802.1x and Authentication Methods
Hi,
I have ACS 5.2, Cisco 4507 switches and AD domain environment.
Planning on performing only machine authentication and not user authentication.
I have the following type of devices:
1. Windows XP SP3 and higher on the AD Domain
2. Devices to be installed with third-party supplicants as they natively don't
support 802.1x.
If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?
Taking device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use certificate for authentication?
Thanks
Hi,
> Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.
[ANS] Yes, you always need a certificate on the ACS, but it can be a self-signed certificate that you can create with two clicks on the ACS itself. On the client machines you only have to make sure that the supplicant is configured not to "Validate server certificate", so that you do not have any further complication with certs.
> I was thinking, for devices that are not on the domain, to load a certificate on the machine.
If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
[ANS] Yes, you can. Non domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the device's certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate, the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.
In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Similar Messages
-
Transport protocol and authentication method
Hi gurus,
i am trying to configure EBP-SUS, i am not having access to solution manager .
I am working on SRM_SERVER 5.5.
Can somebody who has configured EBP-SUS give me more information about the transport protocol and the authentication method?
Solved by self.
-
MacBookPro and Cisco's LEAP authentication method
I am getting ready to get laptop in next couple of weeks.
The Law School's wireless network standard is 802.11g. The network uses Cisco's LEAP authentication method. Only LEAP-enabled notebook computers may connect to all access points of the Law School wireless network.
I googled this and at least last year in 2006, MacBook Pros weren't working with the LEAP system because they wouldn't assign an IP address. Do you know if this has been resolved?
MacG5 Mac OS X (10.4.10)
I found this: Finder>Help>Mac Help>Search: LEAP>
"AirPort: How to configure Mac OS X 10.4 "Tiger" clients for LEAP authentication
If you select LEAP authentication on a Mac OS X 10.4.2 or later computer on which the AirPort 4.2 or later update has been installed, your authentication settings may be lost after restart, sleep, or location change. As a workaround, you should use the steps shown here, which will have the effect of configuring LEAP, even though you will choose WEP from the menu.
Go to the Network pane of the System Preferences, show AirPort, and click the AirPort tab.
Be sure the "By default, join" menu is set to "Preferred networks."
Note: If you don't have "Preferred networks" as a choice, this means that your 10.4 system was upgraded from 10.3, and that you're still using a Location imported from 10.3 (Panther). In this situation, you experience Panther behavior instead of new Tiger features. You will need to create a new location to utilize Tiger features and complete these steps.
Click the "+" button.
Enter the desired network name in the window that appears.
From the Wireless Security pop-up menu, choose WEP Password.
Replacing username and password with the actual name and password, enter them exactly as shown here, including both brackets and slash:
<username/password>
Note: Though there will not be any visible indication, this entry format sets the client to use LEAP rather than WEP.
Click OK. Note: The network entry will appear in the table as "WEP," but LEAP will be used.
Click Apply Now."
Looks like it works when you know what to do (or where to search). -
We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of user authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
Thank you for any help or ideas,
When connecting a Windows device to the ISE-enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1x computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with. -
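The post above turns on one field of the auto-created Windows wireless profile: the OneX `authMode`, which is `machine`, `user` or `machineOrUser`. The script below is an added example (not code from the original post, from Cisco or from Microsoft) that reads that field out of an exported profile and rewrites it, so an operator can check what Windows chose and push a corrected profile instead of editing each client by hand. SAMPLE_PROFILE is a constructed profile in the Windows WLAN profile schema with the EAPConfig element left out; the element and namespace names are the ones used by exported profiles, everything else (SSID name, the audit wording) is assumed.

```python
"""Inspect and correct the 802.1X authMode in a Windows wireless profile.

Added example; not code from the original post, from Cisco or from
Microsoft. SAMPLE_PROFILE is a constructed profile in the WLAN profile
schema with the EAPConfig element omitted; the element and namespace
names are the real ones used by exported Windows profiles.
"""
from xml.dom import minidom

ONEX_NS = "http://www.microsoft.com/networking/OneX/v1"
VALID_MODES = ("machineOrUser", "machine", "user")

# Constructed profile showing the auto-created setting described in the post.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2</authentication>
        <encryption>AES</encryption>
        <useOneX>true</useOneX>
      </authEncryption>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <authMode>machine</authMode>
      </OneX>
    </security>
  </MSM>
</WLANProfile>
"""


def _auth_mode_node(doc):
    # Namespace-aware lookup: authMode lives in the OneX namespace, not the WLAN one.
    nodes = doc.getElementsByTagNameNS(ONEX_NS, "authMode")
    return nodes[0] if nodes else None


def get_auth_mode(profile_xml):
    """Return the OneX authMode text, or None when the profile has no 802.1X section."""
    node = _auth_mode_node(minidom.parseString(profile_xml))
    if node is None or node.firstChild is None:
        return None
    return node.firstChild.data.strip()


def set_auth_mode(profile_xml, mode):
    """Return a copy of the profile with authMode replaced. minidom keeps the
    xmlns attributes exactly as written, so the result still imports as-is."""
    if mode not in VALID_MODES:
        raise ValueError(f"unknown authMode {mode!r}; expected one of {VALID_MODES}")
    doc = minidom.parseString(profile_xml)
    node = _auth_mode_node(doc)
    if node is None:
        raise ValueError("profile has no OneX/authMode element to change")
    while node.firstChild is not None:
        node.removeChild(node.firstChild)
    node.appendChild(doc.createTextNode(mode))
    return doc.toxml()


def audit_profile(profile_xml):
    """Classify a profile the way the post describes the three choices."""
    mode = get_auth_mode(profile_xml)
    if mode is None:
        return mode, "no 802.1X section: not an EAP profile"
    if mode == "machine":
        return mode, "machine-only: user credentials are never sent after logon"
    if mode == "user":
        return mode, "user-only: no connectivity before a user signs in"
    return mode, "machine or user: machine auth before logon, user auth after"


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
    fixed = set_auth_mode(SAMPLE_PROFILE, "machineOrUser")
    print(audit_profile(fixed))
```

On a real client the input would come from `netsh wlan export profile name="CorpWiFi" folder=C:\temp` (which writes the full profile including EAPConfig) and the corrected file goes back with `netsh wlan add profile filename=...`; the profile name and folder here are assumptions.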
802.1x port authentication and Windows Radius, possible?
Hello,
I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? See, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
Thanks
Andy:
Yes of course you can use whatever radius server as a AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ....etc.
If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in Google to help yourself.
See this link, it could be useful for you: https://supportforums.cisco.com/thread/2090403
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match the ACS database, then the staff will not be able to gain access until after notifying the administrator about it.
ii. If it is possible, any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco-based and are only capable of supporting 802.1x.
Hope anyone here could help me on this.
Thanks very much,
Daniel
With ACS, you can set up NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
802.1x and eDir Authentication
We are purchasing the Enterasys 802.1x NetSight policy manager (running on SLES 9 with OES) along with new Matrix N3 and C2 switches. We plan on utilizing 802.1x authentication on both our wired and wireless networks. We currently use NW 6.5 with BM 3.8 and NMAS RADIUS for wireless MAC authentication and it works well. I understand that BM/NMAS RADIUS does not work with 802.1x authentication.
I have read the previous two posts "How to implement a secure wireless solution (PEAP/EAP-TTLS)" and "eDirectory and 802.1x wireless authentication" Thank you Jim and others for your ideas and information.
My question is, has Novell gotten off their hands and provided a solution yet? Will they? I will look into the Funk Odyssey / Steel Belted Radius software, freeRadius, and Radiator.
Are there any other suggestions? Any changes since the above postings in January / February?
I just wish Novell were more leading edge with the new technologies. It has been quite disappointing.
Thanks,
OZ
Owen Zorge
IT Specialist III
AZ Department of Emergency and Military Affairs
602-392-7507
[email protected]
Thank you for the info and link Jim. I seem to remember a session at BrainShare this year that discussed this issue. I'll also look up that presentation on the CD I just received.
I have already contacted Funk to get some information on their 802.1x client. Any idea when Novell will integrate 802.1x authentication into the NetWare Client?
Thanks again,
OZ
Owen Zorge
IT Specialist III
AZ Department of Emergency and Military Affairs
602-392-7507
[email protected]
>>> Jim Michael<[email protected]> 5/24/2005 1:55:03 PM >>>
Owen Zorge wrote:
> My question is, has Novell gotten off their hands and provided a
> solution yet? Will they?
Yes, they have. You still cannot use the NetWare RADIUS server (it's
dead), but Novell contributed code to the freeRADIUS project that lets
you do 802.1x a wee bit easier than what I had to go through.
I suggest you start here
http://www.novell.com/documentation/...ius/index.html
> I will look into the Funk Odyssey / Steel
> Belted Radius software, freeRadius, and Radiator.
Understand that you will most likely need at least the Odyssey *client*
(supplicant) for your Windows boxes. The 802.1x supplicant that ships in
WindowsXP works, but doesn't have enough features for most shops. This
has nothing to do with Novell and is purely a client-side issue.
Jim
NSC Sysop -
VDI and other authentication methods
hello,
I want to set VDI 3 and i know you need AD/LDAP for a production environment.
I was wondering if in any way there is/(will be) an open framework for other authentication methods,
for instance like HESIOD?
thanks
Michael.
Since you disabled "clear", you will need to configure SquirrelMail to use CRAM-MD5.
To do so run:
sudo /etc/squirrelmail/config/conf.pl
and adjust your IMAP and SMTP settings -
Reset Authentication method to Exchange 2013 EAC and now I can't get in.
In trying to work through a list of issues related to Exchange upgrade I inadvertently have locked myself out of the EAC by changing the authentication method. Is there any way to change it back?
Hi,
According to my experience, the ECP login failure issue has many reasons. Thus, to narrow down the cause, we can try to confirm the following information and try the following troubleshooting:
1. Check the detail information about OWA and ECP virtual directory:
Get-owavirtualdirectory |fl
Get-ecpvirtualdirectory |fl
2. Clear or restart the MSExchangeOWAAppPool
Thanks,
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Angela Shi
TechNet Community Support -
Does anyone know the YAHOO authentication method and port? I recently installed the new OSX 10.8.2 software and my mac mail wont work.
Hello,
I have no idea what you're talking about, however my Mail stopped working when I
had to add a new e-mail address for my Hotmail account.
My new Hotmail address works, and seems to get e-mail from the old e-mail address,
which from I've read behaves as a "default" address for the old address.
Apple Mail is linked to my Hotmail account of the old e-mail address.
I no longer know my old password.
Apple Mail will not accept my new password for my new Hotmail account.
Can someone help me solve this problem WITHOUT A COMPLICATED SOLUTION!
As I said I have no idea what a port, or SSL or authentication is!
If you do answer, please answer in very simple steps that are easy to follow, and don't make matters worse.
Thanks,
SB -
Suggestions/Help - Authentication method and tracking of acess/download
Hello all.
Recently i've got a mission to do on Sharepoint and i would like to ask you guys for some suggestions on how to do this:
-Create an authentication method and tracking of access and download documents from one page.
Already tried some ways but no success until now, then i come here to ask for your help.
I am a beginner in sharepoint development so please try to speak in the simplest possible way, some terms i may end up not understanding.
I do really appreciate all the help.
Hopefully you have access to Central Administration. If you don't, I think you don't have the control over the farm you will need to accomplish your task. Go into Central Admin. On the left side you will see an option "Upgrade and
Migration". Select the option "Convert farm license type". The next page will tell you the current license version. I'm not sure about Foundation, but I expect that the upgrade and migration link won't be available at all and
thus could be assumed to be Foundation which may not have the functionality you desire. The list at
http://technet.microsoft.com/en-us/library/jj819267.aspx will show you that they are only available in the Standard or Enterprise version. -
About TACACS+ and 802.1x port authentication
Hi
Is it true? TACACS+ will not work with 802.1x port authentication because EAP is not supported in TACACS+,
Where to find the documents about Tacacs+ doesn't support EAP?
Regards,
Thanks.
Correct, TACACS does not support EAP, check the following links:
https://cisco.hosted.jivesoftware.com/message/7901
http://www.rfc-editor.org/rfc/rfc1492.txt -
802.1x re authentication problem
Hello,
I have problem with 802.1x authentication on switch ports which are configured in "Multi Session" mode. In Single host mode and Multiple Host mode it works just fine.
The problem is the following: when the PC is first connected to the switch port it authenticates successfully. After about 1-2 minutes the Windows 7 NIC notifies that it's going to authenticate again, and after a couple of minutes the NIC status changes to “Authentication Failed”. On ACS I only see the first authentication request, which is successful. If I unplug the PC from the port and plug it in again, it authenticates successfully and then starts again with the same problems.
I was doing packet sniffing on the PC, and it seems that after the PC's first authentication completes successfully, the switch starts sending EAP Identity/Request packets to the host; the host sends EAP Identity/Response to the switch, but the switch doesn't continue the authentication process and starts again with new EAP Identity/Request packets.
On Windows 7 host Event viewer I see following log messages:
Reason: 0x70004
Reason Text: The network stopped answering authentication requests
Error Code: 0x0
The ACS version is 5.3. The authentication method is PEAP. The supplicant OS is Windows 7; I also tried Windows XP, with the same result. The authenticating switch is an ESW 520 with the latest firmware. I also tried 2960/3560 switches and it works perfectly. On the ESW 520 switch, if the port mode is anything other than “Multi Session" it works without any issue.
Do you have any idea how I can fix this?
Hi ngtransge,
Thanks for rating the replies. You need to select "User Authentication". I am pasting some screenshots which might help you out. -
Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)
Hi!
I'm in the process of setting up a new wireless network for a customer.
A little info about the hardware:
Cisco WLC 5508
Cisco AP 2602i
Cisco ISE - radius server
ipads gen 4 (iOS 6)
EAP-TLS (windows machines) and PEAP (Other stuff, ipads, andriod etc) as authentications methods
The RADIUS server is using a server certificate from their own PKI infrastructure, therefore I need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iPhone/iPad Configuration Utility.
I use the Use Per-connection password option
Users that are allowed to connect are placed in a specific group in their AD.
The problem that I have is:
When a user thats not allowed to connect tries to authenticate to the network the ipad says stop and thats the way it supposed to be.
BUT after someone has failed to authenticate to the network and somebody else tries to connect, the iPad only asks for a password and not a username.
I can't seem to get rid of this popup and therefore the iPad can't connect.
If I don't use the profile I can forget about the network and after that i can connect with a different user.
But then i can't verify the server-certificate and use the option per-connection password!
Please help!
Has someone else seen this type of bug.
//Simon
Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
2. My config is as below:
aaa new-model
aaa authentication dot1x default group radius
aaa authentication login default group radius
dot1x system-auth-control
interface f0/1
switchport mode access
dot1x port-control auto
end
I am able to log in using the RADIUS server, so RADIUS is working (on ports other than f1/0). However, when connecting to f1/0, the port on the 2950 remains blocked.
3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
I even tried using local authentication with 802.1x; this did not work.
4. If I have a certificate, will this automatically give me access to the 802.1x port?
5. I have Windows 2000, and authentication is set to 'Smart Card or other certificate'.
Am I missing anything?
Any advise will be greatly appreciated
Chris -
Hi guys,
I have a strange error here and I`m really disappointed.
We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
At the other clients we can see a strange error at the ACS.
At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
Logged At: Sep 2,10 3:37:46.916 PM
Access Service: Wired_802.1X_EAP-TLS
Authentication Method: EAP-TLS
ACS Instance: svacs01
Failure Reason: 5411 EAP session timed out
(The report's other columns, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Network Device, NAS IP Address, NAS Port ID and CTS Security Group, were not included in the post.)
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Wired_802.1X_EAP-TLS
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
11006 Returned RADIUS Access-Challenge
5411 EAP session timed out
At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
Switch --> Request Identity --> Client
Switch <-- Response Identity <-- Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
What is missing is the Switch <-- Response EAP-TLS <-- Client
Any ideas what is going wrong ? Maybe someone had this error before ?
Any suggestions how to debug this ?
Thank you very much for your help!
Mathias
Hi @all,
I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occurs many times per day.
Logged At: Sep 7,10 11:50:36.143 PM
Access Service: dot1x wireless
Authentication Method: PEAP
ACS Instance: bfnetacs01
Failure Reason: 5411 EAP session timed out
(The report's other columns, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Network Device, NAS IP Address, NAS Port ID and CTS Security Group, were not included in the post.)
Kind regards,
Michael
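The capture Mathias posted (Identity round trip, then three unanswered Request/EAP-TLS, then the switch starting over with Request/Identity) and the "5411 EAP session timed out" entries both Mathias and Michael see in ACS are two views of the same event: the authenticator's retransmit budget runs out because the supplicant never sends the EAP-TLS Response. The script below is an added example, not code from either post or from Cisco: it encodes and parses EAP packets with the RFC 3748 header (Code, Identifier, Length, Type) and replays that exchange between a constructed switch model and two constructed supplicants, one that answers EAP-TLS and one that stays silent on it, so the pattern in the capture can be recognised in a trace. The retransmit count, restart count and identity string are assumptions, not the behaviour of any particular switch firmware.

```python
"""Model of the EAP exchange from the capture above (RFC 3748 framing).

Added example; not code from the original posts or from Cisco. The
switch behaviour (three retransmissions, one restart) and the supplicant
that stays silent on EAP-TLS are constructed to reproduce the pattern in
the capture, not a model of any particular switch firmware.
"""
import struct

# EAP codes (RFC 3748 section 4) and method types (Identity, legacy Nak, EAP-TLS)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS = 1, 3, 13


def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet):
    """Decode one EAP packet, rejecting a Length field that disagrees with the buffer."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet size")
    eap_type = packet[4] if length > 4 else None
    return {"code": code, "id": identifier, "type": eap_type, "data": packet[5:length]}


class Supplicant:
    """Client side. answers_tls=False models the clients in the capture that
    answer Request/Identity but never reply to Request/EAP-TLS."""

    def __init__(self, identity, answers_tls=True):
        self.identity = identity
        self.answers_tls = answers_tls

    def handle(self, raw):
        """Return the Response bytes for a Request, or None to stay silent."""
        req = parse_eap(raw)
        if req["code"] != EAP_REQUEST:
            return None
        if req["type"] == TYPE_IDENTITY:
            return build_eap(EAP_RESPONSE, req["id"], TYPE_IDENTITY, self.identity.encode())
        if req["type"] == TYPE_TLS:
            if not self.answers_tls:
                return None
            # EAP-TLS flags byte 0x00 followed by TLS data; a constructed
            # placeholder stands in for the real ClientHello here.
            return build_eap(EAP_RESPONSE, req["id"], TYPE_TLS, b"\x00<ClientHello>")
        # Any other method: legacy Nak naming the method we support (RFC 3748 section 5.3.1)
        return build_eap(EAP_RESPONSE, req["id"], TYPE_NAK, bytes([TYPE_TLS]))


class Authenticator:
    """Switch side: retransmit an unanswered Request max_reauth_req times,
    then start over with a fresh Request/Identity before giving up."""

    def __init__(self, max_reauth_req=3, restarts=1):
        self.max_reauth_req = max_reauth_req
        self.restarts = restarts
        self.identifier = 0

    def _request(self, supplicant, eap_type, label, log):
        self.identifier = (self.identifier + 1) & 0xFF
        pkt = build_eap(EAP_REQUEST, self.identifier, eap_type)
        for _ in range(self.max_reauth_req):
            log.append(f"Switch --> Request {label} --> Client")
            raw = supplicant.handle(pkt)
            if raw is None:
                continue  # silence: retransmit the same packet (same Identifier)
            resp = parse_eap(raw)
            # Only a Response whose Identifier matches the outstanding Request counts
            if resp["code"] == EAP_RESPONSE and resp["id"] == self.identifier:
                log.append(f"Switch <-- Response {label} <-- Client")
                return resp
        return None

    def run(self, supplicant):
        """Drive the exchange; return (outcome, log) where outcome is
        'tls-started' or 'timeout' (what ACS logs as 5411 EAP session timed out)."""
        log = []
        for _ in range(self.restarts + 1):
            if self._request(supplicant, TYPE_IDENTITY, "Identity", log) is None:
                break
            tls = self._request(supplicant, TYPE_TLS, "EAP-TLS", log)
            if tls is not None and tls["type"] == TYPE_TLS:
                return "tls-started", log
        log.append("5411 EAP session timed out")
        return "timeout", log


def simulate(answers_tls, identity="host/pc01.example.test"):
    """Run one constructed client against the constructed switch model."""
    return Authenticator().run(Supplicant(identity, answers_tls=answers_tls))


if __name__ == "__main__":
    for flag in (True, False):
        outcome, log = simulate(answers_tls=flag)
        print(f"answers_tls={flag}: {outcome}")
        print("\n".join("  " + line for line in log))
```

The Identifier check in `_request` is the detail worth keeping in mind when reading a real trace: a Response carrying a stale Identifier is ignored by the authenticator, which looks exactly like silence from the client.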