802.1x problem

Similar Messages

• Windows 7 Home Premium with 802.1x problems with the Authentication

  We have problems with  OS Windows 7 Home Premium 802.1x, the message in ACS:
  EAP-TLS or PEAP authentication failed during SSL handshake
  ACS v4.1
  We have OS Windows 7 Professional and doesn´t have problems with the authentication.
  I hope that you can help me
  Regards

  We were investigated with specialist people of OS Windows and the conclusion was that the Home Premium Version has restrictions about authentication and domain (Active Directory). So we need change the version of OS (Proffessional for example).
  If you had another tip, please tell me and I try it for resolve this issue, if not we have to change the OS.
  Regards

• Late 2013 rMBP 13" 802.11ac problem

  I've got a brand new 13" Retina MacBook Pro 13" (the 512GB i5 model)...and after a rather strong showing at first, it falls absolutely flat when attempting to connect to the 5GHz side of my wireless router.
  Specifically, this:
    Current Network Information:
  yannnet 5G:
    PHY Mode:          802.11ac
    BSSID:          10:fe:ed:xx:xx:xx
    Channel:          149
    Country Code:          US
    Network Type:          Infrastructure
    Security:          WPA2 Personal
    Signal / Noise:          -56 dBm / -92 dBm
    Transmit Rate:          27
    MCS Index:          1
  As you can see, this isn't a weak signal problem. In fact, I've got multiple other devices (mid-2009 MacBook, 27" 2011 iMac, Nexus 5, iPad third-gen) that connect to that network just fine, whether at 11ac speeds (the Nexus 5, at a full 433 Mbps since it only has one antenna) or at 11n speeds (for all other devices).
  2.4GHz appears to have sporadic issues as well, but it's better than 5GHz. Ethernet via a USB 3.0 adapter seems to work fine.
  I've got Mac OS X 10.9.2 installed. Any idea what's going on here? I've cleared preference plist files etc., and that only seems to help for a minute or two.

  Go ahead an exchange it for a different machine - 95% health is just not acceptable for a new machine.
  Clinton

• Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

  Dear all,
  Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco Anyconnect v3.1 as 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied as default in on our test machine. We are using PEAP (MsCHAPv2) and ACS local user credentials for authenticating process. We have noticed that, when we try to authenticate the network with predefined profile (network profile has Administrator Network privileges) and Windows user on test machine has no Admin privileges we are not able to change ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password"  but no popup window apears in Anyconnect. When we change Windows local user privileges to Admin or create Anyconnect network profile localy (privileges User Network) then, we are able to finish the process.
  Have you ever been facing the problem described above. Is it Anyconnect bug? How can we fix it?
  Best regards,
  Piotr

  If this happens with all machines then if a microsoft guy can look the app logs/privileges. It seems the app is requesting privilege that it is not authorized to and that's why the propmt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work Cisco need probably to fix this behavior.
  I am sorry if I am not able to help but I am not using the anyconnect for production.
  Regards,
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• WLC 5500 802.1x problems

  So here is the problem that i have.
  I have a WLC 5500 in site A ( let´s say city A too ) with its own set of wlans ( wlan 1 , wlan 2 ... ) that are used to differentiate different types of users ( teachers, students, etc )  using a RADIUS server and a AD for this client and using 802.1x. Everything on site A is working fine.
  Now i´m trying so set an access point in site B ( in city B ) with its own set of wlans ( wlan X, wlan Y ... ) that is also used to differentiate clients, site B as its own DHCP, its own RADIUS and its own AD. I´ve managed to connect the access point to the WLC and set wlans for site B. My problem now is that when a user tries to connect to wlan X and he is suppose to be in wlan Y, he is not forwarded to wlan Y and is left in wlan X. I´ve also configured HREAP.
  Does anyone as any idea why the clients aren't being assigned to the correct wlan??
  I´ve checked in the Radius server and its sending the correct wlan to the user.
  I now that the text is probably a little bit confusing, but i hope that someone can help me.
  Thanks in advanced.

  You are right, it is not supported:
  Note: If the APs are in H-REAP mode and locally switched at the remote site, the dynamic assignment of users to a specific VLAN based on the RADIUS server configuration is not supported. 
  Since you can't do dynamic vlan, why not have two policies, one for teachers and the other for students.  You will need to have then in seperate groups in AD also.  Then filter on the ssid and the AD group, so if students try to access the teachers ssid using their credentials, they get rejected and vice versa.
  I don't know what you mean by connecting two site without h-reap.  The only other way is switching the AP to local mode, which you better have some good bandwidth.
  Scott

• 802.1x problems with Cat4510E-Sup6L, IOS 12.2.54

  Hi, all.
  I have a very strange problem when turning on 802.1x/MAB on Cisco IOS 12.2.54 running on Cat45xx switches.
  Here is a config sample of a port:
  interface GigabitEthernet9/48
  switchport access vlan xxx
  switchport mode access
  switchport voice vlan yyy
  no logging event link-status
  load-interval 60
  authentication event fail action next-method
  authentication event server dead action authorize vlan xxx
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  mab
  no snmp trap link-status
  dot1x pae authenticator
  dot1x timeout tx-period 10
  flowcontrol receive off
  storm-control broadcast level 5.00
  storm-control action shutdown
  spanning-tree portfast    
  Cisco ACS 5.1 is running as an radius/tacacs appliance in the network.
  Since we have many non-certificate-capable devices, MAB is used first to authenticate these devices, for many
  devices the radius server sends down a specific vlan id for that port.
  All of this works fine !!!!
  Now for the problem:
  Some devices authenticate fine with mab, but after a few minutes these devices stop responding to the network,
  pings are not answered anymore.
  "show authen sessions" for this port shows everything good:
  show authentication sessions int gig9/48
              Interface:  GigabitEthernet9/48
            MAC Address:  000d.1234.5678
             IP Address:  10.aa.bb.cc.dd
              User-Name:  00-0D-12-34-56-78
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  multi-domain
       Oper control dir:  both
          Authorized By:  Authentication Server
            Vlan Policy:  zzz
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A540423000015FE74510567
        Acct Session ID:  0x00001608
                 Handle:  0x34000609
  Runnable methods list:
         Method   State
         mab      Authc Success
         dot1x    Failed over
  When i shutdown and reenable the interface, show auth sessions changes to:
  show authentication sessions int gig9/48
              Interface:  GigabitEthernet9/48
            MAC Address:  Unknown
             IP Address:  Unknown
                 Status:  Running
                 Domain:  UNKNOWN
         Oper host mode:  multi-domain
       Oper control dir:  both
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  0A5404230000160676F62524
        Acct Session ID:  0x00001613
                 Handle:  0x24000610
  Runnable methods list:
         Method   State
         mab      Running
         dot1x    Not run
  After a variable time period (sometimes 2 minutes, sometimes 2 hours) the port learns or sees the
  mac address again, authenticates it and pings start to respond again, but also for a variable time period only
  and the whole thing starts over (pings lost, ......)
  I guess this is a .1x issue, because if I configure the port as a normal switchport (mode access, access vlan "zzz", span portfast),
  the devices show no problems at all, always reachable, no packets lost.
  Did I miss anything ??
  Anyone encountered any similar problems ???

  Hi, I have experiensed a similar problem, I have a C4506 sup 4, with gig interfaces. I have ACS5.1 and if I enable dot1X on a access-port it works fine in multi-host mode but when I switch to multi-domain it stops working, the pc and phone gets an IP address but they are not able to communicate, not even pinging the default GW. Directiy after the switch to multi-domain (from multi-host) the phone and pc works but if i do a shut no shut on the interface it stops working. I have logged a case with TAC and wating for an answer. I run the latest release 12.2(54)
  / Magnus

• 802.1x Problem After Installing Update 10.4.10

  After installing the 10.4.10 update (from 10.4.9), I have started having problems with authenticating using 802.1x over my wireless connection. I enter my login information when prompted, and after a few seconds (when it says "Authenticating..."), it comes back with an error:
  WPA Authentication Failed.
  Security Error: 0
  If I try authenticating several more times, it will eventually work. It is not a signal strength issue, and it is not me mistyping my username and password.
  The only error in the console.log that I see is:
  /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport: Error: Could not start 802.1X
  This only seems to affect my attempts to log in using 802.1x. I am able to associate with WPA and WPA2 networks using pre-shared keys without any issues.
  My 802.1x settings are as follows:
  Network Port: AirPort
  Authentication: TTLS (all other un-checked)
  - TTLS Inner Authentication: MSCHAPv2
  - TTLS Outer Identity: (blank)
  AirPort card information:
  Wireless Card Type: AirPort Extreme (0x168C, 0x86)
  Wireless Card Locale: USA
  Wireless Card Firmware Version: 1.1.8.5
  Kernel Extension information:
  AirPortAtheros:
  Version: 2.3
  Last Modified: 2/27/07 9:32 PM
  Get Info String: 2.3, Copyright © 2006–2007 Apple Inc. All Rights Reserved.
  Location: /System/Library/Extensions/IO80211Family.kext/Contents/PlugIns/AirPortAtheros.k ext
  kext Version: 230.8.5
  Load Address: 0x98c000
  Valid: Yes
  Authentic: Yes
  Dependencies: Satisfied
  Integrity: Correct
  Any ideas? Thanks.
  MacBook   Mac OS X (10.4.10)  

  Found the problem... It turns out it is not related to the 10.4.10 patch, but it is still specific to MacBooks and the way they do EAP for 802.1x authentications.
  The problem was with the default settings on the Cisco/Airespace wireless controllers, which we have recently migrated to. It has a default EAP timeout/retry of 2 seconds, so depending on how long it takes you to type in your login information and submit it, you might fall outside the 2-second window where the controller is accepting that login. The solution was to increase that window on the wireless controller itself.
  My guess is that Windows automatically retries, which is why Windows users did not see this problem.
  Mac OS X (10.4.10)

• 1200 WPA/802.1x problem

  Hi, folks,
  I am trying 1200 WPA/802.1x(EAP). But now run into issues. It's a little strange. Everything I restarted ACS service, the authentication can pass, but after that when I disable or repair the wireless and try again the authentication fail.
  1231G + ACS3.3 + self-signed certificate (I also tried CA server, the same)
  Any one has or ever experienced this issue? Thanks.
  Ed

  Seems to be resolved. I upgraded the AP IOS to the lastest 12.38JA1, then it works. Although each time I can see one fail record in ACS log, but anyway the authentication can be completed after the first failed try.
  BTY, I saw these words in cisco.com:
  PEAP Authentication with Windows XP SP2 Fails with RADIUS Server
  This issue occurs in Windows XP Service Pack 2 when you use a non-Microsoft RADIUS Server like the Cisco RADIUS server for authentiation. Sometimes the initial connection can authenticate successfully, but subsequent fast-connect authentication attempts might not connect successfully. Microsoft has confirmed that this is a problem in the Microsoft products.
  This issue occurs if your Cisco RADIUS server uses a different method to calculate the Extensible Authentication Protocol (EAP) Type:Length:Value format (EAP-TLV) ID than the method that Windows XP uses.
  In order to resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix. You can find more information about this hotfix at Microsoft hotfix for WPA leavingcisco.com.
  Interesting, ah?
  Ed

• Network IEEE 802.1X problems

  I bought a new macbook at last week and when I tried to conect on my university wireless lan with WEP IEEE 802.1X using TTLS.
  In fact the conection works for 5 seconds... After it, my macbook starts an autentication process and cannot authenticate with the LAN. This problems happens by Wireless and by cable. In fact many other students are having the same problem but only with Macbook core2duo models. The old coreduo Macbooks works fine. So, it seems to me that this new model has a problem. I hope Apple find a way to solve it!!
  macbook core2duo black   Mac OS X (10.4.8)  

  Hi materdei,
  I am having the same problem. The thing is though sometimes I stay connected without any problems for hours, but when then it disconnects if you don't "cancel" the authentication process, it just freezes there.
  By the way I don't think it's just new Macbooks, it is all of them because I have an old Macbook, it doesn't work fine either, and I know other people with old Macbooks having the same problem. But for example I have never seen older Apple computers experiencing this.
  Just thought it could be the uni's problem, but then why just Macbooks are affected?
  ps: I see that you're from Portugal, and are you also studying there? Because I am having this problem in a uni in Portugal and I am not really sure but i think all the uni's are using the same system over there.

• 802.1x PROBLEMS

  I need to connect to the internet at my school. IT is a 802.1x connection and it work work it worked with TIGER please tell me why and how to fix it.

  i'm having the same problem.
  i tried turning on 802.1x login. i tried setting up a system 802.1x thing. i tried setting up a user one. in every situation, airport wouldn't automatically log me in but would ask for username and pass even though it recognized the network (which is strange). on top of that, even after then putting in the correct un/pass it would simply say see administrator and not log me on.
  needless to say, since everything worked flawlessly in tiger, this is a disappointment. could someone please help? or perhaps point me to a blog where someone who's knowledgeable has discussed this issue?
  thanks in advace,
  htns

• 802.1X problem eapolclient crashing

  Hi,
  I once had a working 802.1X configuration, but playing around at a different university I messed up the configuration. Some of the options I tried may be still in the system although I erased any 802.1X configuration profiles I had earlier.
  When I try to login I get a message saying that WPA authentification failed. The logs tell me that eapolclient crashed.
  I found some discussions relating to VMWare. I am also using VMware, but I have a recent version and it used to work. I think I messed up the configuration and this causes the problem.
  Is there anything I could do?
  Thanks and greetings

  This is what the logs say:
  Host Name:
  Date/Time: 2009-09-29 16:55:28.912 +0200
  OS Version: 10.4.11 (Build 8S2167)
  Report Version: 4
  Command: eapolclient
  Path: /System/Library/SystemConfiguration/EAPOLController.bundle/Resources/eapolclien t
  Parent: configd [37]
  Version: ??? (???)
  PID: 2681
  Thread: 0
  Exception: EXCBADACCESS (0x0001)
  Codes: KERNPROTECTIONFAILURE (0x0002) at 0x00000004
  Thread 0 Crashed:
  0 com.apple.CoreFoundation 0x9082aed8 CFRunLoopAddSource + 30
  1 eapolclient 0x00002d0e FDHandler_create + 192
  2 eapolclient 0x000021ca EAPOLSocket_create + 373
  3 eapolclient 0x00005fe1 Supplicant_create + 75
  4 eapolclient 0x000033be main + 1179
  5 eapolclient 0x00001e66 _start + 216
  6 eapolclient 0x00001d8d start + 41
  Thread 0 crashed with X86 Thread State (32-bit):
  eax: 0x00000000 ebx: 0x9082aec8 ecx: 0xa0814148 edx: 0xffffffff
  edi: 0x00301590 esi: 0x00000000 ebp: 0xbffff528 esp: 0xbffff4d0
  ss: 0x0000001f efl: 0x00010246 eip: 0x9082aed8 cs: 0x00000017
  ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
  Binary Images Description:
  0x1000 - 0x8fff eapolclient /System/Library/SystemConfiguration/EAPOLController.bundle/Resources/eapolclien t
  0x8fe00000 - 0x8fe4afff dyld 46.16 /usr/lib/dyld
  0x90000000 - 0x90171fff libSystem.B.dylib /usr/lib/libSystem.B.dylib
  0x901c1000 - 0x901c3fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib
  0x9080b000 - 0x908d3fff com.apple.CoreFoundation 6.4.11 (368.35) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
  0x90913000 - 0x90a07fff libicucore.A.dylib /usr/lib/libicucore.A.dylib
  0x90a57000 - 0x90ad6fff libobjc.A.dylib /usr/lib/libobjc.A.dylib
  0x90aff000 - 0x90b63fff libstdc++.6.dylib /usr/lib/libstdc++.6.dylib
  0x90bd2000 - 0x90bd9fff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib
  0x90bde000 - 0x90c51fff com.apple.framework.IOKit 1.4.8 (???) /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
  0x90c66000 - 0x90c78fff libauto.dylib /usr/lib/libauto.dylib
  0x91158000 - 0x91166fff libz.1.dylib /usr/lib/libz.1.dylib
  0x91169000 - 0x91308fff com.apple.security 4.5.2 (29774) /System/Library/Frameworks/Security.framework/Versions/A/Security
  0x91420000 - 0x91446fff com.apple.SystemConfiguration 1.8.6 /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfi guration
  0x91948000 - 0x919fafff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib
  0x94cc8000 - 0x94cd6fff com.apple.framework.Apple80211 4.5.5 (455.2) /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Apple80211
  0x96c26000 - 0x96c3cfff com.apple.EAP8021X 8.0.5 (???) /System/Library/PrivateFrameworks/EAP8021X.framework/Versions/A/EAP8021X

• WRT120N 802.11n problems

  Hello!
  I just bought a new WRT120N Router. It worked perfectly wired and wirelessly.
  But my old laptop burned, and the new one came with a Atheros  AR5B93 Wireless Network Adapter, which is Draft-N compatible.
  The laptop connects to the router fine, but using only the G type. When I set the router to use only 802.11n, i get a message from Windows, like:  "Windows was unable to connect to the network."
  Please help me solve this problem, because the N configuration is much faster than the old G.
  Thanks,
  edydotmail 
  Solved!
  Go to Solution.

  How you come to know that the computer is connecting with G type....?
  Try to adjust the settings on the router..Open the linksys setup page,Change the Channel Width to 40MHz only,Wide Channel to 9 and Standard Channel to 11-2.462GHz and click on save settings...Under the Advanced Wireless Setting,Change the N Transmission Rate to 7-65 Mbps,disable the Frame Burst..Change the Beacon Interval to 75 >>Change the Fragmentation Threshold to 2304, Change the RTS Threshold to 2304 >>Click on "Save Settings"...  Now,check... 

• Airport Express 802.11n problem

  I have an Airport Express 802.11n.
  I use it to send iTunes from my mac on my stereo system in the adjacent room, via my wireless network. I don't use it all that often. It has worked fine over the two or so years I've had it
  A couple of weeks ago I had a new BT Home Hub 5 installed, this may be just a coincidence but I tried to use my Airport Express 802.11n yesterday with no luck. All I get is an amber flashing light. I've plugged the Airport Express 802 into the mains right next to my imac but that has not helped. My Airport Utility doesn't find or show my Airport Express.
  What do I do? Can anyone help?
  Hopefully
  Rob

  Here's an update:-
  By re-setting my Airport Express 802 and updating the firmware, I can now get it to work when connected with an ethernet cable and changing my settings from DHCP to Bridge.
  However, I still can't get it to work wirelessly.
  Is this a known problem with the BT Home Hub 5 and BT Infinity?

• Imac Windows 7 802.11n problem

  I have an imac 27 late 2011. I have windows 7 running on it. Also i have ASUS router that supports 802.11n up to 150Mps. When i'm trying to set up my router to "n" mode, my imac refuses to connect, saying "couldn't connect to network". In a meantime other devices work flawlessly with the network. So i have to put my router back to "b/g" mode to allow my Imac to use internet, which is very sad bc i have 100Mps internet connection.

  Hi,
  the usual way of choosing which operating system to boot is to hold down the 'alt/option'-key during boot to get to the Startup Manager.
  To boot from your OSX installation DVD you can also use that key or alternatively the 'C'-key.
  Once booted from the DVD choose your language and then from 'Utilities' in the Top Menu run Disk Utility to see what is really on your harddisk.
  There is the possibility that during the Windows 7 installation you somehow deleted your OSX form the harddisk.
  Regards
  Stefan

• 802.1x problem with non-Cisco IP Phone, VVID enabled.

  I am testing with a 3750 PoE switch running 12.2(25)SEE1 and trying to configure 802.1x to work with Mitel IP phones.
  I have voice and data vlans configured on each port. Turning on 802.1x causes the phone to hang and timeout in DHCP Discovery. The port status from the switch is "Unauthorized".
  interface FastEthernet1/0/2
  switchport access vlan 1
  switchport mode access
  switchport voice vlan 2
  dot1x pae authenticator
  dot1x port-control auto
  no mdix auto
  spanning-tree portfast
  end
  Should anything be configured besides the Voice VLAN to let phones onto the network? There is no computer behind the phone right now. The only information I can find says I need a VVID, and any clients behind it will cross the PVID.
  Thanks.

  Yes it does.
  Apparently the Mitel phones (testing a 5215 dual-mode) we have support EAP-MD5, but we have a primarily PEAP/EAP-TTLS environment. Apparently the phones need to use a username/password entered on each phone before they will send that to a Radius server doing EAP-MD5. Our PEAP clients authenticate to a Microsoft Radius server, and our EAP-TTLS to a Funk box. Hopefully the Microsoft can support both EAP-MD5 phones and PEAP on the laptops, I'll have to find out.
  I was hoping this was a quick and easy Cisco configuration error... oh well.