 20
    Tunnel-Type: Virtual LAN
    My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV. I tested everything else and made sure the VLANs were working OK, so what I did was take a Dell Laptop and join it to my domain. I plugged the Dell Laptop into port 4 to test Radius Authentication. When I tried to log in as User1 it didn't work.
    I am new to setting up 802.1X, I wanted to know if I missed a setting or I misconfigured something. I even ran wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything
    If anybody can help me out that would be great!
    Cheers
    Graham

    1. I don't think the WRVS4400N supports RADIUS assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port but the VLAN must be configured before.
    2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
    3. The VLAN configuration looks very odd to me. If I see it correctly you have:
    Port 1: General mode, PVID 1, 1U
    Port 2: General mode, PVID 10, 1T, 10U
    Port 3: Access mode, PVID ???, 20U, 30U
    Port 4: Access mode, PVID ???, 20U, 30U
    I wonder why you are even able to set this up...
    a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
    b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
    c. Ports 3 & 4 are in access mode. In access mode the port can only be a member of a single VLAN. What you post suggests that they are members of two VLANs. That should not even be possible to configure. If it is possible, then it is definitely incorrect. You must decide which VLAN these ports belong to.
    4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, in other words you disable the port completely. No traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
    5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
    6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
    7. Did you check with wireshark the traffic on the 802.1x client machine? Does it send something out? Does it receive anything?
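To check in a capture whether the IAS policy from the question really returns the three VLAN attributes (regardless of whether the WRVS4400N honours them), the Access-Accept can be decoded as below. This is an added example, not code from the thread; the attribute numbers and values are those of RFC 2868/RFC 3580, and the sample packets are constructed with a dummy authenticator.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13   # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_802 = 6   # RFC 2868: Tunnel-Medium-Type = IEEE-802


def parse_attributes(packet):
    """Split a RADIUS packet into (code, [(attr_type, value_bytes), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the captured data")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def vlan_assignment(packet):
    """Return (vlan_id or None, problems) for the RFC 3580 VLAN triple."""
    code, attrs = parse_attributes(packet)
    problems, found = [], {}
    if code != ACCESS_ACCEPT:
        problems.append(f"RADIUS code {code} is not Access-Accept (2)")
    for a_type, value in attrs:
        if a_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:   # 1-byte tag + 3-byte integer
                problems.append(f"attribute {a_type} has length {len(value)}, expected 4")
                continue
            found[a_type] = int.from_bytes(value[1:], "big")
        elif a_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte of 0x1F or less is a tag; otherwise it is part of the string.
            text = value[1:] if value[0] <= 0x1F else value
            found[a_type] = text.decode("ascii", "replace")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type missing or not VLAN (13)")
    if found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        problems.append("Tunnel-Medium-Type missing or not IEEE-802 (6)")
    if TUNNEL_PRIVATE_GROUP_ID not in found:
        problems.append("Tunnel-Private-Group-ID missing")
    return (None if problems else found[TUNNEL_PRIVATE_GROUP_ID]), problems


def build_packet(code, attrs, ident=1):
    """Build a constructed test packet; the all-zero authenticator is not valid on a real network."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: the reply the question's "IT LAN" policy should produce,
# and the same reply with Tunnel-Medium-Type left out.
GOOD_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
    (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),
    (TUNNEL_PRIVATE_GROUP_ID, b"20"),
])
INCOMPLETE_ACCEPT = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"),
    (TUNNEL_PRIVATE_GROUP_ID, b"20"),
])

if __name__ == "__main__":
    print(vlan_assignment(GOOD_ACCEPT))
    print(vlan_assignment(INCOMPLETE_ACCEPT))
```

Feed `vlan_assignment` the UDP payload of the server's reply exported from the capture; an empty problem list means the server side is complete and any remaining fault lies with the authenticator.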

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • Pb 802.1X Computer authentication

    Hello
    I want to know if some GPO parameters can prevent 802.1X computer authentication?
    Because we use ACS 4.1 and 802.1X PEAP authentication with VLAN assignment and MACHINE authentication only.
    Certain PCs work fine and others do not.
    And if we disconnect the PC from the domain and afterwards reconnect the PC to the domain, all works fine ==> Authentication is OK
    Do you have a solution that avoids removing the PC from the domain and rejoining it?
    Thanks for your help

    Hello
    When i do the command csagent -v the result is:
    ACSRemoteAgent version 4.1(3.12)
    and I have an Appliance ACS:
    Cisco Secure ACS 4.1.3.12
    Appliance Management Software 4.1.3.12
    Appliance Base Image 4.1.1.4
    CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
    and in the file cswinAgent i have this error
    CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    I don't know if this is what you want
    I have just changed the domain name (DOMAIN-TEST) for confidentiality reasons
    Thanks
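The CSWinAgent excerpt in the post above can be triaged mechanically. This added example (not from the thread or from Cisco) groups failures per account and flags machine accounts, whose names end in `$`; the line layout is inferred from the quoted lines only, and the error table holds standard Win32 codes, of which the excerpt shows only 1326.

```python
import re

# Lines copied from the post above (the poster had already replaced the domain name).
SAMPLE_LOG = """\
CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
"""

# Assumed layout: four opaque tokens follow the timestamp, then "<component>: <message>".
LINE_RE = re.compile(
    r"^CSWinAgent (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ \S+ \S+ \S+ (?P<source>\w+): (?P<msg>.*)$"
)
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Windows authentication FAILED \(error (?P<code>\d+)L?\)")
REATTEMPT_RE = re.compile(r"Reattempting authentication at domain (?P<domain>\S+)")

# Standard Win32 logon error codes (winerror.h).
WIN32_ERRORS = {
    1326: "ERROR_LOGON_FAILURE: unknown user name or bad password",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}


def summarize_failures(log_text):
    """Return {account: {"machine": bool, "failures": [(timestamp, code, domain)]}}."""
    summary = {}
    user = domain = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a CSWinAgent line in the assumed layout
        msg, stamp = m["msg"], f'{m["date"]} {m["time"]}'
        if msg.startswith("NT_MSCHAPAuthenticateUser received"):
            user = domain = None          # a new request starts
        elif (r := REATTEMPT_RE.search(msg)):
            domain = r["domain"]          # retry against an explicitly named domain
        elif (a := ATTEMPT_RE.search(msg)):
            user = a["user"]
        elif (f := FAILED_RE.search(msg)) and user:
            entry = summary.setdefault(
                user, {"machine": user.endswith("$"), "failures": []})
            entry["failures"].append((stamp, int(f["code"]), domain))
    return summary


def triage(summary):
    """Turn the summary into one finding line per (account, error code)."""
    findings = []
    for account, info in sorted(summary.items()):
        kind = "machine account" if info["machine"] else "user account"
        for code in sorted({c for _, c, _ in info["failures"]}):
            count = sum(1 for _, c, _ in info["failures"] if c == code)
            meaning = WIN32_ERRORS.get(code, "not in table, look up the Win32 error code")
            findings.append(f"{account} ({kind}): {count} failure(s), error {code} = {meaning}")
    return findings


if __name__ == "__main__":
    for line in triage(summarize_failures(SAMPLE_LOG)):
        print(line)
```

Error 1326 on a machine account that works again after rejoining the domain is consistent with the computer account password no longer matching AD, although the log alone does not prove that.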

  • 802.1x wired authentication to AD

    Wired authentication:
    This is what I want to accomplish:
    Switch - ACS 4.0 -> Active Directory
    Assume a new user is logging into the network for the first time and he starts his computer which has been configured for 802.1x PEAP. I have checked off the option 'Automatically use my Windows logon name and password' in LAN properties
    Now, after the computer starts, the user is presented with the regular Windows dialog logon box to which he hits Ctrl+Alt+Del and enters his Windows AD credentials. I want those credentials to be sent to the switch as part of the 802.1x logon. After the port is authorized, those same credentials should be passed onto Active Directory to become authenticated to the Windows network.
    Possible? I'm assuming this is the way it should & can work

    Hi, you need machine authentication as well. Otherwise Windows will not be able to verify the user's identity and cannot log the user in. Windows authentication of the user takes place before the switchport authenticates for the user. Machine authentication allows the computer to authenticate and get access to the network before the user logs in. Thus the user authentication CAN take place because the DC's are only available after machine authentication succeeded.

  • 802.1x Wireless Authentication

    Hello
    I am using a MS Certificate Server and MS Radius server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it in as a 509 anchor and other and still the same thing. Is anyone out there doing this?
    The windows says
    801x Authentication
    The Server Certificate could not be validated because the root certificate is missing.
    Thanks

    No, CA wasn't changed with R2.
    Are you able to see the User's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under the X509Anchors?
    In the login keychain, when looking at the Users certificate, does it show as valid?

  • NAP / 802.1x wired authentication issues

    NAP/NPS Server = 2012R2 NPS Role installed
    Client Switches: HP Proliant 5400 series
    Supplicant: Windows 7 Pro domain joined, built-in Windows 802.1x supplicant.
    We are using user and machine based authentication (to accommodate RDP sessions) with health checks (AV installed and Firewall enabled on all network profiles). User authentication policies are above Machine authentication policies in NPS so that when a user logs in, it supersedes the machine's authentication and switches VLANs based on the user's AD group membership. If a user or machine fails authentication, or fails the health check, they are quarantined on our 666 VLAN (We call it the Leper Colony!).
    Everything pretty much works...except one small thing...
    PROBLEM
    When a computer first boots up (maybe other times, I don't know), before presenting a user with a login screen, it gets...
    This topic first appeared in the Spiceworks Community

  • ADFS 3.0 Windows Authentication not working

    I recently upgraded from ADFS 2.1 and TMG 2010 as the reverse proxy to ADFS 3.0 and Web Application Proxy as the reverse proxy. I have upgraded to ADFS 3.0 successfully and it is working without anything changing to the end users. This is still using TMG 2010 as the reverse proxy.
    When I make the changes to use WAP as the reverse proxy, I get prompted with a forms based authentication page instead of the usual windows authentication screen. This poses a problem since this creates an extra step for people when logging on to our sites that use SSO since there's no "save password" box. I can move the traffic back to TMG and it's back to working like it should but we are looking to remove TMG very soon.
    When I am on the "inside" network connecting to ADFS without the reverse proxy, it works just fine.  However, ALL of our users are "outside" of the network will be using the reverse proxy.  None of the computers are domain joined.
    The issue seems to only be when using Web Application Proxy server to service ADFS SSO requests.....TMG servicing these requests does not have this issue.
    What's the difference?  How can I get this functionality back with WAP?

    Hi Eric,
    Based on my research, when publishing applications that use Integrated Windows authentication, the Web Application Proxy server uses Kerberos constrained delegation to authenticate users
    to the published application.
    To use Integrated Windows authentication, the Web Application Proxy server must be joined to an AD DS domain.
    More information for you:
    Web Application Proxy: Some applications are configured to perform backend authentication using Integrated Windows authentication but the server is not joined to a domain
    http://technet.microsoft.com/en-us/library/dn464299.aspx
    Best Regards,
    Amy

  • My MacBook Pro Retina's Bluetooth chipset unknown/odd login message on the login screen states Login Window Authentication Login window Name edit text has keyboard focus. In addition, the login screen is not remembering me

    I have been experiencing several issues with my MacBook Pro Retina mid 2012. My MBPR is scheduled to go into the depot. However, I am wondering if anyone may be able to shed light on a few issues as this is the third "official" time my MBPR is going back for service ("one depot" trip; "one authorized" dealer; several in-store visits).
    My Bluetooth is stating that the Bluetooth Chipset is Unknown (0). I also have had Bluetooth Preferences mysteriously change on me. In addition, while Bluetooth is off there are two serial modems turning on. I have turned them off, but they continue to pop up.
    In addition, when I log in, my MBPR is not remembering me and my login name is not appearing on the slate-gray screen. The name and password are blank and the following message appears in the lower left hand corner. "login window authentication login window Name edit text has keyboard focus."  As a side note, I am the only user. The login issue is a recent occurrence as we just totally wiped it again via a Command + R, and I don't believe I have an accessibility setting set to anything that would cause this, but wanted to check.
    Should I be concerned here? Has anyone else had issues like this? I don't want to worry if I don't have to. I have had so many issues over the course of nine months. 5-6 wipes. Airport card replaced and I am about to pull my hair out if my MBPR doesn't come back worldly like clock work this time. I just can't spend my days trying to get a $2300 product to work for me any longer. No idea what is wrong with it, but it is driving me insane. Cross your fingers for me and any guidance you have or thoughts would be welcomed. Thank you. EMM

    A few more issues...
    In Console, the following is greyed out:
    User and Diagnostic reports
    Com.apple.launchd.peruser.0
    Com.apple.launchd.peruser.88
    Com.apple.launchd.peruser.89
    Com.apple.launchd.peruser.92
    Com.apple.launchd.peruser.97
    Com.apple.launchd.peruser.200
    Com.apple.launchd.peruser.201
    Com.apple.launchd.peruser.202
    Com.apple.launchd.peruser.212
    *[user logs are accessible]
    Krb5kdc
    Radius
    My guest files are locked, but again I am the administrator of MBPR.
    I am worried about a keystroke logger or at least, trying to rule it out.
    Also:
    Mdworker32(225) [and other mdworker numbers] are sandboxing; stating deny Mach-lookup
    Com.apple.Powermanagement.control, etc. long attachment with those files with version: ??? (???).
    Postinstall: removing applications/Microsoft Office 2011/Microsoft Outlook.app
    WARNINGS in Console include:
    [NSImage compositeToPoint:fromRect:operation:fraction:] is deprecated in MacOSX 19.8 and later. Please use -[NSImage drawAtPoint:fromRect:operation:fraction] instead.
    There are a ton of other warnings. Before I go through this again, can someone tell me if this is normal (all of it -- above too); or if these are symptoms of a keystroke logger or hardware issues?
    I ask because originally, when my computer went in for diagnostics (more than once), Apple stated the hardware was fine (other than Airport Card -- finally). However, if I've done 5-6 total wipes; created new users; do not have sharing set-up; have not played around in Terminal; and am up-to-date with versions -- and various issues KEEP COMING BACK -- I am left wondering if a keystroke logger would be possible here?!? I thought maybe a faulty logic board, but why would diagnostics be okay, then? Not trying to be hyperbole, just desperate.
    Please help me rule keystroke logger out or at least, tell me so I know, so I can take appropriate action. If you think it could be the logic board with symptoms above, that would be great too.
    All I want to do is use the computer as intended, but I can't seem to get a real answer, so after nine months -- I am turning to the communities to see if anyone -- anyone at all -- can help. The last thing I can do is have the MBPR come back from the depot and the same thing occur. Any guidance or advice would be so gratefully appreciated.

  • How to resolve a windows authenticated orphaned user in Sql Server 2008 R2?

    Hi,
    We have some orphaned Windows authenticated users (domain) in the database since it was migrated from Sql Server 2005 to Sql Server 2008 R2, because there are no corresponding logins for the users. Would just adding the logins be sufficient, or after adding the logins should we also run sp_change_users_login @Action='update_one' to resolve any SID conflict? Thanking you in advance,
    With regards
    Binny Mathew

    Binny
    You have an issue with orphaned users if you use Mixed Authentication. If you use Windows and move the db to the new server, the Windows Login should exist on the new server already.
    Best Regards, Uri Dimant SQL Server MVP,
    http://sqlblog.com/blogs/uri_dimant/
