1200 AP and IAS authentication

I am just trying to verify that a Cisco access point will not allow windows clients to authenticate to a Microsoft IAS server without using a certificate. It looks as if you have two choices PEAP and SmartCard/Digital Certificate and that is it, am I correct?

The AP itself doesn't actually care about the protocols - it approves the authentication based on the instructions of the radius server, in your case IAS. You are correct, in that when using IAS and the built-in supplicant on windows your only choices are essentially EAP-TLS and EAP-PEAP.
Since the 802.1x authentication itself isn't encrypted or protected, its up to the EAP protocols to build in credential and privacy protections to its authentication method - the easiest way to do this is with certificate-based methods.
- mike

Similar Messages

  • WDS and IAS Authentication

    Hello !
    I'm trying to configure 15 Access Points AP1231 as follow :
    SSID1 mapped to VLAN 1 (also management VLAN) for Laptops. Encryption is WEP128 and Mac-authentication with Microsoft IAS server.
    SSID2 mapped to VLAN 10 (phone VLAN)for phones 7921. Encryption is WEP128 and there is no authentication fo the phones.
    I configure 1 AP as a WDS Master (priority 254). WDS registration works fine for all the 15 APs.
    My problem :
    it seems that when i activate WDS, MAC-authentication for ESSID1 doesn't work anymore (authentication failed for all the laptops).
    Can you help me ?

    WDS checks its local list for authentication . If the Mac address is not present it uses configured Radius server for authentication. Make sure Mac address is either in the Local list or Radius server. If you are using Radius server make sure Mac address is configured as user

  • 1200 AP and Proxy authentication?

    Hello,
    I currently have radius (Linux FreeRadius) working to authenticate admin access to the AP.
    Is it possible to authenticate user web requests through the 1200 AP using a radius server and the stock IOS? The current version is Version 12.2(13).
    I am setting up a hotspot for my office and want users to authenticate via radius before accessing the net.

    We can use virtual http (or telnet)
    All traffic from inside to outside on port 80 will be blocked by default.
    Users will have to http (or telnet) to a virtual ip and after authentication, a access-list will be downloaded from the radius server allowing traffic on port 80.
    Cut-through proxy (as in PIX) cannot be done on IOS.

  • MAC authentication, 1200 WAP's, IAS

    I am setting up WPA and MAC authentication on a number of 1200 series access points. In my testing, I've got WPA/EAP working fine with username and password, but I'd like to add MAC filtering as well using IAS, but can't get it to work.
    I think the problem lies with the MAC "username" and "password" that the AP passes to IAS. Is both the username AND password the MAC of the wireless client NIC?
    Thanks,
    Jason

    Thanks, but I've searched Google quite a bit and not found the answer. I've also read the article you posted. In fact it is that article I used to create the initial setup.
    The article, however, states that the Cisco AP passes the shared secret to IAS/AD as the password for the MAC "username" in AD, but that does not appear to be the case. I am getting bad username or password in my IAS logs, but I know the username is set correctly as the AP passes it to the IAS logs and it matches what I've created in AD for username, so I believe it is a password issue.

  • IAS and MAC authentication

    Hi, I´m having some trouble to authenticate the users with EAP and MAC authentication, i´m using IAS server and the EAP authentication is working well, but when I configure the MAC and EAP authentication, it doesn´t connect to the clients.
    Any idea how can I solve this problem??
    Thansk

    I think MAC authentication is not supported in IAS , you can do MAC address filtering on AP

  • Cisco ACS 4.2 and Radius authentication?

    Hi,
    I have a Cisco ACS 4.2 installed and using it to authenticate users that log on to switches using TACACS+, when I use local password database, everything is working. But if i try to use external database authentication using a windows 2008 radius server, I have problem that I can only use PAP, not CHAP. Anyone who know if it's possible to use CHAP with external radius authentication?

    To access network devices for administrative purpose, we have only three methods available :
    [1] Telnet : Which uses PAP authentication protocol between client and the NAS device. So the communication between Client and NAS is unencrypted,  and when this information flows from NAS to IAS server gets encrypted using the shared secret key configured on device/IAS server.
    [2] SSH : Which uses  public-key cryptography for encrypting information between client and the NAS device, i.e, information sent between client 
    and NAS is fully secure. And the communication between NAS and IAS is encrypted using shared secret same as above. Good point on SSH side is that commincation channel is secure all the time.Again the authentication type would remain same that is PAP.
    [3] Console:Which is also the same it will not allow to use MSCHAP as there is no need to secure it as you laptop is connected directly to the NAS and then if you are using TACACS it will encrypt the payload .
    Summarizing, we cannot use CHAP, MS-CHAP, MS-CHAP V2 for communication between client and NAS device or administrative access.
    And the most secure way to administer a  device is to use SSH.
    Rgds, Jatin
    Do rate helpful post~

  • Portal Drive Single Sign On and Kerberos Authentication

    Hi,
    We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
    1. Can Kerberos and NTLM authentication be configured together.
    2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
    3. Any other approach to make Portal Drive SSO work.
    Helpful answers will be rewarded.
    Regards,
    Chandra

    Hi Gregor,
    I did two things:
    first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
    second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
    Again, this only worked after installing the latest vesion.
    Hope this helps
    Marcel

  • Graphics builder and os authentication

    I'm running on NT 4 sp6. I'm trying to get OS authentication working with graphics. It works great for forms and reports, but I cannot get graphics builder or the graphics runtime to work with os authentication. I've tried it with developer 2000 r2 and 6i release 2. Thanks is advance.
    null

    Is the state of OCCI and OS Authentication still the same? Or has it changed in the 2.5 years since this question was first asked and answered?
    I've yet to find any indication that it is now supported, but could I confirmation of that fact?
    If it is not, what is the Oracle recommended method for accomplishing this?

  • Remote users sending email - RBL and SMTP authentication

    I've read about the problem of using RBL's with remote Outlook IMAP/SMTP users who may be using dynamically assigned IP addresses. There is a good chance that they will be appear on the RBL and so not be able to send email via the GWIA.
    One work around is to have them send their email via their ISP's SMTP server, but this is a pain, because when they are back in the office, then need to switch their SMTP server back to the inhouse one.
    So on the GW 7.0.3 server running on SLES 10, I wondered if the one host could handle multiple GWIA's??
    1st existing GWIA:
    To handle the regular in/out email with RBL's protection on it.
    2nd new GWIA on a separate port but same IP address to handle just inbound email. This would be used by remote users and require authentication so no need for an RBL on it.
    Is this a sound approach?
    Any gotchas for setting up two gwia's on the one server and IP address besides separate ports?
    I am aware there is the option of using the Groupiwse client or webmail, but firstly these users don't want to change from 'LookOut" due to their address book synch with their mobile phones and secondly sometimes they like to use their smart phones for remote email synchronisation.

    Maybe I should simplify this a little...
    Can the one host handle multiple GWIA's??
    1st existing GWIA:
    To handle the regular in/out email with RBL's protection on it.
    2nd new GWIA on the same host and IP address, but on a separate port to handle just inbound email. This would be used by remote users and require authentication.

  • I am very disappointed with iTunes.  I have 1200 songs and I can't play them.  I try to play them and before one song finish a song starts playing. This then results in hearing two songs at the same time. I will like to know if you can fix this. I feel li

    I am very disappointed with iTunes.  I have 1200 songs and I can’t play them.  I try to play them and before one song finisha song starts playing. This then results in hearing two songs at the same time.I will like to know if you can fix this. I feel like listening with the iTunesplayer is useless.

    I don't know man I too hope apple will do something this new I-tunes blow my top lost my whole tune!!!

  • Can we provide UN and pwd Authentication 4r SMTP Mail Configuration

    Dear All,
    Previously we are able to send the mails from SAP to Outside World. After chaning the Mail Server to MS Exchange 2003
    We enabled the Port the 25.
    We are facing a problem While configuring a mail via SMTP for Exchange Server 2003.
    Throws an Error Message:
    Internal error: CL_SMTP_RESPONSE ESMTP error code is not known. 554 554 > : Recipient add
    As per network Team :
    Unless we provide a Username and password, the Send/Receive process does not happen.
    Is there any option in SAP - SMTP Mail Configuration to Provide user and password Authentication.
    I searched in SDN as well as in market place. but i could not succeed. Please guide me the process.
    Regards
    SNB.

    Hi we are configuring Google SMTP getting below error..
    No delivery to xxx.com, authentication required
    Message no. XS856
    Diagnosis
    The message was processed successfully in the SAP system. The mail server that is to receive the message for further processing requires authentication. Probably there is no logon data specified in the SAPconnect configuration.
    Information from external system (if available)
    smtp.gmail.com:587
    530 5.7.0 Must issue a STARTTLS command first. i91sm11178241qgd.25 - gsmtp
    Procedure
    Enter the logon data in the SAPconnect node.
    Using Gmail SMTP server using "smtp.gmail.com" with port 587
    Please advise.
    Regards,
    Sudarshan

  • XI 3.1 Client Tools and LDAP Authentication

    I have Business Objects XI 3.1 SP2 installed.  For the web clients (InfoView) single sign on and LDAP authentication are working correctly.  However when a user tries to log in using LDAP authentication to one of the client tools (Universe Designer, Webi Rich Client, etc) the error "Cannot access the repository (USR0013)" occurs with the following details:
    [repo_proxy 13] SessionFacade::openSessionLogon with user info has failed(Security plugin error: Failed to set parameters on plugin.(hr=#0x80042a01)
    Are there troubleshooting or setup guides dealing specifically with LDAP authentication with the various client tools?

    Make sure that the File and Printer Sharing for Microsoft Networks component is installed and enabled on your clients.
    Take a look at note 1272536 (http://service.sap.com/notes)
    Regards,
    Stratos

  • Username and Password authentication

    Hi,
    I am new to both JDBC and MSSQL. I've been connecting to msSQL server without providing username and password (DriverManager.getConnection(String url)). I am wondering how to enforce the username and password authentication so that username and password have to be verified before a connection is made. Thanks in advance.

    but where can I get the username & password? I can get
    the connection even with any username & password, why?Hi WeiHang,
    This is regarding the options you have set in the SQL Server. You have to choose from Windows NT authentication and SQL Server Authentication. If you give SQL Server authentication you have mentioned the username and password and you can connect to database simple using DSN(if you are using JDBC-ODBC). However if you choose WindowsNT authentication you donot specify the user name and password there and you have to enter the same at runtime.
    Hope this can help you

  • Get an error for changing the windows authentication mode to the both SQL and windows authentication mode

    I installed the SQL server Express 2008 R2 and then SQL Server Management Studio 2008 R2 . But during the installation, I could not choose the both SQL and windows authentication mode and an error accrued so I did that just with windows authentication mode. 
    Now, I want to change the windows authentication mode account to the SQL authentication mode but it shows me an error which is you do not have permission (Although I am the administrator in windows), what can I do?
    Following steps are the steps that I went but I got an error:
    Server properties >> security >> choose the option of SQL Server and Windows Authentication mode 
    and the error that I got is attached(access is denied)  
    Can you please help me?

    You can change the setting after you gain admin rights to your SQL Server. You don't admin rights automatically, you have to explicitly add yourself during the install
    Here's a guide on how to (re)gain those rights:
    http://v-consult.be/2011/05/26/recover-sa-password-microsoft-sql-server-2008-r2/

  • Cisco ISE (1.3) Posture and re-authentication

    Hello,
    With posture and re-authentication, during the re-authentication the posture status swithes to pending. This results in a redirect to client provisioning and a temperorly but unwanted state with no access to network resources.
    Is there a way to work around this?
    Regards,
    Dennis

     24423  ISE has not been able to confirm previous successful machine authentication  
    Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
    first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
    log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

Maybe you are looking for