ACS 5.5 MAB: Notebook does Host-Lookup, then also sends PEAP (EAP-MSCHAPv2) requests

Hello Community,
I have a problem: one notebook in our environment authenticates successfully with Host-Lookup (MAC address) and gets the right VLAN, but then also permanently sends PEAP (EAP-MSCHAPv2) requests with a different username (the username is not a MAC address; it is the Windows computer name).
What is the problem here?
Thanks

Hello Sebastian. A few questions:
- How is the supplicant configured on the Windows machines?
- Is 802.1x enabled on the supplicant?
- If possible please attach screenshots of the supplicant's configuration
- Is this for wireless, wired or both?
- Can you post screenshots of the ACS log page for those events along with a screenshot of the "detailed screen" for one of those events?
Thank you for rating helpful posts!

Similar Messages

  • ISE MAB Host Lookup - PAP or EAP-MD5

    In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
    In the attached setup, MAB is taking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols.
    Does the "Host Lookup" under Allowed Protocols provide for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
    How could we dictate to our switch to start using EAP-MD5 to pass the MAC?  If you look at the attached authentication details output, it lists an EAP-Key in the AV Pair.  Is that it?
    Thank you.
    Cath.

    Hello Cath-
    Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is a type of "protocol" used to process the MAB. If you look at the top of the authentication session, what do you see under "Authentication Protocol"? My guess is that you see "Lookup" (see attached screen shot).
    Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
         interface fa0/1
         mab eap
    Things to consider:
         1) If you make that change, the default/built-in condition in ISE "Wired-MAB" will have to be changed, since the Service-Type RADIUS attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authentication rule and be denied on the network.
         2) Because the MAC address is sent in clear text in "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password.
         3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests.
    Here is a good document that you can reference as well:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
    Hope this helps...
    Thank you for rating!
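    Added example (my own code, not from this thread or from Cisco): a small Python classifier that applies the distinctions above to RADIUS Access-Request attributes, so an engineer can see which requests are plain MAB (Service-Type Call-Check, MAC as User-Name), which are "mab eap" (Framed plus EAP-Message but still a MAC identity, i.e. the ones a Call-Check-based rule would miss), and which are real 802.1X supplicants. It also correlates requests per Calling-Station-Id to flag the symptom from the opening post: an endpoint that was authorized by Host-Lookup/MAB and then also starts 802.1X under a non-MAC identity. The attribute names, string values and sample requests are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample Access-Requests (not real captures). The Service-Type
# and EAP-Message patterns follow the thread: plain MAB = Call-Check with the
# MAC as User-Name; "mab eap" and 802.1X = Framed with EAP-Message present.
SAMPLE_REQUESTS = [
    {"User-Name": "00-11-22-33-44-55", "Calling-Station-Id": "00-11-22-33-44-55",
     "Service-Type": "Call-Check", "EAP-Message": False, "NAS-Port-Id": "FastEthernet0/5"},
    # same endpoint later sends EAP with a machine-style identity (constructed name)
    {"User-Name": "host/NOTEBOOK01", "Calling-Station-Id": "00-11-22-33-44-55",
     "Service-Type": "Framed", "EAP-Message": True, "NAS-Port-Id": "FastEthernet0/5"},
    # "mab eap" port: MAC identity, but Framed + EAP like an 802.1X request
    {"User-Name": "0011.2233.4466", "Calling-Station-Id": "00-11-22-33-44-66",
     "Service-Type": "Framed", "EAP-Message": True, "NAS-Port-Id": "FastEthernet0/6"},
    {"User-Name": "jdoe", "Calling-Station-Id": "00-11-22-33-44-77",
     "Service-Type": "Framed", "EAP-Message": True, "NAS-Port-Id": "FastEthernet0/7"},
]


def normalize_mac(value):
    """Return a 12-hex-digit lowercase MAC, or None if the value is not a MAC
    in one of the usual switch formats (00-11-22-.., 00:11:22:.., 0011.2233.4455)."""
    digits = re.sub(r"[-:.]", "", value or "")
    if len(digits) == 12 and all(c in "0123456789abcdefABCDEF" for c in digits):
        return digits.lower()
    return None


def classify(req):
    """Label one Access-Request as MAB, MAB-EAP, DOT1X or OTHER."""
    user_mac = normalize_mac(req.get("User-Name"))
    caller = normalize_mac(req.get("Calling-Station-Id"))
    identity_is_own_mac = user_mac is not None and user_mac == caller
    if req.get("Service-Type") == "Call-Check" and identity_is_own_mac:
        return "MAB"
    if req.get("EAP-Message"):
        # Framed + EAP: only the identity tells mab-eap and a supplicant apart
        return "MAB-EAP" if identity_is_own_mac else "DOT1X"
    return "OTHER"


def methods_per_endpoint(requests):
    """Map each Calling-Station-Id (normalized) to the set of methods it used."""
    seen = defaultdict(set)
    for req in requests:
        mac = normalize_mac(req.get("Calling-Station-Id"))
        if mac:
            seen[mac].add(classify(req))
    return dict(seen)


def find_dual_auth(requests):
    """Endpoints seen both as MAB and as an 802.1X supplicant: the symptom from
    the opening post (MAB-authorized MAC that then sends EAP with another name)."""
    return sorted(mac for mac, methods in methods_per_endpoint(requests).items()
                  if "MAB" in methods and "DOT1X" in methods)


def find_mab_eap(requests):
    """Requests that a rule matching only Service-Type=Call-Check would not treat as MAB."""
    return [req for req in requests if classify(req) == "MAB-EAP"]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f'{req["NAS-Port-Id"]:16} {req["User-Name"]:20} -> {classify(req)}')
    print("endpoints doing MAB and 802.1X:", find_dual_auth(SAMPLE_REQUESTS))
    print("mab-eap requests needing a Framed-aware rule:", len(find_mab_eap(SAMPLE_REQUESTS)))
```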

  • Host lookup with full domain fails

    Hi,
    we have a couple of Macs that live in a Windows Active Directory domain. They are not part of the domain (i.e. joined), but they get their DHCP config from the Active Directory Controller (ADC). The active directory has the name "company.local" (in real life the company name dot local).
    Since updating to Yosemite we have found that host lookups using the full domain name no longer work, example:
    # This work
    ping wifi-controller
    # This doesn't work
    ping wifi-controller.company.local
    The main problem with this is that all links on the intranet (that are using FQDN) are now broken for Mac users...
    # Doing name lookups with host both works
    # 192.168.x.y is the ADC
    host wifi-controller 192.168.x.y
    host wifi-controller.company.local 192.168.x.y
    The ADC gives out the domain name "company.local" and itself as DNS.
    I have cleared out all manually entered entries in Network Control Panel and the search domain and DNS server listed are not possible to delete from the list. No WINS entered. On the first "page" of the Network panel, DNS and domain is displayed in gray under the DHCP info picked up.
    Any help greatly appreciated,
    /Mattias

    Greetings,
    the ADC needs to have DNS records for itself and for any client wishing to bind to it.
    I would start by checking the AD machine and make sure its DNS is working, and have the clients use the same.
    Verify NTP settings on both.
    Hope this helps.

  • PEAP & EAP-TLS together on ACS

    We have recently deployed lightweight APs/WLCs in my organization and the authentication mechanism for WLANs is PEAP. We plan to add a new wireless LAN and want to use certificate based authentication, EAP-TLS, for this new WLAN. Our authenticating server is Cisco ACS, and we want to use the same authenticating server for authenticating these two WLANs. I haven't found a way to configure ACS to exclusively assign a particular authentication mechanism to a WLAN. Nor can the sub-authentication be specified on the WLC. Any clues?
    Thanks,
    Vijay

    In ACS 5.x, you can specify both EAP type and then also have a condition to grant access to a certain AD OU.  If users are in a different OU, then you create two policies that look at conditions for EAP type, SSID and OU.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html

  • Why are the host ports also seen in the spanning-tree output?

    Why are the host ports also seen in the spanning-tree output?
    Switch1#show spann
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     0000.0CA2.138B
                 This bridge is the root
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     0000.0CA2.138B
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  20
    Interface        Role Sts Cost      Prio.Nbr Type
    Fa0/1            Desg FWD 19        128.1    P2p
    Fa0/2            Desg FWD 19        128.2    P2p
    Fa0/15           Desg FWD 19        128.15   P2p
    interface FastEthernet0/15
    description PC0 Interface
    switchport mode access
    spanning-tree portfast
    interface FastEthernet0/16
    I read somewhere that all the ports of a switch will participate in STP by default. Is there any way to remove the STP operation on host ports?
    Regards,
    Chandu

    All ports participate in Spanning Tree by default.
    Spanning tree is there to block redundant L2 paths in order to prevent loops. All ports are capable of causing a loop so you would not want to turn spanning tree off, in fact I don't think you can switch it off on a per port basis. You can switch it off on a per vlan basis.
    You are already using portfast which allows host ports to transition into a forwarding state without going through the listening and learning states of STP. If you switch off STP on a port, you risk the chance of a L2 loop.
    https://supportforums.cisco.com/docs/DOC-5180

  • ACS 5.1 MAB reauthentication every 1 minute

    Hello,
    I am using Cisco ACS 5.1. I would like to authenticate my IP phones with MAB (Avaya phones) and the computers with dot1x.
    Everything works fine except that the phones which are successfully authenticated with MAB try to authenticate again
    and again and again ... and this fills up the ACS logs. Every authentication is successful and the phone does not hang up. But this fills
    up my logs and makes them unuseful.
    switch version: cat4500-ipbasek9-mz.122-53.SG3.bin
    port config:
    interface FastEthernet2/25
    switchport access vlan 107
    switchport mode access
    switchport voice vlan 502
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    no logging event link-status
    load-interval 60
    speed 100
    duplex full
    qos vlan-based
    authentication event fail action authorize vlan 109
    authentication event server dead action authorize vlan 101
    authentication event server alive action reinitialize
    authentication host-mode multi-domain
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation restrict
    mab
    no snmp trap link-status
    dot1x pae authenticator
    dot1x timeout quiet-period 30
    dot1x timeout server-timeout 25
    dot1x timeout tx-period 15
    dot1x timeout supp-timeout 25
    dot1x max-req 3
    tx-queue 3
       priority high
    no cdp enable
    spanning-tree portfast
    ip dhcp snooping limit rate 10
    end
    Thanks,
    Andras

    Hi,
    If you remove the commands:
    switchport port-security maximum 3
    switchport port-security
    switchport port-security aging time 1
    switchport port-security aging type inactivity
    Do the phones stop authenticating every minute?
    Please note that you have set the aging time to 1 minute, which means that if the phone is not sending any traffic, the switch will delete its MAC address from the MAC table; therefore, the dot1x process will kick in.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • ACS Not installing renewed SSL Certificate for PEAP/EAP-TLS?

    We recently renewed our SSL certificate through RapidSSL. While attempting to install the new certificate into ACS, I was given the prompt showing the updated dates, confirmed and installed the new certificate, deleting the old. I restarted ACS, as required, but when trying to enable PEAP or EAP-TLS, I am getting the error "Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
    The worst part is that when I tried to reinstall the old certificate, I am now getting the same problem.
    Any suggestions?

    Matt,
    How did you perform the CSR.... did you use ACS or OpenSSL? Also, did you verify that the certificate is in the trusted personal folder on the server?
    Scott

  • How to solve the error message "Podcast cover art must be at least 1400 X 1400 pixel JPG or PNG, in RGB color space, and hosted on a server that allows HTTP head requests."

    Please help!! I've been trying to solve this error message for hours.
    The feed URL is http://feeds.feedburner.com/goodstewards
    The artwork URL is http://www.goodstewards.com/wp-content/uploads/2014/11/logo.jpg
    This is a WordPress domain that I am using with FeedBurner.

    "Your Blogger feed has no 'itunes' tags and is lacking the 'iTunes declaration' in the second line, so you have no image as far as the Store is concerned. You need to set Blogger to provide an itunes-compliant feed."
    So, how do I set Blogger to do that? I was Googling for the answer, but nothing. I have "Allow Blog Feed" set to full and Title Links and Enclosure Links enabled.
    "Your Feedburner feed link goes to a text page containing the code of a feed - this feed does have the 'itunes:...' tags. However in both feeds you are using Google Drive as a server for the image and media files and the URLs are prefaced with https (encrypted connection) - this may work in the Store but it is inadvisable and your URLs should begin with http."
    Yeah, I couldn't think of another way to get you straight to the actual XML file. I guess what you are saying is that Google Drive does not have an appropriate server, which is why it gives https instead of http as a head.

  • 802.1x - EAP-MSCHAPv2 / LDAP on ACS 4.2

    Is it possible to use PEAP EAP-MSCHAPv2 with LDAP?

    No, LDAP doesn't support MSCHAPv2; here is the authentication protocols/database matrix:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/eap_pap_phase.html#wp1014889
    Thanks,
    Tarik

  • Hello.  MAC - Android.  Is there such a thing as using a program for my MAC Notebook Pro that I'm also able to use on my android phone?

    Thank you sooo much ahead of time.  Specifically I'm looking for a good finance app like iBank 4 that I could also access on my android phone.  Please and thank you for any help you can share.

    The only way to do that is find an application that has been written for two different systems.  The operating systems of the MacBook Pro and Android are not the same and apps will not run on both of them.

  • Dacl on ACS 5.1 and Catalyst switch 3560

    Dear all
    I have ACS 5.1 and Catalyst switch 3560 with version 12.2(53)SE. I configure a dacl on the ACS and I use it on authorization profile.
    This authorization profile is used on an access policy.
    I tried the authentication but it doesn't work. I checked the ACS logs and I found that the user is authenticated successfully but the dACL gives this error (The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected)
    Steps:
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    11025  The Access-Request for the requested dACL is missing a cisco-av-pair attribute with the value aaa:event=acl-download. The request is rejected
    11003  Returned RADIUS Access-Reject
    DACL:
    deny ip host 1.2.3.4 1.2.3.0 0.0.0.255 log
    permit ip any any log
    Thanks in advance,

    Dear Tiago
    I applied the command "radius-server vsa send". Now I can see the dACL is applied, but I can't see it on the switch, and even though the authentication succeeded in the ACS logs, it gives me unauthorized on the switchport. You can see the logs (started with the username acstest; the access-list is applied but it doesn't work, and you can see that it goes for MAB after EAP timed out). I hope you can help on this issue.
    (one ACS log entry per line, newest first)
    Dec 13,10 10:29:00.513 AM | 00-23-AE-7A-58-A6 | 00-23-AE-7A-58-A6 | Default Network Access | Lookup | Dot1x-3560-Switch | 1.2.3.4 | FastEthernet0/5 | TESTACS | 22056 Subject not found in the applicable identity store(s).
    Dec 13,10 10:28:29.186 AM | #ACSACL#-IP-Guest-4cfcc14d | Dot1x-3560-Switch | 1.2.3.4 | TESTACS
    Dec 13,10 10:28:28.726 AM | acstest | 00-23-AE-7A-58-A6 | Default Network Access | PEAP (EAP-MSCHAPv2) | Dot1x-3560-Switch | 1.2.3.4 | FastEthernet0/5 | TESTACS
    Thanks,

  • Testing Windows 8 Consumer Preview with ACS 5.2 PEAP auth

    We are deploying ACS 5.2 to replace our ACS 4.2 in production.  I have two wireless networks setup as WPA2-Enterprise.  One points at the ACS 4.2 and the other at the ACS 5.2.  Both use the same SSL certificate with the same CN.  Both authenticate Windows 7 clients.  However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2.  The error it gives is:
    11051 Radius packet contains invalid state attribute
    It also shows no authentication method (most of the time).
    Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be.  On those requests, I get error:
    24444 Active Directory operation has failed because of an unspecified error in the ACS.
    Both ACS 4.2 and ACS 5.2 are pointed at the same Windows AD source.
    Anyone have any ideas?  Is there any other information I can provide to help troubleshoot?  I know Windows 8 is not even out yet.  But, it would be nice to have it working.
    Thanks!
    Jodie

    Thanks Tarik!  I appreciate the detailed steps to collect the information to help troubleshoot this issue.
    Here are the logs requested:

  • FlexConnect Access Point - Wired 802.1X or MAB Authentication

    Hi all,
    We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
    I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
    Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
    Thanks in advance.
    Regards,
    Stephen.

    Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
    1. AP authenticates via MAB and profiling
    2. Client authenticates via PEAP/EAP-TLS, etc.
    3. Now the client's traffic is locally switched; thus, the client MAC address is showing on the same port where the AP is connected. The NAD (switch) sees this new MAC address and expects it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that, and as far as it is concerned it was already authenticated.
    So I have run into this issue in my deployments and you have the following options (listed in preference order):
    1. Eliminate FlexConnect :)
    2. Utilize AutoSmartPorts where:
    - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
    - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
    More info on auto smart ports:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
    3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
    Hope this helps!
    Thank you for rating helpful posts!

  • ACS 5.3 WLC Certificates RADIUS Active Directory

    Hi,
    I have a wireless controller and an ACS 5.3. I would like to create a wireless network where a corporate laptop would use the certificates installed to connect to the wireless and then authenticate with AD and laptop certificates to the ACS. So if a user from work brings a home laptop, this won't be able to connect as they don't have a certificate installed on the laptop.
    I have setup ACS to connect to AD.
    I have added the local certificate with my company's CA
    acs.blah.com
    acs.blah.com
    SubCA3-1
    09:50 28.09.2012
    09:50 28.09.2018
    EAP, Management Interface
    I create a very simple rule and then try to connect through the laptop. I select the certificate on the client and click connect. The connection works fine and I am on the network.
    Authentication Summary
    Logged At:
    October 2,2012 3:06:37.996 PM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    blah\Eddy
    MAC/IP Address:
    18-3d-a2-26-7f-b9
    Network Device:
    L39-WC-5508-01 : 10.49.2.150 :  
    Access Service:
    WirelessAD
    Identity Store:
    AD1
    Authorization Profiles:
    Wireless AD
    CTS Security Group:
    Authentication Method:
    PEAP(EAP-MSCHAPv2)
    I then just try a laptop I brought from home. I used my AD username and password and this also connected. This laptop doesn't have a certificate. How can I make it so only work laptops with certificates are allowed to connect to the wireless?
    any help would be great happy to send screen shots of my setup.
    Cheers
    Eddy

    Hi Guys,
    Well I configured the ACS following Scott's information, and I then tried to connect with the laptop and I got this.
    Logged At:
    October 12,2012 2:50:17.866 PM
    RADIUS Status:
    Authentication failed : 15039 Selected Authorization Profile is DenyAccess
    NAS Failure:
    Username:
    blah\eddy
    MAC/IP Address:
    00-21-6a-07-31-88
    Network Device:
    -WC-5508-01 : 10.10.2.10 :  
    Access Service:
    WirelessAD
    Identity Store:
    AD1
    Authorization Profiles:
    DenyAccess
    CTS Security Group:
    Authentication Method:
    PEAP(EAP-MSCHAPv2)
    I copied the two rules used in the setup by Scott and I still get this. I have copied and pasted the logs below. Any ideas on how to get this to work? I don't have MARS; is MARS required for this PEAP setup?
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Evaluating Identity Policy
    15006  Matched Default Rule
    15013  Selected Identity Store - AD1
    24430  Authenticating user against Active Directory
    24416  User's Groups retrieval from Active Directory succeeded
    24101  Some of the retrieved attributes contain multiple values. These values are discarded. The default values, if configured, will be used for these attributes.
    24420  User's Attributes retrieval from Active Directory succeeded
    24402  User authentication against Active Directory succeeded
    22037  Authentication Passed
    Evaluating Group Mapping Policy
    11824  EAP-MSCHAP authentication attempt passed
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    11810  Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814  Inner EAP-MSCHAP authentication succeeded
    11519  Prepared EAP-Success for inner EAP method
    12314  PEAP inner method finished successfully
    12305  Prepared EAP-Request with another PEAP challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12304  Extracted EAP-Response containing PEAP challenge-response
    12306  PEAP authentication succeeded
    11503  Prepared EAP-Success
    24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
    Any ideas guys?
    thanks for the help.
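The two Authentication Summary records and the step log in this thread carry the answer to Eddy's original question, and the following script pulls it out. It is an added example, not ACS code and not the poster's configuration; the records and step lines it works on are constructed from the values quoted above, not exported from a live ACS. It reads step 24423 as the Machine Access Restriction check (my interpretation of that step text), and it assumes ACS logs the certificate-based methods under the names listed in CLIENT_CERT_METHODS. The point it makes: PEAP(EAP-MSCHAPv2) only authenticates the server with a certificate and the client with an AD password, so a home laptop holding a valid AD account is admitted; only a client-certificate method such as EAP-TLS (or a machine-authentication restriction layered on top, as the 24423 step shows in the second attempt) proves the device itself.

```python
"""Audit Cisco ACS 5.x authentication records: certificate or password?

Added example for the thread above; not ACS code and not the poster's
setup. Samples below are constructed from the values quoted in the thread.
"""
import re
from dataclasses import dataclass

# Methods in which the client must present a certificate (assumed names).
CLIENT_CERT_METHODS = {"EAP-TLS", "PEAP(EAP-TLS)"}
# ACS step quoted in the thread; read here as the MAR (machine auth) check.
STEP_MAR_NOT_CONFIRMED = "24423"

LABEL_RE = re.compile(r"^[A-Za-z][A-Za-z/ ]*:$")   # e.g. "RADIUS Status:"
STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")           # e.g. "24423  ACS has ..."

# Constructed from the first (successful) record in the thread.
SAMPLE_OK = r"""
RADIUS Status:
Authentication succeeded
NAS Failure:
Username:
blah\Eddy
Network Device:
L39-WC-5508-01 : 10.49.2.150 :
CTS Security Group:
Authentication Method:
PEAP(EAP-MSCHAPv2)
"""

# Constructed from the second (denied) record and its step log.
SAMPLE_DENIED = r"""
RADIUS Status:
Authentication failed : 15039 Selected Authorization Profile is DenyAccess
Username:
blah\eddy
Authorization Profiles:
DenyAccess
Authentication Method:
PEAP(EAP-MSCHAPv2)
"""
SAMPLE_STEPS = """
24423  ACS has not been able to confirm previous successful machine authentication for user in Active Directory
Evaluating Identity Policy
15006  Matched Default Rule
24402  User authentication against Active Directory succeeded
12306  PEAP authentication succeeded
"""


def parse_summary(text):
    """Turn the 'Label:' / value layout into a dict; a label followed
    directly by another label (NAS Failure, CTS Security Group) maps to ''."""
    fields, label = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LABEL_RE.match(line):          # digits/dots in a value never match
            label = line[:-1]
            fields.setdefault(label, "")
        elif label is not None:
            fields[label] = line
    return fields


def parse_steps(text):
    """Return [(code, message)] for lines carrying a five-digit ACS step code."""
    matches = (STEP_RE.match(l.strip()) for l in text.splitlines())
    return [m.groups() for m in matches if m]


@dataclass
class Verdict:
    username: str
    method: str
    succeeded: bool
    cert_proven: bool   # did the client prove a certificate, not a password?
    mar_failed: bool    # step 24423 present: no prior machine authentication
    note: str


def audit(summary_text, steps_text=""):
    """Classify one session from its summary and (optionally) its step log."""
    f = parse_summary(summary_text)
    codes = {code for code, _ in parse_steps(steps_text)}
    status = f.get("RADIUS Status", "")
    method = f.get("Authentication Method", "")
    succeeded = status.startswith("Authentication succeeded")
    cert = method in CLIENT_CERT_METHODS
    mar = STEP_MAR_NOT_CONFIRMED in codes
    if succeeded and cert:
        note = "client certificate verified"
    elif succeeded:
        note = "password-only method: any device holding valid AD credentials is admitted"
    elif mar:
        note = "AD password accepted but no prior machine authentication: denied by MAR"
    else:
        note = "denied: " + status
    return Verdict(f.get("Username", ""), method, succeeded, cert, mar, note)


if __name__ == "__main__":
    for v in (audit(SAMPLE_OK), audit(SAMPLE_DENIED, SAMPLE_STEPS)):
        print(f"{v.username:10} {v.method:20} cert={v.cert_proven!s:5} "
              f"mar_failed={v.mar_failed!s:5} {v.note}")
```

Run against the two records, the first session comes back succeeded with cert_proven False (that is the home-laptop gap), and the second comes back denied with mar_failed True, which is the Machine Access Restriction doing its job: the user password was fine, but ACS had no record of the machine itself authenticating first.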

  • Cisco ACS 4.2.1.15 for Windows and Network Access Profiles

    We are attempting to configure ACS 4.2.1.15 on a Windows Server 2008 member server. Initially I only have the need to authenticate network admins for device administration and authenticate Windows AD groups using PEAP authentication. The general problem that I am having is that if I configure a Cisco 1200 Access Point for PEAP and also set up the Access Point for RADIUS authentication pointed to the ACS server, it always maps to the first Network Access Profile and, rather than trying the second, it will error saying some condition is not met depending on what changes I make. Can someone tell me what the criteria are that are used to determine what NAP is used? According to the manual, if all 4 criteria are not met then the profile will not apply.
    I am using one ACS group that is mapped to an AD group for wireless access and a second ACS group mapped to an AD group that includes the net admins. This group mapping appears to be working as the user group name seems to be mapped correctly in the logs. In short, I have tried only configuring the Wireless NAP to only allow EAP authentication using PEAP EAP-MSCHAPv2 and the Netadmins profile to include all protocols. Basically what happens is if I have the Wireless NAP first it works fine for PEAP authentication on wireless, but if I try to administer the access point and provide credentials I get a message in the failed log that the authentication profile is not allowed in this Network Access Profile. Why does this not just go on to the next Network Access Profile?
    I am familiar with version 3.2 but it does not seem to work the same.
    Any help would be appreciated on what I am missing.
    Thanks

    Hi Surenda,
    Thanks for your reply. Nope, there is no WLC yet, but the WLC will be installed shortly.
    Thanks,
    Jean Paul
