802.11x with 2008 R2 NPS

Similar Messages

• WCS Radius Authentication issue with 2008 R2 NPS

  OK, so I have my MPS working. I am  authenticating all sorts of Cisco devices and I can even authenticate  the admin login from the WCS server.  UNLESS I add more than 27 of the  custom settings in the Cisco-AV-Pair that the WCS uses to define the  logged in user rights.  Anything after the 27th setting the login times  out and the WCS denies access. I go back to 27 and it logs in fine.   There are 73 settings for the default admin user.
  Anyone have any ideas why this is happening or better yet, how to get around it?
  I  have been searching through the MS technet to see if there is a  limitation built in to the NPS, but I have yet to find anything.
  Thanks,
  Rod

  I have not gotten any other feedback and I have not been ablet to identify anything on technet about it.  It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings.  It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do ot hit the 27 "line-item" limit.

• HT4718 wpa2 enterprise 802.11x protocol with pap authentication.  Lion Reformat

  My school has only wpa2 enterprise 802.11x protocol with pap authentication.  Due to this I can not reinstall lion as a fresh copy.  I realized that I can download lion again from the app store.  Can it do a fresh install?

  I am having the exactly same problem as ecko04. I also tried to intall the certificate provided by my university but it failed. Could somebody help us out? Thanks

• 2008 R2 NPS wont connect to Cisco 1841 via Cisco VPN 5.0.03.0560

  I am migrating our IAS server from 2003 R2 to 2008 R2 NPS that we use to authenticate VPN conenctions through AD. Currently works without issue on 2003 R2 server. Does not want to work on 2008 R2 NPS server.
  We are using Cisco VPN client 5.0.03.0560 as the VPN client. Below is the log file when I try to connect. Can someone tell me what needs to be done on NPS to get this working? If more info is needed please ask and will supply.
  Cisco Systems VPN Client Version 5.0.03.0560
  Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
  Client Type(s): Windows, WinNT
  Running on: 5.1.2600 Service Pack 3
  Config file directory: C:\Program Files\Cisco Systems\VPN Client\
  1      10:55:10.906  06/05/14  Sev=Info/4 CM/0x63100002
  Begin connection process
  2      10:55:10.921  06/05/14  Sev=Info/4 CM/0x63100004
  Establish secure connection
  3      10:55:10.921  06/05/14  Sev=Info/4 CM/0x63100024
  Attempt connection with server ".com"
  4      10:55:10.921  06/05/14  Sev=Info/6 IKE/0x6300003B
  Attempting to establish a connection with x.x.x.x.
  5      10:55:10.937  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
  6      10:55:11.140  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  7      10:55:11.140  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
  8      10:55:11.140  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer is a Cisco-Unity compliant peer
  9      10:55:11.140  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DPD
  10     10:55:11.203  06/05/14  Sev=Info/6 GUI/0x63B00012
  Authentication request attributes is 6h.
  11     10:55:11.140  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DWR Code and DWR Text
  12     10:55:11.140  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports XAUTH
  13     10:55:11.140  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports NAT-T
  14     10:55:11.140  06/05/14  Sev=Info/6 IKE/0x63000001
  IOS Vendor ID Contruction successful
  15     10:55:11.140  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
  16     10:55:11.140  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  17     10:55:11.140  06/05/14  Sev=Info/4 IKE/0x63000083
  IKE Port in use - Local Port =  0x078F, Remote Port = 0x1194
  18     10:55:11.140  06/05/14  Sev=Info/5 IKE/0x63000072
  Automatic NAT Detection Status:
     Remote end is NOT behind a NAT device
     This   end IS behind a NAT device
  19     10:55:11.140  06/05/14  Sev=Info/4 CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  20     10:55:11.203  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  21     10:55:11.203  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
  22     10:55:11.203  06/05/14  Sev=Info/5 IKE/0x63000045
  RESPONDER-LIFETIME notify has value of 86400 seconds
  23     10:55:11.203  06/05/14  Sev=Info/5 IKE/0x63000047
  This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
  24     10:55:11.203  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  25     10:55:11.203  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
  26     10:55:11.203  06/05/14  Sev=Info/4 CM/0x63100015
  Launch xAuth application
  27     10:55:11.250  06/05/14  Sev=Info/4 IPSEC/0x63700008
  IPSec driver successfully started
  28     10:55:11.250  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  29     10:55:15.484  06/05/14  Sev=Info/4 CM/0x63100017
  xAuth application returned
  30     10:55:15.484  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
  31     10:55:21.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  32     10:55:31.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  33     10:55:41.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  34     10:55:51.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  35     10:55:52.593  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  36     10:55:52.593  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
  37     10:55:52.609  06/05/14  Sev=Info/6 GUI/0x63B00012
  Authentication request attributes is 6h.
  38     10:55:52.593  06/05/14  Sev=Info/4 CM/0x63100015
  Launch xAuth application
  39     10:56:01.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  40     10:56:07.656  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  41     10:56:07.656  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
  42     10:56:11.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  43     10:56:21.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  44     10:56:22.656  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  45     10:56:22.656  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
  46     10:56:31.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  47     10:56:37.765  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  48     10:56:37.765  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
  49     10:56:41.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  50     10:56:51.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  51     10:56:52.812  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  52     10:56:52.812  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
  53     10:57:01.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  54     10:57:07.562  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  55     10:57:07.562  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(Retransmission) from x.x.x.x
  56     10:57:11.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  57     10:57:21.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  58     10:57:31.218  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  59     10:57:33.046  06/05/14  Sev=Info/4 CM/0x63100017
  xAuth application returned
  60     10:57:33.046  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
  61     10:57:33.046  06/05/14  Sev=Info/4 CM/0x63100018
  User does not provide any authentication data
  62     10:57:33.046  06/05/14  Sev=Info/4 IKE/0x63000001
  IKE received signal to terminate VPN connection
  63     10:57:33.046  06/05/14  Sev=Info/4 IKE/0x63000017
  Marking IKE SA for deletion  (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
  64     10:57:33.046  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
  65     10:57:33.046  06/05/14  Sev=Info/4 IKE/0x6300004B
  Discarding IKE SA negotiation (I_Cookie=A5D0259F68268513 R_Cookie=D90058DAEBC5310F) reason = DEL_REASON_RESET_SADB
  66     10:57:33.046  06/05/14  Sev=Info/5 CM/0x63100025
  Initializing CVPNDrv
  67     10:57:33.062  06/05/14  Sev=Info/6 CM/0x63100046
  Set tunnel established flag in registry to 0.
  68     10:57:33.218  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  69     10:57:33.218  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  70     10:57:33.218  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  71     10:57:33.218  06/05/14  Sev=Info/4 IPSEC/0x6370000A
  IPSec driver successfully stopped
  72     11:00:54.656  06/05/14  Sev=Info/4 CM/0x63100002
  Begin connection process
  73     11:00:54.671  06/05/14  Sev=Info/4 CM/0x63100004
  Establish secure connection
  74     11:00:54.671  06/05/14  Sev=Info/4 CM/0x63100024
  Attempt connection with server ".com"
  75     11:00:54.687  06/05/14  Sev=Info/6 IKE/0x6300003B
  Attempting to establish a connection with x.x.x.x
  76     11:00:54.703  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
  77     11:00:54.750  06/05/14  Sev=Info/4 IPSEC/0x63700008
  IPSec driver successfully started
  78     11:00:54.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  79     11:00:54.953  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  80     11:00:54.953  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
  81     11:00:54.953  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer is a Cisco-Unity compliant peer
  82     11:00:54.953  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DPD
  83     11:00:54.953  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DWR Code and DWR Text
  84     11:00:55.015  06/05/14  Sev=Info/6 GUI/0x63B00012
  Authentication request attributes is 6h.
  85     11:00:54.953  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports XAUTH
  86     11:00:54.953  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports NAT-T
  87     11:00:54.953  06/05/14  Sev=Info/6 IKE/0x63000001
  IOS Vendor ID Contruction successful
  88     11:00:54.968  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
  89     11:00:54.968  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  90     11:00:54.968  06/05/14  Sev=Info/4 IKE/0x63000083
  IKE Port in use - Local Port =  0x0798, Remote Port = 0x1194
  91     11:00:54.968  06/05/14  Sev=Info/5 IKE/0x63000072
  Automatic NAT Detection Status:
     Remote end is NOT behind a NAT device
     This   end IS behind a NAT device
  92     11:00:54.968  06/05/14  Sev=Info/4 CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  93     11:00:55.000  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  94     11:00:55.000  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
  95     11:00:55.000  06/05/14  Sev=Info/5 IKE/0x63000045
  RESPONDER-LIFETIME notify has value of 86400 seconds
  96     11:00:55.000  06/05/14  Sev=Info/5 IKE/0x63000047
  This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
  97     11:00:55.015  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  98     11:00:55.015  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
  99     11:00:55.015  06/05/14  Sev=Info/4 CM/0x63100015
  Launch xAuth application
  100    11:00:58.765  06/05/14  Sev=Info/4 CM/0x63100017
  xAuth application returned
  101    11:00:58.765  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
  102    11:01:05.250  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  103    11:01:15.250  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  104    11:01:25.250  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  105    11:01:30.312  06/05/14  Sev=Info/6 GUI/0x63B0000D
  Disconnecting VPN connection.
  106    11:01:30.312  06/05/14  Sev=Info/4 CM/0x63100006
  Abort connection attempt before Phase 1 SA up
  107    11:01:30.312  06/05/14  Sev=Info/4 IKE/0x63000001
  IKE received signal to terminate VPN connection
  108    11:01:30.312  06/05/14  Sev=Info/4 IKE/0x63000017
  Marking IKE SA for deletion  (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
  109    11:01:30.328  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
  110    11:01:30.328  06/05/14  Sev=Info/4 IKE/0x6300004B
  Discarding IKE SA negotiation (I_Cookie=B172E43640D94E73 R_Cookie=D90058DA499474F6) reason = DEL_REASON_RESET_SADB
  111    11:01:30.328  06/05/14  Sev=Info/5 CM/0x63100025
  Initializing CVPNDrv
  112    11:01:30.328  06/05/14  Sev=Info/6 CM/0x63100046
  Set tunnel established flag in registry to 0.
  113    11:01:30.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  114    11:01:30.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  115    11:01:30.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  116    11:01:30.750  06/05/14  Sev=Info/4 IPSEC/0x6370000A
  IPSec driver successfully stopped
  117    11:01:44.875  06/05/14  Sev=Info/4 CM/0x63100002
  Begin connection process
  118    11:01:44.890  06/05/14  Sev=Info/4 CM/0x63100004
  Establish secure connection
  119    11:01:44.890  06/05/14  Sev=Info/4 CM/0x63100024
  Attempt connection with server ".com"
  120    11:01:44.906  06/05/14  Sev=Info/6 IKE/0x6300003B
  Attempting to establish a connection with x.x.x.x
  121    11:01:44.921  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
  122    11:01:45.234  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  123    11:01:45.234  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
  124    11:01:45.296  06/05/14  Sev=Info/6 GUI/0x63B00012
  Authentication request attributes is 6h.
  125    11:01:45.234  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer is a Cisco-Unity compliant peer
  126    11:01:45.234  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DPD
  127    11:01:45.234  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DWR Code and DWR Text
  128    11:01:45.234  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports XAUTH
  129    11:01:45.234  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports NAT-T
  130    11:01:45.234  06/05/14  Sev=Info/6 IKE/0x63000001
  IOS Vendor ID Contruction successful
  131    11:01:45.234  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
  132    11:01:45.234  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  133    11:01:45.234  06/05/14  Sev=Info/4 IKE/0x63000083
  IKE Port in use - Local Port =  0x079B, Remote Port = 0x1194
  134    11:01:45.234  06/05/14  Sev=Info/5 IKE/0x63000072
  Automatic NAT Detection Status:
     Remote end is NOT behind a NAT device
     This   end IS behind a NAT device
  135    11:01:45.234  06/05/14  Sev=Info/4 CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  136    11:01:45.250  06/05/14  Sev=Info/4 IPSEC/0x63700008
  IPSec driver successfully started
  137    11:01:45.250  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  138    11:01:45.281  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  139    11:01:45.281  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
  140    11:01:45.281  06/05/14  Sev=Info/5 IKE/0x63000045
  RESPONDER-LIFETIME notify has value of 86400 seconds
  141    11:01:45.281  06/05/14  Sev=Info/5 IKE/0x63000047
  This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
  142    11:01:45.296  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  143    11:01:45.296  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
  144    11:01:45.296  06/05/14  Sev=Info/4 CM/0x63100015
  Launch xAuth application
  145    11:01:53.625  06/05/14  Sev=Info/4 CM/0x63100017
  xAuth application returned
  146    11:01:53.625  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
  147    11:01:53.640  06/05/14  Sev=Info/4 CM/0x63100018
  User does not provide any authentication data
  148    11:01:53.640  06/05/14  Sev=Info/4 IKE/0x63000001
  IKE received signal to terminate VPN connection
  149    11:01:53.640  06/05/14  Sev=Info/4 IKE/0x63000017
  Marking IKE SA for deletion  (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
  150    11:01:53.640  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
  151    11:01:53.640  06/05/14  Sev=Info/4 IKE/0x6300004B
  Discarding IKE SA negotiation (I_Cookie=07A59EB947FF6880 R_Cookie=D90058DA7E39EE62) reason = DEL_REASON_RESET_SADB
  152    11:01:53.640  06/05/14  Sev=Info/5 CM/0x63100025
  Initializing CVPNDrv
  153    11:01:53.640  06/05/14  Sev=Info/6 CM/0x63100046
  Set tunnel established flag in registry to 0.
  154    11:01:53.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  155    11:01:53.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  156    11:01:53.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  157    11:01:53.750  06/05/14  Sev=Info/4 IPSEC/0x6370000A
  IPSec driver successfully stopped
  158    11:02:00.406  06/05/14  Sev=Info/4 CM/0x63100002
  Begin connection process
  159    11:02:00.421  06/05/14  Sev=Info/4 CM/0x63100004
  Establish secure connection
  160    11:02:00.421  06/05/14  Sev=Info/4 CM/0x63100024
  Attempt connection with server "com"
  161    11:02:00.421  06/05/14  Sev=Info/6 IKE/0x6300003B
  Attempting to establish a connection with x.x.x.x
  162    11:02:00.437  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
  163    11:02:00.750  06/05/14  Sev=Info/4 IPSEC/0x63700008
  IPSec driver successfully started
  164    11:02:00.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  165    11:02:01.015  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  166    11:02:01.015  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from x.x.x.x
  167    11:02:01.015  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer is a Cisco-Unity compliant peer
  168    11:02:01.109  06/05/14  Sev=Info/6 GUI/0x63B00012
  Authentication request attributes is 6h.
  169    11:02:01.015  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DPD
  170    11:02:01.015  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports DWR Code and DWR Text
  171    11:02:01.015  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports XAUTH
  172    11:02:01.015  06/05/14  Sev=Info/5 IKE/0x63000001
  Peer supports NAT-T
  173    11:02:01.031  06/05/14  Sev=Info/6 IKE/0x63000001
  IOS Vendor ID Contruction successful
  174    11:02:01.031  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
  175    11:02:01.031  06/05/14  Sev=Info/6 IKE/0x63000055
  Sent a keepalive on the IPSec SA
  176    11:02:01.031  06/05/14  Sev=Info/4 IKE/0x63000083
  IKE Port in use - Local Port =  0x079E, Remote Port = 0x1194
  177    11:02:01.031  06/05/14  Sev=Info/5 IKE/0x63000072
  Automatic NAT Detection Status:
     Remote end is NOT behind a NAT device
     This   end IS behind a NAT device
  178    11:02:01.031  06/05/14  Sev=Info/4 CM/0x6310000E
  Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
  179    11:02:01.078  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  180    11:02:01.078  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from x.x.x.x
  181    11:02:01.078  06/05/14  Sev=Info/5 IKE/0x63000045
  RESPONDER-LIFETIME notify has value of 86400 seconds
  182    11:02:01.078  06/05/14  Sev=Info/5 IKE/0x63000047
  This SA has already been alive for 1 seconds, setting expiry to 86399 seconds from now
  183    11:02:01.078  06/05/14  Sev=Info/5 IKE/0x6300002F
  Received ISAKMP packet: peer = x.x.x.x
  184    11:02:01.078  06/05/14  Sev=Info/4 IKE/0x63000014
  RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from x.x.x.x
  185    11:02:01.078  06/05/14  Sev=Info/4 CM/0x63100015
  Launch xAuth application
  186    11:02:06.406  06/05/14  Sev=Info/4 CM/0x63100017
  xAuth application returned
  187    11:02:06.406  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to x.x.x.x
  188    11:02:06.406  06/05/14  Sev=Info/4 CM/0x63100018
  User does not provide any authentication data
  189    11:02:06.406  06/05/14  Sev=Info/4 IKE/0x63000001
  IKE received signal to terminate VPN connection
  190    11:02:06.406  06/05/14  Sev=Info/4 IKE/0x63000017
  Marking IKE SA for deletion  (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
  191    11:02:06.406  06/05/14  Sev=Info/4 IKE/0x63000013
  SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to x.x.x.x
  192    11:02:06.406  06/05/14  Sev=Info/4 IKE/0x6300004B
  Discarding IKE SA negotiation (I_Cookie=E9F0E2EDD6D85F48 R_Cookie=D90058DA2BBDFC93) reason = DEL_REASON_RESET_SADB
  193    11:02:06.406  06/05/14  Sev=Info/5 CM/0x63100025
  Initializing CVPNDrv
  194    11:02:06.421  06/05/14  Sev=Info/6 CM/0x63100046
  Set tunnel established flag in registry to 0.
  195    11:02:06.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  196    11:02:06.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  197    11:02:06.750  06/05/14  Sev=Info/4 IPSEC/0x63700014
  Deleted all keys
  198    11:02:06.750  06/05/14  Sev=Info/4 IPSEC/0x6370000A
  IPSec driver successfully stopped

  I am using 2008 R2 NPS as radius server. 1841 ISR as VPN device. Here are debug loghs from Cisco 1841
  1430434: .Jun  9 2014 12:06:59.187 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
  1430435: .Jun  9 2014 12:06:59.187 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/140
  1430436: .Jun  9 2014 12:06:59.191 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
  1430437: .Jun  9 2014 12:06:59.191 PDT: RADIUS:  authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
  1430438: .Jun  9 2014 12:06:59.191 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
  1430439: .Jun  9 2014 12:06:59.191 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
  1430440: .Jun  9 2014 12:06:59.191 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
  1430441: .Jun  9 2014 12:06:59.191 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
  1430442: .Jun  9 2014 12:06:59.191 PDT: RADIUS: request  authen: 2669BD0BEF3749C79C551EABB4B4D105
  1430443: .Jun  9 2014 12:06:59.191 PDT: RADIUS: Response (140) failed decrypt
  1430444: .Jun  9 2014 12:07:05.246 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
  1430445: .Jun  9 2014 12:07:05.246 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
  1430446: .Jun  9 2014 12:07:05.250 PDT: RADIUS: Received from id 1645/140 10.1.4.7:1645, Access-Reject, len 20
  1430447: .Jun  9 2014 12:07:05.250 PDT: RADIUS:  authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
  1430448: .Jun  9 2014 12:07:05.250 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
  1430449: .Jun  9 2014 12:07:05.250 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
  1430450: .Jun  9 2014 12:07:05.250 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
  1430451: .Jun  9 2014 12:07:05.250 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
  1430452: .Jun  9 2014 12:07:05.250 PDT: RADIUS: request  authen: 2669BD0BEF3749C79C551EABB4B4D105
  1430453: .Jun  9 2014 12:07:05.254 PDT: RADIUS: Response (140) failed decrypt
  1430454: .Jun  9 2014 12:07:08.574 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp x.x.9.47(21303) -> x.x.109.122(5038), 1 packet
  1430455: .Jun  9 2014 12:07:09.826 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
  1430456: .Jun  9 2014 12:07:09.826 PDT: RADIUS: Retransmit to (10.1.4.7:1645,1646) for id 1645/140
  1430457: .Jun  9 2014 12:07:09.830 PDT: RADIUS: Received from id 1645/140 10.1.x.x:1645, Access-Reject, len 20
  1430458: .Jun  9 2014 12:07:09.830 PDT: RADIUS:  authenticator 06 F7 D9 7C 40 F4 9A FB - E1 81 EE EC 66 84 48 B7
  1430459: .Jun  9 2014 12:07:09.830 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
  1430460: .Jun  9 2014 12:07:09.830 PDT: RADIUS: packet dump: 038C001406F7D97C40F49AFBE181EEEC668448B7
  1430461: .Jun  9 2014 12:07:09.830 PDT: RADIUS: expected digest: 7AAF1DE8D8190BC4D8B9B66437405BBA
  1430462: .Jun  9 2014 12:07:09.830 PDT: RADIUS: response authen: 06F7D97C40F49AFBE181EEEC668448B7
  1430463: .Jun  9 2014 12:07:09.830 PDT: RADIUS: request  authen: 2669BD0BEF3749C79C551EABB4B4D105
  1430464: .Jun  9 2014 12:07:09.830 PDT: RADIUS: Response (140) failed decrypt
  1430465: .Jun  9 2014 12:07:14.210 PDT: RADIUS: no sg in radius-timers: ctx 0x62A26CC8 sg 0x0000
  1430466: .Jun  9 2014 12:07:14.210 PDT: RADIUS: No response from (10.1.4.7:1645,1646) for id 1645/140
  Log Buffer (4096 bytes):
  6E7C
  1430534: .Jun  9 2014 12:09:50.586 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
  1430535: .Jun  9 2014 12:09:50.586 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
  1430536: .Jun  9 2014 12:09:50.590 PDT: RADIUS: request  authen: E39E7226C93AFEDCAF03A49F11FDA193
  1430537: .Jun  9 2014 12:09:50.590 PDT: RADIUS: Response (141) failed decrypt
  1430538: .Jun  9 2014 12:09:51.902 PDT: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 12 packets
  1430539: .Jun  9 2014 12:09:55.638 PDT: %SEC-6-IPACCESSLOGP: list 112 denied tcp x.x.245.x(1602) -> x.32.x.x(445), 1 packet
  1430540: .Jun  9 2014 12:09:55.974 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
  1430541: .Jun  9 2014 12:09:55.974 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
  1430542: .Jun  9 2014 12:09:55.978 PDT: RADIUS: Received from id 1645/141 10.1.4.7:1645, Access-Reject, len 20
  1430543: .Jun  9 2014 12:09:55.978 PDT: RADIUS:  authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
  1430544: .Jun  9 2014 12:09:55.978 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
  1430545: .Jun  9 2014 12:09:55.978 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
  1430546: .Jun  9 2014 12:09:55.978 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
  1430547: .Jun  9 2014 12:09:55.978 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
  1430548: .Jun  9 2014 12:09:55.978 PDT: RADIUS: request  authen: E39E7226C93AFEDCAF03A49F11FDA193
  1430549: .Jun  9 2014 12:09:55.978 PDT: RADIUS: Response (141) failed decrypt
  1430550: .Jun  9 2014 12:09:58.070 PDT: %SEC-6-IPACCESSLOGP: list 102 denied tcp 27.x.x.x(33281) -> 12.x.x.x(80), 1 packet
  1430551: .Jun  9 2014 12:10:00.326 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
  1430552: .Jun  9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_DEAD: RADIUS server 10.1.x.x:1645,1646 is not responding.
  1430553: .Jun  9 2014 12:10:00.326 PDT: %RADIUS-4-RADIUS_ALIVE: RADIUS server 10.1.x.x:1645,1646 is being marked alive.
  1430554: .Jun  9 2014 12:10:00.326 PDT: RADIUS: Retransmit to (10.1.x.x:1645,1646) for id 1645/141
  1430555: .Jun  9 2014 12:10:00.330 PDT: RADIUS: Received from id 1645/141 10.1.x.x:1645, Access-Reject, len 20
  1430556: .Jun  9 2014 12:10:00.330 PDT: RADIUS:  authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
  1430557: .Jun  9 2014 12:10:00.330 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
  1430558: .Jun  9 2014 12:10:00.330 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
  1430559: .Jun  9 2014 12:10:00.330 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
  1430560: .Jun  9 2014 12:10:00.330 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
  1430561: .Jun  9 2014 12:10:00.330 PDT: RADIUS: request  authen: E39E7226C93AFEDCAF03A49F11FDA193
  1430562: .Jun  9 2014 12:10:00.334 PDT: RADIUS: Response (141) failed decrypt
  1430563: .Jun  9 2014 12:10:01.713 PDT: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 175.x.x.x -> x.x.x.104 (3/3), 1 packet
  1430564: .Jun  9 2014 12:10:05.841 PDT: RADIUS: no sg in radius-timers: ctx 0x637771F4 sg 0x0000
  1430565: .Jun  9 2014 12:10:05.841 PDT: RADIUS: Retransmit to (10.x.x.x:1645,1646) for id 1645/141
  1430566: .Jun  9 2014 12:10:05.845 PDT: RADIUS: Received from id 1645/141 10.x.x.x:1645, Access-Reject, len 20
  1430567: .Jun  9 2014 12:10:05.845 PDT: RADIUS:  authenticator 97 45 CF 5A D4 B8 41 8A - 59 D9 C9 7E 72 58 6E 7C
  1430568: .Jun  9 2014 12:10:05.845 PDT: RADIUS: response-authenticator decrypt fail, pak len 20
  1430569: .Jun  9 2014 12:10:05.845 PDT: RADIUS: packet dump: 038D00149745CF5AD4B8418A59D9C97E72586E7C
  1430570: .Jun  9 2014 12:10:05.845 PDT: RADIUS: expected digest: DE950EACA36AD5E6CE5A0148663AB1AD
  1430571: .Jun  9 2014 12:10:05.845 PDT: RADIUS: response authen: 9745CF5AD4B8418A59D9C97E72586E7C
  1430572: .Jun  9 2014 12:10:05.849 PDT: RADIUS: request  authen: E39E7226C93AFEDCAF03A49F11FDA193
  1430573: .Jun  9 2014 12:10:05.849 PDT: RADIUS: Response (141) failed decrypt

• WLC 2504 - Issue with using Microsoft NPS for Radius Management Login

  Hello,
  In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices so we can log who logged into which devices and if any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASA's. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
  On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
  I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it? 
  Thanks,

  Hi Kyujin,
  I wish I had finished my guide.  Didn't realize it would take this long.
  But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
  If you use NCS, you have to add the role, all the tasks, and the virtual domain.
  See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
  Microsoft NPS - Attributes for NCS
  Microsoft NPS - Attributes for PI

• ASK THE EXPERTS - Update on 802.11n with Fred Niehaus

  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on 802.11n with Cisco expert Fred Niehaus. Fred is a Technical Marketing Engineer for the Wireless Networking Business Unit at Cisco, where he is responsible for developing and marketing enterprise wireless solutions using Cisco Aironet and Airespace wireless LAN products. In addition to his participation in major deployments, Fred has served as technical editor for several Cisco Press books including the "Cisco 802.11 Wireless Networking Reference Guide" and "The Business Case for Enterprise-Class Wireless LANs." Prior to joining Cisco with the acquisition of Aironet, Fred was a support engineer for Telxon Corporation, supporting some of the very first wireless implementations for major corporate customers. Fred has been in the data communications and networking industry for more than 20 years and holds a Radio Amateur (Ham) License "N8CPI."
  Remember to use the rating system to let  Fred know if you have received an adequate response.
  Fred might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Other Mobility Subjects discussion forum shortly after the event. This event lasts through March 25, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

  So there are two parts of this question, the latter part I cannot address as it is a future question.  Cisco does not comment on products that have not been released or on the strategy of next generation products.
  That said, Cisco was first to market with an 802.11n Access Point and well (we didn't all go on vacation after we did that)
  So let's talk a little about spatial streams in general and how it relates to what customers are doing today.
  The Cisco 1040, 1140, 1250, 1260 and 3500 Series Access Points are all two spatial streams (2SS).
  As of the time of this writing, a critical mass of 3SS and 4SS compatible clients have yet to be deployed, and the vast majority of WiFi clients that will be deployed over the next 18 months will be 1SS and 2SS clients.
  The higher SS clients are likely only show up in some higher end notebooks -- Why? well it is a given that smartphones and tablets are likely to continue to be 1SS and in some rare cases 2SS.
  This is because additional radios used in this technology consume battery life, add to the physical size of the device and increase the cost. Also many devices leverage the same single antenna for cellular as well as WiFi.  Therefore, it is my opinion that 3SS Access Points provide little if any performance benefit for smartphones or tablets in the enterprise today, and any real throughput gain is likely to occur with high end notebooks in close proximity to the Access Point and those are rolling out very slowly and we are monitoring this.
  Now we get to my favorite part of this..  I get to ask myself a question and then answer it..
  So Fred are you saying that there is no value in 3SS and 4SS?
  Of course not, 3SS performs similar to 2SS beyond a short distance, and with any multi-SS product RF interference must be addressed to capture the performance benefits of higher SS Access Points. Actual throughput in any WiFi environment is highly dependent on the presence of interferers and obstacles.
  Without the ability to mitigate the impact of interference, 3SS solutions will "downshift" to 2SS of 1SS and lose all the performance benefits anyway IMHO.
  I don't want to sound like a commercial, but you really do need Cisco cleanair technology in the AP and Cisco innovations deliver more and will go beyond the simple 3SS aspects of the 802.11n standard.
  IMHO it's more about CleanAir, good RF system design, and what we put into the AP with regard to performance "in the environment" and not what is on some spec sheet today.
  For more on Cisco CleanAir see the following URL http://www.cisco.com/en/US/netsol/ns1070/index.html
  Fred

• Cisco ip phones authenticate 802.1x with cisco ise 1.3

  Dear all,
  I want to configure cisco ise 1.3 with 802.1x , to authenticate cisco ip phones ( CUCM 10.5.2 ) with LSC certificate. 
  How I have to configure cisco ise authentication rules for 802.1x with cisco ip phones? Are there any configuration examples ? 
  Thanks

  following are ISE 802.1x  sample authentication rules..you can change the protocol (Policy -> policy elements - > results -> authentication and you can select the proctocal)

• Connecting WRT300N to internet using 802.11x

  My service provider requires 802.11x authentication to connect to Internet. Is there any way to get my WRT300N to act as a 802.11x client on it's internet connection?

  no...the linksys router's cannot be used as wireless clients..they only act as a wireless access point ..

• 802.11x device drivers in Solaris 10

  Can any one point me to a list of 802.11x devices supported by Solaris 10
  Thanks
  Enzo

  http://www.sun.com/bigadmin/hcl/

• Wired 802.1x with PEAP

  I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
  Setup:
  C3750 switch - Cisco ACS 3.2 - Windows AD
  Sequence of events:
  1. 802.1x machine authentication
  2. User logs in to domain
  3. 802.1x with user credentials
  But, I have the following issues:
  i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
  ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
  Any solution for this?
  Tks

  2 issues here:
  *Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
  * Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

• Cisco ip phones authenticate 802.1x with cisco ise

  Dears,
  I want to  configure ip phones authenticate from Cisco ISE with 802.1X with certificates. But i can not find any configuration guide about this solutions.
  I find one config and this is about ACS. Please provide me any documentation guide on cisco ise.
  Thanks. 

  802.1x configuration for IP Phones
  http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html#69217

• Wireless 802.1x with Window 7

  I have a WLC 6.0,  ACS 3.3 and the SSID is setup to use 802.1x with Peap Authentication.   The clients are using Windows 7 to connect to wireless.     To get the clients connected they have to go into there network properties if the wireless card,  configure the client to use PEAP,  uncheck validate server certificate, and also uncheck use computer name to login into windows.  This works fine and the user to able to connect to to wireless after dong all these steps and then entering in there Windows Username and Password.    The customer is saying that this is to many steps for the end user and they just want the user to to click on the SSID and connect.  If wireless could also be setup to use  there windows username and password   would be a bonus.  I'm basically looking for a solution that is simple but is also secure as well.  I know that's an oxymoron.   Is there anything I could do to make the wireless process simpler.  Either by going with a different security authentication or by doing something different on the clients computers.   Thanks for any help and suggestions. 

  This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
  The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  https://sourceforge.net/projects/su1x/
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;}
  http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
  Features include:
  - Automation of configuration of a PEAP wireless connection on XP(SP3),Vita and Win 7
  - Can set EAP credentials without additional user interaction (avoids tooltip bubble)
  - Installation of a certificate (silent)
  - Checks for WPA2 compatibility and falls back to a WPA profile
  - Third party supplicant check -SSID removal and priority setting
  - Support tab: (checks: adapter, wzc service, profile presence, IP)
  - Outputs check results to user with tooltip and/or to file
  - Printer tab to add/remove networked printer
  This tool is very cleverly written by Gareth Ayres at Swansea University

• 802.1x with ACS and Windows AD

  Hi
  Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
  I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
  Marco

  Hi Marco,
  i guess you've missed a mapping configuration in the Access Policy Section.
  Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
  You'll see the new service click Identity.
  Select the identity source you've created then save.
  Click on authorization
  Select a default authorization rule permit access and save.
  Create a Service Access Rule name it 802.1x
  Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
  then you can try again.
  regards
  alex

• [WLAN] Use 802.1x with PEAP without Certificates?

  Hello there,
  is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without cheking for the servers certificate? I can't find an option to disable it

  On whitch device? You can set the autorithy certifacte to none or choose one from the list.
  ‡Thank you for hitting the Blue/Green Star button‡
  N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

• 802.1x with Vlan assignment and IP phone and PC

  I have a Catalyst 4510R and I want to im plement 802.1x with dynamic VLAN assignment via Radius server. I am going to plug to switch ports Cisco IP phones and PCs (PCs are plugged in the IP phone).
  For this implementation I need to configure the switch port in mode trunk because I have voice vlan corresponding IP phone and data vlan corresponding to PC.
  However I have read that I can not enable 802.1x on a trunk port.
  How could I configure this?
  I need that when the PC is authenticated correctly is assigned to his cooresponding data vlan and the IP phone is in the voice vlan.
  Thanks

  You should configure the port as an access port with an aux-vlan. Here's an example:
  interface GigabitEthernet2/2
  switchport access vlan 701
  switchport mode access
  switchport voice vlan 702
  load-interval 30
  qos trust device cisco-phone
  qos trust cos
  auto qos voip cisco-phone
  dot1x pae authenticator
  dot1x port-control auto
  tx-queue 3
  bandwidth percent 33
  priority high
  shape percent 33
  spanning-tree portfast
  spanning-tree bpduguard enable
  service-policy output autoqos-voip-policy
  Hope this helps,