802.1X "hangs" on authenticating

Hi,
I am trying to connect to an 802.1X network at my office where they have only a Windows manual. I double checked all configuration settings and I think my configuration is correct. When I try to connect I can see the AirPort signal indicator jump to full and back to nothing. The status line says that it is authenticating (or authorizing) but nothing happens. I would expect a window with certificates to appear (which I could choose to trust).
When I start internet connect the console says the following:
2005-09-08 11:44:46.747 Internet Connect[885] Could not connect the action disclosureButtonPressed: to target of class OneXDialogs
2005-09-08 11:44:46.747 Internet Connect[885] Could not connect the action okButtonPressedTLS: to target of class OneXDialogs
2005-09-08 11:44:46.748 Internet Connect[885] Could not connect the action cancelButtonPressedTLS: to target of class OneXDialogs
2005-09-08 11:44:46.748 Internet Connect[885] Could not connect the action certificatePopupPressed: to target of class OneXDialogs
Any thoughts?
Cheers,
Ezz.

We ran into the same situation from time to time. We implemented 802.1X authentication using the Cisco Secure Services Client (SSC) on the Windows hosts.
At the beginning we were completely unable to log on on the machines where no locally stored Windows profile exists. After changing the timeout to authenticate at the network in the SSC options, we are able to log on to the network and also be authenticated by the domain controller.
Sadly this often works out as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interested in a good way to avoid this (as it seems to be) race condition.
Hope that someone else has a clue?

Similar Messages

  • Mac Pro hangs on authentication

    I have a Mac Pro dual-dual 3GHz which has a sporadic issue where (as far as I can tell) processes hang when authentication is attempted.
    I haven't seen any rhyme or reason to when this occurs. Sometimes, I will be in the middle of working, and I will notice that Terminal hangs when I try to open a new window. Other times, it will occur after the machine has gone to sleep (it wakes up fine, but then attempting to log in will hang).
    When this issue is occurring, all the following will hang:
    * Logging in via loginwindow
    * Switching users
    * Logging in via SSH
    * Performing sudo
    * Opening a new Terminal window
    The problem doesn't always go away upon rebooting. Sometimes, I reboot and everything is normal; on other occasions, the login window will hang after I enter my username and password and click Log in, even after multiple reboots.
    This problem has never occurred when rebooting in safe mode. However, often I can reboot in safe mode, log in, everything appears normal (for safe mode), but when I reboot in normal mode, the inability to authenticate occurs again.
    When this problem is occurring, it occurs on all accounts.
    Eventually, after enough reboots, I am able to log in and work normally (until the next time it happens).
    Also, I have never noticed anything wrong with either CPU or memory usage when this problem is occurring.
    On one occasion when this was happening, I happened to have an open root SSH session available. I ran sc_usage on securityd and found that it was waiting on 'machmsg_overwritetrap'. It waited over 5 minutes without anything further happening. I'm not sure what, if anything, this indicates. (Also, 'LASTPATHNAME_WAITEDFOR' was blank.)
    Any ideas would be welcome.

    Corrupted object... I had this under 10.3.x... had to wipe clean and reload OS X from CD.
    I read in a post that you could boot in safe mode, and delete "something" (I do not remember now) where the authentication data is stored and then you re-create your users... search past posts.
    My suggestion of a clean reload is a safer bet that you will have a clean system.

  • 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

    I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1X compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and then goes into err-disable mode.
    Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
    Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
    Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
    If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone, the port does not experience the security violation but the 802.1X authentication for the laptop fails.
    The ports Gi1/0/1 & Gi1/0/2 are configured thus:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport voice vlan 20
    authentication event fail action authorize vlan 4
    authentication event no-response action authorize vlan 4
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
    sh ver
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
    Full config attached. Assistance will be greatly appreciated.
    Donfrico

    I am currently trying to get 802.1X port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?

  • 802.1X Port Based Authentication Security Violation


    I believe you need to configure re-authentication on this switch port:
    ! Enable re-authentication
    authentication periodic
    ! Enable re-authentication via RADIUS Session-Timeout
    authentication timer reauthenticate server

  • 802.1X EAP-PEAP Authentication issue

    Hi Experts,
    I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
    The networks in question are set up identically, here is an overview:
    Layer 2 security is WPA & WPA2
    WPA - TKIP
    WPA2 - AES
    Auth Key Management is 802.1X
    RADIUS servers are Microsoft Windows 2008 Network Policy Service (used to be IAS). All users are in Active Directory and the IAS policy allows access based on AD group.
    This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is set up, you do not get prompted for credentials again, so this issue is only during initial setup.)
    We have recently added another WLAN that uses web auth, pointing to a RADIUS server too. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller General config.
    This is the only change I can think of that could possibly be relevant.
    Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OS X at the moment.
    Debugs as follows:
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
    *Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
    *Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
    *Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered, it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
    *Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
    *Oct 11 16:13:01.113: New PMKID: (16)
    *Oct 11 16:13:01.113:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.116: Including PMKID in M1  (16)
    *Oct 11 16:13:01.116:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
    *Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    *Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2  VLAN: 110
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo Frames = N
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 0, flags: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.23.26.53
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   server id: 1.1.1.1  rcvd server id: 172.19.0.50
    *Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
    *Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
    At this point, the client is connected and everything is working.

    Hi,
    It looks like some issue on the client side...
    The logs presented here are not related to the Web Auth WLAN and they have no impact on the behavior you are seeing.
    Looking at the logs:
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered, then it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    ===================
    These logs show exactly what you describe...
    The AAA sends an EAP request asking for the credentials.
    The login pops up and the EAP timeout starts decrementing.
    If the user does not enter credentials, it will expire and another EAP Request is sent.
    If you let the EAP request time out, it is expected that you enter credentials twice if, by the time you press enter, the timeout has already expired.
    As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
    HTH,
    Tiago

  • Intel Mac OS X can't connect using 802.1x with TTLS authentication

    To login at the wireless network on my school I use the following settings:
    802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
    My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
    On my old iBook and my friend's PowerBook with exactly the same settings it works perfectly (and gets an assigned IP address through DHCP).
    Bug in the Intel version of Mac OS X I guess?

    Regarding the post about other intel macs being unaffected, I don't have an imac so I don't know for sure, but the connectivity problems seem to be more widely reported for the macbooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (note to self, check on that).
    "What I can't understand is why they have changed the airport express card for the intel macs, albeit the processor has changed but that shouldn't affect the card as that should be processor"
    The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
    In the macbooks, it appears to be a mini-PCI-express. (I had to send mine back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
    One side-benefit of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.

  • 802.1x for user authentication setup questions

    Hi,
    I am fairly new to the 802.1x realm, I have read several documents on how the setup is accomplished and I was hoping someone could validate the setup I have in mind to make sure I am on the right page.  Any comments or assistance would be greatly appreciated, I do not have the infrastructure to test everything before hand.
    I have a remote site with a switch and router. I want to authenticate users using their AD credentials. At the datacenter I will have ACS 5.2, a Windows 2008 enterprise server for AD service and CS service. I do not have the option to install an additional client on the PC like anyconnect, I need to use the Windows OS supplicant without installing physical certificates on the machine.
    - Within the CS service I will generate a certificate that will be imported by ACS.
    - I will activate ACS to integrate with AD
    - I do not want to install certificates on the client machines so I will use PEAP w/ MSCHAPv2
    - The authenticating clients will be XP w/ SP3. I am hoping that a group policy can be created to enable the wired service to start automatically, and I will also need to add my CS/CA server as a trusted authority unless I purchase a verisign certificate to be used. Correct? Or will this need to be done when the desktop image is installed on the pc?
    Additional Questions:
    - With the setup I described above using MSCHAPv2, when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials, will this act as a single sign on? First authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? Or will there be some type of pop up window that will appear before the ctrl+alt+delete window, making the user provide credentials twice (annoying)?
    - Once the user is authenticated can I push an ACL down to the switch to enforce a set policy? Or does this happen on the router?
    - Most of the documents I have read are related to L2 802.1x. Is there an L3 option that includes the router that I should be looking at to provide more features?
    - Can anyone speak to their experience with the Windows OS supplicants? Is the functionality flaky/clunky, or if the backend is set up properly does it work seamlessly?
    Sorry for the long winded post but I am kind of shooting in the dark without having the equipment to test with. Any help is appreciated!
    Thanks

    Thanks to you both for the responses.
    I have a few follow-up questions which I have added inline.
    Q:
    - With the setup I described above using MSCHAPv2, when the user boots the computer in the morning, hits ctrl+alt+delete and provides their AD credentials, will this act as a single sign on? First authenticating them through 802.1x so the port is authorized and then authenticating them to the AD server? Or will there be some type of pop up window that will appear before the ctrl+alt+delete window, making the user provide credentials twice (annoying)?
    A: If you select "Use windows credentials" it won't prompt you for credentials. So all automatic.
    However, note that it will only login AFTER you entered the credentials on the logon page. So you won't have network connectivity for the initial logon, so no login scripts this way.
    With your comments I am rethinking my approach. I am considering that if the company security policy will allow it I will do machine authentication only instead of user auth. Obviously this is not as secure since a rogue user could change the local admin password and have access to the network. But in terms of simplicity and ease of use machine authentication provides a transparent authentication mechanism that should suffice. I would just have to sell the solution to security.
    There are a few things I need to understand before pursuing this.
    - Will the machine be 802.1x authenticated and on the network before the ctrl+alt+delete? So when the user logs in the machine has passed 802.1x already and has received an IP from DHCP? This is my hope.
    - is peap/mschap still the supported protocol so no physical cert is required per machine? no EAP-TLS
    - is the machine profile on the AD server used for 802.1x verification/authentication? meaning ACS will pass off to AD to verify the machine is part of the domain? or do you have to create machine profiles in ACS?
    - I have read a few articles out there about issues with machine auth with clients using XP; perhaps this was related to previous service packs before SP3? There was mention of registry changes required etc.
    - Is there a different supplicant offered by cisco that is more robust and would provide more stability, or does the cisco supplicant cost money per user license or other etc.?
    Again your feedback is invaluable as I do not have the physical equipment to test with. Unfortunately I have to propose a solution before actually testing something, which I am not particularly fond of.
    Regards,
    Eric

  • Windows 7 Wireless Logon - Problems with 802.1X Machine & User Authentication

    Hello All,
    We’ve had difficulty with our Windows 7 clients authenticating to our wireless network. I’m hoping someone out there has experienced the same thing and can offer some help.
    Some info about our environment:
    Single Windows 2008 R2 domain with 6 DCs
    MS Radius server
    Aruba wireless controllers
    The Problem:
    The client computer boots,
    Auths as machine (802.1X successful)
    User enters creds
    User auth (802.1X successful)
    To this point, everything is working normally. Next is where it gets weird.
    During the logon process, there is another machine auth
    2-5 minutes later another User auth
    OS is up and usable (connected to wireless network); however, no home folder is mapped and GPP didn’t apply properly.
    From what I understand, after the user has logged in, Windows never attempts another machine authentication. When the user logs out, Windows can attempt it.
    Can anyone offer some insight to what is causing this? I have logs available if anyone is interested.
    Thanks in advance for any help you can offer!
    Brett
    -- Brett

    I did a network trace to gain more insight. I don’t understand why after 802.1X auth is successful on port 1, it then initiates 802.1X auth on port 2.
    Can you offer any insight?
    10487 3:50:19 PM 8/23/2012 63.0340126 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Authentication Starting {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    10867 3:50:19 PM 8/23/2012 63.3403904 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Time taken for this authentication = 281 (0x119) ms {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    Then >>>
    11718 3:50:35 PM 8/23/2012 79.3196653 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:OneXDestroySupplicantPort {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11938 3:50:36 PM 8/23/2012 80.0530315 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Finished initializing a new port with id=2 (0x2) and friendly name=Dell Wireless 1504 802.11b/g/n (2.4GHz) {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11959 3:50:36 PM 8/23/2012 80.0556734 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:OneXStartAuthentication {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11964 3:50:36 PM 8/23/2012 80.0557074 svchost.exe (1036) ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Starting a new 802.1X authentication (MSM initiated)
    11965 3:50:36 PM 8/23/2012 80.0557333 svchost.exe (1036) ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Authentication Starting
    -- Brett

  • 802.1x + Machine Account Authentication = Vulnerability?

    Hello forum,
    I'm trying to determine the security implications of utilizing 802.1x authentication/authorization with the "Domain Computers" option selected within ACS. The problem I am having with this scenario is this:
    1) Client machines are authenticated to the LAN or WLAN based on AD machine account name/password if "Domain Computers" is selected.
    2) Windows XP machines will authenticate 802.1x using the machine account name/password by default upon initial boot and upon log-off.
    3) Once a machine boots up or someone logs off, the 802.1x port status is placed into "Authorized" using machine account name/password credentials.
    4) If you log onto a machine after the port goes "Authorized" (from #3) with a local user or local administrator account you gain "free access" to the network for < 60 seconds (I've done this many times now and you do in fact gain "free access.")
    So then the following scenario comes into play, what if:
    1) Someone steals a laptop.
    2) Compromises a local user or local administrator account on said laptop.
    3) Places the laptop onto either the wired or wireless network.
    4) Reboots the box.
    5) Logs in with local user or local administrator and launches a script (they will have free-access for < 60 seconds before a re-authentication is forced).
    Anyone familiar with this, or any white papers/KB's, is/are greatly appreciated!
    Thanks,
    Jeremy

    A small clarification here about your statement:
         "The PC will try machine authentication once it boots up. Once  is entered, the PC initiates 802.1x authentication by sending EAPOL start. The AP or switch should change the state of the PC from authenticated to authenticating. Thus, the PC should not get network connectivity unless it passes user authentication again. If you use a local account to logon to the PC, the PC should not pass 802.1x authentication. At least, that's how Cisco equipment works."
         This is not up to Cisco equipment; the AP has no idea the PC is switching between machine and user mode unless the supplicant on the PC restarts the authentication (via EAPOL-Start as you stated). This is wholly up to the supplicant installed on the PC. So with this < 60 second window that is being seen here, it is most likely due to the slow load of the user space/desktop.
    An option to prevent this would be to use a supplicant that can start before login (such as the Cisco Secure Services Client); that way the user is authenticated before they have access to the desktop.
    --Jesse
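    A detection for the window Jeremy describes and Jesse explains (a port authorized by a machine account, then used without a successful user authentication), as an added Python example that is not code from the thread or from Cisco. The one-line RADIUS log format, the sample events and the MAC addresses are constructed for this example; it assumes machine accounts authenticate as host/<FQDN> and that a session which ends (Acct-Stop) inside the window was a normal reboot or log-off.

```python
"""Flag machine-account 802.1X sessions that are not followed by a user
authentication (added example; log format and sample data are constructed)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>Access-Accept|Access-Reject|Acct-Start|Acct-Stop)"
    r"(?: user=(?P<user>\S+))? mac=(?P<mac>\S+) nas=(?P<nas>\S+)$")

# Constructed log lines (not real data); MACs are in the locally administered range.
SAMPLE_LOG = """\
2012-10-11T08:00:01 Access-Accept user=host/LAPTOP42.corp.example mac=02:00:00:00:00:01 nas=sw-branch-1
2012-10-11T08:00:02 Acct-Start mac=02:00:00:00:00:01 nas=sw-branch-1
2012-10-11T08:00:31 Access-Accept user=CORP\\jdoe mac=02:00:00:00:00:01 nas=sw-branch-1
2012-10-11T08:05:00 Access-Accept user=host/LAPTOP77.corp.example mac=02:00:00:00:00:02 nas=sw-branch-1
2012-10-11T08:05:01 Acct-Start mac=02:00:00:00:00:02 nas=sw-branch-1
2012-10-11T08:07:00 Access-Accept user=host/LAPTOP55.corp.example mac=02:00:00:00:00:03 nas=sw-branch-1
2012-10-11T08:07:01 Acct-Start mac=02:00:00:00:00:03 nas=sw-branch-1
2012-10-11T08:07:20 Access-Reject user=LAPTOP55\\localadmin mac=02:00:00:00:00:03 nas=sw-branch-1
2012-10-11T08:09:00 Access-Accept user=host/DESK09.corp.example mac=02:00:00:00:00:04 nas=sw-branch-1
2012-10-11T08:09:01 Acct-Start mac=02:00:00:00:00:04 nas=sw-branch-1
2012-10-11T08:09:30 Acct-Stop mac=02:00:00:00:00:04 nas=sw-branch-1
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    user: Optional[str]
    mac: str
    nas: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["kind"],
                                m["user"], m["mac"], m["nas"]))
    events.sort(key=lambda e: e.ts)  # stable: equal timestamps keep file order
    return events


def is_machine_account(user: Optional[str]) -> bool:
    return user is not None and user.lower().startswith("host/")


def find_machine_only_sessions(events: List[Event],
                               window_seconds: int = 60) -> List[Tuple[str, str, str, str]]:
    """For every machine-account Access-Accept, look at what follows on the same
    MAC inside the window.  Returns (mac, nas, machine_account, reason)."""
    findings: List[Tuple[str, str, str, str]] = []
    if not events:
        return findings
    end_of_log = events[-1].ts
    by_mac: Dict[str, List[Event]] = {}
    for e in events:
        by_mac.setdefault(e.mac, []).append(e)
    for mac, evs in by_mac.items():
        for i, e in enumerate(evs):
            if e.kind != "Access-Accept" or not is_machine_account(e.user):
                continue
            deadline = e.ts + timedelta(seconds=window_seconds)
            user_ok = stopped = False
            rejected_user = None
            for f in evs[i + 1:]:
                if f.ts > deadline:
                    break
                if f.kind == "Access-Accept" and not is_machine_account(f.user):
                    user_ok = True           # the expected user phase happened
                    break
                if f.kind == "Access-Reject" and not is_machine_account(f.user):
                    rejected_user = f.user   # a non-domain account was tried
                    break
                if f.kind == "Acct-Stop":
                    stopped = True           # session ended (reboot, log-off)
                    break
            if rejected_user:
                findings.append((mac, e.nas, e.user,
                                 f"user authentication rejected for {rejected_user} after machine authentication"))
            elif not user_ok and not stopped and end_of_log >= deadline:
                findings.append((mac, e.nas, e.user,
                                 f"no user authentication within {window_seconds}s of machine authentication"))
    return findings


if __name__ == "__main__":
    for finding in find_machine_only_sessions(parse_log(SAMPLE_LOG)):
        print(*finding, sep=" | ")
```

    The rejected-user rule is the stronger signal; the no-user-auth rule also fires for a machine left sitting at the logon screen, so align the window with the switch's re-authentication timer.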

  • 802.1x Machine Based Authentication - Password expired

    Hi,
    I would like to ask 1 question about machine based authentication on 802.1x.
    1. We are deploying 802.1x on wired users.
    2. Some users are using machine based authentication in order to authenticate their port.
    3. However, after the user password expired, the user needs to change their password and then the machine is unable to authenticate. The error I got is "External DB user invalid or bad password". Then the switch assigns the user to the Guest VLAN.
    4. But, once I unplug the UTP cable and plug it back in after the user logs in, the switch will assign the user to the proper VLAN.
    5. Users won't be able to access their share drive etc. since the guest VLAN only has access to the internet.
    6. Anyone have any idea what is happening? It seems that the machine is sending the old password during the authentication process to the ACS.
    Can anybody shed some light on this for me? Thanks.

    This should certainly work with that rev. On your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine-auth typically executes before the GINA is displayed to the user. It sounds like machine-auth is failing and we need to determine why. Has this machine been away from the domain for long?
    This also might help:
    http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC

  • Problem with Windows 7 802.1x prompted for authentication multiple times

    I have setup a WLAN for users to bring in their own devices (devices are not on the domain).  It is setup for WPA2-Enterprise/AES and it doesn't require certificates.  We authenticate with a Cisco Secure Access Server 5.1.44 (setup with Active Directory).
    I have configured the Windows 7 wireless client:
    WPA-Enterprise/AES
    PEAP - removed "Validate server certificate"
    EAP-MSCHAPv2 properties - disabled "Automatically use my Windows login name and password"
    Advanced settings 802.1x - ticked for "user authentication"
    My problem is when I connect to the WLAN, I'm prompted for authentication multiple times (x2).  On the second login prompt everything logs in OK.  No errors are received after the first login attempt.
    Thanks

    This doesn't have anything to do with eap settings?
    Are the current defaults the recommended settings:
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 1000
    EAPOL-Key Max Retries............................ 2
    EAP-Broadcast Key Interval....................... 3600
    I have seen this multiple times on varying drivers and systems. The first time you log in, until it is cached.
    Thanks,
    Andrew
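    The double prompt Tiago explains earlier in this thread (EAP-Request, 'timeoutEvt' expiry, retransmit, fresh dialog) run against the WLC timer values Andrew quotes, as an added Python simulation that is not code from the thread or from Cisco. It assumes that a retransmitted EAP-Request makes the supplicant discard the half-typed dialog and pop a fresh one, and that the user takes a fixed number of seconds to answer each dialog; the entry delays are made up.

```python
"""Model of the authenticator-side EAP-Request timer behind the double
credential prompt (added example; the supplicant behaviour is an assumption)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class EapTimers:
    # Defaults quoted from the WLC EAP timer output in this thread.
    request_timeout: float = 30.0   # EAP-Request Timeout (seconds)
    max_retries: int = 2            # EAP-Request Max Retries


@dataclass
class EapOutcome:
    succeeded: bool
    prompts_shown: int              # times the credential dialog appeared
    retransmits: int                # "Retransmit N of EAP-Request" events sent
    response_at: Optional[float]    # seconds until the accepted EAP-Response
    timeline: List[str] = field(default_factory=list)


def simulate_prompt(entry_delays: List[float],
                    timers: EapTimers = EapTimers()) -> EapOutcome:
    """entry_delays[i] is how long the user takes to answer the i-th dialog;
    an empty list or a missing entry means that dialog is never answered.
    A stored profile that answers automatically is entry_delays=[0.0]."""
    now = 0.0
    prompts = retransmits = 0
    timeline: List[str] = []
    while True:
        prompts += 1
        label = "EAP-Request" if retransmits == 0 else f"Retransmit {retransmits} of EAP-Request"
        timeline.append(f"t={now:5.1f}s {label} sent -> credential dialog #{prompts}")
        deadline = now + timers.request_timeout
        answered_at = now + entry_delays[prompts - 1] if prompts <= len(entry_delays) else None
        if answered_at is not None and answered_at < deadline:
            timeline.append(f"t={answered_at:5.1f}s EAP-Response received, authentication continues")
            return EapOutcome(True, prompts, retransmits, answered_at, timeline)
        # The timer fired first: whatever was typed into this dialog is lost,
        # which is the "enter credentials twice" case described in the thread.
        now = deadline
        timeline.append(f"t={now:5.1f}s 'timeoutEvt' timer expired")
        if retransmits >= timers.max_retries:
            timeline.append(f"t={now:5.1f}s max retries reached, authentication failed")
            return EapOutcome(False, prompts, retransmits, None, timeline)
        retransmits += 1


if __name__ == "__main__":
    for delays in ([5.0], [35.0, 5.0], [45.0, 45.0, 45.0]):
        r = simulate_prompt(delays)
        print(f"delays={delays}: success={r.succeeded} prompts={r.prompts_shown} "
              f"retransmits={r.retransmits}")
        for line in r.timeline:
            print("   ", line)
```
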

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot-test environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authentication is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What reason does the AAA give you for the failure?

  • Use smart card for 802.1x secured WiFi authentication

    Hi,
    is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
    I have set up a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured WiFi access (802.1x). Everything works fine as long as the user certificate is stored in the local certificate store of the user's client computer: the user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly and granted access.
    To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local certificate store as soon as the token has been plugged in (checked via the MMC Certificates snap-in). But the certificate obviously can't be used for the desired WiFi authentication: if I try to connect to the secured WiFi (the same as in scenario 1) the connection fails.
    As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must lie somewhere in either the local client computer configuration or in the Safenet software on the client computer.
    I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
    Does anybody have experience in creating 802.1x secured WiFi access with smart card based user certificates who could advise?
    Thanks + Best Regards
    Matt

    Hi,
    I found some links from the TechNet site which can be helpful in this case
    Network access authentication and certificates
    http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
    Enable smart card or other certificate authentication
    http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
    Quote:
    Client certificate requirements
    With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
    The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
    The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
    The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
    For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
    For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name.
    Yolanda Zhu
    TechNet Community Support
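    A check of the EKU and SAN rules in the quoted client certificate requirements, as an added Python example that is neither Microsoft's code nor from the thread. It assumes the `cryptography` package, builds its own self-signed test certificates (the names and UPNs are constructed), and leaves the chain-to-trusted-root, CryptoAPI and registry-store checks to the NPS and the client.

```python
"""Check whether a client certificate meets the EKU and SAN rules quoted above
(added example; the test certificates are constructed, not real)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

CLIENT_AUTH = ExtendedKeyUsageOID.CLIENT_AUTH                       # 1.3.6.1.5.5.7.3.2
UPN_OTHERNAME = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")     # Microsoft UPN otherName


def upn_othername(upn: str) -> x509.OtherName:
    """SAN otherName carrying a UPN; the value is a DER-encoded UTF8String."""
    raw = upn.encode()
    assert len(raw) < 128, "short-form DER length only"
    return x509.OtherName(UPN_OTHERNAME, b"\x0c" + bytes([len(raw)]) + raw)


def decode_upn(value: bytes) -> str:
    """Inverse of upn_othername for short UTF8String values."""
    if len(value) < 2 or value[0] != 0x0C or value[1] != len(value) - 2:
        raise ValueError("UPN otherName is not a short UTF8String")
    return value[2:].decode()


def check_client_cert(cert: x509.Certificate, kind: str) -> list:
    """Return the requirement violations found; an empty list means the EKU
    and SAN rules for kind 'user' or 'computer' are satisfied."""
    problems = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if CLIENT_AUTH not in eku:
            problems.append("EKU lacks Client Authentication (1.3.6.1.5.5.7.3.2)")
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        problems.append("no Subject Alternative Name extension")
        return problems
    if kind == "user":
        upns = [decode_upn(o.value) for o in san.get_values_for_type(x509.OtherName)
                if o.type_id == UPN_OTHERNAME]
        if not upns:
            problems.append("user certificate SAN has no UPN otherName")
    elif kind == "computer":
        if not san.get_values_for_type(x509.DNSName):
            problems.append("computer certificate SAN has no DNS name (FQDN)")
    else:
        raise ValueError("kind must be 'user' or 'computer'")
    return problems


def make_test_cert(cn: str, ekus, san_entries) -> x509.Certificate:
    """Constructed self-signed certificate used only to exercise the checks."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .add_extension(x509.SubjectAlternativeName(san_entries), critical=False)
            .sign(key, hashes.SHA256()))


# Constructed examples: one certificate per rule in the quoted list.
USER_OK = make_test_cert("Matt Test", [CLIENT_AUTH], [upn_othername("matt@corp.example")])
USER_NO_UPN = make_test_cert("Matt Test", [CLIENT_AUTH], [x509.RFC822Name("matt@corp.example")])
COMPUTER_OK = make_test_cert("pc01", [CLIENT_AUTH], [x509.DNSName("pc01.corp.example")])
SERVER_ONLY = make_test_cert("pc01", [ExtendedKeyUsageOID.SERVER_AUTH],
                             [x509.DNSName("pc01.corp.example")])

if __name__ == "__main__":
    for label, cert, kind in (("user ok", USER_OK, "user"), ("user no UPN", USER_NO_UPN, "user"),
                              ("computer ok", COMPUTER_OK, "computer"),
                              ("server-auth only", SERVER_ONLY, "computer")):
        print(f"{label}: {check_client_cert(cert, kind) or 'meets the quoted requirements'}")
```
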

  • Airport 802.1x w/ TLS Authentication Certificate Problem

    Trying to set up an Airport connection to my company's Wireless network.
    I've gone into the Internet Connect application and tried to create a new 802.1x connection.
    I named the connection, chose AirPort as the port, provided my username and password, filled in the SSID, and tried to choose TLS as the authentication but got the following error:
    "TLS can't be enabled because your keychain does not contain any suitable certifications..."
    I had previously added the certificate the IT department had generated and is successfully using with their Windows clients.
    I can see the key in my keychain but cannot access it when trying to add TLS authentication.
    They are using Microsoft Certificate Server to generate the certs.
    Is there anything special I need to do in my keychain or with the cert to have it available for use with TLS?

    I've set this up at home using Windows 2003 IAS & EAP-TLS. It took a little playing around to get it right, but here are the instructions I wrote for myself:
    Mac;
    http://certificateauthorityserver/certsrv
    Download a CA Certificate, certificate chain, or CRL
    Click Download CA Certificate
    Double click certnew.cer and install it to the System keychain
    Go back
    Request a Certificate
    User Certificate
    2048, Submit
    Install (downloads)
    On Windows machine, view private store. Select export with shared key. Export p12 certificate. Import on Mac.
    Go to Internet Connect configuration. Choose 802.1X and then TLS. Use the certificate assigned to the user.

  • Sg300 - 802.1x NPS - mac authentication not working

    I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
    Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
    My current port configuration on the SG300:
    interface fastethernet1
     dot1x guest-vlan enable
     dot1x max-req 1
     dot1x reauthentication
     dot1x timeout quiet-period 10
     dot1x authentication 802.1x mac
     dot1x radius-attributes vlan static
     dot1x port-control auto
     switchport mode access
    On the Windows NPS server the following error is shown:
    Authentication Details:
        Connection Request Policy Name:    Secure Wire
        Network Policy Name:        -
        Authentication Provider:        Windows
        Authentication Server:        myradius.local
        Authentication Type:        -
        EAP Type:            -
        Account Session Identifier:        30353030399999
        Reason Code:            1
        Reason:                An internal error occurred. Check the system event log for additional information.
    Compared to the message from the 3850, the authentication type (PAP) is missing and a not very helpful error message is displayed...

    Still not working.
    I tried different settings and (also older) software versions on the SF302-08P.
    Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
    The NPS reports the following error:
    Schannel:
    The following fatal alert was received: 40.
    EventID 36887
    If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
    ... is this a bug on the SF302-08P?
