ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP
Has anyone been able to configure 802.1x authentication on Windows XP machines with RSA tokens, using Cisco ACS as the RADIUS server?
I have come up with a bunch of incompatibilities between the offered support, e.g.:
1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAPv2.
2. Cisco supports PEAP and, inside it, MSCHAPv2 or EAP-GTC.
We tried using the RSA-provided EAP client, both the EAP security and EAP-OTP options, within Microsoft PEAP, but ACS rejects that with "EAP type not configured".
I know it works with third-party EAP software like the Juniper Odyssey client and the Cisco Aegis client, but we need to make it work with the native Windows XP EAP client.
Hi,
We have tried to do the exact same setup as you and we also failed.
When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.
MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to its one-time nature. So they (RSA) don't.
When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.
A list of the EAP protocols supported by RSA is attached.
Also below is the link which says that MS-PEAP is NOT supported with RSA; please check the table "EAP Authentication Protocol and User Database Compatibility":
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699
What we are trying to do now in the project is leave the AP authentication open and try to authenticate using RADIUS through a firewall or Cisco router authentication proxy.
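The replies above turn on one property of the credential: a RADIUS PAP password (and the GTC payload inside a PEAP or EAP-FAST tunnel) reaches the server in a form it can reverse, so ACS can hand the passcode to the SecurID server; an MS-CHAPv2 response is a hash the token server has no way to check. The following is an added example, not code from the original posts, ACS or RSA: a minimal RFC 2865 PAP exchange between a NAS and a RADIUS server, with the User-Password obfuscation, a Response Authenticator check on the reply, and a constructed stand-in (`rsa_validate_stub`, `CURRENT_TOKENCODES`, `SHARED_SECRET`) for the call to the token server. Those three names and values are assumptions made for the example.

```python
"""Added example: a RADIUS PAP exchange in the shape RFC 2865 specifies.

Not ACS or RSA code. It shows why a PAP/GTC-style credential can be forwarded
to a one-time-passcode server: the User-Password attribute is obfuscated with
the shared secret and the Request Authenticator, and the server reverses that
to recover the passcode it must submit to the token server. A hashed
challenge/response (the MS-CHAPv2 NT-Response) never yields the passcode, so a
server that can only answer "is this passcode valid now?" cannot check it.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed for the example: the NAS/RADIUS shared secret and the "current"
# tokencode per user, standing in for a SecurID verify call (assumptions).
SHARED_SECRET = b"example-shared-secret"
CURRENT_TOKENCODES = {b"alice": b"1234567890"}


def rsa_validate_stub(user: bytes, passcode: bytes) -> bool:
    """Stand-in for the token server: accepts only the current passcode."""
    return CURRENT_TOKENCODES.get(user) == passcode


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16, then XOR each block
    with MD5(secret + previous block), chained from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, strip the NUL padding
    (a SecurID passcode is digits, so it never ends in NUL)."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        block = cipher[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, passcode: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes."""
    enc = encode_user_password(passcode, secret, authenticator)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(enc)]) + enc)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, attr_len = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + attr_len]
        i += attr_len
    return attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def server_handle(packet: bytes, secret: bytes, validate) -> bytes:
    """What the RADIUS server does: recover the passcode, ask the token server, reply."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    passcode = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    rcode = ACCESS_ACCEPT if validate(attrs[ATTR_USER_NAME], passcode) else ACCESS_REJECT
    return struct.pack("!BBH", rcode, identifier, 20) + response_authenticator(
        rcode, identifier, b"", request_auth, secret)


def client_accepted(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: ignore any reply whose Response Authenticator does not verify."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, identifier, response[20:length],
                                      request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:20]) and code == ACCESS_ACCEPT


def authenticate(username: bytes, passcode: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Full round trip with a fresh random Request Authenticator; the server
    always uses SHARED_SECRET, so a NAS with the wrong secret fails both ways."""
    authenticator = os.urandom(16)
    request = build_access_request(0x2A, username, passcode, secret, authenticator)
    response = server_handle(request, SHARED_SECRET, rsa_validate_stub)
    return client_accepted(response, authenticator, secret)


if __name__ == "__main__":
    print("current tokencode:", authenticate(b"alice", b"1234567890"))
    print("stale tokencode:  ", authenticate(b"alice", b"0000000000"))
    print("wrong NAS secret: ", authenticate(b"alice", b"1234567890", b"wrong"))
```

The MD5-XOR obfuscation is reversible by design and offers little protection on its own, which is why in the deployments discussed the PAP/GTC credential is carried inside the PEAP or EAP-FAST TLS tunnel rather than on an open link.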
Similar Messages
-
Why Unable to identify a user for 802.1X authentication (0x50001)?
Hello,
We are trying to set up wifi single sign-on. When logging on to a laptop we get the message "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users"; after that we are logged in to the laptop and successfully connected to the Pivot_Users wifi network.
Server: windows server 2003 (with all updates)
laptop: windows 7 professional SP1 (with all updates)
When looking in the event log I found this error:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2012-10-10 10:38:01
Event ID: 5632
Task Category: Other Logon/Logoff Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: sba01-nb
Description:
A request was made to authenticate to a wireless network.
Subject:
Security ID:
Account Name: -
Account Domain: -
Logon ID: 0x0
Network Information:
Name (SSID): Pivot_Users
Interface GUID: {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
Local MAC Address: C4:85:08:12:77:44
Peer MAC Address: 00:24:97:83:8E:61
Additional Information:
Reason Code: Unable to identify a user for 802.1X authentication (0x50001)
Error Code: 0x525
EAP Reason Code: 0x0
EAP Root Cause String:
EAP Error Code: 0x0
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>5632</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12551</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
<EventRecordID>37791</EventRecordID>
<Correlation />
<Execution ProcessID="760" ThreadID="2224" />
<Channel>Security</Channel>
<Computer>sba01-nb</Computer>
<Security />
</System>
<EventData>
<Data Name="SSID">Pivot_Users</Data>
<Data Name="Identity">
</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="PeerMac">00:24:97:83:8E:61</Data>
<Data Name="LocalMac">C4:85:08:12:77:44</Data>
<Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
<Data Name="ReasonCode">0x50001</Data>
<Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
<Data Name="ErrorCode">0x525</Data>
<Data Name="EAPReasonCode">0x0</Data>
<Data Name="EapRootCauseString">
</Data>
<Data Name="EAPErrorCode">0x0</Data>
</EventData>
</Event>
Thank you for answer and help.
Regards,
Tadas
Hi,
Thanks for your post.
Have you configured the client to use only user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure 802.1X for user-only authentication.
Here is the process that is followed.
1. As soon as the client is connected to the network, the authenticator (switch) periodically sends EAP-Request frames to the client/supplicant.
2. The client has to respond with an identity; if it is configured only for user authentication, it will send a blank identity.
3. The authenticator cannot validate it and the authentication fails.
4. The Windows client is configured for a block time of 20 min. So, once the authentication fails, the NIC will go into block time for 20 min until there is a change in credentials. So, even if the authenticator (switch) is periodically sending EAP requests, it will just ignore them.
5. You will see event 15506 after event 15514.
Here's the TechNet article we can refer to for reason code 0x50001 that we see in event 15514:
http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
0x50001 = Dec 327681
Reason code: 327681. Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to "User" but no user is logged on.] #define name: ONEX_UNABLE_TO_IDENTIFY_USER
Best Regards,
Aiden
Aiden Cao
TechNet Community Support -
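The answer above reads event 5632 by hand: reason 0x50001 (327681, ONEX_UNABLE_TO_IDENTIFY_USER) together with an empty Identity and a zero logon ID is the signature of a user-only 802.1X profile being asked to authenticate before anyone has logged on. The following is an added example, not code from the thread or from Microsoft, that parses such an event and applies that reasoning. The sample XML is reconstructed from the event quoted in the question, trimmed to the fields used; the Event element's namespace is the standard Windows event-log namespace; the only codes mapped are 0x50001 from the TechNet table cited above and the Win32 error 0x525 (1317, ERROR_NO_SUCH_USER), and anything else is reported numerically.

```python
"""Added example: parse a Windows 802.1X audit event (ID 5632) and decode its reason code.

Not Microsoft's or the poster's code. Sample reconstructed from the event in the
question above; the Event namespace is the standard Windows event-log one.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Reason code from the TechNet table quoted in the answer; 0x50001 = 327681.
ONEX_REASON_CODES = {0x50001: "ONEX_UNABLE_TO_IDENTIFY_USER"}
# Win32 error carried in ErrorCode; 0x525 = 1317 = ERROR_NO_SUCH_USER.
WIN32_ERRORS = {0x525: "ERROR_NO_SUCH_USER"}
# Keywords value the quoted event carries for "Audit Failure".
AUDIT_FAILURE_KEYWORD = 0x8010000000000000

# Constructed sample, reduced from the event quoted in the question.
SAMPLE_EVENT_5632 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>5632</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
    <Computer>sba01-nb</Computer>
  </System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity">
    </Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="SubjectLogonId">0x0</Data>
    <Data Name="PeerMac">00:24:97:83:8E:61</Data>
    <Data Name="ReasonCode">0x50001</Data>
    <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
    <Data Name="ErrorCode">0x525</Data>
    <Data Name="EAPReasonCode">0x0</Data>
    <Data Name="EAPErrorCode">0x0</Data>
  </EventData>
</Event>"""


def parse_event(xml_text: str) -> dict:
    """Pull the System fields and the named EventData values into one flat dict.
    Hex strings such as 0x50001 are parsed with base auto-detection."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return {
        "event_id": int(system.find("e:EventID", EVENT_NS).text),
        "computer": system.find("e:Computer", EVENT_NS).text,
        "audit_failure": int(system.find("e:Keywords", EVENT_NS).text, 0) == AUDIT_FAILURE_KEYWORD,
        "ssid": data.get("SSID", ""),
        "identity": data.get("Identity", ""),      # whitespace-only element becomes ""
        "logon_id": int(data.get("SubjectLogonId", "0x0"), 0),
        "reason_code": int(data.get("ReasonCode", "0x0"), 0),
        "error_code": int(data.get("ErrorCode", "0x0"), 0),
        "eap_reason_code": int(data.get("EAPReasonCode", "0x0"), 0),
    }


def describe_code(code: int, table: dict) -> str:
    """Symbolic name when known, otherwise hex and decimal so it can be looked up."""
    return table.get(code, f"unknown (0x{code:x} = {code})")


def diagnose(event: dict) -> str:
    """Apply the answer's reasoning: 0x50001 with an empty Identity and no logon
    session means the supplicant is in user-only authMode and nobody is logged on yet."""
    if event["event_id"] != 5632:
        return "not an 802.1X wireless authentication request event"
    reason = event["reason_code"]
    if reason == 0x50001 and event["identity"] == "" and event["logon_id"] == 0:
        return ("ONEX_UNABLE_TO_IDENTIFY_USER: no credentials available before logon; "
                "expected with user-only authMode")
    if reason == 0x50001:
        return "ONEX_UNABLE_TO_IDENTIFY_USER with an identity present; check the profile's credential source"
    return (f"reason {describe_code(reason, ONEX_REASON_CODES)}, "
            f"error {describe_code(event['error_code'], WIN32_ERRORS)}")


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT_5632)
    print(ev["computer"], ev["ssid"], describe_code(ev["reason_code"], ONEX_REASON_CODES))
    print(diagnose(ev))
```

If the first branch fires and the expectation is that the machine reaches the network before logon (for single sign-on or GPO processing), the fix is on the client profile rather than the server: set the profile's OneX authMode to machine-or-user so the computer credential is used until a user logs on.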
802.1x Authentication using Cisco Phone LSC and IAS 2003
I'm trying to authenticate Cisco 7975 phones using the LSC and Microsoft IAS 2003.
The CA was generated from the IAS server (Domain Controller) and was imported and used to generate the LSC that have now been deployed to the phones.
Does anyone know how to configure the IAS server to authenticate the phones?
Hi Saad,
Check this link to get info about EAP Types:
http://www.networkworld.com/article/2223672/access-control/which-eap-types-do-you-need-for-which-identity-projects.html
I would prefer to use EAP-TLS because of its security. In this type you need a certificate on both sides (client and server); you can also use AD to authenticate the user.
Regards
Don't forget to rate helpful posts -
Hi, I am new to Apple computers. I bought a used Power Mac G5. I want to buy a Bluetooth card for it so I can use a wireless keyboard and mouse, so why is it mandatory to provide the serial number of the machine?
Hello, Serial# not needed...
At the Apple Icon at top left>About this Mac.
Then click on More Info>Hardware and report this up to *but not including the Serial#*...
Hardware Overview:
Machine Name: Power Mac G5 Quad
Machine Model: PowerMac11,2
CPU Type: PowerPC G5 (1.1)
Number Of CPUs: 4
CPU Speed: 2.5 GHz
L2 Cache (per CPU): 1 MB
Memory: 10 GB
Bus Speed: 1.25 GHz
Boot ROM Version: 5.2.7f1 -
I use Windows Vista and Microsoft Outlook. After migrating to iCloud, the iCloud calendar transferred only part of my past calendar items to the folder iCloud Calendar in my Outlook. How can I transfer all the entries? On iCloud's site all of them are there.
If the calendar is on iCloud.com, all you would need to do to get it on your phone is go to Settings>iCloud on your phone, sign into your iCloud account and turn Calendars on. The iCloud calendars will then download to your phone.
-
Using ACS for Cisco Prime authentication
I'd like to use our Tacacs server running ACS to be the authentication method for user accounts in Prime, but don't even know where to start with this..
Any pointers?
The configuration on the Prime Infrastructure side is minimal: define the authentication server Prime is to use and select a mode for Prime Infrastructure to use with it.
Administration > AAA > TACACS+ Servers > add tacacs server.
Administration > AAA > AAA Mode Settings > tacacs+ and enable fallback to local.
The bulk of the configuration is on the authentication server side, particularly in defining groups, services and authorization tasks. This is covered in the "Performing Administrative Tasks" chapter of the Prime Infrastructure Configuration Guide, starting with the topic "Configuring ACS 5.x":
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1595935
"Configuring ACS 4.x"
http://www.cisco.com/en/US/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1625896
https://supportforums.cisco.com/docs/DOC-17909
In case it doesn't work, please get the logs from the ACS Reports and Monitoring for TACACS authentication and the error message shown while accessing Cisco Prime.
Jatin Katyal
- Do rate helpful posts - -
How can i deploy macbooks and 802.1x authentication using PEAP/MSChap version 2
How can I deploy MacBooks and 802.1x authentication for wireless connectivity using PEAP/MS-CHAP version 2? The cert is generated by a Windows 2008 CA. I am trying to get them to join, but the Mac doesn't seem to want to accept the cert. Can I not validate the cert and still have it join the 802.1x wireless network? The wireless network is using a Cisco 5508 wireless controller and Cisco 1142 access points. All works fine with Windows devices.
Hi Tarik,
Thanks for your answers,
I've attached my configured AuthZ rules and AuthZ profile for provisioning,
I want the process to be the same for iPhone, Android and Windows.
1) Connect to the SSID
2) Login using your AD credentials PEAP-MS-CHAP-v2
3) Redirect to device registration portal (So I can set a limit of 3 devices per employee)
4) As soon as the client clicks "register", no more redirects and PERMIT-ALL
I think that I don't need to rely on profiling because in terms of AuthZ policies it should be something like this:
1) if WIRELESS802.1x and PEAP-MS-CHAPV2 and BYODREGISTRATION=!YES (Unknown or not registered) then "Redirect to device registration (that is NSP, right?)"
2) if WIRELESS802.1x and PEAP-MS-CHAPV2 then PERMIT-ALL (no redirection)
3) everything else = DENY-ALL
But the NSP looks for Client Provisioning policies, so if I don't configure any policy it should Allow Network Access (see attachment photo3.png), but as I said in the post it shows that it cannot retrieve the MAC address, so the client can't register his device and doesn't have access to the network. (To grant access I've configured provisioning policies; that way the clients can register their devices, but they are redirected to Google Play or are forced to install the profile on iOS, and this is what I don't want because it is not necessary.)
What screenshot do you need after the registration? The Auth report?
Thank you very much for your time! -
Authentication Properties button not functional for 802.1x authentication
With version 4.52 for Windows XP, Build 7TCX26WW of ThinkVantage Access Connections, the 'Authentication Properties' button doesn't work for 802.1x for Ethernet. Has anyone else been experiencing this? Had to work-around by using the Windows Network Connections properties pages for the Ethernet device. Would be nice to have this utility working fully. Found it useful for someone who shifts from one work environment to another.
Thanks in advance.
Hi
Welcome To Lenovo Community
We are really sorry to hear about the issue you are facing,
Please try uninstalling Access Connections,
restart the unit, then download and install Access Connections from the link below:
http://support.lenovo.com/en_IN/downloads/detail.page?DocID=DS013683
Do give this a try and let us know
Hope This Helps
Cheers!!!
-
I have an RSA ACE server and would like to use it for console port and VTY port access. Does AAA support this and if so, what does the config look like? I have done it with ACS, but would like to try it just going directly to the RSA SecurID server and letting the server pop the login, and then I just poke in my passcode and token PIN. Anyone done this yet?
Very simple:
1. Install RSA Server on host A.
2. Install ACS server on host B.
3. Create an agent host on host A with host B's IP address.
4. Copy the sdconf.rec file over to the %Windows\system32 directory of host B.
5. Install the RSA agent software on host B.
6. Create an RSA user on host A.
7. Use the RSA test utility on host B to test authentication from host B over to host A.
8. Configure ACS to use RSA SecurID. Read the instructions on the Cisco web site, in the External database section.
9. Run the log monitor on the host A RSA server.
10. Try to log into a router.
11. Enter the username created in step 6; you should see that you are able to authenticate with the RSA SecurID and ACS integration.
Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on the RSA server. Next-PIN mode only works with RADIUS.
Easy right? -
802.1x Wired using EAP-TLS with Microsoft SCCM 2007
Hi,
I'm currently in the process of deploying 802.1x across 10,000 devices - Avaya IP phones, HP t510 thin clients and a mixture of WinXP SP3 and Windows 7.
The bombshell has been dropped that our desktop guys are going to use SCCM 2007 to manage/re-image PCs.
Can anyone point me to any useful info as to how SCCM works on a Wired 802.1x network with User and Computer certificate authentication??
The most basic query I have is this, if we re-image a PC, both User and Computer certs will disappear therefore 802.1x authentication will fail and the device subsequently drops off the network :-(
Any ideas or suggestions?
Many thanks,
Matt
Hello Matt-
The only other thing that I can think about is device enrolment via SCEP. However, that process will not be fully automated and it will require user intervention. In addition, you can create a "white list" authorization rule where you can temporarily and manually add/remove MACs. You can add the MAC(s) for the machine(s) that have to be re-imaged and then remove them when all is set and done. Other than that I am not aware of any other methods that you can use to do this.
Thank you for rating! -
Step by step instructions for recovering your system using ThinkVantage Rescue and Recovery
Official Instructions for using ThinkVantage Rescue and Recovery.
I installed Win 7 Pro 64 on my T400, ran TVSU and installed R&R 4.3. Fortunately, I didn't read those instructions first, or I might not have done it
Have you tried just installing R&R? If it needs anything else, it should ask for it during the install. IIRC, it does require the VCC+ package.
Z.
-
Best format for SSD when i use os x and windows
Which is the best format for my new SSD when I want to use OS X and Windows together? I mean, when I am in Windows, can I copy folders from Windows to OS X folders and conversely? Thank you for all info.
Before you do anything, make sure that anything you have on your external hard drive is moved somewhere else, as all information will be lost in this process. Then make sure it is plugged into your Mac.
Here's what you need to do next. If you click on your Macintosh HD on your desktop, then click on Applications. Then scroll down and click on Utilities. In there you need to click on Disk Utility. When this opens you need to select your external hard drive from the list on the left. Then on the tabs at the top click on Partition, but just leave it all as is except you need to change the format from Mac OS Extended (Journaled) to FAT32, then click Apply. It will then be OK for use on both Mac & PC, but be warned they don't like each other, so some stuff will work and some stuff won't. If it is formatted for FAT32 then the Mac will sometimes not read it through a wireless connection. (I am trying to figure this out at the moment and can't seem to get it to work.)
Good Luck -
Font problems using Adobe CS and Microsoft Office
I am having problems with using my installed fonts in software like Adobe CS and Microsoft Office. The fonts do not appear in the font lists of these programs, while they do appear in TextEdit (and in the Font Book).
I already did the following:
- disabling/enabling the fonts
- entering safe mode (cleaning the cache)
- cleaning the cache using a third party program (cannot recall the name)
- reinstalling OS X
Can somebody help me?
A little update.
Often when I boot my iMac and open, for example, Adobe Illustrator, not every font (original and newly installed) shows up in the program's font list, but sometimes all fonts do appear.
So this is a very strange phenomenon.
Problem is that I am working on a design for which I need to use custom fonts, but I can't. I'm stuck!
So please, can anybody help me? -
I currently use Snow Leopard with Microsoft Word, Excel and Entourage on my iMac. If I upgrade to Mavericks, can I still use those applications?
If the Microsoft Office is 2004 then no.
Mavericks system requirements:
http://support.apple.com/kb/ht5842
Note: I would recommend a minimum of 4GB RAM.
You need to check all your software and hardware, including any peripherals you use, printers etc., to make sure they are compatible with Mavericks.
Any software that is PPC and uses Rosetta will not work with any OS X version later than 10.6.8 Snow Leopard.
If you decide to upgrade, have a tested backup of your current system in case of problems, so you can return the computer to its previous configuration. -
Using Cisco ACS for Solaris login authentication
Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" is correctly doing this authentication stuff? Is there anything to specially consider?
Thanks, David
Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.