802.1x authentication for win XP2 client
HI,
I am using Aironet 1200 AP, ACS 3.3 with 802.1x authentication, when I am enabling win XP utility insted of Cisco ACU it's wait for certificate credentials.
I installed CA authority in windows 2000 server. But i am unable to accessing wireless network with 802.1x authentications
Please help on this required configuration of CA role in server side and Client side.
Hi,
You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
They should be able to provide you with a file for the CA and instructions.
cheers
Similar Messages
-
Certificate authentication for Cisco VPN client
I am trying to configure the cisco VPN client for certificate authentication on my ASA 5512-X. I have it setup currently for group authentication with shared pass. This works fine. But in order for you to pass pci compliance you cannot allow aggresive mode for ikev1. the only way to disable aggresive mode (and use main mode) is to use certificate authentication for the vpn client. I know that some one out there must being doing this already. I am goign round and round with this. I am missing some thing.
I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall. IE failed to genterate signature, invalid remote signature id. I have tried using different signatures (one built on ASA and bought from Godaddy, and one built from Windows CA, and one self signed).
Can some one provide the instructions on seting this up (asdm or cli). Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.Dear Doug ,
What is asa code your are running on ASA hardware , for cisco anyconnect you need have Code 8.0 on your hardware with cisco anyconnect essential license enabled .Paste your me show version i will help you whether you need to procure license for your hardware . By default your hardware will be shipped with any connect essential license when you have order your hardware with asa code above 8.0 .
With Any connect essential you are allowed to use upto total VPN peers allowed based on your hardware
1) What is the AnyConnect Essentials License?
The Anyconnect Essentials is a license that allows you to connect up to your 'Total VPN Peers" platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device. With the Anyconnect Essentials License, you can only use Anyconnect for SSL - other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Enabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
Any connect VPN Configuration .
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml -
SCCM 2012 - 802.1x authentication for zero touch installation
Hi guys,
I'm setting up a demo environment for sccm 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need a 802.1x integration into the WinPE image, that clients can access
the install vlan instead of the guest vlan during the zero touch Windows 7 OS install process.
What I did before:
- mount the SCCM modified WinPE image (boot.XXX99999.wim)
- integration of the KB972831 hotfix into the WinPE
- creation of a lan profile and eap profile file
- copy both files into the mounted image
- creation of new wim file
I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
net start dot3svc
=> The Wired AutoConfig service was started successfully
netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
=> The profile was added successfully on the interface Local Area connection
netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
=> Error setting user data for interface Local Area Connection. The operation is not supported.
Actually I can't post web links here. If the files are needed I can send them per mail.
What can I do to solve this problem?
Thanks!
Regards
BastianHi!
Did you gave a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
I've followed those steps and it worked as a charm, even for WinPE 4.0.
If you have questions let me know.
Cheers. -
802.1x Authentication for University Network Fails After 10.5.5 Update
Hi everyone, I hope that someone might be able to help me with my problem. I used to connect to the internet through my university's network at my dorm using the ethernet connection. Even before when I was using 10.5.4 I had to do the 802.1x authentication manually after every boot.
Now that I updated to 10.5.5 everytime I try to connect it tells me "802.1x Authentication has failed", does anyone have similar problems, solutions??? This is everything the IT department's homepage has to offer: http://www.unibz.it/ict/8021x_mac1/index.html?LanguageID=EN&
Thanks a lot!
Btw, it seems the update somehow messed up Timemachine as well, but that doesn't bother me as much as the internet connection.Hi,
You probably need to install a root certificate into your Mac's system keychain so that your Mac knows it can trust the University's Certificate Authority (CA).
They should be able to provide you with a file for the CA and instructions.
cheers -
Help with configuring AP-1240AG as local authenticator for EAP-FAST client
Hi,
I am trying to configure an AP-1240AG as a local authenticator for a Windows XP client with no success. Here is a part of the AP configuration:
dot11 lab_test
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
infrastructure-ssid
radius-server local
eapfast authority id 0102030405060708090A0B0C0D0E0F10
eapfast authority info lab
eapfast server-key primary 7 211C7F85F2A6056FB6DC70BE66090DE351
user georges nthash 7 115C41544E4A535E2072797D096466723124425253707D0901755A5B3A370F7A05
Here is the Windows XP client configuration:
Authentication: Open
Encrpytion WEP
Disable Cisco ccxV4 improvements
username: georges
password: georges
Results: The show radius local-server statistics does not show any activity for the user georges and the debug messages are showing the following:
*Mar 4 01:15:58.887: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:28.914: %DOT11-7-AUTH_FAILED: Station 0016.6f68.b13b Authentication failed
*Mar 4 01:16:56.700: RADIUS/ENCODE(00001F5C):Orig. component type = DOT11
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: ssid [263] 19
*Mar 4 01:16:56.701: RADIUS: [lab_test]
*Mar 4 01:16:56.701: RADIUS: 65 [e]
*Mar 4 01:16:56.701: RADIUS: AAA Unsupported Attr: interface [156] 4
*Mar 4 01:16:56.701: RADIUS: 38 32 [82]
*Mar 4 01:16:56.701: RADIUS(00001F5C): Storing nasport 8275 in rad_db
*Mar 4 01:16:56.702: RADIUS(00001F5C): Config NAS IP: 10.5.104.22
*Mar 4 01:16:56.702: RADIUS/ENCODE(00001F5C): acct_session_id: 8026
*Mar 4 01:16:56.702: RADIUS(00001F5C): sending
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response no app start; FAIL
*Mar 4 01:16:56.702: RADIUS/DECODE: parse response; FAIL
It seems that the radius packet that the AP receive is not what is expected. Do not know if the problem is with the client or with the AP configuration. Try many things but running out of ideas. Any suggestions would be welcome
ThanksHi Stephen,
I do not want to create a workgroup bridge, just want to have the wireless radio bridge with the Ethernet port. I will remove the infrastructure command.
Thanks for your help
Stephane
Here is the complete configuration:
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Lab
ip subnet-zero
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 lab_test
authentication open eap eap_methods
authentication network-eap eap_methods
guest-mode
infrastructure-ssid
power inline negotiation prestandard source
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
ssid lab_test
traffic-metrics aggregate-report
speed basic-54.0
no power client local
channel 2462
station-role root
antenna receive right
antenna transmit right
no dot11 extension aironet
bridge-group 1
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
dfs band 3 block
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
channel dfs
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
hold-queue 160 in
interface BVI1
ip address 10.5.104.22 255.255.255.0
ip default-gateway 10.5.104.254
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server local
eapfast authority id 000102030405060708090A0B0C0D0E0F
eapfast authority info LAB
eapfast server-key primary 7 C7AC67E296DF3437EB018F73BE00D822B8
user georges nthash 7 14424A5A555C72790070616C03445446212202080A75705F513942017A76057007
control-plane
bridge 1 route ip
line con 0
line vty 0 4
end -
Cisco ISE 1.3 using 802.1x Authentication for wireless clients
Hi,
I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
MACHINE AUTHENTICATION
match
framed
Wireless
AD group (machine)
USER AUTHENTICATION
match
framed
Wireless
AD group (USER)
was authenticated = true
Below are steps taken to authenticate any ideas would be great.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24315 Single matching account found in domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
24432 Looking up user in Active Directory - xxx\zzz Support
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
first thing to check is whether MAR has been enabled on the identity source. second thing to check is whether your machine is set to send a certificate for authentication. there are other things you can look at but I'd do those two first.
log off and on or reboot and then see if you at least get a failed machine auth on the operations>authentication page and we can go from there. -
Configure Network Level Authentication for Remote Desktop client
We publish Remote Desktop in our Windows 2008 R2 terminal server.
However, in Windows 2008R2 , the remote desktop client will a lillte bit slow
I found out that if I modify the setting in default.rdp
authentication level:i:0
enablecredsspsupport:i:0
it will increase the speed a lot
however, how can I set all user use remote desktop will disable those feature as well?
ThanksHi Kenneth,
I suggest you to see similar thread "disable
Network Level Authentication Terminal Server 2008"
If above thread does not helps, seek help from RDS/TS experts in here.
Or wait until any of our moderator move this post to respective forum.
Thank you for understanding.
Regards, Ravikumar P -
I had a system drive fail on a PC the other day (Seagate Barracudas seem to do this!) and have replaced it with an SSD. Sadly its capacity is less than the original system partition on the failed drive so a bare metal restore does not work. I have
therefore reinstalled Windows 7 Pro and configured the PC with the same name.
In the dashboard of the server Windows 7 Pro Pack is implemented, but it is not functioning on the client. I have re-configured it but still no joy. I cannot see a way to disable W7PP for the client without removing the Add-in and assume this is a problem
relating to using the same name for the computer. Should I remove the Add-in and reinstall or is there an alternative?
TIA
AndrewHere it is. I have replaced the user, client, domain and server names.
Thanks for your help. I am tempted to just remove the client from the domain, change the PC name and rejoin.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
===================================
RSOP data for [DomainName]\xxxxxxxxxxxx on [PCName] : Logging Mode
OS Configuration: Member Workstation
OS Version: 6.1.7601
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\xxxxxxxxxxxx
Connected over a slow link?: No
COMPUTER SETTINGS
CN=[PCName],CN=Computers,DC=[DomainName],DC=local
Last time Group Policy was applied: 22/01/2015 at 09:39:11
Group Policy was applied from: [ServerName].[DomainName].local
Group Policy slow link threshold: 500 kbps
Domain Name: [DomainName]
Domain Type: Windows 2000
Applied Group Policy Objects
Default Domain Policy
W7PVP Security Templates
The following GPOs were not applied because they were filtered out
W7PVP Folder Redirection
Filtering: Disabled (GPO)
Local Group Policy
Filtering: Not Applied (Empty)
W7PVP Folder Redirection
Filtering: Disabled (GPO)
The computer is a part of the following security groups
BUILTIN\Administrators
Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
[PCName]$
Domain Computers
System Mandatory Level
USER SETTINGS
CN=xxxxxxxxxxxx,CN=Users,DC=[DomainName],DC=local
Last time Group Policy was applied: 22/01/2015 at 09:39:27
Group Policy was applied from: [ServerName].[DomainName].local
Group Policy slow link threshold: 500 kbps
Domain Name: [DomainName]
Domain Type: Windows 2000
Applied Group Policy Objects
W7PVP Folder Redirection
W7PVP Folder Redirection
The following GPOs were not applied because they were filtered out
Default Domain Policy
Filtering: Not Applied (Empty)
Local Group Policy
Filtering: Not Applied (Empty)
W7PVP Security Templates
Filtering: Disabled (GPO)
The user is a part of the following security groups
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
CONSOLE LOGON
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
RA_AllowComputerAccess
WSSUsers
RA_AllowAddInAccess
RA_AllowShareAccess
RA_AllowRemoteAccess
RA_AllowNetworkAlertAccess
RA_AllowHomePageLinks
High Mandatory Level
C:\Windows\system32>
Andrew -
802.1x authentication for LAN base hosts
How can I get Cisco Secure Services Client (SSC) ?
What is the product code for the software and is it free or do we need a licence?
Could you please send me If you happen to have information on how it works and known design issues with the SSC.
Cheers,
Pubudu.Cisco Secure Services Version 5.1 Product Data Sheet
https://www.cisco.com/en/US/prod/collateral/wireless/ps6442/ps7034/product_data_sheet0900aecd805081a7.html -
Web based authentication for wired client, Crendentials submission failure.
Hi,
I am trying to set up the functionnality "cisco web based authentication" for the wired clients.
The problem i encountered is that my switch doesnt forward the client's password to the ACS.
When the user validate his credentials on the login page only the login seems to be forwarded.
The result of the command "show ip admission cache" always show the client in the init state.(i use the default cisco web login page).
the connection between aaa servers and the switch is working.
You will find in attachements the running-config and the debug file.
Thanks for your help, any ideas are welcome :) (its t os version c3750e-ipbasek9-mz.150-2.SE7).Well i took a look on your documents but i didnt find anything that helped me ;S.
I'm still stucked on the same step. -
Cisco IP Phone 802.1x authentication with NPS
Hi All,
I would like to configure 802.1x authentication on both my Cisco ip phones and windows clients using NPS. So far i have tested the clients and it works however I am not finding any information on if NPS supports 802.1x on ip phones. Has anyone done a similar
deployment using NPS. So far I am only seeing cisco ACS server being used as the policy server.Hi,
Based on my research, it seems that you may enounter issues related to username(Basically Mircosoft only allows a 20 character user name, while the user name of the phone exceeds the 20 character limit and causes it to fail.) and certificate schema when
configuring 802.1x authentication for Cisco IP phones.
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
802.1x Authentication with Windows and MAC
Hello Team;
I have one SSID configured with 802.1x . The clients with Mac machines can directly join to the network by just entering the AD usrename and password. For the windows machines we need to do some configuration in the clients machines to work with the SSID.
Could you please clarify ? Whether the windows machines will just work like the Mac or the preconfiguration is mandatory to work windows with 802.1x.Hello Sreejith,
As per your query i can suggest you the following steps-
No, the preconfiguration is not mandatory to work windows with 802.1x.To enable 802.1x authntication on wireless follow the steps-
1.Open Manage Wireless Networks by clicking the Start button , clicking Control Panel, clicking Network and Internet, clicking Network and Sharing Center, and then, in the left pane, clicking Manage wireless networks.
2.Right-click the network that you want to enable 802.1X authentication for, and then click Properties.
3.Click the Security tab, and then, in the Security Type list, click 802.1X.
4.In the Encryption Type list, click the encryption type you want to use.
On wireless networks, 802.1X can be used with Wired Equivalent Privacy (WEP) or Wi‑Fi Protected Access (WPA) encryption.
5.In the Choose a network authentication method list, click the method you want to use.
To configure additional settings, click Settings.
Hope this will help you. -
802.1x authentication manager ..!
Dear Team ,
I have miss understanding on dot1x authentication manager so, if someone can help me to understand those scenarios :-
•1- If I have port configured to authenticate through dot1x first and failover to MAB if dot1x is not successfully. I have phone & PC behind it connected to port so, logically first dot1x should start to send EAPOL request and wait for 90 second if the phone doesn’t response to this request the port will wait some time and failover to MAB. Is it possible to get response first from the PC or its mandatory to get response first from the phone? I mean does the port block all data traffic first until the Voice traffic authenticated ? if yes so, if the phone does not authenticated at all whats happened to Data traffic ? suppose the phone send his mac-address to the port and start to run over MAB authentication process if it successful the port will change to authorization state. if it is not. the MAB authentication failed does the authentication manager process start from the beginning to run 802.1x process again.? Or will assign the Voice traffic on restricted vlan ?
•2- If I have vice versa scenario by run MAB authentication process first and failover to 802.1x process if the authentication fails. So, the phone authenticated successfully first. does the port send MAB request to the PC which is behind the Phone or directly send EAPOL to the PC ?? if the PC doesn’t authenticated or the time was expired before sending the identity does the port start the authentication process from the beginning by sending MAB request to the PC or it should stuck with 802.1x authentication process ?. does the port assign the data traffic on restricted, gust vlan ? if I didn’t configured any gust or restricted vlan so, what will happen?
•3- On both way if the port receive EAP response back does it stuck on 802.1x authentication for the Data traffic when the PC response back and never failover to MAB?hi gents, one more thing,
- if I enable dot1x on the port without configure guest & restriction vlan so, what will happend when the authentication faild.?
the port should be assigned to unauthorized state but to which vlan should be assigned ?
- if I enable reauthentication feature without faild-authentication vlan. what will happend when the reuthentication timout finish and the authentication process start again with faild authentication from the client. the port should shift to unauthorized state but which vlan should be assigned ? and does the popup authentication appear again on the client machine or the authenticator will used the same cached authenticated credintial since the port doesn't recevie any EAP logoff or link down? does the reauthentication feature work with MAB or just only with dot1x authentication protocols ?
- whats the diff between authentication order & authentication priority ?
thanks -
How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2
How can i deploy macbooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2. The Cert is generated by a 2008 Windows CA authority. I am trying to get to join but the MAC doesnt seem to want to accecpt the cert. Can i not validate the cert and still have it join the 802.1x wireless netqwotk? The wireless netwotk is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.
Hi Tarik,
Thanks for your answers,
I've attached my configured AuthZ rules and AuthZ profile for provisioning,
I want the process to be the same for iPhone, Android and Windows.
1) Connect to the SSID
2) Login using your AD credentials PEAP-MS-CHAP-v2
3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
4) As soon as the client click "register" no more redirects and PERMIT-ALL
I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
3) everything else = DENY-ALL
But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access(See attachment photo3.png) but as I said on the post it shows that cannot retrieve the MAC-Address so the client can't register his device and don't have access to the network. (To grant access I've configured provisioning policies, that way the clients can register their devices but they are redirected to google play or are forced to install the profile at iOS and this is what I don't want because it is not necessary)
What screenshoot do you need after the registration? the Auth report?
Thank you very much for your time! -
802.1X authentication process in Active Directory joined computer.
Hi,
I'm not really sure my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of multiple times auth as described below:
1. When Windows start up,
2. it will authenticate to the 802.1x network using computer account.
3. When user entering AD credential and pressing login, it will disconnect the current 802.1x connection. Re-auth to the network through AD user account.
4. once 3 is done, the AD credential will be used to auth to AD again to login.
Why do we need 3 times of authentication? Why do we need steps 3?
Note: this is just my current understanding on one of the mode of 802.1x authentication. Please feel free to correct and add more information so that I can understand 802.1x authentication more precisely.
Thank you!
Ah_Chao|| MCSE,VCP,EMCSAeHi,
According to your description, my understanding is that you want to know the reason why 802.1x has 3 times authentication.
It is depends on your 802.1x settings. The option Computer Authentication (allows you to specify how computer authentication works with user authentication). One of the possible settings is
With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user
logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context
(computer credentials when no user is logged on and user credentials when a user is logged on).
Detailed description you may reference:
https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
And more information about 802.1x, you may reference:
Understanding 802.1X authentication for wireless networks
https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
IEEE 802.1X Wired Authentication
https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
Creating a secure 802.1x wireless infrastructure using Microsoft Windows
http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Maybe you are looking for
-
New user log on went to my google home page, how do I get a seperate one?
I'm setting up a new user on XP, when I tried to get a Google homepage it put my existing one on the new user's log in email and all. How do I get a separate one?
-
Installation Error HTMLDB 1.6 -- ORA-06502
I get an installation error. Oracle 10g 10.1.0.2 HTMLDB 1.6. Does anyone have a tip whats going wrong. ...PAGE 103: Create Application from Scratch Error creating page validation page=103 name=tab 1-5 name unique ORA-06502: PL/SQL: numeric or value e
-
Am facing this error sqlcode :-6502 while running sql code in plsql block
Am facing this error sqlcode :-6502 while running sql code in plsql block. am using query : SELECT SUBSTR('123456DE789KL|987654321|B',1,INSTR('123456DE789KL|987654321|B','|')-1) FROM DUAL; CAN any body tell me why.
-
Proyecto en FLASH MX Professional 2004
Estimados amigos. Tengo un archivo enorme desarrollado en Flash. Lo he dividido en archivos más pequeños formando lo que se llama un "proyecto". ¿Tengo necesariamente que designar un sitio y un modo de conexión? ¿Cómo puedo hacer para dividir mi arch
-
Where is my System folder?
I just had a new hard drive installed, and then installed Leopard myself, and when I select the hard drive icon under DEVICES in the finder window, only 2 folders appear: "Developer" and "User". Where are my Applications, Library, and System folders?