ACS 4.0 EAP-TLS Cert not working

Similar Messages

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• TLS patch not working

  Hi all!
  I'm trying to apply a patch and it's not working. I've searched the web, metalink included and nothing... plus, the version numbers confuse me. Please advise.
  Thanks in advance!
  Here goes the apply verbose output (I'm sorry for the long output):
  [oracle10@as1 6370967]$ opatch apply -verbose
  Oracle Interim Patch Installer version 1.0.0.0.63
  Copyright (c) 2009 Oracle Corporation. All Rights Reserved..
  Oracle recommends you to use the latest OPatch version
  and read the OPatch documentation available in the OPatch/docs
  directory for usage. For information about the latest OPatch and
  other support-related issues, refer to document ID 293369.1
  available on My Oracle Support (https://myoraclesupport.oracle.com)
  Oracle Home : /opt/oracle/product/10g
  Oracle Home Inventory : /opt/oracle/product/10g/inventory
  Central Inventory : /opt/oracle/oraInventory
  from : /etc/oraInst.loc
  OUI location : /opt/oracle/product/10g/oui
  OUI shared library : /opt/oracle/product/10g/oui/lib/linux/liboraInstaller.so
  Java location : /opt/oracle/product/10g/jre/1.4.2/bin/java
  Log file location : /opt/oracle/product/10g/.patch_storage/<patch ID>/*.log
  OPatch Version 1.0.0.0.63
  Perl Version 5.008003
  Performing pre-patch installation checks.
  .patch_storage exists, checking its perms and changing it if necessary.
  Creating log file "/opt/oracle/product/10g/.patch_storage/6370967/Apply_6370967_03-26-2010_15-15-05.log"
  Starting OPatch Apply session at 03-26-2010_15-15-05.
  Command arguments parsed by OPatch are: apply -verbose
  OPatch version is: 1.0.0.0.63
  The contents of the file: /etc/oraInst.loc
  inventory_loc=/opt/oracle/oraInventory
  inst_group=oinstall
  Performing RAC prerequisite checks...
  Accessing inventory ... (retry 10 times, delay 30 seconds each time)
  System Command: /opt/oracle/product/10g/jre/1.4.2/bin/java -Doracle.installer.invPtrLoc=/etc/oraInst.loc -Dopatch.retry=10 -Dopatch.delay=30 -classpath "/opt/oracle/product/10g/oui/jlib/OraInstaller.jar:/opt/oracle/product/10g/oui/jlib/srvm.jar:/opt/oracle/product/10g/OPatch/jlib/opatch.jar:/opt/oracle/product/10g/oui/jlib/xmlparserv2.jar:/opt/oracle/product/10g/oui/jlib/share.jar:/opt/oracle/product/10g/jlib/srvm.jar" opatch/O2O "/opt/oracle/product/10g" "/opt/oracle/product/10g/oui" opatch.pl 1.0.0.0.63
  Result:
  output to OPatch:
  NODE_LIST=NULL
  NODE_COUNT=0
  LOCAL_NODE=NULL
  IS_CFS=0
  RAC_CODE=0
  HOME_INDEX=1
  This is not a RAC system
  Backing up the rollback script as "/opt/oracle/product/10g/.patch_storage/6370967/rollback_6370967.sh_03-26-2010_15-15-06"
  Interim Patch ID: 6370967
  Checking the patch inventory.
  Component Name: oracle.rdbms.rsf
  Component Version: 10.2.0.3.0
  This is a rolling patch.
  Bugs fixed by this patch 6370967:
  6370967 : TLS 1.0 HANDSHAKE FAILS WHEN THE CLIENT IS RUNNING ON VISTA
  Reading patch XML files and doing sanity checks.
  Read the command to action file map.
  Performing initial safety check.
  Oracle Configuration Manager (OCM) is included with this release of OPatch.
  This is a OCM patch.
  Home has OCM installed but not configured.
  Invoking fuser to check for active processes.
  Skipping invocation of fuser on "/opt/oracle/product/10g/bin/oracle" as the file does not exist or is a directory.
  Checking active processes:
  Accessing inventory ... (retry 10 times, delay 30 seconds each time)
  System Command: /opt/oracle/product/10g/jre/1.4.2/bin/java -Doracle.installer.invPtrLoc=/etc/oraInst.loc -Dopatch.retry=10 -Dopatch.delay=30 -classpath "/opt/oracle/product/10g/oui/jlib/OraInstaller.jar:/opt/oracle/product/10g/oui/jlib/srvm.jar:/opt/oracle/product/10g/OPatch/jlib/opatch.jar:/opt/oracle/product/10g/oui/jlib/xmlparserv2.jar:/opt/oracle/product/10g/oui/jlib/share.jar" opatch/CheckConflict "/opt/oracle/product/10g/oui" "/opt/oracle/product/10g" opatch.pl 1.0.0.0.63 6370967 "6370967 " "/home/oracle10/ano/as/9_patch_6370967/6370967/etc/config/actions" "/home/oracle10/ano/as/9_patch_6370967/6370967/etc/config/inventory"
  Result :
  MISSING_COMPONENT : oracle.rdbms.rsf, 10.2.0.3.0
  MISSING_COMPONENT : oracle.rdbms.rsf, 10.2.0.3.0
  ERROR: OPatch failed during prerequisite check.
  And the lsinventory output:
  [oracle10@as1 6370967]$ opatch lsinventory
  Oracle Interim Patch Installer version 1.0.0.0.63
  Copyright (c) 2009 Oracle Corporation. All Rights Reserved..
  Oracle recommends you to use the latest OPatch version
  and read the OPatch documentation available in the OPatch/docs
  directory for usage. For information about the latest OPatch and
  other support-related issues, refer to document ID 293369.1
  available on My Oracle Support (https://myoraclesupport.oracle.com)
  Oracle Home : /opt/oracle/product/10g
  Oracle Home Inventory : /opt/oracle/product/10g/inventory
  Central Inventory : /opt/oracle/oraInventory
  from : /etc/oraInst.loc
  OUI location : /opt/oracle/product/10g/oui
  OUI shared library : /opt/oracle/product/10g/oui/lib/linux/liboraInstaller.so
  Java location : /opt/oracle/product/10g/jre/1.4.2/bin/java
  Log file location : /opt/oracle/product/10g/.patch_storage/<patch ID>/*.log
  Creating log file "/opt/oracle/product/10g/.patch_storage/LsInventory__03-26-2010_15-11-32.log"
  Result:
  Installed Patch List:
  =====================
  1) Patch 8555288 applied on Fri Mar 05 15:52:21 WET 2010
  Unique Patch ID: 11437032
  [ Bug fixes: 8555288  ]
  OPatch succeeded.
  ###############################################3

  Tell us about the product, type of OAS, version and what patch are you trying to apply.
  Frankly, digging from the logs of your output some of this information and you would get fewer responses than what you would get if you introduce your system.
  thanks,
  AMN

• InCommon Code Signing Cert not working in Profile Manager

  We acquired a Code Signing Certificate from InCommon for signing profiles, and it doesn't want to work with Profile Manager.
  In the Certificates section we have our working SSL cert for the web server, and self-signed SSL and Code Signing certs.
  When I try to import the p7s file it lists four non-identity certificates and then says that it can't be used as a code signing certificate. 
  Has anyone ever managed to get an InCommon code signing cert to work with OSX Server?

  Hello,
  In RFC SAP-OSS, i maintained my S-user id and its password.
  As already told my router connectivity and   SAPOSS rfc working fine.
  regards
  Vinayag.K.C

• Uploading 3rd Party Cert NOT Working Prime LMS 4.2

  Hi all,
  I followed the next steps but when I tried to upload the 3rd party cert into the Prime LMS using SSL Utlity Script option 5 or 6, the process is stuck. I did not get a message similar to step 4 like: "introduce the location of the certificate...."
  1.-Create a CSR using OpenSSL as usual. (it always works on Cisco ISE, ACS, etc).
  2.-Create the LMS Server Certificate on my local CA Server using the previous CSR.
  3.-Downloaded the CA Root & Intermediate Servers Certificate (Base64 Encoded - In fact the Cisco Guide DO NOT MENTION this part, only when I ran the OPTION 4, I realized I needed it instead of DER Encoded I have been using regularly).
  4.-Downloaded the Prime LMS New Certificate, again 64Base Encoded.
  5.-Using SSL Utility Script, I ran Option 4 to validate the Certificates previously downloaded and the process went sucessful. No error messages.
  6.-TRY TO UPLOAD the LMS and CA Server Certificates but the process is STUCK after introducing YES whe this is required.
  Any ideas about this (may be is a bug or similar)?
  thanks
  Abraham

  I get the identical message with a USB audio device (Cakewalk UA1G) attached to the camera connection kit. I started getting the message after I upgraded to 4.2.1.
  I started a thread about it here this morning...
  Apple has done something unpleasant to the USB power requirements in the 4.2.1 upgrade.

• Profile manager sign with cert not working with signed cert

  Hello all,
  I purchased a Code Signed Certificate from DigiCert (Who I have many other certs with)
  I downloaded it and imported it into profile manager, it origionally told me that "This certificate could not be used to sign a profile" but after a restart that error went away, but now when I click the checkbox to enable signing it tries for 5-7 seconds and then just unchecks the box, but does not show an error.
  If I change back to the self signed it works fine.
  Has anyone had success with DigiCert Code Signed cert? or with this issue with another cert company?
  Thank you,
  -Patch
  Patch Charron
  Kensington Church

  Solved.
  Got it working by calling DigiCert support.
  They had me get the cert from Firefox in Windows and transfer it and apply their own intermediate certificate.
  Thanks for Digicert support for such a responsive support team.
  -Patch

• ACS 4.2 and EAP-TLS with AD and prefix problem

  Hi there
  we have the following situation:
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
  First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
  Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
  This is the normal output of the Remote Agent, it finds the host but then nothing happens:
  CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
  CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
  CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
  CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
  So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
  test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
  CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
  CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
  It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
  Could this be the problem or does someone see any other problem?
  Best Regards
  Dominic

  Hi Colin
  thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
  I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
  Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
  Regards
  Dominic

• EAP-TLS Win2003 CA and IAS...not checking CRL?

  Hi
  I've got EAP-TLS setup and working using Win2003 CA and IAS as the RADIUS backend. I've issued certs to my wireless users, and now I want to revoke a certificate, so in the CA, I revoke the cert and then under Revoked Certs I click on publish...yet the user can still authenticate and communicate. How can I configure the IAS to check the CRL? Thanks

  Hi,
  I'm battling to setup EAP-TLS with AP1200,windows AD 2003 and IAS.Are there any funny tricks in setting up
  EAP-TLS with IAS.
  On the AP1200 I keep getting AAA unsupported.
  regds
  Johnny

• ACS V 4.1.1 build 23 Password Aging over SSH does not work.

  Hi, my name is Elias and I have problems with ACS Password Aging over SSH does not work and there is no password aging meseges sent by ACS to de console when I use SSH. I know that there is problems with this but I can't find any workaround or documentation that says that there is no workaroun. Can you help me with this??
  King Regards.

  Hey Elias,
  SSHv1 does not support password changes as you can do in telnet. You will need to be
  running a version of IOS that supports SSHv2.
  The following site explains what versions support this:
  http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feat
  ure_guide09186a00802045dc.html
  Rgds,
  somishra

• Eap-tls wired 802.1x - certificate issue?

  I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
  If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validatiny Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached then it dumps the workstation into the guest vlan. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
  Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port either by diabling/enabling from the workstation or switch, or unplug the cable and plug it back in, Windows does not seem to pass the certificate information along to the PAE.
  This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate
  Has anybody seen this before and have any solutions why Windows cannot recogonize the machine certificate properly?

  We solved our WIRELESS problem by editing the following entrees. I sure this can be applied to the wired side somehow.
  The information about the correct settings can be found in this Microsoft document:
  http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
  The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
  This allows just the machine to authenticate (using a Cert all ready on the Machine) then we use our ACS server to auth the user via AD.
  I am doing this wirelessly and using as long as you are using a WDS the following will be the result.
  Roaming AP to AP I only lost 1 packet.
  Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
  Shutting the wireless off and back on I only lost 8 packets.
  I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

• 802.1x eap-tls machine + user authentication (wired)

  Hi everybody,
  right now we try to authenticate the machines and users which are plugged to our switches over 802.1X eap-tls. Works just fine with windows.
  You plug a windows laptop to a switchport and machine authenticates over eap-tls with computer certificate. Now the user logsin and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After eap-tls user-authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success, if no the switchport will not allow any traffic.
  Now we have to implement the same befaviour on our MacBooks Pro. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now im able to authenticate the machine, and _only_ if I login. As soon as I logout eap-tls stops to work. It seems that loginwindow does not know how to authenticate.
  1) how do I tell Mavericks to authenticate with computer certificate while no user is loged in ? already tried profiles with
  <key>SetupModes</key>
  <array>
      <string>System</string>
      <string>Loginwindow</string>
  </array>
  <key>PayloadScope</key>
      <string>System</string>
  but it does not work
  2) How do I tell Mavericks to reauthenticate with user certificate when user logs in ?
  Thanks

  Unfortunatelly this documents do not describe how to do what I want.
  I already have an working 802.1x. But the mac only authenticates when the user is loged in. I have to say that even this does not work like it should. If Im loged in sometimes i need to click on "Connect" under networksettings and sometimes it connects just automatically. Thats really strange.
  I set the eapolclient to debugging mode and see following in /var/log/system.log when I logout.
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
  Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
  this are only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
  The certificates are in my System keychain.
  Unfortunatelly apple also changed the loging behaviour of eapolclient, I dont see any eapolclient.*.log under /var/log
  Any ideas ?

• PEAP & EAP TLS

  Hi We have controller based wireless network we are running PEAP till date now we want to go for EAP-TLS along with PEAP. I have configured the EAP-TLS but not PEAP is not working as well as EAP-TLS. Can any body tell me can both work together. I have ACS running with version 4.1. We had self signed generated cert on ACS for PEAP now we have installed certificate from CA.
  but now PEAP is stopped working & EAP-TLS is also not working.
  Please help me to fix this.

  Hi friend,
  first hint: You will need one SSID per protocoll.
  Since these kind of problems may base a very wide variety of issues have a look in these documents:
  http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html
  These docs gave me the right direction.
  Good Luck.
  Frank

• Implementing EAP-TLS in the enterprise

  Hi all,
  I'm currently performing a review of our global corporate wireless network with a view to implementing user and device authentication. We currently use PEAP-Ms Chapv2 and i'm considering the move to EAP-TLS, however I understand this has its pitfalls in terms of added administrative overheads, particularly around manging user certs.
  Does anyone have any experiencing in rolling EAP-TLS that can provide me with some advice about what to look out for? We have a full PKI and I understand auto enrolment of user certs can be done using group policy and AD but has anyone seen any other issues I should be wary of?
  We have a full Cisco autonomous unified wireless network with Cisco ACS servers for our Radius, tied into AD.
  Appreciate any comments, advice or even direction to other resources where I can find some valuble info.
  cheers.
  Rob

  Rob,
  Since you are already using PEAP, moving to EAP-TLS is not that bad.  Again.... you already have a PKI infrastructure and domain computers should have a certificate already.  So with GPO, you just make a change to the wireless profile to change from PEAP to EAP-TLS.  Peolpe do look at it as more management.... well it sort of is, but if you have staff that is experience in setting up the PKI, GPO, etc, it really isn't that bad.  Client device support is what you will need to look at.  If you have devices like iPads, non domain computers that need to be on the network, then maybe you will need to add EAP-TLS and keep PEAP for those other devices.

• EAP-TLS with Novell NDS

  I configured EAP-TLS for the wireless LAN in the Novell 6 environment. However encountered a problem on the ACS with Novell NDS. Attached is the error messge, any advice on how to overcome ? I have generated the server key and the client key from Windows 2000 server. The error message is 'AUth type not supported by Ext DB'

  EAP-TLS is not supported with Novell NDS as per the compatability matrx shown in the following document,
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm

• ISE: advising users that only EAP-TLS can be used

  A large school board accepts only EAP-TLS connections.  This requirement is easily dissiminated to teachers, however not to students whose personal devices keep trying to connect using PEAP.   Once users connect with EAP-TLS, they are authenticated on AD.
  1. Could we from the Switch port block PEAP but let EAP-TLS go through? I couldn't find a command for this.
  2. If we can't stop PEAP requests from reaching ISE, could we treat the PEAP connections as CWA, but have a special Authorization Rule that would say if inner tunnel is PEAP then do CWA-nonEAP-TLS web authentication which would be a customized web page that would have a message instructing the students how to use EAP-TLS? would that make sense?
  3. Do you have better suggestion how to either block PEAP before it reaches ISE or a way using ISE to let users know that they must use EAP-TLS, not PEAP if they wish to connect?
  Thanks.
  Cath.

  Hi Tarik,
  Of course, I know about the Allowed Protocol which currently has only Host Lookup and EAP-TLS enabled.  But that technique, of not allowing PEAP in ISE Authentication policies, doesn't stop thousands of students devices from hitting ISE with PEAP traffic.  Students have heard that they are allowed to connect to the school network using dot1x, so they turn it on on their PC without regards of to which EAP flavour they are supposed to use.  Thus, the ISE box getitng hit with PEAP requests which it drops.  The school board would like to deal with that PEAP traffic. 
  To alliviate this problem, of the ISE box getting constantly PEAP traffic from the same device over and over again in the course of a day, I was wondering:
  1. can we stop PEAP traffic before it arrives to ISE?  is there a way for the switch to differentiate that it's a PEAP and not EAP-TLS and to drop it before passing it to ISE? I don't think so.
  2. if the switch can't stop PEAP , how is the best way to have ISE process the PEAP traffic?   because if ISE only reject the PEAP traffic, it is constantly hit back that the same device sending over and over PEAP traffic to ISE. 
  I suggested to the client the two following possible ways:
    a. authorization rule based on Network Access: Tunnel PEAP that provides CWA with customized webpage telling the students to use EAP-TLS and not PEAP (this technique is explained in para 2. of my original posting).
    b. create a blackhole VLAN where the students personal PC that are arriving with PEAP are put.  This VLAN doesn't go anywhere, but at least the PC has stopped hitting ISE with PEAP traffic for a few minutes, until the student decides to restart his/her connection.   
  I also recommended to the client that they have a better technique to inform the students that only EAP-TLS is available, like posters on the wall, blast email, on School FB page, etc .  but information dissimination is not an IT problem, it's a communication problem. 
  Looking forward to your suggestions.