ACS 5.1 - EAP-PEAP - Imported public cert - Clients still get cert error

We have ACS 5.1 up and running. Our company has a SuperCert purchased from Thawte, so we requested a certificate. Once we figured out the formatting we were able to successfully get the certificate to bind to the CSR. For some reason our Windows 7 users are prompted the first time they connect with an option to terminate or continue. If they continue they are able to connect to the WLAN just fine. Our Mac users are always prompted with the cert error, even if they install the certificate. Unlike ACS 4.x and earlier, I do not see where I can import the Root CA, so we are thinking about purchasing another certificate from another public CA, but who? Any thoughts or ideas would be greatly appreciated.

Hi,
Advertisement apart, Verisign is widely used and trusted.
However, even using your current CA, you should be able to install the Root CA and the ACS cert on the client machines under the trusted CAs and then the warning should not popup anymore.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • Flash CC on W7. By importing fl.controls like 'import fl.controls.Button'; I get compilation error 1172. Solution?

    Can you show the relevant code and the complete error message? Before running, go into your Flash Publish Settings and choose the option to Permit Debugging; it can help by adding information to the error message.

  • When importing photos into iPhoto I get an error Unreadable Files:

    When importing photos into iPhoto I get an error Unreadable Files: The following files could not be imported (they may be an unrecognized file type or the files may not contain valid data).
    I can open the JPG in question with Preview, Photoshop etc. Actually, if I try to import a photo that I had originally imported it also fails.
    Please help... Thank you.

    I too had this error message (and to be honest, it was becoming a bit of a pain). I resolved it in a slightly different way to Terence.
    I had 10 photos that were allegedly unreadable; however, as Terence rightly says, they are duplicates. When I opened iPhoto I made a note of each of the files concerned and did a Spotlight search throughout my hard drive.
    For each photo, there were four or five duplicates. I deleted all but one of each of the photos and then reopened iPhoto. No more error message.
    The original problem stemmed from importing my files directly from an external device I was using with a previous computer [that was running XP].
    Anyway, hope this helps.
    Andy

  • When importing my Tournament PDF I get an error

    Is there a limit on how many fields can be imported? I am getting an error message when importing and the details of the problem don't tell me anything. I have about 100 date fields on my Tournament sign up entry form.

    I am not aware of any limit. Would you mind sending your PDF to me at [email protected]?
    Thanks
    Ken

  • While importing a certificate I'm getting an error. What to do?

    I am trying to import a certificate, but after filling in my password I am getting the following error:
    PKCS #12-processing failed, reason unknown.
    (I translated this from Dutch, so it may not literally be the same...)
    Hope someone out there knows what to do...

    You can contact the iTunes Store Customer Service department at no charge using the form on their Support page (select the category and subcategory closest to the issue you're reporting and you'll find an "Email Us" button) and explain your problem to them.
    Copied from Varjak Paw in: https://discussions.apple.com/thread/2598671

  • While trying to import an audio CD, I get an error message, "you don't have the privilege to make changes"

    I'm trying to import an audio CD into iTunes, but I keep getting a message saying, "Error occurred while converting the file . . . You do not have the privilege to make changes." I've tried selecting all the different encoders, WAV, MP3 and AAC, and still nothing works. I would appreciate the help.

    Try HT203242: iTunes for Windows: Optical drive is no longer recognized, or "Disc burner or software not found" alert after install.
    tt2

  • ACS 4.1 PEAP using public signed certificate (verisign)

    Hi,
    Could you give me some advice about the PEAP implementation with an ACS server? I understand that a self-signed certificate should work well, but I have these thoughts. The self-signed certificate is valid for 1 year and after this period a new self-signed certificate has to be created. What should be the impact on the wireless users at this point? What I understand is that the new certificate should also be imported to the clients so they can validate the server certificate. If that is correct (not sure though) this will bring a huge amount of work when the certificate expires and you have hundreds of wireless clients.
    Is it possible (and what are the requirements of the certificate itself) to install any publicly signed certificate, like Verisign's, on the ACS for the PEAP process? Will that ease the workload when the certificate has to be renewed? I assume that any Windows machine, for example, has Verisign among its default trusted root certificates in its store and no further interaction should be needed on the client side.
    kind regards
    Boris

    Hi there,
    First we need to understand why a cert is important. A cert is used to create a tunnel that allows the wireless client to send their logon in a secure fashion. So imagine a tunnel over wireless/wired between your client and the RADIUS server.
    The idea of trusting the cert is SPECIFIC to the wireless client. You can choose to TRUST the cert or NOT. Totally client independent. Why this is important: suppose for a moment that someone comes into your place of business and broadcasts your SSID from their AP. Your clients could attach to this AP. And suppose they run FreeRADIUS on a small box. From this RADIUS server this person sends a BOGUS cert. If your client isn't trusting the correct cert, or not trusting ANY, your client will accept the bogus cert, build a TLS tunnel, and send their logon.
    Can you get a signed cert? Yes, most folks do as it eases deployment. Or if you have a PKI you can push your own cert.
    Also, note you can have your client really analyze the cert and only trust specific certs and cert common names, example ACS01-ABC.
    I hope this helps ..
    Please support the rating system if you find any of this helpful!

  • Nokia Belle - EAP-PEAP authentication without Cert...

    It's time for my half-yearly bickering about the still non-support for EAP-PEAP authentication without server certificates on Symbian phones.
    Here is my last thread begging for help from Nokia when Anna was released.
    /t5/Software-Updates/EAP-PEAP-Authentication-without-Certificate-Is-it-fixed-in/td-p/1072133
    My question remains the same. Does the new Nokia Belle support EAP-PEAP authentication without the requirement that a server certificate be present?
    I have been living a life of ridicule and have become an object of jokes and punchlines in the office when it comes to the phone that I carry. Lots of people now don't even know that there is a company called Nokia. And when I tell them about it they say "Are you the guy carrying the phone that does not connect to our corporate network?"
    If you read that earlier thread you know that none of the exotic workarounds that some have been able to do work with my office, as our network administration has not installed any server certificate whatsoever on the access point.
    I am fed up with hearing from Nokia techs that this is supposed to be the secure and right way of doing things. When every other device, every smartphone, tablet, laptop supports this way of connecting to an EAP-PEAP access point, why does Nokia have to keep this stance?
    Nokia has kept everything open on the Nokia N8, it has everything that anyone can ask for in a smartphone, so why is Nokia so adamant on this small matter of not requiring a server certificate?
    Now that the WP7 line of Lumia devices is on the market, can someone tell me if the problem exists on those phones too? I won't be surprised if this restriction is still there.
    With Nokia going downhill so fast, it does not help with this kind of attitude towards diehard Nokia followers.
    Can someone from Nokia tech say once and for all if I can ever expect this thing to be fixed?
    raman

    ramany wrote:
    What should be an appropriate title for this thread? There was an older thread for the same that I started six months back when Anna was released. So I was expecting something to happen with Belle.
    If nothing happens I will probably start a new one when future updates to Symbian in Clara, Donna, Emma, Florina, Georgia, Hanna, Isabelle, Jenna, Kate, Linda, Marie, Nancy, Olivia, Patty, Quinn, Rita, Sabina, Terry, Uma, Vega, Wyome, Xandra, Yetta and Zoe are released.
    I hope Symbian (Nokia) lasts that long, but the support of this comes in Belle.
    I see no jokes yet... come on guys, isn't anyone subjected to jokes because of this?
    At least give me some so I can feed more to the ones going around.
    Well, I believe the example of EAP-TTLS + PAP authentication isn't 'without certificates'... it does use certificates, but EAP-TTLS + PAP just doesn't happen to be a supported authentication method with recent Symbian phones.
    I'm not any sort of wireless authentication guru, but there's probably a better, more precise description of the authentication support (probably a few methods) that's currently missing in Symbian.
    And a couple more details for some wireless authentication methods... I believe Windows users typically have to grab a third-party 'securew2' utility to support some of the more robust (read better, more secure) authentication methods for some networks.
    I think one of the more valid arguments for EAP-TTLS + PAP in general, is that I believe it may be part of the 'Eduroam' standard, although MSCHAPv2 may also be substituted for PAP, IIRC... but again, I'm not a wireless authentication guru.
    In any case, if well-known, widely-implemented (or soon to be implemented, for good reason) authentication methods aren't supported in Symbian, it just makes Symbian look a bit ridiculous and irrelevant.
    Your previous thread was quite good, and it may make sense to keep bumping that thread for updates periodically. I noticed that someone mentioned an MSCHAPv2 scenario in that thread, but again... that's not actually helpful for resolving EAP-TTLS + PAP support, and I think that there's probably a concise way to describe the current 'missing authentication methods support' in Symbian.
    It continues to baffle me how Nokia seems to have such a quiet, secretive presence on these forums, when I think it would make much more sense to publicly acknowledge relevant threads/discussions, and make a statement about planned fixes, updates, etc... rather than just have people wonder if/when Nokia is paying any attention to the discussions here.

  • Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921

    Hi All,
    I installed WLCs to provide a WLAN architecture and the project was extended for VoWLAN. We have 7921s and E51s running over the wide WLAN architecture.
    Computers using data over wireless are working with PEAP done by ACS and a CA-signed certificate; the user secret on the PC is linked to the domain account and the secret stays the login and password. Our problem is that the user and password are linked via ACS to Active Directory. The password policy is to change it frequently.
    For the phones we are actually running authentication over LEAP, but I'm working to define the best security solution for us.
    I am comparing PEAP and EAP-TLS for now:
    1) PEAP checks the authentication of the ACS via certificate trust and authenticates via MS-CHAPv2 and the secret password known by the user. My problem here is the phone can only be static, which is potentially not acceptable.
    2) EAP-TLS, which is the best secured due to the double-sided certificate authentication + (login / password) on the phone.
    So I need to manage Certificate Management here? I mean I can use either the MIC CA certificate on the phone or a user CA defined one, which I can put on the ACS or the Local EAP WLC, and then put the ACS CA trust on the phone.
    If I understood well, I have to put User.cer and ACS_CA.cer on each phone and put the User_CA on the ACS?
    I already have a certificate on the ACS signed by a CA (like VeriSign), so I must create a CSR for every phone to be able to use the same CA?
    I'm thinking of also using the local EAP certificate of the controller to manage all of that, to avoid any potential money to pay to the trusted CA of the ACS.
    Can you help me to know if I understood everything correctly? I would be pleased to exchange experience on that.
    thanks ;)
    bye

    I am currently using EAP-TLS authentication for my wireless users using ACS 3.2. I have had that problem before. This is what I did...
    Set up a Microsoft Certificate server as my CA. You can use the same machine for your ACS and CA.
    Then, generate a certificate signing request from the ACS, request a server certificate from the CA, then copy and install the certificate on the ACS. On the ACS, go to global authentication setup and check the EAP-TLS certificate. If it fails to respond, it means that the server certificate is not properly set up.
    On the Windows XP clients, connect your machine using wired LAN, then request a certificate from the CA (the same CA that you used for your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be your local Windows user; use 1024, choose Microsoft Base Cryptographic Provider 1.0, then install the certificate on the client. Verify your client certificate was installed properly.
    At that point you should be able to connect your wireless client using EAP-TLS.

  • WIFI: EAP-PEAP

    Hi everybody,
    I'm in a US university and I'm trying to set up my E65 to connect to their wireless network in order to contact my family in Belgium through VoIP. Unfortunately, I'm unable to connect to the network. Can someone please help me out?
    This is a screenshot of how my computer is configured (sorry, it's in French):
    http://img57.imageshack.us/img57/8995/wlanbl8.jpg
    After that I have to put in my username and password and I have to leave the domain field blank.
    This is the configuration on my E65:
    Connection Name: msu1x
    Data Bearer: Wireless LAN
    WLAN netw. name: msu1x
    Network Status: hidden
    WLAN network mode: Infrastructure
    WLAN security mode: WPA/WPA2
    WLAN security settings =>
    WPA/WPA2: EAP
    WPA2 only: disabled
    EAP plug-in settings =>
    EAP-PEAP selected and first. All others disabled.
    EAP-PEAP configure =>
    User Certificate: not defined
    CA Certificate: none
    User Name in Use: User-configured
    User Name: my_user_name
    Realm in Use: User-configured
    Realm: Empty
    Allow PEAPv0: yes
    Allow PEAPv1: yes
    Allow PEAPv2: yes
    EAP-types: =>
    EAP-MSCHAPv2 selected and first. All others disabled.
    EAP-MSCHAPv2 configure: =>
    User Name: my_user_name
    Prompt Password: no
    Password: my_user_name
    Ciphers:
    RSA,3DES,SHA selected and first. All other selected.
    I'm really sad because I wanted this phone to use VoIP and now I can't use it...
    I'd really appreciate it if any of you could help me out!
    Thanks in advance

    I used these settings a while back on several models:
    /discussions/board/message?board.id=connectivity&message.id=6472&query.id=153958#M6472
    WLAN security mode: 802.1X
    WLAN security settings:
    WPA mode: EAP
    EAP plug-in settings: EAP-PEAP (only one checked, top of the priority list)
    EAP-PEAP->Options->Configure:
    [General] tab
    User Certificate: (not defined)
    CA certificate: (Cisco ACS CA)
    User name in use: From Certificate
    User name: (Blank)
    Realm in use: From Certificate
    Realm: (Blank)
    Allow PEAPv0: Yes
    Allow PEAPv1: No
    Allow PEAPv2: No
    [EAP] tab
    EAP-MSCHAPv2 (only one checked, top of priority list)
    TKIP encryption: disabled (not displayed)
    EAP-MSCHAPv2 Configuration
    Username: (AD Domain name)\(Username)
    Prompt password: No
    Password: (domain password)
    [Encryption] tab
    (All algorithms are checked)
    Remember to choose hidden in network status, if you have a hidden SSID!
    Also I use DHCP and a web proxy.
    You may wonder why there is nothing in username and realm, but this is since PEAP doesn't verify the certificate, hence you do not need any.
    Although in most of my other tests I did have user name and domain, but this failed! Weird.
    A note: When I installed the ACS CA Certificate I chose Internet=Yes and Cert-control online = No
    (Find this under Tools - Security - Certificate control; choose the Cert and choose "trust settings".)
    Anyway, the above settings work.
    So the E60, E61, E70 and N80 work with LEAP and PEAP!!

  • How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...

    I am trying to connect to the company network, but it always shows "PEAP authentication failed".
    There are only instructions for iPhone and PC.
    security : WPA2-Enterprise
    authority certificate : None
    Security Type : PEAP
    Inner Link Security : EAP-MSCHAPv2
    additionally MAC address filtering is used.
    The access point I set is as follows:
    network status: public
    wLAN network mode: infrastructure
    security: WPA/WPA2
    WPA2 only mode: off
    EAP plug-in setting: EAP-PEAP enable only
    personal certificate: not defined
    authority certificate: not defined
    user name: user-defined   BLANK
    realm in use: user-defined   BLANK
    allow PEAPv0
    MSCHAPv2
    user name: username
    password: mypassword
    We have a domain, but there is no instruction about the domain in the iPhone guide.
    Is there anything wrong with my settings?

    WPA2-Enterprise is not supported on your device.
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • EAP-TLS and EAP-PEAP Clients

    Hi guys
    I have installed a dot1x solution for a customer using ISE. The IP phones have certificates from the CUCM server. In ISE a wired dot1x policy with EAP-TLS enabled is configured, so that when IP phones or PCs connect to the network they get authenticated using EAP-TLS. I have the required certificates imported on the PCs and the ISE server. That part works absolutely fine.
    Now I have been asked to configure EAP-PEAP for video endpoints which don't support EAP-TLS.
    The endpoints are configured with a username and password. The credentials are created in the ISE server.
    I created a second policy for wired dot1x with EAP-PEAP enabled.
    The problem I am hitting is that if the PC and phone policy is on top, the phone and PC get authenticated, but the video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
    When I move the video endpoint authentication rule above the PCs and phones, the video endpoints get authenticated successfully, but PC and phone authentication breaks. The error message I receive says username and password expected but received a certificate-based authentication.
    Has anyone seen this type of scenario? Any idea how to make EAP-PEAP and EAP-TLS authentication work together?
    Thanks in advance.
    Sent from Cisco Technical Support iPad App

    Hi,
    There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
    You need to create an identity store sequence. This allows you to mix both certificate-based and password-based authentications; keep in mind that you can only map one Certificate Authentication Profile when using identity store sequences. More information about configuring this is provided below:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
    The next option would be to use the authentication policy configuration to match the pattern of the username (if common to your video endpoints) and forward their requests to the internal identity store. You can use a regex to make this work, checking the RADIUS username attribute.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
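The first-match ordering problem in this thread, and both fixes Tarik describes (an identity store sequence, or a rule that matches on EAP method and the video units' username pattern), modelled in Python as an added example. This is not ISE code; the rule fields, store names and endpoint usernames are constructed assumptions that mirror the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    """One 802.1X request as the policy engine sees it (constructed sample)."""
    username: str
    eap_method: str        # "EAP-TLS" or "EAP-PEAP"
    has_client_cert: bool  # EAP-TLS presents a certificate, PEAP/MSCHAPv2 a password


@dataclass
class Rule:
    """One row of an ordered authentication policy (assumed field names)."""
    name: str
    identity_store: str                   # "cert_profile", "internal_users" or "sequence"
    eap_method: Optional[str] = None      # condition: EAP method must equal this
    username_regex: Optional[str] = None  # condition: RADIUS User-Name must match

    def matches(self, req: Request) -> bool:
        if self.eap_method is not None and req.eap_method != self.eap_method:
            return False
        if self.username_regex is not None and not re.fullmatch(self.username_regex, req.username):
            return False
        return True


def lookup(store: str, req: Request) -> str:
    """Identity store behaviour: a certificate profile only understands
    certificates, an internal-user store only understands passwords, and an
    identity store sequence tries whichever fits the credential type."""
    if store == "sequence":
        store = "cert_profile" if req.has_client_cert else "internal_users"
    if store == "cert_profile" and not req.has_client_cert:
        return "FAIL: certificate expected but received credentials"
    if store == "internal_users" and req.has_client_cert:
        return "FAIL: username/password expected but received certificate"
    return "PASS"


def authenticate(policy, req):
    """First matching rule wins; later rules are never consulted."""
    for rule in policy:
        if rule.matches(req):
            return rule.name, lookup(rule.identity_store, req)
    return None, "FAIL: no matching rule"


# Constructed endpoints from the thread: PC and phone do EAP-TLS, video unit does PEAP.
PC = Request("pc-finance-01", "EAP-TLS", True)
PHONE = Request("SEP001122334455", "EAP-TLS", True)
VIDEO = Request("video-room1", "EAP-PEAP", False)
ENDPOINTS = [PC, PHONE, VIDEO]

# Two rules that both match every wired dot1x request: whichever is on top wins.
ORDER_DEPENDENT = [
    Rule("PC and phones", "cert_profile"),
    Rule("Video endpoints", "internal_users"),
]

# Option 1: one rule backed by an identity store sequence (cert profile + internal users).
WITH_SEQUENCE = [Rule("Wired dot1x", "sequence")]

# Option 2: route on EAP method and the username pattern of the video units.
WITH_CONDITIONS = [
    Rule("Video endpoints", "internal_users", eap_method="EAP-PEAP", username_regex=r"video-.*"),
    Rule("PC and phones", "cert_profile", eap_method="EAP-TLS"),
]


def run(policy):
    """Map each endpoint username to its outcome under a policy."""
    return {req.username: authenticate(policy, req)[1] for req in ENDPOINTS}


if __name__ == "__main__":
    for label, policy in [("order-dependent", ORDER_DEPENDENT),
                          ("identity store sequence", WITH_SEQUENCE),
                          ("conditions", WITH_CONDITIONS)]:
        print(label, run(policy))
```

Reversing ORDER_DEPENDENT reproduces the second error from the thread (PCs and phones fail), while both fixed policies pass every endpoint regardless of order.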

  • WLC 5508 Web Auth and EAP / PEAP

    Morning all, I'm looking for some clarification.
    Current setup:
    I work in a school. A few years ago I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
    This summer I installed 2 x 5508 WLCs and increased AP coverage to 50, copied over the configs from the old controller, and all works fine.
    Currently only the staff can access the WLANs, with the exception of a public WLAN in the canteen area.
    Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However, the school wants to open the wireless network to all of the students; potentially this means up to 1000 devices that will no doubt change on a regular basis, so MAC filtering is out.
    In line with child protection policies I need an 'auditable' trail when students access wireless resources.
    Planned setup:
    I have set up a test WLAN that uses Web Auth; the WLC is configured to pass authentication requests (through an ASA) on to a RADIUS server which is tied into AD. I have a CA set up as well as a NAP server.
    There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
    Clarification:
    With no layer 2 security the WLAN is exposed, so I need to introduce some form of end-to-end encryption, so I am looking at deploying EAP / PEAP.
    Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2?
    Many thanks.

    If you are using web authentication you cannot use dot1x as L2 security, so EAP is not an option.
    But you can use pre-shared security, like WPA2 AES with web auth, to ensure that the traffic is encrypted.
    Or you can define a WLAN profile with dot1x security on L2 and nothing on L3; by doing so you would definitely hit the utmost security possible.
    Check the following link, which contains a couple of EAP config examples:
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
    Please make sure to rate correct answers

  • EAP-PEAP and EAP-TLS on same switched network

    Hello,
    I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are historical, i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will be there.
    The AAA server is a Cisco ACS (4.2 or 5.1, don't know yet).
    I've not tested this or so, but I don't think this will be an issue... because from a switch point of view, it is just passing EAP traffic to the RADIUS, and so the required services need to be made available on the RADIUS server... is that a correct assumption?
    Thanks,
    Guy

    You are right Guy, the switch just acts as an intermediary device. It just passes EAPOL packets between the ACS server and the client, and waits till the ACS server authenticates the client (internal DB, or external DB = AD, LDAP). You just need to enable EAP-TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last, make sure that your certificates at both sides are valid and signed by the CA.
    Good Luck,
    --Jean Paul

  • 802.1x EAP-PEAP - Radius Question

    We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
    1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone and iPad devices, and I was going to implement
    802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering, is there a cheaper solution than
    getting a Cisco ACS just to run a simple RADIUS server, which is all I need?
    Also, when the supplicant sends its NAI in an EAP-Response/Identity message, what exactly is this username
    and how does it differ from the username you provide after the secure TLS tunnel has been established?

    Hey John,
    Yes, in fact it's all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
    http://www.youtube.com/watch?v=YIxG4OEfwtY
    The 2000 is because there is a database limit; this includes MACs, LOCAL ACCOUNTS and AP MACs for AP policy. The max is 2048. I blogged about this here:
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
    So yes, it sounds right and you should be good.
    Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
    Thanks John!
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
