802.1x Wireless Authentication with 10.8.4 Build 12E3067

Hello All,
I work in a school and we use 802.1x authentication for Wi-Fi and access to our server and Staff wireless VLAN. We use a login window profile that authenticates with our Active Directory.
The previous, working setup was an MBA (Mid 2012) 5,1 running OS 10.8.4 build 12E55. This OS was downloaded from the Mac App Store. Bound to domain and using authorization certificates for our Active Directory controllers. Created Wi-Fi 802.1x authentication profile with Profile Manager on 10.8 server. No issue. Units authenticate with server at user login, join Wi-Fi and mount home folder.
The new, non-working setup is an MBA (Mid 2013) 6,2 running OS 10.8.4 build 12E3067. This unit will not run build 12E55; it boots to the prohibitory sign. Unit is set up with same certificates and 802.1x profile. When first booting up, the Wi-Fi signal appears to be attached to the network, unlike the previous setup, where the Wi-Fi indicator appears disconnected until the user logs in. 90% of the time new units will not authenticate. States unable to connect to server and then loads into mobile user account. Will not attach to Wi-Fi. There are instances when it does authenticate properly. However, logging out and then back in will cause the failure.
Also note, I have made an image of the 6,2 MBA with build 12E3067 and installed it on an MBA 5,1. The same failure happens. This leads me to believe the issue lies in OS 10.8.4 build 12E3067.
Troubleshooting:
-I have taken OS build 12E3067 on MBA 6,2 (failing to authenticate) and removed Wi-Fi profile. Unit authenticates over Ethernet with no issue. Add profile back and issue surfaces.
-Created new profile using profile manager and issue continues. Verified proper certificates are being used. Would the previous profile
-Restarted domain controllers. Issue continues.
Any thoughts or questions would be appreciated.

did you find any resolution to this?  our mba- mid 2013 deployment is having a very similar problem.  We've gone through loads of troubleshooting and have yet to come to a resolution.  all our mid 2012 mba's are working fine, they're 10.7.5/10.8.4 mixed.  console logs don't show much, i'll try the wireless diags tomorrow.  our other 10.8.4 build appears fine on other models of machines.  i've read posts about deleting the adapters, deleting the system config plists and changing the mtu size; these steps do not work for us.
we don't have as high a failure rate with our deployment, but 25%-30% of our clients randomly drop connectivity and are unable to reconnect (fluttering wi-fi wave).  when you select the wifi symbol in the menu bar other wireless networks do not show, the 'looking for networks' fly wheel continues to spin.  occasionally on login the yellow jelly bean will appear then disappear before finally timing out without logging the user in (despite having mobile accounts enabled).  mostly the problem manifests itself when waking from sleep - the wifi symbol flutters endlessly without connecting.  deleting the 8021x profile and re-adding it will re-enable connectivity.  we've tried new profiles, but to the same end.  i know our certs and systems are fine because previous mac os x builds work fine as do our windows clients.
any input would be much appreciated.

Similar Messages

  • 802.1x wireless authentication with certificates

    Hi.
    I have 802.1x authentication with certificates configured and working for wired connections, with no problem.
    When I try to authenticate the same machine with 802.1x and certificates on wireless, the ACS rejects it with:
    "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
    The ACS is the same, the certificate the same, and the root CA is the same.
    What's happening????
    Antero Vasconcelos

    What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • 802.1x Wireless Authentication

    Hello
    I am using a MS Certificate Server and MS Radius server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it in as a 509 anchor and other and still the same thing. Is anyone out there doing this?
    The window says
    801x Authentication
    The Server Certificate could not be validated because the root certificate is missing.
    Thanks

    No, CA wasn't changed with R2.
    Are you able to see the User's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under the X509Anchors?
    In the login keychain, when looking at the Users certificate, does it show as valid?

  • 802.1x wireless authentication using NPS - SSO sign on to Office 365 using ADFS

    Hi Spiceys, I'm researching for a potential client and would like to know if the following is possible: They have an existing wireless network with a working 802.1x implementation using NPS as RADIUS. They are very keen to move to Office 365 and use SSO and my understanding is that they'll need to spin up a working ADFS implementation to arrange this. We want to use Microsoft tech to tie it all in, so 3rd party SSO apps I don't want to investigate. If a wireless client is authenticated with NPS, and we have a working ADFS implementation are they able to access Office 365 resources without signing in twice? I'd imagine that the NPS auth would give them the necessary DC token, but if they access O365 resources and get redirected to the ADFS website and use Windows integrated login, will it 'just work' ? They are looking at using the full...
    This topic first appeared in the Spiceworks Community

  • Adding 802.1x Wireless networks with a script

    Hi,
    We have some new wireless networks we've set up for students to use (I work in a University). The networks use 802.1x authentication, and WPA2-Enterprise encryption. Adding Macs with various versions of OSX isn't a big issue, but it's time-consuming. Users need to follow an instruction sheet, and the process is prone to errors.
    I'm looking for a method to give users some sort of download to run, which can just add the SSID for our wireless LAN with the minimum of fuss. I've dug around and found various things, but I'm a little perplexed as to how best to go about it. I've seen things suggesting an AppleScript would be able to do it, but I'm no AppleScript expert, so some sort of example would be nice.
    Any pointers gratefully received.

  • 1552 in P-MP acting as 802.11a Wireless Bridge with single antenna SISO

    Can you configure three Cisco 1552EUs to act as a RAP and two MAPs in a bridge only Point to Multipoint configuration. 
    I'd like to disable two of the 5Ghz antenna ports and use just a single TX/RX port and a single directional antenna for each AP.
    Does this simply reduce the system gain because you lose the MRC MIMO advantage / gain of either 1.7 or 4.7db (depending on qty of spatial streams).
    Also, are the 1552EU's backward compatible with the Cisco 1310's in the configuration mentioned above.
    Thanks for any comments.

    The transfer speeds sound about right. The "54Mbps" is a signaling rate, not a throughput.
    To make 802.11 wireless "reliable"  (comparable to a wired network)  the data is, in effect, sent twice and staggered such that a glitch usually doesn't get both.
    In terms of throughput of your data, a strong signal with good signal quality, using IP, unencrypted  should run ~22-26Mbps (some variability for noise/interference, mixed frame sizes, TCP ACK times, application responses, etc). 
    So, at ~24 Mbps (megabits per second) you're looking at ~4  megabytes per second versus 100Mbps/12.5mBps as a probable max rate.
    Given that, a transfer that takes approximately one minute on a wired network under typical conditions ... having it take four-to-five minutes on a typical wireless system is about right.
    For power settings, you can adjust the power by monitoring the RSSI values on the receiving system. If I can find the docs on Cisco's main site I'll post 'em up later (gotta run ...), but if the mechanical install is good, then it'll just be a little keyboard work.
    Good Luck
    Scott

  • 802.1x Wireless Implementation with NPS - Guest computers access

    Hi guys,
    I have an 802.1x network using NPS services in Windows Server 2012 that I am testing right now with Windows 7 machines. Everything seems to be fine with corporate computers (connection and authentication are good). But I have an issue with guest computers (i.e. personal laptops). I am able to connect to my Enterprise wireless connection using my corporate credentials. Even if my personal laptop doesn't have any corporate certificate, the connection is granted because I use my credentials. Is there a way to use User certificate AND computer certificate for wireless at the same time? So that personal laptops will not have access to the enterprise wireless network even if I enter my corporate credentials.
    Let me know if you need more information.
    Thank you

    Hi,
    One way to solve it would be to only allow "Domain Computers" or another computer Group in the NPS policy and then create a corresponding Group policy to only authenticate to the wireless with the computer account.
    Another way would be to actually use the user certificate (instead of secured password that you are using now). That would require you to autoenroll user certificates though.
    See screenshots above on alternative 1 and 2.
    Microsoft Certified Trainer
    MCSE: Desktop, Server, Private Cloud, Messaging
    Blog: http://365lab.net

  • 802.1x wireless authentication not working via RADIUS

    I've tried to implement 802.1x authentication in a windows 2012 domain environment using protected-EAP authentication. I read through guide after guide and still i am unable to get it to work. I'm confident the server side and WLC config is all correct. I have run the command debug client d0:df:9a:f6:30:40 which is my test laptop and i can see the WLC sending EAP-Request/Identify messages but it seems it never gets a reply. I have attached a copy of the debug. 
    Please can someone help me if possible?
    Laptop > AP > WLC > RADIUS SERVER

    Hmmm, peap. So PEAP requires the server be validated via a certificate trust. Did you download the WLC certificate and install it on the client (use self-signed cert), or did you install a new certificate on the WLC? In either case your client has to "trust" the Certificate Authority who signed the certificate used by the authentication device. If you use the self signed certificate you have to download the cert from the WLC and install on the client to validate the server, then the client is validated on the WLC with windows credentials or a saved username/password.
    Are you trying to do single sign-on? Is the client a member of the domain? Does the user belong to the domain? Did you do the certificate stuff above? If you need to test this without validating the server (JUST FOR TESTING PURPOSES) you can go under the WLAN profile on the client, choose security, settings and uncheck validate server certificate. Then on user credentials verify you are using the correct client credentials on the client and try again.
    If this works the certificate is the issue, you can troubleshoot from there. You DO NOT WANT TO LEAVE validate server certificate unchecked as that can create a BIG SECURITY HOLE. Just based on your description I am leaning towards a cert issue. If you can provide more details, would be great. Screenshots of your client EAP-PEAP setup, screenshot of windows cert store showing trusted root certification authorities with trusted CA your WLC is using. 
    Do you ever see logs on the AD server, with login attempts? If not the client is not able to verify the WLC's certificate and therefore won't send credentials. 
    LDAP configuration is pretty straightforward, if you just want to test this for the first time and are having issues with just getting a PEAP client to work you can attempt with a LOCAL EAP user on the WLC to verify the client and WLC are correct then add the LDAP server as Authentication Source, just ensure your server priorities are correct if you do this.
    Hopefully this helps
    ~Please rate useful post~

  • 802.1x Failed Authentication with WS-C3750G-24T

    Hi,
    I have already set up a lab  comprising of  1x2950-24 switch, 2x3750-24T in stack mode and 2x MS Domain Controller with AD 2008 Servers and NPS enabled (Domain level 2008). I use NPS as a Radius Server. I am trying to test the 802.1x framework in two scenarios.
    1.     I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant. As authenticator use the 2950 switch and as authentication servers I use the two NPS integrated in MS DCs. Everything is working fine as I expected with basic configuration guidelines from Cisco & Microsoft.
    2.      I use as client a domain laptop with Windows XP SP3 with the embedded 802.1x MS supplicant (the same as before). As authenticator I use the 3750 Stack switch and as authentication servers I use the two NPS integrated in MS DCs (the same as before). I have configured the supplicant for both machine or user authentication in both scenarios. However the client never passes the authentication in the second one. I disconnect and connect the same supplicant in the 2950 switch and the authentication is completed successfully. Getting back to the 3750 stack the authentication failed and the laptop gains network access in the configured Auth-Failed Vlan. I have tried several configuration changes without success. I cannot understand why this happens. I have made some debugs and I am sending them along with a partial basic configuration of the 3750 stack switch.
    If anyone could check it and suggest  anything it could be appreciated!!!
    Thank you in advance!                 

    Hi,
    basically what happens is that the maximum EAP packet size for communication between client and RADIUS server is negotiated. Therefore, in your case the switch notifies NPS that the client is capable of handling packets up to 9000 bytes in size.
    EAP messages, especially those containing the server certificate, are usually bigger than 1500 bytes and arrive at the switch in multiple fragments:
    Mar  6 15:50:11.881: RADIUS(0000002C): Received from id 1645/41
    Mar  6 15:50:11.881: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+253+253+253+253+20, total 2044 bytes
    Having learned that 2044 bytes is acceptable for the client, the switch forwards the full message in one chunk, but since your client is likely to have set the interface MTU to 1500, the packet is oversized and never reaches its destination.
    And yes, I think changing the System Jumbo MTU to 1500 bytes would lead to the same result. If my memory serves me right, a new setting takes effect only after a reboot, so I'd suggest giving it a go in your lab first.
    Best regards,
    Josef
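Added example, not part of Josef's reply or of the thread: a Python check that reads the `RADIUS/DECODE: EAP-Message fragments` debug lines, confirms the fragment arithmetic, and flags any reassembled EAP message too large for the client's interface MTU. It assumes, as the reply describes, that the switch forwards the reassembled message to the client as a single frame and that the client MTU is 1500; the function names and the third log line are constructed for illustration.

```python
import re

# EAPOL header: protocol version (1) + packet type (1) + body length (2).
EAPOL_HEADER_LEN = 4
# A RADIUS attribute's 1-byte length field includes its 2-byte header, so a
# single EAP-Message attribute carries at most 253 bytes of EAP data.
MAX_ATTR_VALUE = 253

FRAG_RE = re.compile(
    r"RADIUS/DECODE: EAP-Message fragments, (\d+(?:\+\d+)*), total (\d+) bytes"
)

# The first two lines are the debug output quoted in the reply above;
# the third line is constructed to show a message that does fit.
SAMPLE_LOG = """\
Mar  6 15:50:11.881: RADIUS(0000002C): Received from id 1645/41
Mar  6 15:50:11.881: RADIUS/DECODE: EAP-Message fragments, 253+253+253+253+253+253+253+253+20, total 2044 bytes
Mar  6 15:50:12.104: RADIUS/DECODE: EAP-Message fragments, 253+100, total 353 bytes
"""


def parse_fragments(line):
    """Return ([fragment sizes], reported total) or None for other lines."""
    m = FRAG_RE.search(line)
    if m is None:
        return None
    return [int(n) for n in m.group(1).split("+")], int(m.group(2))


def check_eap_sizes(log_text, client_mtu=1500):
    """Flag reassembled EAP messages that cannot fit in one client frame."""
    max_eap = client_mtu - EAPOL_HEADER_LEN  # room left for the EAP packet
    findings = []
    for line in log_text.splitlines():
        parsed = parse_fragments(line)
        if parsed is None:
            continue
        frags, total = parsed
        findings.append({
            "eap_bytes": total,
            # Fragments must add up and each must fit one RADIUS attribute.
            "consistent": sum(frags) == total
            and all(0 < f <= MAX_ATTR_VALUE for f in frags),
            "fits_client_mtu": total <= max_eap,
            "excess_bytes": max(0, total - max_eap),
        })
    return findings


if __name__ == "__main__":
    for finding in check_eap_sizes(SAMPLE_LOG):
        print(finding)
```

Running the same check with `client_mtu=9000` shows why the negotiation looked fine from the switch's side: the 2044-byte message fits a jumbo frame but not the client's 1500-byte interface.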

  • 802.1X wireless network problems with Intel Mac

    To login to the wireless network at my school I have to use an 802.1X connection authenticating with TTLS, TLS, EAP-FAST and PEAP protocols.
    This works intermittently. Some days my MacBook logs on quickly with no problems at all but most days it has a self assigned IP address and I can't use the internet. My friend also uses a MacBook, which acts in the same way. Some days she manages to get on, some days I can get on and some days we are both on together. The problem is really irritating!! We get no support from the techs as we are the only Mac people in the school. The rest of the staff have PCs. The techs are just trying to use this issue to justify why letting people lease Macs is a problem and stop other staff from leasing them in the future.
    I did find a solution at
    http://discussions.apple.com/thread.jspa?threadID=425113&tstart=0
    but this was written in 2006 and I wondered if this was still valid.
    Can anyone help? please???

    I am a tech at our school and we have the same problems. still trying to find a permanent solution!
    If you turn airport off, then turn on again (from system prefs > network), does it change from "self-assigned IP Address" to "Authenticated via PEAP"?
    the macs are more and more popular at our school, so it's becoming more and more of an issue.
    cheers,
    Harry

  • 802.1x & windows Authentication

    Hi there, has anybody implemented 802.1x port authentication with ACS & Windows AD? Which authentication is supported in this kind of setup: MS-CHAP, MD5 or PEAP (on the clients)?
    And what are the challenges if Windows user account passwords are changed frequently?
    Can anybody explain the advantages & disadvantages of 802.1x before I deploy it in the network?

    There's a decent guide in the ACS 4.2 documentation on enabling machine access (chapter 12). Basically, you just enable it on the client and the ACS server, and POOF! On the client side, you should have a "Authenticate as computer..." option on your wireless networks tab. Wired is the same, unless you are running XP SP3, Vista, or Windows 7 where machine auth is enabled when you enable user auth.
    MAB with Guest VLAN *should* work, but I have not configured/tested it. Just be aware that MAF on the ACS side is just another form of auth where the user id and password is the MAC address of the client. For this reason, I recommend you put the MAC "users" in your ACS database, not in AD. Otherwise, you'll probably need to create an AD password group policy object for the user group holding your "mac address user accounts" so that they can have a password that matches their user name.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACSug.pdf

  • Wireless Authentication

    Hello
    I am using a MS Certificate Server and MS Radius server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it in as a 509 anchor and other and still the same thing. Is anyone out there doing this?
    The window says
    801x Authentication
    The Server Certificate could not be validated because the root certificate is missing.
    Thanks

    You've posted in the wrong forum. This is Feedback about Discussions. Try Networking and the Web maybe.

  • Pb 802.1X Computer authentication

    Hello
    I want to know if some GPO parameters can prevent 802.1X computer authentication?
    Because we use ACS 4.1 and 802.1X PEAP authentication with VLAN assignment and MACHINE authentication only.
    And certain PCs work fine and others do not.
    And if we disconnect the PC from the domain and afterwards reconnect the PC to the domain, all works fine ==> Authentication is OK
    Do you have a solution to avoid taking the PC out of and back into the domain?
    Thanks for your help

    Hello
    When i do the command csagent -v the result is:
    ACSRemoteAgent version 4.1(3.12)
    and I have an Appliance ACS:
    Cisco Secure ACS 4.1.3.12
    Appliance Management Software 4.1.3.12
    Appliance Base Image 4.1.1.4
    CSA build 4.0.1.543.2 (Patch: 4_0_1_543)
    and in the file cswinAgent i have this error
    CSWinAgent 08/07/2007 11:32:33 A 0386 6040 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0332 6040 0x0 NTLIB: Reattempting authentication at domain DOMAIN-TEST
    CSWinAgent 08/07/2007 11:32:33 A 1711 6040 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 08/07/2007 11:32:33 A 1712 6040 0x0 NTLIB: Attempting Windows authentication for user GVAL0594$
    CSWinAgent 08/07/2007 11:32:33 A 1764 6040 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 08/07/2007 11:32:33 A 0452 6040 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    I don't know if this is what you want
    I have just changed the domain name (DOMAIN-TEST) for confidentiality reasons
    Thanks

  • Wireless authentication through AD

    I have a 2106 LAN controller with 1250 AP. I need to authenticate via my Active Directory users. Can this be done and how? I am also looking to get better range from my antennas, what the best omni or Bi antenna I can use with my 1250 AP
    Thank you in advance.

    Hi Tabish:
    Unfortunately, there is no specific document for wireless authentication with ACS 5.x
    If you wish you can check the below listed sections from acs 5.1 user guide:
    You can configure AD on Windows to use as external database, you can use the following link to integrate your AD
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213
    For authorization using TACACS+
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html#wp1074366
    For configuring managing access
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html
    HTH
    Regards,
    JK
    Plz rate helpful posts-

  • Wireless authentication issues

    I am using NM 5.5.5195 for a WRT160Nv3 router with firmware 3.0.02.  The router installed and set up quickly and easily a few days ago.  I am using a desktop running direct (wired) into the router and a laptop remote (wi-fi) Worked great for a day and a half.  But today there is little or no connectivity.  Initially I had wireless d/l speeds about 10,500-11-600 kbps and u/l speeds about a third of that.  Then today, I had d/l speeds of 650 kbps and u/l speeds that I didn't let finish measuring.  Now no connectivity at all.  I have tried a system restore - no luck.  I have reset the router to the Factory Defaults - No luck.  This is not a network adapter problem in the Laptop.  It sees the router/network with "excellent" signal strength.  But it will not authenticate...  Same situation with a PSP.  It will scan and sense the network signal but can not pass the access point in the authentication process.  Both units were able to access the network yesterday.  This leads me to believe that it is not a firewall/antivirus issue in the laptop.
    Desktop is running xp-pro...
    Laptop is running win-7 
    My hardwired desktop running through the router can access the net perfectly.  It is only the wireless units that can see but not authenticate to the network.

    Hi skadee,
    Do  a Factory Reset on the Router, via the Button in the back of the Router. Then use your Wired Computer to reenter the information for the Wireless portion of the Router, as well as reentering the other information like the Router's Password.
    Don't forget the Wireless' Security Code or passphrase.
    thecreator - Running Network Magic version -5.5..9195.0-Pure0 on Windows XP Home Edition SP 3
    Running Network Magic version -5.5.9195.0-Pure0 on Wireless Computer with McAfee Personal Firewall Build 11.5.131 Wireless Computer has D-Link DWA-552 connecting to D-Link DIR-655 A3 Router.
