ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?
I have come up with a bunch of incompatibilities in the offered support, e.g.
1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.
2. Cisco supports PEAP and inside it MSCHAP2 or EAP-GTC.
We tried using the RSA-provided EAP client with both the EAP security and EAP-OTP options within Microsoft PEAP, but ACS rejects that as "EAP type not configured".
I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

Hi,
We have tried to do the exact same setup as you and we also failed.
When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.
When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
A list of the EAP protocols supported by the RSA is attached.
Also below is the link which says MS-PEAP is NOT supported with the RSA; please check the table "EAP Authentication Protocol and User Database Compatibility".
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
What we are trying to do now in the project is to leave the AP authentication open and try to authenticate using RADIUS through a firewall or Cisco router authentication proxy.
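The reply above observes that with PEAP/MS-CHAPv2 the ACS fails with "external DB password invalid" and never talks to the RSA server, while PEAP/EAP-GTC works. The following is an added example, not code from either poster, Cisco or RSA: a small Python model of the two inner methods with both sides of the exchange. It assumes a simplified MS-CHAPv2 (SHA-256/HMAC in place of the real MD4 NT-hash and DES construction of RFC 2759) and uses RFC 4226 HOTP as a stand-in for the SecurID token; the user names, seed and "ACS"/"RSA" classes are constructed for the demo. The point it shows is structural: a challenge/response method only lets the server recompute a response from a stored password hash, so a server that holds token seeds (and must see the one-time passcode in the clear) can never be consulted, whereas EAP-GTC carries the passcode as an opaque string inside the TLS tunnel.

```python
import hashlib
import hmac
import os

# ---- One-time passcode generator (RFC 4226 HOTP), standing in for a SecurID token ----
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class RsaAceServer:
    """Stand-in for the RSA ACE server: it holds token seeds, not reusable passwords,
    and can only check a passcode that reaches it in the clear."""
    def __init__(self):
        self.tokens = {}      # user -> [seed, next expected counter]
        self.calls = 0        # how often ACS actually contacted us (cf. "no traffic seen")

    def enroll(self, user: str, seed: bytes) -> None:
        self.tokens[user] = [seed, 0]

    def verify(self, user: str, passcode: str) -> bool:
        self.calls += 1
        if user not in self.tokens:
            return False
        seed, counter = self.tokens[user]
        for c in range(counter, counter + 3):             # small look-ahead window
            if hmac.compare_digest(hotp(seed, c), passcode):
                self.tokens[user][1] = c + 1               # never accept the same code twice
                return True
        return False

# ---- Simplified MS-CHAPv2 (real protocol: MD4 NT-hash + DES, RFC 2759) ----
def nt_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def mschapv2_response(password: str, challenge: bytes) -> bytes:
    # The client never sends the password, only a keyed function of the challenge.
    return hmac.new(nt_hash(password), challenge, hashlib.sha256).digest()

class AcsRadiusServer:
    """Stand-in for Cisco ACS: static-password users live in an internal/AD-style DB
    (password hashes); token users are supposed to be checked by the RSA server."""
    def __init__(self, rsa: RsaAceServer):
        self.rsa = rsa
        self.password_db = {}     # user -> nt_hash, for non-token users
        self.token_users = set()
        self.log = []             # (inner method, identity, outcome)

    def add_password_user(self, user: str, password: str) -> None:
        self.password_db[user] = nt_hash(password)

    def add_token_user(self, user: str) -> None:
        self.token_users.add(user)

    def peap_gtc(self, identity: str, passcode: str) -> bool:
        # EAP-GTC carries the inner credential as an opaque cleartext string inside the
        # TLS tunnel, so ACS can forward it to the external OTP server unchanged.
        ok = identity in self.token_users and self.rsa.verify(identity, passcode)
        self.log.append(("PEAP/EAP-GTC", identity, "Access-Accept" if ok else "Access-Reject"))
        return ok

    def peap_mschapv2(self, identity: str, challenge: bytes, response: bytes) -> bool:
        # To check an MS-CHAPv2 response ACS must recompute it from a stored hash. A token
        # user has no stored hash and the passcode cannot be recovered from the response,
        # so the request fails inside ACS and the RSA server is never consulted.
        stored = self.password_db.get(identity)
        if stored is None:
            self.log.append(("PEAP/MS-CHAPv2", identity, "external DB password invalid"))
            return False
        expected = hmac.new(stored, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        self.log.append(("PEAP/MS-CHAPv2", identity, "Access-Accept" if ok else "Access-Reject"))
        return ok

# ---- Constructed lab: one token user ("alice"), one static-password user ("bob") ----
TOKEN_SEED = b"12345678901234567890"        # RFC 4226 test seed, used only as sample data
BOB_PASSWORD = "correct horse battery staple"

def build_lab():
    rsa = RsaAceServer()
    rsa.enroll("alice", TOKEN_SEED)
    acs = AcsRadiusServer(rsa)
    acs.add_token_user("alice")
    acs.add_password_user("bob", BOB_PASSWORD)
    return rsa, acs

def run_demo() -> dict:
    rsa, acs = build_lab()
    results = {}
    # Token user through PEAP/EAP-GTC: passcode reaches RSA, accepted once, replay rejected.
    code = hotp(TOKEN_SEED, 0)
    results["gtc_alice"] = acs.peap_gtc("alice", code)
    results["gtc_alice_replay"] = acs.peap_gtc("alice", code)
    # Token user through PEAP/MS-CHAPv2: fails in ACS, RSA call counter does not move.
    before = rsa.calls
    chal = os.urandom(16)
    results["mschap_alice"] = acs.peap_mschapv2("alice", chal, mschapv2_response(code, chal))
    results["rsa_contacted_for_mschap"] = rsa.calls != before
    # Static-password user through PEAP/MS-CHAPv2 works as normal.
    results["mschap_bob"] = acs.peap_mschapv2("bob", chal, mschapv2_response(BOB_PASSWORD, chal))
    results["log"] = acs.log
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Running it prints one accepted EAP-GTC attempt, a rejected replay of the same passcode, the "external DB password invalid" outcome for the token user under MS-CHAPv2 with the RSA call counter unchanged, and a normal accept for the static-password user.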

Similar Messages

  • Why Unable to identify a user for 802.1X authentication (0x50001)?

    Hello, 
  We are trying to set up wifi single sign-on. When logging in to a laptop I get a message
    "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users", and after that we are logged in to the laptop and successfully connected to the Pivot_Users wifi network.
    Server: windows server 2003 (with all updates)
    laptop: windows 7 professional SP1 (with all updates)
    When looking at the event log I found this error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-10-10 10:38:01
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      sba01-nb
    Description:
    A request was made to authenticate to a wireless network.
    Subject:
    Security ID:                
    Account Name:                -
    Account Domain:                -
    Logon ID:                0x0
    Network Information:
    Name (SSID):                Pivot_Users
    Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
    Local MAC Address:        C4:85:08:12:77:44
    Peer MAC Address:        00:24:97:83:8E:61
    Additional Information:
    Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
    Error Code:                0x525
    EAP Reason Code:        0x0
    EAP Root Cause String:        
    EAP Error Code:                0x0
    Event Xml:
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5632</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12551</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
        <EventRecordID>37791</EventRecordID>
        <Correlation />
        <Execution ProcessID="760" ThreadID="2224" />
        <Channel>Security</Channel>
        <Computer>sba01-nb</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SSID">Pivot_Users</Data>
        <Data Name="Identity">
        </Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="PeerMac">00:24:97:83:8E:61</Data>
        <Data Name="LocalMac">C4:85:08:12:77:44</Data>
        <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
        <Data Name="ReasonCode">0x50001</Data>
        <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
        <Data Name="ErrorCode">0x525</Data>
        <Data Name="EAPReasonCode">0x0</Data>
        <Data Name="EapRootCauseString">
        </Data>
        <Data Name="EAPErrorCode">0x0</Data>
      </EventData>
    </Event>
    Thank you for answer and help.
    Regards, 
      Tadas

    Hi,
    Thanks for your post.
    Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure 802.1X for user-only authentication.
    Here is the process that is followed.
    1. As soon as the client is connected to the network the Authenticator (switch) periodically sends an EAP request packet/frame to the client/supplicant.
    2. The client has to respond back with an identity, and if it is configured only for User authentication then it will send a blank identity.
    3. The Authenticator cannot validate it and the authentication will fail.
    4. The Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC will go into block time for 20 min until there is a change in credentials. So, even if the authenticator (switch) is periodically sending EAP requests, it will just ignore them.
    5. You will see event 15506 after the event 15514.
    Here is the TechNet article that we can refer to for the reason code Reason: 0x50001 that we see in event 15514:
    http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
    0x50001 = Dec 327681
    Reason code: 327681   Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to "User" but no user is logged on.]   # def name:
    ONEX_UNABLE_TO_IDENTIFY_USER
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support
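The reply explains how to read the Event ID 5632 record quoted in the question: the reason code 0x50001 (decimal 327681, ONEX_UNABLE_TO_IDENTIFY_USER) together with a blank Identity field means the supplicant was in user-only mode with nobody logged on. The following is an added example, not code from the thread or from Microsoft: a Python triage helper that parses such an event from its XML, decodes the reason code and the Audit Failure keyword bit, and flags the blank-identity case. The embedded event is a constructed sample modelled on the record in the post (same field names, same values), wrapped in the standard Windows `<Event>` element; the reason-code table only contains the single code the thread documents.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the Event ID 5632 record quoted in the question above.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5632</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
    <Computer>sba01-nb</Computer>
  </System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity">
    </Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="PeerMac">00:24:97:83:8E:61</Data>
    <Data Name="LocalMac">C4:85:08:12:77:44</Data>
    <Data Name="ReasonCode">0x50001</Data>
    <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
    <Data Name="ErrorCode">0x525</Data>
    <Data Name="EAPReasonCode">0x0</Data>
  </EventData>
</Event>"""

# Only the reason code the reply in this thread documents; extend from the TechNet table.
ONEX_REASON_NAMES = {0x50001: "ONEX_UNABLE_TO_IDENTIFY_USER"}
# Bit set in the Keywords field of every "Audit Failure" security event.
AUDIT_FAILURE_BIT = 0x0010000000000000
WIRELESS_8021X_EVENT_ID = 5632

def _local_name(tag: str) -> str:
    """Strip the XML namespace ElementTree prepends as '{ns}Tag'."""
    return tag.rsplit("}", 1)[-1]

def parse_event(xml_text: str) -> dict:
    """Flatten the System fields and every EventData <Data Name=...> into one dict."""
    root = ET.fromstring(xml_text)
    event = {}
    for el in root.iter():
        name = _local_name(el.tag)
        if name == "EventID":
            event["event_id"] = int(el.text)
        elif name == "Keywords":
            event["keywords"] = int(el.text, 16)
        elif name == "Computer":
            event["computer"] = el.text
        elif name == "TimeCreated":
            event["time"] = el.get("SystemTime")
        elif name == "Data" and el.get("Name"):
            event[el.get("Name")] = (el.text or "").strip()   # blank Identity -> ""
    return event

def triage(event: dict) -> dict:
    """Decode the 802.1X reason code and decide whether this is the user-only/no-logon case."""
    if event.get("event_id") != WIRELESS_8021X_EVENT_ID:
        return {"applicable": False}
    reason_code = int(event.get("ReasonCode", "0x0"), 16)
    identity_blank = event.get("Identity", "") in ("", "-")
    audit_failure = bool(event.get("keywords", 0) & AUDIT_FAILURE_BIT)
    result = {
        "applicable": True,
        "computer": event.get("computer"),
        "ssid": event.get("SSID"),
        "reason_code": reason_code,                 # 0x50001 == 327681
        "reason_name": ONEX_REASON_NAMES.get(reason_code, "UNKNOWN"),
        "identity_blank": identity_blank,
        "audit_failure": audit_failure,
    }
    if audit_failure and reason_code == 0x50001 and identity_blank:
        result["verdict"] = ("802.1X profile is in user-only authentication mode and no user "
                             "was logged on when the EAP Identity request arrived")
    else:
        result["verdict"] = "not the user-only/no-logon pattern; see reason_name"
    return result

if __name__ == "__main__":
    for key, value in triage(parse_event(SAMPLE_EVENT_XML)).items():
        print(f"{key}: {value}")
```

Feeding real records exported from Event Viewer ("Copy > Copy Details as XML") works the same way; the parser keys on element names rather than their position, so extra System elements are ignored.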

  • 802.1x Authentication using Cisco Phone LSC and IAS 2003

    I'm trying to authenticate Cisco 7975 phones using the LSC and Microsoft IAS 2003.
    The CA was generated from the IAS server (Domain Controller) and was imported and used to generate the LSC that have now been deployed to the phones.
    Does anyone know how to configure the IAS server to authenticate the phones?                  

    HI Saad,
    Check this link to get info about EAP Types:
    http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which-identity-projects.html
    I would prefer to use EAP-TLS because of the security. In this type you need a certificate on both sides (client and server); you can also add AD to authenticate users.
    Regards
    Don't forget to rate helpful posts

  • Hi, I bought a used Apple Power Mac G5. I want to buy a Bluetooth card for it to use a wireless keyboard and mouse. I am just curious why I need to provide the serial number of my computer; is there any compatibility issue?

    Hi, I am new to Apple computers. I bought a used Power Mac G5. I want to buy a Bluetooth card for it to use a wireless keyboard and mouse. So why is it mandatory to provide the serial number of the machine?

    Hello, Serial# not needed...
    At the Apple icon at top left > About this Mac.
    Then click on More Info > Hardware and report this up to *but not including the Serial#*...
    Hardware Overview:
    Machine Name: Power Mac G5 Quad
    Machine Model: PowerMac11,2
    CPU Type: PowerPC G5 (1.1)
    Number Of CPUs: 4
    CPU Speed: 2.5 GHz
    L2 Cache (per CPU): 1 MB
    Memory: 10 GB
    Bus Speed: 1.25 GHz
    Boot ROM Version: 5.2.7f1

  • I use Windows Vista and Microsoft Outlook. After migrating to iCloud, the iCloud calendar transferred only part of my past Calendar items to the folder iCloud Calendar in my Outlook. How can I transfer all the entries?

    I use Windows Vista and Microsoft Outlook. After migrating to iCloud, the iCloud calendar transferred only part of my past Calendar items to the folder iCloud Calendar in my Outlook. How can I transfer all the entries? On iCloud's site all are there.

    If the calendar is on iCloud.com, all you would need to do to get it on your phone is go to Settings > iCloud on your phone, sign into your iCloud account and turn Calendars on. The iCloud calendars will then download to your phone.

  • Using ACS for Cisco Prime authentication

    I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
    Any pointers?

    The configuration on the Prime Infrastructure side is minimal:  define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
    Administration > AAA > TACACS+ Servers > add tacacs server.
    Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
    The bulk of the configuration is on the authentication server side, particularly in defining groups, services and authorization tasks. This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x"
    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
    "Configuring ACS 4.x"
    http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
    https://supportforums.cisco.com/docs/DOC-17909
    In case it doesn't work, please get the logs from the ACS reports and monitoring for TACACS authentication and the error message while accessing Cisco Prime.
    Jatin Katyal
    - Do rate helpful posts -

  • How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2

    How can I deploy MacBooks and 802.1x authentication for wireless connectivity using PEAP/MSChap version 2? The cert is generated by a 2008 Windows CA authority. I am trying to get them to join but the Mac doesn't seem to want to accept the cert. Can I not validate the cert and still have it join the 802.1x wireless network? The wireless network is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.

    Hi Tarik,
    Thanks for your answers,
    I've attached my configured AuthZ rules and AuthZ profile for provisioning,
    I want the process to be the same for iPhone, Android and Windows.
    1) Connect to the SSID
    2) Login using your AD credentials PEAP-MS-CHAP-v2
    3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
    4) As soon as the client clicks "register" no more redirects and PERMIT-ALL
    I think that I don't need to rely on profiling because In terms of AuthZ policies it should be something like this:
    1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES(Unknown or not reg) then "Redirect to device registration(that is NSP right?)"
    2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL(no redirection)
    3) everything else = DENY-ALL
    But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access(See attachment photo3.png) but as I said on the post it shows that cannot retrieve the MAC-Address so the client can't register his device and don't have access to the network. (To grant access I've configured provisioning policies, that way the clients can register their devices but they are redirected to google play or are forced to install the profile at iOS and this is what I don't want because it is not necessary)
    What screenshot do you need after the registration? The Auth report?
    Thank you very much for your time!

  • Authentication Properties button not functional for 802.1x authentication

    With version 4.52 for Windows XP, Build 7TCX26WW of ThinkVantage Access Connections, the 'Authentication Properties' button doesn't work for 802.1x for Ethernet.  Has anyone else been experiencing this?  Had to work-around by using the Windows Network Connections properties pages for the Ethernet device.  Would be nice to have this utility working fully.  Found it useful for someone who shifts from one work environment to another.
    Thanks in advance.

    Hi
    Welcome To Lenovo Community
    We are really sorry to hear about the issue you are facing,  
     Please try uninstalling the Access Connection   
    Restart the unit, download and install Access Connection from below link
    http://support.lenovo.com/en_IN/downloads/detail.page?DocID=DS013683
    Do give this a try and let us know  
    Hope This Helps
    Cheers!!!
    WW Social Media

  • RSA tokens and AAA

    I have an RSA ACE server and would like to use it for console port and VTY port access.... Does AAA support this and if so, what does the config look like... I have done it with ACS, but would like to try it just going directly to the RSA SecurID server... and letting the server pop the login... and then I just poke in my Passcode and Token PIN... anyone done this yet....

    Very simple:
    1- install RSA Server on host A,
    2- install ACS server on host B,
    3- create an agent host on host A with host B's ip address,
    4- copy the sdconf.rec file over to the %Windows%\system32 directory of host B,
    5- install RSA agent software on host B,
    6- create an RSA user on host A,
    7- use the RSA test utility on host B to test authentication from host B over to host A,
    8- configure ACS to use RSA SecurID. Read the instructions on the Cisco web site, in the External database section,
    9- run the log monitor on the host A RSA server,
    10- try to log into a router,
    11- enter the username created in step 6; you should see that you will be able to authenticate with the RSA SecurID and ACS integration.
    Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on the RSA Server. Next-PIN mode only works with RADIUS.
    Easy right?

  • 802.1x Wired using EAP-TLS with Microsoft SCCM 2007

    Hi,
    I'm currently in the process of deploying 802.1x across 10,000 devices - Avaya IP phone, Hp t510 Thin Clients and a mixture of WinXP SP3 and Windows 7
    The bombshell has been dropped that our desktop guys are going to use SCCM 2007 to manage/re-image PC's
    Can anyone point me to any useful info as to how SCCM works on a Wired 802.1x network with User and Computer certificate authentication??
    The most basic query I have is this, if we re-image a PC, both User and Computer certs will disappear therefore 802.1x authentication will fail and the device subsequently drops off the network :-(
    Any ideas or suggestions?
    Many thanks,
    Matt

    Hello Matt-
    The only other thing that I can think of is device enrolment via SCEP. However, that process will not be fully automated and it will require user intervention. In addition, you can create a "White List" authorization rule where you can temporarily and manually add/remove MACs. You can add the MAC(s) for the machine(s) that have to be re-imaged and then remove them when all is set and done. Other than that I am not aware of any other methods to do this.
    Thank you for rating!

  • Step by step instructions for recovering your system using ThinkVantage Rescue and Recovery

    Official Instructions for using ThinkVantage Rescue and Recovery.
    Message Edited by carbon_unit on 11-04-2008 03:24 PM
    T60 2623-D7U, 3 GB Ram. Dual boot XP and Linux Mint.
    T400 2765-T7U Windows 7
    Registered Linux User #160145
    FYI: I am not employed by Lenovo

    I installed Win 7 Pro 64 on my T400, ran TVSU and installed R&R 4.3. Fortunately, I didn't read those instructions first, or I might not have done it
    Have you tried just installing R&R? If it needs anything else, it should ask for it during the install. IIRC, it does require the VCC+ package.
    Z.

  • Best format for SSD when i use os x and windows

    Which is the best format for my new SSD when I want to use OS X and Windows together? I mean, when I am in Windows I can copy folders from Windows to OS X folders and vice versa? Thank you for all info

    Before you do anything make sure that anything you have on your external hard drive is moved somewhere else, as all information will be lost in this process. Then make sure it is plugged into your Mac.
    Here's what you need to do next. If you click on your Macintosh HD on your desktop, then click on Applications. Then scroll down and click on Utilities. In there you need to click on Disk Utility. When this opens you need to select your external hard drive from the list on the left. Then on the tabs at the top click on Partition, but just leave it all as is except you need to change the format from Mac Journaled to FAT32, then click Apply. It will then be ok for use on both Mac & PC, but be warned they don't like each other, so some stuff will work and some stuff won't. If it is formatted for FAT32 then the Mac will sometimes not read it through a wireless connection. (I am trying to figure this out at the moment and can't seem to get it to work).
    Good Luck

  • Font problems using Adobe CS and Microsoft Office

    I am having problems with using my installed fonts in software like Adobe CS and Microsoft Office. The fonts do not appear in the font lists of these programs, while they do appear in TextEdit (and in the Font Book).
    I already did the following:
    - disabling/enabling the fonts
    - entering safe mode (cleaning the cache)
    - cleaning the cache using a third party program (cannot recall the name)
    - reinstalling OS X
    Can somebody help me?

    A little update.
    Often when I boot my iMac and open, for example, Adobe Illustrator, not every font (original and newly installed) shows up in the program's font list, but sometimes all fonts do appear.
    So this is a very strange phenomenon.
    Problem is that I am working on a design for which I need to use custom fonts, but I can't. I'm stuck!
    So please, can anybody help me?

  • I currently use Snow Leopard and Microsoft Word, Excel and Entourage on my Mac.  If I upgrade to Mavericks, can I still use those applications?

    I currently use Snow Leopard with Microsoft Word, Excel and Entourage on my iMac.  If I upgrade to Mavericks, can I still use those applications?

    If the Microsoft Office is 2004 then no.
    Mavericks System requirements.
    http://support.apple.com/kb/ht5842
    Note I would recommend a minimum of 4GB RAM.
    You need to check all your software and hardware, including any peripherals you use, printers etc., to ensure they are compatible with Mavericks.
    Any software that is PPC and uses Rosetta will not work with any OS X version later than 10.6.8 Snow Leopard.
    If you decide to upgrade have a tested backup of your current system in case of problems and you could return the computer to its previous configuration.

  • Using Cisco ACS for Solaris login authentication

    Hi all
    I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
    Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
    Thanks, David

    Hard to comment with any certainty but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, eg PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP) then should be fine.
