802.1x authentication - how to

Hi, we have several 350, 1220 and 1230 APs, a Cisco ACS 4.0 and Catalyst switches.
Is there a "how to" or step-by-step guide on how to set up 802.1x?
Regards
Johann Folkestad

Try these links
http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_white_paper09186a00800a9e8e.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a0080100194.html

Similar Messages

  • How can I deploy MacBooks and 802.1x authentication using PEAP/MSChap version 2

    How can I deploy MacBooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2? The cert is generated by a 2008 Windows CA authority. I am trying to get it to join, but the Mac doesn't seem to want to accept the cert. Can I not validate the cert and still have it join the 802.1x wireless network? The wireless network is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

    Hi Tarik,
    Thanks for your answers,
    I've attached my configured AuthZ rules and AuthZ profile for provisioning,
    I want the process to be the same for iPhone, Android and Windows.
    1) Connect to the SSID
    2) Login using your AD credentials PEAP-MS-CHAP-v2
    3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
    4) As soon as the client clicks "register", no more redirects and PERMIT-ALL
    I think that I don't need to rely on profiling, because in terms of AuthZ policies it should be something like this:
    1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
    2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
    3) everything else = DENY-ALL
    But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access (see attachment photo3.png), but as I said in the post it shows that it cannot retrieve the MAC address, so the client can't register his device and doesn't have access to the network. (To grant access I've configured provisioning policies; that way the clients can register their devices, but they are redirected to Google Play or are forced to install the profile on iOS, and this is what I don't want because it is not necessary.)
    What screenshot do you need after the registration? The Auth report?
    Thank you very much for your time!

  • How to access an 802.1x authentication wired network with a digital certificate?

    How can I access an 802.1x authentication wired network with a digital certificate?
    I can access the network in Windows with the following configuration:
    But on my Lion, I had imported the digital certificate. When I connected to the network, I was prompted:
    Enter the name and password for this 802.1X network
    I could not get the opportunity to select my digital certificate. But my colleague can.
    iPhone Configuration Utility seemed to provide a wireless 802.1X authentication configuration file. And in my work environment, most people use Windows. And there is not a Lion server to provide a configuration file.

    Dear Rune,
    Thank you for reaching Small Business Support Community.
    If you have already followed the 802.1X Supplicant configuration described on page 112, chapter 6, of the admin guide;
    http://www.cisco.com/en/US/docs/wireless/access_point/csbap/wap121/administration/guide/WAP121_321_AG_en.pdf
    All I can suggest is to make sure you are running the latest firmware release, version 1.0.4.2;
    http://software.cisco.com/download/release.html?mdfid=284152656&flowid=32563&softwareid=282463166&release=1.0.4.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    And then contact the Small Business Support Center to have a TAC engineer figure this out;
    https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Please do not hesitate to reach me back if there is anything I may assist you with in the meantime.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the post so others will know when an answer has been found.

  • 802.1x - Authentication failed

    Hello!
    There is a network layout: a custom laptop, a Cisco switch (model WS-C3750-48PS-S, firmware version 122-58.SE2) and a Freeradius server.
    The user is authenticated by MAC address (the switch sends the MAC address of the server as username and password).
    On my computer, there is "Authentication failed".
    Port mirroring was set up and the traffic was checked with Wireshark.
    It can be seen that the server responds with an Accept message (screenshot attached), which carries the VLAN number.
    With the command "sh vlan" it can be seen that the switch assigned the desired VLAN to the port.
    The port is mirrored towards the user. There are three Start messages from the user (screenshot attached), but the Request-Identity messages from the switch are absent (no screenshot).
    Therefore, the user does not receive a message from the switch that authentication passed, and does not work with the network (no DHCP query is sent).
    If you disable 802.1x on a PC, the PC works with a network.
    The network was tested on 2 different switches with different firmware (). The PCs run Windows 7 and Windows 8.
    Fa 1/0/18 - to PC.
    Fa 1/0/47 - to Freeradius-server
    What could be the problem?
    Thanks in advance.
    p.s. I attach config-file.

    No problem! Yes, you are correct, a switchport can be configured to support both mab and dot1x authentication. I am still trying to understand the following:
    1. When does authentication fail and when does it work? Please provide more details.
    2. Can you post screenshots of the supplicant (Windows) configuration?
    3. Please post the output of this command during both the failed and successful authentications:
    show authentication session interface interface_name_number detail
    4. I would also add the following commands to your access port:
    dot1x pae authenticator
    authentication event fail action next-method
    authentication violation restrict
    Thank you for rating helpful posts! 

  • 802.1X authentication process in Active Directory joined computer.

    Hi,
    I'm not really sure about my understanding of the authentication process of an Active Directory joined computer, and I would like to know the purpose of the multiple authentications described below:
    1. When Windows starts up,
    2. it will authenticate to the 802.1x network using the computer account.
    3. When the user enters AD credentials and presses login, it will disconnect the current 802.1x connection and re-authenticate to the network through the AD user account.
    4. Once 3 is done, the AD credentials will be used to authenticate to AD again to log in.
    Why do we need three authentications? Why do we need step 3?
    Note: this is just my current understanding of one of the modes of 802.1x authentication. Please feel free to correct it and add more information so that I can understand 802.1x authentication more precisely.
    Thank you!
    Ah_Chao|| MCSE,VCP,EMCSAe

    Hi,
    According to your description, my understanding is that you want to know the reason why 802.1x authenticates 3 times.
    It depends on your 802.1x settings. The Computer Authentication option allows you to specify how computer authentication works with user authentication. One of the possible settings is With User Re-Authentication. When users are not logged on to the computer, authentication is performed using the computer credentials. After a user logs on to the computer, authentication is performed using the user credentials. When a user logs off of the computer, authentication is performed with the computer credentials. This is the recommended setting because it ensures that the connection to the wireless AP is always using the security credentials of the computer's current security context (computer credentials when no user is logged on and user credentials when a user is logged on).
    For a detailed description, see:
    https://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx?f=255&MSPPError=-2147217396
    For more information about 802.1x, see:
    Understanding 802.1X authentication for wireless networks
    https://technet.microsoft.com/en-us/library/cc759077(v=ws.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Creating a secure 802.1x wireless infrastructure using Microsoft Windows
    http://blogs.technet.com/b/networking/archive/2012/05/30/creating-a-secure-802-1x-wireless-infrastructure-using-microsoft-windows.aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

    In our environment we randomly have issues with 802.1x authentication after Sleep or Hibernation of our client systems.
    Clients have Windows 7 as OS and are up to date regarding regular updates/patches. Drivers (at least network and chipset) on affected machines have also been updated.
    The 802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated against Active Directory by RADIUS.
    Analyzing the logs of our RADIUS server you can see that the client tries to authenticate via MAC instead of its DNS name/FQDN (the desired method). So the request fails and the client is assigned to a different VLAN without access to the company's resources. Following steps like DHCP work correctly.
    We have enabled tracing of the RAS components on some of our clients by executing the following command line: netsh ras set tracing * enabled
    Analyzing the client's log file "C:\Windows\tracing\svchost_RASCHAP.LOG" it looks like the component is simply not up at that point in time, because there are absolutely no entries, making it impossible to search for a specific error/error code. Side fact: unplugging the network cable and plugging it in again forces the client to authenticate again, successfully and with entries in the given log.
    There is an article, KB980295, describing my issue, but it does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017 - install is not needed because no updates are applicable).
    Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
    Any other advice is highly appreciated as well!
    Thanks a lot

    Hi Deason,
    sorry for my very very late reply on this.
    Even if I could not solve the problem yet, I can tell about some progress.
    As both KB files (980295 and 2481614) sadly did not help with this at all, and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference, I have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network port over and over (I have removed outputs and logging to keep it short):
    $doAllTheTime = $true
    $i = 0
    $DomainName = (Get-WmiObject -Class Win32_ComputerSystem).domain
    $NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.name -like "*gigabit*"}
    while ($doAllTheTime -eq $true) {
        $i++
        # bounce the adapter, giving 802.1x time to (re)authenticate after each change
        $NWAdapter.disable() | out-null; Start-Sleep -Seconds 10
        $NWAdapter.enable() | out-null; Start-Sleep -Seconds 10
        $ping = $null
        # a failed ping leaves $ping empty; suppress the non-terminating error so the check below decides
        $ping = test-connection $DomainName -count 1 -ErrorAction SilentlyContinue
        if ($ping -eq $null) {
            "Error with connection"; return
        }
    }
    So I kept it running and after a few dozen loops the issue reoccurred. I could see from the RASCHAP log given above that it is the dot3svc service that does not respond anymore. Restarting the service manually triggered a re-authentication that was then successful.
    So I added the Restart-Service cmdlet to my script in case the error was detected, and configured a Scheduled Task triggered by the event that a network cable has been plugged in (has to be provided by the driver). Script and Scheduled Task have then been deployed to our clients.
    Even if this is no solution, it definitely helps with a high rate of incidents, but not entirely... so I am still looking for further steps to solve this. Any ideas are highly appreciated.
    Thank you very much for your support!!! Uhle

  • 802.1x Authentication in Extreme architecture

    Hi all,
    Objectives :
    Authenticate a supplicant on an Extreme 802.1x port with an ACS SE 4.2
    Supplicant: IP Phone
    Authenticator: Switch Extreme 450 E
    Authentication Server: ACS SE 1113 4.2.0.124.9
    1) We have done the tests with a Windows ACS 4.2.0.124 and everything runs correctly; the supplicant authenticates without any problem.
    2) We have replicated the Windows ACS to the ACS SE. The 802.1x authentication does not work with the ACS SE but works with the Windows ACS.
    3) We have uploaded UDVs and VSAs to the ACS SE and it still does not work.
    These are the .csv files uploaded:
    accountactionsVsa.csv (used for the vendor)
    accountAttributes.csv (used for the vendor attributes)
    accountProfile.csv (used for the Attributes profile)
    accountvalues.csv (used for the Attributes values). This one is not in the attached files:
    1,8,,,354,Disabled,1916,201,0,15/04/2009 10:00,,,,0
    2,7,,,354,Enabled,1916,201,1,15/04/2009 10:00,,,,0
    3,6,,,354,Disabled,1916,206,0,15/04/2009 10:00,,,,0
    4,5,,,354,Enabled,1916,206,1,15/04/2009 10:00,,,,0
    5,4,,,355,,,,,15/04/2009 10:00,,,,0
    The message in the ACS Failed Attempts log is: "Bad Request from NAS".
    We have verified the authenticator address and the secret key; everything is ok.
    With Windows ACS we can see first an "access request" between authenticator and authentication server. Next an "access challenge" from authentication server to authenticator. Next an "access request" between authenticator and authentication server and then an "access Accept" from authentication server to authenticator.
    With ACS SE we can see first an "access request" between authenticator and authentication server. Next an "access Reject" from authentication server to authenticator.
    We have tried to understand the differences between the first "access request" in the Windows ACS architecture and the first "access request" in the ACS SE architecture. The only difference is in the Message-Authenticator (80).
    Have you already had this kind of problem? How can I solve it?
    Thanks for your replies.
    Best regards.

    The supplicant only uses EAP-MD5 since it is an IP phone.
    EAP-MD5 is already checked in Global Authentication Setup.
    Just as a reminder:
    802.1x runs on the Windows version but not on the SE version with the same configuration (we have done the test with a replication from the Windows version to the Appliance SE version). Both ACS versions have the same configuration, but one is running and the other is not.
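    As an added example (not code from any of the posts on this page), the Python below builds a RADIUS Access-Request carrying the Message-Authenticator attribute (80) that differed between the two captures above, verifies it the way a server must before accepting EAP, and pulls the VLAN out of an Access-Accept's tunnel attributes as in the Freeradius/MAB thread earlier on the page. The shared secret, MAC address and VLAN number are constructed values, not anything from the posts.

```python
# Added example (not from any post above): RADIUS Message-Authenticator (attribute 80)
# verification and VLAN extraction. All secrets and attribute values are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6
SECRET = b"constructed-shared-secret"  # constructed, not a deployment value


def encode_attrs(attrs) -> bytes:
    """Type (1 octet), Length (1 octet, header included), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attributes(packet: bytes):
    """Walk the attribute region after the 20-byte header; bad lengths raise."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def build_access_request(secret, identifier, authenticator, attrs) -> bytes:
    """Append Message-Authenticator per RFC 2869 s5.14: HMAC-MD5 keyed with the shared
    secret over the whole packet, with attribute 80's 16 value octets zeroed."""
    body = encode_attrs(attrs) + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    return header + body[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with attribute 80 zeroed; compare in constant time. A mismatch
    is what a server logs as a bad request from the NAS, so check the shared secret first."""
    try:
        if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
            return False
        pos = 20
        for atype, value in parse_attributes(packet):
            if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
                zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
            pos += 2 + len(value)
    except ValueError:
        pass
    return False  # missing or malformed: EAP carried without it must not be trusted


def vlan_from_access_accept(packet: bytes):
    """VLAN named by the tunnel attributes (tag + 3-octet integer for 64/65; the
    Tunnel-Private-Group-ID string has a tag octet only if its first octet <= 0x1F)."""
    if not packet or packet[0] != ACCESS_ACCEPT:
        return None
    attrs = dict(parse_attributes(packet))
    ttype, medium = attrs.get(TUNNEL_TYPE), attrs.get(TUNNEL_MEDIUM_TYPE)
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and medium and group):
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN or int.from_bytes(medium[1:], "big") != TUNNEL_MEDIUM_IEEE802:
        return None
    return (group[1:] if group[0] <= 0x1F else group).decode("ascii")


def demo():
    """Constructed MAB exchange: Access-Request from the switch, Access-Accept naming VLAN 201."""
    req = build_access_request(SECRET, 7, os.urandom(16), [
        (USER_NAME, b"001122334455"),                               # MAB: MAC as identity
        (EAP_MESSAGE, bytes([2, 1, 0, 17, 1]) + b"001122334455"),   # EAP-Response/Identity
    ])
    body = encode_attrs([
        (TUNNEL_TYPE, bytes([0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, bytes([0]) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, b"\x00201"),
    ])
    # Response Authenticator left as zeros: only the attribute payload is inspected here.
    accept = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(body)) + bytes(16) + body
    return {"good_secret": verify_message_authenticator(req, SECRET),
            "wrong_secret": verify_message_authenticator(req, b"mistyped-secret"),
            "vlan": vlan_from_access_accept(accept)}
```

    Run `demo()` to see the same request pass with the right secret and fail with a mistyped one, which is the first thing to compare when two servers disagree on attribute 80.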

  • 802.1X Authentication fails when connecting to WPA Enterprise using Leopard

    I'm trying to connect to an office WiFi network with my MacBook Pro which has 10.5.1 installed.
    There are instructions on how to connect using Tiger which are very simple:
    1. Enter network name
    2. Wireless Security: WPA Enterprise
    3. Enter domain credentials for username and password fields
    4. 802.1X Configuration: Automatic
    There are at least two people here using Tiger that can connect using these instructions.
    I've tried the same thing with Leopard and keep getting an error dialog stating "802.1X Authentication has failed."
    I've also tried fiddling with the 802.1X tab under "Advanced" (I know the protocol is PEAP), but no matter what I get the same error.

    Turns out I was not authorized to use the WiFi. IT got me set up and everything works now.

  • 802.1X Authentication failed without 802.1X authentication enabled

    Hi,
    we are using 2 WISMs, with version 4.2.207 and a WCS to control them.
    It seemed to work fine for about 2 weeks, and now we have detected the following problem with some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2; we also use a MAC filter.
    When they lost the connection we can see the following error:
    Message:
    Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
    Message:
    Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
    I also attach an output of the troubleshoot mac address...
    Can someone help me with this?
    Thank you.
    Best regards,

    Hi Kirbus,
    we opened a TAC case and were advised for now to make the following changes:
    1. Please make sure to disable Aironet extensions (if present), on the WLAN advanced configuration
    2. Disable management frame protection (MFP) signature generation (if present); MFP is also on the WLAN advanced configuration
    3. On the WLC general configuration, can you please disable aggressive load balancing
    4. On the security tab on the WLC, under wireless protection policies, disable client exclusion policies
    5. On the AP network configuration please disable short preamble; the original standard was long preambles
    6. Wireless -> disable auto-RRM channel & power assignment & try "on demand"
    7. Apply these modifications on the WLC CLI:
    Config advanced eap identity-request-timeout 20
    Config advanced eap identity-request-retries 10
    Config advanced eap request-timeout 20
    Config advanced eap request-retries 10
    Save config, and see if you still face the problem.
    We are still monitoring the solution, but until now we didn't face the problem again.
    Let me know how it goes for you.
    Thank you.
    Best regards,

  • 802.1x Authentication Procedures

    Hi,
    I am sure this has been asked many times here, but couldn't find any consolidated answers for this question:
    - How many 802.1x authentication methods are there? And along with the name of each, can somebody also tell the advantage of deploying the method, the reason to deploy it, and its disadvantages?
    I will be very grateful for any help in this regard.
    Thanks,
    Usama

    Following are the different Extensible Authentication Protocol (EAP) types:
    PEAP-MSCHAPv2 (username/password-based auth)
    PEAP-EAP-TLS (certificate-based auth)
    EAP-TLS (certificate-based auth)
    EAP-FAST (like PEAP, auth based on an inner method such as MSCHAPv2, EAP-TLS, or EAP-GTC)
    According to your scenario you can use PEAP-MSCHAPv2 or EAP-TLS. As you have mentioned that you have 10,000 users and are using BYOD as well, you can use ISE for this.
    The following link will help you configure Protocol Settings on ISE:
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_auth_pol.html#wp1146161

  • Run 802.1x authenticator on wired interface

    Is it possible to run a Linux-based 802.1x authenticator on a wired ethernet port? Basically, I'm trying to protect physical network access to a server. The server has only one client, connected via 1Gbps crossover cable, so there is no switch involved.
    I've found countless examples where Linux acts as supplicant, and the hardware switch acts as authenticator, but this would be exactly the opposite.
    So my question is, is this possible? And if it is, how? Or perhaps there is some better way to secure a crossover cable connection between two machines on network level that is transparent to applications, and possibly also prevents eavesdropping and MITM attacks? Any suggestions are welcome.
    Thanks!

    bachtiar wrote:
    Is it possible to run a Linux-based 802.1x authenticator on a wired ethernet port? Basically, I'm trying to protect physical network access to a server. The server has only one client, connected via 1Gbps crossover cable, so there is no switch involved.
    I've found countless examples where Linux acts as supplicant, and the hardware switch acts as authenticator, but this would be exactly the opposite.
    So my question is, is this possible? And if it is, how? Or perhaps there is some better way to secure a crossover cable connection between two machines on network level that is transparent to applications, and possibly also prevents eavesdropping and MITM attacks? Any suggestions are welcome.
    Thanks!
    Sure
    pacman -S hostapd

  • Using Apple Airport Express in Uni ( 802.1x authentication)

    Hi,
    I am living in halls this upcoming term and I am taking my PS3, iPhone and laptop. All of these require the internet. So I have an Apple AirPort Express; when I plug it into the ethernet in my room, how do I configure it for the 802.1x authentication that my university uses? I cannot see any options in the admin utility that say 802.1x.
    I would appreciate any help

    When I enable this option the RADIUS server information box appears. Does anyone know if, when I plug the Express into my Uni network, the unit will automatically find all the RADIUS server settings, or will I have to speak to IT and request them to input them manually?
    A RADIUS server is used to authenticate the user before allowing them access to the network. The AirPort Express Base Station (AX) will not automatically populate these fields and this would be something that your University's IT staff should be able to help you with ... if they allow this.

  • OS X keeps asking for System keychain password in order to do 802.1X authentication

    In order to join a corporate WLAN that uses WPA2 with 802.1X / EAP-TLS, I added the company's root certificate to the System keychain and set the trust level to always trust this certificate. I then added the client certificate that was issued for my computer. I set the trust level to always trust this certificate as well. Finally, I added the WLAN network, choosing Security: WPA2 Enterprise, Mode: EAP-TLS, Identity: the newly added client certificate, and username: the domain name of my computer. This setup works - I can connect to the WLAN network.
    My problem is that the system always asks me for the System keychain password before the WLAN connection can be established. This seems to be during the 802.1X authentication phase. What do I need to change so that this is not required? Or how can I at least find out which System keychain item it is that cannot be accessed without the password?
    I'm using a MacBook Pro with OS X 10.10.1, but I also had the problem back on 10.9.
    If I remember correctly it started when I received a new client certificate in the summer. But I am not able to say what I might have done differently with the old certificate so that the password was not required back then.

    I'm having the same problem at home. I had problems with my keychain before, because I deleted the System keychain. I recently learned how to replace it, which worked. However, my computer is not remembering the password to my home wireless connection. Even when I put the computer to sleep and wake it, it becomes disconnected and never automatically re-connects. I have to again select my network and then re-enter the password, every time. How do I fix this?

  • Configuring Wired 802.1x Authentication step-by-step guide

    Hello All
    I don't have a question at the moment, but I wrote a step-by-step guide on how to configure Wired 802.1x Authentication on Windows Server 2012 using Cisco switches.
    You can find the document on my website http://www.accessdenied.be/blog
    regards
    Johan Loos CISSP,MCT,ISO 27001 and others

    Hi Johan,
    Thanks for your sharing.
    As this post is not a question, I will change it to a Discussion. In addition, I would recommend that you publish the guide on TechNet Wiki.
    http://social.technet.microsoft.com/wiki
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • Cisco IP Phone 802.1x authentication with NPS

    Hi All,
    I would like to configure 802.1x authentication on both my Cisco IP phones and Windows clients using NPS. So far I have tested the clients and it works; however, I am not finding any information on whether NPS supports 802.1x on IP phones. Has anyone done a similar deployment using NPS? So far I am only seeing the Cisco ACS server being used as the policy server.

    Hi,
    Based on my research, it seems that you may encounter issues related to the username (basically Microsoft only allows a 20-character user name, while the user name of the phone exceeds the 20-character limit and causes it to fail) and the certificate schema when configuring 802.1x authentication for Cisco IP phones.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
