802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
I push out the wireless client’s setting via group policy, and the clients are using WZC. 
Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
Some clients this will never happen to and a few it will happen repeatedly. 
To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
Many of our classrooms lack network drops, so wireless is the best for us. 
Except for this one downfall, it is working great. Any help is appreciated.

Hi Ryan,
Thanks for posting here.
Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase. 
Some clients this will never happen to and a few it will happen repeatedly. ”
  in detail ? Can you verify if there is any error or warring that relate with this authentication issue recorded in event log on client and radius server ?
Only certain computers are facing this issue or all?
What’s OS running on these client computers?
According the situation right now , I’d like to share some suggections with you:
1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
dialog.
3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
authentication.
5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
authentication process the failure occurs.
Meanwhile, I ‘d like suggest you may start troubleshooting with following the guides below and see if it will help:
Windows Server 2003 Wireless Troubleshooting
http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
Troubleshooting Windows Vista 802.11 Wireless Connections
http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
[email protected]
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
I checked if logging is turned on and I can see successful events from computers that are working. 
I can also see failed events from computers that are not ours that tried to connect to our wireless. 
However for the computers that are having this problem there are no logged events. 
It is as if they don’t even communicate with the server. 
Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
I did notice that the firewall is also turned on through group policy when the domain is not available.
   Do you think the firewall is blocking the communication? 
I added an exception to port 1812 UDP and this did not make a difference.

Similar Messages

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine...  We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
    autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
    Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
    even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
    Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
    in the username password Setting.
    Is it possible edit or change the way the client PC is sett up to prevent this?
    Is there any way make a policy setting? or is there other solutions?
    I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
    Thanks

    Hi,
    As I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
    Microsoft: Smart Card or other certificate, click
    Configure, click
    OK, and then click
    Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
    Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Smart Card or other certificate, click the
    Move Up button to position a smart card or other certificate at the top of the list, click
    OK, and then click
    Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
    version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Secured password (EPA-MSCHAP v2), click the
    Move Up button to position the secured password authentication type at the top of the list, click
    OK, and then click
    Next.
    Regards,
    Sabrina
    TechNet Subscriber Support
    in forum.
    If you have any feedback on our support, please contact
    [email protected]
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    This can be beneficial to other community members reading the thread.

  • Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

    Hello,
    We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

    Originally Posted by djaquays
    I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
    I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
    This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
    It's a couple of years since I did this so my memory is a bit vague... :(
    Did you install the peap plugin on the workstation, if I remeber correctly this was needed?
    http://support.arubanetworks.com/TOO...4/Default.aspx
    Thomas

  • 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

    Hello
    [Env on my lab investigation]
    supplicant - W7 with cert
    authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
    authentication server 2x - W2008/NPS like a RADIUS server
    [Config some part of authenticator]
    interface FastEthernet0/1
    switchport access vlan 34
    switchport mode access
    authentication event fail retry 1 action authorize vlan 47
    authentication event server dead action authorize vlan 35
    authentication event no-response action authorize vlan 47
    authentication event server alive action reinitialize
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 15
    spanning-tree portfast
    [Symptoms]
    After reboot authenticator the supplican connected to FE0/1 finally put into the Guest VLAN 47 and before that I saw on the authenticators console Authentication result 'timeout', but when the switch is up and running the the same port authenticator FE0/1 the same supplicant W7 with cert now I connect to authenticator finally supplicant put into static VLAN 34.
    [Summary]
    The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
    [The question]
    What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts?
    Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34 .
    [Logs]
    During this I observed the wireshark supplicant and authenticator console and NPS wireshark, below:
    1. supplicant and authenticator orderflow at wireshar:
    - supplicant EAPOL Start
    - authenticator EAP Request Identity
    - supplicat  Response Identity, 3 times
    - supplicant EAPOL Start
    - authenticator EAP Failure
    - authenticator EAP Request Identity x2
    - supplicat  Response Identity x2
    and again, more detail about flow from whireshar chart at the end
    2. authenticator console saw like this:
    *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    krasw8021x>
    *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    and finaly
    *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    3. Authentication server:
    - NPS doesn'e recived any RADIUS Access-Request/Response.
    [supplicant EAPOL flow chart, source wireshark]
    |Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
    |         |                   | Nearest           |                  
    |0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,051    |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,063   |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |18,065   |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |129,684  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |144,697  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |160,125  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |175,561  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |190,996  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,002  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,204  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |212,103  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |227,535  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |242,970  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    /regards Piter 

    Hi,
    Did you ever try to configure re-authentication?
    Is the client is up and running if you connect it to the switch?
    Sent from Cisco Technical Support iPad App

  • 802.1x eap-tls machine + user authentication (wired)

    Hi everybody,
    right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
    You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
    Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
    1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
    <key>SetupModes</key>
    <array>
        <string>System</string>
        <string>Loginwindow</string>
    </array>
    <key>PayloadScope</key>
        <string>System</string>
    but it does not work
    2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
    Thanks

    Unfortunatelly this documents do not describe how to do what I want.
    I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
    I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
    Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
    this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
    The certificates are in my System keychain.
    Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
    Any ideas ?

  • Windows 7 Home Premium with 802.1x problems with the Authentication

    We have problems with  OS Windows 7 Home Premium 802.1x, the message in ACS:
    EAP-TLS or PEAP authentication failed during SSL handshake
    ACS v4.1
    We have OS Windows 7 Professional and doesn´t have problems with the authentication.
    I hope that you can help me
    Regards

    We were investigated with specialist people of OS Windows and the conclusion was that the Home Premium Version has restrictions about authentication and domain (Active Directory). So we need change the version of OS (Proffessional for example).
    If you had another tip, please tell me and I try it for resolve this issue, if not we have to change the OS.
    Regards

  • ISE 802.1x EAP-TLS machine and smart card authentication

    I suspect I know the answer to this, but thought that I would throw it out there anway...
    With Cisco ISE 1.2 is it possible to enable 802.1x machine AND user smart card  authentication simultaneously for wired/wireless clients (specifically  Windows 7/8, but Linux or OSX would also be good).  I can find plenty of  information regarding 802.1x machine authentication (EAP-TLS) and user  password authentication (PEAP), but none about dual EAP-TLS  authentication using certificates for machines and users at the same time.  I think I can figure out how to configure such a policy in ISE, but options seem to be lacking on the client end.  For example, the Windows 7 supplicant seems only able to present either a machine or user smart card certificate, not one then the other.  Plus, I am not sure how the client would know which certificate to present, or if the type can be specified from the authenticator.

    Hope this video link will help you
    http://www.labminutes.com/sec0045_ise_1_1_wired_dot1x_machine_auth_eap-tls

  • Computer Authentication /host/machine name using EAP on AP Problem

    Hi All,
    I have a wireless access point model 1242 with ACS server. Acs server is intigrated with windows domain. The user authentication is working ok but i would like to have a computer authentication setup. I am using PEAP with MS chapv2 on client machine and on access point using open authentication with EAP. ACS has its on certificate and client has the root certificate. I can see the acs server pulls the /host/machine name from AD but i am getting (EAP-TLS or PEAP authentication failed during SSL handshake) message on ACS server for computer authentication. What could be the problem? user authentication is working OK....
    Does computer authentication require the EAP-TLS? I don't have client certificate in my setup.
    I would be gratefull for any suggestion / help.

    You did not mention whether your clients are running Windows or Mac OS (or some mixture of OS's)?  If you are running in a pure Windows environment, it is very easy to enable PEAP machine authentication.  It sounds like you have properly enabled machine authentication on the client side (since you are seeing host/machine auth attempts in the ACS log), but have you enabled machine authentication on the ACS server?
    Which version of ACS are you running (hopefully 4.2).
    Read up on this:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354014
    ACS supports EAP-TLS, PEAP (EAP-MS-CHAPv2), and  PEAP (EAP-TLS) for machine authentication. You can enable each  separately on the Windows User Database Configuration page, which allows  a mix of computers that authenticate with EAP-TLS or PEAP  (EAP-MS-CHAPv2). Microsoft operating systems that perform machine  authentication might limit the user authentication protocol to the same  protocol that is used for machine authentication. For more information  about Microsoft operating systems and machine authentication, see Microsoft  Windows and Machine Authentication.
    Windows User Database Support
    ACS supports the use of Windows external user databases for:
    •User Authentication—For  information about the types of authentication that ACS supports with  Windows Security Accounts Manager (SAM) database or a Windows Active  Directory database, see Authentication  Protocol-Database Compatibility, page 1-8.
    •Machine Authentication—ACS  supports machine authentication with EAP-TLS and PEAP (EAP-MS-CHAPv2).  For more information, see EAP  and Windows Authentication.
    •Group Mapping for  Unknown Users— ACS supports group mapping for unknown users by  requesting group membership information from Windows user databases. For  more information about group mapping for users authenticated with a  Windows user database, see Group Mapping by Group  Set Membership, page 16-3.
    •Password-Aging—  ACS supports password aging for users who are authenticated by a Windows  user database. For more information, see User-Changeable  Passwords with Windows User Databases.
    •Dial-in Permissions—ACS  supports use of dial-in permissions from Windows user databases. For  more information, see Preparing  Users for Authenticating with Windows.
    •Callback Settings—ACS  supports use of callback settings from Windows user databases. For  information about configuring ACS to use Windows callback settings, see Setting the User  Callback Option, page 6-6.

  • How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...

    I am trying to connect to the company network, but it always shows "PEAP authentication failed".
    There are only instructions for iPhone and PC.
    security : WPA2-Enterprise
    authority certificate : None
    Security Type : PEAP
    Inner Link Security : EAP-MSCHAPv2
    additionally MAC address filtering.
    The access point I set is as follows:
    network status: public
    wLAN network mode: infrastructure
    security: WPA/WPA2
    WPA2 only mode: off
    EAP plug-in setting: EAP-PEAP enable only
    personal certificate: not defined
    authority certificate: not defined
    user name: user-defined   BLANK
    realm in use: user-defined   BLANK
    allow PEAPv0
    MSCHAPv2
    user name: username
    password: mypassword
    We have domain, but there are no command about domain in iPhone guide. 
    Is there anything wrong of my setting?

    WPA2-Enterprise is not supported on your device.
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired users authentication with 802.1x(EAP-TLS). ACS 5.5 we are using as authentication server.
    We have added the root CA(internal) certificate and certifcate for ACS signed by CA. Now We want to check the authentication is working or not . I hope both root CA and identity certifcate also we need to install in the laptops. But I am not sure how to download the certifcates for client machine manually from CA.
    Kindly suggest on how to get certificates for clients both manually as well as automatically?
    Thanks,
    Vijay

    Hi Vijay,
       for the Wired 802.1x (EAP-TLS) you need to have following certificates:
    On ACS--- Root CA, Intermediate CA, Server Certificate
    On Client-- Root CA, Intermediate CA, User certificate(In case of user authentication) OR Machine certificae(In case of Machine authentication)
     I am not sure which third party certificate are you using, If its in house Microsoft or any other certificate server then you need download the client certificate from the server itself. 
    In case of Microsoft, There will be a template for user certificate. You can select it and create user certificate
    This one is an old document, But has steps to configure Machine certificate for the user, You can see the steps to download user certificate if its Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    In case You are using the third party certificate serevr , Then you need to check with them on how to download the user certificate
    Cheers
    Minakshi(rate the helpful post)

  • 802.1x with AD authentication in a wired environment

    Hello,
    I have a question about 802.1x authentication. I want use a combination from 802.1x and a domain authentication on a AD from microsoft. I think the first login request is the domain login, but the port on the switch is always blocked. After the PC is already up, then I can login with 802.1x authentication. Please let me know what is the best solution for this scenario. The customer need a domain login and he want use the 802.1x authentication.
    Give it a solution with only 1 login request???
    thanks
    Jens

    You can enable Machine Authentication with Windows 2000/XP/2003 clients. For this to work you need to use either PEAP or EAP-TLS. PEAP requires only a certifacate on the RADIUS Server. EAP-TLS requires a client certificate installed in the machine store on the 2000/XP/2003 client. With Machine Authentication the switchport authenticates the PC using 802.1x prior to user logon.
    You can push certificates down to Machines & Users via Active Directory Group Policy (you can't push user certificates down with a 2000 AD or 2000 Clients). You need to also enable Remote Access privileges for Machines as well.
    http://support.microsoft.com/kb/318750/EN-US/
    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx
    I have this deployed in a test environment at the moment using Microsoft IAS (Radius). Due to the way the IAS policies are created you need to plan things out carefully. Each switch has to be added individually to the IAS Server so it can look ugly (no more so than a DHCP server though).
    HTH
    Andy

  • Pb 802.1X Computer authentication

    Hello
    I want to know if some GPO parameters can prevent computer authentication 802.1X ?
    Because we use ACS4.1 and 802.1X PEAP authentication with Vlan assignement and MACHINE authentication Only
    And certain PC works fine and other not
    And if we disconnect the PC to the domain and after we reconnect th PC to the donain, all works fine ==> Authentication is OK
    If you have a solution to prevent out/in PC in the domain ?
    Thanks for your help

    Hello
    When i do the command csagent -v the result is:
    ACSRemoteAgent version 4.1(3.12)
    and I have an Appliance ACS:
    Cisco Secure ACS 4.1.3.12
    Appliance Management Software 4.1.3.12
    Appliance Base Image 4.1.1.4
    CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
    and in the file cswinAgent i have this error
    CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    I don't know if this that you want
    I have just change the domain name (DOMAIN-TEST) to confidential resaon
    Thanks

  • ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008

    Hi All,
    I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
    Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
    Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
    I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
    Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
    Thanks,
    Rob

    Hello,
    Did you find a guide for EAP-FAST with AD ?
    I'm facing the same problem, I can't make EAP-FAST working with AD Account,
    Thanks to you
    Regards,
    Gérald

  • 802.1x - EAP-MSCHAPv2 / LDAP on ACS 4.2

    Is possible to use PEAP EAP-MSCHAPv2 with LDAP ?

    No LDAP doesnt support mschapv2, here are the authentication protocols/database matrix:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
    Thanks,
    Tarik

  • Intel Mac OS X can't connect using 802.1x with TTLS authentication

    To login at the wireless network on my school I use the following settings:
    802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
    My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
    On my old iBook and my friend's Powerbook with exact the same settings it works perfect. (and gets an assigned ip-address throug DHCP.
    Bug in the Intel version of Mac OS X I guess?

    Regarding the post about other intel macs being unaffected, I don't have an imac so I don't know for sure, but the connectivity problems seem to be more widely reported for the macbooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (note to self, check on that).
    What I cant understand is why they have changed the
    airport express card for the intel macs, albeit the
    processor has changed but that shouldn't affect the
    card as that should be processor
    The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
    In the macbooks, it appears to be a mini-PCI-express. (I had to send my back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
    Some side-benefits of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.

Maybe you are looking for

  • Double clicking on file doesn't open file in Photoshop

    I've tried all the well-known fixes for this and they don't work. I'm on a Power Mac G5, 2MHz, running OS X 10.4.11, and Photoshop CS. I've been through the fixes for "can't open in Photoshop from double clicking file on desktop"-reinstalling Photosh

  • Time machine no longer backs up changes to files in home folder.

    My Time Machine seems to be in some sort of weird state where it has stopped backing up any files/folders in my home (~/) folder or below. This is obviously a big issue since those are the files most needing to be backed up. It does catch changes to

  • HP Pavilion dv6000 will not power up.

    I have had an HP Pavillion dv6000 for a few years, and suddenly, it will not power up at all.  I can not determine that anything at all happens when I press the power button.  What's weird is that when I connect the power, the AC LED (the one with th

  • Can't see Report Layout in IE

    Hi All, When i am executing the report in report designer, the report is executing but cant see the layout of the report in IE . I can see all tools and options except report layout at portal and even i m not finding any error msg also. plz help in t

  • T43 recovery CDs not working

    Hi, My T43 has pre-installed winXP and later I added a Linux system using Sussie Linux installation CD. I am happy with the dual boot as it is always working fine. Now I wish to remove the Linux system to get more space for my Windows. It has about 4