802.1x authentication for win XP2 client

Similar Messages

• Certificate authentication for Cisco VPN client

  I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
  I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
  Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.                    

  Dear Doug ,
            What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
  With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
  1)  What is the AnyConnect Essentials License?
  The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers"  platform limit with AnyConnect.  Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device.  With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
  You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          : Disabled 
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Licensed features for this platform:
  Maximum Physical Interfaces    : Unlimited
  Maximum VLANs                  : 150      
  Inside Hosts                   : Unlimited
  Failover                       : Active/Active
  VPN-DES                        : Enabled  
  VPN-3DES-AES                   : Enabled  
  Security Contexts              : 2        
  GTP/GPRS                       : Disabled 
  SSL VPN Peers                  : 2        
  Total VPN Peers                : 750      
  Shared License                 : Disabled
  AnyConnect for Mobile          : Disabled 
  AnyConnect for Cisco VPN Phone : Disabled 
  AnyConnect Essentials          :  Enabled
  Advanced Endpoint Assessment   : Disabled 
  UC Phone Proxy Sessions        : 2        
  Total UC Proxy Sessions        : 2        
  Botnet Traffic Filter          : Disabled
  Any connect VPN Configuration .
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml

• SCCM 2012 - 802.1x authentication for zero touch installation

  Hi guys,
  I'm setting up a demo environment for sccm 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need a 802.1x integration into the WinPE image, that clients can access
  the install vlan instead of the guest vlan during the zero touch Windows 7 OS install process.
  What I did before:
   - mount the SCCM modified WinPE image (boot.XXX99999.wim)
   - integration of the KB972831 hotfix into the WinPE
   - creation of a lan profile and eap profile file
   - copy both files into the mounted image
   - creation of new wim file
  I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
    net start dot3svc
    => The Wired AutoConfig service was started successfully
    netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
    => The profile was added successfully on the interface Local Area connection
   netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
    => Error setting user data for interface Local Area Connection. The operation is not supported.
  Actually I can't post web links here. If the files are needed I can send them per mail.
  What can I do to solve this problem?
  Thanks!
  Regards
  Bastian

  Hi!
  Did you gave a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
  I've followed those steps and it worked as a charm, even for WinPE 4.0.
  If you have questions let me know.
  Cheers.

• 802.1x Authentication for University Network Fails After 10.5.5 Update

  Hi everyone, I hope that someone might be able to help me with my problem. I used to connect to the internet through my university's network at my dorm using the ethernet connection. Even before when I was using 10.5.4 I had to do the 802.1x authentication manually after every boot.
  Now that I updated to 10.5.5 everytime I try to connect it tells me "802.1x Authentication has failed", does anyone have similar problems, solutions??? This is everything the IT department's homepage has to offer: http://www.unibz.it/ict/8021x_mac1/index.html?LanguageID=EN&
  Thanks a lot!
  Btw, it seems the update somehow messed up Timemachine as well, but that doesn't bother me as much as the internet connection.

  Hi,
  You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
  They should be able to provide you with a file for the CA and instructions.
  cheers

• Help with configuring AP-1240AG as local authenticator for EAP-FAST client

  Hi,
  I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
  dot11 lab_test
     authentication open eap eap_methods
     authentication network-eap eap_methods
     guest-mode
     infrastructure-ssid
  radius-server local
    eapfast authority id 0102030405060708090A0B0C0D0E0F10
    eapfast authority info lab
    eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
    user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
  Here is the Windows XP client configuration:
  Authentication: Open
  Encrpytion WEP
  Disable Cisco ccxV4 improvements
  username: georges
  password: georges
  Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
  *Mar  4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
  *Mar  4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
  *Mar  4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
  *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: ssid              [263] 19
  *Mar  4 01:16:56.701: RADIUS:    [lab_test]
  *Mar  4 01:16:56.701: RADIUS:   65                                               [e]
  *Mar  4 01:16:56.701: RADIUS:  AAA Unsupported Attr: interface         [156] 4
  *Mar  4 01:16:56.701: RADIUS:   38 32                                            [82]
  *Mar  4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
  *Mar  4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
  *Mar  4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
  *Mar  4 01:16:56.702: RADIUS(00001F5C): sending
  *Mar  4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
  *Mar  4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
  It seems that the radius packet that the AP receive is not what is expected. Do not know if the problem is with the client or with the AP configuration. Try many things but running out of ideas. Any suggestions would be welcome
  Thanks

  Hi Stephen,
  I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
  Thanks for your help
  Stephane
  Here is the complete configuration:
  version 12.3
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Lab
  ip subnet-zero
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 lab_test
     authentication open eap eap_methods
     authentication network-eap eap_methods
     guest-mode
     infrastructure-ssid
  power inline negotiation prestandard source
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  ssid lab_test
  traffic-metrics aggregate-report
  speed basic-54.0
  no power client local
  channel 2462
  station-role root
  antenna receive right
  antenna transmit right
  no dot11 extension aironet
  bridge-group 1
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  shutdown
  dfs band 3 block
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
  channel dfs
  station-role root
  no dot11 extension aironet
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  hold-queue 160 in
  interface BVI1
  ip address 10.5.104.22 255.255.255.0
  ip default-gateway 10.5.104.254
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  ip radius source-interface BVI1
  radius-server local
    eapfast authority id 000102030405060708090A0B0C0D0E0F
    eapfast authority info LAB
    eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
    user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
  control-plane
  bridge 1 route ip
  line con 0
  line vty 0 4
  end

• Cisco ISE 1.3 using 802.1x Authentication for wireless clients

  Hi,
  I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
  I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
  MACHINE AUTHENTICATION
  match
  framed
  Wireless
  AD group (machine)
  USER AUTHENTICATION
  match
  framed
  Wireless
  AD group (USER)
  was authenticated = true
  Below are steps taken to authenticate any ideas would be great.
  11001  Received RADIUS Access-Request  
    11017  RADIUS created a new session  
    15049  Evaluating Policy Group  
    15008  Evaluating Service Selection Policy  
    15048  Queried PIP  
    15048  Queried PIP  
    15048  Queried PIP  
    15006  Matched Default Rule  
    11507  Extracted EAP-Response/Identity  
    12300  Prepared EAP-Request proposing PEAP with challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated  
    12318  Successfully negotiated PEAP version 0  
    12800  Extracted first TLS record; TLS handshake started  
    12805  Extracted TLS ClientHello message  
    12806  Prepared TLS ServerHello message  
    12807  Prepared TLS Certificate message  
    12810  Prepared TLS ServerDone message  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12318  Successfully negotiated PEAP version 0  
    12812  Extracted TLS ClientKeyExchange message  
    12804  Extracted TLS Finished message  
    12801  Prepared TLS ChangeCipherSpec message  
    12802  Prepared TLS Finished message  
    12816  TLS handshake succeeded  
    12310  PEAP full handshake finished successfully  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    12313  PEAP inner method started  
    11521  Prepared EAP-Request/Identity for inner EAP method  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    11522  Extracted EAP-Response/Identity for inner EAP method  
    11806  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    11808  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated  
    15041  Evaluating Identity Policy  
    15006  Matched Default Rule  
    22072  Selected identity source sequence  
    15013  Selected Identity Source - AD1  
    24430  Authenticating user against Active Directory  
    24325  Resolving identity  
    24313  Search for matching accounts at join point  
    24315  Single matching account found in domain  
    24323  Identity resolution detected single matching account  
    24343  RPC Logon request succeeded  
    24402  User authentication against Active Directory succeeded  
    22037  Authentication Passed  
    11824  EAP-MSCHAP authentication attempt passed  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response  
    11814  Inner EAP-MSCHAP authentication succeeded  
    11519  Prepared EAP-Success for inner EAP method  
    12314  PEAP inner method finished successfully  
    12305  Prepared EAP-Request with another PEAP challenge  
    11006  Returned RADIUS Access-Challenge  
    11001  Received RADIUS Access-Request  
    11018  RADIUS is re-using an existing session  
    12304  Extracted EAP-Response containing PEAP challenge-response  
    24423  ISE has not been able to confirm previous successful machine authentication  
    15036  Evaluating Authorization Policy  
    15048  Queried PIP  
    15048  Queried PIP  
    24432  Looking up user in Active Directory - xxx\zzz Support  
    24355  LDAP fetch succeeded  
    24416  User's Groups retrieval from Active Directory succeeded  
    15048  Queried PIP  
    15048  Queried PIP  
    15004  Matched rule - Default  
    15016  Selected Authorization Profile - DenyAccess  
    15039  Rejected per authorization profile  
    12306  PEAP authentication succeeded  
    11503  Prepared EAP-Success  
    11003  Returned RADIUS Access-Reject  
    5434  Endpoint conducted several failed authentications of the same scenario  

   24423  ISE has not been able to confirm previous successful machine authentication  
  Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
  first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
  log off and on  or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. 

• Configure Network Level Authentication for Remote Desktop client

  We publish Remote Desktop in our Windows 2008 R2 terminal server.
  However, in Windows 2008R2 , the remote desktop client will a lillte bit slow
  I found out that if I modify the setting in default.rdp
  authentication level:i:0
  enablecredsspsupport:i:0
  it will increase the speed a lot
  however, how can I set all user use remote desktop will disable those feature as well?
  Thanks

  Hi Kenneth, 
  I suggest you to see similar thread "disable
  Network Level Authentication Terminal Server 2008"
  If above thread does not helps, seek help from RDS/TS experts in here.
  Or wait until any of our moderator move this post to respective forum.
  Thank you for understanding.
  Regards, Ravikumar P

• Windows 7 Professional Pack configuration on SBS 2011 Essentials for Win 7 client after recovering a faulty system drive

  I had a system drive fail on a PC the other day (Seagate Barracudas seem to do this!) and have replaced it with an SSD. Sadly its capacity is less than the original system partition on the failed drive so a bare metal restore does not work.  I have
  therefore reinstalled Windows 7 Pro and configured the PC with the same name.
  In the dashboard of the server Windows 7 Pro Pack is implemented, but it is not functioning on the client. I have re-configured it but still no joy. I cannot see a way to disable W7PP for the client without removing the Add-in and assume this is a problem
  relating to using the same name for the computer.  Should I remove the Add-in and reinstall or is there an alternative?
  TIA
  Andrew

  Here it is. I have replaced the user, client, domain and server names.
  Thanks for your help. I am tempted to just remove the client from the domain, change the PC name and rejoin.
  Microsoft Windows [Version 6.1.7601]
  Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
  ===================================
  RSOP data for [DomainName]\xxxxxxxxxxxx on [PCName] : Logging Mode
  OS Configuration:            Member Workstation
  OS Version:                  6.1.7601
  Site Name:                   Default-First-Site-Name
  Roaming Profile:             N/A
  Local Profile:               C:\Users\xxxxxxxxxxxx
  Connected over a slow link?: No
  COMPUTER SETTINGS
      CN=[PCName],CN=Computers,DC=[DomainName],DC=local
      Last time Group Policy was applied: 22/01/2015 at 09:39:11
      Group Policy was applied from:      [ServerName].[DomainName].local
      Group Policy slow link threshold:   500 kbps
      Domain Name:                        [DomainName]
      Domain Type:                        Windows 2000
      Applied Group Policy Objects
          Default Domain Policy
          W7PVP Security Templates
      The following GPOs were not applied because they were filtered out
          W7PVP Folder Redirection
              Filtering:  Disabled (GPO)
          Local Group Policy
              Filtering:  Not Applied (Empty)
          W7PVP Folder Redirection
              Filtering:  Disabled (GPO)
      The computer is a part of the following security groups
          BUILTIN\Administrators
          Everyone
          BUILTIN\Users
          NT AUTHORITY\NETWORK
          NT AUTHORITY\Authenticated Users
          This Organization
          [PCName]$
          Domain Computers
          System Mandatory Level
  USER SETTINGS
      CN=xxxxxxxxxxxx,CN=Users,DC=[DomainName],DC=local
      Last time Group Policy was applied: 22/01/2015 at 09:39:27
      Group Policy was applied from:      [ServerName].[DomainName].local
      Group Policy slow link threshold:   500 kbps
      Domain Name:                        [DomainName]
      Domain Type:                        Windows 2000
      Applied Group Policy Objects
          W7PVP Folder Redirection
          W7PVP Folder Redirection
      The following GPOs were not applied because they were filtered out
          Default Domain Policy
              Filtering:  Not Applied (Empty)
          Local Group Policy
              Filtering:  Not Applied (Empty)
          W7PVP Security Templates
              Filtering:  Disabled (GPO)
      The user is a part of the following security groups
          Domain Users
          Everyone
          BUILTIN\Administrators
          BUILTIN\Users
          NT AUTHORITY\INTERACTIVE
          CONSOLE LOGON
          NT AUTHORITY\Authenticated Users
          This Organization
          LOCAL
          RA_AllowComputerAccess
          WSSUsers
          RA_AllowAddInAccess
          RA_AllowShareAccess
          RA_AllowRemoteAccess
          RA_AllowNetworkAlertAccess
          RA_AllowHomePageLinks
          High Mandatory Level
  C:\Windows\system32>
  Andrew

• 802.1x authentication for LAN base hosts

  How can I get  Cisco Secure Services Client (SSC) ?
  What is the product code for the software and is it free or do we need a licence?
  Could you please send me If you happen to have information on how it works and known design issues with the SSC.
  Cheers,
  Pubudu.

  Cisco Secure Services Version 5.1 Product Data Sheet
  https://www.cisco.com/en/US/prod/collateral/wireless/ps6442/ps7034/product_data_sheet0900aecd805081a7.html

• Web based authentication for wired client, Crendentials submission failure.

  Hi,
  I am trying to set up the functionnality "cisco web based authentication" for the wired clients.
  The problem i encountered is that my switch doesnt forward the client's password to the ACS.
  When the user validate his credentials on the login page only the login seems to be forwarded.
  The result of the command "show ip admission cache" always show the client in the init state.(i use the default cisco web login page).
  the connection between aaa servers and the switch is working.
  You will find in attachements the running-config and the debug file.
  Thanks for your help, any ideas are welcome :) (its t os version c3750e-ipbasek9-mz.150-2.SE7).

  Well i took a look on your documents but i didnt find anything that helped me ;S.
  I'm still stucked on the same step.

• Cisco IP Phone 802.1x authentication with NPS

  Hi All,
  I would like to configure 802.1x authentication on both my Cisco ip phones and windows clients using NPS. So far i have tested the clients and it works however I am not finding any information on if NPS supports 802.1x on ip phones. Has anyone done a similar
  deployment using NPS. So far I am only seeing cisco ACS server being used as the policy server.

  Hi,
  Based on my research, it seems that you may enounter issues related to username(Basically Mircosoft only allows a 20 character user name, while the user name of the phone exceeds the 20 character limit and causes it to fail.) and certificate schema when
  configuring 802.1x authentication for Cisco IP phones.
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• 802.1x Authentication with Windows and MAC

  Hello Team;
                I have one SSID configured with 802.1x . The clients with Mac machines can directly join to the network by just entering the AD usrename and password. For the windows machines we need to do some configuration in the clients machines to work with the SSID.
  Could you please clarify ? Whether the windows machines will just work like the Mac or the preconfiguration is mandatory to work windows with 802.1x.

  Hello Sreejith,
  As per your query i can suggest you the following steps-
  No, the preconfiguration is not mandatory to work windows with 802.1x.To enable 802.1x authntication on wireless follow the steps-
  1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
  2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
  3.Click the Security tab, and then, in the Security Type list, click 802.1X.
  4.In the Encryption Type list, click the encryption type you want to use.
  On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
  5.In the Choose a network authentication method list, click the method you want to use.
  To configure additional settings, click Settings.
  Hope this will help you.

• 802.1x authentication manager ..!

  Dear Team ,
  I have miss understanding on dot1x authentication manager so, if someone can help me to understand those scenarios :-
  •1- If I have port configured to authenticate through dot1x first and failover to MAB if dot1x is not successfully. I have phone & PC behind it connected to port so, logically first dot1x should start to send EAPOL request and wait for 90 second if the phone doesn’t response to this request the port will wait some time and failover to MAB. Is it possible to get response first from the PC or its mandatory to get response first from the phone? I mean does the port block all data traffic first until the Voice traffic authenticated ? if yes so, if the phone does not authenticated at all whats happened to Data traffic ? suppose the phone send his mac-address to the port and start to run over MAB authentication process if it successful the port will change to authorization state. if it is not. the MAB authentication failed does the authentication manager process start from the beginning to run 802.1x process again.? Or will assign the Voice traffic on restricted vlan ?
  •2- If I have vice versa scenario by run MAB authentication process first and failover to 802.1x process if the authentication fails. So, the phone authenticated successfully first. does the port send MAB request to the PC which is behind the Phone or directly send EAPOL to the PC ?? if the PC doesn’t authenticated or the time was expired before sending the identity does the port start the authentication process from the beginning by sending MAB request to the PC or it should stuck with 802.1x authentication process ?. does the port assign the data traffic on restricted, gust vlan ? if I didn’t configured any gust or restricted vlan so, what will happen?
  •3- On both way if the port receive EAP response back does it stuck on 802.1x authentication for the Data traffic when the PC response back and never failover to MAB?

  hi gents, one more thing,
  - if I enable dot1x on the port without configure guest & restriction vlan so, what will happend when the authentication faild.?
  the port should be assigned to unauthorized state but to which vlan should be assigned ?
  - if I enable reauthentication feature without faild-authentication vlan. what will happend when the reuthentication timout finish and the authentication process start again with faild authentication from the client. the port should shift to unauthorized state but which vlan should be assigned ? and does the popup authentication appear again on the client machine or the authenticator will used the same cached authenticated credintial since the port doesn't recevie any EAP logoff or link down? does the reauthentication feature work with MAB or just only with dot1x authentication protocols ?
  - whats the diff between authentication order & authentication priority ?
  thanks

• How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2

  How can i deploy macbooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2. The Cert is generated by a 2008 Windows CA authority. I am trying to get to join but the MAC doesnt seem to want to accecpt the cert. Can i not validate the cert and still have it join the 802.1x wireless netqwotk? The wireless netwotk is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

  Hi Tarik,
  Thanks for your answers,
  I've attached my configured AuthZ rules and AuthZ profile for provisioning,
  I want the process to be the same for iPhone, Android and Windows.
  1) Connect to the SSID
  2) Login using your AD credentials PEAP-MS-CHAP-v2
  3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
  4) As soon as the client click "register" no more redirects and PERMIT-ALL
  I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
  1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
  2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
  3) everything else = DENY-ALL
  But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access(See attachment photo3.png) but as I said on the post it shows that cannot retrieve the MAC-Address so the client can't register his device and don't have access to the network. (To grant access I've configured provisioning policies, that way the clients can register their devices but they are redirected to google play or are forced to install the profile at iOS and this is what I don't want because it is not necessary)
  What screenshoot do you need after the registration? the Auth report?
  Thank you very much for your time!

• 802.1X authentication process in Active Directory joined computer.

  Hi,
  I'm not really sure my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of multiple times auth as described below:
  1. When Windows start up,
  2. it will authenticate to the 802.1x network using computer account.
  3. When user entering AD credential and pressing login, it will disconnect the current 802.1x connection. Re-auth to the network through AD user account.
  4. once 3 is done, the AD credential will be used to auth to AD again to login.
  Why do we need 3 times of authentication? Why do we need steps 3?
  Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
  Thank you!
  Ah_Chao|| MCSE,VCP,EMCSAe

  Hi,
  According to your description, my understanding is that you want to know the reason why 802.1x has 3 times authentication.
  It is depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is
  With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user
  logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context
  (computer credentials when no user is logged on and user credentials when a user is logged on).
  Detailed description you may reference:
  https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
  And more information about 802.1x, you may reference:
  Understanding 802.1X authentication for wireless networks
  https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
  IEEE 802.1X Wired Authentication
  https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
  Creating a secure 802.1x wireless infrastructure using Microsoft Windows
  http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]