802.1x authentication for LAN base hosts

Similar Messages

• SCCM 2012 - 802.1x authentication for zero touch installation

  Hi guys,
  I'm setting up a demo environment for sccm 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need a 802.1x integration into the WinPE image, that clients can access
  the install vlan instead of the guest vlan during the zero touch Windows 7 OS install process.
  What I did before:
   - mount the SCCM modified WinPE image (boot.XXX99999.wim)
   - integration of the KB972831 hotfix into the WinPE
   - creation of a lan profile and eap profile file
   - copy both files into the mounted image
   - creation of new wim file
  I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
    net start dot3svc
    => The Wired AutoConfig service was started successfully
    netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
    => The profile was added successfully on the interface Local Area connection
   netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
    => Error setting user data for interface Local Area Connection. The operation is not supported.
  Actually I can't post web links here. If the files are needed I can send them per mail.
  What can I do to solve this problem?
  Thanks!
  Regards
  Bastian

  Hi!
  Did you gave a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
  I've followed those steps and it worked as a charm, even for WinPE 4.0.
  If you have questions let me know.
  Cheers.

• 802.1x Authentication for University Network Fails After 10.5.5 Update

  Hi everyone, I hope that someone might be able to help me with my problem. I used to connect to the internet through my university's network at my dorm using the ethernet connection. Even before when I was using 10.5.4 I had to do the 802.1x authentication manually after every boot.
  Now that I updated to 10.5.5 everytime I try to connect it tells me "802.1x Authentication has failed", does anyone have similar problems, solutions??? This is everything the IT department's homepage has to offer: http://www.unibz.it/ict/8021x_mac1/index.html?LanguageID=EN&
  Thanks a lot!
  Btw, it seems the update somehow messed up Timemachine as well, but that doesn't bother me as much as the internet connection.

  Hi,
  You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
  They should be able to provide you with a file for the CA and instructions.
  cheers

• 802.1x authentication for win XP2 client

  HI,
  I am using Aironet 1200 AP, ACS 3.3 with 802.1x authentication, when I am enabling win XP utility insted of Cisco ACU it's wait for certificate credentials.
  I installed CA authority in windows 2000 server. But i am unable to accessing wireless network with 802.1x authentications
  Please help on this required configuration of CA role in server side and Client side.

  Hi,
  You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
  They should be able to provide you with a file for the CA and instructions.
  cheers

• Cisco ISE 1.3 using 802.1x Authentication for wireless clients

  Hi,
  I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
  I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
  MACHINE AUTHENTICATION
  match
  framed
  Wireless
  AD group (machine)
  USER AUTHENTICATION
  match
  framed
  Wireless
  AD group (USER)
  was authenticated = true
  Below are steps taken to authenticate any ideas would be great.
  11001  Received RADIUS Access-Request  
    11017  RADIUS created a new session  
    15049  Evaluating Policy Group  
    15008  Evaluating Service Selection Policy  
    15048  Queried PIP  
    15048  Queried PIP  
    15048  Queried PIP  
    15006  Matched Default Rule  
    11507  Extracted EAP-Response/Identity  
    12300  Prepared EAP-Request proposing PEAP with challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated  
    12318  Successfully negotiated PEAP version 0  
    12800  Extracted first TLS record; TLS handshake started  
    12805  Extracted TLS ClientHello message  
    12806  Prepared TLS ServerHello message  
    12807  Prepared TLS Certificate message  
    12810  Prepared TLS ServerDone message  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12318  Successfully negotiated PEAP version 0  
    12812  Extracted TLS ClientKeyExchange message  
    12804  Extracted TLS Finished message  
    12801  Prepared TLS ChangeCipherSpec message  
    12802  Prepared TLS Finished message  
    12816  TLS handshake succeeded  
    12310  PEAP full handshake finished successfully  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12313  PEAP inner method started  
    11521  Prepared EAP-Request/Identity for inner EAP method  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    11522  Extracted EAP-Response/Identity for inner EAP method  
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated  
    15041  Evaluating Identity Policy  
    15006  Matched Default Rule  
    22072  Selected identity source sequence  
    15013  Selected Identity Source - AD1  
    24430  Authenticating user against Active Directory  
    24325  Resolving identity  
    24313  Search for matching accounts at join point  
    24315  Single matching account found in domain  
    24323  Identity resolution detected single matching account  
    24343  RPC Logon request succeeded  
    24402  User authentication against Active Directory succeeded  
    22037  Authentication Passed  
    11824  EAP-MSCHAP authentication attempt passed  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response  
    11814  Inner EAP-MSCHAP authentication succeeded  
    11519  Prepared EAP-Success for inner EAP method  
    12314  PEAP inner method finished successfully  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    24423  ISE has not been able to confirm previous successful machine authentication  
    15036  Evaluating Authorization Policy  
    15048  Queried PIP  
    15048  Queried PIP  
    24432  Looking up user in Active Directory - xxx\zzz Support  
    24355  LDAP fetch succeeded  
    24416  User's Groups retrieval from Active Directory succeeded  
    15048  Queried PIP  
    15048  Queried PIP  
    15004  Matched rule - Default  
    15016  Selected Authorization Profile - DenyAccess  
    15039  Rejected per authorization profile  
    12306  PEAP authentication succeeded  
    11503  Prepared EAP-Success  
    11003  Returned RADIUS Access-Reject  
    5434  Endpoint conducted several failed authentications of the same scenario  

   24423  ISE has not been able to confirm previous successful machine authentication  
  Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
  first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
  log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

• Free RADIUS/802.1X Service for WPA/WPA2-Enterprise

  Hi, just wanted to let everyone know that I recently started offering a Free Edition of our AuthenticateMyWiFi service, a hosted RADIUS/AAA service offering 802.1X authentication for use with WPA/WPA2-Enterprise encryption.
  The Free Edition features 1 user account, supports 1 AP, and includes: PEAP authentication for wireless and wired connections, web-based control panel, and activity logging.
  This is great for IT professionals wanting to experiment with 802.1X or to get enterprise Wi-Fi security in homes and small offices.
  For more info visit our site:
  http://www.nowiressecurity.com/service.htm
  - Eric Geier

  I recommend contacting Linksys support on the phone and ask them which model router has Radius or Enterprise WPA features. Some home class routers may not have this. Ask and see what is available. 

• Cisco IP Phone 802.1x authentication with NPS

  Hi All,
  I would like to configure 802.1x authentication on both my Cisco ip phones and windows clients using NPS. So far i have tested the clients and it works however I am not finding any information on if NPS supports 802.1x on ip phones. Has anyone done a similar
  deployment using NPS. So far I am only seeing cisco ACS server being used as the policy server.

  Hi,
  Based on my research, it seems that you may enounter issues related to username(Basically Mircosoft only allows a 20 character user name, while the user name of the phone exceeds the 20 character limit and causes it to fail.) and certificate schema when
  configuring 802.1x authentication for Cisco IP phones.
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• 802.1X authentication process in Active Directory joined computer.

  Hi,
  I'm not really sure my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of multiple times auth as described below:
  1. When Windows start up,
  2. it will authenticate to the 802.1x network using computer account.
  3. When user entering AD credential and pressing login, it will disconnect the current 802.1x connection. Re-auth to the network through AD user account.
  4. once 3 is done, the AD credential will be used to auth to AD again to login.
  Why do we need 3 times of authentication? Why do we need steps 3?
  Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
  Thank you!
  Ah_Chao|| MCSE,VCP,EMCSAe

  Hi,
  According to your description, my understanding is that you want to know the reason why 802.1x has 3 times authentication.
  It is depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is
  With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user
  logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context
  (computer credentials when no user is logged on and user credentials when a user is logged on).
  Detailed description you may reference:
  https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
  And more information about 802.1x, you may reference:
  Understanding 802.1X authentication for wireless networks
  https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
  IEEE 802.1X Wired Authentication
  https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
  Creating a secure 802.1x wireless infrastructure using Microsoft Windows
  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• 802.1x Authentication with Windows and MAC

  Hello Team;
                I have one SSID configured with 802.1x . The clients with Mac machines can directly join to the network by just entering the AD usrename and password. For the windows machines we need to do some configuration in the clients machines to work with the SSID.
  Could you please clarify ? Whether the windows machines will just work like the Mac or the preconfiguration is mandatory to work windows with 802.1x.

  Hello Sreejith,
  As per your query i can suggest you the following steps-
  No, the preconfiguration is not mandatory to work windows with 802.1x.To enable 802.1x authntication on wireless follow the steps-
  1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
  2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
  3.Click the Security tab, and then, in the Security Type list, click 802.1X.
  4.In the Encryption Type list, click the encryption type you want to use.
  On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
  5.In the Choose a network authentication method list, click the method you want to use.
  To configure additional settings, click Settings.
  Hope this will help you.

• 802.1x authentication manager ..!

  Dear Team ,
  I have miss understanding on dot1x authentication manager so, if someone can help me to understand those scenarios :-
  •1- If I have port configured to authenticate through dot1x first and failover to MAB if dot1x is not successfully. I have phone & PC behind it connected to port so, logically first dot1x should start to send EAPOL request and wait for 90 second if the phone doesn’t response to this request the port will wait some time and failover to MAB. Is it possible to get response first from the PC or its mandatory to get response first from the phone? I mean does the port block all data traffic first until the Voice traffic authenticated ? if yes so, if the phone does not authenticated at all whats happened to Data traffic ? suppose the phone send his mac-address to the port and start to run over MAB authentication process if it successful the port will change to authorization state. if it is not. the MAB authentication failed does the authentication manager process start from the beginning to run 802.1x process again.? Or will assign the Voice traffic on restricted vlan ?
  •2- If I have vice versa scenario by run MAB authentication process first and failover to 802.1x process if the authentication fails. So, the phone authenticated successfully first. does the port send MAB request to the PC which is behind the Phone or directly send EAPOL to the PC ?? if the PC doesn’t authenticated or the time was expired before sending the identity does the port start the authentication process from the beginning by sending MAB request to the PC or it should stuck with 802.1x authentication process ?. does the port assign the data traffic on restricted, gust vlan ? if I didn’t configured any gust or restricted vlan so, what will happen?
  •3- On both way if the port receive EAP response back does it stuck on 802.1x authentication for the Data traffic when the PC response back and never failover to MAB?

  hi gents, one more thing,
  - if I enable dot1x on the port without configure guest & restriction vlan so, what will happend when the authentication faild.?
  the port should be assigned to unauthorized state but to which vlan should be assigned ?
  - if I enable reauthentication feature without faild-authentication vlan. what will happend when the reuthentication timout finish and the authentication process start again with faild authentication from the client. the port should shift to unauthorized state but which vlan should be assigned ? and does the popup authentication appear again on the client machine or the authenticator will used the same cached authenticated credintial since the port doesn't recevie any EAP logoff or link down? does the reauthentication feature work with MAB or just only with dot1x authentication protocols ?
  - whats the diff between authentication order & authentication priority ?
  thanks

• How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2

  How can i deploy macbooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2. The Cert is generated by a 2008 Windows CA authority. I am trying to get to join but the MAC doesnt seem to want to accecpt the cert. Can i not validate the cert and still have it join the 802.1x wireless netqwotk? The wireless netwotk is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

  Hi Tarik,
  Thanks for your answers,
  I've attached my configured AuthZ rules and AuthZ profile for provisioning,
  I want the process to be the same for iPhone, Android and Windows.
  1) Connect to the SSID
  2) Login using your AD credentials PEAP-MS-CHAP-v2
  3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
  4) As soon as the client click "register" no more redirects and PERMIT-ALL
  I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
  1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
  2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
  3) everything else = DENY-ALL
  But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access(See attachment photo3.png) but as I said on the post it shows that cannot retrieve the MAC-Address so the client can't register his device and don't have access to the network. (To grant access I've configured provisioning policies, that way the clients can register their devices but they are redirected to google play or are forced to install the profile at iOS and this is what I don't want because it is not necessary)
  What screenshoot do you need after the registration? the Auth report?
  Thank you very much for your time!

• 802.1x Authentication on Wired and Wireless LAN

  I have successfully configured 802.1x authentication on wired and wireless Lan. We have Cisco Switches, ACS SE and Windows AD.
  But i have one issue regarding the Single Sign on while authentication using the 802.1x with Windows Active directory the users that are login first time not able to logon but the users that have their profiles already existed in their PC then there is no issue and they successfully authenticated and login easily.
  Is there any way of login successfully for the users first time using 802.1x authentication with Windows AD like a Single Sign On?

  We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
  At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
  Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
  Hope that someone else has any clue?

• Ldap authentication not working for Solaris 8 host - Help!

  Greetings folks,
  I just recently migrated a host to use LDAP authentication. The only difference between this host and the rest of the hosts in the environment that I've converted to use LDAP is that this one is running Solaris 8.
  Here's the steps I took to migrate it (though, I used the same steps for another Sol8 host in another environment and it works fine):
  ldapclient -P stg -d mydomain.com -D cn=proxyagent,ou=profile,dc=mydomain,dc=com -w secret 192.168.1.69
  My /etc/nsswitch.conf looks like this:
  passwd: files ldap
  group: files ldap
  My /etc/pam.conf looks like this:
  login auth requisite pam_authtok_get.so.1
  login auth required pam_dhkeys.so.1
  login auth sufficient pam_unix_auth.so.1
  login auth required pam_ldap.so.1
  sshd auth requisite pam_authtok_get.so.1
  sshd auth sufficient pam_unix_auth.so.1
  sshd auth required pam_ldap.so.1
  other auth requisite pam_authtok_get.so.1
  other auth required pam_dhkeys.so.1
  other auth sufficient pam_unix_auth.so.1
  other auth required pam_ldap.so.1
  passwd auth sufficient pam_passwd_auth.so.1
  passwd auth required pam_ldap.so.1
  I've also cleared out the local user accounts for my human users, so there aren't any more passwd or shadow entries (yes, I ran pwconv). I also cleaned out the /etc/group entries for the same users. The machine appears to be configured properly, because I can run various DS commands that indicate this:
  hostname# getent passwd user1
  user1::1001:1001:User 1:/opt/home/user1:/bin/bash
  hostname# ldaplist -l passwd user1
  dn: uid=user1,ou=people,dc=mydomain,dc=com
  shadowFlag: 0
  userPassword: {crypt}(removed)
  uid: user1
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: account
  objectClass: top
  cn: user1
  uidNumber: 1001
  gidNumber: 1001
  gecos: User 1
  homeDirectory: /opt/home/user1
  loginShell: /bin/bash
  However, in the end, actual logins to this host fail via ssh. Snooping the traffic reveals that all the right info is being handed back to the client, including the crypt'ed password hash, uid, etc. just like I see with other hosts that work.
  Any ideas?
  Thanks!
  Patrick

  I assume you have applied lastest kernel patch and 108993 to this Solaris8 machine, and its nss_ldap.so.1 and pam_ldap.so.1 are the same as the other Solaris8 LDAP clients that are working for ssh via LDAP auth.
  1) Please replace "objectClass: account" with "objectClass: person", I know SUN ONE DS5.2 likes "person".
  2) Did you test and verify telnet/ftp/su working? but SSH not working?
  3) If telnet/ftp/su all worked, and SSH (SUN-SSH or OpenSSH), make sure you have "UsePAM yes" in sshd_config and restart sshd.
  4) It is not a must I think but normally I will add "shadow: files ldap" to /etc/nsswitch.conf, restart nscd after that.
  5) Whenever ldapclient command is run and ldap_cachemgr is restarted, I usually also restart nscd and sshd after that, if not testing result may not be accurate as nscd is still remembering OLD stuffs cached which could be very misleading.
  6) You may use "ssh -v userid@localhost" to watch the SSH communications, on top of your usual "snoop"ing of network packets.
  7) Use the sample pam.conf that is meant for pam_ldap from Solaris 10 system admin guide with all the pam_unix_cred.so.1 lines commented out. This works for me, there is no sshd defintions as it will follow "other".
  http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
  Gary

• Why Unable to identify a user for 802.1X authentication (0x50001)?

  Hello, 
    We are trying to set up wifi single-sign-on. When logging to a laptop get a message
  "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users" and after that we are logged in to a laptop and successfully connected to Pivot_Users wifi network.
  Server: windows server 2003 (with all updates)
  laptop: windows 7 professional SP1 (with all updates)
  When looking to event log i found this error:
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          2012-10-10 10:38:01
  Event ID:      5632
  Task Category: Other Logon/Logoff Events
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      sba01-nb
  Description:
  A request was made to authenticate to a wireless network.
  Subject:
  Security ID:                
  Account Name:                -
  Account Domain:                -
  Logon ID:                0x0
  Network Information:
  Name (SSID):                Pivot_Users
  Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
  Local MAC Address:        C4:85:08:12:77:44
  Peer MAC Address:        00:24:97:83:8E:61
  Additional Information:
  Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
  Error Code:                0x525
  EAP Reason Code:        0x0
  EAP Root Cause String:        
  EAP Error Code:                0x0
  Event Xml:
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>5632</EventID>
      <Version>1</Version>
      <Level>0</Level>
      <Task>12551</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
      <EventRecordID>37791</EventRecordID>
      <Correlation />
      <Execution ProcessID="760" ThreadID="2224" />
      <Channel>Security</Channel>
      <Computer>sba01-nb</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SSID">Pivot_Users</Data>
      <Data Name="Identity">
      </Data>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="SubjectDomainName">-</Data>
      <Data Name="SubjectLogonId">0x0</Data>
      <Data Name="PeerMac">00:24:97:83:8E:61</Data>
      <Data Name="LocalMac">C4:85:08:12:77:44</Data>
      <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
      <Data Name="ReasonCode">0x50001</Data>
      <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
      <Data Name="ErrorCode">0x525</Data>
      <Data Name="EAPReasonCode">0x0</Data>
      <Data Name="EapRootCauseString">
      </Data>
      <Data Name="EAPErrorCode">0x0</Data>
    </EventData>
  </Event>
  Thank you for answer and help.
  Regards, 
    Tadas

  Hi,
  Thanks for your post.
  Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
  Here is the process that is followed.
  1. As soon as client is connected to the network the Authenticator (switch) periodically sends EAP request packet/frame to the client/supplicant.
  2. The client has to respond back with an identify and if its configured only for User authentication then it will send blank identity.
  3. The Authenticator cannot validate and the authentication would fail.
  4. Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC card will go in block time for 20 min until there is a change in credentials. So, even if the authenticatior(swithch) is periodically sending EAP request
  it will just ignore them
  5. You will see event 15506 after the event 15514.
  Here’s the technet that you we can refer for the reason code : Reason: 0x50001 that we see in the event 15514
  http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
  0x50001 = Dec 327681
  Reason code:  327681   Event log message:  The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.]   # def name: 
  ONEX_UNABLE_TO_IDENTIFY_USER
  Best Regards,
  Aiden
  Aiden Cao
  TechNet Community Support

• 802.1x authentication with ACS 4.1 for MAC OSX

  Hi,
  I simply wanted to know if it's possible to have 802.1x authentication with MAC OSx on ACS Plateform 4.1?
  If yes, what pre-required on ACS and MAC OSx? Methods of authentification which are recommended ?
  I'm sorry, but i don't find documents which show validated test on 802.1x implementation method on ACS 4.1 with MAC OSx supplicant.
  Thanks in advance
  Best regards
  Thanks

  Yes, Refer to the below DOC
  http://support.apple.com/kb/HT2717
  Port settings and ACS configuration remain the same as you do it for windows based clients