802.1x credentials failure with ACS 5.2

Hi all,
I recently tried to deploy an ACS appliance with version 5.2 installed on it for a customer.
After setting up the WLC to use the ACS as a RADIUS server, and successfully testing the connection from the ACS to the AD,
I get the error message "12321 PEAP failed SSL/TLS handshake because the client rejected the ACS local-certificate" any time a client tries to connect to the network.
This is surprising because I had already generated a certificate for the ACS from a CA and bound the CA-signed certificate to the ACS; I also specified the CA in the client machine's wireless properties and checked the "validate certificate" button.
When I tried to connect using the internal identity store, the client was successfully authenticated without any certificate issues.
Any help on this will be appreciated.

Hi,
Can you please send me the PDF output of the authentication for the user which passes authentication to the internal identity store and for the user account that fails when pointing to AD? Are you using an identity sequence or are you modifying the identity settings? If it is OK please attach it to your next post. If not, please PM me and I can set up a share for you to upload the files to securely.
thanks,
Tarik

Similar Messages

  • 802.1x with ACS and Windows AD

    Hi
    I'm trying to set up 802.1x with ACS 5.2 but am struggling as it's very different to ACS 4.2.
    I have set up the ACS to be in the domain and think I have set up the External Identity Store; however, when I try to authenticate a PC using authentication method 'PEAP (EAP-MSCHAPv2)', I get the failure reason '22056 Subject not found in the applicable identity store'.
    Marco

    Hi Marco,
    I guess you've missed a mapping configuration in the Access Policy section.
    Create an Access Service, name it AS-802.1x, select User Selected Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as the allowed protocol. Click Finish.
    You'll see the new service; click Identity.
    Select the identity source you've created, then save.
    Click on Authorization.
    Select a default authorization rule of Permit Access and save.
    Create a Service Selection Rule and name it 802.1x.
    Select Protocol RADIUS as the condition and, as the compound condition, select RADIUS-IETF:Service-Type match Framed, then select the service you created before.
    Then you can try again.
    regards
    alex

  • 802.1x and Windows Domain Controller with ACS

    Wow, I am having a tough time getting my ACS and the domain controller to work with 802.1x PEAP. Can somebody explain to me how to set up the domain controller (Active Directory) to get a PEAP cert? Some other questions: if I am using PEAP and 802.1x, how does my computer get a cert from the CA if the port is disabled by 802.1x? And how do I set up my domain controller to work with ACS to authenticate users? I have been beating myself to death to figure this out. Any help would be awesome. I am really stuck on trying to make this work.
    Thanks a ton in advance
    Justin

    I, as a Cisco customer, would like to see answers to our questions based on some real-world experience or something you've noticed in a lab environment.
    Simply posting links is not very helpful. The reason most of us come to this site and post our questions is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our questions instead of referring us to a link.
    Thank you,
    John...

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with Mac OS X on the ACS 4.1 platform?
    If yes, what are the prerequisites on ACS and Mac OS X? Which authentication methods are recommended?
    I'm sorry, but I don't find documents which show validated tests of an 802.1x implementation method on ACS 4.1 with a Mac OS X supplicant.
    Thanks in advance
    Best regards
    Thanks

    Yes, refer to the document below:
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as for Windows-based clients.

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS), using ACS 5.5 as the authentication server.
    We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether the authentication is working or not. I believe both the root CA and the identity certificate also need to be installed on the laptops, but I am not sure how to download the certificates for the client machine manually from the CA.
    Kindly suggest on how to get certificates for clients both manually as well as automatically?
    Thanks,
    Vijay

    Hi Vijay,
    For wired 802.1x (EAP-TLS) you need to have the following certificates:
    On ACS: Root CA, Intermediate CA, Server certificate
    On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
    I am not sure which third-party certificate server you are using. If it is an in-house Microsoft or any other certificate server, then you need to download the client certificate from the server itself.
    In the case of Microsoft, there will be a template for user certificates. You can select it and create a user certificate.
    This is an old document, but it has steps to configure a machine certificate for the user. You can see the steps to download a user certificate if it is a Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    If you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
    Cheers
    Minakshi(rate the helpful post)

  • Using Multiple AD domains with ACS

    Hi,
    Is it possible to use multiple domains for authentication with ACS? I need to use AAA to authenticate remote users into a centralised location, but the users will be from different domains and I was hoping to use a single appliance to cater for all domains. Can this be achieved using LDAP? I understand that ACS can only be part of one AD domain.....
    In essence I am hoping that I will be able to authenticate the user based on their domain\credentials.
    Thanks in advance
    Jason

    Hi Javier,
    I understand that ACS can only join a single AD domain, but can it use LDAP to authenticate users from different AD domains? I don't want to have to establish trusts between different domains.
    Kind regards
    Jason

  • Dynamic VLAN Assignment on 2950 with ACS 4.2

    Hello to everyone
    We have a problem with a Cisco 2950G 48 EI and ACS (version 4.2) providing dynamic VLAN assignment based on groups.
    On the ACS we configured the following attributes for the specific group:
    64 = VLAN
    65 = 802
    81 = VLAN Name
    We tried both the VLAN name and the VLAN ID for attribute 81, but we get the same results.
    In detail, we need the machine to be placed on VLAN ID 6, named vlan_sio, so we inserted these values in the attribute field.
    Before that we configured the switch to speak with ACS:
    aaa new-model
    aaa group server radius Switch
     server 172.16.0.93 auth-port 1812 acct-port 1813
    dot1x system-auth-control
    radius-server host 172.16.0.93 auth-port 1812 acct-port 1813 key xxxxxx
    radius-server retransmit 3
    Configured the ports for the use of dot1x:
    switchport mode access
    dot1x port-control auto
    dot1x guest-vlan 7
    spanning-tree portfast
    The users are correctly authenticated but the ports are always connected to the default VLAN of the ports.
    We tried to debug with the debug dot1x events command and we get the following errors:
    Feb 16 12:00:04.017:         Attribute 64 6 0100000D
    Feb 16 12:00:04.017:         Attribute 65 6 01000006
    Feb 16 12:00:04.017:         Attribute 81 4 01360806
    Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
    Feb 16 12:00:04.037: dot1x-ev:Received VLAN Id -1
    Feb 16 12:00:04.041: dot1x-ev:dot1x_port_authorized: clearing HA table from vlan 1
    Feb 16 12:00:04.049: dot1x-ev:dot1x_port_authorized: Added 0006.1bdb.6a09 to HA table on vlan 1
    Does anyone know what we could have missed?
    Thanks

    Solved.
    It was just missing the command:
    aaa authorization network default group XXXX

  • 802.1x Wireless Authentication with 10.8.4 Build 12E3067

    Hello All,
    I work in a school and we use 802.1x authentication for Wi-Fi and access to our server and staff wireless VLAN. We use a login window profile that authenticates with our Active Directory.
    The previous and working setup was an MBA (Mid 2012) 5,1 running OS 10.8.4 build 12E55. This OS was downloaded from the Mac App Store. Bound to the domain and using authorization certificates for our Active Directory controllers. Created a Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 Server. No issue. Units authenticate with the server at user login, join Wi-Fi and mount the home folder.
    The new and not working setup is an MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067. This unit will not run build 12E55; it boots to a prohibitory sign. The unit is set up with the same certificates and 802.1x profile. When first booting up, the Wi-Fi signal appears to be attached to the network, unlike the previous setup, where the Wi-Fi indicator appears disconnected until the user logs in. 90% of the time the new units will not authenticate. It states that it is unable to connect to the server and then loads into a mobile user account. It will not attach to Wi-Fi. There are instances when it does authenticate properly; however, logging out and then back in will cause the failure.
    Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed it on an MBA 5,1. The same failure happens. This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
    Troubleshooting:
    - I have taken OS build 12E3067 on the MBA 6,2 (failing to authenticate) and removed the Wi-Fi profile. The unit authenticates over Ethernet with no issue. Add the profile back and the issue surfaces.
    - Created a new profile using Profile Manager and the issue continues. Verified the proper certificates are being used. Would the previous profile
    - Restarted the domain controllers. The issue continues.
    Any thoughts or questions would be appreciated.

    Did you find any resolution to this? Our MBA Mid 2013 deployment is having a very similar problem. We've gone through loads of troubleshooting and have yet to come to a resolution. All our Mid 2012 MBAs are working fine; they're 10.7.5/10.8.4 mixed. Console logs don't show much; I'll try the wireless diags tomorrow. Our other 10.8.4 build appears fine on other models of machines. I've read posts about deleting the adapters, deleting the system config plists and changing the MTU size; these steps do not work for us.
    We don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering Wi-Fi wave). When you select the Wi-Fi symbol in the menu bar, other wireless networks do not show; the 'looking for networks' flywheel continues to spin. Occasionally on login the yellow jelly bean will appear then disappear before finally timing out without logging the user in (despite having mobile accounts enabled). Mostly the problem manifests itself when waking from sleep: the Wi-Fi symbol flutters endlessly without connecting. Deleting the 802.1x profile and re-adding it will re-enable connectivity. We've tried new profiles, but to the same end. I know our certs and systems are fine because previous Mac OS X builds work fine, as do our Windows clients.
    Any input would be much appreciated.

  • WLC 4402-50 with ACS 3.3

    Hi,
    We want to use ACS to authenticate an SSH or HTTP connection to a WLC 4402-50 running 4.2.99 using TACACS+. On our ACS 4.2 test server it works fine. Configured identically on an ACS 3.3 appliance we are not able to log in, although we do see a successful login in the Passed Authentications report within ACS.
    Is there an incompatibility between the WLC 4402-50 and ACS 3.3?
    thanks
    Bob

    The Cisco Secure Access Control Server (ACS) provides authentication, authorization, and accounting (AAA) services for users of the wireless network.
    It is also possible to employ a WLC controller strategy that uses an N+1 approach. When using N+1 architecture, each WLC is configured with a WLC that is designated as a backup WLC in the event of a failure. This controller is not used until there is a failure event upon which all APs using the failed controller switch to the backup WLC. This cost-effective approach provides a high level of availability in the event of a single WLC failure scenario.

  • 802.1x EAP-TLS with Cisco IP-Phone on MS NPS

    Hi,
    Has anybody got 802.1x EAP-TLS with IP Phones (e.g. 7962G) on Microsoft NPS up and running?
    With ACS it is not a problem at all.
    thx
    Sebastian

    Hi all !
    Have you solved this problem (LSC certificate)? I am facing the same problem and I have not found the solution yet.
    This is the last e-mail that Microsoft TAC has sent to the customer:
    ====================================================================================
    As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
    "Please find below some more information about the same from Microsoft TechNet Article :
    CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
    Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
    =====================================================================================
    Thanks for your help!
    Luis

  • TACACS auth and RADIUS accounting with ACS

    I am having RADIUS accounting issues with an ASA 5520 that uses TACACS for authentication. Both are hosted on the same ACS server. I can send RADIUS info to my Microsoft IAS box but get Syslog ID 113022 errors when trying to send to the ACS RADIUS. A packet capture shows the RADIUS accounting request getting to the ACS box (Windows Server 2003 R2) but syslog shows failedauth. Any ideas?

    Thank you for the response. I did verify the syslog explanation you gave below, and the AAA server is online as TACACS messages are getting to it. My configuration for the ASA for RADIUS is as follows:
    Server Group - RADIUS
    Protocol - RADIUS
    Accounting Mode - Simultaneous
    Reactivation Mode - Timed
    Max Failed attempts - 3
    Two servers in the Server Group
    ACS - Not working
    Microsoft IAS - Working
    I have tried removing the IAS server and changing the accounting mode to single and am still getting auth failures.
    ACS is configured as follows:
    Network Configuration
    AAA Clients - ASA authenticate using TACACS+
    AAA Servers - None listed. When I tried to add the ACS machine the error said the server already existed (In another Network Device Group)

  • "Invalid Credentials (Failure)"

    Hey folks,
    I've seen a couple of posts about this but they either haven't been resolved or the help wasn't helpful... I've had my iPhone for a month or two now, and everything was working perfectly, until last night when I went to refresh my inbox and got the "Cannot access mail: Invalid Credentials (failure)" error warning. Not cool.
    Any help, my Apple gurus???
    Meg

    A Gmail account can be accessed as an IMAP or POP account.
    Did you use the Gmail account preset when creating the account on your iPhone?
    If so, the account was created as an IMAP account on your iPhone, and the available IMAP Path Prefix also indicates this.
    EDGE is at&t's data or internet network - which is accessed via at&t cellular network with the iPhone. The iPhone can connect via an available wi-fi network (which is much faster access), or via at&t's EDGE network, which is much slower than wi-fi. If you have access to an available wi-fi network, I recommend using it. The iPhone will switch automatically between an available wi-fi network you have previously accessed with your iPhone, and at&t's EDGE network.
    I would try deleting and manually creating the account on your iPhone. Using the Gmail account preset when doing so automatically creates the account as an IMAP account, and no messages will be lost since all remain on the server - including sent messages.

  • SSID To Group Mapping With ACS 5.1

    Hi,
    I am trying to implement PEAP authentication with ACS 5.1 and PEAP is working fine. I have two SSIDs with PEAP authentication and I have two groups in AD. I need to map one SSID to one group and the other SSID to the other group.
    I implemented the same with ACS 4.2 (screenshot attached). Now the requirement is to implement the same concept in ACS 5.1. Could you please help me with this?

    If you go under Access Policies and Service Selection Rules and check your hit count (you may need to refresh if you just tried connecting), see if the rule is incrementing.
    If that rule has a condition tied to that SSID, it should only increment when that SSID sends traffic. If users' credentials are working, that's a separate issue.
    For the Access Service you created, that your selection rule feeds, check the following:
    Identity will be set to internal users.
    Under Authorization you will need to have hit Customize and selected "Identity Group" as a selector. Then when you make the rule, check that box and set it to your Staff group. Set the default at the bottom of the page to Deny Access.

  • HP LaserJet M1212nf MFP Printer - Communication Failure with the scanner

    Dear all,
    May I kindly ask if there are any known resolutions in terms of a scanning issue with the HP LaserJet M1212nf MFP Printer?
    When it starts scanning, the printer only scans up to the 3rd or 4th page; it stops in the middle of the sheet and produces an error message stating the following: Communication Failure with the scanner.
    Are there any steps that may be followed in order to resolve the incident?
    Many thanks in advance.
    Best regards,
    Ryan

    Hi @Ryan_HP ,
    I see that you are experiencing a communication error during scanning of multiple pages. I would like to help, but I will need some more information to provide you with the correct steps to resolve this issue.
    If you are using Windows, download and run the Print and Scan Doctor. It will diagnose the issue and might automatically resolve it. Find and fix common printer problems using HP diagnostic tools for Windows?
    Temporarily turn off any Antivirus Software, just to rule out any interference.
    Try scanning again.
    What operating system are you using?
    How to Find the Windows Edition and Version on Your Computer.
    Mac OS X: How Do I Find Which Mac OS X Version Is on My Computer?
    How is the printer connected? (USB/Ethernet)
    What were the results when you ran the Print and Scan Doctor? (did it print or scan, any error messages)
    What scanning software are you using?
    Have a wonderful day!
    Thank You.
    Please click “Accept as Solution ” if you feel my post solved your issue, it will help others find the solution.
    Click the “Kudos Thumbs Up" on the right to say “Thanks” for helping!
    Gemini02
    I work on behalf of HP

  • PlayReady failure with specific OS version of Windows 8.1 Update

    Hello,
    I'm observing a failure in my app during Smooth Streaming video playback using PlayReady DRM. The app is a WinJS Universal App solution for Windows Store and Windows Phone, using the latest updates for Visual Studio 2013, Update 4.
    So far, the failure is limited to one specific version of the Windows 8.1 Update. I have two identical devices, both retail versions of the phone, that demonstrate this issue. Note, these same phones that fail with PlayReady can successfully stream unprotected Smooth Streaming content.
    My other five Windows Phone devices, with different OS version numbers, do not demonstrate the failure with the identical app installed. Therefore, I suspect the OS version may be the cause.
    Failure description:
    When I attempt to stream PlayReady protected Smooth Streaming video, the player initializes the media player and the MediaProtectionManager, but then displays the error state (The video failed to play. Try again.) immediately, and the following message is displayed in Visual Studio:
    MEDIA12899: AUDIO/VIDEO: Unknown MIME type.
    --- Message: MEDIA_ERR_SRC_NOT_SUPPORTED (0x887A0004)
    Summary of tested OS versions:
    Windows Phone 8.1 Update
    8.10.14141.167, untested
    8.10.14147.180, untested
    8.10.14157.200, untested
    8.10.14176.243, NOKIA Lumia 830, fails to stream, tested with two devices
    8.10.14192.280, untested
    8.10.14203.206, HTC HTC6995LVW, streams successfully
    8.10.14219.341, NOKIA Lumia 920, streams successfully
    8.10.14226.359, BLU WIN HD W510u, streams successfully
    Windows Phone 8.1
    8.10.12359.845, untested
    8.10.12382.878, untested
    8.10.12393.890, NOKIA Lumia 920, streams successfully
    8.10.12397.895, untested
    8.10.12400.899, NOKIA Lumia 530, streams successfully
    Note, one of the OS versions I've tested fails to stream the PlayReady protected Smooth Streaming content, and five other OS versions I've tested successfully stream the same video content.
    Is this a known issue with a specific version(s) of Windows Phone 8.1?
    Regards,
    Andrew

    Hello,
    0x887A0004 equates to DXGI_ERROR_UNSUPPORTED. This error is usually generated when you are trying to use Direct3D features that are not supported. Different devices support different D3D features since they contain different video hardware. It is possible that a hardware feature that is required by the license is not supported in the hardware / driver of the device. I would recommend that you check the license and make sure that it does not contain any hardware specific requirements such as HDCP.
    In other words try playing content with the least restrictive license and see if it works for you.
    I hope this helps,
    James
    Windows SDK Technologies - Microsoft Developer Services - http://blogs.msdn.com/mediasdkstuff/
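
An added decoder (not from any of the threads above) for the "Attribute 64/65/81" lines in the debug output quoted in the 2950 dynamic VLAN thread. It shows that the three attributes already form a consistent Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID="6" assignment, so a switch that then logs "Received VLAN is No Vlan" is not applying the authorization it received, which matches the missing aaa authorization network command in the reply. The debug lines are copied from that thread; the decoding follows RFC 2868 and RFC 3580.

```python
import re

# Debug lines copied from the thread above (the "No Vlan" line carries no attribute).
DEBUG_LINES = """
Feb 16 12:00:04.017:         Attribute 64 6 0100000D
Feb 16 12:00:04.017:         Attribute 65 6 01000006
Feb 16 12:00:04.017:         Attribute 81 4 01360806
Feb 16 12:00:04.025: dot1x-ev:Received VLAN is No Vlan
""".strip().splitlines()

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 3580: Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6  # RFC 3580: Tunnel-Medium-Type value for IEEE-802

ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


def parse_attribute(line):
    """Return (type, tag, value) for one 'Attribute T L HEX' debug line, else None."""
    m = ATTR_RE.search(line)
    if not m:
        return None
    attr_type, length, hexdump = int(m.group(1)), int(m.group(2)), m.group(3)
    # L counts the 2-byte type/length header, and the IOS dump pads the value
    # out to a 4-byte word, so slice the hex down to the real value length.
    value = bytes.fromhex(hexdump)[: length - 2]
    if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
        # RFC 2868: one tag byte followed by a 3-byte big-endian integer
        return attr_type, value[0], int.from_bytes(value[1:], "big")
    if attr_type == TUNNEL_PRIVATE_GROUP_ID:
        # RFC 2868: a leading byte <= 0x1F is a tag; otherwise the whole
        # field is the group string (VLAN id or name) and the tag is 0.
        if value and value[0] <= 0x1F:
            return attr_type, value[0], value[1:].decode("ascii")
        return attr_type, 0, value.decode("ascii")
    return attr_type, None, value


def assigned_vlan(lines):
    """Return (vlan, reason): the VLAN the RADIUS server asked for, or None and why."""
    attrs = {}
    for line in lines:
        parsed = parse_attribute(line)
        if parsed:
            attrs[parsed[0]] = parsed[1:]
    missing = [a for a in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
               if a not in attrs]
    if missing:
        return None, f"missing attributes {missing}"
    (t_tag, t_val), (m_tag, m_val), (g_tag, group) = (
        attrs[TUNNEL_TYPE], attrs[TUNNEL_MEDIUM_TYPE], attrs[TUNNEL_PRIVATE_GROUP_ID])
    if t_val != TUNNEL_TYPE_VLAN or m_val != TUNNEL_MEDIUM_IEEE_802:
        return None, f"not a VLAN assignment (type={t_val}, medium={m_val})"
    # All three must carry the same tag to be grouped into one tunnel.
    if len({t_tag, m_tag, g_tag}) != 1:
        return None, f"tag mismatch (type={t_tag}, medium={m_tag}, group={g_tag})"
    return group, "ok"


if __name__ == "__main__":
    print(assigned_vlan(DEBUG_LINES))  # ('6', 'ok')
```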

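An added check (not from any of the threads above) for the gap the Microsoft TAC note in the IP Phone / NPS thread describes: a certificate with no CRL Distribution Points and no Authority Information Access extension. It uses the python-cryptography library; the two self-signed certificates it builds are constructed for the example, and the pki.example URLs are placeholders.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID


def chain_building_gaps(cert):
    """Names of the extensions a revocation/chain-building check needs that cert lacks."""
    gaps = []
    for ext_cls, name in ((x509.CRLDistributionPoints, "CDP"),
                          (x509.AuthorityInformationAccess, "AIA")):
        try:
            cert.extensions.get_extension_for_class(ext_cls)
        except x509.ExtensionNotFound:
            gaps.append(name)
    return gaps


def check_pem(pem_bytes):
    """Same check for a PEM certificate exported from a device or CA."""
    return chain_building_gaps(x509.load_pem_x509_certificate(pem_bytes))


def make_test_cert(with_cdp_aia):
    """Throwaway self-signed certificate constructed for this example (not a real LSC)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-phone")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=1)))
    if with_cdp_aia:
        # CDP: where the issuing CA publishes its CRL (placeholder URL).
        builder = builder.add_extension(
            x509.CRLDistributionPoints([x509.DistributionPoint(
                full_name=[x509.UniformResourceIdentifier("http://pki.example/ca.crl")],
                relative_name=None, reasons=None, crl_issuer=None)]),
            critical=False)
        # AIA: where the issuing CA certificate can be fetched (placeholder URL).
        builder = builder.add_extension(
            x509.AuthorityInformationAccess([x509.AccessDescription(
                AuthorityInformationAccessOID.CA_ISSUERS,
                x509.UniformResourceIdentifier("http://pki.example/ca.crt"))]),
            critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    print(chain_building_gaps(make_test_cert(False)))  # ['CDP', 'AIA']
    print(chain_building_gaps(make_test_cert(True)))   # []
```
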