802.1x multiple-authentication issue

Hey,
I'm configuring 802.1x multiple authentication on a C3560G.
Without any timer changes, the user's MAC address is registered as a static entry in the MAC address table.
The issue is that if an authenticated user moves to a non-802.1x port, this user can't access the network because of the static MAC entry.
If I set up periodic reauthentication to solve this, the PCs connected to 802.1x ports receive EAP packets periodically, and the users on those PCs then see the message "Local Area Connection is connected" on the Windows taskbar. I got a ton of complaints about this.
What else can I do to clear up this situation?


Similar Messages

  • 802.1x - ACS authentication issue.....

    I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to an ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place, so I'm trying to piece it together. The ACS is set up to map to AD for specific groups.
    In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined: a general one for most users and two others (let's call them INT1 and INT2) that place users on separate IP networks. The reason for this is that those IP networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the VLANs associated with those separate IP networks.
    Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place. After some troubleshooting and the realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate first and therefore execute the login script.
    Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) who should be placed in the VLANs associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates, before the user logs on, it shows in ACS as host/xxxxx.yyyy.org, whereas the user authentication shows as xxxxx/username. So some of the computers never change from authenticating as a host to a user, and the IP address ends up in the wrong VLAN.
    Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.

    Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
    The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPPs. In the past ONLY user authentication was being used, which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue, but it worked and at the time we didn't notice any side effects. Although now we are seeing users end up in the wrong VLANs, and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication), which drops them into the default VLAN instead of the VLAN they should be in based upon AD group membership from ACS.
    I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the Windows supplicant. I'd like to do the same with Cisco.
    As far as I can tell, there is only a server-side (ACS) certificate from Thawte that is used to authenticate.

  • NAP / 802.1x wired authentication issues

    NAP/NPS Server = 2012R2 NPS Role installed
    Client Switches: HP Proliant 5400 series
    Supplicant: Windows 7 Pro domain joined, built-in Windows 802.1x supplicant.
    We are using user and machine based authentication (to accommodate RDP sessions) with health checks (AV installed and Firewall enabled on all network profiles). User authentication policies are above Machine authentication policies in NPS so that when a user logs in, it supersedes the machine's authentication and switches VLANs based on the user's AD group membership. If a user or machine fails authentication, or fails the health check, they are quarantined on our 666 VLAN (We call it the Leper Colony!). Everything pretty much works... except one small thing...
    PROBLEM
    When a computer first boots up (maybe other times, I don't know), before presenting a user with a login screen, it gets...
    This topic first appeared in the Spiceworks Community

    Hi, you need machine authentication as well. Otherwise Windows will not be able to verify the user's identity and cannot log the user in. Windows authentication of the user takes place before the switchport authenticates for the user. Machine authentication allows the computer to authenticate and get access to the network before the user logs in. Thus the user authentication CAN take place, because the DCs are only available after machine authentication succeeded.

  • 802.1x multiple sessions with same LOGIN+MAC on single-host port

    We have 802.1x with a RADIUS server.
    A c2960 is configured to allow only one device per port, with no MAC bypass and no critical auth.
    From time to time a user seems to get multiple authentications on a single port with a single MAC address.
    So we get several sessions on the port with the same login and MAC (but different session-ids).
    The command "dot1x re-auth int" doesn't clear those sessions. Neither does "force-unauthorized" or "shut/no shut". The only thing that helps is rebooting the switch.
    It happens with different users.
    Anybody seen this issue?
    IOS 12.2(46)SE

    Sure. Tried to make it short.
    Config for 802.1x-aaa:
    aaa new-model
    aaa group server radius default
      server X.X.X.X auth-port 12345 acct-port 12346
    aaa authentication login default group radius enable
    aaa authentication dot1x default group radius
    aaa authorization exec default group radius if-authenticated
    aaa authorization network default local group radius
    aaa authorization reverse-access default group radius
    aaa accounting suppress null-username
    aaa accounting update periodic 1
    aaa accounting dot1x default start-stop group radius
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa session-id common
    dot1x system-auth-control
    interface FastEthernet0/48
    switchport access vlan 1398
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode shutdown
    spanning-tree portfast
    spanning-tree link-type point-to-point
    radius-server attribute 44 include-in-access-req
    radius-server attribute 44 extend-with-addr
    radius-server attribute 188 format non-standard
    radius-server attribute 218 mandatory
    radius-server attribute 32 include-in-accounting-req format %i %h %d
    radius-server attribute 55 include-in-acct-req
    radius-server attribute list att
    attribute 30-31,44
    radius-server host X.X.X.X auth-port 12345 acct-port 12346 key keykeykey
    radius-server vsa send accounting
    sh dot1x int fa 0/48 det
    Dot1x Info for FastEthernet0/48
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    Violation Mode            = SHUTDOWN
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    Dot1x Authenticator Client List Empty
    Port Status               = UNAUTHORIZED
    And right now, while port is UNAUTHORIZED we have 2 sessions as follows:
    sh aaa user all
    Unique id 34974 is currently in use.
    Accounting:
      log=0x208241
      Events recorded :
        CALL START
        ATTR REPLACE
        NET UP
        INTERIM START
        VPDN NET UP
      update method(s) :
        PERIODIC
      update interval = 60
      Outstanding Stop Records : 0
      Dynamic attribute list:
        0244DC34 0 00000001 connect-progress(44) 4 Auth Open
        0244DC48 0 00000001 pre-session-time(272) 4 0(0)
        0244DC5C 0 00000001 elapsed_time(339) 4 4828941(49AF0D)
        0244DC70 0 00000001 input-giga-words(111) 4 2(2)
        0244DC84 0 00000001 output-giga-words(250) 4 8(8)
        024A8C10 0 00000001 bytes_in(112) 4 119041621(7186E55)
        024A8C24 0 00000001 bytes_out(252) 4 3588031221(D5DD02F5)
        024A8C38 0 00000001 pre-bytes-in(268) 4 7373(1CCD)
        024A8C4C 0 00000001 pre-bytes-out(269) 4 8204(200C)
        024A8C60 0 00000001 paks_in(113) 4 45940138(2BCFDAA)
        024A8CB0 0 00000001 paks_out(253) 4 46979788(2CCDACC)
        024A8CC4 0 00000001 pre-paks-in(270) 4 68(44)
        024A8CD8 0 00000001 pre-paks-out(271) 4 61(3D)
      No data for type EXEC
      No data for type CONN
      NET: Username=(n/a)
        Session Id=000088AD Unique Id=0000889E
        Start Sent=0 Stop Only=N
        stop_has_been_sent=N
        Method List=0
        Attribute list:
          024CAA00 0 00000001 session-id(336) 4 34989(88AD)
          024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
      No data for type CMD
      No data for type SYSTEM
      No data for type RM CALL
      No data for type RM VPDN
      No data for type AUTH PROXY
      8: Username=157102
        Session Id=000088AD Unique Id=0000889E
        Start Sent=1 Stop Only=N
        stop_has_been_sent=N
        Method List=226B3E4 : Name = default
        Attribute list:
          0244DB94 0 00000001 session-id(336) 4 34989(88AD)
          0244DBA8 0 00000001 start_time(342) 4 Jan 23 2012 16:22:08
          0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
      No data for type IPSEC-TUNNEL
      No data for type RESOURCE
      No data for type 11
      No data for type 12
      No data for type CALL
      No data for type VPDN-TUNNEL
      No data for type VPDN-TUNNEL-LINK
    Debg: No data available
    Radi: 2032FD8
    Interface:
      TTY Num = -1
      Stop Received = 0
      Byte/Packet Counts till Call Start:
        Start Bytes In = 993512241     Start Bytes Out = 3867828098
        Start Paks  In = 23586320      Start Paks  Out = 28511581
      Byte/Packet Counts till Service Up:
        Pre Bytes In = 993519614     Pre Bytes Out = 3867836302
        Pre Paks  In = 23586388      Pre Paks  Out = 28511642
      Cumulative Byte/Packet Counts :
        Bytes In = 1112561235    Bytes Out = 3160900227
        Paks  In = 69526526      Paks  Out = 75491430
      StartTime = 16:22:08 GMT+5 Jan 23 2012
      AuthenTime = 16:22:08 GMT+5 Jan 23 2012
      Component = DOT1X
    Authen: service=8021X type=EAP method=RADIUS
    Kerb: No data available
    Meth: No data available
    PreA: No data available
    General:
      Unique Id = 0000889E
      Session Id = 000088AD
      Attribute List:
        024A8C10 0 00000001 port-type(174) 4 Ethernet
        024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
        024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
        024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
    PerU: No data available
    Unique id 34976 is currently in use.
    Accounting:
      log=0x10000208241
      Events recorded :
        CALL START
        ATTR REPLACE
        NET UP
        INTERIM START
        VPDN NET UP
        SESSION INFO
      update method(s) :
        PERIODIC
      update interval = 60
      Outstanding Stop Records : 0
      Dynamic attribute list:
        024CAA00 0 00000001 connect-progress(44) 4 Auth Open
        024CAA14 0 00000001 pre-session-time(272) 4 2(2)
        024CAA28 0 00000001 elapsed_time(339) 4 4828961(49AF21)
        024CAA3C 0 00000001 input-giga-words(111) 4 2(2)
        024CAA50 0 00000001 output-giga-words(250) 4 8(8)
        024CAAA0 0 00000001 bytes_in(112) 4 119021816(71820F8)
        024CAAB4 0 00000001 bytes_out(252) 4 3588011179(D5DCB4AB)
        024CAAC8 0 00000001 pre-bytes-in(268) 4 6219(184B)
        024CAADC 0 00000001 pre-bytes-out(269) 4 7005(1B5D)
        024CAAF0 0 00000001 paks_in(113) 4 45939933(2BCFCDD)
        0244DB94 0 00000001 paks_out(253) 4 46979618(2CCDA22)
        0244DBA8 0 00000001 pre-paks-in(270) 4 59(3B)
        0244DBBC 0 00000001 pre-paks-out(271) 4 51(33)
      No data for type EXEC
      No data for type CONN
      NET: Username=(n/a)
        Session Id=000088AF Unique Id=000088A0
        Start Sent=0 Stop Only=N
        stop_has_been_sent=N
        Method List=0
        Attribute list:
          024A8C10 0 00000001 session-id(336) 4 34991(88AF)
          024A8C24 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
      No data for type CMD
      No data for type SYSTEM
      No data for type RM CALL
      No data for type RM VPDN
      No data for type AUTH PROXY
      8: Username=157102
        Session Id=000088AF Unique Id=000088A0
        Start Sent=1 Stop Only=N
        stop_has_been_sent=N
        Method List=226B3E4 : Name = default
        Attribute list:
          024CAA00 0 00000001 session-id(336) 4 34991(88AF)
          024CAA14 0 00000001 start_time(342) 4 Jan 23 2012 16:22:18
          024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
      No data for type IPSEC-TUNNEL
      No data for type RESOURCE
      No data for type 11
      No data for type 12
      No data for type CALL
      No data for type VPDN-TUNNEL
      No data for type VPDN-TUNNEL-LINK
    Debg: No data available
    Radi: 2032F58
    Interface:
      TTY Num = -1
      Stop Received = 0
      Byte/Packet Counts till Call Start:
        Start Bytes In = 993533200     Start Bytes Out = 3867849339
        Start Paks  In = 23586534      Start Paks  Out = 28511761
      Byte/Packet Counts till Service Up:
        Pre Bytes In = 993539419     Pre Bytes Out = 3867856344
        Pre Paks  In = 23586593      Pre Paks  Out = 28511812
      Cumulative Byte/Packet Counts :
        Bytes In = 1112561235    Bytes Out = 3160900227
        Paks  In = 69526526      Paks  Out = 75491430
      StartTime = 16:22:18 GMT+5 Jan 23 2012
      AuthenTime = 16:22:19 GMT+5 Jan 23 2012
      Component = DOT1X
    Authen: service=8021X type=EAP method=RADIUS
    Kerb: No data available
    Meth: No data available
    PreA: No data available
    General:
      Unique Id = 000088A0
      Session Id = 000088AF
      Attribute List:
        0244DB94 0 00000001 port-type(174) 4 Ethernet
        0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
        0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
        0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
    PerU: No data available
    PS. I have no "show authentication" command.
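The output above is long enough that the second record for the same login is easy to overlook once more ports are involved. The following Python script is an added example, not part of the thread: it parses a constructed excerpt in the same `show aaa user all` format (the two FastEthernet0/48 records reuse the ids and MAC printed above; the "jdoe" record on FastEthernet0/12 with MAC 00-11-22-33-44-55 is made up to represent a healthy port) and reports every port that carries more than one session for the same login and MAC, which is the stuck-session condition the poster describes.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "show aaa user all" output in the post.
# Block 3 (user "jdoe", FastEthernet0/12, MAC 00-11-22-33-44-55) is invented
# so that the check has a healthy single-session port to leave alone.
SAMPLE_OUTPUT = """\
Unique id 34974 is currently in use.
Accounting:
  NET: Username=(n/a)
    Session Id=000088AD Unique Id=0000889E
  8: Username=157102
    Session Id=000088AD Unique Id=0000889E
    Attribute list:
      0244DBBC 0 00000009 audit-session-id(599) 24 0AC5010200001C45A5C67429
General:
  Attribute List:
    024A8C10 0 00000001 port-type(174) 4 Ethernet
    024A8C24 0 00000009 interface(170) 16 FastEthernet0/48
    024A8C38 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    024A8C4C 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
Unique id 34976 is currently in use.
Accounting:
  NET: Username=(n/a)
    Session Id=000088AF Unique Id=000088A0
  8: Username=157102
    Session Id=000088AF Unique Id=000088A0
    Attribute list:
      024CAA28 0 00000009 audit-session-id(599) 24 0AC5010200001C49A5C6990F
General:
  Attribute List:
    0244DB94 0 00000001 port-type(174) 4 Ethernet
    0244DBA8 0 00000009 interface(170) 16 FastEthernet0/48
    0244DBBC 0 00000009 dnis(50) 17 00-18-B9-F5-5B-30
    0244DBD0 0 00000009 clid(37) 17 48-5B-39-EA-26-7C
Unique id 35002 is currently in use.
Accounting:
  8: Username=jdoe
    Session Id=000088C1 Unique Id=000088B2
General:
  Attribute List:
    024A8C10 0 00000001 port-type(174) 4 Ethernet
    024A8C24 0 00000009 interface(170) 16 FastEthernet0/12
    024A8C4C 0 00000009 clid(37) 17 00-11-22-33-44-55
"""

BLOCK_RE = re.compile(r"^Unique id (\d+) is currently in use\.", re.M)
# Assumption from the output above: the dot1x accounting record is the one
# numbered "8: Username=..."; the NET record carries Username=(n/a).
USER_RE = re.compile(r"^\s*\d+: Username=(\S+)", re.M)
# e.g. "024A8C24 0 00000009 interface(170) 16 FastEthernet0/48"
ATTR_RE = re.compile(r"^\s*[0-9A-F]+ \d+ [0-9A-F]+ ([\w-]+)\((\d+)\) \d+ (.+)$", re.M)


def parse_sessions(text):
    """Split the output into per-unique-id records and extract the fields that
    identify a dot1x session: username, port, MAC (clid) and audit session id."""
    sessions = []
    starts = list(BLOCK_RE.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        chunk = text[m.start():end]
        user = USER_RE.search(chunk)
        attrs = {name: value.strip() for name, _num, value in ATTR_RE.findall(chunk)}
        sessions.append({
            "unique_id": int(m.group(1)),
            "username": user.group(1) if user else None,
            "interface": attrs.get("interface"),
            "mac": attrs.get("clid"),
            "audit_session_id": attrs.get("audit-session-id"),
        })
    return sessions


def find_duplicate_sessions(sessions):
    """Return {(interface, mac, username): [unique ids]} for each port that
    carries more than one session for the same login and MAC."""
    groups = defaultdict(list)
    for s in sessions:
        if s["username"] is None:
            continue  # no authenticated login in this record, nothing to compare
        groups[(s["interface"], s["mac"], s["username"])].append(s["unique_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    dups = find_duplicate_sessions(parse_sessions(SAMPLE_OUTPUT))
    for (port, mac, user), ids in dups.items():
        print(f"{port}: {len(ids)} sessions for {user}/{mac}, unique ids {ids}")
```

To run it against a real switch, replace `SAMPLE_OUTPUT` with the full `show aaa user all` output (or read it from a file). The record numbering (`8:`) is taken from the output shown in this thread; another IOS train may label the dot1x record differently, in which case `USER_RE` needs adjusting.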

  • ISE 1.3 Why are Windows endpoints defaulting to 802.1x machine authentication in wireless profile and not User or User&Computer

    We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for HTTPS and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and, after entering credentials, can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of user authentication or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why the Windows devices are not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication. I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
    Thank you for any help or ideas,

    When connecting a Windows device to the ISE-enabled SSID when there is no saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1x computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
    On 1.2, this behavior was different. The Windows device would auto-select user authentication by default. At other customer sites, Windows devices auto-select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and be functional easily to begin with.

  • Multiple authentication sources with the same category

    Quote from portal help:
    "Multiple authentication sources can use the same category. However, because the prefix is prepended to the user and group names, you need to be certain that the domains involved do not have different users or groups with the same name. That is, if a LizaR user exists on one domain, and a LizaR user exists on another domain, they must be the same user because only one user will be created."
    Fine, let's say I am "certain that the domains involved do not have different users or groups with the same name".
    But there is another concern I have here. I want to know how the portal will RECOGNIZE which authentication source to use.
    Let's say I have 2 auth sources, AS1 and AS2, with the same category MyAuth. AS1 uses WS1 to authenticate against LDAP1 and AS2 uses WS2 to authenticate against LDAP2.
    Now, I have a user, Dmitry. I am trying to log in to the portal and I selected AS1 to do the actual authentication. My question is how the portal will CHOOSE which auth source to use, because all the portal knows about me is <MyAuth\Dmitry>, which came from the portal login screen. Both auth sources match this pattern, so it seems like the portal may choose either of them.
    Does it mean that the portal will try to authenticate against AS1 and, if this attempt fails, then against AS2?
    I didn't find any explanation in the portal documentation.
    Thank you.
    Edited by Bryazgin at 12/12/2007 10:42 AM

    Yes, it seems you are right. As soon as the portal has found the CORRECT user there is no issue anymore, because the user is bound to the unique auth source that was actually used to create this user.
    I think my main confusion comes from the fact that having <Category> and <UserName> is not enough to UNIQUELY identify a user in the portal, as soon as <Category> can be the SAME for different auth sources.
    Let's say you have a user created by AS1. According to the API, this user created by AS1 will have 4 different names, like sUniqueName, sAuthenticationName, sLoginName and sDisplayName. But the portal is going to search for the user in the portal database BASED on the information that is available in the login form: <Category> and <User Name>. At this point the portal has no idea about sUniqueName and all those things.
    Now if there were 2 users in the database that had been created by 2 different auth sources with the same <Category> and <User Name>, then I don't understand how the portal will figure out which user to choose. I guess the <Category> value somehow MUST participate in the sUniqueName value. <Category> has to be involved in the process of finding the user in the database. In this scenario 2 users will be retrieved from the database and, what is important, these 2 users are different: they have been created by different auth sources. Now the question becomes which user is the CORRECT one?
    Edited by Bryazgin at 12/12/2007 1:34 PM
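To make the ambiguity in this exchange concrete, here is an added Python model (not the portal's API and not code from the thread; the field layout and the assumption that sUniqueName embeds the auth source are mine) of two auth sources sharing one category. It shows that the category and login name available on the login form select two different users, that the auth source chosen at login is what disambiguates them, and it includes an audit helper for the precondition quoted from the portal help: no two sources with the same category may contain the same user name.

```python
from collections import defaultdict
from dataclasses import dataclass


# Constructed model of the portal user object. The names sUniqueName and
# sLoginName come from the thread; embedding the auth source in the unique
# name is an assumption made so that unique names never collide.
@dataclass(frozen=True)
class PortalUser:
    category: str      # prefix shared by one or more auth sources
    auth_source: str   # auth source that created the user, e.g. "AS1"
    login_name: str    # sLoginName, what the user types on the login form
    unique_name: str   # sUniqueName, assumed to include the auth source


def make_user(category, auth_source, login_name):
    return PortalUser(category, auth_source, login_name,
                      unique_name=f"{category}\\{auth_source}\\{login_name}")


def find_by_login(users, category, login_name):
    """What the login form alone can identify: <Category> and <User Name>."""
    return [u for u in users if u.category == category and u.login_name == login_name]


def resolve_login(users, category, login_name, selected_source):
    """Disambiguate the candidates with the auth source selected on the login
    screen; exactly one user must be bound to that source."""
    candidates = find_by_login(users, category, login_name)
    matches = [u for u in candidates if u.auth_source == selected_source]
    if len(matches) != 1:
        raise LookupError(
            f"{len(matches)} users match {category}\\{login_name} via {selected_source}")
    return matches[0]


def category_collisions(users):
    """Audit check for the precondition quoted from the portal help: report every
    (category, login name) pair that exists in more than one auth source."""
    sources = defaultdict(set)
    for u in users:
        sources[(u.category, u.login_name)].add(u.auth_source)
    return {key: sorted(srcs) for key, srcs in sources.items() if len(srcs) > 1}


# Constructed directory: "Dmitry" exists in both LDAP1 (via AS1) and LDAP2
# (via AS2), which is exactly the situation the help text says must not occur.
USERS = [
    make_user("MyAuth", "AS1", "Dmitry"),
    make_user("MyAuth", "AS2", "Dmitry"),
    make_user("MyAuth", "AS2", "LizaR"),
]

if __name__ == "__main__":
    print("candidates for MyAuth\\Dmitry:", [u.unique_name for u in find_by_login(USERS, "MyAuth", "Dmitry")])
    print("resolved with AS1 selected:", resolve_login(USERS, "MyAuth", "Dmitry", "AS1").unique_name)
    print("collisions to fix before sharing a category:", category_collisions(USERS))
```

Running `category_collisions` over an export of both directories before assigning them the same category is the practical takeaway: an empty result means the "must be the same user" condition from the help text holds.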

  • How to get rid of 802.1x 'Default Authentication'?

    Hi All,
    Every time I close my MBP's lid, put it to sleep, or simply turn it on... my Wi-Fi is no longer connected.
    This all started ever since I decided to 'Turn Off Wifi' for the very first time since I got my MBP this year, 2011, in June.
    Whenever I do any of the above (put the MBP to sleep etc.) and then get back to working, Safari says I'm not connected to the internet.
    And I see my Wi-Fi signal "blinking" and trying to connect. So I go to my Network preferences and see this:
    There's that '802.1X: Default Authenticating' that appears below my wireless network's name.
    After which I have to Disconnect twice: once before it tries to "authenticate" again, and then a second time, and then it stops completely.
    Then I have to proceed to click and choose my network again and re-enter my password just to get the Airport/Wi-Fi working again.
    Someone please give me a solution to get my Wi-Fi to automatically connect whenever I switch on my MBP, and to get rid of this annoying 802.1X which does nothing and just continues to try and "authenticate" with no result.
    It would be very, very much appreciated! Thank you!
    PS. I did read somewhere online about 802.11g newer wireless network cards and how they may have issues with an 802.1x network etc.
    Don't really understand it though. Please explain if you could. Cheers

    Realized that OS X Lion has re-prioritized my Wi-Fi to the bottom of the list.
    What I had to do was place it in first priority again in Network settings.
    Quite a disappointment from OS X Lion, since in OS X Snow Leopard that was the default setting, and certainly a hassle for newbie Mac users like myself who may be clueless when faced with these "issues".
    Also attached above is the picture that for some strange reason disappeared in the original post..

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi, I am facing an authentication issue with ACS 5.2. Below is the AAA flow (EAP-TLS):
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS it worked, but we didn't do the migration as there would be changes from the ADs.
    Now my customer wants the ACS migration by creating a new group in AD; I also updated the ACS config.
    For a user from the old group, authentication is OK.
    For a user from the new group, authentication fails with a "subject not found" error, showing the user is from the old group.
    It seems like ACS is querying old records (its own cache or database). I already restarted the ACS but still get the same error.
    Can anyone advise on how to troubleshoot the issue?
    Note: My customer can only access their local ADs (trusted by the Global ADs). The local ADs and ACS are in the same network, so ACS should go to the local AD first.
    How can we check or make sure of it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries DNS with the domain in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change to this behavior.
    It should be possible to define which DCs to contact and/or make ACS interpret the DNS Resource Records registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
    Conditions:
    Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact in an AD Domain.
    Hope this clarifies it.
    Regards.
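The bug note contrasts two behaviours: ACS 5.0/5.1 enumerating every DC that DNS returns and failing the whole domain if a single one is unreachable, and the requested ability to choose which DCs to contact. The Python below is an added example (not ACS code and not from the thread) that orders a constructed SRV answer the way RFC 2782 prescribes and then evaluates both policies against a constructed reachability table. `example.org`, the host names, the weights and the reachability values are placeholders.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answer standing in for the record set a domain member
# resolves to locate DCs (_ldap._tcp.dc._msdcs.<domain>). Placeholders only.
DC_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.org"),
    SrvRecord(0, 100, 389, "dc2.example.org"),
    SrvRecord(10, 50, 389, "dc-remote.branch.example.org"),  # behind a firewall
]

# Constructed reachability results, as a TCP connect to each LDAP port would give.
REACHABLE = {
    "dc1.example.org": True,
    "dc2.example.org": True,
    "dc-remote.branch.example.org": False,
}


def order_srv(records, seed=None):
    """Order SRV targets per RFC 2782: lowest priority value first; within one
    priority, weighted random selection, with weight-0 records placed first."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        bucket.sort(key=lambda r: r.weight != 0)  # weight 0 sorts to the front
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def domain_status(records, reachable, allowed_dcs=None):
    """Evaluate the domain connection two ways.
    allowed_dcs=None models the ACS 5.0/5.1 behaviour the bug describes: every
    DC returned by DNS must answer or the domain is marked failed.
    A set of allowed DC names models the requested enhancement: only the
    operator-chosen DCs are contacted, so an unreachable branch DC is ignored.
    Returns (domain_ok, {dc: reachable}) covering only the DCs actually tried."""
    targets = [r.target for r in order_srv(records, seed=0)]
    if allowed_dcs is not None:
        targets = [t for t in targets if t in allowed_dcs]
    tried = {t: reachable.get(t, False) for t in targets}
    return bool(tried) and all(tried.values()), tried


if __name__ == "__main__":
    print("contact all DCs   :", domain_status(DC_RECORDS, REACHABLE))
    print("allowed DCs only  :", domain_status(DC_RECORDS, REACHABLE,
                                               allowed_dcs={"dc1.example.org", "dc2.example.org"}))
```

A live check would obtain the records by resolving the `_ldap._tcp.dc._msdcs.<domain>` SRV name and replace `REACHABLE` with a real connect to each target's port; the ordering and the two evaluation policies stay as written.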

  • Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010

    Hi
    My company has implemented 802.1x wired authentication; we use GPO to specify a wired profile that uses a COMPUTER certificate.
    We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
    This issue only occurs intermittently, but it has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
    I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995, KB2769121), but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the issue still occurs.

    Hi,
    From the description, you suspect the DHCP request causes this issue. Would you please send us the packets, since it seems that you have looked into the traffic and found some clues?
    Meanwhile, I found the following hotfix which may be related to this issue.
    No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
    Next Action Plan:
    1.Clean Boot
    a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
    b. In the Startup tab, click the "Disable All" button.
    c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
    ======================================================
    Clean Boot + binary search
    In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
    You can enable half of all the services in the Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search until we find out the root cause. Please let me know if this action plan is OK for you.
    2.Collect etl trace on the problematic client.
    netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
    ****Try to reproduce this issue****
    netsh trace stop
    Please send the net.etl to us for underlying analysis.
    For any concerns, please let us know.
    Best regards,
    Steven Song
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • 802.1x port authentication and Windows Radius, possible?

    Hello,
    I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? You see, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
    Thanks

    Andy:
    Yes, of course you can use whatever RADIUS server as an AAA server for 802.1x authentication on the switches: NPS, IAS, ACS, Open RADIUS, etc.
    If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or on Google to help yourself.
    See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • 802.1x and Authentication Methods

    Hi,
    I have ACS 5.2, Cisco 4507 switches and an AD domain environment.
    I am planning on performing only machine authentication and not user authentication.
    I have the following types of devices:
    1. Windows XP SP3 and higher on the AD domain
    2. Devices to be installed with third-party supplicants, as they natively don't support 802.1x.
    If I ignore device type 2 and only consider device type 1, am I able to simply configure 802.1x for authentication based on the machine against AD, without having to use any certificates at all?
    Taking device type 2 into account, given the devices are not on the domain and I don't want to manually enter details into ACS, will I need to use certificates for authentication?
    Thanks

    Hi,
    > Using PEAP wouldn't I need certificate installed on the ACS? Or can it work without any certificate at all.
    [ANS] Yes, you always need a certificate on the ACS, but it can be a self-signed certificate that you can create with 2 clicks on the ACS itself. On the client machines you only have to make sure that you have the supplicant configured to not "Validate server certificate", so that you do not have any further complication with certs.
    > I was thinking, for devices that are not on the domain, to load a certificate on the machine.
    If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
    [ANS] Yes, you can. Non-domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the devices' certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate; the ACS simply checks the CA that issued the cert and, if it is trusted, it will accept the authentication.
    In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Radius server for 802.1x port authentication

    Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a RADIUS server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
    Thanks

    Check connectivity between the PIX and the server.
    If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
    If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
    If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
    Ensure that the secret key is correct.
    Check the server logs for failed attempts. All servers have some kind of logging function.
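    An added example, not from this thread: a minimal RFC 2865 client that builds a RADIUS Access-Request (User-Password hiding with the shared secret), verifies the Response Authenticator of whatever comes back, and so separates the three failure modes listed above (no reachability or wrong port, wrong shared secret, server-side reject). The shared secret, username and NAS address are constructed values; `build_server_reply` exists only to produce offline test input.

    ```python
    import hashlib, hmac, os, socket, struct

    def _tlv(attr_type: int, value: bytes) -> bytes:
        """Encode one RADIUS attribute as Type, Length, Value."""
        return struct.pack("!BB", attr_type, len(value) + 2) + value

    def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
        """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
        padded = password + b"\x00" * (-len(password) % 16)
        out, prev = b"", authenticator
        for i in range(0, len(padded), 16):
            pad = hashlib.md5(secret + prev).digest()
            prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))  # chain on ciphertext
            out += prev
        return out

    def build_access_request(ident: int, secret: bytes, username: bytes, password: bytes,
                             authenticator: bytes) -> bytes:
        """Code 1 Access-Request carrying User-Name(1), User-Password(2), NAS-IP-Address(4)."""
        attrs = (_tlv(1, username) + _tlv(2, hide_password(password, secret, authenticator))
                 + _tlv(4, socket.inet_aton("192.0.2.10")))  # constructed NAS address
        return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

    def build_server_reply(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
        """What a correctly keyed server sends back; used here to produce offline test input."""
        header = struct.pack("!BBH", code, ident, 20)
        return header + hashlib.md5(header + request_auth + secret).digest()

    def response_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
        """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
        length = struct.unpack("!H", reply[2:4])[0] if len(reply) >= 20 else 0
        if not 20 <= length <= len(reply):
            return False
        expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
        return hmac.compare_digest(expected, reply[4:20])

    def probe_radius(host: str, port: int, secret: bytes, user: bytes, pw: bytes, timeout=5.0) -> str:
        """Send one request (UDP 1645 legacy or 1812 RFC) and classify what came back."""
        ident, req_auth = os.urandom(1)[0], os.urandom(16)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_access_request(ident, secret, user, pw, req_auth), (host, port))
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                return "no reply: check reachability, the aaa-server if_name, and 1645 vs 1812"
        if len(reply) < 20 or reply[1] != ident or not response_is_authentic(reply, req_auth, secret):
            return "id or authenticator mismatch: shared secret differs on one side"
        return {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}.get(reply[0], "other")
    ```

    Run `probe_radius("radius.example", 1645, b"<secret>", b"testuser", b"<password>")` and then again on 1812 to tell a port mismatch from a secret mismatch; an Access-Reject that verifies means the server was reached with the right secret and the failure is in its policy or logs.
    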

  • 802.1X Port Authentication\ACS Question

    Hello,
    I'm troubleshooting a 3560 port authentication issue. From what I was told by other members of my team, when we upgraded to Windows 7 at this site authentication no longer works. I compared an old config to a recent one and noticed there was no command dot1x system-auth-control.
    I have only been dealing with 802.1x for a short time and my other configs have this command. My question is: without this command, could there still have been port authentication working? On an interface, for example, they do have the following, which is in line with my other configs. FYI, I didn't set this site up and it has the rest of the config correct, like radius and aaa.  When I went onsite to test I shut down the service on my laptop for 802.1x, which should have blocked me, so I thought. When I checked the ACS server for the log it showed my username and my correct IP address along with the correct switch, but it showed I connected using PAP_ASCII. I'm not sure how this protocol got used since we don't use that.  Thanks for any suggestions you might have.
    dot1x pae authenticator
    dot1x port-control auto
    dot1x host-mode multi-host
    dot1x violation-mode protect
    dot1x reauthentication
    aaa new-model
    aaa authentication password-prompt PASSCODE---->
    aaa authentication login default group radius local
    aaa authorization exec default group radius local
    aaa session-id common

    I have a little more to add. I was looking in the ACS and did find PAP_ASCII checked, so at my home office, which I know port security to be working at, at least that's what I thought, I turned off wired auto config and could still get on, and when I looked at the ACS logs I saw my name with this protocol again. Not sure how this got turned on, but my question becomes: if 802.1x is set up on the switch but ACS allows this protocol and my laptop isn't running any 802.1x settings, I can still get on the network. Is this the correct behavior for this setup?
    Thanks,

  • 802.1X Inaccessible Authentication Bypass

    On a 4506-E switch with supervisor engine 6L-E running IOS version 12.2(54)SG1, the command to enable Inaccessible Authentication Bypass is not available.  The interface configuration mode command is supposed to be "dot1x critical".
    Has it changed to something else in this version of IOS?
    The data sheet for the Cisco Catalyst 4500 Supervisor Engine 6L-E shows this feature is supported (see link below).
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps4324/data_sheet_c78-530856.html

    Hello Prashant,
    Can you post the port configurations here? Have you configured the critical port, radius parameters etc., and does the switch recognize that the radius server is down?
    I think this is more to do with the design of the entire dot1x authentication.. I have tried this in labs and have had tough times generating these scenarios.. we would hardly be able to justify this feature on the network. I think it is highly advisable to have dual radius servers (or even more than 2), and configure the switches with standby radius servers.. I really wouldn't want my network enabled with 802.1x and having issues contacting the radius server.. even though we have options and solutions to overcome it, I wouldn't want too many complications on the 802.1x front..
    Hope this helps.. all the best.. rate replies if found useful..
    Raj

  • 802.1x wired authentication via PEAP, MD5

    Hi everyone,
    Thank you for taking the time to read this. I am implementing a security solution and wanted to take the benefit of implementing 802.1x over wire. I have been searching a bit but there is not much info from start to finish on how to implement this solution.
    I would really appreciate it if someone could point me somewhere to find detailed instructions on how to do this, as so far I have been configuring it in multiple ways but with no result out of it. Still an orange port color on my switch, which means the first hop of security works but the next doesn't.
    Thank you in advance for reading this.

    Hi,
    According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
    Some articles and just for your reference:
    802.1X Authenticated Wired Access Overview
    https://technet.microsoft.com/en-us/library/hh831831.aspx
    802.1X Authenticated Wired Access Design Guide
    https://technet.microsoft.com/library/dd378864(WS.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Best Regards,
    Eve Wang
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
