802.11 X port-level authentication or user-level authentication

I have read many online documents about 802.11x; in all that I found, it is called port-level authentication.
It makes sense for a wired network, since we have a physical port: once the supplicant has been authenticated, its port is opened to transfer data.
The same applies to a wireless network, but there we do not have a physical port; we have a logical port.
I have read one document that mentioned that 802.11 is user-level authentication. Any comment about this?
Regards

Thanks steprodr
That means in both cases (wired, wireless) a client has to be authenticated to pass through the physical port or logical port in order to access (use) network resources.
My interpretation of your reply (correct me) is that with wired we call it port level, while with wireless (my conclusion, because you explicitly mentioned that) we do not call it port level (i.e. it is called user level)?

Similar Messages

  • AP 802.1X switched port-authentication

    Hi,
    I've set up EAP authentication (PEAP) to authenticate WLAN clients on an AP.
    The AP is connected to a switch where the port is not configured for 802.1X.
    On this switched port I enabled 802.1X in multi-host mode to authenticate the AP as a client too, but since it has been enabled I have not been able to authenticate the WLAN client anymore, because the port will not transition to Authorized.
    If I connect a PC using 802.1X on the same port, this works fine.
    Am I missing something to configure on the switch or AP?
    Any suggestions are appreciated.
    Regards
    Omar

    Omar,
    There's a gotcha with this... most likely a trunk issue...
    Here is a snippet from the EAPOL guidelines:
    Authentication Configuration Guidelines
    This section provides the guidelines for configuring 802.1x authentication on the switch:
    802.1x will work with other protocols, but we recommend that you use RADIUS with a remotely located authentication server.
    802.1x is supported only on Ethernet ports.
    Software release 7.5(1) supports two in-band management interfaces, sc0 and sc1.
    802.1x authentication always uses the sc0 interface as the identifier for the authenticator when communicating with the RADIUS server.
    802.1x authentication is not supported with the sc1 interface.
    You cannot enable 802.1x on a trunk port until you turn off the trunking feature on that port.
    You cannot enable trunking on an 802.1x port.
    You cannot enable 802.1x on a dynamic port until you turn off the DVLAN feature on that port.
    You cannot enable DVLAN on an 802.1x port.
    You cannot enable 802.1x on a channeling port until you turn off the channeling feature on that port. You cannot enable channeling on an 802.1x port.
    You cannot enable 802.1x on a switched port analyzer (SPAN) destination port. You cannot configure SPAN destination on an 802.1x port. However, you can configure an 802.1x port as a SPAN source port.
    You cannot set the auxiliary VLAN to dot1p or untagged and the auxiliary VLAN should not be equal to the native VLAN on the 802.1x-enabled port.
    You cannot enable the multiple-authentication option on an 802.1x-enabled auxiliary VLAN port. Enabling the multiple-host option on an 802.1x-enabled auxiliary VLAN is not recommended.
    Do not assign a guest VLAN equal to an auxiliary VLAN because an 802.1x-enabled auxiliary VLAN port will not be put into the guest VLAN if the auxiliary VLAN on the port is the same as the guest VLAN.
    Here is the URL:
    http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_configuration_guide_chapter09186a0080121d12.html#1029697

  • 802.1x MAC-Address Based Authentication

    I am wondering if we are going to see, or now have, the ability to authenticate hosts on the LAN with something other than a username/password? I am mostly concerned with ports on my network where the end device is a non-802.1x-compliant device. Does anyone have any insight as to what others are doing? Currently I am running ACS 3.3.2 and I am very successful in deploying 802.1x to ports on my LAN; however, we run a mix of Unix-based devices which are vendor supported, and printers are another source of concern.

    We had pretty good luck using a Cold Fusion front end that forces users to authenticate with their AD credentials. It pulls the MAC address and host name and user/machine details and puts them in an ODBC database.
    We modified the sample stub routine to have the CSDB stub routine add the MAC to the local database in the PAP field.
    Kind of a nice compromise of identity and machine based authentication without the complexities of PEAP/EAP-FAST etc.

  • 802.1x Blocking port (many devices to one port)

    Hello!
    On the ports of the Cisco 3750 there is 802.1x authentication (MAB). I connect a "stupid" switch (one that doesn't work with 802.1x) to the port, and the logs of the RADIUS server and the Cisco show that it was authenticated. Then I connect a device (laptop or PC) to the "stupid" switch, and the port is blocked. However, the PC passes authentication when connected directly to the Cisco.
    I know that 802.1x provides for blocking the port when many MAC addresses are connected to one port.
    The "stupid" switch must be in a VLAN, and the devices (that are connected to the switch) must be in the same VLAN. Maybe they must be authenticated on the RADIUS server, or maybe I have to create an ACL with their MAC addresses...
    How can this be solved? Help me, please.
    P.S. Multi-auth is enabled.

    Hi,
    Along with all the other bits and pieces needed to invoke 802.1x on the switch,
    maybe try adding this to the interface to "stupid":
    interface gigabitethernet2/0/1
    description *** LINK TO STUPID ***
    dot1x port-control auto
    dot1x host-mode multi-host
    end
    from the 12.2.55 config guide
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/sw8021x.html#wp1271507
    Regards
    Alex

  • Port-Based Authentication on 877

    Hi 
    I have applied the following commands to enable Port-Based Authentication, but when I run the command sh mac address-table it shows a static MAC on this port (xx 0000.xxxx.xxxx STATIC Gi1/0/3).
    authentication control-direction in
    authentication event fail retry 1 action authorize vlan xx
    authentication event no-response action authorize vlan xx
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication port-control auto
    authentication violation protect
    mab
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 10
    dot1x timeout supp-timeout 10
    When I remove the command authentication port-control auto, the sh mac address-table command shows me a DYNAMIC MAC.
    Can anyone please explain to me why this is happening?
    Regards,

    Any input?

  • HT4718 WPA2 Enterprise 802.11x protocol with PAP authentication. Lion Reformat

    My school has only the WPA2 Enterprise 802.11x protocol with PAP authentication. Due to this I cannot reinstall Lion as a fresh copy. I realized that I can download Lion again from the App Store. Can it do a fresh install?

    I am having exactly the same problem as ecko04. I also tried to install the certificate provided by my university but it failed. Could somebody help us out? Thanks

  • Help with 4506 802.1x Port Based Authentication (Wired)

    Hi all,
    I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
    I've followed the procedures in the 4506 Software configuration guide and they seem to be straightforward.
    I then turn on 802.1x debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
    I then execute the dot1x "initialize" and also tried the "re-authenticate" commands, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
    The switch does not throw any errors when I configure FastEthernet 2/2 as an 802.1x port by executing
    dot1x port-control auto
    I've also configured the interface to be a plain L2 access port by executing
    switchport mode access
    Any help will be appreciated!

    I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?

  • 802.1X Port Based Authentication Security Violation

    I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1x-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and goes into err-disable mode.
    Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
    Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
    Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
    If the port config  is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
    The ports Gi1/0/1 & Gi1/0/2 are configured thus:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport voice vlan 20
    authentication event fail action authorize vlan 4
    authentication event no-response action authorize vlan 4
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
    sh ver
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
    Full config attached. Assistance will be greatly appreciated.
    Donfrico

    I believe you need to configure re-authentication on this switch port:
    ! Enable re-authentication
    authentication periodic
    ! Enable re-authentication via RADIUS Session-Timeout
    authentication timer reauthenticate server
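    To catch this sequence in the switch logs rather than after the port is already err-disabled, the following Python is an added example (not Cisco's code, nor the poster's). It parses the syslog lines quoted in the post above, normalises the long and short interface names so they compare equal, and reports every security-violation err-disable that follows a successful dot1x authentication on the same port within a window; the 5-second window is an assumption, and a real deployment would feed the same parser from a syslog collector.

```python
"""Flag 802.1X security-violation err-disables that follow a successful
dot1x authentication on the same port, the sequence shown in the thread above.

Added example, not Cisco's code. The sample lines are copied from the post;
the 5-second correlation window is an assumption."""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Syslog lines copied from the post: a second MAC appearing behind an
# already-authenticated phone on a multi-domain (MDA) port.
SAMPLE_LOG = """\
Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
"""

# "Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
IFACE_RE = re.compile(r"\b(?:GigabitEthernet|Gi)(\d+(?:/\d+)+)")   # long or short form
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")  # Cisco dotted MAC

CORRELATION_WINDOW_S = 5.0  # assumption: max gap between success and violation


def parse_line(line: str) -> Optional[Dict]:
    """Split one IOS syslog line into its fields, or return None if it does
    not match. Interface names are normalised to the short 'Gi1/0/1' form."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # IOS omits the year; collapse the padded day ("Feb  4") before parsing.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S.%f")
    iface = IFACE_RE.search(m["msg"])
    mac = MAC_RE.search(m["msg"])
    return {
        "time": ts,
        "facility": m["facility"],
        "severity": int(m["severity"]),
        "mnemonic": m["mnemonic"],
        "interface": "Gi" + iface.group(1) if iface else None,
        "client": mac.group(1) if mac else None,
        "msg": m["msg"],
    }


def detect_security_violations(lines) -> List[Dict]:
    """Return one finding per security-violation ERR_DISABLE, attaching the
    client of the most recent DOT1X-5-SUCCESS on that port if it happened
    within CORRELATION_WINDOW_S seconds (the MDA second-MAC pattern)."""
    last_success: Dict[str, Dict] = {}   # interface -> DOT1X-5-SUCCESS event
    findings: List[Dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["interface"] is None:
            continue
        if ev["facility"] == "DOT1X" and ev["mnemonic"] == "SUCCESS":
            last_success[ev["interface"]] = ev
        elif ev["mnemonic"] == "ERR_DISABLE" and "security-violation" in ev["msg"]:
            prior = last_success.get(ev["interface"])
            delta = (ev["time"] - prior["time"]).total_seconds() if prior else None
            correlated = delta is not None and 0 <= delta <= CORRELATION_WINDOW_S
            findings.append({
                "interface": ev["interface"],
                "time": ev["time"],
                "client": prior["client"] if correlated else None,
                "seconds_after_success": delta,
            })
    return findings


if __name__ == "__main__":
    for f in detect_security_violations(SAMPLE_LOG.splitlines()):
        print("%s err-disabled by security violation %.3fs after dot1x success for %s"
              % (f["interface"], f["seconds_after_success"], f["client"]))
```

    A finding whose `client` is populated is the case discussed in the thread: the port authorised one host and then saw another MAC it was not configured to admit.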

  • IEEE 802.1x Port based Authentication with Restricted VLAN

    Hi all,
    I have the following configuration:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    dot1x system-auth-control
    radius-server host 10.10.10.10 key cisco
    interface FastEthernet0/1
    switchport mode access
    authentication event fail retry 1 action authorize vlan 2
    authentication port-control auto
    dot1x pae authenticator
    spanning-tree portfast
    But it takes quite a while for a user who is not authorized to be switched to vlan 2.
    I would like to know what the best practice is when using this kind of configuration, and whether it is possible to optimize how long it takes to switch the unauthorized user to the restricted VLAN.
    Regards,
    Laurent

    Laurent,
    Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan 2. Try removing the 'retry 1' from the command and see if that speeds up the time. Also take the output of 'show authentication sessions interface '. Please post the output of 'debug radius authentication', as that will help to see how long it is taking the radius server to respond.
    thanks,
    Tarik Admani

  • 802.1x TLS (Machine certificate) authentication in Snow Leopard

    Hi,
    In our company we are using 802.1x TLS authentication for WLAN and on some LAN ports. We have been delivering machine certificates to our PCs for a while without problems, and these use the certificate to authenticate themselves before logging in to the network.
    We would like to deliver the same user experience to Mac users, but we are having severe problems configuring them. Our Mac users use Snow Leopard, and the few references I found on the internet regarding 802.1x TLS authentication are for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.
    We do have a proper machine certificate (with the correct usages, SAN, etc.) and its related AD object provisioned. I have created the 802.1x profile as a "User Profile" and as a "System Profile" with the same results.
    I add the client logs below, but what I don't understand is why the client is saying it's going to use MSCHAP when that is not the case.
    <key>TTLSInnerAuthentication</key>
    <string>MSCHAPv2</string>
    Lastly, the Keychain also has a weird behavior. If we import a Root CA into the "login" and/or "System" keychain, mark it as "Always Trust" and later import a certificate created by this Root CA, the Keychain UI insists that the certificate "was signed by an unknown authority". From the logs below that does not seem to be the reason why the client is not able to use 802.1x TLS, but in any case that is a bug.
    Client logs:
    2010/05/14 10:37:12.872405 update_configuration
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>AcceptEAPTypes</key>
    <array>
    <integer>13</integer>
    </array>
    <key>Description</key>
    <string>Automatic</string>
    <key>EAPFASTProvisionPAC</key>
    <true/>
    <key>EAPFASTUsePAC</key>
    <true/>
    <key>TLSIdentityHandle</key>
    <data>
    [Removed]
    </data>
    <key>TLSTrustedCertificates</key>
    <array>
    <data>
    [In here we have our Internal Root CA we use to create Machine certificate and also to create the certificate used in our IAS Server (the RADIUS)
    </data>
    </array>
    <key>TLSVerifyServerCertificate</key>
    <true/>
    <key>TTLSInnerAuthentication</key>
    <string>MSCHAPv2</string>
    </dict>
    </plist>
    2010/05/14 10:37:12.968769 link up
    2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
    2010/05/14 10:37:12.972850 Receive Packet Size 77
    Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
    EAPOL: proto version 0x2 type EAP Packet (0) length 59
    EAP Request (1): Identifier 1 Length 59
    Identity (1)
    length 59 - sizeof(*rd_p) 5 = 54
    [Removed. In here there is our networkid,nasid and portid ]
    2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ClientStatus</key>
    <integer>0</integer>
    <key>ConfigurationGeneration</key>
    <integer>2</integer>
    <key>DomainSpecificError</key>
    <integer>0</integer>
    <key>Mode</key>
    <integer>1</integer>
    <key>SupplicantState</key>
    <integer>1</integer>
    <key>Timestamp</key>
    <date>2010-05-14T08:37:12Z</date>
    <key>UniqueIdentifier</key>
    <string>[Removed]</string>
    </dict>
    </plist>
    2010/05/14 10:37:12.976795 EAP Request Identity
    2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
    2010/05/14 10:37:12.976832 Transmit Packet Size 39
    Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
    EAPOL: proto version 0x1 type EAP Packet (0) length 35
    EAP Response (2): Identifier 1 Length 35
    Identity (1)
    length 35 - sizeof(*rd_p) 5 = 30
    (Removed raw data with the SAN ]
    2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ClientStatus</key>
    <integer>0</integer>
    <key>ConfigurationGeneration</key>
    <integer>2</integer>
    <key>DomainSpecificError</key>
    <integer>0</integer>
    <key>IdentityAttributes</key>
    <array>
    <string>networkid=[Removed our SSID]</string>
    <string>nasid=[Removed our WLANC ID]</string>
    <string>portid=29</string>
    </array>
    <key>Mode</key>
    <integer>1</integer>
    <key>SupplicantState</key>
    <integer>2</integer>
    <key>Timestamp</key>
    <date>2010-05-14T08:37:12Z</date>
    <key>UniqueIdentifier</key>
    <string>[Removed]</string>
    </dict>
    </plist>
    2010/05/14 10:37:13.022577 force renew
    2010/05/14 10:37:13.025323 stop
    * Has anyone been able to use 802.1x TLS based authentication for Snow Leopard clients and can point me in the right direction?
    * Does Apple provide any documentation for this? (All I found is that I should contact the "Network Administrator" to get the Mac configured!!!)
    * How can I make a certificate issued by a "Private CA" trusted in Snow Leopard? All workarounds I found are not suitable for Snow Leopard.
    Thanks
    Jofre

    Hi,
    Some updates: besides the Keychain UI issue and the strange logs, it seems that the request is reaching the RADIUS, a Windows IAS server.
    If we compare a PC and a Mac we have the following.
    PC:
    1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
    2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
    3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
    6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
    7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
    8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
    Continues OK
    While on Snow Leopard they are:
    44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
    45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure
    After analyzing the network traces we see that the difference is in the 3rd EAP packet:
    PC:
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 40
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 1
    Length: 40
    Type: Identity [RFC3748] (1)
    Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM
    Mac Snow Leopard:
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 35
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 2
    Length: 35
    Type: Identity [RFC3748] (1)
    Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM
    That difference prevents our RADIUS (IAS server) from authenticating the device properly, with the error:
    User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 8
    Reason = The specified user account does not exist.
    while in the PC case we have:
    PC:
    User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
    Policy-Name = Allow Wireless Lan Access With Certificate
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    * Question 1: Is there a way to ensure that Snow Leopard adds the "host/" at the beginning of the Identity?
    * Question 2: Has anyone been able to connect a Snow Leopard to a WLAN protected with 802.1x using TLS?
    Thanks
    Jofre
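    The Identity exchange compared above can be decoded byte for byte. The following Python is an added example, not Apple's or Cisco's code and not part of the post: it builds the two EAPOL-encapsulated EAP Response/Identity frames a supplicant transmits (using constructed placeholder host names in place of the redacted SAN names, so the byte counts differ from the post's 35 and 30), parses them back with every length field checked against the bytes actually present, and classifies each identity by the "host/" prefix that the Windows supplicant sends for machine authentication and that the IAS policy in the post matched.

```python
"""Decode the EAPOL / EAP Response-Identity frames compared in the thread above.

Added example, not Apple's or Cisco's code. Host names are constructed
placeholders for the redacted SAN names, so byte counts differ from the post."""
import struct

EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type 0 = EAP-Packet
EAP_CODE_RESPONSE = 2       # RFC 3748 code 2 = Response
EAP_TYPE_IDENTITY = 1       # RFC 3748 type 1 = Identity
EAP_HEADER_LEN = 5          # code(1)+id(1)+length(2)+type(1): the "sizeof(*rd_p) 5" in the client log

# Constructed placeholders for the redacted names in the post.
PC_IDENTITY = "host/SAN-NAME01.INTERNALDOMAIN.COM"   # Windows machine-auth form
MAC_IDENTITY = "SAN-NAME01.INTERNALDOMAIN.COM"       # what Snow Leopard sent


def build_identity_response(eap_id, identity, eapol_version=1):
    """Build the EAPOL body (Ethernet header omitted) carrying an
    EAP Response/Identity, as a supplicant transmits it."""
    ident = identity.encode("ascii")
    eap_len = EAP_HEADER_LEN + len(ident)   # EAP length covers its own header
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, eap_len, EAP_TYPE_IDENTITY) + ident
    return struct.pack("!BBH", eapol_version, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap


def parse_identity_response(frame):
    """Parse the EAPOL and EAP headers, checking each length field against the
    bytes actually present, and return the decoded fields."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL type %d is not EAP-Packet" % eapol_type)
    body = frame[4:4 + eapol_len]
    if len(body) != eapol_len:
        raise ValueError("EAPOL length field exceeds the frame")
    if eapol_len < EAP_HEADER_LEN:
        raise ValueError("EAP packet shorter than an Identity header")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", body[:EAP_HEADER_LEN])
    if eap_len != eapol_len:
        raise ValueError("EAP length %d disagrees with EAPOL length %d" % (eap_len, eapol_len))
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity")
    identity = body[EAP_HEADER_LEN:eap_len].decode("ascii")
    return {
        "eapol_version": version,
        "eap_id": eap_id,
        "eap_length": eap_len,
        "identity": identity,
        "identity_length": len(identity),
    }


def classify_identity(identity):
    """Windows supplicants mark machine authentication with a 'host/' prefix;
    without it the RADIUS server looks up a user account of that name."""
    return "machine" if identity.startswith("host/") else "user"


def compare_supplicants(pc_frame, mac_frame):
    """Summarise how two Identity responses differ: the diagnosis made in the post."""
    pc = parse_identity_response(pc_frame)
    mac = parse_identity_response(mac_frame)
    pc_kind, mac_kind = classify_identity(pc["identity"]), classify_identity(mac["identity"])
    return {
        "pc": (pc["identity"], pc_kind),
        "mac": (mac["identity"], mac_kind),
        "same_account_form": pc_kind == mac_kind,
    }


if __name__ == "__main__":
    report = compare_supplicants(build_identity_response(1, PC_IDENTITY),
                                 build_identity_response(2, MAC_IDENTITY))
    for side in ("pc", "mac"):
        ident, kind = report[side]
        print("%-3s %-40s -> %s authentication" % (side, ident, kind))
```

    The parser rejects a frame whose EAPOL or EAP length claims more bytes than were received, which is the check a supplicant or authenticator should make before trusting the Identity field.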

  • Prevent hub on a 802.1x switch port

    Hi,
    An 802.1x port on a switch will grant a hub access if there is an 802.1x PC connected to the hub.
    Non-802.1x PCs can access the 802.1x network if they connect to the hub and spoof the MAC address of the 802.1x PC (the switch port uses single-host mode).
    Does anyone know how we can prevent this access?
    Thanks,
    Gerard van Bon

    Very true. I must have been in wonderland when I half way thought that one through.
    I am not sure that dynamic ARP inspection would be helpful in this situation or not. If the ARP tables are built within the switch based upon DHCP snooping, the second host with the same MAC address would have to have a statically entered IP address in order to function. If it tried to obtain one via DHCP, the DHCP server would see that it had issued a specific IP address to that MAC address and would reissue the same IP address to the second host. I guess the second PC could do a NACK to the DHCPOFFER. In this case you could watch you DHCP address allocation for the particular subnet and if you have more addresses issued that you have ports, that could be an indication. Of course there are a few issues with that. Mainly, it would require a fairly static environment to do something like that.
    Another problem, and this would be much easier to do from a PC standpoint, would be to setup the 802.1x authenticated PC as a NAT device and connect the second or more devices behind it. (Windows makes this pretty easy now.) If a SOHO router (ie, Linksys type device) were to support 802.1x, it could be plugged in and all devices placed behind it would be able to access the network based upon the NAT functions of the SOHO router. A user smart enough to spoof a MAC address to bypass network security will likely be aware of these methods as well.
    Steve

  • IronPort Transparent Authentication of Mobile Devices

    Hello,
    I have an IronPort S170 WSA running 7.5.0-833 and AD Agent (v1.0.0.32.1-build-598) installed on a Windows 2008 R2 server. Transparent authentication of Windows devices is working fine: users log in to their domain devices and show up in the cache on the server and in reports within the WSA.
    I want to authenticate wireless devices such as iPads and Android phones transparently. I have configured Network Policy Server (NPS) on the Windows 2008 R2 server that has the AD Agent installed (NPS ports have been changed to 7777 and 7778 to avoid breaking the existing transparent authentication) using PEAP-MSCHAPv2 authentication. I have updated the group policy configuration so that the NPS server generates Audit Success messages when a user logs in successfully, but since the 802.1x authentication happens before the user gets an IP address they are no good.
    The NPS logs the MAC address of the connecting device as the Called-Station-ID, and the DHCP server also logs the MAC address to IP address mapping; I was hoping that the AD Agent would put those together. Has anyone had a similar issue and found a way to resolve it?
    Thanks.

    Hey, if you get anywhere with this I would LOVE to know how to do it.
    Currently we have to put DHCP reservations in our DHCP server so that each handheld gets the same IP address all the time.
    Then there is a separate policy in our S160 that has all of those IP addresses listed. It's a little more of a pain to manage, and in the event you wanted to do any kind of tracking, you have to do a little investigation work rather than being able to search by Active Directory user account name.

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that, when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (with "Change password on next login" checked in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin, or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then maybe a Microsoft guy can look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help, but I am not using AnyConnect in production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • 802.1x computer-based network authentication (machine certificate)

    Hello,
    I am using my MBP for work and want to connect to my work's network.
    We are using 802.1x network authentication, based on a computer certificate. I joined my computer to our Microsoft Active Directory and created a computer certificate, which I imported successfully into the "System" store.
    The only "Error description" is that my MBP tries to authenticate as "User".
    How do I configure my network settings to use "computer-based authentication" and the computer certificate?
    Regards,
    Ben

    Thanks, but in my case there is no administrator who would send me that configuration profile. I have to create a configuration profile for myself.
    I could create a configuration profile for my client, and basically it uses a computer certificate to authenticate with the network. But finally the process is cancelled by the client. I tried the steps at OS X Server: How To Configure RADIUS Server Trust in Configuration Profiles when using TLS, TTLS, or PEAP - Apple Suppor… but finally the authentication was cancelled by the client, with the error ".. server certificate not trusted".
    What should the computer certificate look like?
    Is there a manual for the CA template?
    Regards,
    Ben
