802.1x and Authentication Methods

Hi,
I have ACS 5.2, Cisco 4507 switches and AD domain environment.
Planning on performing only machine authentication and not user authentication.
I have the following type of devices:
1. Windows XP SP3 and higher on the AD Domain
2. Devices to be installed with third-party supplicants, as they natively don't support 802.1x.
If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?
Taking device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use a certificate for authentication?
Thanks

Hi,
> Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.
[ANS] Yes, you always need a certificate on the ACS, but it can be a self-signed certificate that you can create with 2 clicks on the ACS itself. On the client machines you only have to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.
> I was thinking, for devices that are not on the domain, to load a certificate on the machine.
If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
[ANS] Yes, you can. Non-domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the devices' certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate; the ACS simply checks the CA that issued the cert and, if it is trusted, it will accept the authentication.
In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • Transport protocol and authentication method

    Hi gurus,
    I am trying to configure EBP-SUS; I do not have access to Solution Manager.
    I am working on SRM_SERVER 5.5.
    Can somebody who has configured EBP-SUS give me more information about the transport protocol and the authentication method?

    solved by self

  • MacBookPro and Cisco's LEAP authentication method

    I am getting ready to get a laptop in the next couple of weeks.
    The Law School's wireless network standard is 802.11g. The network uses Cisco's LEAP authentication method. Only LEAP-enabled notebook computers may connect to all access points of the Law School wireless network.
    I googled this and at least last year in 2006, MacBook Pros weren't working with the LEAP system because they wouldn't assign an IP address. Do you know if this has been resolved?
    MacG5 Mac OS X (10.4.10)

    I found this: Finder>Help>Mac Help>Search: LEAP>
    "AirPort: How to configure Mac OS X 10.4 "Tiger" clients for LEAP authentication
    If you select LEAP authentication on a Mac OS X 10.4.2 or later computer on which the AirPort 4.2 or later update has been installed, your authentication settings may be lost after restart, sleep, or location change. As a workaround, you should use the steps shown here, which will have the effect of configuring LEAP, even though you will choose WEP from the menu.
    Go to the Network pane of the System Preferences, show AirPort, and click the AirPort tab.
    Be sure the "By default, join" menu is set to "Preferred networks."
    Note: If you don't have "Preferred networks" as a choice, this means that your 10.4 system was upgraded from 10.3, and that you're still using a Location imported from 10.3 (Panther). In this situation, you experience Panther behavior instead of new Tiger features. You will need to create a new location to utilize Tiger features and complete these steps.
    Click the "+" button.
    Enter the desired network name in the window that appears.
    From the Wireless Security pop-up menu, choose WEP Password.
    Replacing username and password with actual name and password, enter them exactly as shown here, including both brackets and slash:
    <username/password>
    Note: Though there will not be any visible indication, this entry format sets the client to use LEAP rather than WEP.
    Click OK. Note: The network entry will appear in the table as "WEP," but LEAP will be used.
    Click Apply Now."
    Looks like it works when you know what to do (or where to search).

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of User authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a Windows device to the ISE-enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1x computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different. The Windows device would auto-select user authentication by default. At other customer sites, Windows devices auto-select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and be functional easily to begin with.

  • 802.1x port authentication and Windows Radius, possible?

    Hello,
    I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? See, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
    Thanks

    Andy:
    Yes, of course you can use whatever RADIUS server as an AAA server for 802.1x authentication on the switches: NPS, IAS, ACS, Open RADIUS, etc.
    If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in Google to help yourself.
    See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time staff plug into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match the ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
    ii. If it is possible, is there any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco-based and are only capable of supporting 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • 802.1x and eDir Authentication

    We are purchasing the Enterasys 802.1x NetSight policy manager (running on SLES 9 with OES) along with new Matrix N3 and C2 switches. We plan on utilizing 802.1x authentication on both our wired and wireless networks. We currently use NW 6.5 with BM 3.8 and NMAS RADIUS for wireless MAC authentication and it works well. I understand that BM/NMAS RADIUS does not work with 802.1x authentication.
    I have read the previous two posts "How to implement a secure wireless solution (PEAP/EAP-TTLS)" and "eDirectory and 802.1x wireless authentication" Thank you Jim and others for your ideas and information.
    My question is, has Novell gotten off their hands and provided a solution yet? Will they? I will look into the Funk Odyssey / Steel Belted Radius software, freeRadius, and Radiator.
    Are there any other suggestions? Any changes since the above postings in January / February?
    I just wish Novell were more leading edge with the new technologies. It has been quite disappointing.
    Thanks,
    OZ
    Owen Zorge
    IT Specialist III
    AZ Department of Emergency and Military Affairs
    602-392-7507
    [email protected]

    Thank you for the info and link Jim. I seem to remember a session at BrainShare this year that discussed this issue. I'll also look up that presentation on the CD I just received.
    I have already contacted Funk to get some information on their 802.1x client. Any idea when Novell will integrate 802.1x authentication into the NetWare Client?
    Thanks again,
    OZ
    Owen Zorge
    IT Specialist III
    AZ Department of Emergency and Military Affairs
    602-392-7507
    [email protected]
    >>> Jim Michael<[email protected]> 5/24/2005 1:55:03 PM >>>
    Owen Zorge wrote:
    > My question is, has Novell gotten off their hands and provided a
    > solution yet? Will they?
    Yes, they have. You still cannot use the NetWare RADIUS server (it's
    dead), but Novell contributed code to the freeRADIUS project that lets
    you do 802.1x a wee bit easier than what I had to go through.
    I suggest you start here
    http://www.novell.com/documentation/...ius/index.html
    > I will look into the Funk Odyssey / Steel
    > Belted Radius software, freeRadius, and Radiator.
    Understand that you will most likely need at least the Odyssey *client*
    (supplicant) for your Windows boxes. The 802.1x supplicant that ships in
    WindowsXP works, but doesn't have enough features for most shops. This
    has nothing to do with Novell and is purely a client-side issue.
    Jim
    NSC Sysop

  • VDI and other authentication methods

    Hello,
    I want to set up VDI 3 and I know you need AD/LDAP for a production environment.
    I was wondering if in any way there is/(will be) an open framework for other authentication methods,
    for instance like HESIOD?
    thanks
    Michael.

    Since you disabled "clear", you will need to configure SquirrelMail to use Cram-MD5.
    To do so run:
    sudo /etc/squirrelmail/config/conf.pl
    and adjust your IMAP and SMTP settings

  • Reset Authentication method to Exchange 2013 EAC and now I can't get in.

    In trying to work through a list of issues related to Exchange upgrade I inadvertently have locked myself out of the EAC by changing the authentication method.  Is there any way to change it back?

    Hi,
    According to my experience, the ECP login failure issue has many reasons. Thus, to narrow down the cause, we can try to confirm the following information and try the following troubleshooting:
    1. Check the detail information about OWA and ECP virtual directory:
    Get-OwaVirtualDirectory | fl
    Get-EcpVirtualDirectory | fl
    2. Clear or restart the MSExchangeOWAAppPool
    Thanks,
    If you have feedback for TechNet Subscriber Support, contact
    [email protected]
    Angela Shi
    TechNet Community Support

  • TS3276 Does anyone know the YAHOO authentication method and port? I recently installed the new OSX 10.8.2 software and my Mac Mail won't work.

    Does anyone know the YAHOO authentication method and port? I recently installed the new OSX 10.8.2 software and my Mac Mail won't work.

    Hello,
    I have no idea what you're talking about, however my Mail stopped working when I
    had to add a new e-mail address for my Hotmail account.
    My new Hotmail address works, and seems to get e-mail from the old e-mail address,
    which from what I've read behaves as a "default" address for the old address.
    Apple Mail is linked to my Hotmail account of the old e-mail address.
    I no longer know my old password.
    Apple Mail will not accept my new password for my new Hotmail account.
    Can someone help me solve this problem WITHOUT A COMPLICATED SOLUTION!
    As I said, I have no idea what a port, or SSL or authentication is!
    If you do answer, please answer in very simple steps that are easy to follow, and don't make matters worse.
    Thanks,
    SB

  • Suggestions/Help - Authentication method and tracking of access/download

    Hello all.
    Recently I've got a mission to do on SharePoint and I would like to ask you guys for some suggestions on how to do this:
    -Create an authentication method and tracking of access to and download of documents from one page.
    I already tried some ways but no success until now, so I come here to ask for your help.
    I am a beginner in SharePoint development so please try to speak in the simplest possible way; some terms I may end up not understanding.
    I really do appreciate all the help.

    Hopefully you have access to Central Administration. If you don't, I think you don't have the control over the farm you will need to accomplish your task. Go into Central Admin. On the left side you will see an option "Upgrade and Migration". Select the option "Convert farm license type". The next page will tell you the current license version. I'm not sure about Foundation, but I expect that the upgrade and migration link won't be available at all and thus could be assumed to be Foundation, which may not have the functionality you desire. The list at http://technet.microsoft.com/en-us/library/jj819267.aspx will show you that they are only available in the Standard or Enterprise version.

  • About TACACS+ and 802.1x port authentication

    Hi
    Is it true that TACACS+ will not work with 802.1x port authentication because EAP is not supported in TACACS+?
    Where can I find documentation stating that TACACS+ doesn't support EAP?
    Regards,
    Thanks.

    Correct, TACACS does not support EAP, check the following links:
    https://cisco.hosted.jivesoftware.com/message/7901
    http://www.rfc-editor.org/rfc/rfc1492.txt

  • 802.1x re authentication problem

    Hello,
    I have problem with 802.1x authentication on switch ports which are configured in "Multi Session" mode. In Single host mode and Multiple Host mode it works just fine.
    The problem is the following: when a PC is first connected on a switch port it authenticates successfully. After about 1-2 minutes the Windows 7 NIC notifies that it's going to authenticate again, and after a couple of minutes the NIC status is changed to "Authentication Failed". On ACS I only see the first authentication request, which is successful. If I unplug the PC from the port and plug it in again, it authenticates successfully and then starts again with the same problems.
    I was doing packet sniffing on the PC, and it seems that after the PC's first authentication completes successfully, the switch starts sending EAP Identity/Request packets to the host, to which the host sends an EAP Identity/Response to the switch, but the switch doesn't continue the authentication process and starts again with new EAP Identity/Request packets.
    On Windows 7 host Event viewer I see  following log messages:
                    Reason: 0x70004
                    Reason Text: The network stopped answering authentication requests
                    Error Code: 0x0
    The ACS version is 5.3. Authentication method is PEAP. Supplicant OS is Windows 7; I also tried with Windows XP, with the same result. The authentication switch is ESW 520 with the latest firmware. I also tried with 2960/3560 switches and it works perfectly. On the ESW 520 switch, if the port mode is other than "Multi Session" it works without any issue.
    Do you have any idea how I can fix this?

    Hi ngtransge,
    Thanks for rating the replies. You need to select "User Authentication". I am pasting some screenshots which might help you out.

  • Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)

    Hi!
    I'm in the process of setting up a new wireless network for a customer.
    A little info about the hardware:
    Cisco WLC 5508
    Cisco AP 2602i
    Cisco ISE - radius server
    ipads gen 4 (iOS 6)
    EAP-TLS (Windows machines) and PEAP (other stuff, iPads, Android etc.) as authentication methods
    The RADIUS server is using a server certificate from their own PKI infrastructure, therefore I need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iPhone/iPad Configuration Utility.
    I use the "Use Per-connection password" option.
    Users that are allowed to connect are placed in a specific group in their AD.
    The problem that I have is:
    When a user that's not allowed to connect tries to authenticate to the network, the iPad says stop and that's the way it's supposed to be.
    BUT after someone has failed to authenticate to the network and somebody else tries to connect, the iPad only asks for a password and not a username.
    I can't seem to get rid of this popup and therefore the iPad can't connect.
    If I don't use the profile I can forget the network and after that I can connect with a different user.
    But then I can't verify the server certificate and use the per-connection password option!
    Please help!
    Has someone else seen this type of bug?
    //Simon

    Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
    1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
    2. My config is as below:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication login default group radius
    dot1x system-auth-control
    interface f0/1
    switchport mode access
    dot1x port-control auto
    end
    I am able to log in using the RADIUS server, so RADIUS is working (on ports other than f1/0). However, when connecting to f1/0, the port on the 2950 remains blocked.
    3. The certificate is issued by the CA server, is viewable via Internet Explorer, and is issued to the correct username which is in Active Directory.
    I even tried using local authentication with 802.1x; this did not work.
    4. If I have a certificate, will this automatically give me access to the 802.1x port?
    5. I have Windows 2000, and authentication is set to 'Smart Card or other certificate'.
    Am I missing anything?
    Any advice will be greatly appreciated.
    Chris

  • ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

    Hi guys,
    I have a strange error here and I'm really disappointed.
    We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
    We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
    At the other clients we can see a strange error at the ACS.
    At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
    Logged At: Sep 2,10 3:37:46.916 PM
    Access Service: Wired_802.1X_EAP-TLS
    Authentication Method: EAP-TLS
    ACS Instance: svacs01
    Failure Reason: 5411 EAP session timed out
    (The report's other columns, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Network Device, NAS IP Address, NAS Port ID and CTS Security Group, are blank in the pasted extract.)
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Wired_802.1X_EAP-TLS
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    5411  EAP session timed out
    At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
    Switch --> Request Identity --> Client
    Switch <-- Response Identity <-- Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    What is missing is the Switch <-- Response EAP-TLS <-- Client
    Any ideas what is going wrong? Maybe someone had this error before?
    Any suggestions how to debug this?
    Thank you very much for your help!
    Mathias

    Hi @all,
    I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occurs many times per day.
    Logged At: Sep 7,10 11:50:36.143 PM
    Access Service: dot1x wireless
    Authentication Method: PEAP
    ACS Instance: bfnetacs01
    Failure Reason: 5411 EAP session timed out
    (The report's other columns, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Network Device, NAS IP Address, NAS Port ID and CTS Security Group, are blank in the pasted extract.)
    Kind regards,
    Michael
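
Added here as an editor's example, not code from any post in these threads: a small Python parser for 802.1X EAPOL/EAP frames that replays a capture the way Mathias listed his (Request Identity, Response Identity, three unanswered EAP-TLS requests, then Identity restarts) and also the Identity restart loop from the "Multi Session" re-authentication thread above, and reports where the exchange stalled. The frames, EAP Identifiers and the identity strings (host/pc01, pc) are constructed; retransmits reuse the same Identifier as RFC 3748 specifies.

```python
import struct
from collections import namedtuple

# EAP codes (RFC 3748) and the method types that appear in these threads.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}

# eap_type is None for Success/Failure, which carry no Type byte.
EapPacket = namedtuple("EapPacket", "code identifier eap_type data")

def describe(pkt):
    kind = EAP_CODES.get(pkt.code, f"Code{pkt.code}")
    if pkt.eap_type is None:
        return kind
    return f"{kind} {EAP_TYPES.get(pkt.eap_type, f'Type{pkt.eap_type}')}"

def build_eapol(code, ident, eap_type=None, data=b""):
    """Wrap one EAP packet in an 802.1X EAPOL (version 1, EAP-Packet) frame."""
    body = (bytes([eap_type]) + data) if eap_type is not None else b""
    eap = struct.pack("!BBH", code, ident, 4 + len(body)) + body
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

def parse_eapol(frame):
    """Parse the EAPOL header, then the EAP header it carries."""
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != 0:
        raise ValueError(f"EAPOL packet type {ptype} carries no EAP packet")
    body = frame[4:4 + body_len]
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError("EAP Length field inconsistent with the frame")
    has_type = code in (1, 2) and length > 4
    eap_type = body[4] if has_type else None
    return EapPacket(code, ident, eap_type, body[5:length] if has_type else b"")

def analyse(frames):
    """Replay a switch<->supplicant capture; return (timeline, findings)."""
    timeline, findings, sent, answered = [], [], {}, set()
    awaiting_method = False  # True right after a Response/Identity
    for pkt in map(parse_eapol, frames):
        timeline.append(describe(pkt))
        if pkt.code == 1:  # Request from the switch (authenticator)
            if awaiting_method and pkt.eap_type == 1:
                findings.append("Identity was answered but the authenticator "
                                "restarted with a new Identity request")
            awaiting_method = False
            name, times = sent.get(pkt.identifier, (describe(pkt), 0))
            sent[pkt.identifier] = (name, times + 1)  # retransmit keeps the id
        elif pkt.code == 2:  # Response from the supplicant
            answered.add(pkt.identifier)
            awaiting_method = pkt.eap_type == 1
    for ident, (name, times) in sent.items():
        if ident not in answered:
            findings.append(f"{name} id={ident} sent {times}x, never answered")
    return timeline, findings

def stalled_eap_tls_capture():
    """Constructed frames reproducing the wired EAP-TLS exchange above."""
    start = b"\x20"  # EAP-TLS flags byte with only the S (Start) bit set
    return ([build_eapol(1, 1, 1), build_eapol(2, 1, 1, b"host/pc01")]
            + [build_eapol(1, 2, 13, start)] * 3   # three EAP-TLS requests
            + [build_eapol(1, 3, 1)] * 3)          # then Identity restarts

def reauth_loop_capture():
    """Constructed frames for the Multi Session re-authentication loop."""
    frames = []
    for ident in (1, 2, 3):
        frames += [build_eapol(1, ident, 1), build_eapol(2, ident, 1, b"pc")]
    return frames
```

Feeding real EAPOL payloads from a Wireshark export into analyse() gives the same two findings the posts describe: an EAP-TLS request that the supplicant never answers (the ACS side then logs 5411), and an Identity exchange the authenticator keeps restarting.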
