802.1X EAP-PEAP with Apple devices

Similar Messages

• 802.1x EAP-PEAP over Ethernet need help !!!

  I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
  troubleshooting this, I am not sure what else to do.  Need help.  Here
  is the scenario:
  - Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
  - Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
  with IP address of 129.174.2.7.  This device is connected to the same switch above.
  Firewall is OFF on the server, allow ALL,
  - Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
  Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
  on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
  as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
  the port is activate to be "hot".
  - Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
  and that everything is looking fine,
  I have verified that the switch can communicate fine with the radius server.
  - Configuration on the switch for 802.1x:
  aaa new-model
  aaa authentication dot1x default group radius
  radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
  interface FastEthernet0/39
    description windows 2003 Supplicant
    switchport access vlan 401
    switchport mode access
    dot1x port-control auto
    no spanning-tree portfast (does not matter if this is enable or disable)
  lab-sw-1#
  .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
  .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
  .May 20 07:52:47.338: EAPOL pak dump Tx
  .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
  .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
  .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
  lab-sw-1#
  lab-sw-1#sh dot1x interface f0/39
  Dot1x Info for FastEthernet0/39
  PAE                       = AUTHENTICATOR
  PortControl               = AUTO
  ControlDirection          = Both
  HostMode                  = SINGLE_HOST
  Violation Mode            = PROTECT
  ReAuthentication          = Disabled
  QuietPeriod               = 60
  ServerTimeout             = 30
  SuppTimeout               = 30
  ReAuthPeriod              = 3600 (Locally configured)
  ReAuthMax                 = 2
  MaxReq                    = 2
  TxPeriod                  = 30
  RateLimitPeriod           = 0
  lab-sw-1#
  I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
  help me how to make this work.
  Many thanks in advance,

  #1:  dot1x system-auth-control is already in the switch configuration
  #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
  The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

• 802.1x EAP-PEAP - Radius Question

  We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
  1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
  802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
  getting a Cisco ACS to run a simple RADIUS server which is all I need.
  Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
  and how does it differ from the username you provide after the secure TLS tunnel has been configured.                  

  Hey John,
  Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
  http://www.youtube.com/watch?v=YIxG4OEfwtY
  The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
  http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
  So yes it sounds right and you should be good.
  Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
  Thanks John!
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• Which smart tv (SAMSUNG U46F7000 or SONY BRAVIA W8 46'') has the best communication and functionality with apple devices?

  Which SMARTTV (SAMSUNG U46F7000 or SONY BRAVIA W8 46'') has a better communication and functionality with apple devices (i pad- iphone).
  Since the above manufacturers do not give me a straight answer and it is very important reason for me to make a choice please advise!

  Sorry but I must correct about SONY!!!
  The question was for Bravia series W9 and not W8.

• Does the Samsung galaxy s4 mini compatible with apple devices

  Is the Samsung  galaxy s4 compatible with apple devices such as iPad 2 Mac book air ?

  Compatible in what respect?

• 802.1x EAP-TLS with Cisco IP-Phone on MS NPS

  Hi,
  does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
  With ACS it is not a problem at all.
  thx
  Sebastian

  Hi all !
  Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
  This is the last e-mail that Microsoft TAC has sent to the customer:
  ====================================================================================
  As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
  "Please find below some more information about the same from Microsoft TechNet Article :
  CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
  Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
  =====================================================================================
  Tks for your help !!!!!!!
  Luis

• Multiple issues with apple devices.

  First up is my iPhone 5. The major issue with it is that it cannot text anyone no matter what. I have reset the network settings multiple times but to no avail. I have even tried iMessage but that is only a temporary fix, as it doesnt allow me to text people without an iPhone. Secondly, it fails most of the time to connect to the 2.4GHz signal coming from my router, however, the 5GHz signal is proving to have much better results, but i cannot connect to it at all times, as the 5GHz signal cannot reach my room.
  The second issue is my iPad 2. This device straight up wont connect to either signal, despite not only a network reset, but many factory resets.
  I have heard of other devices in my house not having a great connection, namely my mothers MacBook Pro, but this is only the case with apple devices.
  I am fairly certain my iPhone is under warranty, so is it possible to get a replacement, or will the current one be fixed.
  Any insight or advice is greatly appreciated.

  RoyalRice wrote:
  I am fairly certain my iPhone is under warranty, so is it possible to get a replacement, or will the current one be fixed.
  Any insight or advice is greatly appreciated.
  Did you reset the router? Is the wifi signal coming from the router? Since multiple devices are having problems connecting to your wifi, the problem might be there and not on the devices.
  I would check that first. If that does not solve the problem, then take the iPhone to an Apple store or authorized service center.

• Connection to wi-fi network with apple devices is highly unstable

  About a year ago I bought a 1TB time capsule that I use to create a wi-fi network at home. At wi-fi network I connected with no problem my Imac and Iphone 3g up to 20 days ago. Since then the connection to network has become unstable, I can not always connected with both utilities, especially with the iPhone that any attempt to link it to network indicates "can not access the network". Without change anything, sometime We can connect to network without any problem for some hours, sometime for some minuts/seconds. I tried several times to reset the configuration of the time capsule, also with qualified personnel apple but I have not solved anything. Today the connection to wi-fi network at home with apple devices is highly unstable.

  Hi,
  Thanks for your reply but as mentioned in my post, I've checked if drivers needed updating and it says the latest driver is already installed and updated for this device (network adapter).  I double checked through the HP Drivers & Download page and scan for updates for out of date and missing drivers and software and it seems to scan to about 17% then I'm taken to another page with a link that goes back to software & driver downloads page so I click 'next' to confirm my operating system which then shows a long list of things to download and being that I know very little about computers, I don't know what I'm meant to be downloading or not?  Everything?  There's a total of 31 possible downloads listed (under their respective headings).
  Have just rung the store that sold us this notebook a week ago and they are going to replace it as they've said it sounds like a faulty network card.  Whew.  I'm still a little confused though as to which of the downloads from HP's list I'm meant to download (assuming I'll see a similar list when we get the replacement computer) so if anyone can help me out with that, I'd really appreciate it.  Thanks.

• Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

  Hello,
  I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EPA-PEAP & EAP-MSCHAPv2 authentication.
  The RADIUS SERVER is M$ IAS.
  Authentication is working with a laptop, but it is not with my phone
  The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
  Does somebody know what should I change in my phone's configuration to make it work ?
  Thanks,
  Ceux qui aiment marcher en rangs sur une musique :
  ce ne peut être que par erreur qu'ils ont reçu un cerveau,
  une moelle épinière leur suffirait amplement. -- Albert Einstein

  Hi,
  Sorry for the late answer since I was "out of the office" for a while
  So here is the process to get the certificate.
  Log in to you IAS Server.
  Open the IAS Service Application.
  Go to "Remote Access Policies".
  Choose the policy that apply to "Wireless Connection"
  Click "Edit Profile" button.
  Choose "Authentication" Tab.
  Click "EAP Methods"
  Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
  The Next Window will show you the Certificate Issuer Name & Expiration Date.
  Then, click "Start" Button.
  Choose "Run".
  Type "mmc" in the "Run" box.
  Click "File" & Choose "Add/Remove Snap-In".
  Click "Add" Button.
  Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finnish.
  Click "Close" & "OK" Button.
  Expand the "Certificates - Current User" Entry" & "Intermediate Certification Authorities" & Select "Certificate".
  The left window will show you a list of certificate. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
  "Right click" on the certificate, choose "All Tasks", the "Export".
  In the new window, click "Next" Button.
  Choose "DER Encoded Binary X.509 (.cer) entry & click "Next" Button.
  Choose a suitable location.
  Click "Next" Button & "Finnish" Button.
  Certificate is now exported.
  You have to install it on your Phone now.
  The most simple way is to copy the certicate on a Web Server and access it with your phone.
  Hope that Help, if you did not already succeed.
  Ceux qui aiment marcher en rangs sur une musique :
  ce ne peut être que par erreur qu'ils ont reçu un cerveau,
  une moelle épinière leur suffirait amplement. -- Albert Einstein

• 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

  I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine...  We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
  autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
  Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
  even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
  Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
  in the username password Setting.
  Is it possible edit or change the way the client PC is sett up to prevent this?
  Is there any way make a policy setting? or is there other solutions?
  I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
  Thanks

  Hi,
  As I know, this goal cannot be achieved.
  Reference:
  Use the 802.1X Wizard to Configure NPS Network Policies
  For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
  Microsoft: Smart Card or other certificate, click
  Configure, click
  OK, and then click
  Next.
  For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
  Microsoft: Protected EAP (PEAP). In
  Eap Types, click
  Add, click
  Smart Card or other certificate, click the
  Move Up button to position a smart card or other certificate at the top of the list, click
  OK, and then click
  Next.
  For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
  version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
  Eap Types, click
  Add, click
  Secured password (EPA-MSCHAP v2), click the
  Move Up button to position the secured password authentication type at the top of the list, click
  OK, and then click
  Next.
  Regards,
  Sabrina
  TechNet Subscriber Support
  in forum.
  If you have any feedback on our support, please contact
  [email protected]
  This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
  This can be beneficial to other community members reading the thread.

• Android ASUS tab into 802.1X EAP/PEAP wireless network

  Hi Guys,
                  I have been fighting with this for awhile now, i decided to call the exeprt.  At work with have a 802.1x EAP wirless network. PCs and Blackberies work fine once they grab their cert. However,  things aren't that esay with the Android tablets. I have been testing with  an ASUS, i have both cert(CA, and user) into the /etc/security folder of the tablet. But tablet still unable to authenticate, i don't even receive any logs in the Radius SERVER.
  Any tricks or ideas will be very appreciate.
  Thanks,
  GV

  Jean,
  When you say your using PEAP, that means you only need a certificate on the radius server and not the client device.  What radius server are you using and are you setup for PEAP or EAP-TLS?

• Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

  Hello,
  We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

  Originally Posted by djaquays
  I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
  I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
  This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
  It's a couple of years since I did this so my memory is a bit vague... :(
  Did you install the peap plugin on the workstation, if I remeber correctly this was needed?
  http://support.arubanetworks.com/TOO...4/Default.aspx
  Thomas

• Cisco 877 - not working with apple devices

  Hello all,
  I'm hoping someone can help me with a problem I have with my 877 adsl router.
  A bit of background:
  I have set this up as my home router to the internet,  which is connected to a Linksys WRT54GL as a wireless access point.
  My windows & Linux devices/laptops all work fine over this setup and connect without a problem
  However, all my apple devices, phones and ipads don't fully work. I can get to google and a handful of pages,  but not the store or games or facebook etc. (my daughter thinks its the end of the world - without FB and instagram)
  If I take out the Cisco and put a Thompson router in, it all works fine. so I'm assuming it something with the Cisco config.
  Below is the config I'm using on the router
  Any pointers would be most appreciated.
  ddhrouter#sh run
  Building configuration...
  Current configuration : 2292 bytes
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname ddhrouter
  boot-start-marker
  boot-end-marker
  enable secret 5 mysecret
  no aaa new-model
  dot11 syslog
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1
  ip dhcp pool CISCODHCP
     network 192.168.1.0 255.255.255.0
     dns-server 212.50.160.100 213.249.130.100 8.8.8.8
     default-router 192.168.1.1
  ip name-server 212.50.160.100
  ip name-server 213.249.130.100
  ip name-server 8.8.8.8
  username cisco privilege 15 password 0 mysecret
  archive
   log config
    hidekeys
  interface ATM0
   description ** adsl interface **
   mtu 1452
   no ip address
   load-interval 30
   no atm ilmi-keepalive
   pvc 1/50
    ubr 288
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
   dsl operating-mode auto
   hold-queue 224 in
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Vlan1
   description ** local lan **
   ip address 192.168.1.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly
   hold-queue 100 out
  interface Dialer0
   no ip address
  interface Dialer10
   description ** adsl dialer interface **
   ip address negotiated
   ip mtu 1482
   ip nat outside
   ip virtual-reassembly
   encapsulation ppp
   dialer pool 1
   ppp chap hostname myusername
   ppp chap password 0 mypassword
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer10
  no ip http server
  no ip http secure-server
  ip http max-connections 4
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 1 interface Dialer10 overload
  ip access-list extended TerminalAccess
   permit tcp host 192.168.1.0 any eq telnet
   permit tcp any any eq 22
   deny   tcp any any
  ip access-list extended no_telnet
   deny   tcp any any eq telnet
  access-list 1 remark INSIDE_IF=Ethernet0
  access-list 1 remark SDM_ACL Category=2
  access-list 1 permit 192.0.0.0 0.255.255.255
  access-list 110 permit icmp any any echo
  access-list 110 permit icmp any any echo-reply
  dialer-list 1 protocol ip permit
  control-plane
  line con 0
   password password
   no modem enable
  line aux 0
  line vty 0 4
   access-class TerminalAccess in
   password password
   login
  scheduler max-task-time 5000
  end
  ddhrouter#
  all I'm after is a standard setup for my router. allow any out - deny any in.
  Many thanks in advance.
  Dave

  ooo, you left your username, password, and enable in in clear text in the config you pasted, as well as not having an outside ACL applied and the VTY ACL allowing ssh from anywhere.  Luckily the outside IP address isn't in the config or I'm sure someone would get ahold of your router....:)  You should apply an outside access list and a firewall (I prefer CBAC firewall config for ease of use, but there is Zone based) to fix this.  I assume ACL 110 was meant to be your outside ACL but it just isn't applied.
  That being said Jody is likely right.  PPPoE requires you to shrink your packet size (MTU/MSS) to allow room for the encapsulation that gets added to the packet.  The command he supplied should fix this. 
  The 'ip mtu 1482' on the dialer interface may be too large as well.

• WRT120N connection issues with Apple devices

  my family has a plethora of devices we connect to the internet wirlessly through our relatively new WRT120N router, including a desktop, 3 laptops, 2 iPhones, 2 iPod Touches, an iPad, and a Playstation 3. 
  The wireless on the laptops and desktop (all are PCs) is fine, but the wireless on the Apple devices is terrible. every 5 seconds or so the signal will drop and the devices will lose the connection with the wifi. You have to go to settings and wireless to reconnect, but that will only last you another 15 seconds (if you're lucky). I have updated the firmware on the router, but it didn't do anything.
  Does anybody have an idea of how to fix this problem? It's ridiculously annoying, and I have a feeling can be fixed with relative ease, especially since it's just the Apple products that are affected. 
  Thanks! 

  @ jimmypat1221,
  Same here and I did some research and here’s what I found.  I accessed the router settings by typing the 192.168.1.1 (http://kb.linksys.com/Linksys/ukp.aspx?vw=1&docid=856544c9d38d4e7a870493667aac568b_20603.xml&pid=80&...) and I found out that the firmware is not updated, so I upgraded the firmware my self. I downloaded first the firmware (http://support.linksys.com/en-apac/support/routers/WRT120N) and saved it to my desktop screen. Going back to the router settings and I just follow this link on how to upgrade (http://kb.linksys.com/Linksys/ukp.aspx?pid=96&vw=1&articleid=4030) and it was successfully upgraded.  I set my set settings on the router with channel 11 and the security was wpa2 personal. From then on I don’t have issue with any of my apple devices.

• Is there errors with apple devices lately?

  My iPad Wifi and iPhone 4 don't seem to send the notifications and emails through right away. It's weird. It did it home, it did it on vacation this weekend. Is Apple experiencing errors with their devices? If so, they should release iOS5 soon 'cause it would update their devices

  Copied from the iPad User Guide for iOS 4.3 book that is available in iBooks as a free download. I highlighted and made the type bold and red that I think is pertinent to your question. The notification delay could be on the server end as well I would imagine.
  Fetch New Data
  This setting lets you turn Push on or off for MobileMe, Microsoft Exchange, Yahoo! Mail, and any other push accounts on iPad. Push accounts automatically deliver new information to iPad when new information appears on the server (delays may occur). To fetch or sync pushed data, iPad must have an Internet connection. Turn Push off to suspend delivery of email and other information, or to conserve battery life.
  When Push is off, and with accounts that don’t support push, iPad can still check the server to see if new information is available. Use the Fetch New Data setting to determine how often data is requested. For optimal battery life, don’t fetch too frequently.