802.1x and PEAP
Dear All,
We are going to use 802.1x PEAP with MSCHAPv2 for authentication. The problem is we don't have a trusted CA server in our setup.
So clients will not be able to verify the server certificate. Is there a way to avoid checking the server-side certificate, or another solution? And what will be the impact of avoiding this?
Regards,
TS.
I believe this can be done in Windows by unchecking the "Validate Server Certificate" setting under the Protected EAP Properties as shown below.
That said, it is recommended and also fairly easy to set up a root CA in their environment. Please mark correct if this post helps.
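The same choice, expressed for a Linux wpa_supplicant profile, as an added example that is not part of this thread or of any vendor documentation: a short audit that flags PEAP/TTLS network blocks which skip server validation (no CA anchor, no server-name match) next to a hardened block. The two network blocks are constructed samples; the keys used (ca_cert, domain_match, anonymous_identity, phase2) are wpa_supplicant's own.

```python
"""Audit wpa_supplicant network blocks for tunnelled EAP methods (PEAP/TTLS)
that do not validate the RADIUS server's certificate.
Added example, not from the thread; SAMPLE_CONF is constructed."""

# Constructed sample: the first block is the "don't validate" setup the
# question asks about, the second pins the RADIUS server's CA and name.
SAMPLE_CONF = """
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="tsmith"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-wifi-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="tsmith"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-root-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
"""

TUNNELLED = {"PEAP", "TTLS"}
NAME_CHECKS = ("domain_match", "domain_suffix_match", "altsubject_match", "subject_match")


def parse_networks(conf):
    """Return one dict per network={...} block, quotes stripped from values."""
    networks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return a list of findings for one block; an empty list means acceptable."""
    findings = []
    if not set(net.get("eap", "").split()) & TUNNELLED:
        return findings  # not a tunnelled method, server cert not involved
    # With no CA anchor the supplicant builds the TLS tunnel to whatever server
    # answers, and the MSCHAPv2 exchange inside it is exposed to that server.
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append("no ca_cert/ca_path: server certificate is not validated")
    # A trusted CA alone is not enough: also bind the profile to the server name,
    # otherwise any certificate issued by that CA is accepted.
    if not any(k in net for k in NAME_CHECKS):
        findings.append("no domain_match/domain_suffix_match: any cert from the CA is accepted")
    # The outer identity travels in cleartext before the tunnel exists.
    if "anonymous_identity" not in net:
        findings.append("no anonymous_identity: real username sent as outer identity")
    return findings


def audit_conf(conf):
    """Map each SSID in the configuration to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```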
Similar Messages
-
Macintosh OSX, 802.1x and PEAP
I'm preparing to implement 802.1x port authentication for both wired and wireless connections. The authentication server is Windows 2003 IAS. In the test environment, Windows XP clients can connect fine, but I'm not sure how to configure this for Mac OSX workstations (10.4.6). Has anyone successfully done this? If so could you please explain the procedure, or direct me to documentation that explains the process?
Assuming you're using NAC framework then it's bad news, 802.1x won't work on a Mac. If you use 802.1x and L2IP in combination then wired Macs will work but wireless Macs will not. The reason is that the Cisco CTA for the Mac communicates using EAP over UDP and this transport is not available when using 802.1x alone or over a wireless link with 802.1x or L2IP. The only way of catering for all client types at once (Windows wired and wireless, Mac wired and wireless) is L3IP.
The NAC Appliance "will" support wireless Macs in a future release but (I believe) doesn't at the moment. -
802.1x EAP-PEAP over Ethernet need help !!!
I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours troubleshooting this, I am not sure what else to do. Need help. Here is the scenario:
- Cisco Catalyst 3350 switch running IOS version c3550-ipservicesk9-mz.122-44.SE6.bin,
- Steelbelted/Juniper Radius Server version 6.1.6 on a Windows 2003 server with IP address of 129.174.2.7. This device is connected to the same switch above. Firewall is OFF on the server, allow ALL,
- Windows 2003 Enterprise Server supplicant with the latest Service Pack and patches. Again, Firewall is OFF on the server, allow ALL. Juniper has verified the configuration settings on the Supplicant machine. The supplicant has a static IP address of 129.174.2.15, same subnet as the radius server. I just want to enable EAP-PEAP so that the user is forced to authenticate before the port is activated to be "hot".
- Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap and that everything is looking fine,
I have verified that the switch can communicate fine with the radius server.
- Configuration on the switch for 802.1x:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
interface FastEthernet0/39
description windows 2003 Supplicant
switchport access vlan 401
switchport mode access
dot1x port-control auto
no spanning-tree portfast (does not matter if this is enabled or disabled)
lab-sw-1#
.May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
.May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
.May 20 07:52:47.338: EAPOL pak dump Tx
.May 20 07:52:47.338: EAPOL Version: 0x2 type: 0x0 length: 0x0005
.May 20 07:52:47.338: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
.May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
lab-sw-1#
lab-sw-1#sh dot1x interface f0/39
Dot1x Info for FastEthernet0/39
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
lab-sw-1#
I am at a complete loss here. I don't know what else to do. Someone with expertise in this realm please help me make this work.
Many thanks in advance,
#1: dot1x system-auth-control is already in the switch configuration
#2: Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
The case is being worked on by Cisco TAC. One of the issues is the windows 2003 server supplicant refuses to work. Windows XP supplicant uses machine-authentication instead of user-authentication. Cisco TAC is looking into this issue. -
802.1x with PEAP fails on Unified
We have an issue with a Fujitsu Siemens Amilo Laptop. It uses 802.1x with dynamic WEP and PEAP-MSCHAP (MS-IAS), Verisign Imported Certificate. It works fine in an Autonomous environment but fails in a Unified environment. Other laptops work fine in both environments with the same setup. Debug on the WiSM shows the EAP request identity/start message sent to the client. But there's no answer from the client; Reached Max EAP-Identity Request retries (21) for STA
Any help is welcome!
If the issue is with a certain brand of laptop, look at the wireless card firmware. What type of cards are in these laptops? What configuration has changed between the Autonomous and the LWAPP (basic settings)? What does the log show on the IAS server?
-
802.1x EAP-PEAP - Radius Question
We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
getting a Cisco ACS to run a simple RADIUS server which is all I need.
Also, when the Supplicant sends its NAI in an EAP-Response/Identity message, what exactly is this username and how does it differ from the username you provide after the secure TLS tunnel has been configured?
Hey John,
Yes, in fact it's all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
http://www.youtube.com/watch?v=YIxG4OEfwtY
The 2000 is because there is a database limit; this includes MACs, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
So yes it sounds right and you should be good.
Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
Thanks John!
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...
Hello,
I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EAP-PEAP & EAP-MSCHAPv2 authentication.
The RADIUS SERVER is M$ IAS.
Authentication is working with a laptop, but it is not with my phone
The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
Does somebody know what I should change in my phone's configuration to make it work?
Thanks,
Those who enjoy marching in rank to music:
it can only be by mistake that they were given a brain;
a spinal cord would be more than enough for them. -- Albert Einstein
Hi,
Sorry for the late answer since I was "out of the office" for a while
So here is the process to get the certificate.
Log in to your IAS Server.
Open the IAS Service Application.
Go to "Remote Access Policies".
Choose the policy that applies to "Wireless Connection".
Click "Edit Profile" button.
Choose "Authentication" Tab.
Click "EAP Methods"
Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
The Next Window will show you the Certificate Issuer Name & Expiration Date.
Then, click "Start" Button.
Choose "Run".
Type "mmc" in the "Run" box.
Click "File" & Choose "Add/Remove Snap-In".
Click "Add" Button.
Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finish.
Click "Close" & "OK" Button.
Expand the "Certificates - Current User" Entry & "Intermediate Certification Authorities" & Select "Certificates".
The right window will show you a list of certificates. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
"Right click" on the certificate, choose "All Tasks", then "Export".
In the new window, click "Next" Button.
Choose "DER Encoded Binary X.509 (.cer)" entry & click "Next" Button.
Choose a suitable location.
Click "Next" Button & "Finish" Button.
Certificate is now exported.
You have to install it on your Phone now.
The simplest way is to copy the certificate on a Web Server and access it with your phone.
Hope that helps, if you did not already succeed.
Those who enjoy marching in rank to music:
it can only be by mistake that they were given a brain;
a spinal cord would be more than enough for them. -- Albert Einstein -
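Two of the threads above hinge on what the 802.1X frames actually carry: the switch debug in the wired EAP-PEAP thread (EAPOL version 0x2, type 0x0, length 0x0005 wrapping EAP code 0x1, id 0x2, type 0x1) and the REALM\Username versus Username@REALM difference seen in the Nokia thread. As an added example that is not part of either post, the decoder below parses an EAPOL PDU and its EAP packet and normalises both identity formats; the frames are constructed from the logged values and the type numbers are the IANA EAP method registrations.

```python
"""Decode IEEE 802.1X EAPOL frames and the EAP packets they carry.
Added example, not from the threads; the frames below are constructed."""
import struct

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# EAP-Request/Identity exactly as the switch logged it:
# EAPOL v2, type 0 (EAP-Packet), length 5 | EAP code 1, id 2, length 5, type 1
REQUEST_IDENTITY = bytes.fromhex("02 00 00 05 01 02 00 05 01".replace(" ", ""))


def parse_identity(nai):
    r"""Split 'REALM\user' (Windows style) or 'user@REALM' (RFC 4282 NAI)."""
    if "\\" in nai:
        realm, user = nai.split("\\", 1)
    elif "@" in nai:
        user, realm = nai.rsplit("@", 1)
    else:
        user, realm = nai, ""
    return {"user": user, "realm": realm}


def parse_eap(pkt):
    """Parse an EAP packet: code, id, length and, for Request/Response, the type."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt):
        raise ValueError("EAP length exceeds buffer")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        out["type"] = EAP_TYPES.get(pkt[4], pkt[4])
        out["data"] = pkt[5:length]
        if pkt[4] == 1 and code == 2:  # Response/Identity carries the outer NAI
            out["identity"] = parse_identity(out["data"].decode("utf-8", "replace"))
    return out


def parse_eapol(frame):
    """Parse an EAPOL PDU and the EAP packet inside it (for type 0)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body shorter than declared length")
    out = {"eapol_version": version, "eapol_type": EAPOL_TYPES.get(ptype, ptype), "eapol_length": length}
    if ptype == 0:
        out["eap"] = parse_eap(body)
    return out


def build_response_identity(ident, nai):
    """Construct the supplicant's EAP-Response/Identity for a given outer identity."""
    data = nai.encode("utf-8")
    eap = struct.pack("!BBHB", 2, ident, 5 + len(data), 1) + data
    return struct.pack("!BBH", 2, 0, len(eap)) + eap


if __name__ == "__main__":
    print(parse_eapol(REQUEST_IDENTITY))
    for nai in ("REALM\\tsmith", "tsmith@REALM"):  # laptop vs. phone format
        print(parse_eapol(build_response_identity(2, nai))["eap"]["identity"])
```

Both identity forms decode to the same user and realm; whether the RADIUS server accepts each depends on its own realm-handling rules, which is where the phone case has to be settled.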
Cisco Systems vs "CSIRO" 802.11a and 802.11g infringed upon the '069 patent
Hi,
any news about Cisco Systems and the "CSIRO" 802.11a and 802.11g infringed upon the '069 patent ?
http://www.buffalotech.com/products/wireless/
Dear Customer
As you may be aware, Commonwealth Scientific and Industrial Research Organisation ("CSIRO") sued Buffalo, Inc. and Buffalo Technology (USA), Inc. ("Buffalo"), for alleged infringement of United States Patent No. 5,487,069 ("the '069 patent"). Subsequently, CSIRO also asserted its patent against the entire wireless LAN industry, including, Microsoft, Intel, Accton, SMC and Netgear.
In its lawsuit against Buffalo, CSIRO claimed certain Buffalo wireless networking products compliant with IEEE standards 802.11a and 802.11g infringed upon the '069 patent. Buffalo believed at that time and continues to believe that there are no grounds for CSIRO's allegations of infringement. The United States district court, however, found Buffalo to infringe the '069 patent and enjoined the importation and sale of Buffalo's IEEE 802.11a and 802.11g compliant products.
CSIRO's lawsuits are against the entire wireless LAN industry and could affect the supply of wireless LAN products by any manufacturer, not just Buffalo. The entire industry is resisting CSIRO's attempts to enjoin the sale of wireless LAN products. Recently, Microsoft, 3COM Corporation, SMC Networks, Accton Technology Corporation, Intel, Atheros Communications, Belkin International, Dell, Hewlett-Packard, Nortel Networks, Nvidia Corporation, Oracle Corporation, SAP AG, Yahoo, Nokia, and the Consumer Electronics Association filed briefs in support of Buffalo's position that injunctive relief is inappropriate in this case.
During the period of time that the injunction is in effect (10/1/2007), Buffalo cannot offer for sale, sell, import, or use its IEEE 802.11a and 802.11g compliant products in the United States. A list of the products covered by the injunction is attached here . The injunction does not prohibit sales of pre-existing inventories of products by Buffalo's customers. In addition, Buffalo has secured CSIRO's agreement to permit the replacement of defective products under warranty. None of Buffalo's other products are currently affected by this injunction.
While Buffalo believes that it will be successful in reversing the district court's decision and will obtain a stay of the injunction pending a decision on the merits, the Court of Appeals has not yet issued a decision. Should the Court of Appeals issue a decision staying the injunction, you will be promptly notified. After the stay is issued or a favorable decision on the merits is obtained, Buffalo will be able to resume the supply of IEEE 802.11a and 802.11g products
Please rest assured that Buffalo continues to stand behind their products and will continue to support all of our loyal customers as it relates to product warranties, technical support and the like without interruption.
I suspect after reading the patent and the litigation that you mentioned above, that the US District Court decision will be reversed as the patent appears to be very vague in its construction and verbiage. Furthermore, the intent to hold the IEEE hostage on the ratification of 802.11n will not bode well in the court's eyes. If in fact the case is reversed, I believe that the members of CSIRO will be in danger of lost profits litigation from Buffalo. Stay tuned to this bat channel.
-
[WLAN] Use 802.1x with PEAP without Certificates?
Hello there,
is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without checking for the server's certificate? I can't find an option to disable it
On which device? You can set the authority certificate to none or choose one from the list.
‡Thank you for hitting the Blue/Green Star button‡
N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009 -
MAB/802.1x and Alkatel IP Phones
Hi All
We have a distributed deployment where Alcatel IP Touch phones are authenticated via MAB. Alcatel IP Touch phones have 802.1x enabled by default and the phone tries EAPOL first and then the switch authenticates via MAB, which is fine. Once authenticated it's working as expected. The issue is the phone keeps on periodic retry after x amount of minutes for 802.1x again, which triggers the phone to reboot again and go through the whole process. This interrupts the voice. We could disable 802.1x but it's per phone basis. Has anyone come across this issue and found a way to disable it globally via the call manager etc., or any workaround from the ISE/switch side?
Thanks
G
Hi Tarik,
Thanks for the reply, please find below the switch port config lines. It's a 370x switch, IP Base and Universal on the 15.2-1.E1 image.
Note - Since 802.1x is enabled by default the phone initially tries 802.1x and after failing, the switch goes to the next auth method which is MAB, which is successful. The issue is the phone again initiates an 802.1x packet after some time and the whole process starts again, and because 802.1x has failed the phone reboots again. I think this is the way this type of phone works and we cannot do much unless we disable 802.1x or install the Alcatel CA certs in the ISE cert store?
Interface gi x/y
switchport access vlan xx
switchport mode access
switchport voice vlan yy
ip access-group ACL_ALLOW in
authentication event fail action next-method
authentication event server dead action reinitialize vlan xx
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast -
Potential Security Hole with 802.1x and Voice VLANs?
I have been looking at 802.1x and Voice VLANs and I can see what I think is a bit of a security hole.
If a user has no authentication details to gain access via 802.1x - i.e. they have not been given a User ID or the PC doesn't have a certificate etc. If they attach a PC to a switchport that is configured with a Voice VLAN (or disconnect an IP Phone and plug the PC direct into the switchport) they can easily see via packet sniffing the CDP packets that will contain the Voice VLAN ID. They can then easily create a Tagged Virtual NIC (via the NIC utilities or driver etc) with the Voice VLAN 802.1q Tag. Assuming DHCP is enabled for the Voice VLAN they will get assigned an IP address and have access to the IP network. I appreciate the VLAN can be locked down at the Layer-3 level with ACLs so any 'non-voice related' traffic is blocked, but in this scenario the user has successfully bypassed 802.1x authentication and gained access to the network?
Has anyone done any research into this potential security hole?
Thanks
Andy
Thanks for the reply. To be honest we would normally deploy some or all of the measures you list but these don't get around the issue of being able to easily bypass having to authenticate via 802.1x.
As I said I think this is a hole but don't see any solutions at the moment except 802.1x on the IP Phone, although at the moment you can't do this with Voice VLANs?
Andy -
MAB, 802.1x and ACS 4.2
Hi all,
Currently I'm using an ACS 4.2 as radius server, some 2960-S switches on IOS 12.2(55)SE5, Alcatel IP Touch 4018 IP phones, and I would like to assign a dynamic VLAN to some specific users/laptops daisy-chained to an IP phone.
Logic connection is: users laptop---->ipphone---->switch---->radius
What i need is:
if I connect MY laptop to the ipphone port, i receive a specific vlan ( vlan 58 )
if SOMEONE else ( i.e. a consultant ) connect his laptop to the SAME ipphone port (if available) he has to receive a different vlan ( vlan 1).
I've been able to reach the goal using MACRO but it took too much time to authenticate (approx 1 min) so I gave up and tried a different, faster way (802.1x and MAB).
i've been able to authenticate the ip-phone using 802.1x auth and to receive the correct vlan when i connect MY laptop (MAB auth) but i was not able to provide the VLAN 1 to the Consultant when he connect his laptop even if the "authentication event fail action authorize vlan 1" is configured.
I used the dot1x auth-fail vlan because i'm not able to use MAB or 802.1x auth on external laptop. I also tried with guest vlan with no luck.
In both cases the "consultant" remains in "auth failed".
Here my current configuration
dot1x system-auth-control
dot1x guest-vlan supplicant
identity profile default
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 30
authentication host-mode multi-auth
authentication event fail action authorize vlan 1
authentication order mab dot1x
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 2
dot1x max-reauth-req 1
storm-control broadcast level 2.00
storm-control multicast level 2.00
spanning-tree portfast
On ACS side i have 2 groups
first Group authenticate the iphone and supply the voice vlan ( vlan 30)
Second Group authenticate using MAB and supply the vlan 58
is there a different way to accomplish this task?
Thank you in advance
hi,
any ideas?
thx -
Is it possible to enable dot1x and voice on the same interface? If so which switches and IOS support this feature ?
Any references to documents ?
Commands that cannot be configured together :-
switch voice vlan xxx
dot1x port-control auto
It is possible to enable 802.1X and voice on the same port. If the phone does CDP, it is allowed through, regardless of the 802.1X state of the port with this config. Here are the switches that support this, with the minimum required releases:
CatOS (6500) - 7.6(1)
IOS (4500) - 12.1(20)EWA
IOS (3750) - 12.2(25)SEA
IOS (3560) - 12.2(25)SEA
IOS (3550) - 12.1(12c)EA1
IOS (2960) - 12.2(25)FX
IOS (2950) - 12.1(12c)EA1
IOS (2940) - 12.1(13)AY
Hope this helps, -
802.1X and CAT Express 500
Hi guys,
I want to know if the Cat Express 500 supports dynamic VLAN assignment through 802.1X.
Hi,
You can do the VLAN assignment using 802.1x on the CE500. The configuration for 802.1X and the RADIUS authentication server can be done with the help of Cisco Network Assistant (CNA). In the menu Network Security Settings you have to put the
security level on high. There is the possibility to configure the IP address of the RADIUS server and the RADIUS key.
In case you don't have the CNA, you can download it for free from:
http://www.cisco.com/cgi-bin/tablebuild.pl/NetworkAssistant
HTH, Please rate if it does.
-amit singh -
I had read articles on CCO, and I believed for the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone's data port will get authenticated.
I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, with the phone connected to a switch port configured with 802.1x. But I failed to add the voice VLAN command. Why?
interface GigabitEthernet9/48
description temporary port
switchport
switchport access vlan 12
switchport mode access
no ip address
dot1x port-control auto
spanning-tree portfast
CIG01-ENT-SW1(config-if)#switchport voice vlan 14
Command rejected: Gi9/48 is Dot1x enabled port.
Using IEEE 802.1x Authentication with Voice VLAN Ports
A voice VLAN port is a special access port associated with two VLAN identifiers:
- VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
- PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
What kind of switch do you have? In 3550 I can configure the port for both VVID and PVID:
interface FastEthernet0/1
switchport access vlan 3
switchport mode access
switchport voice vlan 2
no ip address
dot1x port-control auto
spanning-tree portfast
end
Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authenticated:
under the interface configure "dot1x host-mode multi-host"
Never mind, I just realized that you might have a 6500 running native; checking the configuration guide and release notes it does not look like dot1x and voice VLAN can play together on that platform. -
EAP Authentication Configuration for EAP-FAST and PEAP
Hi Everyone,
I pretty much got EAP working, however using LEAP
When I get to EAP-FAST and PEAP, I just can't seem to get it to work
What am I missing, I do know that EAP-FAST and PEAP involve certificates. However, how do i set them up on the client side?
Hope you guys can help me on this, stuck on this part xD
EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation.
EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how its deployed.
Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACS only.
The cert that you install on the radius server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the radius server who has the private key who can decode the hash and pass the user ID and password back to AD for example.
Hope this helps ..