802.11X port-level authentication or user-level authentication
I have read many online documents about 802.11x; all that I found call it port-level authentication.
It makes sense for a wired network, since we have a physical port: once the supplicant has been authenticated, his port is opened to transfer data.
And the same applies to a wireless network, but we do not have a physical port; we have a logical port.
I have read one document that mentioned that 802.11 is user-level authentication. Any comment about this?
Regards
Thanks steprodr
That means in both cases (wired, wireless) a client has to be authenticated to pass through the physical port or logical port to be able to access (use) network resources.
What is my interpretation (correct me) of your reply: that with the wire we call it port level, while with wireless (my conclusion, because you explicitly mentioned that) we do not call it port level (i.e. it is called user level)?
Similar Messages
-
AP 802.1X switched port-authentication
Hi,
I've set up EAP authentication (PEAP) to authenticate WLAN clients on an AP.
The AP is connected to a switch where the port is not configured for 802.1X.
On this switch port I enabled 802.1X in multi-host mode, to authenticate the AP as a client too, but since it has been enabled I have not been able to authenticate the WLAN client any more, because the port will not transition to Authorized.
If I connect a PC using 802.1X on the same port, this works fine.
Am I missing something to configure on the switch or AP?
Any suggestions are appreciated
Regards
Omar
Omar,
There's a gotcha with this... most likely a trunk issue...
Here is a snippet from the EAPOL guidelines:
Authentication Configuration Guidelines
This section provides the guidelines for configuring 802.1x authentication on the switch:
802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
802.1x is supported only on Ethernet ports.
Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1.
802.1x authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server.
802.1x authentication is not supported with the sc1 interface.
You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port.
You cannot enable trunking on an 802.1x port.
You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port.
You cannot enable DVLAN on an 802.1x port.
You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802.1x-enabled port.
You cannot enable the multiple-authentication option on an 802.1x-enabled auxiliary VLAN port. Enabling the multiple-host option on an 802.1x-enabled auxiliary VLAN is not recommended.
Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
Here is the url for the link:
http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029697 -
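The guideline list above is the kind of checklist a practitioner wants enforced mechanically before turning on 802.1X on a port that also carries trunking, a channel-group or a SPAN destination. The following Python is an added example, not code from the Cisco guide or from the thread: it reads IOS-style interface stanzas (the guide itself is written for CatOS, so the IOS syntax is an assumption), and flags dot1x-enabled ports that collide with three of the listed restrictions. The configuration text is constructed for illustration.

```python
"""Lint IOS-style interface stanzas for 802.1X ports that also carry a
feature the guidelines above say is incompatible (trunk, channel-group,
SPAN destination).  Added example; the config text is constructed."""
import re
from typing import Dict, List, Optional, Set

# Constructed running-config excerpt: one clean port, three bad ones.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description *** LINK TO AP ***
 switchport mode trunk
 dot1x port-control auto
!
interface GigabitEthernet1/0/2
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!
interface GigabitEthernet1/0/3
 switchport mode access
 channel-group 1 mode active
 dot1x port-control auto
!
interface GigabitEthernet1/0/4
 switchport mode access
 dot1x port-control auto
!
monitor session 1 source interface Gi1/0/2
monitor session 1 destination interface Gi1/0/4
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [sub-commands]} for every 'interface' stanza."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def short_name(ifname: str) -> str:
    """GigabitEthernet1/0/4 -> Gi1/0/4, so long and short forms compare equal."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z-]*(\S*)", ifname)
    return m.group(1) + m.group(2) if m else ifname


def span_destinations(config: str) -> Set[str]:
    """Interfaces named as SPAN destinations in global 'monitor session' lines."""
    return {
        short_name(m.group(1))
        for m in re.finditer(r"^monitor session \d+ destination interface (\S+)", config, re.M)
    }


def lint_dot1x(config: str) -> Dict[str, List[str]]:
    """Return {interface: [violations]} for dot1x-enabled ports."""
    findings: Dict[str, List[str]] = {}
    dests = span_destinations(config)
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith(("dot1x port-control", "authentication port-control")) for c in cmds):
            continue  # 802.1X not enabled here; nothing to check
        problems = []
        if "switchport mode trunk" in cmds:
            problems.append("trunk port: 802.1X is not supported on trunks")
        if any(c.startswith("channel-group") for c in cmds):
            problems.append("channeling port: remove channel-group before enabling 802.1X")
        if short_name(name) in dests:
            problems.append("SPAN destination: 802.1X cannot be enabled on a SPAN destination port")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for port, problems in lint_dot1x(SAMPLE_CONFIG).items():
        for p in problems:
            print(f"{port}: {p}")
```

Run it against `show running-config` output saved to a file instead of `SAMPLE_CONFIG`; the AP uplink in the thread (a trunk carrying several SSIDs' VLANs) would be reported on the first line.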
802.1x MAC-Address Based Authentication
I am wondering if we are going to see, or now have, the ability to authenticate hosts on the LAN with something other than a username/password? I am mostly concerned with ports on my network where the end device is a non-802.1x-compliant device. Does anyone have any insight as to what others are doing? Currently I am running ACS 3.3.2 and I am very successful in deploying 802.1x to ports on my LAN; however, we run a mix of Unix-based devices which are vendor supported, and printers are another source of concern.
We had pretty good luck using a ColdFusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.
We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.
Kind of a nice compromise of identity- and machine-based authentication without the complexities of PEAP/EAP-FAST etc. -
802.1x Blocking port (many devices to one port)
Hello!
On the ports of the Cisco 3750 there is authentication on 802.1x (MAB). I connect the "stupid" switch (that doesn't work with 802.1x) to the port, and the logs of the RADIUS server and the Cisco show that it was authenticated. Then I connect a device (laptop or PC) to the "stupid" switch, and then the port is blocked. However, the PC passes authentication on a direct connection to the Cisco.
I know that 802.1x provides for blocking the port when many MAC addresses connect to one port.
The "stupid" switch must be in a VLAN, and the devices (that are connected to the switch) must be in the same VLAN. Maybe they must be authenticated on the RADIUS server, or maybe I have to create an ACL with their MAC addresses...
How can it be solved? Help me, please.
P.S. Multi-auth is enabled.
Hi,
Along with all the other bits and pieces to invoke 802.1x on the switch,
maybe try adding this to the interface to "stupid":
interface gigabitethernet2/0/1
description *** LINK TO STUPID ***
dot1x port-control auto
dot1x host-mode multi-host
end
from the 12.2.55 config guide
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/sw8021x.html#wp1271507
Regards
Alex -
Port-Based Authentication on 877
Hi
I have applied the following commands to enable port-based authentication, but when I run the command sh mac address-table it shows a static MAC on this port (xx 0000.xxxx.xxxx STATIC Gi1/0/3).
authentication control-direction in
authentication event fail retry 1 action authorize vlan xx
authentication event no-response action authorize vlan xx
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
When I remove the command authentication port-control auto, then the sh mac address-table command shows me a DYNAMIC MAC.
Can anyone please explain to me why this is happening?
Regards,
Any input?
-
HT4718 WPA2 Enterprise 802.11x protocol with PAP authentication. Lion Reformat
My school has only the WPA2 Enterprise 802.11x protocol with PAP authentication. Because of this I cannot reinstall Lion as a fresh copy. I realized that I can download Lion again from the App Store. Can it do a fresh install?
I am having exactly the same problem as ecko04. I also tried to install the certificate provided by my university but it failed. Could somebody help us out? Thanks
-
802.1X Port Based Authentication - IP Phone - MDA - Port Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1X-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and goes into err-disable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth" and the laptop is connected to the phone, the port does not experience the security violation but the 802.1X authentication for the laptop fails.
The ports Gi1/0/1 & Gi1/0/2 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be greatly appreciated.
Donfrico
I am currently trying to get 802.1X port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
Are there special attributes that need to be configured on the switch or IAS? -
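The "stupid switch" thread above and this phone-plus-laptop thread both turn on which host mode the 802.1X port is running: single-host, multi-host, multi-domain (MDA) or multi-auth decide how many MACs the port admits and in which domain. The following Python is an added illustration of the documented semantics of the four Cisco IOS host modes; it is not the thread's code and not a diagnosis of either poster's problem. The phone MAC and the domain labels are constructed, and it assumes that a device only lands in the voice domain when the RADIUS server returns the voice device-traffic-class attribute, which is modelled here simply as the `domain` argument.

```python
"""Simulate how a Cisco IOS 802.1X port admits hosts under each host mode.
Added illustration of the documented behaviour; MACs and domains are
constructed, and 'domain' stands in for what RADIUS returned."""
from dataclasses import dataclass, field
from typing import List, Tuple

VIOLATION = "security-violation (port err-disabled under 'authentication violation shutdown')"


@dataclass
class Port:
    host_mode: str  # single-host | multi-host | multi-domain | multi-auth
    authorized: List[Tuple[str, str]] = field(default_factory=list)  # (mac, domain)
    err_disabled: bool = False

    def _seen(self, mac: str) -> bool:
        return any(m == mac for m, _ in self.authorized)

    def _domain_in_use(self, domain: str) -> bool:
        return any(d == domain for _, d in self.authorized)

    def admit(self, mac: str, domain: str, auth_ok: bool) -> str:
        """Return what happens when `mac` is seen on the port.

        domain is 'data' or 'voice'; auth_ok says whether 802.1X/MAB for
        this MAC succeeded.  In multi-host mode only the first host is
        authenticated and later MACs ride on its session."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if self._seen(mac):
            return "already authorized"
        mode = self.host_mode
        if mode == "single-host":
            if self.authorized:  # exactly one MAC allowed
                self.err_disabled = True
                return VIOLATION
        elif mode == "multi-host":
            if self.authorized:  # first host opened the port for everyone
                self.authorized.append((mac, domain))
                return "forwarded on first host's session (no authentication)"
        elif mode == "multi-domain":
            if self._domain_in_use(domain):  # one data + one voice device only
                self.err_disabled = True
                return f"{VIOLATION}: second {domain} device"
        elif mode == "multi-auth":
            if domain == "voice" and self._domain_in_use("voice"):  # one voice, many data
                self.err_disabled = True
                return f"{VIOLATION}: second voice device"
        else:
            raise ValueError(f"unknown host mode {mode!r}")
        if not auth_ok:
            return "authentication failed: not authorized"
        self.authorized.append((mac, domain))
        return f"authorized in {domain} domain"


def scenario(host_mode: str, phone_domain: str) -> List[str]:
    """Phone authenticates first, then a laptop shows up in the data domain.
    Phone MAC is constructed; the laptop MAC is the one from the log above."""
    port = Port(host_mode)
    return [
        port.admit("0004.f2aa.bb01", phone_domain, True),
        port.admit("24b6.fdfa.749b", "data", True),
    ]


if __name__ == "__main__":
    for mode, phone in (("multi-domain", "voice"), ("multi-domain", "data"),
                        ("single-host", "voice"), ("multi-host", "voice"),
                        ("multi-auth", "data")):
        print(f"{mode:13s} phone={phone:5s} -> {scenario(mode, phone)}")
```

The two multi-domain rows show the property worth remembering: MDA tolerates a second MAC only if the two devices land in different domains, so a phone that the RADIUS server does not mark as a voice device counts as the data device and any laptop behind it is a violation. Multi-host avoids the violation by forwarding every later MAC without authentication, which is a security trade-off rather than a fix.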
Help with 4506 802.1x Port Based Authentication (Wired)
Hi all,
I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
I've followed the procedures in the 4506 software configuration guide and they seem to be straightforward.
I then turn on 802.1x debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
I then execute the dot1x "initialize" command and also tried the "re-authenticate" command, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
The switch does not throw any errors when I configure FastEthernet 2/2 as an 802.1x port by executing
dot1x port-control auto
I've also configured the interface to be a plain L2 access port by executing
switchport mode access
Any help will be appreciated! -
802.1X Port Based Authentication Security Violation
(Same question, from the same poster, as the "802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation" entry above; the question text is not repeated here.)
Donfrico
I believe you need to configure re-authentication on this switch port:
! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server -
IEEE 802.1x Port based Authentication with Restricted VLAN
Hi all,
I have the following configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
interface FastEthernet0/1
switchport mode access
authentication event fail retry 1 action authorize vlan 2
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
But it takes quite a while for the user who is not authorized to be switched to VLAN 2.
I would like to know what the best practice is when using this kind of configuration, and whether it is possible to optimize how long it takes to switch the unauthorized user to the restricted VLAN?
Regards,
Laurent
Laurent,
Based on your configuration it looks as if it will take one retry attempt before the client is placed in VLAN 2. Try removing the 'retry 1' from the command and see if that speeds up the time. Also take the output of 'show authentication sessions interface '. Please post the output of 'debug radius authentication', as that will help to see how long it is taking the RADIUS server to respond.
thanks,
Tarik Admani -
802.1x TLS (machine certificate) authentication in Snow Leopard
Hi,
In our company we are using 802.1x TLS authentication for WLAN and on some LAN ports. We have been delivering machine certificates to our PCs for a while without problems, and these use the certificate to authenticate themselves before logging in to the network.
We would like to deliver the same user experience to Mac users, but we are having severe problems configuring them. Our Mac users use Snow Leopard, and the few references I found on the internet regarding 802.1x TLS authentication are for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.
We do have a proper machine certificate (with the correct usages, SAN, etc.) and its related AD object provisioned. I have created the 802.1x profile as a "User Profile" and as a "System Profile" with the same results.
I add the client logs below, but what I don't understand is why the client is announcing that it's going to use MSCHAP when that is not the case.
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
Lastly, the Keychain also has weird behavior. If we import a Root CA into the "login" and/or "System" keychain, mark it as "Always Trust" and later import a certificate created by this Root CA, the Keychain UI insists that the certificate "was signed by an unknown authority". From the logs below that does not seem to be the reason why the client is not able to use 802.1x TLS, but in any case that is a bug.
Client logs:
2010/05/14 10:37:12.872405 update_configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>13</integer>
</array>
<key>Description</key>
<string>Automatic</string>
<key>EAPFASTProvisionPAC</key>
<true/>
<key>EAPFASTUsePAC</key>
<true/>
<key>TLSIdentityHandle</key>
<data>
[Removed]
</data>
<key>TLSTrustedCertificates</key>
<array>
<data>
[In here we have our Internal Root CA we use to create Machine certificate and also to create the certificate used in our IAS Server (the RADIUS)
</data>
</array>
<key>TLSVerifyServerCertificate</key>
<true/>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
</dict>
</plist>
2010/05/14 10:37:12.968769 link up
2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
2010/05/14 10:37:12.972850 Receive Packet Size 77
Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 59
EAP Request (1): Identifier 1 Length 59
Identity (1)
length 59 - sizeof(*rd_p) 5 = 54
[Removed. In here there is our networkid,nasid and portid ]
2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>1</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:12.976795 EAP Request Identity
2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
2010/05/14 10:37:12.976832 Transmit Packet Size 39
Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 35
EAP Response (2): Identifier 1 Length 35
Identity (1)
length 35 - sizeof(*rd_p) 5 = 30
(Removed raw data with the SAN ]
2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>IdentityAttributes</key>
<array>
<string>networkid=[Removed our SSID]</string>
<string>nasid=[Removed our WLANC ID]</string>
<string>portid=29</string>
</array>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>2</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:13.022577 force renew
2010/05/14 10:37:13.025323 stop
* Has anyone been able to use 802.1x TLS-based authentication for Snow Leopard clients and is able to point me in the right direction?
* Does Apple provide any documentation for this? (All I found is that I should contact the "Network Administrator" to get the Mac configured!!!)
* How can I make a certificate issued by a "Private CA" trusted in Snow Leopard? All workarounds I found are not suitable for Snow Leopard.
Thanks
Jofre
Hi,
some updates: besides the Keychain UI issue and the strange logs, it seems that the request is reaching the RADIUS, a Windows IAS Server.
If we compare a PC and a Mac we have the following.
PC:
1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
Continues OK
While on a Snow Leopard are:
44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure
After analyzing the network traces we see that the difference is in the 3rd EAP packet:
PC:
4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
802.1X Authentication
Version: 1
Type: EAP Packet (0)
Length: 40
Extensible Authentication Protocol
Code: Response (2)
Id: 1
Length: 40
Type: Identity [RFC3748] (1)
Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM
Mac Snow Leopard:
46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
802.1X Authentication
Version: 1
Type: EAP Packet (0)
Length: 35
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 35
Type: Identity [RFC3748] (1)
Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM
That difference prevents our RADIUS (IAS Server) from authenticating the device properly, with the error:
User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
while in the PC case we have:
PC:
User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
Policy-Name = Allow Wireless Lan Access With Certificate
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
* Question 1: Is there a way to ensure that Snow Leopard adds the "host/" at the beginning of the Identity?
* Question 2: Has anyone been able to connect a Snow Leopard to a WLAN protected with 802.1x using TLS?
Thanks
Jofre -
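The two dissections above differ in exactly one field: the PC sends the Identity `host/SAN-NAME01.INTERNALDOMAIN.COM` and the Mac sends it without the `host/` prefix, and the EAPOL and EAP length fields shift accordingly. The following Python is an added example, not code from the thread: it builds both EAPOL-encapsulated EAP Response/Identity frames from the posted dissections (the PC's full source MAC is constructed, since only `IntelCor_c1:49:69` appears in the trace; the Cisco and Apple MACs are the ones shown), parses them back while validating every length field, and applies the `host/` check that decides whether IAS looks up a computer account.

```python
"""Build and parse EAPOL-encapsulated EAP Response/Identity frames and
check for the 'host/' machine-account prefix.  Added example; frame
contents are constructed from the dissections posted above."""
import struct
from typing import NamedTuple

ETH_P_EAPOL = 0x888E       # EtherType for 802.1X (EAPOL)
EAPOL_EAP_PACKET = 0       # EAPOL packet type: EAP-Packet
EAP_RESPONSE = 2           # EAP code: Response
EAP_TYPE_IDENTITY = 1      # EAP type: Identity (RFC 3748)


class EapIdentity(NamedTuple):
    src: str
    dst: str
    eapol_version: int
    eap_code: int
    eap_id: int
    identity: str


def _mac(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_identity_response(src: str, dst: str, eap_id: int, identity: str,
                            eapol_version: int = 1) -> bytes:
    """Ethernet + EAPOL + EAP Response/Identity, with lengths computed
    the way RFC 3748 / 802.1X define them (EAP length covers the 5-byte
    header plus the identity; EAPOL length covers the whole EAP packet)."""
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", eapol_version, EAPOL_EAP_PACKET, len(eap)) + eap
    return _mac(dst) + _mac(src) + struct.pack("!H", ETH_P_EAPOL) + eapol


def parse_identity_response(frame: bytes) -> EapIdentity:
    """Parse a frame, refusing anything whose length fields do not agree
    with the bytes actually present (a truncated or forged frame)."""
    if len(frame) < 14 + 4 + 5:
        raise ValueError("frame too short for Ethernet + EAPOL + EAP header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_EAPOL:
        raise ValueError(f"not EAPOL: ethertype 0x{ethertype:04x}")
    ver, ptype, plen = struct.unpack("!BBH", frame[14:18])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError(f"EAPOL type {ptype} is not an EAP-Packet")
    body = frame[18:18 + plen]
    if len(body) != plen:
        raise ValueError("EAPOL length exceeds captured frame")
    code, eid, elen, etype = struct.unpack("!BBHB", body[:5])
    if elen != plen or code != EAP_RESPONSE or etype != EAP_TYPE_IDENTITY:
        raise ValueError("not a well-formed EAP Response/Identity")
    identity = body[5:elen].decode("utf-8", "replace")
    return EapIdentity(_fmt_mac(src), _fmt_mac(dst), ver, code, eid, identity)


def is_machine_identity(identity: str) -> bool:
    """IAS/NPS computer authentication expects the 'host/<fqdn>' form."""
    return identity.startswith("host/")


# Constructed frames reproducing the two captures above.  The PC's first
# three octets are invented; the trace only shows IntelCor_c1:49:69.
PC_FRAME = build_identity_response("00:1b:21:c1:49:69", "00:11:5c:c7:14:90", 1,
                                   "host/SAN-NAME01.INTERNALDOMAIN.COM")
MAC_FRAME = build_identity_response("f8:1e:df:e4:88:5a", "00:11:5c:c7:14:90", 2,
                                    "SAN-NAME01.INTERNALDOMAIN.COM")

if __name__ == "__main__":
    for frame in (PC_FRAME, MAC_FRAME):
        r = parse_identity_response(frame)
        print(f"{r.src} -> {r.dst} id={r.eap_id} identity={r.identity!r} "
              f"machine={is_machine_identity(r.identity)}")
```

Fed the raw bytes of a capture (for example from a pcap of the EAPOL exchange on the authenticator's port), `parse_identity_response` gives you the identity string the RADIUS server will see in User-Name, which is the first thing to compare when one supplicant is granted access and another is rejected with "the specified user account does not exist".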
Prevent hub on a 802.1x switch port
Hi,
An 802.1x port on a switch will grant a hub access if there is an 802.1x PC connected to the hub.
Non-802.1x PCs can access the 802.1x network if they connect to the hub and spoof the MAC address of the 802.1x PC (the switch port uses single-host mode).
Does anyone know how we can prevent this access?
Thanks,
Gerard van Bon
Very true. I must have been in wonderland when I half-way thought that one through.
I am not sure whether dynamic ARP inspection would be helpful in this situation or not. If the ARP tables are built within the switch based upon DHCP snooping, the second host with the same MAC address would have to have a statically entered IP address in order to function. If it tried to obtain one via DHCP, the DHCP server would see that it had issued a specific IP address to that MAC address and would reissue the same IP address to the second host. I guess the second PC could NACK the DHCPOFFER. In this case you could watch your DHCP address allocation for the particular subnet, and if you have more addresses issued than you have ports, that could be an indication. Of course there are a few issues with that. Mainly, it would require a fairly static environment to do something like that.
Another problem, and this would be much easier to do from a PC standpoint, would be to set up the 802.1x-authenticated PC as a NAT device and connect the second or more devices behind it. (Windows makes this pretty easy now.) If a SOHO router (i.e. a Linksys-type device) were to support 802.1x, it could be plugged in and all devices placed behind it would be able to access the network based upon the NAT functions of the SOHO router. A user smart enough to spoof a MAC address to bypass network security will likely be aware of these methods as well.
Steve -
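The reply above reasons that a second host cloning the authenticated MAC would have to use a static IP address, because the DHCP server keeps handing the same lease to that MAC. That is exactly the gap DHCP snooping with dynamic ARP inspection and IP Source Guard close: every ARP or IP packet is checked against the (port, MAC, IP) bindings the switch learned from DHCP. The following Python is an added example, not code from the thread or from any switch vendor, that runs that binding check over constructed data; the laptop MAC is reused from the log earlier on this page, and all bindings, IPs and port names are constructed.

```python
"""Check observed (port, MAC, IP) triples against a DHCP snooping binding
table, the way dynamic ARP inspection and IP Source Guard do, to catch a
second host that clones an authorized MAC but runs on a static IP.
Added example; bindings and observations are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Binding(NamedTuple):
    mac: str
    ip: str
    vlan: int
    port: str


class Observation(NamedTuple):
    port: str
    mac: str
    ip: str
    kind: str  # 'arp' (checked by DAI) or 'ip' (checked by IP Source Guard)


# Constructed snooping table: the legitimate 802.1x host on Gi1/0/5 and
# an unrelated host on Gi1/0/6, both with DHCP-learned bindings.
SNOOPING_BINDINGS = [
    Binding("24b6.fdfa.749b", "10.1.20.51", 20, "Gi1/0/5"),
    Binding("0011.2233.4455", "10.1.20.52", 20, "Gi1/0/6"),
]

# Constructed traffic: the real host, then a second box behind a hub on
# the same port that spoofs its MAC but had to pick a static address.
OBSERVATIONS = [
    Observation("Gi1/0/5", "24b6.fdfa.749b", "10.1.20.51", "arp"),
    Observation("Gi1/0/5", "24b6.fdfa.749b", "10.1.20.99", "arp"),
    Observation("Gi1/0/5", "24b6.fdfa.749b", "10.1.20.99", "ip"),
    Observation("Gi1/0/6", "0011.2233.4455", "10.1.20.52", "ip"),
]


def index_bindings(bindings: Iterable[Binding]) -> Set[Tuple[str, str, str]]:
    """Binding table keyed the way the switch consults it per packet."""
    return {(b.port, b.mac, b.ip) for b in bindings}


def check_traffic(bindings: Iterable[Binding],
                  observations: Iterable[Observation]) -> Dict[str, List[Observation]]:
    """Return, per port, the observations whose (port, MAC, IP) has no
    binding: DAI would drop the ARPs, IP Source Guard the IP packets."""
    allowed = index_bindings(bindings)
    bad: Dict[str, List[Observation]] = defaultdict(list)
    for o in observations:
        if (o.port, o.mac, o.ip) not in allowed:
            bad[o.port].append(o)
    return dict(bad)


def ips_per_mac(observations: Iterable[Observation]) -> Dict[Tuple[str, str], Set[str]]:
    """One MAC on one port talking from more than one IP is the signature
    of the cloned-MAC hub scenario, even before bindings are consulted."""
    seen: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for o in observations:
        seen[(o.port, o.mac)].add(o.ip)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for port, obs in check_traffic(SNOOPING_BINDINGS, OBSERVATIONS).items():
        for o in obs:
            print(f"{port}: drop {o.kind} from {o.mac}/{o.ip} (no snooping binding)")
    for (port, mac), ips in ips_per_mac(OBSERVATIONS).items():
        print(f"{port}: {mac} seen with {sorted(ips)}")
```

The check catches the spoofed-MAC host because its static IP has no snooping binding, which is the outcome the reply predicts. It does not catch the NAT case the reply also raises: a NAT box behind the authenticated PC sends every packet with the PC's own MAC and bound IP, so both functions see one well-behaved host.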
Iron Port Transparent Authentication of Mobile Devices
Hello,
I have an IronPort S170 WSA running 7.5.0-833 and AD Agent (v1.0.0.32.1-build-598) installed on a Windows 2008 R2 server. Transparent authentication of Windows devices is working fine: users log in to their domain devices and show up in the cache on the server and in reports within the WSA.
I want to authenticate wireless devices such as iPads and Android phones transparently. I have configured Network Policy Server (NPS) on the Windows 2008 R2 server that has the AD Agent installed (NPS ports have been changed to 7777 and 7778 to avoid breaking the existing transparent authentication) using PEAP-MSCHAPv2 authentication. I have updated the group policy configuration so that the NPS server generates Audit Success messages when the user logs in successfully, but since the 802.1x authentication happens before the user gets an IP address they are no good.
NPS logs the MAC address of the connecting device as the Called-Station-ID, and the DHCP server also logs the MAC address to IP address mapping; I was hoping that the AD Agent would put that together. Has anyone had a similar issue and found a way to resolve it?
Thanks.
Hey, if you get anywhere with this I would LOVE to know how to do it.
Currently we have to put DHCP reservations in our DHCP server so that each handheld gets the same IP address all the time.
Then there is a separate policy in our S160 that has all of those IP addresses listed. It's a little more of a pain to manage, and in the event you wanted to do any kind of tracking, you have to do a little investigation work rather than being able to search by Active Directory user account name. -
Dear all,
Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that, when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password ("Change password on next login" is checked in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin, or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
Best regards,
Piotr
If this happens with all machines, then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
I am sorry if I am not able to help but I am not using the anyconnect for production.
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
802.1x computer-based network authentication (machine certificate)
Hello,
I am using my MBP for work and want to connect to my work's network.
We are using 802.1x network authentication based on a computer certificate. I joined my computer to our Microsoft Active Directory and created a computer certificate, which I imported successfully into the "System" store.
The only "Error description" is that my MBP tries to authenticate as "User".
How do I configure my network settings, to use "computer-based authentication" and use the computer certificate?
Regards,
Ben
Thanks, but in my case there is no administrator who can send me that configuration profile. I have to create a configuration profile for myself.
I could create a configuration profile for my client, and basically it uses a computer certificate to authenticate with the network. But finally the process is cancelled by the client. I tried the steps at OS X Server: How To Configure RADIUS Server Trust in Configuration Profiles when using TLS, TTLS, or PEAP - Apple Suppor… but finally the authentication was cancelled by the client, with the error ".. server certificate not trusted"
How should the computer certificate look like?
Is there a manual for the CA template?
Regards,
Ben