802.1x and EAP

Similar Messages

• EAP-PEAP and EAP-TLS on same switched network

  Hello,
  I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
  The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
  I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
  Thanks,
  Guy

  You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
  Good Luck,
  --Jean Paul

• Macintosh OSX, 802.1x and PEAP

  I'm preparing to implement 802.1x port authentication for both wired and wireless connections. The authentication server is Windows 2003 IAS. In the test environment, Windows XP clients can connect fine, but I'm not sure how to configure this for Mac OSX workstations (10.4.6). Has anyone successfully done this? If so could you please explain the proceedure, or direct me to documentation that explains the process?

  Assuming you're using NAC fraework then it's bad news, 802.1x won't work on a Mac. If you use 802.1x and L2IP in combination then wired Macs will work but wireless Macs will not. The reason is that the Cisco CTA for the Mac communicates with using EAP over UDP and this transport is not available when using 802.1x alone or over a wireless link with 802.1x or L2IP. The only way of catering for all client types at once (Windows wired and wireless, Mac wired and wireless) is L3IP.
  The NAC Appliance "will" support wireless Macs in a future release but (I believe) doesn't at the moment.

• Cisco Systems vs "CSIRO" 802.11a and 802.11g infringed upon the '069 patent

  Hi,
  any news about Cisco Systems and the "CSIRO" 802.11a and 802.11g infringed upon the '069 patent ?
  http://www.buffalotech.com/products/wireless/
  Dear Customer
  As you may be aware, Commonwealth Scientific and Industrial Research Organisation ("CSIRO") sued Buffalo, Inc. and Buffalo Technology (USA), Inc. ("Buffalo"), for alleged infringement of United States Patent No. 5,487,069 ("the '069 patent"). Subsequently, CSIRO also asserted its patent against the entire wireless LAN industry, including, Microsoft, Intel, Accton, SMC and Netgear.
  In it's lawsuit against Buffalo, CSIRO claimed certain Buffalo wireless networking products compliant with IEEE standards 802.11a and 802.11g infringed upon the '069 patent. Buffalo believed at that time and continues to believe that there are no grounds for CSIRO's allegations of infringement. The United States district court, however, found Buffalo to infringe the '069 patent and enjoined the importation and sale of Buffalo's IEEE 802.11a and 802.11g compliant products.
  CSIRO's lawsuits are against the entire wireless LAN industry and could affect the supply of wireless LAN products by any manufacturer, not just Buffalo. The entire industry is resisting CSIRO's attempts to enjoin the sale of wireless LAN products. Recently, Microsoft, 3COM Corporation, SMC Networks, Accton Technology Corporation, Intel, Atheros Communications, Belkin International, Dell, Hewlett-Packard, Nortel Networks, Nvidia Corporation, Oracle Corporation, SAP AG, Yahoo, Nokia, and the Consumer Electronics Association filed briefs in support of Buffalo's position that injunctive relief is inappropriate in this case.
  During the period of time that the injunction is in effect (10/1/2007), Buffalo cannot offer for sale, sell, import, or use its IEEE 802.11a and 802.11g compliant products in the United States. A list of the products covered by the injunction is attached here . The injunction does not prohibit sales of pre-existing inventories of products by Buffalo's customers. In addition, Buffalo has secured CSIRO's agreement to permit the replacement of defective products under warranty. None of Buffalo's other products are currently affected by this injunction.
  While Buffalo believes that it will be successful in reversing the district court's decision and will obtain a stay of the injunction pending a decision on the merits, the Court of Appeals has not yet issued a decision. Should the Court of Appeals issue a decision staying the injunction, you will be promptly notified. After the stay is issued or a favorable decision on the merits is obtained, Buffalo will be able to resume the supply of IEEE 802.11a and 802.11g products
  Please rest assured that Buffalo continues to stand behind their products and will continue to support all of our loyal customers as it relates to product warranties, technical support and the like without interruption.

  I suspect after reading the patent and the litigation that you mentioned above, that the US District Court decision will be reversed as the patent appears to be very vague in its contsruction and verbage. Furthermore, the intent to hold the IEEE hostage on the ratification of 802.11n will not bode well in the court's eyes. If in fact the case is reversed, I believe that the members of CSIRO will be in danger of lost profits litigation from Buffalo. Stay tuned to this bat channel.

• 802.1x with EAP-TLS Fails on Wired

  Dear Colleagues,
  I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
  Setup :
  1. Radius Server - Cisco ACS 1113 Engine
  2. Authenticator - Cisco 6509 Switch
  3. Supplicant - Windows XP SP2/3
  Problem:
  1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
  Errors Seen:
  1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
  2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
  3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”
  Other Information:
  1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
  2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
  3. Clients have Certs issued by clients own CA infrastructure.
  4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
  5. PEAP works fine on wired.
  Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
  Thanks
  Volven

  Dear Colleagues,
  I am currently encountering an issue which does not seem to make sense to me and hence checking if anyone of you have come across the same or can provide further input on how to proceed...
  Setup :
  1. Radius Server - Cisco ACS 1113 Engine
  2. Authenticator - Cisco 6509 Switch
  3. Supplicant - Windows XP SP2/3
  Problem:
  1. Supplicants fail to authenticate using EAP-TLS as the authentication method.
  Errors Seen:
  1. Cisco ACS Reports - Authen session timed out: Supplicant did not respond to ACS correctly. Check supplicant configuration.
  2. Cisco Switch Reports - dot1x-err(Gi3/39): Invalid Eapol packet length = 1490
  3. Supplicant Reports when Trace enabled in the RASTLS file - “>> Received Failure (Code: 4) packet: Id: 8, Length: 4, Type: 0, TLS blob length: 0. Flags:” and “Code 4 unexpected in state SentFinished”
  Other Information:
  1. Wireless Clients using the windows supplicant and EAP-TLS connect without any issue.
  2. ACS has certificates issued by 3rd Party Root CA - Geotrust.
  3. Clients have Certs issued by clients own CA infrastructure.
  4. ACS has the clients Root CA cert in the trust list and hence why the wireless users work.
  5. PEAP works fine on wired.
  Any pointers appreciated. Happy to share logs from Switch / Supplicant and ACS if needed.
  Thanks
  Volven

• EAP-TLS and EAP-PEAP Clients

  Hi guys
  I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
  Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
  The endpoints are configured with a username and password. The credentials are created in ISE server.
  I create a second policy for wired dot.1x with EAP - PEAP enabled
  The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
  When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
  Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
  Thanks in advance.
  Sent from Cisco Technical Support iPad App

  Hi,
  There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
  You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
  The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• MAB/802.1x and Alkatel IP Phones

  Hi All
  We have a distributed deployment where Alkatel ip-touch phones are authentictaed via MAB. Alkatel ip touch phones has 802.1x enabled by default and the phone tries eapol first and then switch authenticates via MAB which is fine. Once authenticated its working as expected. The issue is the phone keeps on periodic retry after x amount of minutes for 802.1x again which triggers the phone to reboot again and goes via the whole process. This interupts the voice. We could disable 802.1x but its per phone basis. Has anyone came across this issue and found a way to diable globally via the call manager etcc. or any workarounf from ISE/switch side?
  Thanks
  G

  Hi Tarik,
  Thanks for the reply, please find below the switch  port config lines, its a 370x switch, IPbase  and universalon 15.2-1.E1 image
  Note- Since the 8021x is enabled by default the phone initially tries 802.1x and after failing , the switch  goes to the next auth method which is MAB which is successful. The issue is the phone again initiales a 802.1x packet after some time and the whole process starts again and because 8021x is failed the phone reboots again. I think this is the way this type of phone work and we cannot do much unless disable 802.1x or install the Alkatel CA certs in the ISE cert store?
  Interface gi x/y
  switchport access vlan xx
   switchport mode access
   switchport voice vlan yy
   ip access-group ACL_ALLOW in
   authentication event fail action next-method
   authentication event server dead action reinitialize vlan xx
   authentication event server dead action authorize voice
   authentication host-mode multi-auth
   authentication open
   authentication order mab dot1x
   authentication priority dot1x mab
   authentication port-control auto
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   snmp trap mac-notification change added
   snmp trap mac-notification change removed
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast

• Potential Security Hole with 802.1x and Voice VLANs?

  I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
  If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACL's so any 'non-voice related' traffic is blocked but in this scenario the user has sucessfully bypassed 802.1x authentication and gain access to the network?
  Has anyone done any research into this potential security hole?
  Thanks
  Andy

  Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't around the issue of being able to easily bypass having to authenticate via 802.1x.
  As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
  Andy

• MAB, 802.1x and ACS 4.2

  Hi all,
  Currently i'm using an ACS4.2 as radius server, some switch 2960-s ios 12.2.(55)se5, ipphone Alcatel iptouch 4018 and i would like to assign dinamic vlan to some specific users/laptop Daisy-chained to ip phone.
  Logic connection is:   users laptop---->ipphone---->switch---->radius
  What i need is:
  if I connect MY laptop to the ipphone port, i receive a specific vlan ( vlan 58 )
  if SOMEONE else ( i.e. a consultant ) connect his laptop to the SAME ipphone port (if available) he has to receive a different vlan ( vlan 1).
  I've been able to reach the goal using MACRO but it tooks too much time to authenticate ( approx 1 min ) so i give up and tried a different faster  way ( 802.1x and MAB ).
  i've been able to authenticate the ip-phone using 802.1x auth and to receive the correct vlan when i connect MY laptop (MAB auth)  but i was not able to provide the VLAN 1 to the Consultant when he connect his laptop even if the "authentication event fail action authorize vlan 1"  is configured.
  I used the dot1x auth-fail vlan  because i'm not able to use MAB or 802.1x auth on external laptop. I also tried with guest vlan with no luck.
  In both case the "consultant" remain in "auth failed"
  Here my current configuration
  dot1x system-auth-control
  dot1x guest-vlan supplicant
  identity profile default
  interface GigabitEthernet1/0/1
   switchport mode access
   switchport voice vlan 30
   authentication host-mode multi-auth
  authentication event fail action authorize vlan 1
   authentication order mab dot1x
   authentication port-control auto
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 2
   dot1x max-reauth-req 1
   storm-control broadcast level 2.00
   storm-control multicast level 2.00
   spanning-tree portfast
  On ACS side i have 2 groups
  first Group authenticate the iphone and supply the voice vlan ( vlan 30)
  Second Group authenticate using MAB and supply the vlan 58
  is there a different way to accomplish this task?
  Thank you in advance

  hi,
  any ideas?
  thx

• 802.1x and IP Phone

  Is it possible to enable dot1x and voice on the same interface? If so which switches and IOS support this feature ?
  Any references to documents ?
  Commands that cannot be configured together :-
  switch voice vlan xxx
  dot1x port-control auto

  It is possible to enable 802.1X and voice on the same port. If the phone does CDP, it is allowed through, regardless of the 802.1X state of the port with this config. Here's the following switches that support this, with the minimum required releases:
  CatOS (6500) - 7.6(1)
  IOS (4500) - 12.1(20)EWA
  IOS (3750) - 12.2(25)SEA
  IOS (3560) - 12.2(25)SEA
  IOS (3550) - 12.1(12c)EA1
  IOS (2960) - 12.2(25)FX
  IOS (2950) - 12.1(12c)EA1
  IOS (2940) - 12.1(13)AY
  Hope this helps,

• 802.1X and CAT Express 500

  Hi guys,
  I want to know if the Cat Express 500 support dynamic vlan assigment through 802.1X.

  Hi,
  You can do the vlan arrisgnment using 802.1x on CE500. The configuration for 802.1X and Radius authentication server can be done with the help of Cisco Network Assistant (CNA). In the menu Network Security Settings you have to put the
  security level on high. There is the possibility to configure the IP address of the RADIUS server and the RADIUS key.
  In case you don?t have the CNA, you can download it for free from:
  http://www.cisco.com/cgi-bin/tablebuild.pl/NetworkAssistant
  HTH, Please rate if it does.
  -amit singh

• 802.1x and Voice VLAN

  I had read articles on cco, and I believed for the same switch port we can have 802.1x configure and the voice vlan configure. It mean the IP phone is connect to the switch port with 802.1x configured, but the phone will not autheticate, only the workstation connect to phone data port will get authenticate.
  I had configured 802.1x and test with notebook logon and able to access the network. Now I would like to test the notebook attached to IP phone data port, and the phone connect to switch port configure with 802.1x. But I failed to add voice vlan commmand. Why ?
  interface GigabitEthernet9/48
  description temporary port
  switchport
  switchport access vlan 12
  switchport mode access
  no ip address
  dot1x port-control auto
  spanning-tree portfast
  CIG01-ENT-SW1(config-if)#switchport voice vlan 14
  Command rejected: Gi9/48 is Dot1x enabled port.

  Using IEEE 802.1x Authentication with Voice VLAN Ports
  A voice VLAN port is a special access port associated with two VLAN identifiers:
  ?VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
  ?PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
  In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
  A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
  When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
  Waht kind of switch do you have? In 3550 I can configure the port for both vvid and pvid:
  interface FastEthernet0/1
  switchport access vlan 3
  switchport mode access
  switchport voice vlan 2
  no ip address
  dot1x port-control auto
  spanning-tree portfast
  end
  Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order the PC behind the phone get autehntication:
  under the interface configure "dot1x host-mode multi-host"
  Nevermind, I just realized that you might have a 5600 running native, checking the configuration guide and realese notes it does not looks like dot1x and vvlan can play together in that platform.

• Compatibility 802.1X and mac-filter from ACS

  If the  clients identities and mac address are stored in the same ACS server.
  In WLC,could a wlan be configured layer2 security with both 802.1x and mac-filtering?
  this is really a critical problem for me!
  Thanks~

  Hi,
  I am assuming  you are asking if you configure a x  mac of wlan client in MAC filer and the same as user naem in 802.1x ACS database as user name , could you configure it ? what is the effect?
  If my understading of your queston is  correct the answer is
  Any wlan client will not be allowed to  associate to the network  unless a match is  seen in mac filter in wlc.
  But once that is done  it will not able to access  network resources  unless   802.1x authentication is  completed by ACS  against the wlan clients user name which is again a mac  address of client.
  i dont see a value for doing this. except that you will block  unnecessary authentication request getting to ACS  by filtering it in the 1st instance.
  another scenario is  if you are using mac filtering also on ACS , it should be preceeded by mac filtering and then ACS authentication , as above as far as  ssequence goes hence the same logic applies here.
  Thanks

• IEEE 802.3u and IEEE 802.3z Compatibility

  Hello everyone!
  Does anyone know if these 2 fiber optic SFPs are compatible with each other?
  We have and old HP J4853A transceiver which is 802.3u and Cisco SFP LX Module which is 802.3z
  Thank you!

  Hello
  For your reference, when talking about fiber transceiver you want to check the following details:
  - There exists two modes: Single mode, and multi-mode, you want to make sure both use the same mode.
  - Wavelenght, there are 850nm, 950nm, 1310nm.... You need to make sure it matches.
  - No all switches/routers support all types of modules, so check the following compatibility matrix to make sure hardware and tranceiver are compatible.
  http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html
  Regards.
  Wilson B.

• Other LEAP upgrade options besides PEAP and EAP-FAST?

  Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
  Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?

  A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
  TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
  Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
  You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
  If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
  There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
  Good Luck
  Scott