802.1x + ACS + AD

I am wondering if it is possible to accomplish the following scenario.
I want to authenticate users connecting to my network using 802.1x based on Active Directory, but also to be able to put users from the external database (AD) into different VLANs based on some specific information in Active Directory. If it is possible, what information can I use in AD and how do I configure ACS 4.1(1) for this?
Thanks,
Michal

Never mind, I already managed that.
Under Windows Database Mapping, define groups in AD and then map them to different groups and assign them VLANs.
Tested and it works just fine.

Similar Messages

  • 802.1x - ACS authentication issue.....

    I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
    In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined, a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
    Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script.
    Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, whereas the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user and the IP address ends up in the wrong VLAN.
    Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.

    Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
    The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPPs. In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue, but it worked and at the time we didn't notice any side effects. Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN which they should be in based upon AD group membership from ACS.
    I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the Windows supplicant. I'd like to do the same with Cisco.
    As far as I can tell, there is only a server side (ACS) certificate from Thawte that is used to authenticate.

  • 802.1X ACS Self Signed External Windows DB

    Can I configure the ACS server with a self-signed certificate and integrate it with a Windows database?
    The users will be authenticated with 802.1X configured on a WLAN on a WLC4400.

    Thanks Sthephen,
    I have configured this in the ACS:
    1. The ACS server is a member server, for example of LAB.
    2. In External User Database / Windows Database / Configure / In the configure domain list I select the domain called LAB.
    3. System Configuration / ACS Certificate Setup / Generate Self-Signed. I enter all the parameters required and the certificate is created.
    4. The certificate is installed in the wireless client and the wireless profile is configured selecting the certificate. In the Windows profile of the wireless connection, I uncheck "Automatically use my Windows logon name and password"; this option is disabled to use the local database of the ACS.
    Is the only configuration necessary for the integration of the ACS server with the Windows domain that the server is a member of the Windows domain, that the domain is selected in the domain list in the ACS, and that the option "Automatically use my Windows logon name and password" is checked?

  • Scale 802.1X ACS in High Security Mode any Idea's?

    Scenario
    Platform ACS V 5.1.0.44
    Switch 4510R with 8 48 port modules (384 ports)
    802.1x authentication of the ports in High Security Mode (VLAN assignments required)
    Authentication Method Cert based eap-tls to machine
    We currently have 4 data VLANs that users and assets drop into on this switch.
    How do I scale this, as I can't differentiate the cert to distribute the users across the 4 VLANs in ACS?
    I think I can use unique identity groups for the MAB of assets, but the users have me really scratching my head.

    Looks like a switching group has been looking at this as a possible answer for the stack switches, but I can't configure VLAN groups on 4510s, and there's no config guide on how to apply it in ACS 5.1 (use attribute 81 like we do for VLAN assignment?):
    12.2(52)SE on 3750-E, 3560-E: IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by RADIUS server.
    But then you get bitten even by using VLAN assignments on large stacks:
    • When IEEE 802.1x authentication with VLAN assignment is enabled, a CPUHOG message might appear if the switch is authenticating supplicants in a switch stack. The workaround is not to use the VLAN assignment option. (CSCse22791)

  • 802.1x ACS RSA Secure ID/Safeword Token server

    Hello, we are trying to implement wireless security in our network. We want to issue badges with attached tokens so clients can come into our office and log in to our wireless network. They would then be prompted for their login and password, which would be their badge ID and their token credentials.
    We are using an Airespace wireless security device, and we specify ACS as the 802.1x RADIUS server. Airespace is sending the requests to ACS just fine, but ACS does not seem to like what it's seeing. We also imported a custom VSA vendor file for the Airespace wireless security device. The log below reflects this.
    We have tested by creating local ACS users, and authentication works and we can get onto our network. But when we specify the AAA server as our RADIUS token server, set the unknown user DB to that server and test auth, we are not granted permission to our WLAN. It's as if Cisco does not recognize the PEAP auth information and rejects it by default. We ARE required to get this working with XP SP1, as we would hate to have to install software on every client's laptop.
    A wireless client of ours DID work when we specified EAP-GTC on the client side, but it will never work when we specify PEAP on the client side. We never seem to see communications from ACS to our Safeword token server regardless of what we do (including the successful EAP-GTC login). Our RADIUS strings are correct etc. Safeword is listening on 1812, but also has protocols EASSP-1/2 listening on ports we have set manually (are these relevant to our needs?).
    The failed attempts log shows "External DB Auth Failed".
    Here is a snip of the CSRadius/RDS.log when we try to auth. When we sniff traffic we see the EAP request and the RADIUS reject on the wire, but we never see ACS ask the token server. If anyone can make any suggestions on how we could troubleshoot further/test or make forward progress in any way, please do. Thank you all in advance.
    Cisco RDS log attached.

    The problem could be with your Secure ID RSA server.

  • 802.1x - ACS 3.3 with AD Integration

    I'm running into an issue using AD integration and 802.1x. A previous thread on this indicated the 802.1x authentication occurred prior to the domain login process.
    However, when I attempt to log in to a machine using a domain account and that account profile is not cached on the machine, the authentication fails indicating it could not contact the specified domain.
    Obviously the 802.1x authentication is not occurring to open the port and then pass the domain credentials to the AD. The ACS is configured to pass unknown users to the AD for authentication, at which point the ACS should import the account.
    Why is the 802.1x failing for uncached user accounts?

    Try these steps:
    1. Check your NTLM version.
    NTLMv2 is not supported between ACS and AD. Only NTLM is supported.
    2. Check the authentication method.
    For authenticating dot1x users on the external database you need to use either PEAP or EAP-TLS as the authentication method. Both of these involve certificates. EAP-MD5 is not supported on an external database for authentication.
    Try these links:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacsapp/csapp33/ra/rawi.htm
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm#wp624132
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a008031479e.html

  • 802.1x(ACS) with avaya phones

    Hi All ,
    We are implementing wired dot1x for our wired users with EAP-TLS. When I connect a laptop it gets authenticated and it works fine. For VoIP (Avaya) we are using MAB. When we connect the VoIP phone, after 30 seconds ACS gives Access-Accept (auth success). But the VoIP phone is stuck in the "Bad router" state and is not working. If I connect the laptop behind the phone it gets authenticated and works fine even though the phone is stuck.
    Is there a way we can reduce the 802.1x auth timings, so that the VoIP phone can register successfully?
    The switch interface config is ,
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    Thanks,
    Vijay

    Hi,
    I am using Avaya as well in production. They support 802.1X.
    Configure a voice VLAN on each port.
    Let ACS send the RADIUS attribute device-traffic-class=voice under Policy Elements / Authorization and Permissions / Network Access / Authorization Profiles VOICE VLAN and select "Permission to join static".
    A good guide: IP Telephony for 802.1X Design Guide
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telephony_DIG.html
    Regards, Horst

  • Problems with 802.1x,ACS and Windows Server 2000

    Hi,
    My components: ACS 3.3 running on a Server with Windows 2000 Server SP4 , 2950 Catalyst (AAA-Client) ,
    Laptop with Windows XP SP2 (802.1x Client)
    I have everything configured according to Cisco documentation, but I am getting one error in the ACS's log (Failed Attempts active.csv):
    Authen-Failure-Code : EAP-TLS or PEAP authentication failed during SSL handshake
    I have a valid certificate on my RADIUS (ACS) server, and for machine authentication I have a valid certificate on my laptop. (I installed this certificate before I started to log in at the 802.1x port of the switch.)
    Does anyone have any idea what the problem is?
    Here is the config of the Catalyst 2950 if that will help:
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname ACS-Client1
    aaa new-model
    aaa authentication dot1x default group radius
    enable secret xxxx
    username xxxx privilege xxx password xxx
    ip subnet-zero
    ip ssh time-out 120
    ip ssh authentication-retries 3
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    dot1x system-auth-control
    interface FastEthernet0/13
    switchport mode access
    dot1x port-control auto
    dot1x timeout quiet-period 3
    dot1x timeout reauth-period 1
    dot1x reauthentication
    interface GigabitEthernet0/2
    interface Vlan1
    ip address 10.10.3.253 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.3.254
    ip http server
    radius-server host 10.10.3.1 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key radius
    line con 0
    password xxx
    line vty 0 4
    password xxx
    line vty 5 15
    password xxx
    end

    Yes, we got to solve this problem. Because it is only a test scenario, we installed everything new: Win2000 Server SP4, the certificate service and WinXP on the client.
    The config of the switch is ok; we set the reauth-period and quiet-period to default.
    Then we tested the whole configuration with the IAS RADIUS (MS). After this we installed the ACS, following this document (certificates were already installed):
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
    Attention: we used the AEGIS client, not the XP client!

  • 802.1x ACS 5.2 and AD

    Hi,
    I would like to enable 802.1x to replace an existing Cisco port security implementation. This will provide us greater mobility as workstations are moved within the network.
    I am planning on using 802.1x for devices that are on the AD domain and MAB for devices that either don't have built-in supplicants or are not in the domain.
    Can someone please advise if I am able to do this without using certificates? Would EAP work without having certificates?
    I see that when the Windows supplicant is being configured to enable 802.1x, it is asking for a certificate.
    Thanks

    Patrick,
    You can do PEAP with Certificate Checking turned off. It's not as secure, but it would give you the option of user authentication without worrying about certificates at all. For the non-supplicant devices, you will have to have a database of MAC addresses ready to do MAB.
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Compatibility 802.1X and mac-filter from ACS

    If the clients' identities and MAC addresses are stored in the same ACS server, could a WLAN in the WLC be configured with Layer 2 security using both 802.1x and MAC filtering?
    This is really a critical problem for me!
    Thanks~

    Hi,
    I am assuming you are asking: if you configure the MAC address x of a WLAN client in the MAC filter and the same as the user name in the 802.1x ACS database, could you configure it, and what is the effect?
    If my understanding of your question is correct, the answer is:
    Any WLAN client will not be allowed to associate to the network unless a match is seen in the MAC filter in the WLC.
    But once that is done it will not be able to access network resources unless 802.1x authentication is completed by ACS against the WLAN client's user name, which is again the MAC address of the client.
    I don't see a value in doing this, except that you will block unnecessary authentication requests getting to ACS by filtering them in the first instance.
    Another scenario is if you are using MAC filtering also on ACS; it should be preceded by MAC filtering and then ACS authentication, as above as far as the sequence goes, hence the same logic applies here.
    Thanks

  • Ask the Experts: Introduction to Cisco Trustsec Solution and Configuration (from Webcast)

    This is an opportunity to learn and ask more questions about the Cisco TrustSec solution. The TrustSec solution is designed to flatten the network regardless of the access method but still provide fully distributed and differentiated access control: no matter whether you are coming from wired, WiFi or remote access, the TrustSec solution provides a consistent access control policy.
    Ankur Bajaj is a customer support engineer from the AAA team at the Cisco Technical Assistance Center in Richardson, Texas, USA. He has 14 years of total experience. He has worked on a wide range of Cisco Security Technologies such as Cisco ASA, VPN deployments, NAC solution, ACS and ISE deployment. Ankur has CCIE # 22135 in Security.
    Mrinal Jaiswal has been with Cisco since 2007 with previous experience as a software developer.  He works with AAA and Wireless Technical Assistance. Mrinal holds a CCIE in security #31389, MCSA in 2003 track, MCAD in .net, GNIIT from NIIT.
    Beau Wallace is an engineer for the RTP AAA TAC team, supporting multiple solutions including ISE, TrustSec, 802.1x, ACS, NAC, etc. He attended East Carolina University and lives in Raleigh, NC. He holds CCNP, RHCSA, and Security+ Certifications
    This Discussion starts Dec 16th through Dec 19th, 2014
    Remember to use the rating system to let the experts know if you have received an adequate response.
    The experts might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in Security community,  sub-community, AAA, Identity and NAC discussion forum shortly after the event. This event lasts through December 19, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Marvin, first, you would want to ensure the router or switch you use has support for SG-ACLs and enforcement via:
    http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/trustsec_matrix.html
    Once you know that works, you can configure SG-ACLs with a source or destination of "unknown". This keyword indicates traffic where we cannot discover what SGT should be assigned to that traffic, or in other words, traffic from outside the TrustSec domain. We use a relatively common command set on enforcement-supporting platforms; take a look at the following link for command syntax:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/trustsec/configuration/guide/trustsec/sgacl_config.html
    Let me know if the unknown tag was what you were looking for!
    Edits: Spelling.

  • EAP authentication

    Hi,
    Can anyone help me configure EAP in Cisco ACS 4.1? In fact I am using Cisco ACS for wireless clients through a WLC4402, on which I have enabled 802.1X; ACS is also configured for basic authentication.
    I want to use EAP authentication.
    Thanks and Regards,
    S.Venkataraman

    Please find attached PEAP config guide.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS 5.3 Configuring 802.1x

    Trying to configure 802.1x with ACS 5.3, have some general doubts about how to make it, this is what I got for the moment:
    ACS 5.3 = 192.168.240.28
    AD = 192.168.251.97
    Switch = 192.168.240.171
    IOS device config
    Already configured and running Device Administration using TACACS+, mixing with RADIUS aaa commands:
    aaa group server tacacs+ TACACS_PLUS
    server 192.168.240.28
    aaa group server radius RADIUS_1x
    server 192.168.240.28 auth-port 1812 acct-port 1813
    aaa authentication login default group TACACS_PLUS
    aaa authentication login no_tacacs enable local
    aaa authentication enable default group RADIUS_1x
    aaa authentication dot1x default group RADIUS_1x
    aaa authorization config-commands
    aaa authorization exec no_tacacs local
    aaa authorization commands 15 TACACS_PLUS group tacacs+
    aaa authorization network default group RADIUS_1x
    aaa authorization auth-proxy default group RADIUS_1x
    aaa accounting send stop-record authentication failure
    aaa accounting update newinfo
    aaa accounting dot1x default start-stop group RADIUS_1x
    aaa accounting exec default start-stop group TACACS_PLUS
    aaa accounting network default start-stop group TACACS_PLUS
    aaa accounting connection default start-stop group TACACS_PLUS
    aaa accounting system default start-stop group RADIUS_1x
    tacacs-server host 192.168.240.28 port 49 key 7 104D0617040717180F05
    tacacs-server directed-request
    radius-server attribute 8 include-in-access-req
    radius-server host 192.168.240.28 auth-port 1812 acct-port 1813
    radius-server timeout 20
    radius-server key 7 094F410718151201080D
    radius-server vsa send authentication
    dot1x system-auth-control
    errdisable detect cause security-violation shutdown vlan
    errdisable recovery cause security-violation
    interface GigabitEthernet0/24
    switchport mode access
    switchport voice vlan 7
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x timeout quiet-period 15
    spanning-tree portfast
    spanning-tree bpduguard enable
    ACS 5.3 Configuration until now
    I have a document on how to configure this on ACS 4.2, but I have some problems trying to configure on ACS 5.3.
    I'll appreciate a lot any ideas that could help me on this.
    Regards,
    Juan Carlos

    Ok Carlos, I made it simple, just AD as the condition and an authorization profile. I tested with a compliant client and am still receiving a timeout, and Network Access Authorization is still at 0. Here is the debug:
    001250: Jan 19 18:40:58.028 GDL: AAA/BIND(0000002F): Bind i/f 
    001251: Jan 19 18:40:58.237 GDL: %AUTHMGR-5-START: Starting 'dot1x' for client (f04d.a2a2.a028) on Interface Gi0/24 AuditSessionID C0A8F0AB0000001101B6C743
    001252: Jan 19 18:41:00.007 GDL: %LINK-3-UPDOWN: Interface GigabitEthernet0/24, changed state to up
    001253: Jan 19 18:41:01.014 GDL: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/24, changed state to up
    001254: Jan 19 18:41:08.547 GDL: AAA/AUTHEN/8021X (0000002F): Pick method list 'default'
    001255: Jan 19 18:41:08.547 GDL: RADIUS/ENCODE(0000002F):Orig. component type = Dot1X
    001256: Jan 19 18:41:08.547 GDL: RADIUS(0000002F): Config NAS IP: 0.0.0.0
    001257: Jan 19 18:41:08.547 GDL: RADIUS(0000002F): Config NAS IPv6: ::
    001258: Jan 19 18:41:08.555 GDL: RADIUS/ENCODE(0000002F): acct_session_id: 37
    001259: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): sending
    001260: Jan 19 18:41:08.555 GDL: RADIUS/ENCODE: Best Local IP-Address 192.168.240.171 for Radius-Server 192.168.240.28
    001261: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Send Access-Request to 192.168.240.28:1812 id 1645/27, len 246
    001262: Jan 19 18:41:08.555 GDL: RADIUS:  authenticator 27 15 50 22 ED AB FC 34 - F1 24 56 87 30 6F 7D F9
    001263: Jan 19 18:41:08.555 GDL: RADIUS:  User-Name           [1]   18  "juancarlos.arias"
    001264: Jan 19 18:41:08.555 GDL: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    001265: Jan 19 18:41:08.555 GDL: RADIUS:  Vendor, Cisco       [26]  27 
    001266: Jan 19 18:41:08.555 GDL: RADIUS:   Cisco AVpair       [1]   21  "service-type=Framed"
    001267: Jan 19 18:41:08.555 GDL: RADIUS:  Framed-MTU          [12]  6   1500                     
    001268: Jan 19 18:41:08.555 GDL: RADIUS:  Called-Station-Id   [30]  19  "00-1C-0E-08-69-98"
    001269: Jan 19 18:41:08.555 GDL: RADIUS:  Calling-Station-Id  [31]  19  "F0-4D-A2-A2-A0-28"
    001270: Jan 19 18:41:08.555 GDL: RADIUS:  EAP-Message         [79]  23 
    001271: Jan 19 18:41:08.555 GDL: RADIUS:   02 01 00 15 01 6A 75 61 6E 63 61 72 6C 6F 73 2E 61 72 69 61 73  [ juancarlos.arias]
    001272: Jan 19 18:41:08.555 GDL: RADIUS:  Message-Authenticato[80]  18 
    001273: Jan 19 18:41:08.555 GDL: RADIUS:   E5 92 90 F9 39 F2 EA A9 E4 B2 C9 02 12 9D EA B0                 [ 9]
    001274: Jan 19 18:41:08.555 GDL: RADIUS:  EAP-Key-Name        [102] 2   *
    001275: Jan 19 18:41:08.555 GDL: RADIUS:  Vendor, Cisco       [26]  49 
    001276: Jan 19 18:41:08.555 GDL: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C0A8F0AB0000001101B6C743"
    001277: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    001278: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-Port            [5]   6   50024                    
    001279: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-Port-Id         [87]  21  "GigabitEthernet0/24"
    001280: Jan 19 18:41:08.555 GDL: RADIUS:  NAS-IP-Address      [4]   6   192.168.240.171          
    001281: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Sending a IPv4 Radius Packet
    001282: Jan 19 18:41:08.555 GDL: RADIUS(0000002F): Started 20 sec timeout
    001283: Jan 19 18:41:26.507 GDL: RADIUS(0000002F): Request timed out
    001284: Jan 19 18:41:26.507 GDL: RADIUS: Retransmit to (192.168.240.28:1812,1813) for id 1645/27
    001285: Jan 19 18:41:26.507 GDL: RADIUS(0000002F): Started 20 sec timeout
    Complete Report:
    aaa group server tacacs+ TACACS_PLUS
    server 192.168.240.28
    aaa group server radius RADIUS_1x
    server 192.168.240.28 auth-port 1812 acct-port 1813
    aaa authentication login default group TACACS_PLUS
    aaa authentication login no_tacacs enable local
    aaa authentication enable default group RADIUS_1x
    aaa authentication dot1x default group RADIUS_1x
    aaa authorization config-commands
    aaa authorization exec no_tacacs local
    aaa authorization commands 15 TACACS_PLUS group tacacs+
    aaa authorization network default group RADIUS_1x
    aaa authorization auth-proxy default group RADIUS_1x
    aaa accounting send stop-record authentication failure
    aaa accounting update newinfo
    aaa accounting dot1x default start-stop group RADIUS_1x
    aaa accounting exec default start-stop group TACACS_PLUS
    aaa accounting network default start-stop group TACACS_PLUS
    aaa accounting connection default start-stop group TACACS_PLUS
    aaa accounting system default start-stop group RADIUS_1x
    dot1x system-auth-control
    interface GigabitEthernet0/24
    switchport mode access
    switchport voice vlan 7
    authentication port-control auto
    authentication violation protect
    dot1x pae authenticator
    dot1x timeout quiet-period 15
    spanning-tree portfast
    spanning-tree bpduguard enable
    tacacs-server host 192.168.240.28 key 7 104D0617040717180F05
    tacacs-server directed-request
    radius-server attribute 8 include-in-access-req
    radius-server host 192.168.240.28 auth-port 1812 acct-port 1813 key 7 15110402053A2E372B32
    radius-server timeout 20
    radius-server key 7 0110090A5A1B031C224D
    radius-server vsa send authentication
    The compliant client should have access to Vlan 60.
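The Access-Request logged above carries the identity twice, in User-Name and inside an EAP-Message Identity response, and then times out waiting for ACS. The following added example (not from the post or from Cisco) decodes a constructed byte stream mirroring those attributes: the type/length/value walk, the Cisco vendor-specific AVpair, the EAP header, and a label saying whether the identity is a machine (host/...) or a user, the distinction the earlier 4400 thread turned on. Attribute numbers and layout follow RFC 2865/2869/3579; the sample bytes are constructed to match the logged values, not the captured packet.

```python
"""Decode the attribute section of an 802.1X Access-Request like the one in the
'debug radius' output above. Added example; the byte stream is constructed to
mirror the logged attributes, it is not the captured packet."""
import struct

# RADIUS attribute numbers (RFC 2865, RFC 2869) present in the logged request.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 4, 5, 6
FRAMED_MTU, VENDOR_SPECIFIC, CALLING_STATION_ID = 12, 26, 31
NAS_PORT_TYPE, EAP_MESSAGE, NAS_PORT_ID = 61, 79, 87
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, total length (including these 2 octets), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data: bytes):
    """Walk the type/length/value stream, refusing malformed lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_vsa(value: bytes):
    """Vendor-Specific (26): 4-octet vendor id followed by vendor TLVs."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute shorter than its vendor id")
    return struct.unpack("!I", value[:4])[0], parse_attributes(value[4:])

def parse_eap(value: bytes):
    """EAP header: code, identifier, 16-bit length; an Identity response carries the name."""
    if len(value) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", value[:4])
    if length != len(value):
        raise ValueError(f"EAP length field {length} != {len(value)} octets carried")
    info = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2):  # Request and Response carry a type octet
        if len(value) < 5:
            raise ValueError("EAP Request/Response without a type octet")
        info["type"] = value[4]
        if value[4] == EAP_TYPE_IDENTITY:
            info["identity"] = value[5:].decode("utf-8", "replace")
    return info

def classify_identity(identity: str) -> str:
    """Windows supplicants send host/<fqdn> for machine auth; users appear as DOMAIN\\user
    (the earlier thread's log rendered the separator as a forward slash)."""
    if identity.startswith("host/"):
        return "machine"
    return "domain user" if ("\\" in identity or "/" in identity) else "bare user"

def summarize(data: bytes) -> dict:
    """Pull out the fields an operator checks when a request goes unanswered."""
    out = {"cisco_avpairs": [], "eap": None}
    eap_bytes = b""
    for atype, value in parse_attributes(data):
        if atype == USER_NAME:
            out["user_name"] = value.decode("utf-8", "replace")
        elif atype == CALLING_STATION_ID:
            out["calling_station_id"] = value.decode("ascii", "replace")
        elif atype == NAS_PORT_ID:
            out["nas_port_id"] = value.decode("ascii", "replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            out["nas_ip_address"] = ".".join(str(b) for b in value)
        elif atype == VENDOR_SPECIFIC:
            vendor_id, sub = parse_vsa(value)
            if vendor_id == CISCO_VENDOR_ID:
                out["cisco_avpairs"] += [v.decode("ascii", "replace") for t, v in sub if t == CISCO_AVPAIR]
        elif atype == EAP_MESSAGE:
            eap_bytes += value  # EAP may be fragmented across several attribute 79 instances
    if eap_bytes:
        out["eap"] = parse_eap(eap_bytes)
        if "identity" in out["eap"]:
            out["identity_class"] = classify_identity(out["eap"]["identity"])
    return out

# Constructed sample mirroring the logged Access-Request (attributes only, no header).
EAP_IDENTITY_RESPONSE = struct.pack("!BBH", 2, 1, 5 + 16) + bytes([EAP_TYPE_IDENTITY]) + b"juancarlos.arias"
SAMPLE_ACCESS_REQUEST_ATTRS = b"".join([
    attr(USER_NAME, b"juancarlos.arias"),
    attr(SERVICE_TYPE, struct.pack("!I", 2)),  # Framed
    attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, b"service-type=Framed")),
    attr(FRAMED_MTU, struct.pack("!I", 1500)),
    attr(CALLING_STATION_ID, b"F0-4D-A2-A2-A0-28"),
    attr(EAP_MESSAGE, EAP_IDENTITY_RESPONSE),
    attr(NAS_PORT_TYPE, struct.pack("!I", 15)),  # Ethernet
    attr(NAS_PORT, struct.pack("!I", 50024)),
    attr(NAS_PORT_ID, b"GigabitEthernet0/24"),
    attr(NAS_IP_ADDRESS, bytes([192, 168, 240, 171])),
])
```

Calling `summarize(SAMPLE_ACCESS_REQUEST_ATTRS)` reproduces the values the switch logged; a mismatch between what the NAS sends here and what the server expects (shared secret, NAS entry) is invisible at this layer, which is why a silent timeout rather than a reject is the symptom to chase on the server side.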

  • 802.1x with ACS does not correctly work

    Hello
    I have here a WLAN setup with a WDS, some 40 access points, an ACS 4.1 server and a Windows domain controller which has the users configured.
    I have a group mapping in ACS configured which points to a small group in the ADS.
    The groupmapping in ACS points to a specific group in ACS.
    There I've configured the following:
    [009\001] cisco-av-pair
    - ssid=xx-200 (the name of the SSID the clients connect)
    [006] Service-Type
    - Login
    [007] Framed-Protocol
    - PPP
    [025] Class
    - OU=pers; (this is not the special group where those users are in, but they are also in this one)
    [064] Tunnel-Type
    - Tag 1 Value Vlan
    [065] Tunnel-Medium-Type
    - Tag 1 Value 802
    [081] Tunnel-Private-Group-ID
    - Tag 1 Value 200 (the Vlan in which they should go)
    The good thing is, authentication with username password works.
    The bad thing is, every user can authenticate and get into this SSID instead of only the users in the special group which points to this groupmapping.
    The other ADS groups also point to other ACS groups, but they don't have the above values ([009\001] cisco-av-pair, [064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) configured.
    The logfile from the ACS also shows that the wrong users are mapped into the correct group like they should, but they still get access.
    Here is the WDS configuration:
    aaa group server radius RADIUS_GROUP_WDS_RADIOMANAGEMENT
    server 10.1.1.30 auth-port 1645 acct-port 1646
    server 10.1.2.30 auth-port 1645 acct-port 1646
    aaa authentication login METHOD_WDS_RADIOMANAGEMENT group RADIUS_GROUP_WDS_RADIOMANAGEMENT
    aaa authentication enable default enable
    aaa session-id common
    radius-server host 10.1.1.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server host 10.1.2.30 auth-port 1645 acct-port 1646 key 7 xxxx
    radius-server retransmit 2
    radius-server timeout 18
    radius-server deadtime 1
    radius-server vsa send accounting
    wlccp authentication-server infrastructure METHOD_WDS_RADIOMANAGEMENT
    wlccp authentication-server client any METHOD_WDS_RADIOMANAGEMENT
    ssid xx-200
    The access point config:
    aaa authentication login METHOD_RAD_WDS_CLIENT group radius
    aaa authentication enable default enable
    aaa session-id common
    dot11 ssid xx-200
    vlan 200
    authentication open eap METHOD_RAD_WDS_CLIENT
    authentication network-eap METHOD_RAD_WDS_CLIENT
    authentication key-management wpa
    interface Dot11Radio0
    encryption vlan 200 mode ciphers aes-ccm
    broadcast-key vlan 200 change 60
    ssid xx-200
    interface Dot11Radio0.200
    description
    encapsulation dot1Q 200
    no ip route-cache
    no cdp enable
    bridge-group 200
    bridge-group 200 subscriber-loop-control
    bridge-group 200 block-unknown-source
    no bridge-group 200 source-learning
    no bridge-group 200 unicast-flooding
    bridge-group 200 spanning-disabled
    interface FastEthernet0.200
    description
    encapsulation dot1Q 200
    no ip route-cache
    bridge-group 200
    no bridge-group 200 source-learning
    bridge-group 200 spanning-disabled
    I hope you can find why any user can authenticate and not just the ones in the groupmapping which has the radius attributes configured.
    Thanks,
    pato

    I have finally found something to look into :/
    000619: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: ssid [263] 6
    000620: Jan 18 16:50:11 A: RADIUS: 48 53 52 2D [xxx-]
    000621: Jan 18 16:50:11 A: RADIUS: AAA Unsupported Attr: interface [156] 4
    000622: Jan 18 16:50:11 A: RADIUS: 32 35 [25]
    This is with various debugging active on the WDS. And this might be the reason why it doesn't work.
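The three tunnel attributes listed in the ACS group above ([064] Tunnel-Type, [065] Tunnel-Medium-Type, [081] Tunnel-Private-Group-ID) are how ACS hands the VLAN to the authenticator; they are the same attribute 81 mechanism behind the original question's AD-group-to-VLAN mapping and the 4510 thread. The added example below (not ACS or IOS code) encodes them the way RFC 2868 specifies, tag octet included, and mimics the authenticator-side check that only a complete, consistently tagged set yields an assignment; the VLAN values are constructed from the post.

```python
"""Encode and validate the RFC 2868 tunnel attributes that carry an 802.1X
dynamic VLAN assignment: [064] Tunnel-Type, [065] Tunnel-Medium-Type and
[081] Tunnel-Private-Group-ID as listed in the ACS group above.
Added example, not ACS or IOS code; attribute layout follows RFC 2868."""
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # IANA Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # IANA Tunnel-Medium-Type value "802" (all IEEE 802 media)
MAX_TAG = 0x1F             # RFC 2868: a first octet above 0x1F is data, not a tag

def tagged_int(value: int, tag: int) -> bytes:
    """Tag octet followed by a 3-octet big-endian integer."""
    if not 1 <= tag <= MAX_TAG:
        raise ValueError("tag must be 1..31")
    return bytes([tag]) + struct.pack("!I", value)[1:]

def tagged_string(value: str, tag: int) -> bytes:
    """Tag octet followed by the string (a VLAN id or a VLAN name)."""
    if not 1 <= tag <= MAX_TAG:
        raise ValueError("tag must be 1..31")
    return bytes([tag]) + value.encode("ascii")

def vlan_assignment_attrs(vlan, tag: int = 1):
    """The three (type, value) attributes an ACS group mapped to a VLAN sends,
    i.e. 'Tag 1 Value VLAN', 'Tag 1 Value 802', 'Tag 1 Value 200' from the post."""
    if isinstance(vlan, int) and not 1 <= vlan <= 4094:
        raise ValueError("VLAN id out of range")
    return [
        (TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN, tag)),
        (TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802, tag)),
        (TUNNEL_PRIVATE_GROUP_ID, tagged_string(str(vlan), tag)),
    ]

def split_tag(value: bytes):
    """Return (tag, payload); untagged attributes get tag 0."""
    if value and value[0] <= MAX_TAG:
        return value[0], value[1:]
    return 0, value

def assigned_vlan(attrs):
    """Mimic the authenticator's check on an Access-Accept: all three tunnel
    attributes carrying the same tag, type VLAN, medium 802, and a group id.
    Returns the VLAN id (int) or name (str), or None when the set is incomplete,
    in which case the switch falls back to its own platform-specific behaviour."""
    groups = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = split_tag(value)
            groups.setdefault(tag, {})[atype] = payload
    for group in groups.values():
        if len(group) != 3:
            continue  # e.g. [081] present but [064]/[065] missing or under another tag
        ttype = int.from_bytes(group[TUNNEL_TYPE], "big")
        medium = int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big")
        gid = group[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if ttype == TUNNEL_TYPE_VLAN and medium == TUNNEL_MEDIUM_802 and gid:
            return int(gid) if gid.isdigit() else gid
    return None

if __name__ == "__main__":
    accept_attrs = vlan_assignment_attrs(200)   # what the ACS group for VLAN 200 sends
    print(assigned_vlan(accept_attrs))           # 200
    print(assigned_vlan(accept_attrs[2:]))       # None: only [081] present
```

Note that the check only decides which VLAN an accepted session lands in; whether the session is accepted at all is settled earlier, by the authentication result, which is why an ACS group without these attributes still produces an Access-Accept.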

  • Acs & 802.1x & external db (odbc)

    Hello
    I'm evaluating 802.1x authentication per EAP-TLS with ACS server (4.0). The authentication has to be done with an external ODBC database (we cannot use the AD/Windows database for this project). The certs on the server and on the client are ok. The SQL Server returns OK. BUT: the authentication fails with "certificate name or binary comparison failed". In the auth.log file there are entries like:
    AUTH 01/09/2007 14:40:05 I 1554 3440 pvAuthenticateUser: authenticate 'host/pcqj1c.sitest.net' against ODBCACS
    AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: FindUser start for user [host/pcqj1c.sitest.net]
    AUTH 01/09/2007 14:40:05 I 0376 3440 External DB [ODBCAuthDll.dll]: Authentication OK for user [host/pcqj1c.sitest.net]
    AUTH 01/09/2007 14:40:06 I 0897 3440 AuthenProcessResponse: process response for 'host/pcqj1c.sitest.net'
    AUTH 01/09/2007 14:40:06 E 0361 3440 EAP: TLS: No match between name in certificate and user account
    The CN in the clients cert is "pcqj1c.sitest.net"
    Can anybody help?
    regards
    Roland

    I am in an installation with 802.1x.
    I have installed a Cisco ACS and a Cisco 2950 switch and I am authorizing users via MS-CHAPv2 against the Cisco ACS.
    ACS is validating users against a Microsoft Active Directory.
    I have the following problem: when a user logs in, it takes between 45 and 90 sec to log the user in and change the VLAN.
    I have installed Windows XP Service Pack 2 and patches:
    xp-kb817778-x86-esn
    xp-kb826942-x86-esn
    I have changed the switch software to the latest release.
    How can I reduce this delay? Any idea?
