802.1x + Machine Account Authentication = Vulnerability?

Hello forum,
I'm trying to determine the security implications of utilizing 802.1x authentication/authorization with the "Domain Computers" option selected within ACS. The problem I am having with this scenario is this:
1) Client machines are authenticated to the LAN or WLAN based on AD machine account name/password if "Domain Computers" is selected.
2) Windows XP machines will authenticate 802.1x using the machine account name/password by default upon initial boot and upon log-off.
3) Once a machine boots up or someone logs off, the 802.1x port status is placed into "Authorized" using machine account name/password credentials.
4) If you log onto a machine after the port goes "Authorized" (from #3) with a local user or local administrator account you gain "free access" to the network for < 60 seconds (I've done this many times now and you do in fact gain "free access.")
So then the following scenario comes into play. What if:
1) Someone steals a laptop.
2) Compromises a local user or local administrator account on said laptop.
3) Places the laptop onto either the wired or wireless network.
4) Reboots the box.
5) Logs in with local user or local administrator and launches a script (they will have free-access for < 60 seconds before a re-authentication is forced).
Anyone familiar with this, or any white papers/KBs, would be greatly appreciated!
Thanks,
Jeremy

A small clarification here about your statement:
     "The PC will try machine authentication once it boots up. Once is entered, the PC initiates 802.1x authentication by sending EAPOL start. The AP or switch should change the state of the PC from authenticated to authenticating. Thus, the PC should not get network connectivity unless it passes user authentication again. If you use a local account to logon to the PC, the PC should not pass 802.1x authentication. At least, that's how Cisco equipment works."
     This is not up to the Cisco equipment: the AP has no idea the PC is switching between machine and user mode unless the supplicant on the PC restarts the authentication (via EAPOL-Start as you stated); this is wholly up to the supplicant installed on the PC. So the < 60 second window that is being seen here is most likely due to slow load of the user space/desktop.
An option to prevent this would be to use a supplicant that can start before login (such as the Cisco Secure Services Client) that way the user is authenticated before they have access to the desktop.
--Jesse

Similar Messages

  • 802.1x Machine Based Authentication - Password expired

    Hi,
    I would like to ask 1 question about machine based authentication on 802.1x.
    1. We are deploying 802.1x on wired users.
    2. Some users are using machine based authentication in order to authenticate their port.
    3. However, after the user password expired, the user needs to change their password and then the machine is unable to authenticate. The error I got is "External DB user invalid or bad password". Then the switch assigns the user to the Guest VLAN.
    4. But once I unplug the UTP cable and plug it back in after the user logs in, the switch assigns the user to the proper VLAN.
    5. Users won't be able to access their share drives etc. since the guest VLAN only has access to the internet.
    6. Anyone have any idea what is happening? It seems that the machine is sending the old password during the authentication process to the ACS.
    Can anybody shed some light on this for me? Thanks.

    This should certainly work with that rev. On your passed (or failed) auth log, you should see the username of the session authenticating. If you see the FQDN of the machine, this is a machine auth. Also, machine-auth typically executes before the GINA is displayed to the user. It sounds like machine-auth is failing and we need to determine why. Has this machine been away from the domain for long?
    This also might help:
    http://supportwiki.cisco.com/ViewWiki/index.php/802.1x_authentication_with_Cisco_Secure_Access_Control_Server_fails_to_work_for_Microsoft_Windows_XP_PC

  • Windows 7 Wireless Logon - Problems with 802.1X Machine & User Authentication

    Hello All,
    We’ve had difficulty with our Windows 7 clients authenticating to our wireless network. I’m hoping someone out there has experienced the same thing and can offer some help.
    Some info about our environment:
    Single Windows 2008 R2 domain with 6 DCs
    MS Radius server
    Aruba wireless controllers
    The Problem:
    The client computer boots,
    Auths as machine (802.1X successful)
    User enters creds
    User auth (802.1X successful)
    To this point, everything is working normally. Next is where it gets weird.
    During the logon process, there is another machine auth
    2-5 minutes later another User auth
    OS is up and usable (connected to wireless network); however, no homefolder is mapped and GPP didn’t apply properly.
    From what I understand, after the user has logged in, Windows never attempts another machine authentication. When the user logs out, Windows can attempt it.
    Can anyone offer some insight to what is causing this? I have logs available if anyone is interested.
    Thanks in advance for any help you can offer!
    Brett
    -- Brett

    I did a network trace to gain more insight. I don’t understand why after 802.1X auth is successful on port 1, it then initiates 802.1X auth on port 2.
    Can you offer any insight?
    10487  3:50:19 PM 8/23/2012  63.0340126  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Authentication Starting  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    10867  3:50:19 PM 8/23/2012  63.3403904  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Time taken for this authentication = 281 (0x119) ms  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    Then >>>
    11718  3:50:35 PM 8/23/2012  79.3196653  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:OneXDestroySupplicantPort  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11938  3:50:36 PM 8/23/2012  80.0530315  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Finished initializing a new port with id=2 (0x2) and friendly name=Dell Wireless 1504 802.11b/g/n (2.4GHz)  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11959  3:50:36 PM 8/23/2012  80.0556734  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:OneXStartAuthentication  {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
    11964  3:50:36 PM 8/23/2012  80.0557074  svchost.exe (1036)  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Starting a new 802.1X authentication (MSM initiated)
    11965  3:50:36 PM 8/23/2012  80.0557333  svchost.exe (1036)  ONEX_MicrosoftWindowsOneX  ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Authentication Starting
    -- Brett

  • 802.1x TLS (Machine certificate) authentication in Snow Leopard

    Hi,
    In our company we are using 802.1x TLS authentication for WLAN and on some LAN ports. We have been delivering machine certificates to our PCs for a while without problems, and these use the certificate to authenticate themselves to the network before login.
    We would like to deliver the same user experience to Mac users but we are having severe problems configuring them. Our Mac users use Snow Leopard and the few references I found on the internet regarding 802.1x TLS authentication are for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.
    We do have a proper machine certificate (with the correct usages, SAN, etc.) and its related AD object provisioned. I have created the 802.1x profile as a "User Profile" and as a "System Profile" with the same results.
    I add the client logs below, but what I don't understand is why the client says it's going to use MSCHAP when that is not the case.
    <key>TTLSInnerAuthentication</key>
    <string>MSCHAPv2</string>
    Lastly, the Keychain also has a weird behavior. If we import a Root CA into the "login" and/or "System" keychain, mark it as "Always Trust" and later import a certificate created by this Root CA, the keychain UI insists that the certificate "was signed by an unknown authority". From the logs below that does not seem to be the reason why the client is not able to use 802.1x TLS, but in any case that is a bug.
    Client logs:
    2010/05/14 10:37:12.872405 update_configuration
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>AcceptEAPTypes</key>
    <array>
    <integer>13</integer>
    </array>
    <key>Description</key>
    <string>Automatic</string>
    <key>EAPFASTProvisionPAC</key>
    <true/>
    <key>EAPFASTUsePAC</key>
    <true/>
    <key>TLSIdentityHandle</key>
    <data>
    [Removed]
    </data>
    <key>TLSTrustedCertificates</key>
    <array>
    <data>
    [In here we have our Internal Root CA we use to create Machine certificate and also to create the certificate used in our IAS Server (the RADIUS)
    </data>
    </array>
    <key>TLSVerifyServerCertificate</key>
    <true/>
    <key>TTLSInnerAuthentication</key>
    <string>MSCHAPv2</string>
    </dict>
    </plist>
    2010/05/14 10:37:12.968769 link up
    2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
    2010/05/14 10:37:12.972850 Receive Packet Size 77
    Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
    EAPOL: proto version 0x2 type EAP Packet (0) length 59
    EAP Request (1): Identifier 1 Length 59
    Identity (1)
    length 59 - sizeof(*rd_p) 5 = 54
    [Removed. In here there is our networkid,nasid and portid ]
    2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ClientStatus</key>
    <integer>0</integer>
    <key>ConfigurationGeneration</key>
    <integer>2</integer>
    <key>DomainSpecificError</key>
    <integer>0</integer>
    <key>Mode</key>
    <integer>1</integer>
    <key>SupplicantState</key>
    <integer>1</integer>
    <key>Timestamp</key>
    <date>2010-05-14T08:37:12Z</date>
    <key>UniqueIdentifier</key>
    <string>[Removed]</string>
    </dict>
    </plist>
    2010/05/14 10:37:12.976795 EAP Request Identity
    2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
    2010/05/14 10:37:12.976832 Transmit Packet Size 39
    Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
    EAPOL: proto version 0x1 type EAP Packet (0) length 35
    EAP Response (2): Identifier 1 Length 35
    Identity (1)
    length 35 - sizeof(*rd_p) 5 = 30
    [Removed raw data with the SAN]
    2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
    <key>ClientStatus</key>
    <integer>0</integer>
    <key>ConfigurationGeneration</key>
    <integer>2</integer>
    <key>DomainSpecificError</key>
    <integer>0</integer>
    <key>IdentityAttributes</key>
    <array>
    <string>networkid=[Removed our SSID]</string>
    <string>nasid=[Removed our WLANC ID]</string>
    <string>portid=29</string>
    </array>
    <key>Mode</key>
    <integer>1</integer>
    <key>SupplicantState</key>
    <integer>2</integer>
    <key>Timestamp</key>
    <date>2010-05-14T08:37:12Z</date>
    <key>UniqueIdentifier</key>
    <string>[Removed]</string>
    </dict>
    </plist>
    2010/05/14 10:37:13.022577 force renew
    2010/05/14 10:37:13.025323 stop
    * Has someone been able to use 802.1x TLS based authentication for Snow Leopard clients and is able to point me in the right direction?
    * Does Apple provide any documentation for this? (All I found is that I should contact the "Network Administrator" to get the Mac configured!!!)
    * How can I make a certificate issued by a "Private CA" trusted in Snow Leopard? All workarounds I found are not suitable for Snow Leopard.
    Thanks
    Jofre

    Hi,
    Some updates: besides the keytools UI issue and the strange logs, it seems that the request is reaching the RADIUS, a Windows IAS Server.
    If we compare a PC and a Mac we have the following.
    PC:
    1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
    2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
    3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
    6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
    7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
    8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
    Continues OK
    While on a Snow Leopard are:
    44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
    45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
    47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure
    After analyzing the network traces we see that the difference is in the 3rd EAP packet:
    PC:
    4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 40
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 1
    Length: 40
    Type: Identity [RFC3748] (1)
    Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM
    Mac Snow Leopard:
    46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
    802.1X Authentication
    Version: 1
    Type: EAP Packet (0)
    Length: 35
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 2
    Length: 35
    Type: Identity [RFC3748] (1)
    Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM
    That difference prevents our RADIUS (IAS Server) from authenticating the device properly, with the error:
    User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 8
    Reason = The specified user account does not exist.
    while in the PC case we have:
    PC:
    User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
    Policy-Name = Allow Wireless Lan Access With Certificate
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    * Question 1: Is there a way to ensure that Snow Leopard adds the "host/" at the beginning of the Identity?
    * Question 2: Has someone been able to connect a Snow Leopard to a WLAN protected with 802.1x using TLS?
    Thanks
    Jofre
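    As an added illustration (not Jofre's, Apple's or Microsoft's code) of the two captures above, this builds and parses EAPOL frames carrying EAP-Response/Identity, shows the 5-byte EAP header arithmetic from the Mac log ("length 35 - sizeof(*rd_p) 5 = 30"), and flags whether the identity carries the "host/" prefix that makes IAS treat it as a machine account. The names are the placeholders from the post, so the byte counts differ from the real capture.

```python
import struct

# Constants from IEEE 802.1X (EAPOL) and RFC 3748 (EAP)
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
# code(1) + identifier(1) + length(2) + type(1): the "sizeof(*rd_p) 5" in the Mac log
EAP_IDENTITY_HEADER_LEN = 5


def build_identity_response(identifier, identity, eapol_version=1):
    """Build an EAPOL frame carrying an EAP-Response/Identity (constructed test input)."""
    ident = identity.encode("utf-8")
    eap_len = EAP_IDENTITY_HEADER_LEN + len(ident)
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, identifier, eap_len, EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", eapol_version, EAPOL_TYPE_EAP_PACKET, len(eap))
    return eapol + eap


def parse_identity_response(frame):
    """Parse an EAPOL frame and return the fields of the EAP-Response/Identity inside it."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL type %d is not EAP-Packet" % eapol_type)
    body = frame[4:4 + eapol_len]
    if len(body) != eapol_len or len(body) < EAP_IDENTITY_HEADER_LEN:
        raise ValueError("EAPOL body truncated")
    code, identifier, eap_len, eap_type = struct.unpack("!BBHB", body[:EAP_IDENTITY_HEADER_LEN])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    if eap_len != len(body):
        raise ValueError("EAP length %d does not match EAPOL body %d" % (eap_len, len(body)))
    # Everything after the 5-byte header is the identity string
    identity = body[EAP_IDENTITY_HEADER_LEN:].decode("utf-8", errors="replace")
    return {
        "eapol_version": version,
        "identifier": identifier,
        "eap_length": eap_len,
        "identity_length": eap_len - EAP_IDENTITY_HEADER_LEN,
        "identity": identity,
    }


def identity_kind(identity):
    """The Windows supplicant prefixes machine identities with 'host/'; an unprefixed
    value is looked up as a user account, which is why IAS rejected the Mac."""
    return "machine" if identity.startswith("host/") else "user-style"


def compare_identities(frame_a, frame_b):
    """Return what differs between two identity responses (the check made in the post)."""
    a, b = parse_identity_response(frame_a), parse_identity_response(frame_b)
    fqdn_a = a["identity"].split("/", 1)[-1].lower()
    fqdn_b = b["identity"].split("/", 1)[-1].lower()
    return {
        "length_delta": a["eap_length"] - b["eap_length"],
        "kind_a": identity_kind(a["identity"]),
        "kind_b": identity_kind(b["identity"]),
        "same_fqdn": fqdn_a == fqdn_b,
    }


if __name__ == "__main__":
    # Placeholder names taken from the post (real capture lengths were 40 and 35)
    pc = build_identity_response(1, "host/SAN-NAME01.INTERNALDOMAIN.COM")
    mac = build_identity_response(2, "SAN-NAME01.INTERNALDOMAIN.COM")
    print(parse_identity_response(pc))
    print(parse_identity_response(mac))
    print(compare_identities(pc, mac))
```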

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of IOS, Android, and Windows 7/8 devices. IOS and Android devices can self-create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of User authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto setting to user authentication (as I think they did when we ran ISE 1.2), or the best option which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto create the profile.  In that profile, 802.1x computer authentication option is chosen by windows.  That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, Windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with.

  • ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

    Hi guys,
    I have a strange error here and I'm really disappointed.
    We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
    We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
    At the other clients we can see a strange error at the ACS.
    At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
    Report columns: Logged At, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Access Service, Authentication Method, Network Device, NAS IP Address, NAS Port ID, CTS Security Group, ACS Instance, Failure Reason
    Logged At: Sep 2,10 3:37:46.916 PM
    Access Service: Wired_802.1X_EAP-TLS
    Authentication Method: EAP-TLS
    ACS Instance: svacs01
    Failure Reason: 5411 EAP session timed out
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Wired_802.1X_EAP-TLS
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    5411  EAP session timed out
    At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
    Switch --> Request Identity --> Client
    Switch <-- Response Identity <-- Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    What is missing is the Switch <-- Response EAP-TLS <-- Client
    Any ideas what is going wrong? Maybe someone had this error before?
    Any suggestions how to debug this?
    Thank you very much for your help!
    Mathias

    Hi @all,
    I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occur many times per day.
    Report columns: Logged At, RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Access Service, Authentication Method, Network Device, NAS IP Address, NAS Port ID, CTS Security Group, ACS Instance, Failure Reason
    Logged At: Sep 7,10 11:50:36.143 PM
    Access Service: dot1x wireless
    Authentication Method: PEAP
    ACS Instance: bfnetacs01
    Failure Reason: 5411 EAP session timed out
    Kind regards,
    Michael

  • 802.1X Machine Authentication ONLY!

    Hi. I have a customer who wants to perform 802.1x machine authentication only to prevent users connecting their own devices to the corporate network. The machine credentials will be authenticated via Cisco ACS which will proxy the authentication to Active Directory. If successful, the 802.1x assigns the port to a VLAN. At this point, the port is 'opened up' and the user can receive an IP address and can then login to the domain as normal (AD username/password) via the network login screen. Is this a workable solution?
    I basically want the end user to not notice anything new, but 802.1x operates in the background to authenticate the machine before displaying the network login box. To the user, the PC boots and displays the login box and they login as normal :-) If they bring in their own device, it will fail 802.1x machine authentication and will not get any access.
    Has anyone implemented this? Is it a feasible design?
    Thanks
    Darren

    Hi Darren,
    Good news for you: you can do this using the "Machine Access Restriction" on both ACS 4.x and ACS 5.x:
    * ACS 5.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1254965
    * ACS 4.x:
    http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/UsrDb.html#wp354105
    As soon as the machine performs the 802.1x using the client credentials, the ACS will keep this info on a cache and it will match any further auth attempt (e.g. using the user credentials) for this client using the "Calling-Station-ID", so basically the client's MAC address.
    Depending on whether a client performed or not Machine Authentication before, you can decide whether to assign a sort of restricted access/guest VLAN or to deny access.
    If the personal client doesn't have a 802.1x supplicant at all, then you can decide to enable the guest vlan feature on the switch itself.
    I hope this helps.
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
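    Federico's Machine Access Restriction logic, replayed over a constructed RADIUS-style log as an added Python illustration (not ACS code and not from the thread): successful machine auths are cached by Calling-Station-Id, and each later user auth from the same MAC gets full access only if a machine auth exists within the aging window; otherwise it lands in the restricted/guest decision, which is also the outcome Darren wants for a personal device that never machine-authenticated. The log format, MAC addresses and the 24-hour window are assumptions for the demo, not ACS defaults.

```python
from datetime import datetime, timedelta

# Constructed RADIUS-style log lines for the demo (not real ACS output):
# <timestamp> <Calling-Station-Id> <User-Name> <credential result>
SAMPLE_LOG = """\
2010-09-02T15:30:01 00:11:22:33:44:55 host/WS01.INTERNAL.EXAMPLE Access-Accept
2010-09-02T15:30:45 00:11:22:33:44:55 INTERNAL\\alice Access-Accept
2010-09-02T15:31:10 66:77:88:99:aa:bb INTERNAL\\bob Access-Accept
2010-09-02T15:32:00 cc:dd:ee:ff:00:11 host/WS02.INTERNAL.EXAMPLE Access-Reject
2010-09-02T15:33:00 cc:dd:ee:ff:00:11 INTERNAL\\carol Access-Accept
2010-09-03T15:31:00 00:11:22:33:44:55 INTERNAL\\alice Access-Accept
"""


def is_machine_identity(user_name):
    """The Windows supplicant sends 'host/<FQDN>' as the identity for machine auth."""
    return user_name.startswith("host/")


def parse_line(line):
    ts, mac, user, result = line.split()
    return datetime.fromisoformat(ts), mac.lower(), user, result


def evaluate_mar(log_text, aging=timedelta(hours=24)):
    """Replay the log in order and return the MAR-style decision for every user auth.

    A user auth is granted full access only when the same Calling-Station-Id
    had a successful machine auth no older than `aging` (the assumed window).
    """
    machine_cache = {}  # Calling-Station-Id -> time of last successful machine auth
    decisions = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, mac, user, result = parse_line(raw)
        if is_machine_identity(user):
            # Only a successful machine auth populates the cache; a reject leaves no entry
            if result == "Access-Accept":
                machine_cache[mac] = ts
            continue
        if result != "Access-Accept":
            decision = "denied: user credentials rejected"
        else:
            last = machine_cache.get(mac)
            if last is None:
                decision = "restricted: no machine auth for this MAC"
            elif ts - last > aging:
                decision = "restricted: machine auth older than aging window"
            else:
                decision = "full-access"
        decisions.append({"time": ts.isoformat(), "mac": mac, "user": user, "decision": decision})
    return decisions


if __name__ == "__main__":
    for d in evaluate_mar(SAMPLE_LOG):
        print(d["time"], d["mac"], d["user"], "->", d["decision"])
```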

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not set a per user vlan and only set it per machine. But, the group mapping in ACS looked like a great way to assign Vlans based on a user's Active Directory group but it doesn't appear to recognize the different computer OU's we have. So I can assign vlan's based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the Vlan set but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups. "Domain Users" vs. "Domain Computers" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. that never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so in the middle of an auth attempt, that's a smoking gun that you might have a mis-behaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
    Hope this helps,

  • 802.1x machine auth w/ certificate authority

    Two quick questions ...
    I am building a lab for 802.1x. I want to use PEAP w/ MSCHAP v2 and I want to do machine authentication only. I have AD and CA services running on a test Windows 2003 server. I have ACS setup, my AD is connected, my switch is configured and now I am stuck on the CA portion and I am not sure if I am doing it right. I can't seem to find documentation that outlines this piece specific to the scenario I described above; perhaps someone can give me a hand.
    I browse to the CA, request a certificate >  advanced certificate request > create and submit request to this CA >
    From this point I am supposed to select a certificate template. The docs I have found say to use a "webserver" template and select the option to "export keys to file". When I attempt this the export key option is greyed out. I googled and some people say only Enterprise edition supports this; I am running Enterprise R2 so I don't see the problem. All of the other templates available allow me to export except for webserver.
    1) My question is, for the lab scenario I detailed above, what type of certificate template should I be using? If your answer is a "webserver" template can you perhaps tell me why I cannot export to a file?
    2) Do my client machines require a certificate to be installed prior to connecting to the 802.1x switch? From what I read, using PEAP MSCHAP v2 coupled with machine authentication you do not require a certificate on each machine. During initial 802.1x authentication the certificate will be pushed from the ACS over to the client. I believe the one caveat is that the client machine will need to be modified to list the new CA or ACS server as a trusted root authority. I need some clarity on this subject; I will not have the option to install a certificate on each machine prior to 802.1x auth. Please confirm.
    Any help is appreciated, thanks!
    If there are any links that someone can provide that have details on this setup please share

    I am going through this process currently also, and I can tell you what I have gathered so far.
    These notes are applicable to Machine, or Machine & User authentication, Wired and/or Wireless 802.1x.
    The certificate must be present on each client machine in order to connect.    The thing that I am finding annoying is that when we used the Microsoft IAS Radius, the certificate enrollment was seamless.   The domain clients just seemed to "automatically" have the certificate installed on their machines (pushed down by the Domain), that matches the certificate presented by the IAS Radius server during the authentication process (Of course, because it's all within the same domain).  Easy as pie, windows magic...
    But suppose we want to use Cisco ACS or our own radius server ?   Well the first thing I tried was to use a Certificate signed by our internal Linux CA.  The Windows domain administrator was not able to set up the Linux CA as a "trusted intermediate", which I don't fully understand.   Instead he asked me to purchase a certificate from a Trusted CA such as Verisign or DigiCert.  By the way I found a list of Microsoft trusted Intermediates here:
    http://social.technet.microsoft.com/wiki/contents/articles/2592.aspx
    The Windows Domain Administrator will do 3 things :
    1) Configure Certificate Auto-Enrollment Policy for the Certificate we purchase
    2) Configure the Wired & Wireless Autoconfig service settings Group Policy Objects
    3) Set the Wired Autoconfig service to start.
    I will have to
    1) Generate the CSR & import the purchased signed certificate into the ACS(s).
    Now, that said, there must be an easier way to do this!  If anyone has notes on whether or not the following is possible, it would be appreciated & interesting:
    1) Can the Windows Domain sign my CSR ?  If so - how
    2) Can the Windows Domain be configured to trust our Linux CA ? If so - how
    Good luck to you dot1xers

  • 802.1x for server authentication

    Hello everybody,
    This is the first time I write on this forum, so please excuse me if I do something wrong.
    My objective is to authenticate servers in my customer's server farm, so that no one can put an unauthorised server in place.
    I am thinking about using 802.1x machine authentication to reach my aim.
    Does anybody have experience with similar situations?
    The server platforms are:
    - Windows 2k Server
    - Windows 2k Advanced Server
    - Linux Redhat
    - IBM AIX
    Which are the applicable EAP methods for each platform?
    Has anybody experienced the use of an 802.1x client such as Meetinghouse or Funk Odyssey on the mentioned platforms?
    Thank you in advance.
    Kind regards,
    Barbara

    EAP, EAP-TLS, EAP-MS-CHAP v2, and PEAP authentication
    The support that 802.1X provides for Extensible Authentication Protocol (EAP) types allows you to choose from several different authentication methods for wireless clients and servers.
    EAP
    802.1X uses EAP for message exchange during the authentication process. With EAP, an arbitrary authentication method, such as certificates, smart cards, or credentials, is used. EAP allows for an open-ended conversation between an EAP client (such as a wireless computer) and an EAP server (such as an Internet Authentication Service (IAS) server). The conversation consists of requests for authentication information by the server and responses by the client. In order for authentication to be successful, the client and the server must use the same authentication method.
    EAP-TLS
    EAP-Transport Layer Security (TLS) is an EAP type that is used in certificate-based security environments, and it provides the strongest authentication and key determination method. EAP-TLS provides mutual authentication, negotiation of the encryption method, and encrypted key determination between the client and the authenticating server. If you want to use certificates or smart cards for user and client computer authentication, you must use EAP-TLS or, for enhanced security, Protected EAP (PEAP) with EAP-TLS.
    EAP-MS-CHAP v2
    EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) is a mutual authentication method that supports password-based user or computer authentication. During the EAP-MS-CHAP v2 authentication process, both the server and client must prove that they have knowledge of the user's password in order for authentication to succeed. With EAP-MS-CHAP v2, after successful authentication, users can change their passwords, and they are notified when their passwords expire.
    EAP-MS-CHAP v2 is available only with PEAP.
    PEAP
    PEAP is an authentication method that uses TLS to enhance the security of other EAP authentication protocols. PEAP provides the following benefits: an encryption channel to protect EAP methods running within PEAP, dynamic keying material generated from TLS, fast reconnect (the ability to reconnect to a wireless access point by using cached session keys, which allows for quick roaming between wireless access points), and server authentication that can be used to protect against the deployment of unauthorized wireless access points.

  • Sconadm timeout - Sun On-line Account authentication failed.

    Hello,
    I run Solaris 10 5/08 s10x_u5wos_10 X86, and the registration times out. See the basicreg.log below.
    I have copied the commands I used and their output. I also ran the suc.sh script and post its output at the end.
    #ping 82.98.86.176
    82.98.86.176 is alive
    #sconadm register -a -r regfile
    sconadm is running
    Authenticating user ...
    Sun On-line Account authentication failed
    failed registration!
    telnet cns-transport.sun.com 443
    Trying 198.232.168.137...
    traceroute to cns-transport.sun.com (198.232.168.137), 30 hops max, 40 byte packets
    # cat basicreg20081024111737681.log
    24.10.2008 11:17:48 com.sun.cns.basicreg.BasicReg loadPropertiesFromHomeDir
    INFO: properties file loaded from the default config.properties
    24.10.2008 11:17:48 com.sun.scn.util.Utils getLocalHostNames
    INFO: get hostname 82.98.86.176
    24.10.2008 11:17:48 com.sun.scn.util.Utils getLocalHostNames
    INFO: first returned hostname 82.98.86.176
    24.10.2008 11:17:48 com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
    INFO: SCNNetworkProxyConfigMBean.setHost() = null
    24.10.2008 11:17:48 com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
    INFO: SCNNetworkProxyConfigMBean.setPort() = null
    24.10.2008 11:17:48 com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
    INFO: SCNNetworkProxyConfigMBean.setUser() = null
    24.10.2008 11:17:48 com.sun.cns.basicreg.cacao.NetworkProxyCacaoAdapter setProxy
    INFO: SCNNetworkProxyConfigMBean.setPassword() = null
    24.10.2008 11:17:48 com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
    INFO: userName = [email protected]
    24.10.2008 11:17:48 com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
    INFO: password = *****
    24.10.2008 11:17:48 com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
    INFO: hostName =
    24.10.2008 11:17:48 com.sun.cns.basicreg.BasicRegCLI printRegistrationProfile
    INFO: portalEnabled =false
    24.10.2008 11:17:48 com.sun.cns.basicreg.BasicRegCLI run
    INFO: Authenticating user ...
    24.10.2008 11:17:48 com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter getSCNClientSession
    INFO: CREATING SCNClientSession
    24.10.2008 11:25:18 com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter loginAccount
    SCHWERWIEGEND: Error: login account exception: Connection refused to host: 82.98.86.176; nested exception is:
    java.net.ConnectException: Connection timed out
    24.10.2008 11:25:18 com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter loginAccount
    SCHWERWIEGEND:
    24.10.2008 11:25:18 com.sun.cns.basicreg.cacao.ClientLoginCacaoAdapter getLoginResult
    INFO: SCN Fault: Connection refused to host: 82.98.86.176; nested exception is:
    java.net.ConnectException: Connection timed out
    24.10.2008 11:25:18 com.sun.cns.basicreg.BasicRegCLI run
    SCHWERWIEGEND: Sun On-line Account authentication failed
    #sh suc.sh
    User: root
    Logname: root
    Freitag, 24. Oktober 2008 11:48 Uhr CST
    xxx
    smpatch settings:
    patchpro.backout.directory - ""
    patchpro.baseline.directory - /var/sadm/spool
    patchpro.download.directory - /var/sadm/spool
    patchpro.install.types - rebootafter:reconfigafter:standard
    patchpro.patch.source - https://getupdates1.sun.com/
    patchpro.patchset - current
    patchpro.proxy.host - ""
    patchpro.proxy.passwd **** ****
    patchpro.proxy.port - 8080
    patchpro.proxy.user - ""
    smpatch analyze:
    Failure: Cannot connect to retrieve detectors.jar: This system is currently unregistered and is unable to retrieve patches from the Sun Update Connection. Please register your system using the Update Manager, /usr/bin/updatemanager or provide valid Sun Online Account(SOA) credentials.
    Sun UC patch revision:
    120336-04
    121082-06
    121119-13
    121454-02
    123004-03
    123006-07
    123631-03
    123896-04
    124187-07
    Solaris release:
    Solaris 10 5/08 s10x_u5wos_10 X86
    Copyright 2008 Sun Microsystems, Inc. All Rights Reserved.
    Use is subject to license terms.
    Assembled 24 March 2008
    Solaris Kernel: Generic_127128-11
    Machine Type: i86pc
    Platform: i86pc
    Java -version:
    java version "1.5.0_14"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b03)
    Java HotSpot(TM) Client VM (build 1.5.0_14-b03, mixed mode, sharing)
    Cacao Java version:
    java-home=/usr/jdk/jdk1.5.0_14
    Software Cluster:
    CLUSTER=SUNWCall
    All ccr properties:
    Property not defined: 18
    18:
    cns.assetid:
    cns.br.SunUCenabled:
    true
    cns.ccr.keyGenPath:
    /usr/lib/cc-ccr/bin/ccrKeyGen
    cns.clientid:
    cns.httpproxy.auth:
    cns.httpproxy.ipaddr:
    cns.httpproxy.port:
    cns.regtoken:
    cns.security.password:
    cns.security.privatekey:
    cns.security.publickey:
    cns.swup.UMautolaunch:
    false
    cns.swup.autoAnalysis.enabled:
    true
    cns.swup.checkinInterval:
    2
    cns.swup.lastCheckin:
    0
    cns.swup.patchbaseline:
    current
    cns.swup.regRequired:
    true
    cns.transport.serverurl:
    patchsvr not installed.
    Sun UC package status:
    SUNWbreg not installed
    SUNWdc not installed
    Edited by: Denis_Theinert on Oct 24, 2008 4:13 AM

    I could connect to all of these hosts without problems.
    # telnet sun.com 80
    Trying 72.5.124.61...
    Connected to sun.com.
    Escape character is '^]'.
    ^CConnection to sun.com closed by foreign host.
    # telnet cns-services.sun.com 443
    Trying 198.232.168.133...
    Connected to cns-services.sun.com.
    Escape character is '^]'.
    ^CConnection to cns-services.sun.com closed by foreign host.
    # telnet getupdates1.sun.com 443
    Trying 198.232.168.136...
    Connected to getupdates1.sun.com.
    Escape character is '^]'.
    ^CConnection to getupdates1.sun.com closed by foreign host.
    # telnet a248.e.akamai.net 443
    Trying 60.254.154.75...
    Connected to a248.e.akamai.net.
    Escape character is '^]'.
    ^CConnection to a248.e.akamai.net closed by foreign host.
    #

  • Windows 2008 R2 DCs machine account password expiring

    We've a mixed Windows 2008/2003 environment across 30 connected sites. There is a mixture of 2008/2003 DCs. We've had an issue whereby when some of the Windows 2008 R2 DCs have been rebooted, they lose their trust relationship with the domain, i.e.
    we have needed to reset the Machine Account Password for the Windows 2008 R2 DC. This only happens after the reboot. Initially the problem was only occurring on one site, but now it has happened on 3 separate sites.
    Servers trying to communicate with the affected DC are generating Kerberos Event ID 4 (KRB_AP_ERR_MODIFIED).
    Any ideas what may be causing this issue?
    Marcus.

    Looks like the error indicates that the secure channel between the DCs is broken.
    Refer to the links below to fix the issue:
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e9c162cb-1e26-43e0-80df-73c491c22aac/
    http://social.technet.microsoft.com/Forums/ar/winserverDS/thread/61841544-ac49-49cc-8db0-ecc511941c95
    Also refer:
    http://blogs.technet.com/b/askds/archive/2014/07/23/it-turns-out-that-weird-things-can-happen-when-you-mix-windows-server-2003-and-windows-server-2012-r2-domain-controllers.aspx
    Devaraj G | Technical solution architect

  • SCCM Console issue, SQL connectivity login failed for SCCM machine account

    Hi ,
    As part of resolving the corrupt SCCM 2012 R2 environment, we have uninstalled the site from the standalone primary site and restored it from the last backup. The database is on a remote server on SQL 2012 SP1. Only site recovery was run.
    After the restoration I am unable to launch the SCCM console; the error is "Could not connect to the site".
    When I checked the logs in the log file SmsProv.log in program files\Microsoft Configuration manager\logs, the error is as below:
    *~*~e:\nts_sccm_release\sms\siteserver\sdk_provider\smsprov\sspobjectquery.cpp(6260) : SQL Connection attempt timed out~ SQL Error: [28000][18456][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'XXXX\ABBC$'.~*~*
    *~*~SQL Connection attempt timed out [28000][18456][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'XXXX\ABBC$'.~*~*
    <*><*> CANT CONNECT TO SQL, RETURNING ERROR <*><*>
    Regards
    Leela

    Duplicate post.
    https://social.technet.microsoft.com/Forums/en-US/6b26502b-ac07-426c-abe4-6cfdaa45b33b/sccm-console-launch-fails-sql-connectivity-issue-with-sccm-machine-account?forum=configmanagergeneral
    Garth Jones | My blogs: Enhansoft and
    Old Blog site | Twitter:
    @GarthMJ

  • SCCM console launch fails , SQL connectivity issue with SCCM machine account

    Hi ,
    As part of resolving the corrupt SCCM 2012 R2 environment, we have uninstalled the site from the standalone primary site and restored it from the last backup. The database is on a remote server on SQL 2012 SP1. Only site recovery was run.
    After the restoration I am unable to launch the SCCM console; the error is "Could not connect to the site".
    When I checked the logs in the log file SmsProv.log in program files\Microsoft Configuration manager\logs, the error is as below:
    *~*~e:\nts_sccm_release\sms\siteserver\sdk_provider\smsprov\sspobjectquery.cpp(6260) : SQL Connection attempt timed out~ SQL Error: [28000][18456][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'XXXX\ABBC$'.~*~*
    *~*~SQL Connection attempt timed out [28000][18456][Microsoft][SQL Server Native Client 11.0][SQL Server]Login failed for user 'XXXX\ABBC$'.~*~*
    <*><*> CANT CONNECT TO SQL, RETURNING ERROR <*><*>
    Regards
    Leela

    Hi Garth,
    We ran a site recovery. I checked the permissions on the SQL server and could not find the SCCM machine account in the SQL logins. Adding the SCCM machine account to the SQL logins solved the issue. As part of the recovery we only recovered the site using the site
    backup; we have not touched the SQL server, which is on a remote machine.
    Anyway, the login issue is resolved now.
    Regards
    Leela

  • 802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation

    I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1X-compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and goes into err-disable mode.
    Feb  4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
    Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
    Feb  4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
    Feb  4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
    If the port config is changed to "authentication host-mode multi-auth" and the laptop is connected to the phone, the port does not experience the security violation, but the 802.1x authentication for the laptop fails.
    The ports Gi1/0/1 & Gi1/0/2 are configured thus:
    interface GigabitEthernet1/0/1
    switchport mode access
    switchport voice vlan 20
    authentication event fail action authorize vlan 4
    authentication event no-response action authorize vlan 4
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    mab
    mls qos trust cos
    dot1x pae authenticator
    spanning-tree portfast
    sh ver
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  15.2(1)E1             C2960S-UNIVERSALK9-M
    Full config attached. Assistance will be greatly appreciated.
    Donfrico
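    An added detection example, not code from the post or from Cisco: a Python parser for IOS syslog lines of the shape shown above that flags a security-violation err-disable landing on a port within seconds of a DOT1X-5-SUCCESS for the same interface, i.e. the supplicant passed and a port-level limit tripped afterwards. The function and class names are mine, and the first SAMPLE_LOG line (the phone's earlier session, with a made-up MAC and AuditSessionID) is constructed; the other lines are from the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Cisco IOS syslog shape as in the 2960S output above, e.g.
#   "Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mne>[A-Z0-9_]+): (?P<msg>.*)$")
IFACE_RE = re.compile(r"(?:Gi|GigabitEthernet)(\d+/\d+/\d+)")      # short or long form
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")  # Cisco dotted MAC

@dataclass
class Finding:
    iface: str
    mac: Optional[str]  # client that authenticated just before the violation
    seconds_after_success: float
    note: str

def parse_line(line: str) -> Optional[dict]:
    """One IOS syslog line -> timestamp, facility, mnemonic, message, Gi-style interface, MAC."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # IOS timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
    msg = m.group("msg")
    im, mm = IFACE_RE.search(msg), MAC_RE.search(msg)
    return {"ts": ts, "facility": m.group("fac"), "mnemonic": m.group("mne"), "msg": msg,
            "iface": f"Gi{im.group(1)}" if im else None, "mac": mm.group(1) if mm else None}

def analyze(lines: List[str], window_seconds: float = 5.0) -> List[Finding]:
    """Flag a security-violation err-disable within window_seconds of a DOT1X-5-SUCCESS on
    the same port: the supplicant passed, then a port-level limit tripped, not RADIUS."""
    last_success: Dict[str, Tuple[datetime, Optional[str]]] = {}
    seen_macs: Dict[str, Set[str]] = {}
    findings: List[Finding] = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["iface"] is None:
            continue
        iface = ev["iface"]
        if ev["facility"] == "DOT1X" and ev["mnemonic"] == "SUCCESS":
            last_success[iface] = (ev["ts"], ev["mac"])
            if ev["mac"]:
                seen_macs.setdefault(iface, set()).add(ev["mac"])
        elif (ev["facility"] == "PM" and ev["mnemonic"] == "ERR_DISABLE"
              and "security-violation" in ev["msg"] and iface in last_success):
            ts, mac = last_success[iface]
            delta = (ev["ts"] - ts).total_seconds()
            if 0 <= delta <= window_seconds:
                findings.append(Finding(iface, mac, delta,
                    f"err-disable {delta:.3f}s after successful 802.1X; "
                    f"{len(seen_macs.get(iface, ()))} authenticated MAC(s) on port"))
    return findings

# Constructed sample: a phone session (made-up MAC and AuditSessionID) followed by the
# lines from the post above, captured when the laptop is plugged into the phone.
SAMPLE_LOG = [
    "Feb  4 19:15:40.310: %DOT1X-5-SUCCESS: Authentication successful for client (0000.0c12.3456) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002E000D3C01",
    "Feb  4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED",
    "Feb  4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state",
]
```

Running analyze(SAMPLE_LOG) yields one finding for Gi1/0/1 with two authenticated MACs on the port, which is the MDA voice-plus-data situation to check before touching the NPS policy.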

    I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?
