802.1x - ACS authentication issue.....

I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
  In the controller we have an SSID called triton, which is our corporate SSID that all internal users connect to. Three different interfaces have been defined: a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script.
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, whereas the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user and the IP address ends up in the wrong VLAN.
Please help.  I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.

Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
  The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPPs. In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects. Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN in which they should be based upon AD group membership from ACS.
  I am very familiar with other wireless products and controllers such as Aruba.  In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication.  In the Aruba we used the windows supplicant.  I'd like to do the same with Cisco. 
  As far as I can tell, there is only a server side (ACS) certificate from Thawte that is used to authenticate.
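
The symptom described above can be measured from authentication records: the sketch below, an added example that is not part of the original post, groups records by client MAC and lists endpoints whose most recent authentication still used a machine (`host/...`) identity. The record layout, MAC addresses, names and VLAN numbers are constructed for illustration and do not reflect the actual ACS 4.1 log format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample, NOT real ACS output: timestamp, client MAC, identity, VLAN.
SAMPLE_LOG = """\
2011-03-01 08:00:05,00:1b:77:aa:bb:01,host/pc01.example.org,10
2011-03-01 08:02:41,00:1b:77:aa:bb:01,CORP/alice,20
2011-03-01 08:01:17,00:1b:77:aa:bb:02,host/pc02.example.org,10
2011-03-01 08:31:17,00:1b:77:aa:bb:02,host/pc02.example.org,10
2011-03-01 08:03:30,00:1b:77:aa:bb:03,CORP/bob,30
2011-03-01 12:10:02,00:1b:77:aa:bb:03,host/pc03.example.org,10
"""


def identity_kind(identity):
    """Return 'machine' for host/<fqdn> (or NAME$) identities, else 'user'."""
    ident = identity.strip().lower()
    if ident.startswith("host/") or ident.endswith("$"):
        return "machine"
    return "user"


def summarize(log_text):
    """Per client MAC: the latest identity, its kind, VLAN and user-auth count."""
    per_mac = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines
        ts, mac, identity, vlan = row
        per_mac[mac.lower()].append((ts, identity, int(vlan)))

    summary = {}
    for mac, events in per_mac.items():
        events.sort()  # "YYYY-MM-DD HH:MM:SS" sorts chronologically as text
        kinds = [identity_kind(identity) for _, identity, _ in events]
        last_ts, last_identity, last_vlan = events[-1]
        summary[mac] = {
            "last_seen": last_ts,
            "last_identity": last_identity,
            "last_kind": kinds[-1],
            "last_vlan": last_vlan,
            "user_auths": kinds.count("user"),
        }
    return summary


def machine_only_endpoints(log_text):
    """MACs whose most recent authentication used a machine identity.

    A PC sitting at the logon screen is legitimately in this state, so the
    result is a list to correlate with who is actually logged on, not a
    list of faults.
    """
    return sorted(
        mac for mac, s in summarize(log_text).items()
        if s["last_kind"] == "machine"
    )


if __name__ == "__main__":
    info = summarize(SAMPLE_LOG)
    for mac in machine_only_endpoints(SAMPLE_LOG):
        s = info[mac]
        print(f"{mac} last={s['last_identity']} vlan={s['last_vlan']} "
              f"user_auths_seen={s['user_auths']}")
```
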

Similar Messages

  • 802.1x multiple-authentication issue

    Hey,
    I'm configuring 802.1x multiple authentication with C3560G.
    Without any timer changes, the user's MAC address is registered as static in the MAC address table.
    The issue is that if an authenticated user moves to a non-802.1x port, this user can't access the network due to the static MAC entry.
    If I set up periodic reauthentication to solve this, PCs which are connected to an 802.1x port get EAP packets periodically, and users on those PCs then get the message "local area connection is connected" on the Windows taskbar. I got tons of complaints about this.
    What else can I do in order to clear up this situation?


  • NAP / 802.1x wired authentication issues

    NAP/NPS Server = 2012R2 NPS Role installed
    Client Switches: HP Proliant 5400 series
    Supplicant: Windows 7 Pro domain joined, built-in Windows 802.1x supplicant.
    We are using user and machine based authentication (to accommodate RDP sessions) with health checks (AV installed and Firewall enabled on all network profiles). User authentication policies are above Machine authentication policies in NPS so that when a user logs in, it supersedes the machine's authentication and switches VLANs based on the user's AD group membership. If a user or machine fails authentication, or fails the health check, they are quarantined on our 666 VLAN (We call it the Leper Colony!).
    Everything pretty much works...except one small thing...
    PROBLEM
    When a computer first boots up (maybe other times, I don't know), before presenting a user with a login screen, it gets...
    This topic first appeared in the Spiceworks Community

    Hi, you need machine authentication as well. Otherwise Windows will not be able to verify the user's identity and cannot log the user in. Windows authentication of the user takes place before the switchport authenticates for the user. Machine authentication allows the computer to authenticate and get access to the network before the user logs in. Thus the user authentication CAN take place because the DC's are only available after machine authentication succeeded.

  • 802.1X Port Authentication\ACS Question

    Hello,
    I'm troubleshooting a 3560 port authentication issue. From what I was told by other members of my team, when we upgraded to Windows 7 at this site authentication no longer worked. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
    I have only been dealing with 802.1x for a short time and my other configs have this command. My question is, without this command could there still have been port authentication working? On an interface, for example, they do have the following, which are in line with my other configs. FYI, I didn't set this site up and it has the rest of the config correct, like radius and aaa. When I went onsite to test I shut down the service on my laptop for 802.1x, which should have blocked me, or so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch, but it showed I connected using PAP_ASCII. I'm not sure how this protocol got used since we don't use that. Thanks for any suggestions you might have.
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x violation-mode protect
    dot1x reauthentication
    aaa new-model
    aaa authentication password-prompt PASSCODE---->
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa session-id common

    I have a little more to add. I was looking in the ACS and did find PAP_ASCII checked, so at my home office, which I know port security to be working, at least that's what I thought, I turned off wired auto config and could still get on, and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on, but my question becomes: if 802.1x is set up on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings, I can still get on the network; is this the correct behavior for this setup?
    Thanks,

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
    Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
    For the user from the old group, authentication is ok.
    For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
    Seems like ACS is querying from old records (own cache or database). Already restarted the ACS but still the same error.
    Can anyone advise how to troubleshoot the issue?
    Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
    How can we check or make sure it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change on this behavior.
    It should be possible to define which DCs to contact and/or make ACS interpret DNS Resource Records registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
    Conditions:
    Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact on an AD Domain.
    Hope this clarifies it.
    Regards.

  • 802.1x port authentication and Windows Radius, possible?

    Hello,
    I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? See, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
    Thanks

    Andy:
    Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
    If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in Google to help yourself.
    See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • 802.1x and Authentication Methods

    Hi,
    I have ACS 5.2, Cisco 4507 switches and AD domain environment.
    Planning on performing only machine authentication and not user authentication.
    I have the following type of devices:
    1. Windows XP SP3 and higher on the AD Domain
    2. Devices to be installed with third-party supplicants as they natively don't support 802.1x.
    If I ignore device type 2, and only consider device type 1, am I able to simply configure
    802.1x for authentication based on machine against AD, without having to use any
    certificates at all?
    Taken device type 2 into account, given the devices are not on the domain and I don't
    want to manually enter details into ACS, will I need to use certificate for authentication?
    Thanks

    Hi,
    > Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.
    [ANS] Yes, you always need a certificate on the ACS but it can be a self-signed certificate that you can create with 2 clicks on the ACS itself. On the client machines you only have to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.
    > I was thinking for devices that not on the domain, to load certificate on the machine.
    If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
    [ANS] Yes, you can. Non-domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the devices' certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate, the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.
    In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • ACS Authentication Limit

    Hi all, We currently are running 400 laptops that all utilize the same username to authenticate to our wireless network and we randomly see authentication issues. We are running version 11.1 of the Intel client and we have a mix of LWAPP and Autonomous AP deployments. We have mostly 1242 APs. Is there any kind of limit imposed by ACS or anything else that would be causing the random authentication failures we are seeing? We have to reboot the laptop for the authentication to work again once this happens. Our laptops are auto-login as is the wireless authentication. Is this a best practice or should we be auto-logging the wireless in with a separate account for each laptop? Thanks for any opinions.

    If you are not using CCKM on the client, then you are not fast roaming. This is regardless of autonomous with a WDS server or centralized (LWAPP). Without CCKM, the AP or controller is not participating in the auth and cannot cache the credentials.
    This is a common misconception.
    Microsoft zero config has *no* support for fast roaming, so you will need to use the Intel ProSet client and confirm that 'Cisco CCX Extensions' and CCKM is enabled.
    I don't believe any client but Cisco's ADU supports fast roaming with LEAP. In most cases you will need to run WPA2/PEAP-MSCHAPv2 and CCKM (NOT 802.1x) with the Intel client.
    Note that if you enable WPA1+WPA2 and/or 802.1x+CCKM on the LWAPP controller then you will most likely *not* negotiate CCKM with the client. For the SSID that you want fast roaming, enable WPA2 only and use CCKM (only).
    I am assuming that you are running OS version 4.0.206 or higher on the controller and at least an Intel 2200BG with ProSet 10.0 or higher.

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0.  Our ISE has a GoDaddy (none wildcard) certificate loaded for https and EAP.  We are just running PEAP.  We have a mix of IOS, Android, and Windows 7/8 devices.  IOS and Android devices can self create a wireless profile and after entering credentials can connect without issue.  Our Windows 7/8 devices, when auto creating a wireless profile are selecting 802.1x machine authentication instead of User authentication or the best option which is machine or user authentication.  This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only.  This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity.  The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE1.2), or the best option which is to allow both types of authentication?  I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list.  Neither have helped.  I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should be trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different.  The Windows device would auto select user authentication by default.  At other customer sites, windows devices auto select user authentication.  This of course needs  to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • How to get rid of 802.1x 'Default Authentication'?

    Hi All,
    Every time I close my MBP's lid, put it to sleep, or simply turn it on... My wifi is no longer connected.
    This all started ever since I decided to 'Turn Off Wifi' the very first time since I got my MBP this year 2011, in June.
    Whenever I do any of the above (put MBP to sleep etc) then get back to working.. My Safari says I'm not connected to the internet.
    And I see my Wifi signal "blinking" and trying to connect. So I go to my Network preferences and see this:
    There's that '802.1X: Default Authenticating' that appears below my wireless network's name..
    After which i have to Disconnect from twice - 1 time, before it tries to "authenticate" again.. and then a 2nd time.. and then it stops completely,
    Then i have to proceed to click and choose my network again and re-enter my password just to get the Airport/Wifi working again..
    Someone please give me a solution to get my Wifi to automatically connect whenever I switch on my MBP - and to get rid of this annoying 802.1X which does nothing and just continues to try and "authenticate" with no result.
    It would be very very much appreciated! Thank You!
    PS. I did read somewhere online about 802.11g newer wireless network cards and how they may have issues with an 802.1x network etc..
    Don't really understand it though. Please explain if you could. Cheers 

    Realized that OSX Lion has re-prioritized my Wi-Fi to the bottom of the list.
    What I had to do was place it in first priority again in Network settings.
    Quite a disappointment from OSX Lion since in OS Snow Leopard that was the default setting - and certainly a hassle for newbie Mac users like myself who may be clueless when faced with these "issues"
    Also attached above is the picture that for some strange reason disappeared in the original post..

  • Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010

    Hi
    My company has implemented 802.1x Wired authentication, we use GPO to specify a Wired Profile that uses a COMPUTER certificate.
    We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
    This issue only occurs intermittently, but has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
    I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995, KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the issue still occurs.

    Hi,
    From the description, you suspect the DHCP request cause this issue. Would you please send us the packets? Since it seems that you have looked into the traffic and found some clues.
    Meanwhile, I found the following hotfix which may be related to this issue.
    No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
    Next Action Plan:
    1.Clean Boot
    a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
    b. In the Startup tab, click the "Disable All" button.
    c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
    ======================================================
    Clean Boot + binary search
    In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
    You can enable half of all the services in Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until
    we find out the root cause. Please let me know if this action plan is OK for you.
    2.Collect etl trace on the problematic client.
    netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
    ****Try to reproduce this issue****
    netsh trace stop
    Please send the net.etl to us for underlying analysis.
    For any concerns, please let us know.
    Best regards,
    Steven Song
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • 802.1x & windows Authentication

    Hi there, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP or MD5 or PEAP (on the clients)?
    And what are the challenges if Windows user account passwords are changed frequently?
    Can anybody explain the advantages & disadvantages of 802.1x before I deploy it in the network?

    There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have an "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7 where machine auth is enabled when you enable user auth.
    MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAF on the ACS side is just another form of auth where the user id and password is the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.

  • Pb 802.1X Computer authentication

    Hello
    I want to know if some GPO parameters can prevent 802.1X computer authentication?
    We use ACS 4.1 and 802.1X PEAP authentication with VLAN assignment and MACHINE authentication only.
    Certain PCs work fine and others do not.
    If we disconnect the PC from the domain and then reconnect the PC to the domain, all works fine ==> Authentication is OK.
    Do you have a solution that avoids taking the PC out of and back into the domain?
    Thanks for your help

    Hello
    When I run the command csagent -v the result is:
    ACSRemoteAgent version 4.1(3.12)
    and I have an Appliance ACS:
    Cisco Secure ACS 4.1.3.12
    Appliance Management Software 4.1.3.12
    Appliance Base Image 4.1.1.4
    CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
    and in the file cswinAgent I have this error:
    CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    I don't know if this is what you want.
    I have just changed the domain name (DOMAIN-TEST) for confidentiality reasons.
    Thanks
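
The CSWinAgent excerpt above can be reduced to a per-account failure count; the following is an added example, not code from the poster or from Cisco, that pairs each `Attempting Windows authentication` line with the `FAILED` line that follows it. The regular expressions are inferred only from the nine lines quoted in the post; Win32 error 1326 is `ERROR_LOGON_FAILURE`, and a trailing `$` marks an AD computer account.

```python
import re
from collections import Counter

# Log lines copied from the post above (domain name anonymised by the poster).
CSWINAGENT_LOG = """\
CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
"""

# Standard Win32 logon error codes (winerror.h).
WIN32_LOGON_ERRORS = {
    1326: "ERROR_LOGON_FAILURE (unknown user name or bad password)",
    1327: "ERROR_ACCOUNT_RESTRICTION",
    1330: "ERROR_PASSWORD_EXPIRED",
    1331: "ERROR_ACCOUNT_DISABLED",
    1909: "ERROR_ACCOUNT_LOCKED_OUT",
}

# Patterns inferred from the quoted lines only (assumption, not a format spec).
REQUEST_START = re.compile(r"RPC: \S+ received")
ATTEMPT = re.compile(r"NTLIB: Attempting Windows authentication for user (\S+)")
REATTEMPT = re.compile(r"NTLIB: Reattempting authentication at domain (\S+)")
FAILED = re.compile(r"NTLIB: Windows authentication FAILED \(error (\d+)L?\)")


def parse_failures(text):
    """Return one dict per FAILED line with the account and domain in effect."""
    failures = []
    user = domain = None
    for line in text.splitlines():
        if REQUEST_START.search(line):
            user = domain = None          # a new RPC request begins
        elif (m := REATTEMPT.search(line)):
            domain = m.group(1)           # retry against an explicit domain
        elif (m := ATTEMPT.search(line)):
            user = m.group(1)
        elif (m := FAILED.search(line)):
            code = int(m.group(1))
            failures.append({
                "user": user,
                "domain": domain,
                "code": code,
                "meaning": WIN32_LOGON_ERRORS.get(code, "unknown"),
                "machine_account": bool(user) and user.endswith("$"),
            })
    return failures


def machine_logon_failures(text):
    """Count ERROR_LOGON_FAILURE (1326) rejections per computer account."""
    counts = Counter(
        f["user"] for f in parse_failures(text)
        if f["machine_account"] and f["code"] == 1326
    )
    return dict(counts)


if __name__ == "__main__":
    for f in parse_failures(CSWINAGENT_LOG):
        print(f["user"], f["domain"], f["code"], f["meaning"])
    print(machine_logon_failures(CSWINAGENT_LOG))
```

On the quoted lines this reports two 1326 rejections for `GVAL0594$`, one before and one after the retry at `DOMAIN-TEST`. A computer account rejected this way is consistent with the poster's observation that re-joining the PC to the domain restores authentication.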

  • 802.1X Inaccessible Authentication Bypass

    On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available.  The interface configuration mode command is supposed to be "dot1x critical". 
    Has it changed to something else in this version of IOS?
    The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.html

    Hello Prashant
    Can you post the port configurations here? Have you configured the critical port, radius parameters etc., and does the switch recognize that the radius server is down?
    I think this is more to do with the design of the entire dot1x authentication.. I have tried this in labs and have had tough times generating these scenarios.. we would hardly be able to justify this feature on the network. I think it is highly advisable to have dual radius servers (or even more than 2), and configure the switches with standby radius servers.. I really wouldn't want my network enabled with 802.1x and having issues contacting the radius server.. even though we have options and solutions to overcome it, I wouldn't want too many complications on the 802.1x front..
    Hope this helps.. all the best.. rate replies if found useful..
    Raj
