ACS Radius + Peap + MSChapV2

I am using a wireless setup
Aironet 1100, ACS 4.0, 3rd party Client adapter
I am able to connect to my wireless network by keying in the username & password created in the ACS user setup, and also by using a self-signed certificate from the ACS.
Doubts: In ACS logs - Radius accounting is empty.
Failed attempts.csv shows "Authen failed, EAP-TLS or PEAP authentication failed during SSL handshake"
But I am able to authenticate my users successfully into the wireless network. What went wrong?

Hi
Try enabling the Passed Authentications report and see what's in there. It could be that the failure is purely transient and rectified by a subsequent attempt.
For example, a re-key authentication requires SSL state on the ACS; it could be that the supplicant and ACS have to revert to performing a full authentication.
I'm guessing, but it is entirely possible to have entries in the failed attempts and still get access.
Darran

Similar Messages

  • How to ACS 5.0.0.21 Express integrate with Active Directory Standard 2003 and authenticate PEAP MSCHAPV2

    Hi:
    My name is Ivan, I have a trouble
    I have an ACS 5.0.0.21 Express, and I have to integrate it with Active Directory (AD) 2003 Standard. I should authenticate the users of the domain in the LAN with PEAP MSCHAPV2, using the following:
    Cisco WLC 4402 + Cisco ACS 5.0.0.21 + Active Directory
    I need to know if I should install a certificate in the ACS 5.0.0.21 or some remote agent installed in the AD.
    I put in the ACS an external database with the AD, and I already selected the users of the domain in the ACS Express.
    Please could you tell me all the steps to authenticate the users on the domain using the ACS Express and the Active Directory.
    I would like to know which configuration I have to do in my ACS Express to authenticate using PEAP MSCHAPV2.
    Regards
    Ivan

    See the below URL - multiple config guides on what you want to do:-
    http://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    HTH

  • PEAP-MSCHAPV2 problems

    Hi,
    I have a problem with PEAP-MSCHAPV2 authentication in combination with the Wireless Service Module and Cisco ACS 4.1 (and later I tested with IAS).
    When I use the Windows supplicant I can get no connection with my wireless network; when I use the Intel Pro client it works very well. The Windows supplicant asks for my user credentials every 5 seconds and in the log files of the RADIUS there is nothing to see.
    Can somebody help me with this problem ?

    Hi,
    Apply this MS hotfix.
    Regards,
    ~JG

  • Can we still use PEAP-MSCHAPV2 for authenticating to a WPA2-Enterprise network?

    L.S,
    For authenticating to a BYOD wireless network a lot of companies use WPA2-Enterprise connected to a Microsoft IAS/NPS server to authenticate against Active Directory. There seems to be a way to intercept this wireless traffic using a rogue access point using the same (company) SSID name and tools like freeradius-WPE and cloudcracker.
    If the BYOD client doesn't check the certificate provided by the fake RADIUS server, the MSCHAPv2 negotiation can be discovered and the hacker will get the username AND hashed password, which can be looked up by rainbow table sites like cloudcracker.
    Is there still a safe way to deploy AD-authentication to BYOD clients?
    Kind Regards,
    Arjen

    I have tested the WPA2-Enterprise/PEAP-MSCHAPv2 exploit this week placing a laptop in my car on the company parking lot with a Kali image, using hostap and freeradius-wpe configured with the company SSID. It was very easy to find out the MSCHAPv2 challenge/responses of a number of Android/Windows phones that were just walking past my car. Also iPhone has a bad WPA2-Enterprise implementation (see: http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf), so bye bye WPA2-Enterprise/PEAP-MSCHAPv2.
    Wonder what other (large) companies are using for their BYOD wireless networks! EAP-TLS using certificate sounds like the only feasible option, however, we are afraid that the enrolment of certificates to the BYOD-clients will be a total disaster. I heard stories that some android phones lose their client certificate after a reboot :(
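    The condition Arjen describes, a client that accepts whatever server certificate the network presents, is a supplicant configuration issue, so here is an added example (not posted by anyone in this thread) of two wpa_supplicant network blocks for the same PEAP-MSCHAPv2 SSID: one with server certificate validation switched off, and the hardened equivalent that pins the issuing CA and the RADIUS server name. The SSID, identities, CA file path and server name are assumed placeholder values.

```ini
# Added example for wpa_supplicant.conf (not from the thread).
# SSID, identities, CA path and server name are placeholders.

# WEAK: no ca_cert and no name check. The supplicant builds the PEAP
# tunnel to whatever RADIUS server answers behind an SSID called
# "CorpWiFi" and then sends the inner MSCHAPv2 challenge/response to it.
network={
    ssid="CorpWiFi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    identity="alice@corp.example"
    password="REPLACE-ME"
    phase2="auth=MSCHAPV2"
}

# HARDENED: same network, but the server certificate must chain to the
# company CA and carry the expected DNS name, so the MSCHAPv2 exchange
# only ever happens inside a tunnel to the genuine server. The outer
# identity is anonymised so the real username is not sent in the clear.
network={
    ssid="CorpWiFi"
    proto=RSN
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice@corp.example"
    password="REPLACE-ME"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

    With the hardened block, a server whose certificate fails the CA or name check causes the TLS handshake to abort before any inner credentials are sent; after editing the file, `wpa_cli reconfigure` reloads it on a running supplicant.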

  • Cisco ACS 5.4 + Anyconnect 3.1 NAM with 802.1x, problem with changing ACS Radius user password

    Dear all,
    Presently, we are testing 802.1x using Cisco ACS 5.4 and Cisco AnyConnect v3.1 as the 802.1x supplicant. We have created predefined NAM profiles (with Cisco Profile Editor) and applied them as default on our test machine. We are using PEAP (MSCHAPv2) and ACS local user credentials for the authentication process. We have noticed that, when we try to authenticate to the network with the predefined profile (network profile has Administrator Network privileges) and the Windows user on the test machine has no Admin privileges, we are not able to change the ACS user password (checked "Change password on next login" in the ACS user profile). In the Monitoring and Report View we get Failure Reason "24203 User need to change password" but no popup window appears in AnyConnect. When we change the Windows local user privileges to Admin or create the AnyConnect network profile locally (privileges User Network), then we are able to finish the process.
    Have you ever faced the problem described above? Is it an AnyConnect bug? How can we fix it?
    Best regards,
    Piotr

    If this happens with all machines, then a Microsoft guy could look at the app logs/privileges. It seems the app is requesting a privilege that it is not authorized for, and that's why the prompt window fails to appear. If we know what that privilege is we can probably fix it. If that privilege is not even required for smooth work, Cisco probably needs to fix this behavior.
    I am sorry if I am not able to help but I am not using the anyconnect for production.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems authenticating a W7 client at our enterprise WiFi network. XP, Apple clients and all smartphones work fine... We use RADIUS-assigned VLANs based on username and realm, routed on our Meru network to Navis RADIUS as the centralized point of
    authentication. Navis proxies client authentication requests to the customers' RADIUS servers based on the realm.
    The Windows 7 32-bit client uses the RADIUS CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer RADIUS is a FreeRADIUS. In the authentication logs we see that the client sends the machine name, e.g. Machine-x200/username@realm,
    even though in the client settings, under SSID Properties, Security, MS Protected EAP (PEAP), Settings and EAP-MSCHAPv2 Configuration, we have removed the tick on the default setting:
    Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, chosen User authentication only! (not user and machine, machine only or guest) and we have saved correctly username@realm (= username here) and password...
    in the username/password setting.
    Is it possible to edit or change the way the client PC is set up to prevent this?
    Is there any way to make a policy setting? Or are there other solutions?
    I have tested the Cisco: PEAP option too, but still no authentication from RADIUS.
    Thanks

    Hi,
    As I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select Microsoft: Smart Card or other certificate, click Configure, click OK, and then click Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Smart Card or other certificate, click the Move Up button to position a smart card or other certificate at the top of the list, click OK, and then click Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In Eap Types, click Add, click Secured password (EAP-MSCHAP v2), click the Move Up button to position the secured password authentication type at the top of the list, click OK, and then click Next.
    Regards,
    Sabrina
    TechNet Subscriber Support

  • PEAP-MSCHAPv2 & MAC-AUTH with WEP on same AP

    Hi,
    Is it possible to have PEAP-MSCHAPv2 authentication and MAC authentication against a central Cisco ACS on the same access point, on different SSIDs, without conflicting with each other?
    Thanks
    Jorge

    The answer would depend upon the configuration done on the AP.
    a) If you have configured VLANs on your AP, then you can set each SSID, map it to a VLAN, and accordingly configure encryption per VLAN.
    b) If there are no VLANs, then the two SSIDs would still work, but then you have to have the same encryption on both SSIDs.

  • Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

    Help!
    After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
    When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
    I have included a picture that describes my problem exactly:
    Does anyone have this problem? Can anyone help me?
    Thanks!

    The thing you and many others forget is that these forums are for those with problems. Those for whom the install works without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were a unique fault, this would mean a small fraction of the installed base.
    According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So let's go for one month's sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate, and that's if every topic is a different fault (which it plainly isn't).
    So I'm afraid your argument is even less convincing: a few people report your fault, and even if only 1% of the installed base uses it, it's still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit it's not Apple's finest hour, but it's certainly not bad for the overwhelming majority.
    Perhaps you could apply to be an Apple tester, to help solve this issue? It's better than standing on the sidelines complaining about everyone else's work, for certain.
    Or log a fault request, as it will get looked at, I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality.

  • ISSUE: Wifi and Enterprise Networks - No PEAP-MSCHAPv2 & PEAP-GTC support.

    Since owning my HP TouchPad I have not been able to connect to my school's WiFi network, making the unit a digital photo frame.
    The issue seems to be well documented across many forums with no acknowledgement from HP/webOS.
    A post from another forum:
    Davegarbs Wrote:
    At least for me, importing the cert did nothing, as WiFi appears to be broken with both PEAP-GTC and PEAP-MSCHAPv2. I have had a bug report open with HP for 3 weeks now and haven't heard a single word. I even captured a ton of logs from the device that I thought would help get things taken care of.
    The only way I found to fix this is to use wpa_cli to reconfigure wpa_supplicant with the proper config for your network. This HAS to be done right as you log into the network in the WiFi app. Judging by the following link, this has been a problem for a long time:
    Advanced Wifi - WebOS Internals
    I'll be really surprised if HP gets back to me, but I'll update this thread if/when I hear from them. 
    So there seems to be a fix, but some users might find that a little bit difficult.
    Can HP/Palm/webOS/Obama/Astronaut please fix this issue? It also seems to affect webOS phones.
    I can confirm both android and apple ipad/iphone/imac do not have this issue.
    I would like to be able to use my HP Touchpad to its full potential rather than just slide showing photos.
    Cheers
    Post relates to: HP TouchPad (WiFi)

    I'm in the exact same boat at Texas A&M Health Science Center. I seriously wonder if this is part of the reason they dropped the line. They released a product that can't function in business/school environments.

  • IBNS with two groups of XP Machines, one PEAP-MSCHAPv2 & one EAP-TLS

    Hello,
    I'm planning to implement an IBNS network. We have two groups of XP machines. One group has machine certs and we're planning to check their certs using EAP-TLS. The second group of machines is managed by other departments, each having their own Active Directory, and configured with PEAP-MSCHAPv2. I'm not very familiar with this kind of setup, so hints are highly appreciated.
    1. Can I assume that, when properly configured, we can differentiate the authorizations per group (for example, at least two VLANs, one for group 1 and another one for group 2; I must at least segregate the users per group and can't mix them in the same environment, since they belong to two different departments)?
    2. For the first group, no big issue. I can check against my central AD. For the users of the second group, since they can come from different departments, each having its own AD, can I differentiate them, by any means, to know which AD I'll have to query? Or do I have to query only one single AD? Is it required that all the users of group 2 belong to the same domain?
    Thanks in advance for your help.

  • FWSM user and administrator multi-contexts authentication under ACS radius

    Hi,
    I’m preparing the setup of an ACS radius server for FWSM-related authentication operations.
    FWSMs will be in release 2.2, inserted in Catalyst 6500 (MSFC – IOS), in routed mode, in multi-switch active / standby setup, with multiple contexts configured.
    User and administrator access management will be performed thanks to a radius ACS server.
    I intend to install ACS onto a hardened Windows 2000 Server SP4, using a local database.
    PDM 4.0 is needed in order to manage multiple-contexts on FWSMs.
    Are there any points I should be aware about such a configuration, especially regarding the user and administrator authentication access management setup ?
    The fact is that administrators will have to be defined and restricted to their own context, without privileges onto other contexts. Do you have feedback about such a setup or relevant information to point to me ?
    Many thanks in advance for your attention.
    Best regards,
    Arnaud

    Each of the contexts will behave like an individual firewall for your purposes here. So, they each get an AAA config, and you could put them into their own groups for access control. Protect the Admin context especially well; it controls system resources for the others. Depending on how many FWSMs you have, you may want to look into the PIX MC, which is similar to PDM, but works for multiple FWSMs. It is a part of CiscoWorks VMS.
    -Paul

  • Unable to move between PEAP (MSCHAPv2) to WPA2 Personal

    I just started to have a problem changing from my wireless network at work to my home network. At the office, I authenticate using PEAP (MSCHAPv2) and connect just fine. I put the computer to sleep, to go home and when my MBP tries to connect to my WPA2 Personal wireless at home, it times out. The only way to make the connection work is to reboot. It will then connect perfectly. For the record, I don't have the problem in the other direction, meaning that I can go from WPA2 Personal to PEAP seamlessly.
    Thanks for any help!
    Message was edited by: BocaBoy

    No great ideas here, but you could try removing wireless protection from home for a brief period of safe use; resetting the router; and then setting up WPA2 again.

  • Migrate WPA2 to ACS RADIUS

    Hello Guys Again me I hope you can help me as well
    I'm working with five SSIDs; they're using WPA2 with PSK. I want to migrate to 802.1x authentication, so I'm going to set up an ACS RADIUS.
    I have some remote offices and they're working with WPA2 and PSK.
    My question is: what happens if I migrate these SSIDs to 802.1x? Will my remote users be able to join at one SSID? And what happens if my RADIUS goes down? Right now, if my WLC goes down, my remote APs still work and accept new clients. But if I change this authentication method, will they work as they do now?
    And what happens with my local users if my RADIUS goes down?
    Thank you everyone

    Dear Scott, as well, I really appreciate your help, and Abhishek.
    One more question. I'm really concerned about this migration: right now I have a WLC 4402 with 1131AG APs; these APs have IOS version 12.4(3g)JA and the APs are working as LWAPP. I found on the Cisco page this matrix:
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
    My new 5508 has version 7.2.103; that matrix says I need as a minimum 12.4(25e)JA. So... I'm not sure if I need to upgrade the IOS version on my APs.
    I was reading the 7.2 configuration text for the 5508 and in some part of the text it says this:
    The WGB can be any autonomous access point that supports the workgroup bridge mode and is running Cisco IOS Release 12.4(3g)JA or later releases (on 32-MB access points) or Cisco IOS Release 12.3(8)JEB or later releases (on 16-MB access points). These access points include the AP1120, AP1121, AP1130, AP1231, AP1240, and AP1310. Cisco IOS releases prior to 12.4(3g)JA and 12.3(8)JEB are not supported.
    I know it is talking about WGB, but can I read between the lines that an AP with IOS version 12.4(3g)JA should have no problem joining the new controller?
    This part of the document makes me guess I don't have to do anything.
    Thanks!!

  • E6 EAP-PEAP MSCHAPv2 authority certificate

    I am unable to connect to our company WLAN. I tried various username/domain/realm combinations for the EAP-PEAP MSCHAPv2 settings but it keeps giving the message "authentication failed". Our company does not have an authority certificate and hence I select "not defined". I was told by our network admin that Nokia phones have this problem that they cannot connect without an authority certificate.
    Is there any workaround? I tried exporting an interim certificate of our company from my laptop but to no avail. Please help.

    If there is an actual workaround to get EAP-PEAP MSCHAPv2 to use with WLAN for Eduroam, that would help me and many other people.
    Maybe Nokia has not built it into Nokia E6 phones.
    But if there would be an update for Belle OS to use this security authentication with WLAN that would help as well.
    greetings
    IT Support, helpdesk (not for Nokia).
