802.1X Authentication on 4507 switch using AD

Hi,
I want to implement 802.1X authentication on a Cisco 4507 switch. Authentication should be done through Microsoft Active Directory. Can someone guide me in this regard? Thanks

Before you proceed with 802.1x-based configuration, make sure that your switch/Supervisor supports dot1x. Depending on the type of RADIUS server you are using the compatibility might change, but here is the compatibility guide for Cisco's ISE:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/compatibility/ise_sdt.html
With regards to configurations, have a look at the following link (again assuming you are using ISE):
http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html
Thank you for rating helpful posts!

Similar Messages

  • How can I deploy MacBooks and 802.1x authentication using PEAP/MSChap version 2

    How can I deploy MacBooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2? The cert is generated by a 2008 Windows CA authority. I am trying to get it to join, but the Mac doesn't seem to want to accept the cert. Can I not validate the cert and still have it join the 802.1x wireless network? The wireless network is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

    Hi Tarik,
    Thanks for your answers,
    I've attached my configured AuthZ rules and AuthZ profile for provisioning,
    I want the process to be the same for iPhone, Android and Windows.
    1) Connect to the SSID
    2) Login using your AD credentials PEAP-MS-CHAP-v2
    3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
    4) As soon as the client clicks "register", no more redirects and PERMIT-ALL
    I think that I don't need to rely on profiling because in terms of AuthZ policies it should be something like this:
    1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
    2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
    3) everything else = DENY-ALL
    But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access (see attachment photo3.png), but as I said in the post it shows that it cannot retrieve the MAC address, so the client can't register his device and doesn't have access to the network. (To grant access I've configured provisioning policies; that way the clients can register their devices, but they are redirected to Google Play or are forced to install the profile on iOS, and this is what I don't want because it is not necessary.)
    What screenshot do you need after the registration? The Auth report?
    Thank you very much for your time!

  • Using Apple Airport Express in Uni ( 802.1x authentication)

    Hi,
    I am living in halls this upcoming term and I am taking my PS3, iPhone and laptop. All of these require the internet. So I have an Apple AirPort Express; when I plug it into the ethernet in my room, how do I configure it for the 802.1x authentication that my university uses? I cannot see any options in the admin utility that say 802.1x.
    I would appreciate any help.

    When I enable this option the RADIUS server information box appears. Does anyone know if, when I plug the Express into my uni network, the unit will automatically find all the RADIUS server settings, or will I have to speak to IT and request them to input them manually?
    A RADIUS server is used to authenticate the user before allowing them access to the network. The AirPort Express Base Station (AX) will not automatically populate these fields and this would be something that your University's IT staff should be able to help you with ... if they allow this.

  • 802.1X Authentication issues when moving between switch ports

    Hi Guys,
    We are having some issues at our office where, when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about the MAC Move and MAC Replace features, but they seem to be used when moving from one port on a switch to another port on that same switch. Will MAC Move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
    The configuration we have on the switch ports looks as follows:
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    dot1x pae authenticator
    Your help is greatly appreciated.
    Grant

    Hi Neno,
    Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
    Here is the config:
    aaa group server radius customer-nps
     server name radius1
     server name radius2
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius server radius1
     address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
     key 7 05392415365959251C283630083D2F0B3B2E22253A
    radius server radius2
     address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
     key 7 107C2B031202052709290B092719181432190D000C
    interface GigabitEthernet1/0/1
     switchport access vlan 300
     switchport mode access
     switchport voice vlan 2
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication host-mode multi-domain
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication periodic
     authentication timer reauthenticate 28800
     authentication timer inactivity 1800
     mab
     no snmp trap link-status
     mls qos trust cos
     dot1x pae authenticator
     auto qos trust cos
     storm-control broadcast level 1.00
     storm-control multicast level 1.00
     spanning-tree portfast
     spanning-tree bpdufilter enable

  • 802.1X Authentication fails when connecting to WPA Enterprise using Leopard

    I'm trying to connect to an office WiFi network with my MacBook Pro which has 10.5.1 installed.
    There are instructions on how to connect using Tiger which are very simple:
    1. Enter network name
    2. Wireless Security: WPA Enterprise
    3. Enter domain credentials for username and password fields
    4. 802.1X Configuration: Automatic
    There are at least two people here using Tiger that can connect using these instructions.
    I've tried the same thing with Leopard and keep getting an error dialog stating "802.1X Authentication has failed."
    I've also tried fiddling with the 802.1X tab under "Advanced" (I know the protocol is PEAP), but no matter what I get the same error.

    Turns out I was not authorized to use the WiFi. IT got me set up and everything works now.

  • ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

    Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens with Cisco ACS as the RADIUS server?
    I have come up with a bunch of incompatibilities between the offered support, e.g.
    1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
    2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC.
    We tried using the RSA-provided EAP client with both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
    I know it works with third-party EAP software like the Juniper Odyssey client and the Cisco Aegis client, but we need to make it work with the native Windows XP EAP client.

    Hi,
    We have tried to do the exact same setup as you and we also failed.
    When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native), ACS gives "external DB password invalid" and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
    MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one-time nature of it. So they (RSA) don't.
    When we authenticate using e.g. a 3rd-party Dell client, we can successfully authenticate using either PEAP-GTC (Cisco PEAP), EAP-FAST or EAP-FAST-GTC.
    A list of EAP protocols supported by the RSA is attached.
    Also below is the link which says that MS-PEAP is NOT supported with the RSA; please check the table "EAP Authentication Protocol and User Database Compatibility":
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
    What we are trying to do now in the project is leaving the AP authentication open and trying to authenticate using RADIUS through a firewall or Cisco router authentication proxy.

  • Why Unable to identify a user for 802.1X authentication (0x50001)?

    Hello,
    We are trying to set up wifi single sign-on. When logging in to a laptop we get a message "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users", and after that we are logged in to the laptop and successfully connected to the Pivot_Users wifi network.
    Server: Windows Server 2003 (with all updates)
    Laptop: Windows 7 Professional SP1 (with all updates)
    When looking in the event log I found this error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-10-10 10:38:01
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      sba01-nb
    Description:
    A request was made to authenticate to a wireless network.
    Subject:
    Security ID:                
    Account Name:                -
    Account Domain:                -
    Logon ID:                0x0
    Network Information:
    Name (SSID):                Pivot_Users
    Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
    Local MAC Address:        C4:85:08:12:77:44
    Peer MAC Address:        00:24:97:83:8E:61
    Additional Information:
    Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
    Error Code:                0x525
    EAP Reason Code:        0x0
    EAP Root Cause String:        
    EAP Error Code:                0x0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5632</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12551</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
        <EventRecordID>37791</EventRecordID>
        <Correlation />
        <Execution ProcessID="760" ThreadID="2224" />
        <Channel>Security</Channel>
        <Computer>sba01-nb</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SSID">Pivot_Users</Data>
        <Data Name="Identity">
        </Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="PeerMac">00:24:97:83:8E:61</Data>
        <Data Name="LocalMac">C4:85:08:12:77:44</Data>
        <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
        <Data Name="ReasonCode">0x50001</Data>
        <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
        <Data Name="ErrorCode">0x525</Data>
        <Data Name="EAPReasonCode">0x0</Data>
        <Data Name="EapRootCauseString">
        </Data>
        <Data Name="EAPErrorCode">0x0</Data>
      </EventData>
    </Event>
    Thank you for the answer and help.
    Regards,
    Tadas

    Hi,
    Thanks for your post.
    Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure 802.1X for user-only authentication.
    Here is the process that is followed.
    1. As soon as the client is connected to the network, the Authenticator (switch) periodically sends an EAP Request packet/frame to the client/supplicant.
    2. The client has to respond back with an identity, and if it's configured only for user authentication then it will send a blank identity.
    3. The Authenticator cannot validate and the authentication will fail.
    4. The Windows client is configured for a block time of 20 min. So, once the authentication fails, the NIC will go into block time for 20 min until there is a change in credentials. So, even if the authenticator (switch) is periodically sending EAP Requests, it will just ignore them.
    5. You will see event 15506 after event 15514.
    Here's the TechNet article we can refer to for the reason code 0x50001 that we see in event 15514:
    http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
    0x50001 = Dec 327681
    Reason code: 327681   Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to "User" but no user is logged on.]   # def name: ONEX_UNABLE_TO_IDENTIFY_USER
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support
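    The reply above reads the failure off event 5632 by hand: reason code 0x50001 together with an empty Identity field means the supplicant had nothing to present. The following is an added example (not from the thread or from Microsoft) that parses the event XML as Windows emits it and turns that reasoning into a triage rule that could run over exported Security-log events. The namespace URL is the standard Windows event schema; the sample event is constructed from the fields shown in the question, with a made-up computer name and MAC address; the keyword bit for Audit Failure (0x0010000000000000) is a Windows constant.

```python
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WIRELESS_8021X_EVENT = 5632
ONEX_UNABLE_TO_IDENTIFY_USER = 0x50001   # reason code quoted in the reply
AUDIT_FAILURE_BIT = 0x0010000000000000   # set in Keywords for audit failures


def parse_wireless_auth_event(xml_text):
    """Pull the fields that matter for triage out of one Security-log event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    # <Data Name="..."> elements; an empty element yields "" after strip()
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=EVENT_NS)),
        "keywords": int(system.findtext("e:Keywords", namespaces=EVENT_NS), 16),
        "computer": system.findtext("e:Computer", namespaces=EVENT_NS),
        "ssid": data.get("SSID", ""),
        "identity": data.get("Identity", ""),
        "reason_code": int(data.get("ReasonCode", "0"), 16),
        "reason_text": data.get("ReasonText", ""),
        "peer_mac": data.get("PeerMac", ""),
    }


def triage(event):
    """Classify one parsed event: returns (short code, one-line explanation)."""
    if event["event_id"] != WIRELESS_8021X_EVENT:
        return "NOT_8021X", "not a wireless 802.1X authentication event"
    if not event["keywords"] & AUDIT_FAILURE_BIT:
        return "OK", "authentication succeeded"
    if event["reason_code"] == ONEX_UNABLE_TO_IDENTIFY_USER and not event["identity"]:
        return ("NO_CREDENTIALS",
                "supplicant sent an empty identity: the profile is user-only "
                "authentication and no user was logged on (reason 0x50001)")
    return "FAILED", "802.1X failed: " + (event["reason_text"] or hex(event["reason_code"]))


def triage_xml(xml_text):
    return triage(parse_wireless_auth_event(xml_text))


# Constructed event modelled on the one in the question (host name and MAC are made up)
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5632</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <Computer>laptop01</Computer>
  </System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity">
    </Data>
    <Data Name="PeerMac">00:11:22:33:44:55</Data>
    <Data Name="ReasonCode">0x50001</Data>
    <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
    <Data Name="ErrorCode">0x525</Data>
  </EventData>
</Event>"""

if __name__ == "__main__":
    code, why = triage_xml(SAMPLE_EVENT)
    print(code, "-", why)
```

    The rule deliberately keys on both the reason code and the empty Identity: a 0x50001 with a non-empty identity is a different failure and is reported as a plain FAILED so it is not hidden behind the "no user logged on" explanation.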

  • 802.1x Authentication on Wired and Wireless LAN

    I have successfully configured 802.1x authentication on wired and wireless LAN. We have Cisco switches, ACS SE and Windows AD.
    But I have one issue regarding single sign-on: while authenticating using 802.1x with Windows Active Directory, users that are logging in for the first time are not able to log on, but users whose profiles already exist on their PC have no issue; they are successfully authenticated and log in easily.
    Is there any way for users to log in successfully the first time using 802.1x authentication with Windows AD, like a single sign-on?

    We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the Windows hosts.
    At the beginning we were completely unable to log on on the machines where no locally stored Windows profile exists. After changing the timeout to authenticate at the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.
    Sadly this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.
    Hope that someone else has any clue?

  • Send vlan via Radius with 802.1x Authentication

    Hi all.
    I am trying to set up 802.1x authentication using the Windows XP supplicant, a Catalyst 2950 and FreeRADIUS as the RADIUS server.
    I can log in correctly, so I have the port in Authorized mode, but I can't download the VLAN id through the RADIUS server.
    Reading docs, I have found these attributes:
    cisco-avpair="tunnel-type(#64)=VLAN(13)"
    cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my VLAN id)
    but when I insert these into the RADIUS DB (I have also tried with a text file config...) I can see from the RADIUS debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)") is passed in the Access-Accept packet.
    Here are some outputs:
    Sending Access-Challenge of id 80 to 128.0.0.21:1812
    Cisco-AVPair = "tunnel-type=VLAN"
    EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf88b9673c199cb13def96563250cf8a7
    I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
    02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
    02:49:39: Attribute 26 75 0000000901457475
    02:49:39: Attribute 79 6 03010004
    02:49:39: Attribute 80 18 1ABB3507
    02:49:39: Attribute 1 10 74657374
    02:49:39: RADIUS: EAP-login: length of eap packet = 4
    02:49:39: RADIUS: EAP-login: radius didn't send any vlan
    so I can see that RADIUS is not sending anything about the VLAN...
    Has anyone already tried this setup?
    Thank you in advance.
    Massimo Magnani.

    OK, so I may have glossed over that before. From your debug post, you had:
    Cisco-AVPair = "tunnel-type=VLAN"
    Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1]).
    You don't need VSAs for VLAN assignment. You can do this with three standard RADIUS attributes. Here they are (and an example of what they should look like):
    [64] Tunnel-Type – “VLAN” (13)
    [65] Tunnel-Medium-Type – “802” (6)
    [81] Tunnel-Private-Group-ID - "" OR ""
    They are defined in RFC 2868.
    Hope this helps,
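    The answer's point, that a Cisco VSA saying "tunnel-type=VLAN" is not the same thing as the three RFC 2868 attributes, is easy to see once the bytes are decoded. The following is an added example (not from the thread, FreeRADIUS or Cisco) that encodes both forms and applies the check a switch makes before it accepts a VLAN from an Access-Accept: attributes 64, 65 and 81 must all be present under the same tag, with Tunnel-Type VLAN(13) and Tunnel-Medium-Type 802(6). The byte layouts are from RFC 2865 and RFC 2868; treating an untagged attribute as tag 0 is an assumption about how tolerant a NAS is; the sample replies are constructed, not captured.

```python
import struct

# RFC 2865/2868 attribute numbers and the values the answer lists
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VENDOR_SPECIFIC = 26
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6
VENDOR_CISCO, CISCO_AVPAIR = 9, 1


def avp(attr_type, value):
    """Encode one standard RADIUS attribute: Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_integer(attr_type, value, tag=0):
    """RFC 2868 tagged integer: Tag(1) followed by a 24-bit value."""
    return avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, text, tag=0):
    """RFC 2868 tagged string: Tag(1) followed by the string."""
    return avp(attr_type, bytes([tag]) + text.encode())


def cisco_avpair(text):
    """Vendor-Specific (26) carrying vendor 9 / vendor-type 1, i.e. a cisco-avpair."""
    inner = text.encode()
    vsa = struct.pack("!IBB", VENDOR_CISCO, CISCO_AVPAIR, 2 + len(inner)) + inner
    return avp(VENDOR_SPECIFIC, vsa)


def parse_attributes(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def decode_vsa(value):
    """Return (vendor_id, vendor_type, payload) from a Vendor-Specific value."""
    vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", value[:6])
    return vendor_id, vendor_type, value[6:4 + vendor_len]


def split_tag(value):
    """RFC 2868: a leading octet of 0x00..0x1F is a tag, anything else is data.
    An untagged attribute is folded into tag 0 (assumption: tolerant NAS)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(attrs):
    """Mimic the NAS check. Returns the VLAN id/name, or None when the reply
    does not carry a complete, consistent set of the three standard attributes."""
    groups = {}
    for attr_type, value in attrs:
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, data = split_tag(value)
            groups.setdefault(tag, {})[attr_type] = data
    for group in groups.values():
        if len(group) != 3:
            continue  # e.g. Tunnel-Type alone, or the id under a different tag
        if (int.from_bytes(group[TUNNEL_TYPE], "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group[TUNNEL_MEDIUM_TYPE], "big") == TUNNEL_MEDIUM_802):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None


# Constructed samples: what the answer recommends ...
STANDARD_REPLY = (tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
                  + tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
                  + tagged_string(TUNNEL_PRIVATE_GROUP_ID, "2"))
# ... and what the question's debug showed reaching the switch: only a VSA
VSA_ONLY_REPLY = cisco_avpair("tunnel-type=VLAN")

if __name__ == "__main__":
    for name, reply in (("standard", STANDARD_REPLY), ("vsa-only", VSA_ONLY_REPLY)):
        attrs = parse_attributes(reply)
        print(name, [(t, v.hex()) for t, v in attrs], "->", vlan_from_access_accept(attrs))
```

    Run against the debug line in the question, the leading bytes `00000009 01` of attribute 26 decode as vendor 9, vendor-type 1, which is exactly why the switch logs "radius didn't send any vlan": it never received attributes 64, 65 and 81.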

  • 802.1x authentication failure

    Hi, I'm not sure if I'm posting this in the right category, but here goes.
    I want to use 802.1x on our network but can't seem to get it to work. I followed all the instructions on the website. It says authentication failed. I'm pretty sure the RADIUS works because I use that same RADIUS for our VPN authentication.
    BTW I'm using a 48-port 2950-EI
    config
    aaa new-model
    aaa authentication dot1x default group radius
    interface FastEthernet0/3
    switchport access vlan 52
    switchport mode access
    no ip address
    dot1x port-control auto
    dot1x timeout reauth-period 1
    dot1x max-req 10
    dot1x reauthentication
    radius-server host x.x.x.x auth-port 1812 acct-port 1813 key <password>
    radius-server retransmit 3
    Am I missing something? Thanks

    Hello,
    OK, the config looks all right then. Is there a firewall or some other filter active between the switch and the RADIUS server that might be blocking ports 1812 and 1813?
    Regards,
    GP
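    Before chasing a firewall between switch and RADIUS server, it is worth running the posted switch configuration (and the other IOS snippets earlier in this page) through a mechanical checklist. The following is an added example, not from the thread or from Cisco: a small linter over IOS running-config text that checks the global prerequisites for dot1x (`aaa new-model`, the dot1x method list, `dot1x system-auth-control` on releases that have it), notes when `aaa authorization network default group radius` is absent (needed for RADIUS-assigned VLANs), and flags a `dot1x timeout reauth-period` value too small to be intentional. The 300-second floor and the sample configuration (modelled on the 2950 one above, with a documentation-range server address and a placeholder key) are assumptions of this example.

```python
import re

# Global commands a dot1x deployment needs before any port can authenticate
REQUIRED_GLOBAL = {
    "aaa new-model": "AAA is off, so the dot1x method list is never consulted",
    "aaa authentication dot1x default group radius": "no dot1x method list points at RADIUS",
    "dot1x system-auth-control": "dot1x is not enabled globally (on IOS releases that have this command)",
}
# Needed only when the RADIUS server is expected to push a VLAN to the port
DYNAMIC_VLAN_GLOBAL = "aaa authorization network default group radius"
MIN_REAUTH_SECONDS = 300   # assumption: anything lower is a typo, not a policy


def parse_interfaces(config_text):
    """Map interface name -> list of its indented sub-commands."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith((" ", "\t")) and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None   # back at global configuration level
    return interfaces


def lint_dot1x(config_text):
    """Return a list of (severity, location, message) findings."""
    findings = []
    globals_ = {l.strip() for l in config_text.splitlines() if not l.startswith((" ", "\t"))}
    for cmd, why in REQUIRED_GLOBAL.items():
        if cmd not in globals_:
            findings.append(("error", "global", f"missing '{cmd}': {why}"))
    if DYNAMIC_VLAN_GLOBAL not in globals_:
        findings.append(("info", "global",
                         f"missing '{DYNAMIC_VLAN_GLOBAL}': RADIUS-assigned VLANs will be ignored"))
    if not any(g.startswith(("radius-server host", "radius server ")) for g in globals_):
        findings.append(("error", "global", "no RADIUS server defined"))
    for name, cmds in parse_interfaces(config_text).items():
        if "dot1x port-control auto" not in cmds and "authentication port-control auto" not in cmds:
            continue   # port is not doing 802.1X; nothing to check
        for cmd in cmds:
            m = re.match(r"dot1x timeout reauth-period (\d+)$", cmd)
            if m and int(m.group(1)) < MIN_REAUTH_SECONDS:
                findings.append(("warn", name,
                                 f"reauth-period {m.group(1)}s re-runs EAP almost continuously; "
                                 f"expected >= {MIN_REAUTH_SECONDS}s"))
        if "switchport mode access" not in cmds:
            findings.append(("warn", name, "802.1X port is not 'switchport mode access'"))
    return findings


# Constructed sample modelled on the 2950 configuration in the question
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
!
interface FastEthernet0/3
 switchport access vlan 52
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period 1
 dot1x max-req 10
 dot1x reauthentication
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SECRET
radius-server retransmit 3
"""

if __name__ == "__main__":
    for severity, where, message in lint_dot1x(SAMPLE_CONFIG):
        print(f"{severity:5} {where:16} {message}")
```

    The parser expects the indentation of a `show running-config`; the flattened copy in the post would need its interface sub-commands re-indented by one space first.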

  • 802.1x Authentication in Extreme architecture

    Hi all,
    Objectives :
    Authenticate a supplicant on an Extreme 802.1x port with an ACS SE 4.2
    Supplicant = IP Phone
    Authenticator : Switch Extreme 450 E
    Authentication Server : ACS SE 1113 4.2.0.124.9
    1) We have done the tests with a Windows ACS 4.2.0.124 and everything runs correctly; the supplicant authenticates without any problem.
    2) We have replicated the Windows ACS to the ACS SE. The 802.1x authentication does not work with the ACS SE but works with the Windows ACS.
    3) We have uploaded UDVs and VSAs on the ACS SE and it still does not work.
    These are the .csv file uploaded :
    accountactionsVsa.csv (used for the vendor)
    accountAttributes.csv (used for the vendor attributes)
    accountProfile.csv (used for the Attributes profile)
    accountvalues.csv (used for the Attributes values). This one is not on the attachment files :
    1,8,,,354,Disabled,1916,201,0,15/04/2009 10:00,,,,0
    2,7,,,354,Enabled,1916,201,1,15/04/2009 10:00,,,,0
    3,6,,,354,Disabled,1916,206,0,15/04/2009 10:00,,,,0
    4,5,,,354,Enabled,1916,206,1,15/04/2009 10:00,,,,0
    5,4,,,355,,,,,15/04/2009 10:00,,,,0
    The message in the ACS Failed Attempts log is: "Bad Request from NAS".
    We have verified the authenticator address and the secret key; everything is ok.
    With Windows ACS we can see first an "Access-Request" between authenticator and authentication server, next an "Access-Challenge" from authentication server to authenticator, next an "Access-Request" between authenticator and authentication server, and then an "Access-Accept" from authentication server to authenticator.
    With ACS SE we can see first an "Access-Request" between authenticator and authentication server, next an "Access-Reject" from authentication server to authenticator.
    We have tried to understand the differences between the first "Access-Request" in the Windows ACS architecture and the first "Access-Request" in the ACS SE architecture. The only difference is in the Message-Authenticator (80).
    Have you already had this kind of problem? How can I solve it?
    Thanks for your replies.
    Best regards.

    The supplicant only uses EAP-MD5 since it is an IP phone.
    EAP-MD5 is already checked in Global Authentication Setup.
    Just as a reminder:
    802.1x runs in the Windows version but not in the SE version with the same configuration (we have done the test with a replication from the Windows version to the appliance SE version). Both ACS versions have the same configuration, but one is running and the other is not.
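    The poster narrowed the difference between the two Access-Requests down to attribute 80, which is the one field a server can check against the shared secret before it looks at anything else. The following is an added example, not from the thread, Extreme or Cisco, that builds an Access-Request with a Message-Authenticator computed the way RFC 3579 specifies (HMAC-MD5 over the whole packet with attribute 80 zero-filled) and then performs the server-side verification, so a capture can be replayed through it with the secret you believe both sides hold. The shared secret, Request Authenticator and the EAP-MD5 identity response are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME = 1
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def avp(attr_type, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, request_authenticator, attributes, secret):
    """Assemble an Access-Request whose Message-Authenticator is HMAC-MD5 over
    Code, Identifier, Length, Request Authenticator and all attributes, with
    attribute 80 itself set to sixteen zero octets during the computation."""
    placeholder = attributes + avp(MESSAGE_AUTHENTICATOR, bytes(16))
    header = (struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(placeholder))
              + request_authenticator)
    mac = hmac.new(secret, header + placeholder, hashlib.md5).digest()
    return header + attributes + avp(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check: recompute attribute 80 with the shared secret.
    True only when the packet is well-formed, carries attribute 80 and it matches."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    offset, claimed_at = HEADER_LEN, None
    while offset + 2 <= length:
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and attr_len == 18:
            claimed_at = offset + 2
        offset += attr_len
    if claimed_at is None:
        return False   # EAP over RADIUS requires attribute 80; absence is a bad request
    claimed = packet[claimed_at:claimed_at + 16]
    zeroed = packet[:claimed_at] + bytes(16) + packet[claimed_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(claimed, expected)


def tamper(packet, index):
    """Flip one byte; shows that any change to the packet breaks attribute 80."""
    return packet[:index] + bytes([packet[index] ^ 0xFF]) + packet[index + 1:]


# Constructed sample: an EAP identity response from an IP phone. The Request
# Authenticator is fixed so the packet is reproducible; a real NAS uses 16 random bytes.
SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
EAP_IDENTITY_RESPONSE = bytes([2, 1, 0, 12, 1]) + b"phone01"   # Code=Response, Id=1, Len=12, Type=Identity
ATTRIBUTES = avp(USER_NAME, b"phone01") + avp(EAP_MESSAGE, EAP_IDENTITY_RESPONSE)
SAMPLE_REQUEST = build_access_request(7, REQUEST_AUTHENTICATOR, ATTRIBUTES, SECRET)

if __name__ == "__main__":
    print("same secret:      ", verify_message_authenticator(SAMPLE_REQUEST, SECRET))
    print("other secret:     ", verify_message_authenticator(SAMPLE_REQUEST, b"typo-secret"))
    print("tampered identity:", verify_message_authenticator(tamper(SAMPLE_REQUEST, 22), SECRET))
    fresh = build_access_request(8, os.urandom(16), ATTRIBUTES, SECRET)
    print("random authenticator:", verify_message_authenticator(fresh, SECRET))
```

    If a captured Access-Request verifies with the secret configured on the Windows ACS but not with the one on the SE, the two servers do not actually hold the same secret for that NAS, whatever the replicated configuration shows; if it verifies with neither, the NAS is computing attribute 80 over something other than the packet it sent.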

  • 802.1X Authentication + PKI encryption

    Hi Guys,
    I want to know if there is a relationship between 802.1x authentication and Cisco PKI encryption.
    We are facing some problems with many IP phones that were using 802.1x without problems. Once we installed PKI encryption on the IP phones, many of them began to fail: the IP phone shows "phone not registered" and in the status messages we can see "authentication fail". I have to reset the security settings on the IP phones or disable 802.1x on the switches to get the phones registering again.
    I am using CUCM 8.5 with 6961 phones
    Regards

  • ISE Wired 802.1x with Foundry access switch ,not show "Device Port"

    Our customer wants to enable wired 802.1x for user and machine authentication on a Foundry switch.
    They want to use ISE as the RADIUS server. We tried it, but the ISE report can't show which port the client is connected to on the switch.
    We got the tcpdump packets from ISE. It shows that the "nas-port-id" RADIUS attribute is not sent by the Foundry switch, but it sends "nas-port".
    Is it possible to let the Foundry switch send the "nas-port-id" attribute in the RADIUS request packet?
    Or is it possible to let ISE show the "nas-port" attribute value on the authentication report?
    Thanks.

  • 802.1x Authentication problems

    I configured dot1x port authentication on the switched network using a Cisco ACS SE, and on the computers (Windows XP/SP2) PEAP and EAP-MSCHAPv2. Everything works ok while the user already has his credentials loaded on the PC, but if somebody tries to log in on the PC as a new user, the authentication process fails, so I have to force the authentication process to gain access to the network; after that I set the authentication process back to auto, the user logs off, and then the authentication process works again.
    What am I missing??
    Please, some help...

    What we are seeing here is the known behavior of dot1x authentication. To bypass this issue we would need to set up machine authentication along with user auth. Here is the 802.1x process that explains the behavior that we were experiencing with the cached credentials.
    When machine authentication is enabled, the authentications occur in this order:
    When starting a computer,
    * Machine authentication-ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services.
    * User domain authentication-If machine authentication succeeded, the windows domain authenticates the user. If machine authentication failed, the computer does not have access to Windows domain services and the user credentials are authenticated by using cached credentials that the local operating system retains. When a user is authenticated by cached credentials instead of the domain, the computer does not enforce domain policies, such as running login scripts that the domain dictates.
    * You can also have only user authentication without machine authentication. It only gives problems in the case of a first-time user that is not yet registered once on the AD. So with machine authentication you have a network connection to AD, and therefore first-time users have no problem. In addition, without machine authentication (no access to AD during user login) you need to make sure to have user credential caching on the workstation. In machine authentication, AD and the machine will generate their own password (you don't know it) and username = machinename for the dot1x authentication. So after boot-up the machine will do dot1x with this machine credential. As soon as you type CTRL-ALT-DEL, user login will start.
    Regards,
    ~JG
    Do rate helpful posts

  • Configuring Wired 802.1x Authentication step-by-step guide

    Hello All
    I don't have a question at the moment, but I wrote a step-by-step guide on how to configure Wired 802.1x Authentication on Windows Server 2012 using Cisco switches.
    You can find the document on my website http://www.accessdenied.be/blog
    regards
    Johan Loos CISSP,MCT,ISO 27001 and others

    Hi Johan,
    Thanks for your sharing.
    As this post is not a question, I will change it to a Discussion. In addition, I would recommend that you publish the guide on the TechNet Wiki.
    http://social.technet.microsoft.com/wiki
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support
