802.1x - Secuirty policies
Hello All
for 802.1x authentication what should be the security policy confgiured on the WLC
[WPA2][Auth(PSK)]
or
[WPA2][Auth(802.1X)]
or
hope to get some help
VR
WPA2 is not available alone. You need to select WPA+WPA2 as many clients still work on WPA.
Wi-Fi Protected Access (WPA or WPA1) and WPA2 are standards-based security solutions from the Wi-Fi Alliance that provide data protection and access control for wireless LAN systems. WPA1 is compatible with the IEEE 802.11i standard but was implemented prior to the standard’s ratification; WPA2 is the Wi-Fi Alliance's implementation of the ratified IEEE 802.11i standard.
By default, WPA1 uses Temporal Key Integrity Protocol (TKIP) and message integrity check (MIC) for data protection while WPA2 uses the stronger Advanced Encryption Standard encryption algorithm using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Both WPA1 and WPA2 use 802.1X for authenticated key management by default.
You should select [WPA2][Auth(802.1X)]. 802.1x is the standard for wireless LAN security, as defined by IEEE, is called 802.1X for 802.11, or simply 802.1X. An access point that supports 802.1X acts as the interface between a wireless client and an authentication server, such as a RADIUS server, to which the access point communicates over the wired network. If 802.1X is selected, only 802.1X clients are supported.
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
Similar Messages
-
Applet- RS232 serial communication
Hi,
Can any one tell how to do applet -RS232 serial communication?Do i signed applets? any secuirty policies to incorporated?
Thanx
/JPyou need to install the jre, and place the win32.dll at JavaSoft\JRE\1.3.1_06\bin, that properties file place at JavaSoft\JRE\1.3.1_06\lib, comm.jar at JavaSoft\JRE\1.3.1_06\lib\ext\
and in ur code try to use it to open ur com port
public String test() {
String drivername = "com.sun.comm.Win32Driver";
try
CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
catch (Throwable th)
{* Discard it */}
drivername = "javax.comm.*";
try
CommDriver driver = (CommDriver) Class.forName(drivername).newInstance(); driver.initialize();
catch (Throwable th)
{* Discard it */}
portList = CommPortIdentifier.getPortIdentifiers();
while (portList.hasMoreElements()) {
portId = (CommPortIdentifier) portList.nextElement();
if (portId.getPortType() == CommPortIdentifier.PORT_SERIAL) {
if (portId.getName().equals("COM2")) {
//if (portId.getName().equals("/dev/term/a")) {
try {
serialPort = (SerialPort)
portId.open("SimpleWriteApp", 2000);
} catch (PortInUseException e) {}
try {
outputStream = serialPort.getOutputStream();
} catch (IOException e) {}
try {
serialPort.setSerialPortParams(9600,
SerialPort.DATABITS_8,
SerialPort.STOPBITS_1,
SerialPort.PARITY_NONE);
} catch (UnsupportedCommOperationException e) {}
int i=0;
while(true)
try {
messageString="hi";
System.out.println(i++);
outputStream.write(messageString.getBytes());
} catch (IOException e)
System.out.println(e);
messageString=String.valueOf(e);
return messageString;
and yet u need to signed the applet
1. Compile the applet
2. Create a JAR file
3. Generate Keys
4. Sign the JAR file
5. Export the Public Key Certificate
6. Import the Certificate as a Trusted Certificate
7. Create the policy file
8. Run the applet
Susan
Susan bundles the applet executable in a JAR file, signs the JAR file, and exports the public key certificate.
1. Compile the Applet
In her working directory, Susan uses the javac command to compile the SignedAppletDemo.java class. The output from the javac command is the SignedAppletDemo.class.
javac SignedAppletDemo.java
2. Make a JAR File
Susan then makes the compiled SignedAppletDemo.class file into a JAR file. The -cvf option to the jar command creates a new archive (c), using verbose mode (v), and specifies the archive file name (f). The archive file name is SignedApplet.jar.
jar cvf SignedApplet.jar SignedAppletDemo.class
3. Generate Keys
Susan creates a keystore database named susanstore that has an entry for a newly generated public and private key pair with the public key in a certificate. A JAR file is signed with the private key of the creator of the JAR file and the signature is verified by the recipient of the JAR file with the public key in the pair. The certificate is a statement from the owner of the private key that the public key in the pair has a particular value so the person using the public key can be assured the public key is authentic. Public and private keys must already exist in the keystore database before jarsigner can be used to sign or verify the signature on a JAR file.
In her working directory, Susan creates a keystore database and generates the keys:
keytool -genkey -alias signFiles -keystore susanstore -keypass kpi135 -dname "cn=jones" -storepass ab987c
This keytool -genkey command invocation generates a key pair that is identified by the alias signFiles. Subsequent keytool command invocations use this alias and the key password (-keypass kpi135) to access the private key in the generated pair.
The generated key pair is stored in a keystore database called susanstore (-keystore susanstore) in the current directory, and accessed with the susanstore password (-storepass ab987c).
The -dname "cn=jones" option specifies an X.500 Distinguished Name with a commonName (cn) value. X.500 Distinguished Names identify entities for X.509 certificates.
You can view all keytool options and parameters by typing:
keytool -help
4. Sign the JAR File
JAR Signer is a command line tool for signing and verifying the signature on JAR files. In her working directory, Susan uses jarsigner to make a signed copy of the SignedApplet.jar file.
jarsigner -keystore susanstore -storepass ab987c -keypass kpi135 -signedjar SSignedApplet.jar SignedApplet.jar signFiles
The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
5. Export the Public Key Certificate
The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
The -storepass ab987c and -keystore susanstore options specify the keystore database and password where the private key for signing the JAR file is stored. The -keypass kpi135 option is the password to the private key, SSignedApplet.jar is the name of the signed JAR file, and signFiles is the alias to the private key. jarsigner extracts the certificate from the keystore whose entry is signFiles and attaches it to the generated signature of the signed JAR file.
5: Export the Public Key Certificate
The public key certificate is sent with the JAR file to the whoever is going to use the applet. That person uses the certificate to authenticate the signature on the JAR file. To send a certificate, you have to first export it.
In her working directory, Susan uses keytool to copy the certificate from susanstore to a file named SusanJones.cer as follows:
keytool -export -keystore susanstore -storepass ab987c -alias signFiles -file SusanJones.cer
Ray
Ray receives the JAR file from Susan, imports the certificate, creates a policy file granting the applet access, and runs the applet.
6. Import Certificate as a Trusted Certificate
Ray has received SSignedApplet.jar and SusanJones.cer from Susan. He puts them in his home directory. Ray must now create a keystore database (raystore) and import the certificate into it. Ray uses keytool in his home directory /home/ray to import the certificate:
keytool -import -alias susan -file SusanJones.cer -keystore raystore -storepass abcdefgh
7. Create the Policy File
The policy file grants the SSignedApplet.jar file signed by the alias susan permission to create newfile (and no other file) in the user's home directory.
Ray creates the policy file in his home directory using either policytool or an ASCII editor.
keystore "/home/ray/raystore";
// A sample policy file that lets a JavaTM program
// create newfile in user's home directory
// Satya N Dodda
grant SignedBy "susan"
permission java.security.AllPermission;
8. Run the Applet in Applet Viewer
Applet Viewer connects to the HTML documents and resources specified in the call to appletviewer, and displays the applet in its own window. To run the example, Ray copies the signed JAR file and HTML file to /home/aURL/public_html and invokes Applet viewer from his home directory as follows:
Html code :
</body>
</html>
<OBJECT classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93"
width="600" height="400" align="middle"
codebase="http://java.sun.com/products/plugin/1.3/jinstall-13-win32.cab#Version=1,3,1,2">
<PARAM NAME="code" VALUE="SignedAppletDemo.class">
<PARAM NAME="archive" VALUE="SSignedApplet.jar">
<PARAM NAME="type" VALUE="application/x-java-applet;version=1.3">
</OBJECT>
</body>
</html>
appletviewer -J-Djava.security.policy=Write.jp
http://aURL.com/SignedApplet.html
Note: Type everything on one line and put a space after Write.jp
The -J-Djava.security.policy=Write.jp option tells Applet Viewer to run the applet referenced in the SignedApplet.html file with the Write.jp policy file.
Note: The Policy file can be stored on a server and specified in the appletviewer invocation as a URL.
9. Run the Applet in Browser
Download JRE 1.3 from Javasoft
good luck! [email protected]
i already give u many tips, i use 2 weeks to try this to success, hopw that u understand that, a result of success is not important, the process of how to get things done is most usefull! -
BB 9630 Not accepting drivers in Windows
Ok, this is my first post, but I'm not a newbie to BBs, but I'm open to ideas (hince this website
Here's the issue:
We have a bunch of BB 9630s with the 4.7.1.57 OS
We are not able to upgrade our BBs (secuirty policies by our company)
We are using BDM 4.2.18
Root Issue: When connecting the BB to the computer by USB, it asks for the drivers. I point windows to C:\PROGRAM FILES\COMMON FILES\RESEARCH IN MOTION\USB DRIVERS, but it does not take to it (states that it could not find any drivers for this device, etc...)
I have fully uninstalled the BDM, BBHH Drivers (for the 9630) and reinstalled them. I have even tried using BDM 5.0 and no joy.
I pulled the drivers from Sprints website and they did not work.
I tried a few different BBs (all same 9630s, 4.7.1.57 OS and all Sprint) and they all do the same thing.
Here's a kicker, tried it on different computers and still getting the same thing.
Am I missing something?Verizon ver 4.7.1.61 is the OS I'm running on my Tour. The only difference is that my pc OS is Win 7.
Did you also check HK_Current_User to see if any traces of RIM are left under the Software key after your uninstall?
I would also check the %windir%\inf folder to see if there's a .inf driver file related to your device. Keep in mind that if you do find one, there will also be an associated .pnf file as well.
Here's a ref. http://support.microsoft.com/kb/813449
It's only happened to me once but I did run into a similar situation where I couldn't install a device until I deleted the existing .inf and .pnf files. In that particular case, the new driver inf file and the old one had the exact same name and the old file was never overwritten during the install.
Search the folder looking for any .inf or .pnf file that contains "Research or "Research in Motion"
Err on the side of caution and make a copy of the files before you delete them if you do find any.
Instead of launching the executable directly, you can extract the install files to a directory of your choice using WinRAR. By doing so, you will know the exact name of the folder which "should" contain the proper drivers.
I have Blackberry Device Manager running in my system tray. The drivers listed are as follows:
Blackberry Device Manager ver. 5.0.1.11
BBDevMgr. ver. 4.1.0.12
RIM USB Driver ver. 4.1.0.4
RIM USB Serial Driver ver. 2.2.0.3
Also, what's the file date and timestamp on the .inf file in C:\Program Files\Common Files\Research In Motion\USB Drivers? -
802.1x/EAP-TTLS and EAP Certificate Policies
Hello,
I am having a hard time with 802.1x authentication against a radius server I manage. Every time I try to connect, I get a pop up about certificate verification - the certificate cannot be verified because there are no explicit trust settings. This system is to be used to authenticate people on a wireless network we are setting up. The machines and people being authenticated are not managed - I do not have the ability to force a configuration on their computer.
After researching this it looks like OS X has certificate policies that are consulted depending on the certificate operation requested. For 802.1x, I think the EAP certificate policy and the x.509 basic policy are consulted. These policies are outlined here.
The problem is that when I get the certificate popup and hit 'View Certificate', I don't see anything that would explain why it is not being verified. Both the server certificate and the CA root certificate are listed as valid. There are no messages about insufficient extended key usage values or hostname mismatches or anything. How can I tell what is actually wrong?I was hoping this could be accomplished without having to change the trust settings from whatever the default is. The people who will ultimately be using this are students and staff at a University - a moderate number of which are bothered by any appearance of lower security.
The root cert is in X509Anchors. The certificate CN is the IP address and the RADIUS server does not have a PTR record in the DNS server.
If I point Firefox at a website set up on the same machine with the same certificate, there are no complaints. If I use Safari, there is an error about the names not matching but the name listed on the cert according to Safari is the same name I typed in the address field and the same name listed in the ServerName configuration of the web server.
Just kind of a weird problem. -
802.1X wirelss restriction on User Login policies
Hi all,
Seeking some technical idea on Wireless 802.1x setup.
Business requirement is:
"User login policy: to limit the number of concurrent login by a single user only apply to one device at any given time. "
There is no problem on PEAP/MSCHAPv2 login, only thing is the same user credential able to be use and login on multiple device, in the same time.
On the NAD part, we configure these on WLC but still cannot achieve our objective
- advanced eap max-login-ignore-identity-response disable
- netuser maxuserLogin 1
Seeking technical solution on this case, please advice. Is there anything need to tweak on the directory server or ACS part?
The components using as below:
Supplicant 1: Window 7, authentication method using PEAP/MSCHAPv2
Supplicant 2: iPhone iOS version 6.x
Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
Authentication server: Cisco secure server ACS 5.3.0.40
Identity Source : Microsoft server 2008 R2 ADDS, single forest single domain.
attached the network diagram: topo1.pnghttp://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html
-
802.1X and automatic vlan assignment
Hello,
I'm testing a 802.1X infrastructure :
Switch : Try with Netgear Prosafe GS728TPS and Cisco SF300
Radius Server : Microsoft NPS
DHCP Relay for address assignement by Vlan
I have created some policies with simple authentication for testing (MSCHAP V2) and vlan assignement or not (depend on Active Directory Group).
All work fine on a Windows 7 Pro. The user 1 is authenticated whithout vlan and the user 2 is authenticated with a vlan.
The DHCP works fine and the 2 users have an IP.
When I try on MAC OS X (ver. 10.7.2 and ver. 10.9.2) the user 1 (whithout vlan) work fine. I have an IP and access to the LAN. But the user 2 (with vlan) don't work. The Mac don't get an IP and I'm not on the VLAN. If i push manually an IP of the vlan, I have no access to the VLAN.
There are some specifics parameters to add for enable vlan on Mac OS X ?
Thanks for reply
BenEdit : It's for wired connections
-
Hello I´m trying to setup 802.1x on an old 3560 switch.
The Switch is a:
Switch Ports Model SW Version SW Image
* 1 52 WS-C3560-48TS 12.2(25)SEE3 C3560-ADVIPSERVICESK
I´m using Windows 2012 IAS as RADIUS with the following policies:
I have the folling config on the switch:
aaa group server radius RadiusAuth
server 172.29.8.12 auth-port 1645 acct-port 1646
aaa authentication login default local
aaa authentication login local enable
aaa authentication dot1x default group RadiusAuth
aaa authorization network default group RadiusAuth
dot1x system-auth-control
interface FastEthernet0/31
description 802.1x tests
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 3
dot1x timeout tx-period 5
dot1x guest-vlan 106
spanning-tree portfast
radius-server host 172.29.8.12 auth-port 1645 acct-port 1646
radius-server retry method reorder
radius-server transaction max-tries 10
radius-server timeout 4
radius-server deadtime 2
radius-server key KEYSECRET
radius-server vsa send authentication
And I cant authenticate , I think it is a RADIUS problem.
I have this aditional debug info related with RADIUS and Dot1x:
004898: Aug 5 12:32:28: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to down
004899: 7w6d: RADIUS(00000019): Storing nasport 50031 in rad_db
004900: 7w6d: RADIUS(00000019): Config NAS IP: 0.0.0.0
004901: 7w6d: RADIUS/ENCODE(00000019): acct_session_id: 27787264
004902: 7w6d: RADIUS(00000019): sending
004903: 7w6d: RADIUS/ENCODE: Best Local IP-Address 172.29.11.1 for Radius-Server 172.29.8.12
004904: 7w6d: RADIUS(00000019): Send Access-Request to 172.29.8.12:1645 id 21645/77, len 173
004905: 7w6d: RADIUS: authenticator A7 3A 07 F8 8D 5B C1 76 - 67 8E 66 54 05 04 0C DB
004906: 7w6d: RADIUS: User-Name [1] 19 "DOMAIN\User"
004907: 7w6d: RADIUS: Service-Type [6] 6 Framed [2]
004908: 7w6d: RADIUS: Framed-MTU [12] 6 1500
004909: 7w6d: RADIUS: Called-Station-Id [30] 19 "00-17-94-97-D9-23"
004910: 7w6d: RADIUS: Calling-Station-Id [31] 19 "00-24-BE-C7-09-6F"
004911: 7w6d: RADIUS: EAP-Message [79] 24
004912: 7w6d: RADIUS: 02 02 00 16 01 44 49 47 49 54 41 49 4E 45 52 5C [?????DOMAIN\]
004913: 7w6d: RADIUS: 6F 6C 6F 70 65 7A [USER]
004914: 7w6d: RADIUS: Message-Authenticato[80] 18
004915: 7w6d: RADIUS: 31 C9 68 BA B8 E9 DC 78 6E 87 7E A4 89 D5 0C 81 [1?h????xn?~?????]
004916: 7w6d: RADIUS: Vendor, Cisco [26] 24
004917: 7w6d: RADIUS: cisco-nas-port [2] 18 "FastEthernet0/31"
004918: 7w6d: RADIUS: NAS-Port [5] 6 50031
004919: 7w6d: RADIUS: NAS-Port-Type [61] 6 Eth [15]
004920: 7w6d: RADIUS: NAS-IP-Address [4] 6 172.29.11.1
004921: Aug 5 12:32:32: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to up
004922: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004923: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004924: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004925: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004926: 7w6d: RADIUS(00000019): Storing nasport 50031 in rad_db
004927: 7w6d: RADIUS(00000019): Config NAS IP: 0.0.0.0
004928: 7w6d: RADIUS/ENCODE(00000019): acct_session_id: 27787264
004929: 7w6d: RADIUS(00000019): sending
004930: 7w6d: RADIUS/ENCODE: Best Local IP-Address 172.29.11.1 for Radius-Server 172.29.8.12
004931: 7w6d: RADIUS(00000019): Send Access-Request to 172.29.8.12:1645 id 21645/78, len 173
004932: 7w6d: RADIUS: authenticator 84 B1 75 9D 4C 21 0F 9D - 19 01 A6 23 DE 1B 74 1A
004933: 7w6d: RADIUS: User-Name [1] 19 "DOMAIN\User"
004934: 7w6d: RADIUS: Service-Type [6] 6 Framed [2]
004935: 7w6d: RADIUS: Framed-MTU [12] 6 1500
004936: 7w6d: RADIUS: Called-Station-Id [30] 19 "00-17-94-97-D9-23"
004937: 7w6d: RADIUS: Calling-Station-Id [31] 19 "00-24-BE-C7-09-6F"
004938: 7w6d: RADIUS: EAP-Message [79] 24
004939: 7w6d: RADIUS: 02 03 00 16 01 44 49 47 49 54 41 49 4E 45 52 5C [?????DDOMAIN\]
004940: 7w6d: RADIUS: 6F 6C 6F 70 65 7A [User]
004941: 7w6d: RADIUS: Message-Authenticato[80] 18
004942: 7w6d: RADIUS: D3 1E DC 03 5E 13 CF 93 6B 7F F4 B8 DB 20 65 A6 [????^???k???? e?]
004943: 7w6d: RADIUS: Vendor, Cisco [26] 24
004944: 7w6d: RADIUS: cisco-nas-port [2] 18 "FastEthernet0/31"
004945: 7w6d: RADIUS: NAS-Port [5] 6 50031
004946: 7w6d: RADIUS: NAS-Port-Type [61] 6 Eth [15]
004947: 7w6d: RADIUS: NAS-IP-Address [4] 6 172.29.11.1
004948: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004949: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004950: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004951: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004952: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004953: Aug 5 12:33:04: %RADIUS-4-RADIUS_DEAD: RADIUS server 172.29.8.12:1645,1646 is not responding.
004954: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004955: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004956: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004957: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/77
004958: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004959: 7w6d: RADIUS: No response from (172.29.8.12:1645,1646) for id 21645/77
004960: 7w6d: RADIUS/DECODE: parse response no app start; FAIL
004961: 7w6d: RADIUS/DECODE: parse response; FAIL
004962: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004963: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004964: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004965: 7w6d: RADIUS: Retransmit to (172.29.8.12:1645,1646) for id 21645/78
004966: 7w6d: RADIUS: No response from (172.29.8.12:1645,1646) for id 21645/78
004967: 7w6d: RADIUS/DECODE: parse response no app start; FAIL
004968: 7w6d: RADIUS/DECODE: parse response; FAIL
004969: Aug 5 12:35:04: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.8.12:1645,1646 has returned.
DOT1X
005294: 7w6d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/31
005295: 7w6d: dot1x-registry:dot1x_switch_port_linkcomingup invoked on interface Fa0/31
005296: 7w6d: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/31 has changed to UP
005297: 7w6d: dot1x_auth Fa0: initial state auth_initialize has enter
005298: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_initialize_enter called
005299: 7w6d: dot1x_auth Fa0: during state auth_initialize, got event 0(cfg_auto)
005300: 7w6d: @@@ dot1x_auth Fa0: auth_initialize -> auth_disconnected
005301: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_disconnected_enter called
005302: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005303: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005304: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005305: 7w6d: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
005306: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has enter
005307: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_initialize_enter called
005308: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has idle
005309: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_initialize, got event 16383(idle)
005310: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_initialize -> auth_bend_idle
005311: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005312: 7w6d: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
005313: 7w6d: dot1x-ev:Created a default authenticator instance on FastEthernet0/31
005314: 7w6d: dot1x-ev:dot1x_switch_enable_on_port: Enabling dot1x on interface FastEthernet0/31
005315: 7w6d: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface FastEthernet0/31
005316: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005317: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005318: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005319: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005320: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005321: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005322: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005323: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005324: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005325: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005326: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005327: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005328: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005329: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005330: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005331: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005332: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005333: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005334: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005335: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005336: 7w6d: EAPOL pak dump Tx
005337: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005338: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005339: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005340: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005341: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005342: 7w6d: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
005343: 7w6d: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
005344: 7w6d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/31
005345: 7w6d: dot1x-ev:Received pkt saddr =0024.bec7.096f , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0016
005346: 7w6d: dot1x-ev:Created a client entry for the supplicant 0024.bec7.096f
005347: 7w6d: dot1x-ev:Found the default authenticator instance on FastEthernet0/31
005348: 7w6d: dot1x-registry:EAPOL traffic seen on FastEthernet0/31
005349: 7w6d: dot1x-packet:Received an EAP packet on interface FastEthernet0/31
005350: 7w6d: EAPOL pak dump rx
005351: 7w6d: EAPOL Version: 0x1 type: 0x0 length: 0x0016
005352: 7w6d: dot1x-packet:Received an EAP packet on the FastEthernet0/31 from mac 0024.bec7.096f
005353: 7w6d: dot1x-sm:Posting EAPOL_EAP on Client=39E7F78
005354: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 6(eapolEap)
005355: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_response
005356: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_enter called
005357: 7w6d: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0024.bec7.096f
005358: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_request_response_action called
005359: Aug 5 12:39:28: %LINK-3-UPDOWN: Interface FastEthernet0/31, changed state to up
005360: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005361: 7w6d: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
005362: 7w6d: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
005363: 7w6d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/31
005364: 7w6d: dot1x-ev:Received pkt saddr =0024.bec7.096f , daddr = 0180.c200.0003,
pae-ether-type = 888e.0101.0000
005365: 7w6d: dot1x-packet:Received an EAPOL-Start packet on interface FastEthernet0/31
005366: 7w6d: EAPOL pak dump rx
005367: 7w6d: EAPOL Version: 0x1 type: 0x1 length: 0x0000
005368: 7w6d: dot1x-sm:Posting EAPOL_START on Client=39E7F78
005369: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 4(eapolStart)
005370: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_aborting
005371: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authenticating_exit called
005372: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_aborting_enter called
005373: 7w6d: dot1x-sm:Posting AUTH_ABORT on Client=39E7F78
005374: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_response, got event 1(authAbort)
005375: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_response -> auth_bend_initialize
005376: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_exit called
005377: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_initialize_enter called
005378: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_initialize
005379: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_initialize -> auth_bend_idle
005380: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_idle_enter called
005381: 7w6d: dot1x-sm:Posting !AUTH_ABORT on Client=39E7F78
005382: 7w6d: dot1x_auth Fa0: during state auth_aborting, got event 20(no_eapolLogoff_no_authAbort)
005383: 7w6d: @@@ dot1x_auth Fa0: auth_aborting -> auth_restart
005384: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_aborting_exit called
005385: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_enter called
005386: 7w6d: dot1x-ev:Resetting the client 0024.bec7.096f
005387: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_aborting_restart_action called
005388: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005389: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005390: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005391: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_connecting_enter called
005392: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_connecting_action called
005393: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0024.bec7.096f
005394: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005395: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005396: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005397: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authenticating_enter called
005398: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_connecting_authenticating_action called
005399: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005400: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005401: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005402: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_request_enter called
005403: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005404: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005405: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005406: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005407: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005408: 7w6d: EAPOL pak dump Tx
005409: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005410: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005411: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent to client (0024.bec7.096f)
005412: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_idle_request_action called
005413: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005414: 7w6d: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOL pkt on Authenticator Q
005415: 7w6d: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
005416: 7w6d: dot1x-packet:Received an EAPOL frame on interface FastEthernet0/31
005417: 7w6d: dot1x-ev:Received pkt saddr =0024.bec7.096f , daddr = 0180.c200.0003,
pae-ether-type = 888e.0100.0016
005418: 7w6d: dot1x-packet:Received an EAP packet on interface FastEthernet0/31
005419: 7w6d: EAPOL pak dump rx
005420: 7w6d: EAPOL Version: 0x1 type: 0x0 length: 0x0016
005421: 7w6d: dot1x-packet:Received an EAP packet on the FastEthernet0/31 from mac 0024.bec7.096f
005422: 7w6d: dot1x-sm:Posting EAPOL_EAP on Client=39E7F78
005423: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 6(eapolEap)
005424: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_response
005425: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_enter called
005426: 7w6d: dot1x-ev:dot1x_sendRespToServer: Response sent to the server from 0024.bec7.096f
005427: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_request_response_action called
005428: 7w6d: dot1x-sm:Posting A_WHILE_EXPIRE on Client=39E7F78
005429: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_response, got event 9(aWhile_expire)
005430: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_response -> auth_bend_timeout
005431: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_exit called
005432: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_timeout_enter called
005433: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_response_timeout_action called
005434: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_timeout
005435: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_timeout -> auth_bend_idle
005436: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_bend_idle_enter called
005437: 7w6d: dot1x-sm:Posting AUTH_TIMEOUT on Client=39E7F78
005438: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 14(authTimeout)
005439: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005440: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authenticating_exit called
005441: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_fallback_enter called
005442: 7w6d: dot1x-sm:Posting AUTH_FAIL on Client=39E7F78
005443: 7w6d: dot1x_auth Fa0: during state auth_fallback, got event 15(authFail)
005444: 7w6d: @@@ dot1x_auth Fa0: auth_fallback -> auth_authc_result
005445: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_authc_result_enter called
005446: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005447: 7w6d: dot1x-sm:Posting AUTHC_FAIL on Client=39E7F78
005448: 7w6d: dot1x_auth Fa0: during state auth_authc_result, got event 23(authcFail)
005449: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005450: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005451: 7w6d: dot1x-sm:Posting RESTART on Client=39E7F78
005452: 7w6d: dot1x_auth Fa0: during state auth_held, got event 13(restart)
005453: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005454: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_held_exit called
005455: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_enter called
005456: 7w6d: dot1x-ev:Resetting the client 0024.bec7.096f
005457: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005458: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005459: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005460: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_connecting_enter called
005461: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_restart_connecting_action called
005462: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0024.bec7.096f
005463: 7w6d: dot1x-sm:Posting REAUTH_MAX on Client=39E7F78
005464: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 11(reAuthMax)
005465: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_disconnected
005466: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_disconnected_enter called
005467: 7w6d: dot1x-sm:Fa0/31:0024.bec7.096f:auth_disconnected_enter sending canned failure to version 1 supplicant
005468: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x4 id: 0x4 length: 0x0004 type: 0x0 data:
005469: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005470: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005471: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005472: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005473: 7w6d: EAPOL pak dump Tx
005474: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0004
005475: 7w6d: EAP code: 0x4 id: 0x4 length: 0x0004
005476: 7w6d: dot1x-packet:dot1x_auth_txCannedFail: EAPOL packet sent to client (0024.bec7.096f)
005477: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005478: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005479: 7w6d: dot1x-ev:dot1x_switch_port_unauthorized: Unauthorizing interface FastEthernet0/31
005480: 7w6d: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/31
005481: 7w6d: dot1x-ev:dot1x_vlan_assign_client_deleted on interface FastEthernet0/31
005482: 7w6d: dot1x_auth Fa0: initial state auth_initialize has enter
005483: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_initialize_enter called
005484: 7w6d: dot1x_auth Fa0: during state auth_initialize, got event 0(cfg_auto)
005485: 7w6d: @@@ dot1x_auth Fa0: auth_initialize -> auth_disconnected
005486: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_disconnected_enter called
005487: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005488: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005489: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005490: 7w6d: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
005491: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has enter
005492: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_initialize_enter called
005493: 7w6d: dot1x_auth_bend Fa0: initial state auth_bend_initialize has idle
005494: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_initialize, got event 16383(idle)
005495: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_initialize -> auth_bend_idle
005496: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005497: 7w6d: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
005498: 7w6d: dot1x-ev:Created a default authenticator instance on FastEthernet0/31
005499: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005500: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005501: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005502: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005503: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005504: Aug 5 12:40:17: %RADIUS-4-RADIUS_ALIVE: RADIUS server 172.29.8.12:1645,1646 has returned.
005505: 7w6d: dot1x-ev:dot1x_critical_active_state_change: Critical Auth Active state changed to FALSE
005506: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005507: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005508: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005509: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005510: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005511: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005512: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005513: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005514: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005515: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005516: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005517: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005518: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005519: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005520: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005521: 7w6d: EAPOL pak dump Tx
005522: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005523: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005524: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005525: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005526: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005527: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005528: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005529: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005530: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005531: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005532: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005533: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005534: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005535: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005536: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005537: 7w6d: EAPOL pak dump Tx
005538: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005539: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005540: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005541: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005542: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005543: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005544: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005545: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005546: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005547: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
005548: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005549: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005550: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005551: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005552: 7w6d: EAPOL pak dump Tx
005553: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005554: 7w6d: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
005555: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005556: 7w6d: dot1x-ev:Received an EAP Timeout on FastEthernet0/31 for mac 0000.0000.0000
005557: 7w6d: dot1x-sm:Posting EAP_TIMEOUT on Client=39E7F78
005558: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 12(eapTimeout)
005559: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_timeout
005560: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_timeout_enter called
005561: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_timeout_action called
005562: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_timeout
005563: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_timeout -> auth_bend_idle
005564: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005565: 7w6d: dot1x-sm:Posting AUTH_TIMEOUT on Client=39E7F78
005566: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 14(authTimeout)
005567: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005568: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_exit called
005569: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_fallback_enter called
005570: 7w6d: dot1x-sm:Posting AUTH_FAIL on Client=39E7F78
005571: 7w6d: dot1x_auth Fa0: during state auth_fallback, got event 15(authFail)
005572: 7w6d: @@@ dot1x_auth Fa0: auth_fallback -> auth_authc_result
005573: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authc_result_enter called
005574: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005575: 7w6d: dot1x-sm:Posting AUTHC_FAIL on Client=39E7F78
005576: 7w6d: dot1x_auth Fa0: during state auth_authc_result, got event 23(authcFail)
005577: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005578: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005579: 7w6d: dot1x-sm:Posting RESTART on Client=39E7F78
005580: 7w6d: dot1x_auth Fa0: during state auth_held, got event 13(restart)
005581: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005582: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_held_exit called
005583: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005584: 7w6d: dot1x-ev:Resetting the client 0000.0000.0000
005585: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005586: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005587: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005588: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005589: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005590: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005591: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005592: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005593: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005594: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005595: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005596: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005597: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005598: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005599: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005600: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005601: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005602: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005603: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005604: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005605: 7w6d: EAPOL pak dump Tx
005606: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005607: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005608: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005609: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005610: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005611: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005612: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005613: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005614: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005615: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005616: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005617: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005618: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005619: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005620: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005621: 7w6d: EAPOL pak dump Tx
005622: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005623: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005624: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005625: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005626: 7w6d: dot1x-sm:Posting EAP_REQ on Client=39E7F78
005627: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 7(eapReq)
005628: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_request
005629: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_request_action called
005630: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005631: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1 data:
005632: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005633: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005634: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005635: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005636: 7w6d: EAPOL pak dump Tx
005637: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005638: 7w6d: EAP code: 0x1 id: 0x3 length: 0x0005 type: 0x1
005639: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005640: 7w6d: dot1x-ev:Received an EAP Timeout on FastEthernet0/31 for mac 0000.0000.0000
005641: 7w6d: dot1x-sm:Posting EAP_TIMEOUT on Client=39E7F78
005642: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_request, got event 12(eapTimeout)
005643: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_request -> auth_bend_timeout
005644: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_timeout_enter called
005645: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_timeout_action called
005646: 7w6d: dot1x_auth_bend Fa0: idle during state auth_bend_timeout
005647: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_timeout -> auth_bend_idle
005648: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_enter called
005649: 7w6d: dot1x-sm:Posting AUTH_TIMEOUT on Client=39E7F78
005650: 7w6d: dot1x_auth Fa0: during state auth_authenticating, got event 14(authTimeout)
005651: 7w6d: @@@ dot1x_auth Fa0: auth_authenticating -> auth_fallback
005652: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_exit called
005653: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_fallback_enter called
005654: 7w6d: dot1x-sm:Posting AUTH_FAIL on Client=39E7F78
005655: 7w6d: dot1x_auth Fa0: during state auth_fallback, got event 15(authFail)
005656: 7w6d: @@@ dot1x_auth Fa0: auth_fallback -> auth_authc_result
005657: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authc_result_enter called
005658: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005659: 7w6d: dot1x-sm:Posting AUTHC_FAIL on Client=39E7F78
005660: 7w6d: dot1x_auth Fa0: during state auth_authc_result, got event 23(authcFail)
005661: 7w6d: @@@ dot1x_auth Fa0: auth_authc_result -> auth_held
005662: 7w6d: dot1x-ev:dot1x_guest_vlan_applicable: Guest VLAN not applicable. Supplicant disabled and EAPOL seen on port FastEthernet0/31.
005663: 7w6d: dot1x-sm:Posting RESTART on Client=39E7F78
005664: 7w6d: dot1x_auth Fa0: during state auth_held, got event 13(restart)
005665: 7w6d: @@@ dot1x_auth Fa0: auth_held -> auth_restart
005666: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_held_exit called
005667: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005668: 7w6d: dot1x-ev:Resetting the client 0000.0000.0000
005669: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005670: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005671: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005672: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005673: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005674: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005675: 7w6d: dot1x-sm:Posting REAUTH_MAX on Client=39E7F78
005676: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 11(reAuthMax)
005677: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_disconnected
005678: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_disconnected_enter called
005679: 7w6d: dot1x_auth Fa0: idle during state auth_disconnected
005680: 7w6d: @@@ dot1x_auth Fa0: auth_disconnected -> auth_restart
005681: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_enter called
005682: 7w6d: dot1x-ev:Resetting the client 0000.0000.0000
005683: 7w6d: dot1x-sm:Posting !EAP_RESTART on Client=39E7F78
005684: 7w6d: dot1x_auth Fa0: during state auth_restart, got event 6(no_eapRestart)
005685: 7w6d: @@@ dot1x_auth Fa0: auth_restart -> auth_connecting
005686: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_enter called
005687: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_restart_connecting_action called
005688: 7w6d: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
005689: 7w6d: dot1x-sm:Posting RX_REQ on Client=39E7F78
005690: 7w6d: dot1x_auth Fa0: during state auth_connecting, got event 10(eapReq_no_reAuthMax)
005691: 7w6d: @@@ dot1x_auth Fa0: auth_connecting -> auth_authenticating
005692: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_authenticating_enter called
005693: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_connecting_authenticating_action called
005694: 7w6d: dot1x-sm:Posting AUTH_START on Client=39E7F78
005695: 7w6d: dot1x_auth_bend Fa0: during state auth_bend_idle, got event 4(eapReq_authStart)
005696: 7w6d: @@@ dot1x_auth_bend Fa0: auth_bend_idle -> auth_bend_request
005697: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_request_enter called
005698: 7w6d: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x5 length: 0x0005 type: 0x1 data:
005699: 7w6d: dot1x-ev:FastEthernet0/31:Sending EAPOL packet to group PAE address
005700: 7w6d: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/31.
005701: 7w6d: dot1x-registry:registry:dot1x_ether_macaddr called
005702: 7w6d: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/31
005703: 7w6d: EAPOL pak dump Tx
005704: 7w6d: EAPOL Version: 0x2 type: 0x0 length: 0x0005
005705: 7w6d: EAP code: 0x1 id: 0x5 length: 0x0005 type: 0x1
005706: 7w6d: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
005707: 7w6d: dot1x-sm:Fa0/31:0000.0000.0000:auth_bend_idle_request_action called
005708: 7w6d: dot1x-registry:dot1x_switch_port_physical_linkchange invoked on interface Fa0/31
005709: 7w6d: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/31 has changed to DOWN
005710: 7w6d: dot1x-ev:Cleared all authenticator instances on FastEthernet0/31
Dot1x Info for FastEthernet0/31
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
ReAuthentication = Disabled
QuietPeriod = 3
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 5
RateLimitPeriod = 0
Guest-Vlan = 106
Any idea? thanks in advance.Did you try "Unencrypted authentication (PAP, SPAP)" tick in Network Policies?
It's probably going to solve your problem -
Client Exclusion Policies on WLC not working with ISE as RADIUS Server
Hi,
for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
Am I missing any settings here or do you have some tipps on how to troubleshoot this?
Thanks very much!Hi Renata,
If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
If your Guest WLAN has the following:
SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
You can try and dull the noise a few ways.
Option 1. create and ISE log filter on those alerts so they don't cluter the console.
Option 2. Stop broadcasting the SSID. This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security. You will have to include this information on their credential communication.
Option 4 - both 2 and 3
The most effective option would be 3.
Good Luck! -
802.1x - ACS authentication issue.....
I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to and ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place so I'm trying to piece it together. The ACS is setup to map to AD for specific groups.
In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined, a general one for most users and two others( lets call them INT1 and INT2) that place users on separate ip networks. The reason for this is those ip networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the Vlans associated with those separate ip networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place..After some troubleshooting and realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the vlans associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on its shows in ACS as host/xxxxx.yyyy.org where the user authentication shows as xxxxx/username . So some of the computers never change from authenticating as a host to a user and the ip address ends up in the wrong vlan.
Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPP's. In the past ONLY user authentication was being used which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects. Although now we are seeing users end up in the wrong VLans and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication) which drops them into the default vlan instead of the vlan which they should be based upon AD group membership from ACS.
I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the windows supplicant. I'd like to do the same with Cisco.
As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate. -
Windows 7 / 2008 duplicate static address when using 802.1x / MAB - ISE
Hi all!
ISE 1.1.3
Cisco 3750 switches
Windows XP / 7 / 2008 clients
I'm having some weird issues were if a client connects to a switchport and happens to be using a static IP address then the client warns of a duplicate address problem. Also the client will then only show the default gateway within ipconfig even though the IP address / mask is still in the GUI network properties of the adaptor. This is happening with Windows 7 and Windows 2008 devices.
Windows XP clients don't get the issue.
Some clients will use 802.1x native supplicant and some will be authenticated based on MAB. Not noticed the problem with 802.1x clients but it always occurs on MAB.
I came across a similar issue here:
http://networkingblog.vvlabs.com/2012/07/cisco-ise-duplicate-ip-address-windows-7.html
Going of that blog I tried using the "ip device tracking delay probe delay" command but the switches don't recognise the "delay" keyword.
The switches are 3750 switches running version 12.2(58)SE2.
All I have is "count, interval, use-svi" as extra options.
Catalyst 4500 switch guide has "delay" option but no "count, interval or use-svi".
The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client. This is fine for the odd server but not realistic when there will be hundreds of other clients.
Any ideas?Hi
We are doing 802.1x for clients using the Windows supplicant. For clients not using supplicants we are using MAB. So the print servers and printers use MAB.
Extract of config...
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client x server-key 7 x
client x server-key 7 x
aaa session-id common
clock summer-time BST recurring last Sun Mar 23:00 last Sun Oct 23:00
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip routing
no ip domain-lookup
ip device tracking
dot1x system-auth-control
dot1x critical eapol
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet1/0/1
description ### Dot1x with MAB fallback ###
switchport mode access
switchport voice vlan 2
ip access-group ACL-DEFAULT in
srr-queue bandwidth share 10 10 60 20
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize vlan 1
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer restart 0
authentication timer reauthenticate server
authentication violation restrict
mab
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
dot1x pae authenticator
dot1x timeout tx-period 5
spanning-tree portfast
service-policy input AutoQoS-Police-CiscoPhone
ip http server
ip http secure-server
ip access-list extended ACL-DEFAULT
remark Deny access to new network
deny ip any 172.x.x.x 0.0.0.255 log
remark Allow everything else to other networks
permit ip any any
ip radius source-interface Vlan2
logging esm config
logging host x transport udp port 20514
logging host x transport udp port 20514
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
radius server ISE-1
address ipv4 x auth-port 1645 acct-port 1646
key 7 x
radius server ISE-2
address ipv4 x auth-port 1645 acct-port 1646
key 7 x -
802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication
I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication only, for wireless security.
We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.
I push out the wireless client’s setting via group policy, and the clients are using WZC.
Every now and then, a client will be unable to authenticate/validate during the authentication phase.
Some clients this will never happen to and a few it will happen repeatedly.
To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain.
Many of our classrooms lack network drops, so wireless is the best for us.
Except for this one downfall, it is working great. Any help is appreciated.Hi Ryan,
Thanks for posting here.
Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase.
Some clients this will never happen to and a few it will happen repeatedly. ”
in detail ? Can you verify if there is any error or warring that relate with this authentication issue recorded in event log on client and radius server ?
Only certain computers are facing this issue or all?
What’s OS running on these client computers?
According the situation right now , I’d like to share some suggections with you:
1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
dialog.
3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
authentication.
5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
authentication process the failure occurs.
Meanwhile, I ‘d like suggest you may start troubleshooting with following the guides below and see if it will help:
Windows Server 2003 Wireless Troubleshooting
http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
Troubleshooting Windows Vista 802.11 Wireless Connections
http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
Thanks.
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact
[email protected]
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Random computers running Windows XP have this problem. It does not happen to all of them at once.
It is very random. A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection.
I checked if logging is turned on and I can see successful events from computers that are working.
I can also see failed events from computers that are not ours that tried to connect to our wireless.
However for the computers that are having this problem there are no logged events.
It is as if they don’t even communicate with the server.
Other clients on the same AP are working fine. I rebooted the IAS service, and RADIUS clients, but this did not help.
I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled.
I did notice that the firewall is also turned on through group policy when the domain is not available.
Do you think the firewall is blocking the communication?
I added an exception to port 1812 UDP and this did not make a difference. -
802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.
I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine... We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
in the username password Setting.
Is it possible edit or change the way the client PC is sett up to prevent this?
Is there any way make a policy setting? or is there other solutions?
I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
ThanksHi,
As I know, this goal cannot be achieved.
Reference:
Use the 802.1X Wizard to Configure NPS Network Policies
For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
Microsoft: Smart Card or other certificate, click
Configure, click
OK, and then click
Next.
For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
Microsoft: Protected EAP (PEAP). In
Eap Types, click
Add, click
Smart Card or other certificate, click the
Move Up button to position a smart card or other certificate at the top of the list, click
OK, and then click
Next.
For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
Eap Types, click
Add, click
Secured password (EPA-MSCHAP v2), click the
Move Up button to position the secured password authentication type at the top of the list, click
OK, and then click
Next.
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
[email protected]
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread. -
How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2
How can i deploy macbooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2. The Cert is generated by a 2008 Windows CA authority. I am trying to get to join but the MAC doesnt seem to want to accecpt the cert. Can i not validate the cert and still have it join the 802.1x wireless netqwotk? The wireless netwotk is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.
Hi Tarik,
Thanks for your answers,
I've attached my configured AuthZ rules and AuthZ profile for provisioning,
I want the process to be the same for iPhone, Android and Windows.
1) Connect to the SSID
2) Login using your AD credentials PEAP-MS-CHAP-v2
3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
4) As soon as the client click "register" no more redirects and PERMIT-ALL
I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
3) everything else = DENY-ALL
But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access(See attachment photo3.png) but as I said on the post it shows that cannot retrieve the MAC-Address so the client can't register his device and don't have access to the network. (To grant access I've configured provisioning policies, that way the clients can register their devices but they are redirected to google play or are forced to install the profile at iOS and this is what I don't want because it is not necessary)
What screenshoot do you need after the registration? the Auth report?
Thank you very much for your time! -
802.1X Authentication failed without 802.1X authentication enabled
Hi,
we are using 2 WISMs, with version 4.2.207 and a WCS to control them.
It seemed to work fine for about 2 weeks, and now we detected the following problem in some users. They were connected to the wireless without problems, and then they lost the connection. For authentication we use WPA2, we also use mac-filter.
When they lost the connection we can see the following error:
Message:
Client 'mac address' which was associated with AP 'mac address', interface '1' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
Message:
Client 'mac' which was associated with AP 'mac', interface '0' is excluded. The reason code is '4(802.1X Authentication failed 3 times.)'.
I also attach an output of the troubleshoot mac address...
Can some help me with this?
Thank you.
Best regards,Hi Kirbus,
we open a TAC and we were advised for now to do the following changes:
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
1. please make sure to disable Aironet extensions (if present) , on the WLAN advanced configuration
2. disable management frame protection (MFP) signature generation (if present) , MFP also on the WLAN advanced configuration
3. on the WLC general configuration , can you please disable aggressive load balancing
4. on the security tab on the WLC , please wireless protection policies > disable client exclusion policies
5. on the AP network configuration please disable short preamble the original standard was long preambles
6. Wireless -> disable auto-RRM channel & power assignment & try "on demand"
7. apply these modification on the WLC CLI
Config advanced eap identity-request-timeout 20
Config advanced eap identity-request-retries 10
Config advanced eap request-timeout 20
Config advanced eap request-retries 10
Save config, and see if you still face the problem.
We are still monitoring the solution, but until now we didn't face the problem again.
Let me now how it goes for you.
Thank you.
Best regards, -
Hi,
i'm looking to enable 802.1x on the wired network using EAP-TLS. The radius server will be an ACS5.2 running on the appliance. We'd also need some authorization for different machines - we'd like to use dACLs for that so that machine A will get full access while machine B will get restricted access (both client machines are related to different business units). So machine based auth (clients run XP SP3 or Vista).
I'm not very clear about the following...based on the presented client machine certificate, we should be able to apply an authorization policy (dACL). How can we set this up...anyone else tried this before?
in 'worst' case we could do machine auth (EAP-TLS) to validate it's a corporate machine connecting, followed by user authentication & authorization (EAP-PEAP) to apply access policies based on the user id..with PEAP is see it might be easier to extract user info out of AD to make policy decision...?
Thanks,
GuyHi Guy,
provided that the dACL is just part of the Authorization profile that you return to the client, you need to make sure that you have the correct attributes so to allow the authorization policy evaluation.
In ACS 5 when you configure a "Certificate Authentication Profile", the basic option is just to validate the client certificate.
So as long as ACS can validate the cert using the trusted CA certificates installed on ACS, the authentication is successful.
However, if you do so the only attributes you can base your authorization policy evaluation are the non-binary attributes of the certificate itself, as there's no query done to any backend DB in this case.
If you want to evaluate the authorization policy where you want to check for additional attributes that are stored on an external DB (e.g. Active Directory), you can do it in two ways:
1) enable certificate binary comparison on the "Certificate Authentication Profile": this will both perform the binary comparison of the cert and it will fetch the user attributes from AD; this of course requires that the certificate for the user is also stored on the "userCertificate" attribute in Active Directory.
2) configure an "Indentity Store Sequence" where you select:
- Authentication Method List : Certificate based : "Certificate Authentication Profile"
- Additional Attribute Retrieval Search List : Add "AD1" among the selected Identity Stores
In this case ACS won't perform binary comparison of the cert, but it will look for the corresponding user account in AD so to fetch additional attributes (group membership, etc..)
You can find relevant documentation about this on the ACS user guide:
- Configuring "Certificate Authentication Profile"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054057
- Configuring "Identity Store Sequence"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054132
- Managing policy elements:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
Maybe you are looking for
-
ADFS with SharePoint 2013 RP: What to do when Token Signing Certificate is about to expire?
Hello, I have an ADFS with a SharePoint 2013 Relying Party. I've assigned a primary token signing certificate to the ADFS environment. I had to run this command to be able to add the token signing certificate and "Set as Primary": Set-ADFSProperties
-
Ipod nano not recognised in windows or itunes have done R&R twice
I have had ipods from the beginning of time. trying to sync brand new gen 6 nano without any success. My ipad works OK. can any one help?
-
Tried emailing a photo but I get (null) in the front of the email address and it is not recieved. What is up with that?
-
My current setup is two tables and two objects with a one to one relationship between them, Object and ObjectMD (metadata). Not sure why my predecessors set it up like this but...that's how it is. The problem is that my Object table (and thus ObjectM
-
I'm working with BAM 10.1.2 and BPEL 10.1.2.0.2. Well, I'm trying connect to the BAM server and I can't do it!!! Maybe I need something..... but i dont know what? I red that is posible fix this issue installing the BPEL PM 10.1.3 but I dont to find t