802.1x on wired LAN with ACS 4.2

Hi all,
            I am trying to get 802.1x fully working in our LAN. I got it working in a lab test for all the PCs, but we are using IP phones which are not Cisco and do not support 802.1x authentication. I wanted to use MAC bypass for these phones; however, it seems the 2950T with the EI image does not have the mab and pae commands under the interface configuration! I did upgrade the IOS from c2950-i6q4l2-mz.121-22.EA6.bin to c2950-i6q4l2-mz.121-22.EA12.bin with no LUCK!
And I want to deny access to the switch port behind these phones, as I already have two cable drops for each office and cubicle. The only way that I can block these ports is to use port-security, hardcode the MAC of each phone and set mac-max=1. To reduce IT intervention, I don't want to go down this road. Is there a way to accomplish that?
Thanks,
---Jean Paul


Similar Messages

  • How to access 802.1x authentication wired nework with digital certificate?

    How can I access an 802.1x-authenticated wired network with a digital certificate?
    I can access the network in Windows with the following configuration:
    BUT on my Lion machine, I had imported the digital certificate. When I connected to the network, I was prompted:
    Enter the name and password for this 802.1X network
    I did not get the opportunity to select my digital certificate. But my colleague can.
    iPhone Configuration Utility seemed to provide a wireless 802.1X authentication configuration file. In my work environment most people use Windows, and there isn't a Lion server to provide a configuration file.

    Dear Rune,
    Thank you for reaching Small Business Support Community.
    If you have already followed the 802.1X Supplicant configuration described on page 112, chapter 6, of the admin guide:
    http://www.cisco.com/en/US/docs/wireless/access_point/csbap/wap121/administration/guide/WAP121_321_AG_en.pdf
    All I can suggest is to make sure you are running the latest firmware release, version 1.0.4.2:
    http://software.cisco.com/download/release.html?mdfid=284152656&flowid=32563&softwareid=282463166&release=1.0.4.2&relind=AVAILABLE&rellifecycle=&reltype=latest
    And then contact the Small Business Support Center to have a TAC engineer figure this out:
    https://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
    Please do not hesitate to reach me again if there is anything I may assist you with in the meantime.
    Kind regards,
    Jeffrey Rodriguez S. .:|:.:|:.
    Cisco Customer Support Engineer
    *Please rate the post so others will know when an answer has been found.

  • 802.1x EAP-TLS for wired users with ACS 5.5

    Hi All,
    We are configuring a new setup for wired user authentication with 802.1x (EAP-TLS). We are using ACS 5.5 as the authentication server.
    We have added the root CA (internal) certificate and the certificate for ACS signed by the CA. Now we want to check whether authentication is working. I expect both the root CA and identity certificates also need to be installed on the laptops, but I am not sure how to download the certificates for the client machines manually from the CA.
    Kindly suggest how to get certificates for clients, both manually and automatically.
    Thanks,
    Vijay

    Hi Vijay,
       For wired 802.1x (EAP-TLS) you need to have the following certificates:
    On ACS: Root CA, Intermediate CA, Server Certificate
    On Client: Root CA, Intermediate CA, User certificate (in case of user authentication) OR Machine certificate (in case of machine authentication)
     I am not sure which third-party certificate server you are using. If it is an in-house Microsoft or any other certificate server, then you need to download the client certificate from that server itself.
    In the case of Microsoft, there will be a template for user certificates. You can select it and create a user certificate.
    This one is an old document, but it has steps to configure a machine certificate for the user. You can see the steps to download a user certificate if it is a Microsoft server:
    http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/43722-acs-eap.html#wc-2
    If you are using a third-party certificate server, then you need to check with them on how to download the user certificate.
    Cheers
    Minakshi (rate the helpful post)

  • Extending a wired LAN with Airport Express &  Sharing Printer

    Hello.
    I currently have a wired network consisting of two G5s behind a router, which is connected to the internet via an ADSL modem. Neither of the G5s has an AirPort card.
    I want to extend the network wirelessly for two iBooks to share the existing ADSL connection. Can I do this simply by plugging an AirPort Express into one of the free LAN ports on my existing router? Wouldn't this cause problems with DHCP and any port forwarding I have set up on the router?
    I also have a USB printer (HP LaserJet 1300) which is currently connected to one of the G5s because the router doesn't have a printer port. After extending my network wirelessly as described above, if I plugged the printer into the USB port on the AirPort Express, would the two G5s be able to print to it? Would I have to use IP printing?
    Thanks in advance for any advice.
    Dual G5 1.8GHz   Mac OS X (10.4.4)  

    Can this be done?
    Yes, if you have an AirPort Express 802.11"n" and you configure it to "Join a wireless network", then you can select the option to "Enable Ethernet Clients", which will activate the Ethernet port.
    The Express "n" can join virtually any wireless network if you know the exact type of wireless security that the main router is using.
    If you are not sure which model of Express you have, look on the side of the device in the faint print for the Model No. You need to see A1264 there.
    "this network cannot be extended".
    The Express can only "extend a wireless network" if the main network is provided by an Apple "n" wireless router. Do you have an Apple router or another brand?

  • 802.1x on wired LAN

    Hi there
    I implemented a wired 802.1x-authenticated network. I only use machine (computer) certificates to authenticate the workstations. Automatic Certificate Enrollment is installed in the Windows 2003 domain. I was wondering what will happen after one year. Right then the certificate is not valid anymore. The Auth-Fail VLAN or Guest VLAN is an Internet-only VLAN on the firewall.
    When users power on their computers the next morning, access will be rejected. Is it possible to do an automatic certificate renewal a few days before the validity of the certificate expires?
    Regards
    Remco

    Your certificate template will have a "renewal period" (for example, 6 weeks). Then, 6 weeks (or whatever the renewal period is) before the certificate is supposed to expire, the workstation will automatically attempt to renew its certificate. As long as the workstation is connected to the domain and has access to the CA at some point during that period, it can update its certificate and hence will not fail authentication.
    Hope that helps.
    Shelly

  • How can I get my wired LAN to share my iMac's wireless internet connection

    Hi. (Sorry for the long-winded posting below. I really struggled to explain what I'm trying to do, but would really appreciate any help from people who can recognise what I'm aiming for!)
    I've seen several postings about sharing an internet connection, but none (I think) which solve my problem.
    I have a wired LAN with 3 Macs connected to a router, and the router to a cable modem and the internet. All working fine. All Macs have internet access.
    I'm considering ditching my broadband provider, and so I'm looking for a replacement configuration, at least for the short term.
    So, I'd like to change the arrangement, connecting one of the Macs to the internet (through a local free WiFi hotspot) using its AirPort card (that bit is done) and enable the other two Macs to share that connection via the router.
    I've turned Internet Sharing on, and share the connection from Built-in Ethernet, on the internet-connected Mac. But whatever
    Has anyone got this setup working?
    PB
    Intel iMac 4,1 (early 2006)   Mac OS X (10.4.8)   1Gb SDRAM, 2GHz

    You can share a connection through the router or you can share a connection from the Mac via Internet Sharing, but you can't share an already shared connection.

  • Wired LAN for Canon MP620

    I have had mixed success, once I upgraded my MacBook Pro 17" Core Duo to Snow Leopard, with my Canon MP620 in my office. In Leopard, it was set up on the wired LAN, with a cable running from my AirPort Extreme Base Station to my printer. Scanning was nice and speedy.
    All I can seem to do now is get it set up wirelessly, and the scanning is way too slow.
    What is the proper way to set up a wired LAN with AirPort Extreme?
    I have gone so far as to get the printer on the same IP settings as my Mac.
    Mac IP is 192.168.1.55 Printer IP is 192.168.1.70
    Mac Subnet Mask is 255.255.255.0 Printer Subnet Mask is the same
    Mac Router setting is 192.168.1.1 Printer Router Setting is the same
    On the Printer, it is set to Wired LAN, and the wired LAN settings are all reading correctly.
    I can print as long as I keep the USB connected to the printer. As soon as I try to remove it, it shows up as "offline".

    When you have the printer connected via wired or wireless, you will have to add another print queue. The USB queue is purely for connecting from the Mac to the printer via USB, so this is why it shows offline when the USB is disconnected.
    To add the network printer on 10.6, you don't use the More Printers > Canon IJ Printer menu like you did with 10.5. Instead, you need to select the Default browser view and wait. The printer will eventually appear in the Default view with the Kind column showing 'canonijnetwork'. Note that you will probably see the scanner appear very quickly, because it uses a different protocol to advertise itself on the network.
    Note that the printer will only advertise itself on the network if the v10.26 driver is installed. The version 10.19 driver included with 10.6 does not work across the network. If you open the Options & Supplies button for the USB printer queue, it will show which version you are using under the General tab.
    Note also, if you have the Parallels VM application installed, this can stop the network printer from appearing in the Default browser view.
    HTH
    Pahu

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignment.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, could someone post the pros and cons of using RADIUS/ACS/802.1X for dynamic VLAN assignment?
    Other technology sets that can be used for dynamic VLAN assignment, EXCEPT the deprecated/obsolete VMPS.
    Thanks in advance.

    Hi Guys,
        Hmmm, well, if you're just looking for MAC-based authentication, the good news is that it is very easy. Just set up your RADIUS server (ACS, FreeRADIUS, Steel-Belted RADIUS, etc.). Then create a user with the MAC address as the name; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium-Type would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
       So for Cisco ACS 4.x you would create a user as specified above and fill in all the password boxes with the MAC address; I believe the MAC has to be all lower case in both the name and the password. Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
       Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
        FreeRADIUS is a bit harder to configure for the specifics, and I am just now testing a FreeRADIUS server, so I do not know the process for machine authentication.
        If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.

  • 802.1x with ACS and Windows AD

    Hi
    I'm trying to set up 802.1x with ACS 5.2 but am struggling as it's very different to ACS 4.2.
    I have joined the ACS to the domain and think I have set up the External Identity Store; however, when I try to authenticate a PC using authentication method 'PEAP (EAP-MSCHAPv2)', I get failure reason '22056 Subject not found in the applicable identity store'.
    Marco

    Hi Marco,
    I guess you've missed a mapping configuration in the Access Policy section.
    Create an Access Service, name it AS-802.1x, select User Selected Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as the allowed protocol. Click Finish.
    You'll see the new service; click Identity.
    Select the identity source you've created, then save.
    Click on Authorization.
    Select a default authorization rule, Permit Access, and save.
    Create a Service Selection Rule and name it 802.1x.
    Select Protocol RADIUS as the condition and, as a compound condition, select RADIUS-IETF:Service-Type match Framed, then select the service you created before.
    Then you can try again.
    regards
    alex

  • 802.1x and Windows Domain Controller with ACS

    Wow, I am having a tough time getting my ACS and the domain controller to work with 802.1x PEAP. Can somebody explain to me how to set up the domain controller (Active Directory) to get a PEAP cert? Some other questions. If I am using PEAP and 802.1x, how does my computer get a cert from the CA if the port is disabled by 802.1x? And how do I set up my domain controller to work with ACS to authenticate users? I have been beating myself to death trying to figure this out. Any help would be awesome. I am really stuck trying to make this work.
    Thanks a ton in advance
    Justin

    I, as a Cisco customer, would like to see answers to our questions based on some real-world experience or something you've noticed in a lab environment.
    Simply posting links is not very helpful. The reason most of us come to this site and post our questions is because we already went to the Cisco website and found the explanation to be vague. In the future, please post answers to our questions instead of referring us to a link.
    Thank you,
    John...

  • WRT54G2 V1 wired authentication with 802.1X

    Hello, does this device support WIRED authentication with 802.1X and MD5-crypt? If not, will such a possibility be in the next firmware version? Thanks for your reply.

    Well, I am not sure if that will work or not. Maybe you can give it a try and check whether it works.

  • Sync with USB or UTP/wired-LAN?

    Hi,
    I'm seriously considering buying an Apple TV. Now, the only question concerns how the movies get synced to the Apple TV.
    I'm running a PC with WinXP and do not have wireless devices. I see that the Apple TV has a USB port and also an Ethernet port for a wired LAN. Can I connect the Apple TV to my PC via either the USB or the Ethernet port and then sync (or copy) the movies to the Apple TV?
    If not, then I may also need to buy a wireless adapter for my PC. It will be an additional cost.

    Can I connect the
    Apple TV to my PC via either the USB or the Ethernet
    port and then sync (or copy) the movies to Apple TV?
    Yes using Ethernet; no using USB.

  • 802.1x dynamic VLAN assignment with Radius NPS Server

    I can NOT get the NPS and Cisco 3550 switch to drop the authenticated user in a VLAN.
    I have followed this documentation,
    http://msdn.microsoft.com/en-us/library/dd314181(v=ws.10).aspx
    that basically says to use these Radius attributes,
    Tunnel-Medium-Type : 802
    Tunnel-Pvt-Group-ID  :  My_VLAN_Number  (also tried VLAN name)
    Tunnel-Type  : VLAN
    There is some Cisco documentation that says to use Vendor Specific attributes Cisco-AV-Pair,
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_19_ea1/configuration/guide/2950scg/swauthen.html#wpxref83693
    and I have also tried that,
    cisco-avpair= "tunnel-type(#64)=VLAN(13)"
    cisco-avpair= "tunnel-medium-type(#65)=802 media(6)"
    cisco-avpair= "tunnel-private-group-ID(#81)=vlanid"
    My user authenticates on the port fine, but doesn't get put into a VLAN. If I add "sw acc vlan 110" then the user authenticates and does get an IP address in that VLAN and all is well.
    Anybody know how to get dynamic VLAN assignment working with NPS?
    NPS on Win 2012 R2
    Domain controller separate Win 2012 R2 server
    Cisco 3550 switch
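    Two threads above describe the same RADIUS machinery from different ends: the reply in the dynamic VLAN thread explains the MAB convention (a user whose name and password are both the lowercase MAC) and the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-ID triple, and the NPS post lists the attribute values it tried without getting a VLAN assigned. The block below is an added example written for this page, not code from any poster, Cisco or Microsoft. It builds the Access-Request a switch would send for a MAB endpoint, hides the password the way RFC 2865 requires, builds the Access-Accept carrying the VLAN triple, and decodes that reply the way a switch does, including the RFC 2868 tag-byte rule that decides whether a leading byte of Tunnel-Private-Group-ID is a tag or the first character of the VLAN value. The shared secret, MAC addresses and VLAN values are made up; the Service-Type Call-Check value is what Cisco IOS uses to mark MAB requests, and is an assumption of this example rather than something the thread states. Standard library only.

```python
import hashlib
import os
import struct

# Attribute type codes from RFC 2865 and RFC 2868.
USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13         # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6    # Tunnel-Medium-Type = IEEE-802
SERVICE_TYPE_CALL_CHECK = 10  # assumed: how Cisco IOS tags MAB requests
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2


def mab_identity(mac: str) -> str:
    """Normalise any common MAC notation to the 12 lowercase hex digits used as User-Name and password."""
    digits = "".join(ch for ch in mac.lower() if ch not in ".:-")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def encrypt_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of the above; strips the zero padding (MAB passwords are ASCII hex, so that is safe)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tagged_int(atype: int, value: int, tag: int = 0) -> bytes:
    """Tunnel-Type / Tunnel-Medium-Type: one Tag byte then a 3-byte integer (RFC 2868)."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(atype: int, text: str, tag: int = 0) -> bytes:
    """Tunnel-Private-Group-ID: Tag byte (0x00-0x1F) then the VLAN name or number as text."""
    return attr(atype, bytes([tag]) + text.encode("ascii"))


def parse_attributes(payload: bytes) -> list:
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload) or payload[i + 1] < 2 or i + payload[i + 1] > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((payload[i], payload[i + 2:i + payload[i + 1]]))
        i += payload[i + 1]
    return attrs


def vlan_assignment(attrs: list) -> dict:
    """Read the triple as a switch does; {} means the port keeps its configured VLAN."""
    found = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868 3.6: a first byte above 0x1F is data, not a tag, so "10" survives untagged.
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            found[atype] = (tag, text.decode("ascii", "replace"))
    if set(found) != {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}:
        return {}
    if found[TUNNEL_TYPE][1] != TUNNEL_TYPE_VLAN or found[TUNNEL_MEDIUM_TYPE][1] != TUNNEL_MEDIUM_IEEE_802:
        return {}
    tags = {v[0] for v in found.values()}
    if len(tags) != 1:          # differing tags describe different tunnels, not one VLAN
        return {}
    return {"tag": tags.pop(), "vlan": found[TUNNEL_PRIVATE_GROUP_ID][1]}


def mab_access_request(mac: str, secret: bytes, ident: int = 1, authenticator: bytes = None) -> bytes:
    """What a switch sends for a MAB endpoint: User-Name and User-Password are both the MAC."""
    authenticator = authenticator or os.urandom(16)
    identity = mab_identity(mac).encode()
    attrs = (attr(USER_NAME, identity)
             + attr(USER_PASSWORD, encrypt_user_password(identity, secret, authenticator))
             + attr(SERVICE_TYPE, SERVICE_TYPE_CALL_CHECK.to_bytes(4, "big")))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def vlan_access_accept(request: bytes, secret: bytes, vlan: str, tag: int = 0) -> bytes:
    """Server reply with the VLAN triple; Response Authenticator per RFC 2865 section 3."""
    attrs = (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
             + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
             + tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def decode_accept(packet: bytes, request: bytes, secret: bytes) -> dict:
    """Check the Response Authenticator before trusting any VLAN the reply carries."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if hashlib.md5(head + request[4:20] + attrs + secret).digest() != resp_auth:
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    return vlan_assignment(parse_attributes(attrs))
```

    Run `vlan_assignment(parse_attributes(...))` over the attribute bytes from a packet capture of your own server's Access-Accept to see exactly what the switch is being handed: whether all three attributes are present, whether their tags agree, and whether the group ID arrives as a name or a number. The thread's reply says the group ID is the VLAN name, the NPS post tried both name and number, so this decode is the quickest way to tell which form a given server is actually emitting before changing switch-side configuration.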

    Hi All, can anyone guide me to configure 802.1x with ACS 5.0? It's a totally new look and I'm not able to find documentation related to 802.1x. Thanks
    Hi,
    Check out the link below on how to configure 802.1x and ACS administration; hope it helps!
    http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a00808abf2d.shtml#MDA
    Ganesh.H

  • H-REAP vs Local mode on LAN with a single WLC

    Hi
    I have a question about H-REAP vs Local mode on a LAN with a single WLC.
    We use EAP-TLS with Cisco ACS for authentication of wireless clients.
    Up until controller version 4.2 it was not possible to authenticate using 802.1x when an H-REAP AP went into standalone mode.
    Code above 4.2 can now support this. According to the documentation, all you need to do is configure the RADIUS IP addresses on the H-REAP AP.
    Usually I would use H-REAP with central authentication and local switching for APs that are separated from the WLC via a WAN link.
    However, a colleague has suggested that we could configure H-REAP (central authentication / local switching) APs at the same site as the controller. This would give us the advantage that if we lost the controller (we only have 1) then at least the APs could still authenticate users.
    I am trying to see the "cons" of this solution. I guess roaming would be affected when the APs went to standalone mode, as each roam would require complete re-authentication. But this is still better than a hard-down state. Are there any cons to this approach during normal operation (e.g. when the controller is up)?
    What about RRM limitations?
    I seem to recall that an H-REAP AP was unable to increase its power output to address coverage holes?
    Layer 3 roaming not supported on locally switched WLANs?
    I would appreciate any thoughts / feedback.
    Thanks,
    Andy

    My 2 cents :
    - I don't recall the H-REAP APs having any RRM limitations in recent code.
    - No layer 3 roaming when you are locally switching. If the APs are dropping traffic locally at their switchport, you can't tunnel through WLCs like you do when you usually do L3 roaming.
    - There are a number of features not supported when you do H-REAP. WGB is one of them, for example. Fancy features like DirectStream and others.
    - The best answer in your case would be to have a second WLC where the APs can fail over to. But I know it's not always possible.
    Nicolas

  • Unable to see Shared Folder / Drop Box on wired LAN

    I am unable to connect to another Mac on my wired LAN (Netgear wndr3700), and it is unable to connect to my machine. We cannot see each others’ Public Folder / Drop Box.
    We can see each others Macs in the Shared section of the Finder’s sidebar, but trying to connect fails: “The server … may not exist or it is unavailable at this time…”
    Both are running 10.6.4 Snow Leopard SL. No Windows machines on the LAN - so this should be AFP only.
    We can see and connect to another Mac running 10.4.11 Tiger with no problem. BUT it is unable to connect to either 10.6.4 machine.
    Firewall on both machines: On; File Sharing (AFP) set to "Allow incoming connections"; Stealth mode Enabled (toggling doesn't change anything); "Automatically allow signed software to receive incoming connections" is Off; "Block all incoming connections" is Off. Some other apps and services are set to Block (krb5kdc, nmbd, smbd...). AppleFileServer is set to Allow.
    Sharing: File Sharing Service only is On:
    Hard Drive - Everyone - Read & Write
    Users - Everyone - Read Only
    ~ (My Home Directory) - Everyone - Read Only
    Public - Everyone - Read & Write
    Drop Box - Everyone - Write only
    Thanks for any suggestions.

    It isn't directly related to the firewall. I'm having the same problem between two up-to-date machines, and to be sure, I have disabled the firewall on both. However, if I connect using the Connect to Server dialogue, I get through just fine. I believe it could be a DNS resolution problem.
    Strike that.
    Just tested: check in advanced network settings, and if you have any WINS servers listed, remove them.
    krb5kdc needs to be allowed to accept connections; for me it popped up in Little Snitch when it was authenticating.
