802.1x with PEAP fails on Unified

We have an issue with a Fujitsu Siemens Amilo Laptop. It uses 802.1x with dynamic WEP and PEAP-MSCHAP (MS-IAS), Verisign Imported Certificate. It works fine in a Autonomous environment but fails in Unified environment. Other laptops work fine in both environments with the same setup. Debug on the WiSM shows the EAP request identity/start message send to the client. But there's no answer from the client; Reached Max EAP-Identity Request retries (21) for STA
Any help is welcome!

If the issue is with the certain brand of laptop, look at the wireless card firmware. What type of card are in these laptops? What configuration has changed between the Autonomous and the LWAPP (basic settings). What does the log show on the IAS server?

Similar Messages

[WLAN] Use 802.1x with PEAP without Certificates?

Hello there,
is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without cheking for the servers certificate? I can't find an option to disable it

On whitch device? You can set the autorithy certifacte to none or choose one from the list.
‡Thank you for hitting the Blue/Green Star button‡
N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

Wired 802.1x with PEAP

I have manage to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
Setup:
C3750 switch - Cisco ACS 3.2 - Windows AD
Sequence of events:
1. 802.1x machine authentication
2. User logs in to domain
3. 802.1x with user credentials
But, I have the following issues:
i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
Any solution for this?
Tks

2 issues here:
*Cached credentials for Microsoft supplicannts. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
* Falied Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (this can be verified by a sniffer trace or debugs). Correspinding logs on RADIUS would help as well.

Wireless 802.1x with Window 7

I have a WLC 6.0, ACS 3.3 and the SSID is setup to use 802.1x with Peap Authentication. The clients are using Windows 7 to connect to wireless. To get the clients connected they have to go into there network properties if the wireless card, configure the client to use PEAP, uncheck validate server certificate, and also uncheck use computer name to login into windows. This works fine and the user to able to connect to to wireless after dong all these steps and then entering in there Windows Username and Password. The customer is saying that this is to many steps for the end user and they just want the user to to click on the SSID and connect. If wireless could also be setup to use there windows username and password would be a bonus. I'm basically looking for a solution that is simple but is also secure as well. I know that's an oxymoron. Is there anything I could do to make the wireless process simpler. Either by going with a different security authentication or by doing something different on the clients computers. Thanks for any help and suggestions.

This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
https://sourceforge.net/projects/su1x/
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-qformat:yes;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin:0cm;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-fareast-font-family:"Times New Roman";
mso-fareast-theme-font:minor-fareast;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
Features include:
- Automation of configuration of a PEAP wireless connection on XP(SP3),Vita and Win 7
- Can set EAP credentials without additional user interaction (avoids tooltip bubble)
- Installation of a certificate (silent)
- Checks for WPA2 compatibility and falls back to a WPA profile
- Third party supplicant check -SSID removal and priority setting
- Support tab: (checks: adapter, wzc service, profile presence, IP)
- Outputs check results to user with tooltip and/or to file
- Printer tab to add/remove networked printer
This tool is very cleverly written by Gareth Ayres at Swansea University

802.1X PEAP fails when using special characters in login

I am using MS AD & NPS for 802.1X Enterprise authentication with PEAP (no client certificate - MS-CHAPv2 user credentials for login). This works fine for iOS devices on 8.1 (iPhone 5 and iPad mini) and 6.1.6 (iPhone 3GS) when the user has standard "English" ASCII characters in the username and password.
However, when I introduce Unicode special accented characters in the login name or password such as French é/ù or Spanish ñ then after accepting the server cert authentication fails with "Incorrect username or password for <WLAN name>". Windows 7 and CentOS 6.5 laptops have no problem authenticating to the same setup with either "English" credentials or ones with special accented characters. I also tried an old iPod touch on ancient software version and that fails, so its not something recently introduced.
I tried using a different access point (TP-Link instead of Ruckus) and had exactly the same issue, so highly unlikely this is an AP issue.
Then I setup FreeRadius with and see exactly the same issue, so its highly unlikely to be a MS AD/NPS issue.
When comparing a working/failed authentication Wireshark packet capture on the NPS server, I see the failed attempt is missing the last 4 packets in the authentication exchange. The last packet sent is an Access-Challenge from the NPS server and no response from the iOS device, so the NPS server never even sends an Access-Reject. The iOS device appears to have decided it can't resolve the special characters and terminates the authentication attempt.
To me this seems to be an Apple iOS software deficiency when using Unicode special characters in the username or password for 801.2X authentication?

Enterprise support:
Call enterprise support (866) 752-7753 to create a case ID number
Get an account at
http://developer.apple.com/ then submit a bug report to http://bugreporter.apple.com/
Once on the bugreporter page,
   -- click on New icon
   -- See if you need to attach a log file or log files, clicking on Show instructions for gathering logs. Scroll down to find the area or application that matches the problem.
   -- etc.
Developers:
"Submitting Bugs and Feedback
Your feedback goes a long way towards making our products even better. With Apple Bug Reporter, you can submit bug reports or request enhancements to APIs and developer tools."
https://developer.apple.com/bug-reporting/

Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

Hello,
I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EPA-PEAP & EAP-MSCHAPv2 authentication.
The RADIUS SERVER is M$ IAS.
Authentication is working with a laptop, but it is not with my phone
The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
Does somebody know what should I change in my phone's configuration to make it work ?
Thanks,
Ceux qui aiment marcher en rangs sur une musique :
ce ne peut être que par erreur qu'ils ont reçu un cerveau,
une moelle épinière leur suffirait amplement. -- Albert Einstein

Hi,
Sorry for the late answer since I was "out of the office" for a while
So here is the process to get the certificate.
Log in to you IAS Server.
Open the IAS Service Application.
Go to "Remote Access Policies".
Choose the policy that apply to "Wireless Connection"
Click "Edit Profile" button.
Choose "Authentication" Tab.
Click "EAP Methods"
Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
The Next Window will show you the Certificate Issuer Name & Expiration Date.
Then, click "Start" Button.
Choose "Run".
Type "mmc" in the "Run" box.
Click "File" & Choose "Add/Remove Snap-In".
Click "Add" Button.
Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finnish.
Click "Close" & "OK" Button.
Expand the "Certificates - Current User" Entry" & "Intermediate Certification Authorities" & Select "Certificate".
The left window will show you a list of certificate. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
"Right click" on the certificate, choose "All Tasks", the "Export".
In the new window, click "Next" Button.
Choose "DER Encoded Binary X.509 (.cer) entry & click "Next" Button.
Choose a suitable location.
Click "Next" Button & "Finnish" Button.
Certificate is now exported.
You have to install it on your Phone now.
The most simple way is to copy the certicate on a Web Server and access it with your phone.
Hope that Help, if you did not already succeed.
Ceux qui aiment marcher en rangs sur une musique :
ce ne peut être que par erreur qu'ils ont reçu un cerveau,
une moelle épinière leur suffirait amplement. -- Albert Einstein

Having a problem with PEAP and Cisco 2960 Switch

Hi All,
    I am attempting to use PEAP with a LDAP backend on FreeRadius witht he MS Supplicant. I have it all working, in debug on the Radius server I see it sending all the information, the tunnel, medium etc. but with PEAP the Cisco switch is not changing VLANS. If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2 but peap-mschapv2 does not switch the port to the right vlan. Is there something extra on the switch I need to do to allows PEAP or is there something on the FreeRadius?
    The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates ands the information is sent once(according to the debug on the Radius server) where as with the EAP the connection information is sent several times, that is I will see the Tunnell and medium info sent more then once in the Radius log for just one login.
Any ideas?

Thought I mentioned the client in the first post, I am using the 3 different types of clients with a goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned the EAP-MSChanpV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2. I did not release logs from the Radius server because it seems to be centered with something on the switch changing Vlans but if you want output I can give that..
CSSC Client pops out:
14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828   Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843   Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
*************************Raidus Ouptut for PEAP:**************************
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
**************************Radius ouput for EAP******************************
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that Helps.

802.1x with AD support via ACS 4

Hello ,
I have been trying to configure 802.1x Authentication on a test switch . Authentication will be provided by the ACS server . This worked when I had the client setup for EAP-MD5 and had local user accounts on the ACS server . However this is impractical if we were to deploy this on a large scale. How can i configure 802.1X authentication to occur via the ACS with the ACS looking at the AD database . The trouble is AD does not support EAP-MD5. It supports PEAP but the problem I am having is "EAP-TLS or PEAP authentication failed during SSL handshake "
Has anyone here setup 802.1x with AD integration via ACS 4.0 . Please help.
Thanks.
Karthik

Hi Karthik,
The SSL handshake will fail in our experience for any of the following reasons:
- The supplicant cannot access the private key corresponding to it's certificate - check that the system a/c has pemissions over the private key found in c:\documents and settings\all users\application data\microsoft\crypto\rsa\machine keys
- The ACS sever does not trust the Root Certificate for the PKI that issued the supplicants certificate - Is the Supplicants Root CA present in the ACS Certificate Trust List?
- CRL checking is enabled and the CRL has expired or is inaccessible
If you up the logging levels to full and examine the csauth log closely you should get more detail as to the reason
Hope that helps
Andy

802.1x EAP-PEAP over Ethernet need help !!!

I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
troubleshooting this, I am not sure what else to do. Need help. Here
is the scenario:
- Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
- Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
with IP address of 129.174.2.7. This device is connected to the same switch above.
Firewall is OFF on the server, allow ALL,
- Windows 2003 Enterprise Server supplicant with the latest Service pack and patches. Again,
Firewall is OFF on the server, allow ALL. Juniper has verified the configuration settings
on the Supplicant machine. The supplicant has a static IP address of 129.174.2.15, same subnet
as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
the port is activate to be "hot".
- Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
and that everything is looking fine,
I have verified that the switch can communicate fine with the radius server.
- Configuration on the switch for 802.1x:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
interface FastEthernet0/39
description windows 2003 Supplicant
switchport access vlan 401
switchport mode access
dot1x port-control auto
no spanning-tree portfast (does not matter if this is enable or disable)
lab-sw-1#
.May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
.May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
.May 20 07:52:47.338: EAPOL pak dump Tx
.May 20 07:52:47.338: EAPOL Version: 0x2 type: 0x0 length: 0x0005
.May 20 07:52:47.338: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
.May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
lab-sw-1#
lab-sw-1#sh dot1x interface f0/39
Dot1x Info for FastEthernet0/39
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
Violation Mode            = PROTECT
ReAuthentication          = Disabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 30
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 30
RateLimitPeriod           = 0
lab-sw-1#
I am at a complete lost here. don't know what else to do. Someone with expertise in this realm please
help me how to make this work.
Many thanks in advance,

#1: dot1x system-auth-control is already in the switch configuration
#2: Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
The case is being worked on by Cisco TAC. One of the issues is the windows 2003 server supplicant refuses to work. Windows XP supplicant uses machine-authentication instead of user-authentication. Cisco TAC is looking into this issue.

802.1x with ACS and Windows AD

Hi
Im trying to setup 802.1x with ACS 5.2 but am struggling as its very differnet to ACS 4.2.
I have setup the ACS to be the domain and think i have setup up the External Idnetity Store, however when i try to authenticate a pc using authentication Medthod 'PEAP (EAP-MSCHAPv2), i get a failure reason '22056 Subject not found in the applicable identity store'
Marco

Hi Marco,
i guess you've missed a mapping configuration in the Access Policy Section.
Create a Access Service name it AS-802.1x select User Select Service Type and select Network Access. Select the Policy Structure Identity and Authorization. Select PEAP as allowed Protocol. Click Finish
You'll see the new service click Identity.
Select the identity source you've created then save.
Click on authorization
Select a default authorization rule permit access and save.
Create a Service Access Rule name it 802.1x
Select Protocol Radius as Condition and as Compound Condition select RADIUS-IETF:Service-Type match Framed then select the service you created before.
then you can try again.
regards
alex

802.1x with EAP-TLS and dACLs

Hi,
i'm looking to enable 802.1x on the wired network using EAP-TLS. The radius server will be an ACS5.2 running on the appliance. We'd also need some authorization for different machines - we'd like to use dACLs for that so that machine A will get full access while machine B will get restricted access (both client machines are related to different business units). So machine based auth (clients run XP SP3 or Vista).
I'm not very clear about the following...based on the presented client machine certificate, we should be able to apply an authorization policy (dACL). How can we set this up...anyone else tried this before?
in 'worst' case we could do machine auth (EAP-TLS) to validate it's a corporate machine connecting, followed by user authentication & authorization (EAP-PEAP) to apply access policies based on the user id..with PEAP is see it might be easier to extract user info out of AD to make policy decision...?
Thanks,
Guy

Hi Guy,
provided that the dACL is just part of the Authorization profile that you return to the client, you need to make sure that you have the correct attributes so to allow the authorization policy evaluation.
In ACS 5 when you configure a "Certificate Authentication Profile", the basic option is just to validate the client certificate.
So as long as ACS can validate the cert using the trusted CA certificates installed on ACS, the authentication is successful.
However, if you do so the only attributes you can base your authorization policy evaluation are the non-binary attributes of the certificate itself, as there's no query done to any backend DB in this case.
If you want to evaluate the authorization policy where you want to check for additional attributes that are stored on an external DB (e.g. Active Directory), you can do it in two ways:
1) enable certificate binary comparison on the "Certificate Authentication Profile": this will both perform the binary comparison of the cert and it will fetch the user attributes from AD; this of course requires that the certificate for the user is also stored on the "userCertificate" attribute in Active Directory.
2) configure an "Indentity Store Sequence" where you select:
- Authentication Method List : Certificate based : "Certificate Authentication Profile"
- Additional Attribute Retrieval Search List : Add "AD1" among the selected Identity Stores
In this case ACS won't perform binary comparison of the cert, but it will look for the corresponding user account in AD so to fetch additional attributes (group membership, etc..)
You can find relevant documentation about this on the ACS user guide:
- Configuring "Certificate Authentication Profile"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054057
- Configuring "Identity Store Sequence"
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1054132
- Managing policy elements:
http://www.cisco.com/en/US/customer/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/pol_elem.html
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

802.1x EAP-PEAP - Radius Question

We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
getting a Cisco ACS to run a simple RADIUS server which is all I need.
Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
and how does it differ from the username you provide after the secure TLS tunnel has been configured.

Hey John,
Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
http://www.youtube.com/watch?v=YIxG4OEfwtY
The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
So yes it sounds right and you should be good.
Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
Thanks John!
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

802.1x issues PEAP +Security Update

This is the error I get when I try to join our network with PEAP authentication. I cannot seem to find out what this means. It has worked before; however, ever since the last security update I have not been able to connect.
2006-12-12 15:03:35.133 Internet Connect[239] Error: Unable to join 802.1x wireless network 88001000!
So I was thinking that it might be the network issue. So I took out my old TiBook with a Aria Extreme card and it hooked up with no problems. I also tried it with another Macbook Pro and it was unable to connect also. I'm sooooo lost.
~D

I have been having similar problems on my MBP C2D recently. My iMac C1D gets about 12mbps on the same wireless connection where my MBP gets about 500kbps. They are both connected to an AirPort Express connected directly to a cable modem.
At home today, on my MBP I have been having problems connecting to the internet and staying connected. When I am connected it is very slow. This is on a d-link modem.
I first noticed these problems after installing the airport update and bringing my MBP to my uncles, getting around 500kbps on a linksys wired/wireless router.
2 of these 3 networks have passwords, (the last one I talked about didn't)
MBP 17" 2.33GHz 2GB, iMac Core Duo 17" 1.83GHz 1GB Mac OS X (10.4.8)

WoL over 802.1X with Vlan Assignement

Hello
I have a switch 3560, and an ACS v4
In phase of test i have an infrastructure with 802.1X PEAP with automatic VLAN assignation by the ACS according to the Machine.
My question is:
it possible to implement Wake One Lan on 802.1x with a assigantion of vlan not statics (i.e. without use of command Switchport access vlan XXX)
PS: if I do in statics the VLAN on a port Wake one Lan work without Pb with 802.1X

Ok, on interface 0/19 :
Switchport mode access
speed 100
duplex Full
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
spanning-tree portfast
The software use is like "wolcmd" with configuration of
MAC address of the PC
IP of the PC (give by DHCP reservation)
Subnet mask
Remote port Number : 7
The authentication on ACS work fine and on ACS whe have this field
[064] Tunnel-Type
value : VLAN
[065] Tunnel-Medium-Type
Value : 802.
[Tunnel-Private-Group-ID]
Value : 69
In fact, the only difference between config is assignation static or dynamic of VLAN
I don't know if this what you wan't
thanks

871 802.1x with vlan assignment aka dynamic vlan

you can do vlan assignment on 871W wireless using the local radius server but unfort only LEAP which is N.G.
I have been pounding on wired 802.1x PEAP (which works) trying to get vlan re-assignment. Have tried with IAS which I am using to do vlan reassignment with the WLC so I have the idea of how it works with IAS. With 871, no go. Have also tried ACS for radius with same results: can't escape the switchport's vlan. With debug radius local you can see the tunnel attributes for reassignment plainly but with debug radius with IAS or ACS, nada.
Using 12.4(6)T advanced IP.
I have just seen that 12.4(4)CX2 has "802.1x with vlan reassignment" but the download is MIA. Wonder what's up with that?
Has anybody got this to work? Any info much appreciated
Greg Turner

SSH isn't available on the SI version of the 2950 as you require the Crypto features and these are not available for the SI (the documentation is a little vague here but trust me I have upgraded one and it doesn't like it...). The documentation says 'Switches that support only the SI cannot run the cryptographic image.'
802.1x with VLAN assignment is available only in the latest IOS - or at least since 12.1(22).
SNMPv3 is supported.
HTH
Andy

802.1x with PEAP fails on Unified

Similar Messages

Maybe you are looking for