802.1x, PEAP, WinXP, and 3550 (Radius)

I have everything configured according to Cisco documentation, but I am getting two different errors in ACS's log.
For a user it says: External DB account Restriction
For a machine it says: EAP-TLS or PEAP authentication failed during SSL handshake
Does anyone have any idea what those mean? I can provide the 3550 debug logs as well if that will help.

I didn't understand your answer. I also face a similar problem like you; do you have any info on this?
Thanks,
Siddu
When "Authentication using computer", i.e. machine authentication, is selected in the Windows XP (SP1 or SP2) client, authentication is failing for EAP type Protected EAP (PEAP). The server log is showing "No password found in the request", indicating that during challenge/response the XP client is not sending a password in its response.
Since authentication will be done during computer boot-up, I don't understand how to store the machine password; I assume the machine will use the admin password by default.
In order to send the admin password during machine authentication, do I need to store admin credentials? If that is the case, where and how?
Other than this, do I need to do any other setup on the XP client and AAA server side?
Did anyone face a similar problem?

Similar Messages

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to set up wireless guest access, where the guests connect to an SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (a corporate AD user who prints the credentials) or through an SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • 802.1x port authentication and Windows Radius, possible?

    Hello,
    I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? See, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/Radius server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
    Thanks

    Andy:
    Yes, of course you can use whatever RADIUS server as an AAA server for 802.1x authentication on the switches: NPS, IAS, ACS, Open RADIUS, etc.
    If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or on Google to help yourself.
    See this link, it could be useful for you:  https://supportforums.cisco.com/thread/2090403
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot-test environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authentication is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What does the AAA tell for you the reason it fails?

  • 802.1x/EAP clarification and implementation

    Dear Sir,
    To set up LEAP authentication using ACS, the client needs a supplicant such as the ACU to run LEAP independent of the OS.
    The Cisco AP will be the carrier of the EAP messages between the client and the RADIUS server, sitting between the client and the server. I know for a fact that Cisco APs support LEAP, PEAP, EAP-TLS, EAP-MD5 and EAP-SIM. From my understanding, the EAP types mentioned earlier can be relayed to the RADIUS server (ACS); am I right?
    Does it mean that these messages are transparent from the AP's point of view? If I replace the Cisco AP with a third-party access point that claims to support 802.1x/EAP but never specifies the type of EAP protocol, can I still run LEAP with a third-party AP even though my client is Cisco and the RADIUS server is CSACS?
    What type of OS or supplicant supports EAP-MD5? I know that Windows XP and 2000 support an 802.1x driver, but what about the EAP protocols supported on XP and 2000?
    Thanks.
    Delon

    I think the following document will clear most of your doubts,
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008019fea2.shtml

  • Certificates to 802.1x LEAP ethernet and wireless clients

    Hello guys, I have just configured a RADIUS server, Active Directory domain controller and certificate server on one Windows 2003 PC. I have generated a self-signed digital certificate and used the certificate server to generate a root certificate from it. I have exported it as 'public key only' and saved it on the desktop of the RADIUS server.
    1) I configure the radius server policy to accept connections from wireless and Ethernet connections using 'PEAP'
    2) And that the user must supply a user name and password from active directory. Before entering the network.
    3) I am planning on using 802.1x port security ( config-if # dot1x port-security auto )on the switch connecting to the pc
    4) I am planning on pointing the switch to the server and the server to the switch. I will also configure the client network cards for PEAP.
    What I don't know is how will the client pc get this certificate that is on my radius server? Do they need to have a copy on their own machines for them to be able to communicate with the server? This is where I am lost
    Thanks

    Certificates are a matter of trust - if an entity trusts the root (your CA) of a user certificate, and the certificate itself has no other problems, then it automatically trusts the certificate. If your RADIUS server and user/machine certificates all came from the same root (your self-signed CA), and you put the root certificate (public key version) in the trusted list, then you are good to go.
    If you are using the Microsoft PKI services on your server (that is also your domain controller), then I'm pretty sure that your windows computers will automatically trust your root once the windows computers have been joined to your domain.
    Also - for PEAP on Windows computers, you can completely disable the client's verification of the (RADIUS) server certificate. It's great for testing, but I recommend deploying with server certificate validation enabled.
    Lastly - if you're building a lab, you may also want to investigate user and computer certificates and EAP-TLS. Windows CA with windows clients makes it very simple to deploy. Macintoshes are a pain, no matter what kind of CA you use.

  • 802.1x/PEAP over Ethernet

    I am trying to set up 802.1x PEAP in my home lab. I have:
    - a Windows 2003 Enterprise server with SP2 and latest patches running as Active Directory, DHCP, DNS, WINS. The AD domain name is LAB. The Windows 2003 server is also running Cisco ACS 4.0.1 with a self-signed certificate. I can log into the box at https://PEAP8021x:2002 so the cert works. I also configured the ACS so that it can also use AD accounts for authentication.
    - a Cisco Catalyst 2960 running IOS version flash:c2960-lanbase-mz.122-25.SEE2.bin. This version supports 802.1x.
    - a couple of Windows XP machines with Service Pack 2 and latest patches that will act as clients for the domain LAB.
    Everything is connected to the Catalyst 2960 switch via CAT-5 cables.
    I would like to accomplish something very simple. Before user(s) on WinXP can even access the domain LAB, the WinXP machine must be authenticated with Cisco ACS with username/password on the AD server so that the machine can be placed in the correct VLAN(s). If this is just a visitor and their machine is plugged into my network, authentication will fail and they will be put in a guest VLAN where the only connection they have will be access to the Internet and that will be it. All the information will be pushed out to the Catalyst from the Cisco ACS.
    Can someone help me out on how to get this done? Thanks.

    Hi,
    You would need to do the following:
    - Machine authentication with user authentication (this part is tricky on WinXP; you may get intermittent results)
    Something to help you:
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "SupplicantMode"=dword:00000003
    "AuthMode"=dword:00000001
    - Machine Access Restriction (MAR) (it's on ACS)
    - guest vlan or auth-fail-vlan
    Wired 802.1x:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml
    Configuring IEEE 802.1x Port-Based Authentication:
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/sw8021x.htm
    Regards,
    Prem

  • 802.1x peap mschap v2 with MAC Filter + IP Address Permanent

    Hi, my name is Ivan, and I have an issue.
    I have one Cisco WLC 5508 with IOS 7.4.100 with an SSID that is working with 802.1x PEAP MSCHAPv2 with MAC filter, and I need to configure, in the web page of the WLC under Security > Mac Filter, a MAC and one permanent IP address for the users.
    I have a DHCP service in the WLC for this profile.
    This configuration works fine for 3 or 4 days. On the fifth day my users renew the IP address, and they cannot surf the Internet, because in my firewall I have a policy for the users with an exact IP address, for example:
    MAC Filter - IP Address A - UserA
    My policy says:
    PolicyUserA - Internet
    Can I establish a MAC filter associated with one permanent IP address for one user when the DHCP service in the Cisco WLC is active?
    Is it possible to do it?
    How can I do it?

    Hi Ivan,
    You cannot map the MAC-IP address pairs on the WLC DHCP.
    The WLC has limited DHCP server functionality. You had better use an external DHCP server with full functionality; then you can configure the DHCP server to provide the same IP address every time to each client in your network.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that when we try to authenticate to the network with the predefined profile (the network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password ("Change password on next login" is checked in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password", but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines then a Microsoft guy could look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized to, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • 802.1x PEAP Windows 2008 NPS Certificate

    I've set up a centrally switched SSID on a 5508 WLC utilising 802.1x PEAP authentication to a pair of Windows 2008 NPS servers which authenticate the PEAP username and password against our Active Directory domain.
    Currently the Windows 2008 NPS servers are utilising a server certificate issued from our internal Certificate Authority, with the certificate being presented to the device upon connection depending upon which server the WLC sends the authentication to. The server names on the internally issued certificates are in the form of:
    Server01.domain.local
    Server02.domain.local
    Due to these certificates being internally issued, when some devices, specifically Apple iPads and iPhones, connect to the SSID initially they are prompted to accept the certificate, but it is listed as not verified as it is issued by an internal domain CA and not an external root certificate authority.
    I am going to be obtaining an external root CA issued certificate for both servers to replace the internally issued certificates. However, I notice that, using the internal certificate, if I connect a device to the SSID and accept the certificate of the server with certificate name server01.domain.local, and then disable the ability for clients to connect to server01, the WLC will automatically forward the authentication connection to the next server on the list. As this server is presenting a different certificate, "server02.domain.local", devices which are conducting certificate validation will fail to connect as the certificate does not match the previously accepted certificate.
    Does anyone know a way around this?
    Will adding say server02.domain.local as an additional name to the certificate for server01.domain.local resolve this issue?

    Hi,
    Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
    More information:
    Renew a Certificate
    http://technet.microsoft.com/en-us/library/cc730605.aspx
    NPS Server Certificate: Configure the Template and Autoenrollment
    http://msdn.microsoft.com/en-us/library/cc754198.aspx
    Hope this helps.

  • 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

    Could someone please provide me with the simplest set of configuration steps to fire up RADIUS in ACS and 802.1X for dynamic VLAN assignment? The objective is to roll out NAC L2 OOB using the 802.1X method for dynamic VLAN assignments.
    If possible show:
    1. ACS/Radius Configurations.
    2. End User Switch Configurations
    Variables:
    Switch A
    MAC Address aaaa.bbbb.cccc     Vlan 10
                bbbb.cccc.dddd     Vlan 20
    Also, could someone post the pros and cons of using Radius/ACS/802.1X for dynamic VLAN assignments?
    Other technology sets that can be used for dynamic VLAN assignment, except for the deprecated/obsolete VMPS?
    Thanks in advance.

    Hi Guys,
    Hmmm, well if you're just looking for MAC-based authentication the good news is that it is very easy. Just set up your RADIUS server: ACS, FreeRADIUS, Steel-Belted Radius etc. Then create a user with the name of the MAC address; in other words, if the MAC address is 0012.0021.1122 then the name would be 001200211122 and the password would be the MAC address. Then you set the VLAN and tunnel stuff, like so: Tunnel-Type would be VLAN, Tunnel-Medium would be 802 and Tunnel-Private-Group-ID is the name of the VLAN (not the VLAN number).
    So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with the MAC address (I believe the MAC has to be all lower case in the name and the password). Then check the Separate (CHAP/MS-CHAP/ARAP) box. Then you pick the group the machine belongs to; the group is the part that defines what VLAN it is on.
    Before you create the user, create the group with the info I wrote above and in addition specify the Service-Type as Authenticate Only.
    FreeRADIUS is a bit harder to configure the specifics of, and I am just now testing a FreeRADIUS server so I do not know the process for machine authentication.
    If, however, you are trying to authenticate a user, that gets a bit trickier and is not so straightforward.
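As an added example (not code from this thread, Cisco or FreeRADIUS): the MAC-as-username normalisation and the three tunnel attributes the reply above names, encoded as a RADIUS server sends them in an Access-Accept and decoded as a switch reads them, for the aaaa.bbbb.cccc -> VLAN 10 case in the question. Attribute numbers and values (64/65/81, VLAN = 13, IEEE-802 = 6) are from RFC 2868 and RFC 3580; the tag value 1 is an assumption, and the helper names are mine.

```python
"""Constructed helper: builds and parses the RADIUS tunnel attributes
(RFC 2868 layout, RFC 3580 values) used for dynamic VLAN assignment, plus
the MAC-as-username form used for MAC-based authentication."""
import re
import struct

# Attribute numbers (RFC 2868) and values (RFC 3580).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6

_NAMES = {TUNNEL_TYPE: "Tunnel-Type",
          TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
          TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}


def mab_username(mac: str) -> str:
    """Normalise a MAC address to the 12 lower-case hex digits used as both
    username and password, e.g. 'aaaa.bbbb.cccc' -> 'aaaabbbbcccc'.
    Accepts dot, colon and dash separators; rejects anything else."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def _tagged_attr(attr_type: int, tag: int, payload: bytes) -> bytes:
    # RFC 2868 layout: Type, Length, Tag, Value. Tags 0x01-0x1F bind the
    # three tunnel attributes together; 0x00 means "no tag".
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00-0x1F")
    body = bytes([tag]) + payload
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_tunnel_attributes(vlan: str, tag: int = 1) -> bytes:
    """Encode Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802 and
    Tunnel-Private-Group-Id=<vlan>. `vlan` is the VLAN ID or name as a
    string. Tag 1 is an assumption (any 0x01-0x1F works, if consistent)."""
    vlan_type = struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]          # 3-byte value
    medium = struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:]       # 3-byte value
    return (_tagged_attr(TUNNEL_TYPE, tag, vlan_type)
            + _tagged_attr(TUNNEL_MEDIUM_TYPE, tag, medium)
            + _tagged_attr(TUNNEL_PRIVATE_GROUP_ID, tag, vlan.encode("ascii")))


def parse_tunnel_attributes(data: bytes) -> dict:
    """Walk a run of RADIUS attributes and return the tunnel attributes as
    {name: (tag, value)}. For attribute 81 a first byte above 0x1F is part
    of the string, not a tag (RFC 2868 section 3.6); other attributes are
    skipped. Raises on a truncated or undersized attribute."""
    out = {}
    pos = 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + length]
        pos += length
        if attr_type not in _NAMES:
            continue
        if not value:
            raise ValueError("tunnel attribute without tag/value")
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] > 0x1F:
                tag, text = 0, value
            else:
                tag, text = value[0], value[1:]
            out[_NAMES[attr_type]] = (tag, text.decode("ascii"))
        else:
            out[_NAMES[attr_type]] = (value[0], int.from_bytes(value[1:], "big"))
    return out
```

When a switch ignores the assignment, running a captured Access-Accept through the parser shows the usual causes directly: a tag missing on one of the three attributes, or a Tunnel-Medium-Type other than IEEE-802. Note that a MAC address is visible on the wire to anyone on the segment, so this scheme identifies a device rather than authenticating it.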

  • 802.1x/EAP-TTLS and EAP Certificate Policies

    Hello,
    I am having a hard time with 802.1x authentication against a radius server I manage. Every time I try to connect, I get a pop up about certificate verification - the certificate cannot be verified because there are no explicit trust settings. This system is to be used to authenticate people on a wireless network we are setting up. The machines and people being authenticated are not managed - I do not have the ability to force a configuration on their computer.
    After researching this it looks like OS X has certificate policies that are consulted depending on the certificate operation requested. For 802.1x, I think the EAP certificate policy and the x.509 basic policy are consulted. These policies are outlined here.
    The problem is that when I get the certificate popup and hit 'View Certificate', I don't see anything that would explain why it is not being verified. Both the server certificate and the CA root certificate are listed as valid. There are no messages about insufficient extended key usage values or hostname mismatches or anything. How can I tell what is actually wrong?

    I was hoping this could be accomplished without having to change the trust settings from whatever the default is. The people who will ultimately be using this are students and staff at a University - a moderate number of which are bothered by any appearance of lower security.
    The root cert is in X509Anchors. The certificate CN is the IP address and the RADIUS server does not have a PTR record in the DNS server.
    If I point Firefox at a website set up on the same machine with the same certificate, there are no complaints. If I use Safari, there is an error about the names not matching but the name listed on the cert according to Safari is the same name I typed in the address field and the same name listed in the ServerName configuration of the web server.
    Just kind of a weird problem.

  • eapolclient crashes when attempting to connect to an 802.1x PEAP network

    Hello,
    I am having a problem connecting my macbook to my school's 802.1x PEAP authenticated network.
    The issue appeared after I updated my computer about 2 months ago. (today being 01/22/2008).
    Any help would be appreciated.

    Funny thing, I solved my own problem.
    Not sure what it was that I did, but I will repeat the steps I took that appear to have led to the solution:
    First, I deleted the root certificate and the stored login credentials via the Keychain Access program.
    Be careful not to delete your entire keyring!
    Then, I booted into single user mode via rEFIt (non-rEFIt people can do cmd-v; that's the clover, or Apple key).
    I then fsck'd the computer with the command
    /sbin/fsck -fy
    The f means force, and the y means assume yes when asking for permission to do things.
    Then, I did something really strange, which probably didn't cause my configuration to work, but for completeness I shall tell it anyway.
    I remounted root read-write via mount -w / and continued the booting process with sh /etc/rc. What that does is call the script that is normally called when OS X is booting, or at least that's how it works in BSD. sh, if you don't know, is THE shell that preceded bash, the Bourne-again sh. On OS X, it's just a symlink to bash. But, I digress.
    When I found that it just brought me to a blue start-up screen with a mouse, I shut down the system via the power button and rebooted normally.
    And, for some unknown reason, this restored the normal functionality of eapolclient.
    As I'm sure a person with a decent knowledge of Unix systems may conclude, maybe all I needed to do was fsck my system. Which I will remember next time before I spend 4 hours on an OS X problem (or any OS for that matter).

  • Switching between a 802.1x at school and my home wireless network

    Hey,
    I've been having some problems trying to figure out how I can swap between my university wireless network and my home Wi-Fi network.
    My university network uses 802.1x WPA2 Enterprise and the authentication is PEAP.
    My problem is that once I create a new network location for my uni and enter the details under the 802.1x tab in advanced settings, even after I change to another location and try to connect to my home network I can still see under the 802.1x tab that my uni settings are there. I am wondering if there is a way to keep the 802.1x settings and proxy settings separate for each location, as it seems to carry over the settings to every network location?

    chriswalsh wrote:
    two locations - 1 network in each location...different networks in each location.
    Do you mean create a location for each, then delete the AirPort service that would usually be automatically created in that location, then in both locations create a new AirPort service, which should make their settings individual from one another? Because I have already tried this and it didn't seem to work.
    Thanks for your help though.
    It seems impossible, which seems stupid when they have a location feature; wouldn't this be to allow you to create individual settings for each network location you go to?

  • I have a pc running windows 7.  I got an Airport Extreme 802.11n Wi-Fi and the printer is now plugged into the Airport.  The wireless router works fine but the printer shows as offline in control panel and in word. The printer is a HP LaserJet CP1525nw.

    I have a pc running windows 7.  I got an Airport Extreme 802.11n Wi-Fi and the printer is now plugged into the Airport.  The Airport works fine but the printer shows as offline in control panel and in word. The printer is a HP LaserJet CP1525nw.

    "For now I have it set to Share Public IP address - Is this correct for my Network Setup with The Airport Extreme being the only router being used?"
    This would be the correct setting if the AirPort Extreme is connected to a simple modem (one ethernet port).
    Settings I have Enabled:
    5 GHz name indicates that you have elected to use the option to assign a separate name to the 5 GHz network. This will allow you to "tell" compatible computers to connect to that network, rather than the slower 2.4 GHz network.
    Use Wide Channels is recommended for 5 GHz operation.
    Interference Robustness often does more harm than good and should not be used unless you know you are in an area with a lot of wireless networks and you feel that your network is experiencing interference issues from a nearby network.
