802.1X TLS Authentication
My company is using TLS certificates to do switch port authentication. Everything works when I set up the 802.1X connection as user based and add in the certificate. I would like to be able to use the system or login based, but the server is not looking for a username/password, it only looks at the certificate.
When I attempt to use the system, the only way you can enable it is to enter a username/password. The login by default passes the user/pass.
Does anyone have any suggestions about how to set up 802.1X TLS so you log in without being tied to the user?
Similar Messages
-
802.1x TLS (Machine certificate) authentication in Snow Leopard
Hi,
In our company we are using 802.1x TLS authentication for WLAN and in some LAN ports. We have been delivering machine certificates to our PCs for a while without problems, and these are using the certificate to authenticate themselves before login to the network.
We would like to deliver the same user experience to Mac users, but we are having severe problems configuring them. Our Mac users use Snow Leopard, and the few references I found on the internet regarding 802.1x TLS authentication are for Leopard or previous versions, where the 802.1x and Keychain configuration is quite different.
We do have a proper machine certificate (with the correct usages, SAN, etc.) and its related AD object provisioned. I have created the 802.1x profile as "User Profile" and as a "System Profile" with the same results.
I add the client logs below, but what I don't understand is why the client is saying it's going to use MSCHAP when that is not the case.
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
Lastly, the Keychain also has a weird behavior. If we import a Root CA in the "login" and/or "System" keychain, mark it as "Always Trust" and later import a certificate created by this Root CA, the keychain UI insists that the certificate "was signed by an unknown authority". From the logs below that does not seem to be the reason why the client is not able to use 802.1x TLS, but in any case that is a bug.
Client logs:
2010/05/14 10:37:12.872405 update_configuration
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AcceptEAPTypes</key>
<array>
<integer>13</integer>
</array>
<key>Description</key>
<string>Automatic</string>
<key>EAPFASTProvisionPAC</key>
<true/>
<key>EAPFASTUsePAC</key>
<true/>
<key>TLSIdentityHandle</key>
<data>
[Removed]
</data>
<key>TLSTrustedCertificates</key>
<array>
<data>
[In here we have our Internal Root CA we use to create Machine certificates and also to create the certificate used in our IAS Server (the RADIUS)]
</data>
</array>
<key>TLSVerifyServerCertificate</key>
<true/>
<key>TTLSInnerAuthentication</key>
<string>MSCHAPv2</string>
</dict>
</plist>
2010/05/14 10:37:12.968769 link up
2010/05/14 10:37:12.968862 Associated SSID [Removed SSID] BSSID [Removed BSSID]
2010/05/14 10:37:12.972850 Receive Packet Size 77
Ether packet: dest f8:1e:df:e4:88:5a source 0:11:5c:c7:14:90 type 0x888e
EAPOL: proto version 0x2 type EAP Packet (0) length 59
EAP Request (1): Identifier 1 Length 59
Identity (1)
length 59 - sizeof(*rd_p) 5 = 54
[Removed. In here there is our networkid,nasid and portid ]
2010/05/14 10:37:12.972955 Supplicant (main) status: state=Connecting
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>1</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:12.976795 EAP Request Identity
2010/05/14 10:37:12.976819 EAP Response Identity [Removed, in here there is the Machine name as appears in the SAN of the certificate ]
2010/05/14 10:37:12.976832 Transmit Packet Size 39
Ether packet: dest 0:11:5c:c7:14:90 source f8:1e:df:e4:88:5a type 0x888e
EAPOL: proto version 0x1 type EAP Packet (0) length 35
EAP Response (2): Identifier 1 Length 35
Identity (1)
length 35 - sizeof(*rd_p) 5 = 30
[Removed raw data with the SAN]
2010/05/14 10:37:12.977530 Supplicant (main) status: state=Acquired
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ClientStatus</key>
<integer>0</integer>
<key>ConfigurationGeneration</key>
<integer>2</integer>
<key>DomainSpecificError</key>
<integer>0</integer>
<key>IdentityAttributes</key>
<array>
<string>networkid=[Removed our SSID]</string>
<string>nasid=[Removed our WLANC ID]</string>
<string>portid=29</string>
</array>
<key>Mode</key>
<integer>1</integer>
<key>SupplicantState</key>
<integer>2</integer>
<key>Timestamp</key>
<date>2010-05-14T08:37:12Z</date>
<key>UniqueIdentifier</key>
<string>[Removed]</string>
</dict>
</plist>
2010/05/14 10:37:13.022577 force renew
2010/05/14 10:37:13.025323 stop
* Has someone been able to use 802.1x TLS based authentication for Snow Leopard clients and is able to point me in the right direction?
* Does Apple provide any documentation for this? (All I found is that I should contact the "Network Administrator" to get the Mac configured!!!)
* How can I make a certificate issued by a "Private CA" trusted in Snow Leopard? All workarounds I found are not suitable for Snow Leopard.
Thanks
Jofre
Hi,
Some updates: besides the keytools UI issue and the strange logs, it seems that the request is reaching the RADIUS, a Windows IAS Server.
If we compare a PC and a Mac we have the following.
PC:
1 0.000000 IntelCor_c1:49:69 Cisco_c7:14:90 EAPOL Start
2 0.030210 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748]
3 0.034350 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, Identity [RFC3748] (Repeated)
4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
5 0.135258 IntelCor_c1:49:69 Cisco_c7:14:90 EAPResponse, Identity [RFC3748] (Repeated)
6 0.142715 Cisco_c7:14:90 IntelCor_c1:49:69 EAPRequest, EAP-TLS [RFC5216] [Aboba]
7 0.196988 IntelCor_c1:49:69 Cisco_c7:14:90 TLSv1 Client Hello
8 0.213640 Cisco_c7:14:90 IntelCor_c1:49:69 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
Continues OK
While on a Snow Leopard are:
44 39.196967 Apple_e4:88:5a Cisco_c7:14:90 EAPOL Start
45 39.201062 Cisco_c7:14:90 Apple_e4:88:5a EAPRequest, Identity [RFC3748]
46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAPResponse, Identity [RFC3748]
47 39.209543 Cisco_c7:14:90 Apple_e4:88:5a EAPFailure
After analyzing the network traces we see that the difference is in the 3rd EAP packet:
PC:
4 0.084879 IntelCor_c1:49:69 Cisco_c7:14:90 EAP Response, Identity [RFC3748]
802.1X Authentication
Version: 1
Type: EAP Packet (0)
Length: 40
Extensible Authentication Protocol
Code: Response (2)
Id: 1
Length: 40
Type: Identity [RFC3748] (1)
Identity (35 bytes): host/SAN-NAME01.INTERNALDOMAIN.COM
Mac Snow Leopard:
46 39.201386 Apple_e4:88:5a Cisco_c7:14:90 EAP Response, Identity [RFC3748]
802.1X Authentication
Version: 1
Type: EAP Packet (0)
Length: 35
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 35
Type: Identity [RFC3748] (1)
Identity (30 bytes): SAN-NAME01.INTERNALDOMAIN.COM
That difference prevents our RADIUS (IAS Server) from authenticating the device properly, with the error:
User SAN-NAME01.INTERNALDOMAIN.COM was denied access.
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
while in the PC case we have:
PC:
User host/SAN-NAME02.INTERNALDOMAIN.COM was granted access.
Policy-Name = Allow Wireless Lan Access With Certificate
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
* Question 1: Is there a way to ensure that Snow Leopard adds the "host/" at the beginning of the Identity?
* Question 2: Has someone been able to connect a Snow Leopard to a WLAN protected with 802.1x using TLS?
Thanks
Jofre -
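The Identity difference Jofre traced above (the PC sends "host/NAME", the Mac sends a bare "NAME", and IAS then looks for a user account instead of a computer account) can be checked mechanically on a capture. The following Python is an added example, not code from the thread or from Apple. The two EAPOL frames it builds are constructed test vectors that mirror the two captures using the redacted names shown above; the "host/" convention it checks is the one the IAS log above shows for the working Windows client.

```python
"""Added example (not from the thread): decode an EAPOL frame carrying an
EAP Response/Identity and report whether the identity carries the "host/"
prefix that the IAS log above shows for the working Windows client.
All frames are constructed test vectors, not bytes from the capture."""
import struct

EAPOL_TYPE_EAP_PACKET = 0   # EAPOL packet type 0 = EAP-Packet
EAP_CODE_RESPONSE = 2       # EAP code 2 = Response
EAP_TYPE_IDENTITY = 1       # EAP type 1 = Identity


def build_eapol_identity_response(identity, eap_id=1, eapol_version=1):
    """Construct EAPOL(version, type, length) + EAP(code, id, length, type, data)."""
    eap_body = bytes([EAP_TYPE_IDENTITY]) + identity.encode("ascii")
    eap = struct.pack("!BBH", EAP_CODE_RESPONSE, eap_id, 4 + len(eap_body)) + eap_body
    eapol = struct.pack("!BBH", eapol_version, EAPOL_TYPE_EAP_PACKET, len(eap))
    return eapol + eap


def parse_eapol_identity(frame):
    """Parse the EAPOL and EAP headers and classify the identity the supplicant sent."""
    if len(frame) < 9:
        raise ValueError("frame too short for EAPOL + EAP Response/Identity")
    eapol_version, eapol_type, eapol_len = struct.unpack("!BBH", frame[:4])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        raise ValueError("EAPOL type %d is not EAP-Packet" % eapol_type)
    eap = frame[4:4 + eapol_len]
    code, eap_id, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP length %d disagrees with EAPOL body length %d"
                         % (eap_len, len(eap)))
    if code != EAP_CODE_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Response/Identity")
    identity = eap[5:].decode("ascii")
    has_host_prefix = identity.startswith("host/")
    return {
        "eapol_version": eapol_version,
        "eap_id": eap_id,
        "eap_length": eap_len,
        "identity": identity,
        # IAS resolves "host/NAME" to the computer account; a bare NAME is
        # looked up as a user account, which is what the thread's
        # "specified user account does not exist" (Reason-Code 8) shows.
        "has_host_prefix": has_host_prefix,
        "account_name": identity[len("host/"):] if has_host_prefix else identity,
        "ias_lookup": "computer account" if has_host_prefix else "user account",
    }


def compare_supplicants(frames):
    """Summarise a list of (label, frame) pairs as label -> (identity, lookup)."""
    report = {}
    for label, frame in frames:
        info = parse_eapol_identity(frame)
        report[label] = (info["identity"], info["ias_lookup"])
    return report


if __name__ == "__main__":
    # Constructed vectors using the redacted names shown in the thread.
    pc = build_eapol_identity_response("host/SAN-NAME01.INTERNALDOMAIN.COM", eap_id=1)
    mac = build_eapol_identity_response("SAN-NAME01.INTERNALDOMAIN.COM", eap_id=2)
    for label, summary in compare_supplicants([("PC", pc), ("Snow Leopard", mac)]).items():
        print(label, summary)
```

Feeding real frames from a capture (the EAPOL payload after the 0x888e Ethertype) into parse_eapol_identity gives the same classification: any supplicant that omits the "host/" prefix will be matched against user accounts by IAS, so the check is a quick way to confirm the diagnosis before changing RADIUS policy.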
Airport 802.1x w/ TLS Authentication Certificate Problem
Trying to set up an Airport connection to my company's Wireless network.
I've gone into the Internet Connect application and tried to create a new 802.1x connection.
I named the connection, chose AirPort as the port, provided my username and password, filled in the SSID, and tried to choose TLS as the authentication but got the following error:
"TLS can't be enabled because your keychain does not contain any suitable certifications..."
I had previously added the certificate the IT department had generated, and they are successfully using it with their Windows clients.
I can see the key in my keychain but cannot access it when trying to add TLS authentication.
They are using Microsoft Certificate Server to generate the certs.
Is there anything special I need to do in my keychain or with the cert to have it available for use with TLS?
I've set this up at home using Windows 2003 IAS & EAP-TLS. It took a little playing around to get it right, but here are the instructions I wrote for myself:
Mac:
http://certificateauthorityserver/certsrv
Download a CA Certificate, certificate chain, or CRL
Click Download CA Certificate
Double click certnew.cer and install it to the System keychain
Go back
Request a Certificate
User Certificate
2048, Submit
Install (downloads)
On Windows machine, view private store. Select export with shared key. Export p12 certificate. Import on Mac.
Go to Internet Connect configuration. Choose 802.1X and then TLS. Use the certificate assigned to the user. -
Eap tls authentication fails if bluetooth device connected
Hi All, I'm new to Macs but was tasked with getting a MacBook Air connected to our AD integrated, 802.1x wifi network. After a lot of trial and error with certificates I finally got this working, but now have a rather bizarre problem. With the MBA on its own it will connect to the wifi network, successfully authenticate and work perfectly well. However, if my Apple Bluetooth mouse or keyboard are connected to the MBA, the EAP-TLS authentication fails. A packet capture of the connection process shows that at the same point every time the process takes a while, then a packet shows as "Unknown Error Ignored", then it loops through the process. Turning off the keyboard and mouse at this point, the MBA will connect. Once connected I can then connect the keyboard and mouse and continue to stay connected for a while before, I assume, the AP forces a re-auth and the connection drops again.
Has anyone come across this elsewhere?
Thanks
I have a MacBook Pro Retina 15" from 2012 and it has the same issue. Running 10.8.4. I have spent probably 5-6 hours trying to troubleshoot certs and network settings, did a complete fresh install (then restored from Time Machine when that did not work) with no luck. This solution worked but obviously is not a real solution, as it should not conflict in this way. Great job on finding a workaround! I will be contacting Apple about this ASAP under my AppleCare.
-
802.1x and Authentication Methods
Hi,
I have ACS 5.2, Cisco 4507 switches and AD domain environment.
Planning on performing only machine authentication and not user authentication.
I have the following type of devices:
1. Windows XP SP3 and higher on the AD Domain
2. Devices to be with installed with third-party supplicants as they natively don't
support 802.1x.
If I ignore device type 2, and only consider device type 1, am I able to simply configure
802.1x for authentication based on machine against AD, without having to use any
certificates at all?
Taken device type 2 into account, given the devices are not on the domain and I don't
want to manually enter details into ACS, will I need to use certificate for authentication?
Thanks
Hi,
> Using PEAP wouldn't I need a certificate installed on the ACS? Or can it work without any certificate at all.
[ANS] Yes, you always need a certificate on the ACS, but it can be a self-signed certificate that you can create with 2 clicks on the ACS itself. On the client machines you only have to make sure that you have the supplicant configured to not "Validate server certificate", so that you do not have any further complication with certs.
> I was thinking for devices that not on the domain, to load certificate on the machine.
If I were to have both type 1 and 2 devices, would it be possible to have domain devices authenticated using machine authentication against AD and the non-domain devices authenticated using a certificate installed on each device?
[ANS] Yes, you can. Non-domain devices could be authenticated simply by trusting the CA that issued the device certificate. Imagine you have CA "JEDI" issuing the devices' certs. You can configure the ACS to validate authentications only by trusting CA "JEDI". When a device tries to connect, it will send the certificate; the ACS simply checks the CA that issued the cert and, if it is trusted, it will accept the authentication.
In this scenario, you will need to use an authentication method which uses client certs for authentication, like EAP-TLS.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
We are running ISE 1.3 tied to AD with WLC 7.6.130.0. Our ISE has a GoDaddy (non-wildcard) certificate loaded for https and EAP. We are just running PEAP. We have a mix of iOS, Android, and Windows 7/8 devices. iOS and Android devices can self-create a wireless profile and, after entering credentials, can connect without issue. Our Windows 7/8 devices, when auto-creating a wireless profile, are selecting 802.1x machine authentication instead of user authentication, or the best option, which is machine or user authentication. This is problematic as we do allow for machine authentication but have an authorization rule limiting machine auth to domain controller and ISE connectivity only. This is to allow domain Windows 7/8 devices to have domain connectivity prior to user sign-in but force user auth to get true network connectivity. The problem is why are the Windows devices not auto-setting to user authentication (as I think they did when we ran ISE 1.2), or the best option, which is to allow both types of authentication? I have limited authentication protocols to just EAP CHAP and moved the machine auth profile to the bottom of the list. Neither has helped. I also notice that the Windows 7/8 endpoints have to say allow connectivity several times even though we are using a global and should-be-trusted certificate authority (probably a separate issue).
Thank you for any help or ideas,
When connecting a Windows device to the ISE enabled SSID when there is not a saved wireless profile on that machine, it will connect and auto-create the profile. In that profile, the 802.1x computer authentication option is chosen by Windows. That has to be changed to computer or user for the machine to function correctly on the network.
On 1.2, this behavior was different. The Windows device would auto select user authentication by default. At other customer sites, windows devices auto select user authentication. This of course needs to be changed to user or computer in order to support machine auth, but at least the default behavior of user authentication would allow machines to get on the network and functional easily to begin with. -
How to get rid of 802.1x 'Default Authentication'?
Hi All,
Every time I close my MBP's lid, put it to sleep, or simply turn it on, my wifi is no longer connected.
This all started ever since I decided to 'Turn Off Wifi' the very first time since I got my MBP this year, 2011, in June.
Whenever I do any of the above (put MBP to sleep etc) then get back to working.. My Safari says I'm not connected to the internet.
And I see my Wifi signal "blinking" and trying to connect. So I go to my Network preferences and see this:
There's that '802.1X: Default Authenticating' that appears below my wireless network's name..
After which I have to Disconnect twice: once before it tries to "authenticate" again, and then a second time, and then it stops completely.
Then I have to proceed to click and choose my network again and re-enter my password just to get the AirPort/Wifi working again.
Someone please give me a solution to get my Wifi to automatically connect whenever I switch on my MBP - and to get rid of this annoying 802.1X which does nothing and just continues to try and "authenticate" with no result.
It would be very very much appreciated! Thank You!
PS. I did read somewhere online about 802.11g newer wireless network cards and how they may have issues with an 802.1x network etc.
Don't really understand it though. Please explain if you could. Cheers
Realized that OSX Lion has re-prioritized my Wi-Fi to the bottom of the list.
What I had to do was place it in first priority again in Network settings.
Quite a disappointment from OSX Lion since in OS Snow Leopard that was the default setting - and certainly a hassle for newbie Mac users like myself who may be clueless when faced with these "issues"
Also attached above is the picture that for some strange reason disappeared in the original post.. -
802.1x Port Authentication via RADIUS
I am investigating implementing 802.1x port authentication on our network.
I have a test LAN with a Catalyst 2950 switch and 2 Win XP workstations (I know it's pretty basic, but should be enough for testing purposes). One of these XP PCs is running a Win32 RADIUS server and the other has been configured for 802.1x authentication with MD5-Challenge. Both switch ports are configured for the default VLAN and can ping each other.
I have configured the switch with the following commands
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host x.x.x.x key test
and the port to be authorised has been configured with
dot1x port-control auto
As far as I can tell this is all I need to configure on the switch, please correct me if I am wrong.
When I plug the PC into the port I get the request to enter login details, which I do. The RADIUS server sees the request but rejects it, because 'the password wasn't available'. Here is the output from the request, but there isn't any password field, and I know there should be, as the RADIUS server comes with a test utility and the output from that is similar to below, but the password field is included. I have removed IP/MAC addresses.
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=3
Realm = def
User = Administrator
Code = Access request
ID = 26
Length = 169
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
NAS-IP-Address = x.x.x.x
NAS-Port = 50024
NAS-Port-Type = Ethernet
User-Name = Administrator
Called-Station-Id = 00-11-00-11-00-11
Calling-Station-Id = 11-00-11-00-11-00
Service-Type = Framed
Framed-MTU = 1500
State = 0x3170020000FCB47C00
EAP-Message = 0x0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72
Message-Authenticator = 0xA119F2FD6E7384F093A5EE1BF4F761EC
Client address [x.x.x.x]
NAS address [x.x.x.x]
UniqueID=4
Realm = def
User = Administrator
Code = Access reject
ID = 26
Length = 0
Authenticator = 0xCCD65F510764D2B2635563104D0C2601
EAP-Message = 0x04010004
Message-Authenticator = 0x00000000000000000000000000000000
On the 2950 I have turned on debugging with 'debug dot1x all' and part of the output is below:
*Mar 2 01:58:38: dot1x-ev:Username is Administrator
*Mar 2 01:58:38: dot1x-ev:MAC Address is 0011.0011.0011
*Mar 2 01:58:38: dot1x-ev:RemAddr is 00-11-00-11-00-11/00-11-00-11-00-11
*Mar 2 01:58:38: dot1x-ev:going to send to backend on SP, length = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN is No Vlan
*Mar 2 01:58:38: dot1x-ev:Enqueued the response to BackEnd
*Mar 2 01:58:38: dot1x-ev:Sent to Bend
*Mar 2 01:58:38: dot1x-ev:Received QUEUE EVENT in response to AAA Request
*Mar 2 01:58:38: dot1x-ev:Dot1x matching request-response found
*Mar 2 01:58:38: dot1x-ev:Length of recv eap packet from radius = 26
*Mar 2 01:58:38: dot1x-ev:Received VLAN Id -1
Again there doesn't appear to be a password; shouldn't I see one?
Ultimately we will be using a Unix RADIUS server but for testing purposes I have just configured an eval version of Clearbox's RADIUS server. I've tried others as I thought the problem maybe the software, but I get similar problems regardless. If anyone can recommend better Win32 software, please do so.
I'm struggling to figure out where the problem is: the XP machine, the switch or the RADIUS server. Any advice would be appreciated as it's getting quite frustrating.
These are dot1x event debugs, so you wouldn't see this with that debug. The closest thing to seeing it would be to debug radius on the switch, and the password would be contained in RADIUS Attribute[79]. The switch uses this attribute to relay the EAP message (unmodified) to a RADIUS server. You might see it, but it's encrypted, so it might not buy you much. I'm sure you can imagine from a security point of view why the switch won't/shouldn't have this much visibility into this ;-).
I would recommend either:
a) Double-checking your RADIUS setup and logs to find out why the user failed. (double-check the RADIUS key configured on the switch too .. it must match).
b) Downloading a third-party supplicant from Meetinghouse or Funk to use as a control.
Eval copies are available on their websites.
Hope this helps, -
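The reply above says the password never appears in the switch debug because the EAP exchange rides inside RADIUS attribute 79 (EAP-Message), and for MD5-Challenge what travels there is a digest, not the password. The following Python is an added example, not code from the thread or from Clearbox: it decodes the two EAP-Message values quoted from the Access-Request and Access-Reject above (an MD5-Challenge response for "Administrator", and an EAP Failure), and then runs a constructed challenge/response round trip with an assumed password to show what a RADIUS server actually compares. The challenge bytes and the password in the round trip are constructed; the original challenge and password are not on the page.

```python
"""Added example (not from the thread or from Clearbox): decode RADIUS
attribute 79 (EAP-Message) payloads from an 802.1X MD5-Challenge exchange
and show what the RADIUS server compares. The two hex strings are the
EAP-Message values quoted from the thread; the round trip at the bottom
uses a constructed challenge and an assumed password."""
import hashlib
import hmac
import os
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5_CHALLENGE = 4

# From the thread: Access-Request EAP-Message and Access-Reject EAP-Message.
CAPTURED_RESPONSE = bytes.fromhex(
    "0201002304106424F60D765905F614983F30504A87BA41646D696E6973747261746F72")
CAPTURED_REJECT = bytes.fromhex("04010004")


def parse_eap(packet):
    """Decode an EAP packet; for MD5-Challenge, split out the digest and the Name."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, eap_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(packet)))
    out = {"code": EAP_CODES.get(code, code), "id": eap_id, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = packet[4]
        out["type"] = eap_type
        if eap_type == EAP_TYPE_MD5_CHALLENGE:
            value_size = packet[5]
            out["value"] = packet[6:6 + value_size]   # 16-byte MD5 digest in a Response
            out["name"] = packet[6 + value_size:].decode("ascii")  # optional Name field
    return out


def md5_challenge_digest(eap_id, password, challenge):
    """RFC 3748 section 5.4 / RFC 1994: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([eap_id]) + password.encode("utf-8") + challenge).digest()


def build_md5_response(eap_id, password, challenge, name):
    """What the supplicant sends: the digest and the Name, never the password itself."""
    value = md5_challenge_digest(eap_id, password, challenge)
    body = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name.encode("ascii")
    return struct.pack("!BBH", 2, eap_id, 4 + len(body)) + body


def radius_verifies(response_packet, challenge, password_db):
    """Server side: recompute the digest from the stored cleartext password."""
    parsed = parse_eap(response_packet)
    if parsed.get("type") != EAP_TYPE_MD5_CHALLENGE:
        return False
    stored = password_db.get(parsed.get("name"))
    if stored is None:
        return False   # unknown user: the server has nothing to hash against
    expected = md5_challenge_digest(parsed["id"], stored, challenge)
    return hmac.compare_digest(expected, parsed["value"])


if __name__ == "__main__":
    print(parse_eap(CAPTURED_RESPONSE))   # MD5-Challenge response with Name "Administrator"
    print(parse_eap(CAPTURED_REJECT))     # EAP Failure, id 1
    challenge = os.urandom(16)            # constructed; the real one arrived in the EAP Request
    pkt = build_md5_response(1, "assumed-lab-password", challenge, "Administrator")
    print(radius_verifies(pkt, challenge, {"Administrator": "assumed-lab-password"}))
```

Because the server recomputes MD5(id || password || challenge), it must hold the account's password in cleartext (or reversibly encrypted) form; a backend that stores only password hashes cannot verify an EAP-MD5 response, which is worth checking before blaming the switch when a RADIUS server reports that the password was not available.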
Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010
Hi
My company has implemented 802.1x Wired authentication, we use GPO to specify a
Wired Profile that uses a COMPUTER certificate.
We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
This issue only occurs intermittently, but has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995,
KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the
issue still occurs.
Hi,
From the description, you suspect the DHCP request causes this issue. Would you please send us the packets? Since it seems that you have looked into the traffic and found some clues.
Meanwhile, I found the following hotfix which may be related to this issue.
No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
Next Action Plan:
1.Clean Boot
a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
b. In the Startup tab, click the "Disable All" button.
c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
======================================================
Clean Boot + binary search
In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
You can enable half of all the services in the Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until we find out the root cause. Please let me know if this action plan is OK for you.
2.Collect etl trace on the problematic client.
netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
****Try to reproduce this issue****
netsh trace stop
Please send the net.etl to us for underlying analysis.
For any concerns, please let us know.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
802.1x port authentication and Windows Radius, possible?
Hello,
I'm just testing at the moment before implementing on our network, but has anyone implemented 802.1x port authentication on their Cisco switch and used a Windows IAS server? See, our users are all on a Windows domain and I want to authenticate using their Active Directory credentials. I think I am fine with the switch config, but it is the Windows IAS/RADIUS server. I have added the switch IPs and secret, but I need to create a policy to accept the domain users and need help.
Thanks
Andy:
Yes, of course you can use whatever RADIUS server as an AAA server for 802.1x authentication on the switches. NPS, IAS, ACS, Open RADIUS, etc.
If you have a problem with configuring the IAS then I would suggest that you post your question in a Microsoft forum and not here. They would be able to better assist you with your issue. But you can still look somewhere in this forum or in Google to help yourself.
See this link, it could be useful for you: https://supportforums.cisco.com/thread/2090403
Regards,
Amjad
Rating useful replies is more useful than saying "Thank you" -
802.1x & windows Authentication
Hi There, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP or MD5 or PEAP (on the clients)?
And what are the challenges if Windows user account passwords change frequently?
Can anybody explain the advantages & disadvantages of 802.1x before I deploy it in the network?
There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have an "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7, where machine auth is enabled when you enable user auth.
MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAB on the ACS side is just another form of auth where the user id and password is the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf -
Help Please :) Linksys WRVS4400N 802.1X port authentication setup
Hi all,
I am trying to configure 802.1X port authentication on my Linksys WRVS4400N. I created a test lab in order to do this, currently I am using
1x Linksys WRVS4400N
1x Microsoft Server 2003 with IAS and Active Directory services
1x Dell Laptop (used for testing RADIUS authentication)
I Created 4 VLAN(s) to test with this LAB
VLAN 1 Management. Addr Range 192.168.1.0 /24. GW 192.168.1.254
VLAN 10 Servers. Addr Range 172.16.1.0 /24. GW 172.16.1.254
VLAN 20 IT. Addr Range 172.16.2.0 /24. GW 172.16.2.254
VLAN 30 Design. Addr Range 172.16.3.0 /24. GW 172.16.3.254
This is how I assigned my VLAN(s) to my ports. This is found on the VLAN & Port Assignment Screen
Port 1 -> Mode: General -> Frame Type: All -> PVID 1 (Port 1 is used for VLAN 1: Management)
Port 2 -> Mode: General -> Frame Type: All -> PVID 10 (Port 2 is used for VLAN 20: Servers)
Port 3 -> Mode: Access -> Frame Type: All (Port 3 is used for RADIUS. DHCP enabled)
Port 4 -> Mode: Access -> Frame Type: All (Port 4 is used for RADIUS. DHCP enabled)
VLAN 1: Default
Port 1: Untagged, Port 2: Tagged, Port(s): 3, 4 & Wireless: Excluded
VLAN 10: Servers
Port(s): 1, 3, 4 & Wireless: Excluded. Port 2: Untagged
VLAN 20: IT
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
VLAN 30: Design
Port(s): 1, 2: Excluded, Port(s): 3,4 & Wireless: Untagged
This is how my Radius is setup
Mode: Enabled
RADIUS IP: 172.16.1.1 (IP of the WIN2K3 Server)
UDP Port: 1812
Secret: Password1
Port(s) 1 & 2: Force Authorized
Port(s) 3 & 4: Force UnAuthorized
On the Server this is what I have configured
1. Created a domain: GLAB. Created two groups: IT LAN, Design LAN, then assigned users to those groups. IE: User1 belongs to IT LAN
2. Created a IAS Remote Access Policy and named it IT LAN. The profile settings are listed below
Tunnel-Medium-Type: 802
Tunnel-PVT-Group-ID: 20
Tunnel-Type: Virtual LAN
My goal is to test RADIUS authentication on ports 3 and 4 on the Linksys WRV. I tested everything else and made sure the VLANs were working OK, so what I did was take a Dell Laptop and join it to my domain. I plugged the Dell Laptop into port 4 to test RADIUS authentication. When I tried to log in as User1 it didn't work.
I am new to setting up 802.1X; I wanted to know if I missed a setting or misconfigured something. I even ran Wireshark on my Windows 2003 machine to see if any RADIUS data is coming from my router (172.16.1.254) and I didn't see anything.
If anybody can help me out that would be great!
Cheers
Graham
1. I don't think the WRVS4400N supports RADIUS-assigned VLANs. I can't find anything in the manual suggesting it would. I would say you can only use the RADIUS server for authentication on a port, but the VLAN must be configured before.
2. You don't write what is exactly connected to each port on the WRVS. For instance, it is unclear whether the MS Server is connected directly to port 2 or whether it connects to another switch to which you have connected other servers as well.
3. The VLAN configuration looks very odd to me. If I see it correctly you have:
Port 1: General mode, PVID 1, 1U
Port 2: General mode, PVID 10, 1T, 10U
Port 3: Access mode, PVID ???, 20U, 30U
Port 4: Access mode, PVID ???, 20U, 30U
I wonder why you are even able to set this up...
a. Port 1 should be set to Access mode with PVID 1 and 1U. With access mode the port is member of a single VLAN and all traffic is untagged. That is exactly what you have set up, but with General mode.
b. Port 2 must be connected to a server (or a managed switch). The NIC in the server must be configured for 802.1q tagged frames. On the server NIC you must configure VLAN 1 as tagged VLAN and VLAN 10 as default/native/untagged VLAN. Only then the server is able to communicate on VLAN 1 and VLAN 10.
c. Ports 3 & 4 are in access mode. In access mode the port can only be a member of a single VLAN. What you post suggests that they are members of two VLANs. That should not even be possible to configure. If it is possible, then it is definitely incorrect. You must decide which VLAN these ports belong to.
4. To use RADIUS authentication on a port you must set it to "Auto". "Force UnAuthorized" sets it unauthorized, in other words you disable the port completely. No traffic will go through. See the manual: "Force Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic). All connections are blocked."
5. Did you verify that your RADIUS server is actually using port 1812? 1645 is also commonly used for radius authentication. Check the configuration on the RADIUS server or check with "netstat -a" to see if 1812 is used.
6. Also check, whether the RADIUS traffic is sent on the management VLAN 1. The WRVS uses VLAN 1 as management VLAN and it might well be that it expects the RADIUS server to be in the management VLAN. Use the server IP address in VLAN 1 as RADIUS server IP address to check that.
7. Did you check with Wireshark the traffic on the 802.1X client machine? Does it send something out? Does it receive anything?
-
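The exchange the thread above is trying to get working, as an added example that is not part of the original posts or of IAS or the WRVS4400N: the Access-Request a switch sends for an 802.1X supplicant (NAS address 172.16.1.254, port 4 and user User1 taken from the post), the Access-Accept a RADIUS server returns carrying the three attributes from the IAS policy (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = 20), and the two integrity checks that decide whether either side trusts the packet. The shared secret, packet identifier and EAP identity are constructed values; attribute numbers and values follow RFC 2865, 2868, 3579 and 3580.

```python
# Added example: RADIUS 802.1X Access-Request / Access-Accept with a VLAN assignment.
# Attribute numbers and values are from RFC 2865, 2868, 3579 and 3580.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 4, 5, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15

def attr(kind, value):
    """One attribute: type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", kind, len(value) + 2) + value

def tagged(kind, tag, value):
    """RFC 2868 tagged attribute: a 1-byte tag (0x00..0x1F) precedes the value."""
    return attr(kind, bytes([tag]) + value)

def eap_identity_response(identity, eap_id=1):
    """EAP Response/Identity (RFC 3748): code 2, id, length, type 1, identity."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity

def parse_attrs(body):
    """Walk the attribute list, refusing lengths that run past the packet."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute list")
        out.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return out

def build_access_request(secret, ident, identity, nas_ip, nas_port):
    """Switch -> server. Message-Authenticator = HMAC-MD5(secret, packet with that field zeroed)."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, identity)
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(EAP_MESSAGE, eap_identity_response(identity))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_message_authenticator(secret, pkt):
    """Server side: an EAP request must carry a valid Message-Authenticator (RFC 3579) or be dropped."""
    i = 20
    while i + 2 <= len(pkt):
        kind, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False
        if kind == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[i + 2:i + 18])
        i += length
    return False

def build_access_accept(secret, request, vlan, tag=1):
    """Server -> switch. Response Authenticator = MD5(code|id|length|RequestAuth|attrs|secret)."""
    attrs = (tagged(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
             + tagged(TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", TUNNEL_MEDIUM_IEEE_802)[1:])
             + tagged(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def assigned_vlan(secret, request, response):
    """Switch side: check id, code and Response Authenticator, then read the VLAN from the tunnel attributes."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    if response[0] != ACCESS_ACCEPT or response[1] != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    groups = {}
    for kind, value in parse_attrs(response[20:]):
        if kind in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            tag, rest = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)  # byte > 0x1F is data, not a tag
            groups.setdefault(tag, {})[kind] = rest
    for group in groups.values():  # RFC 3580: all three attributes present and sharing one tag
        if (int.from_bytes(group.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(group.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None

if __name__ == "__main__":
    secret = b"secretkey"  # constructed shared secret; use a long random one in production
    req = build_access_request(secret, 7, b"User1", "172.16.1.254", 4)
    print("request accepted by server:", verify_message_authenticator(secret, req))
    print("VLAN the switch will apply:", assigned_vlan(secret, req, build_access_accept(secret, req, 20)))
```

Two things this makes visible that the thread's Wireshark checks depend on: a request with a wrong shared secret is silently discarded by the server (no log entry, no reply), which looks exactly like "nothing on the wire" from the client's side; and a switch that does not implement the tunnel attributes simply ignores an Access-Accept's VLAN, which is Graham's point 1 about the WRVS4400N.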
VPN Tunnel w/ 802.1X port authentication against remote RADIUS server
I have a Cisco 892 set up as a VPN client connecting to an ASA 5515-X. The tunnel works fine and comes up if there is correct traffic. I have two RADIUS servers, located behind the ASA 5515-X, that I want to use for certificate-based authentication.
If I connect a computer that has the correct certificates to ports FA0 through 3, authentication won't work. I'll see the following. This happens even if the VPN tunnel is already established by doing something such as connecting a VoIP phone. No entries appear in the RADIUS logs, and I also cannot ping the RADIUS servers from VLAN10.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.1.100:1812,1813 is not responding.
*Jan 30 19:46:01.435: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.1.100:1812,1813 is being marked alive.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_DEAD: RADIUS server 192.168.26.10:1812,1813 is not responding.
*Jan 30 19:46:21.659: %RADIUS-4-RADIUS_ALIVE: RADIUS server 192.168.26.10:1812,1813 is being marked alive.
If I connect a second PC to an interface with 802.1X disabled, such as FA6, the VPN tunnel will establish itself correctly. In this situation, I can ping the RADIUS servers from VLAN10. If I go ahead and connect another PC with correct certificates to a port with 802.1X enabled, such as ports FA0 through 3, then 802.1X will succeed.
Current configuration : 6199 bytes
! Last configuration change at 15:40:11 EST Mon Feb 3 2014 by
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router1
boot-start-marker
boot-end-marker
aaa new-model
aaa local authentication default authorization default
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
clock timezone EST -5 0
clock summer-time EDT recurring
ip cef
ip dhcp pool pool
 import all
 network 192.168.28.0 255.255.255.248
 bootfile PXEboot.com
 default-router 192.168.28.1
 dns-server 192.168.26.10 192.168.1.100 8.8.8.8 4.2.2.2
 domain-name domain.local
 option 66 ip 192.168.23.10
 option 67 ascii PXEboot.com
 option 150 ip 192.168.23.10
 lease 0 2
ip dhcp pool phonepool
 network 192.168.28.128 255.255.255.248
 default-router 192.168.28.129
 dns-server 192.168.26.10 192.168.1.100
 option 150 ip 192.168.1.132
 domain-name domain.local
 lease 0 2
ip dhcp pool guestpool
 network 10.254.0.0 255.255.255.0
 dns-server 8.8.8.8 4.2.2.2
 domain-name local
 default-router 10.254.0.1
 lease 0 2
no ip domain lookup
ip domain name remote.domain.local
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9
dot1x system-auth-control
username somebody privilege 15 password 0 password
redundancy
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key secretpassword address 123.123.123.123
crypto ipsec transform-set pix-set esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map pix 10 ipsec-isakmp
 set peer 123.123.123.123
 set transform-set pix-set
 match address 110
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
interface FastEthernet0
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
interface FastEthernet1
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
interface FastEthernet2
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
interface FastEthernet3
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
interface FastEthernet4
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 spanning-tree portfast
interface FastEthernet5
 switchport access vlan 12
 switchport voice vlan 11
 no ip address
 spanning-tree portfast
interface FastEthernet6
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 spanning-tree portfast
interface FastEthernet7
 switchport access vlan 10
 switchport voice vlan 11
 no ip address
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
interface FastEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map pix
interface Vlan1
 no ip address
interface Vlan10
 ip address 192.168.28.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
interface Vlan11
 ip address 192.168.28.129 255.255.255.248
interface Vlan12
 ip address 10.254.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip radius source-interface Vlan10
ip sla auto discovery
access-list 101 deny ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.28.0 0.0.0.255 any
access-list 101 permit ip 10.254.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
control-plane
mgcp profile default
line con 0
line aux 0
line vty 0 4
 transport input all
ntp source FastEthernet0
ntp server 192.168.26.10
ntp server 192.168.1.100
end
I have 802.1X certificate authentication enabled on the computers. As described in my post above, authentication will work if there is another device on the same VLAN that is connected to a port that bypasses authentication. It seems like I have a chicken-and-egg scenario: a device needs to be successfully connected to VLAN10 before the router will use its VLAN10 interface to communicate with my remote RADIUS server.
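A way to check a configuration like the one above for the dependency the poster describes, as an added example that is not part of the original post and not a Cisco tool: it parses a constructed subset of the posted config (same interfaces, addresses and ACL as the post, indentation restored), resolves the address behind "ip radius source-interface", tests each "radius-server host" against the crypto map's "match address" ACL to see whether RADIUS traffic is interesting traffic for the tunnel, and, when the source interface is an SVI, lists which of its member ports are 802.1X-controlled and which are open. The "with_loopback_source" variant (a loopback address covered by the second line of ACL 110) is this example's comparison case, not something the poster configured; the parser only understands the numbered "access-list N permit ip" form used in the post.

```python
# Added example: check whether RADIUS from a router's source interface can reach its servers
# through a site-to-site crypto map, and whether that source interface depends on 802.1X ports.
import ipaddress
import re

# Constructed subset of the posted configuration (same addresses as the post).
SAMPLE_CONFIG = """\
interface FastEthernet0
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
interface FastEthernet1
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
interface FastEthernet6
 switchport access vlan 10
interface Vlan10
 ip address 192.168.28.1 255.255.255.248
crypto map pix 10 ipsec-isakmp
 set peer 123.123.123.123
 match address 110
access-list 110 permit ip 192.168.28.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.29.0 0.0.0.255 192.168.0.0 0.0.255.255
ip radius source-interface Vlan10
radius-server host 192.168.1.100 auth-port 1812 acct-port 1813 key secretkey
radius-server host 192.168.26.10 auth-port 1812 acct-port 1813 key secretkey
"""

def parse_blocks(config):
    """Split an IOS config into (command, [indented sub-commands]) blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def _take_net(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    mask = (~int(ipaddress.IPv4Address(tokens.pop(0)))) & 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.IPv4Network(f"{t}/{ipaddress.IPv4Address(mask)}", strict=False)

def check_radius_path(config):
    """Report where RADIUS is sourced from, which servers the crypto ACL covers, and SVI port dependencies."""
    blocks = parse_blocks(config)
    interfaces = {h.split(" ", 1)[1]: sub for h, sub in blocks if h.startswith("interface ")}
    crypto_acls, acls, servers, source_if = set(), {}, [], None
    for header, sub in blocks:
        tok = header.split()
        if header.startswith("crypto map ") and "ipsec-isakmp" in header:
            crypto_acls.update(s.split()[-1] for s in sub if s.startswith("match address "))
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            acls.setdefault(tok[1], []).append((_take_net(rest), _take_net(rest)))
        elif header.startswith("radius-server host "):
            servers.append(tok[2])
        elif header.startswith("ip radius source-interface "):
            source_if = tok[-1]
    source_ip = None
    for line in interfaces.get(source_if, []):
        m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line)  # 'ip address dhcp' yields no address
        if m:
            source_ip = ipaddress.IPv4Address(m.group(1))
    result = {"source_interface": source_if, "source_ip": str(source_ip) if source_ip else None,
              "servers_in_tunnel": [], "servers_outside_tunnel": [],
              "source_is_svi": False, "dot1x_member_ports": [], "open_member_ports": []}
    for srv in servers:
        srv_ip = ipaddress.IPv4Address(srv)
        hit = source_ip is not None and any(
            source_ip in s and srv_ip in d for a in crypto_acls for s, d in acls.get(a, []))
        result["servers_in_tunnel" if hit else "servers_outside_tunnel"].append(srv)
    m = re.fullmatch(r"Vlan(\d+)", source_if or "")
    if m:  # an SVI only carries traffic while some member port is up; note which ports gate it
        result["source_is_svi"] = True
        for name, sub in interfaces.items():
            if f"switchport access vlan {m.group(1)}" in sub:
                key = "dot1x_member_ports" if "authentication port-control auto" in sub else "open_member_ports"
                result[key].append(name)
    return result

def with_loopback_source(config):
    """Comparison case: RADIUS sourced from an always-up loopback whose address the crypto ACL already covers."""
    return (config.replace("ip radius source-interface Vlan10", "ip radius source-interface Loopback0")
            + "interface Loopback0\n ip address 192.168.29.1 255.255.255.255\n")

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("loopback source", with_loopback_source(SAMPLE_CONFIG))):
        print(label, check_radius_path(cfg))
```

Run against the posted config, the report shows both servers are covered by ACL 110 (so the crypto map is not the problem) and that Vlan10's member ports are FastEthernet0/1 under 802.1X and FastEthernet6 open, which is the combination the poster observed: RADIUS only flows once something is plugged into an open port.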
-
Radius server for 802.1x port authentication
Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
Thanks
Check connectivity between the PIX and the server.
If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
aaa-server group_tag (if_name) host server_ip key timeout 5
If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
Ensure that the secret key is correct.
Check the server logs for failed attempts. All servers have some kind of logging function.
-
About TACACS+ and 802.1x port authentication
Hi
Is it true? TACACS+ will not work with 802.1x port authentication because EAP is not supported in TACACS+,
Where to find the documents about Tacacs+ doesn't support EAP?
Regards,
Thanks.
Correct, TACACS+ does not support EAP; check the following links:
https://cisco.hosted.jivesoftware.com/message/7901
http://www.rfc-editor.org/rfc/rfc1492.txt