802.1x multiple-authentication issue
Hey,
I'm configuring 802.1x multiple authentication with a C3560G.
Without any timer changes, the user's MAC address is registered as a static entry in the MAC address table.
The issue is that if an authenticated user moves to a non-802.1x port, this user can't access the network due to the static MAC entry.
If I set up periodic reauthentication to solve this, PCs connected to 802.1x ports get EAP packets periodically, and users on those PCs then see the message "local area connection is connected" on the Windows taskbar. I got tons of complaints about this.
What else can I do to clear this situation?
Similar Messages
-
802.1x - ACS authentication issue.....
I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined, a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate first and therefore execute the login script.
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, whereas the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user and the IP address ends up in the wrong VLAN.
Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.
Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPPs. In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue but it worked and at the time we didn't notice any side effects. Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN they should be in based upon AD group membership from ACS.
I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the Windows supplicant. I'd like to do the same with Cisco.
As far as I can tell, there is only a server side (ACS) certificate from Thawte that is used to authenticate. -
NAP / 802.1x wired authentication issues
NAP/NPS Server = 2012R2 NPS Role installed
Client Switches: HP Proliant 5400 series
Supplicant: Windows 7 Pro domain joined, built-in Windows 802.1x supplicant.
We are using user and machine based authentication (to accommodate RDP sessions) with health checks (AV installed and Firewall enabled on all network profiles). User authentication policies are above Machine authentication policies in NPS so that when a user logs in, it supersedes the machine's authentication and switches VLANs based on the user's AD group membership. If a user or machine fails authentication, or fails the health check, they are quarantined on our 666 VLAN (We call it the Leper Colony!). Everything pretty much works... except one small thing...
PROBLEM
When a computer first boots up (maybe other times, I don't know), before presenting a user with a login screen, it gets...
This topic first appeared in the Spiceworks Community
Hi, you need machine authentication as well. Otherwise Windows will not be able to verify the user's identity and cannot log the user in. Windows authentication of the user takes place before the switch port authenticates for the user. Machine authentication allows the computer to authenticate and get access to the network before the user logs in. Thus the user authentication CAN take place, because the DCs are only available after machine authentication succeeded.
-
802.1x multiple sessions with same LOGIN+MAC on single-host port
We have 802.1x with radius server.
A c2960 configured to allow only one device per port with no MAC bypass and no critical auth.
From time to time a user seems to get multiple authentications on a single port with a single MAC address.
So we get several sessions on the port with the same login and MAC (but different session-id).
The command "dot1x re-auth int" doesn't clear those sessions. Neither does "force-unauthorized" or "shut/no shut". The only thing that helps is rebooting the switch.
Happens with different users.
Anybody seen this issue?
IOS 12.2(46)SE
Sure. Tried to make it short.
Config for 802.1x-aaa:
aaa new-model
aaa group server radius default
server X.X.X.X auth-port 12345 acct-port 12346
aaa authentication login default group radius enable
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa authorization network default local group radius
aaa authorization reverse-access default group radius
aaa accounting suppress null-username
aaa accounting update periodic 1
aaa accounting dot1x default start-stop group radius
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
aaa session-id common
dot1x system-auth-control
interface FastEthernet0/48
switchport access vlan 1398
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x violation-mode shutdown
spanning-tree portfast
spanning-tree link-type point-to-point
radius-server attribute 44 include-in-access-req
radius-server attribute 44 extend-with-addr
radius-server attribute 188 format non-standard
radius-server attribute 218 mandatory
radius-server attribute 32 include-in-accounting-req format %i %h %d
radius-server attribute 55 include-in-acct-req
radius-server attribute list att
attribute 30-31,44
radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey
radius-server vsa send accounting
sh dot1x int fa 0/48 det
Dot1x Info for FastEthernet0/48
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = SHUTDOWN
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 0
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
Dot1x Authenticator Client List Empty
Port Status = UNAUTHORIZED
And right now, while port is UNAUTHORIZED we have 2 sessions as follows:
sh aaa user all
Unique id 34974 is currently in use.
Accounting:
log=0x208241
Events recorded :
CALL START
ATTR REPLACE
NET UP
INTERIM START
VPDN NET UP
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
0244DC34 0 00000001 connect-progress(44) 4 Auth Open
0244DC48 0 00000001 pre-session-time(272) 4 0(0)
0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
0244DC70 0 00000001 input-giga-words(111) 4 2(2)
0244DC84 0 00000001 output-giga-words(250) 4 8(8)
024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000088AD Unique Id=0000889E
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
024CAA00 0 00000001 session-id(336) 4 34989(88AD)
024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
Session Id=000088AD Unique Id=0000889E
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=226B3E4 : Name = default
Attribute list:
0244DB94 0 00000001 session-id(336) 4 34989(88AD)
0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032FD8
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 993512241 Start Bytes Out = 3867828098
Start Paks In = 23586320 Start Paks Out = 28511581
Byte/Packet Counts till Service Up:
Pre Bytes In = 993519614 Pre Bytes Out = 3867836302
Pre Paks In = 23586388 Pre Paks Out = 28511642
Cumulative Byte/Packet Counts :
Bytes In = 1112561235 Bytes Out = 3160900227
Paks In = 69526526 Paks Out = 75491430
StartTime = 16:22:08 GMT+5 Jan 23 2012
AuthenTime = 16:22:08 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 0000889E
Session Id = 000088AD
Attribute List:
024A8C10 0 00000001 port-type(174) 4 Ethernet
024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
Unique id 34976 is currently in use.
Accounting:
log=0x10000208241
Events recorded :
CALL START
ATTR REPLACE
NET UP
INTERIM START
VPDN NET UP
SESSION INFO
update method(s) :
PERIODIC
update interval = 60
Outstanding Stop Records : 0
Dynamic attribute list:
024CAA00 0 00000001 connect-progress(44) 4 Auth Open
024CAA14 0 00000001 pre-session-time(272) 4 2(2)
024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
024CAA50 0 00000001 output-giga-words(250) 4 8(8)
024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=000088AF Unique Id=000088A0
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
024A8C10 0 00000001 session-id(336) 4 34991(88AF)
024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
8: Username=157102
Session Id=000088AF Unique Id=000088A0
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=226B3E4 : Name = default
Attribute list:
024CAA00 0 00000001 session-id(336) 4 34991(88AF)
024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 11
No data for type 12
No data for type CALL
No data for type VPDN-TUNNEL
No data for type VPDN-TUNNEL-LINK
Debg: No data available
Radi: 2032F58
Interface:
TTY Num = -1
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 993533200 Start Bytes Out = 3867849339
Start Paks In = 23586534 Start Paks Out = 28511761
Byte/Packet Counts till Service Up:
Pre Bytes In = 993539419 Pre Bytes Out = 3867856344
Pre Paks In = 23586593 Pre Paks Out = 28511812
Cumulative Byte/Packet Counts :
Bytes In = 1112561235 Bytes Out = 3160900227
Paks In = 69526526 Paks Out = 75491430
StartTime = 16:22:18 GMT+5 Jan 23 2012
AuthenTime = 16:22:19 GMT+5 Jan 23 2012
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
Kerb: No data available
Meth: No data available
PreA: No data available
General:
Unique Id = 000088A0
Session Id = 000088AF
Attribute List:
0244DB94 0 00000001 port-type(174) 4 Ethernet
0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
PerU: No data available
PS. I have no "show authentication" command. -
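The "show aaa user all" dump above is long, and the symptom (two DOT1X records for the same login and MAC on the same port, with different Session Ids) is easy to miss by eye. The following is an added example, not code from the post or from Cisco: a small parser that splits that output into records and flags exactly that condition, which makes it usable as a periodic check across a fleet of switches. The sample output embedded in it is constructed from the fields shown above (same user, MAC and port, plus one normal single session on a made-up Fa0/47); it is not a copy of the full dump.

```python
import re
from collections import defaultdict

# Constructed sample: an abbreviated "show aaa user all" output with only the
# fields this script cares about. Two records mirror the thread (user 157102,
# MAC 48-5B-39-EA-26-7C on Fa0/48, different Session Ids); the third is a
# made-up healthy session on Fa0/47 that must not be flagged.
SAMPLE_OUTPUT = """\
Unique id 34974 is currently in use.
Accounting:
NET: Username=(n/a)
Session Id=000088AD Unique Id=0000889E
8: Username=157102
Session Id=000088AD Unique Id=0000889E
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
General:
024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
Unique id 34976 is currently in use.
Accounting:
NET: Username=(n/a)
Session Id=000088AF Unique Id=000088A0
8: Username=157102
Session Id=000088AF Unique Id=000088A0
Component = DOT1X
Authen: service=8021X type=EAP method=RADIUS
General:
0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
Unique id 34980 is currently in use.
Accounting:
NET: Username=(n/a)
Session Id=000088B3 Unique Id=000088A4
8: Username=157555
Session Id=000088B3 Unique Id=000088A4
Component = DOT1X
General:
0244DC10 0 00000009 interface(170) 16 FastEthernet0/47
0244DC24 0 00000009 clid(37) 17 00-11-22-33-44-55
"""

# Every accounting record starts with this banner line.
RECORD_START = re.compile(r"^Unique id (\d+) is currently in use\.", re.M)


def parse_aaa_users(text):
    """Split 'show aaa user all' output into one dict per accounting record."""
    starts = list(RECORD_START.finditer(text))
    records = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end]

        def grab(pattern):
            found = re.search(pattern, body, re.M)
            return found.group(1) if found else None

        records.append({
            "unique_id": int(m.group(1)),
            # "NET: Username=(n/a)" is skipped; the numbered line carries the login
            "username": grab(r"^\d+: Username=(\S+)"),
            "session_id": grab(r"Session Id=([0-9A-Fa-f]+)"),
            "component": grab(r"^Component = (\S+)"),
            # attribute lines look like "<addr> 0 <flags> interface(170) 16 FastEthernet0/48"
            "interface": grab(r"interface\(170\)\s+\d+\s+(\S+)"),
            # clid(37) is the Calling-Station-Id, i.e. the supplicant's MAC
            "mac": grab(r"clid\(37\)\s+\d+\s+(\S+)"),
        })
    return records


def find_duplicate_sessions(records):
    """Return {(username, interface, mac): [session ids]} for dot1x sessions that
    share login + MAC + port but carry different Session Ids."""
    by_key = defaultdict(set)
    for r in records:
        if r["component"] != "DOT1X" or not r["username"]:
            continue
        by_key[(r["username"], r["interface"], r["mac"])].add(r["session_id"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    dups = find_duplicate_sessions(parse_aaa_users(SAMPLE_OUTPUT))
    for (user, iface, mac), sessions in dups.items():
        print(f"{user} on {iface} ({mac}) has {len(sessions)} sessions: {', '.join(sessions)}")
```

Feed it the real command output (captured over SSH, for instance) instead of SAMPLE_OUTPUT; any key that comes back with more than one Session Id is a port worth looking at before the only remaining fix is a reboot.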
We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and after entering credentials can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of User authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
Thank you for any help or ideas,
When connecting a Windows device to the ISE-enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1x computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with. -
Multiple authentication sources with the same category
Quote from portal help:
"Multiple authentication sources can use the same category. However, because the prefix is prepended to the user and group names, you need to be certain that the domains involved do not have different users or groups with the same name. That is, if a LizaR user exists on one domain, and a LizaR user exists on another domain, they must be the same user because only one user will be created."
Fine, let's say I am "certain that the domains involved do not have different users or groups with the same name".
But there is another concern I have here. I want to know how the portal will RECOGNIZE which authentication source to use.
Let's say I have 2 auth sources AS1 and AS2 with the same category MyAuth. AS1 uses WS1 to authenticate against LDAP1 and AS2 uses WS2 to authenticate against LDAP2.
Now, I have a user - Dmitry. I am trying to log in to the portal and I selected AS1 to do the actual authentication. My question is how the portal will CHOOSE which auth source to use, because all the portal knows about me is <MyAuth\Dmitry>, which came from the portal login screen. Both auth sources match this pattern, so it seems like the portal may choose either of them.
Does it mean that the portal will try to authenticate against AS1 and, if this attempt fails, then against AS2?
I didn't find any explanation in the portal documentation.
Thank you.
Edited by Bryazgin at 12/12/2007 10:42 AM
Yes, it seems you are right. As soon as the portal has found the CORRECT user there is no issue anymore, because the user is bound to the unique auth source that was actually used to create this user.
I think my main confusion comes from the fact that having <Category> and <UserName> is not enough to UNIQUELY identify a user in the portal, as soon as <Category> can be the SAME for different auth sources.
Let's say you have a user created by AS1. According to the API, this user created by AS1 will have 4 different names, like sUniqueName, sAuthenticationName, sLoginName and sDisplayName. But the portal is going to search for the user in the portal database BASED on the information that is available in the login form - <Category> and <User Name>. At this point the portal has no idea about sUniqueName and all these things.
Now if there were 2 users in the database that had been created by 2 different auth sources with the same <Category> and <User Name>, then I don't understand how the portal will figure out which user to choose. I guess the <Category> value somehow MUST participate in the sUniqueName value. <Category> has to be involved in the process of finding the user in the database. In this scenario 2 users will be retrieved from the database and, what is important, these 2 users are different; they were created by different auth sources. Now the question becomes: which user is the CORRECT one?
Edited by Bryazgin at 12/12/2007 1:34 PM -
How to get rid of 802.1x 'Default Authentication'?
Hi All,
Every time I close my MBP's lid, put it to sleep, or simply turn it on, my Wi-Fi is no longer connected.
This all started ever since I decided to 'Turn Off Wifi' for the very first time since I got my MBP this year, 2011, in June.
Whenever I do any of the above (put the MBP to sleep, etc.) and then get back to working, my Safari says I'm not connected to the internet.
And I see my Wifi signal "blinking" and trying to connect. So I go to my Network preferences and see this:
There's that '802.1X: Default Authenticating' that appears below my wireless network's name..
After which I have to Disconnect twice - once before it tries to "authenticate" again, and then a 2nd time, and then it stops completely.
Then i have to proceed to click and choose my network again and re-enter my password just to get the Airport/Wifi working again..
Someone please give me a solution to get my Wifi to automatically connect whenever I switch on my MBP - and to get rid of this annoying 802.1X which does nothing and just continues to try and "authenticate" with no result.
It would be very very much appreciated! Thank You!
PS. I did read somewhere online about 802.11g newer wireless network cards and how they may have issues with an 802.1x network, etc.
Don't really understand it though. Please explain if you could. Cheers
Realized that OSX Lion has re-prioritized my Wi-Fi to the bottom of the list.
What I had to do was place it in first priority again in Network settings.
Quite a disappointment from OSX Lion since in OS Snow Leopard that was the default setting - and certainly a hassle for newbie Mac users like myself who may be clueless when faced with these "issues"
Also attached above is the picture that for some strange reason disappeared in the original post.. -
ACS 5.2 Authentication Issue with Local & Global ADs
Hi, I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
- Wireless Users >> Cisco WLC >> ADs <-- everything OK
- Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
Last time I tested with ACS it worked, but we didn't do the migration as there would be changes to the ADs.
Now my customer wants the ACS migration by creating a new group in AD; I also updated the ACS config.
For the user from the old group, authentication is ok.
For a user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.
It seems like ACS is querying old records (its own cache or database). I already restarted the ACS but still get the same error.
Can anyone advise on how to troubleshoot the issue?
Note: My customer can only access their local ADs (trusted by the global ADs). The local ADs and ACS are in the same network, so ACS should go to the local AD first.
How can we check or make sure of it?
Thanks ahead,
Ye
Hello,
There is an enhancement request open already:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
ACS should be able to query only desired DCs
Symptom:
Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change in this behavior.
It should be possible to define which DCs to contact and/or make ACS to interpret DNS Resource Records Registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
Conditions:
Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
Workaround:
Make sure ALL DCs are UP and reachable from the ACS.
At the moment, we cannot determine which Domain Controller in the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact in an AD Domain.
Hope this clarifies it.
Regards. -
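The enhancement request above asks for two things: that the server honour the SRV records AD publishes for its domain controllers (RFC 2782), and that it not declare the whole domain failed because one unreachable DC exists. As an added example, not part of the reply and not ACS code, the script below shows what that would look like: it parses an SRV answer, orders the targets by the RFC 2782 priority/weight rules, and lets the caller restrict candidates to the DCs that are actually reachable from where it runs. The records are constructed for a made-up domain (example.test); the reachability set is likewise an assumption supplied by the caller, not a probe.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer for the AD domain-controller locator record of a
# fictional domain. Two DCs share priority 0, a third "remote" DC is also
# priority 0 but sits behind a firewall, and a backup DC has priority 10.
SAMPLE_SRV_ANSWER = """\
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc1.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc2.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 0 100 389 dc-remote.example.test.
_ldap._tcp.dc._msdcs.example.test. 600 IN SRV 10 0 389 dc-backup.example.test.
"""


def parse_srv(answer):
    """Parse zone-file style SRV lines: owner ttl class type priority weight port target."""
    records = []
    for line in answer.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3] != "SRV":
            continue
        records.append(SrvRecord(int(fields[4]), int(fields[5]), int(fields[6]),
                                 fields[7].rstrip(".")))
    return records


def order_by_rfc2782(records, rng):
    """Lowest priority first; within a priority, weighted random selection
    exactly as RFC 2782 describes (weight-0 entries are listed first so they
    are picked least often)."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        pool.sort(key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def select_dcs(answer, reachable=None, seed=None):
    """Return (host, port) pairs to try in order. If 'reachable' is given, DCs
    outside that set are dropped up front instead of poisoning the whole
    domain connection, which is the behaviour the bug report asks for."""
    records = parse_srv(answer)
    if reachable is not None:
        records = [r for r in records if r.target in reachable]
    return [(r.target, r.port) for r in order_by_rfc2782(records, random.Random(seed))]


if __name__ == "__main__":
    # Assumed reachability from the ACS's network segment (constructed).
    local = {"dc1.example.test", "dc2.example.test", "dc-backup.example.test"}
    for host, port in select_dcs(SAMPLE_SRV_ANSWER, reachable=local):
        print(f"try {host}:{port}")
```

With the firewalled dc-remote filtered out, dc1 and dc2 come first in a random order and dc-backup is only tried after both of them, which is the contact order the two ACS customers in the thread would want.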
Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010
Hi
My company has implemented 802.1x wired authentication; we use GPO to specify a Wired Profile that uses a COMPUTER certificate.
We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
This issue only occurs intermittently, but it has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995, KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the issue still occurs.
Hi,
From the description, you suspect the DHCP request causes this issue. Would you please send us the packets, since it seems that you have looked into the traffic and found some clues?
Meanwhile, I found the following hotfix which may be related to this issue.
No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
Next Action Plan:
1.Clean Boot
a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
b. In the Startup tab, click the "Disable All" button.
c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
======================================================
Clean Boot + binary search
In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
You can enable half of all the services in the Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until we find out the root cause. Please let me know if this action plan is OK for you.
2.Collect etl trace on the problematic client.
netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
****Try to reproduce this issue****
netsh trace stop
Please send the net.etl to us for underlying analysis.
For any concerns, please let us know.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
802.1x port authentication and Windows Radius, possible?
Hello,
I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? You see, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
Thanks
Andy:
Yes, of course you can use whatever RADIUS server as an AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS ... etc.
If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or on Google to help yourself.
See this link, it could be useful for you: https://supportforums.cisco.com/thread/2090403
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
802.1x and Authentication Methods
Hi,
I have ACS 5.2, Cisco 4507 switches and AD domain environment.
Planning on performing only machine authentication and not user authentication.
I have the following type of devices:
1. Windows XP SP3 and higher on the AD Domain
2. Devices to be installed with third-party supplicants as they natively don't support 802.1x.
If I ignore device type 2, and only consider device type 1, am I able to simply configure 802.1x for authentication based on machine against AD, without having to use any certificates at all?
Taking device type 2 into account, given the devices are not on the domain and I don't want to manually enter details into ACS, will I need to use certificates for authentication?
Thanks
Hi,
> Using PEAP wouldn't I need a certificate installed on the ACS? Or can it work without any certificate at all?
[ANS] Yes, you always need a certificate on the ACS but it can be a self-signed certificate that you can do with 2 clicks on the ACS itself. On the client machines you only have to make sure that you have the supplicant configured to not "Validate server certificate" so that you do not have any further complication with certs.
> I was thinking, for devices that are not on the domain, to load a certificate on the machine.
If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
[ANS] Yes, you can. Non-domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the devices' certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate; the ACS simply checks the CA that issued the cert and if it is trusted, it will accept the authentication.
In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Radius server for 802.1x port authentication
Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
Thanks
Check connectivity between the PIX and the server.
If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
aaa-server group_tag (if_name) host server_ip key timeout 5
If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
Ensure that the secret key is correct.
Check the server logs for failed attempts. All servers have some kind of logging function. -
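The "ensure that the secret key is correct" step above is checked by the RADIUS protocol itself: every reply carries a Response Authenticator, MD5 over the reply header, the Request Authenticator the NAS sent, the reply's attributes and the shared secret (RFC 2865). As an added example (not code from the thread or from the PIX), this builds an Access-Accept the way a server would and verifies it the way the NAS does, with the right secret, a mistyped secret and a tampered attribute. The secret, the Request Authenticator and the Reply-Message text are constructed values.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// RADIUS constants from RFC 2865: Access-Accept code and the fixed header size.
const (
	codeAccessAccept = 2
	headerLen        = 20
)

// responseAuthenticator computes MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
// the value the server places in bytes 4..19 of every response.
func responseAuthenticator(code, id byte, length uint16, requestAuth [16]byte, attrs, secret []byte) [16]byte {
	h := md5.New()
	h.Write([]byte{code, id, byte(length >> 8), byte(length)})
	h.Write(requestAuth[:])
	h.Write(attrs)
	h.Write(secret)
	var out [16]byte
	copy(out[:], h.Sum(nil))
	return out
}

// BuildResponse assembles a RADIUS response as the server would.
func BuildResponse(code, id byte, requestAuth [16]byte, attrs, secret []byte) []byte {
	length := uint16(headerLen + len(attrs))
	pkt := make([]byte, headerLen+len(attrs))
	pkt[0], pkt[1] = code, id
	binary.BigEndian.PutUint16(pkt[2:4], length)
	auth := responseAuthenticator(code, id, length, requestAuth, attrs, secret)
	copy(pkt[4:20], auth[:])
	copy(pkt[20:], attrs)
	return pkt
}

// VerifyResponse is the check the NAS (here the PIX) performs on a reply: it
// recomputes the authenticator with its own copy of the secret and the Request
// Authenticator it sent. A mismatch means a wrong key on one side, or a reply
// that was altered or forged in transit; either way the reply must be dropped.
func VerifyResponse(pkt []byte, requestAuth [16]byte, secret []byte) bool {
	if len(pkt) < headerLen {
		return false
	}
	length := binary.BigEndian.Uint16(pkt[2:4])
	if int(length) < headerLen || int(length) > len(pkt) {
		return false
	}
	want := responseAuthenticator(pkt[0], pkt[1], length, requestAuth, pkt[headerLen:length], secret)
	return subtle.ConstantTimeCompare(want[:], pkt[4:20]) == 1
}

// Demo constructs an Access-Accept and checks it with the right secret, with a
// mistyped secret, and after one attribute byte has been altered.
func Demo() (rightKey, wrongKey, tampered bool) {
	secret := []byte("constructed-shared-secret")
	// Constructed; in a real exchange the NAS picks a fresh random value per request.
	requestAuth := [16]byte{0xde, 0xad, 0xbe, 0xef, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb}
	// One Reply-Message attribute (type 18): type, total length, text.
	msg := []byte("welcome")
	attrs := append([]byte{18, byte(2 + len(msg))}, msg...)
	pkt := BuildResponse(codeAccessAccept, 7, requestAuth, attrs, secret)

	rightKey = VerifyResponse(pkt, requestAuth, secret)
	wrongKey = VerifyResponse(pkt, requestAuth, []byte("constructed-shared-secrat"))
	altered := append([]byte(nil), pkt...)
	altered[len(altered)-1] ^= 0x01 // flip one bit in the attribute payload
	tampered = VerifyResponse(altered, requestAuth, secret)
	return
}

func main() {
	r, w, t := Demo()
	fmt.Println("right secret:", r, "| wrong secret:", w, "| tampered reply:", t)
}
```

A mismatched secret therefore shows up on the NAS as replies that are silently discarded (the client sees a timeout rather than a reject), which is why the key check comes right after the port check in the list above.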
802.1X Port Authentication\ACS Question
Hello,
I'm troubleshooting a 3560 port authentication issue. From what I was told by other members of my team, when we upgraded to Windows 7 at this site authentication no longer works. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
I have only been dealing with 802.1x for a short time and my other configs have this command. My question is: without this command could there still have been port authentication working? On an interface, for example, they do have the following, which are in line with my other configs. FYI, I didn't set this site up and it has the rest of the config correct, like radius and aaa. When I went onsite to test I shut down the service on my laptop for 802.1x, which should have blocked me, so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch, but it showed I connected using PAP_ASCII. I'm not sure how this protocol got used since we don't use that. Thanks for any suggestions you might have.
dot1x pae authenticator
dot1x port-control auto
dot1x host-mode multi-host
dot1x violation-mode protect
dot1x reauthentication
aaa new-model
aaa authentication password-prompt PASSCODE---->
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common
I have a little more to add. I was looking in the ACS and did find PAP_ASCII checked, so at my home office, which I know port security to be working at (at least that's what I thought), I turned off wired auto config and could still get on, and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on, but my question becomes: if 802.1x is set up on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings, I can still get on the network. Is this the correct behavior for this setup?
Thanks, -
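An added example, not from the thread: a small audit of an IOS running-config for the situation described above, where interfaces carry dot1x commands but the global configuration does not. On Cisco IOS the per-interface dot1x commands have no effect until `dot1x system-auth-control` is enabled globally, and the switch needs an `aaa authentication dot1x` method list to forward EAP credentials to RADIUS; the `aaa authentication login default group radius local` line in the post governs administrative login to the switch, not 802.1X, so the audit looks for the dot1x method list specifically. The sample config is constructed from the post's snippets with an assumed interface name.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// SampleConfig is constructed from the snippets in the post above: the
// interface carries the dot1x commands, the global enable command is absent.
const SampleConfig = `aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local
aaa session-id common
!
interface GigabitEthernet0/1
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x violation-mode protect
 dot1x reauthentication
!
`

// AuditDot1x scans an IOS config and returns findings for global settings that
// are missing although one or more interfaces are configured for dot1x. It
// returns nil when no interface uses dot1x at all.
func AuditDot1x(config string) []string {
	seen := map[string]bool{}
	var dot1xInterfaces []string
	var current string
	inInterface, aaaNewModel, globalEnabled, dot1xMethodList := false, false, false, false

	sc := bufio.NewScanner(strings.NewReader(config))
	for sc.Scan() {
		raw := sc.Text()
		line := strings.TrimSpace(raw)
		indented := strings.HasPrefix(raw, " ")
		if !indented {
			// Any non-indented line ("!", a global command, another interface) ends the block.
			inInterface = strings.HasPrefix(line, "interface ")
			if inInterface {
				current = strings.TrimPrefix(line, "interface ")
				continue
			}
		}
		if inInterface {
			if strings.HasPrefix(line, "dot1x ") && !seen[current] {
				seen[current] = true
				dot1xInterfaces = append(dot1xInterfaces, current)
			}
			continue
		}
		switch {
		case line == "aaa new-model":
			aaaNewModel = true
		case line == "dot1x system-auth-control":
			globalEnabled = true
		case strings.HasPrefix(line, "aaa authentication dot1x "):
			dot1xMethodList = true
		}
	}

	if len(dot1xInterfaces) == 0 {
		return nil
	}
	var findings []string
	if !aaaNewModel {
		findings = append(findings, "missing 'aaa new-model'")
	}
	if !globalEnabled {
		findings = append(findings, fmt.Sprintf(
			"missing global 'dot1x system-auth-control': dot1x on %s is not enforced",
			strings.Join(dot1xInterfaces, ", ")))
	}
	if !dot1xMethodList {
		findings = append(findings, "missing 'aaa authentication dot1x default group radius' method list")
	}
	return findings
}

func main() {
	for _, f := range AuditDot1x(SampleConfig) {
		fmt.Println("FINDING:", f)
	}
}
```

Run against the sample it reports two findings; prepend the two missing global commands and it reports none. It is a quick way to compare the old and new configs the poster mentions without reading them line by line.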
802.1X Inaccessible Authentication Bypass
On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available. The interface configuration mode command is supposed to be "dot1x critical".
Has it changed to something else in this version of IOS?
The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.html
Hello Prashant
Can you post the port configurations here? Have you configured the critical port, radius parameters etc., and does the switch recognize that the radius server is down?
I think this is more to do with the design of the entire dot1x authentication. I have tried this in labs and have had tough times generating these scenarios; we would hardly be able to justify this feature on the network. I think it is highly advisable to have dual radius servers (or even more than 2), and configure the switches with standby radius servers. I really wouldn't want my network enabled with 802.1x and having issues contacting the radius server; even though we have options and solutions to overcome it, I wouldn't want too many complications on the 802.1x front.
Hope this helps. All the best. Rate replies if found useful.
Raj -
802.1x wired authentication via PEAP, MD5
Hi everyone,
Thank you for taking the time to read this. I am implementing a security solution and wanted to take the benefit of implementing 802.1x over wire. I have been searching a bit, but there is not much info from start to finish on how to implement this solution.
I would really appreciate it if someone could point me somewhere to find detailed instructions on how to do this, as so far I have been configuring it in multiple ways but with no result out of it. Still an orange port color on my switch, which means the first
hop of security works but the next does not.
Thank you in advance for reading this.
Hi,
According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP or MD5 and need instructions about this.
Some articles and just for your reference:
802.1X Authenticated Wired Access Overview
https://technet.microsoft.com/en-us/library/hh831831.aspx
802.1X Authenticated Wired Access Design Guide
https://technet.microsoft.com/library/dd378864(WS.10).aspx
IEEE 802.1X Wired Authentication
https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]