Alternatives to MS workstation authentication certificates for 802.1x?

Similar Messages

• Cisco ISE User Authentication Certificates for Wired and Wirless Users (BYOD)

  Can any one tell me from where we can purchase User Authentication Certificates for Wired and Wireless Users (BYOD) for Cisco ISE. Also Confirm what certificates we required for the purpose.
  Please suggest the Website form where we can purchase and ipmort in Cisco ISE certificate Section.
  Thanks.

  Dear Mohana,
  Thanks for your reply, Can you please confirm me in regards EAP-TLS certificate, which authorities you recomend if i go to Go dadday or very Sign to buy it and then import in ISE.
  Looking forward for your reply.
  Regards,
  Muhammad Imran Shaikh
  Resident Engineer, IT Network Section - PPL
  Mobile : 0092-312-288-1010
  LinkedIn : pk.linkedin.com/pub/muhammad-imran-shaikh/10/471/b47/

• Lost my Certificate for 802.x authentication

  Somehow my Active Directory setting for my cerificate is missing. I had a vendor install this originally and I thought it was on the Raidus server somehwere but it is nowhere to be found. I know that because computers that don't have it tell me it is missing and it can't authenticate. If I create another cert on the same Radius server will it match the original or do I have to basically install a whole new and push that out etc.? I am using the self signed one out of the Windows Resource kit as per teh Ultimate Guide to Wireless on TechRepublic.
  thanks
  Gary

  You can regenerate a cert for the user on AD and push it via a GPO. I don't have the procedure under my hand but that should be easily documented on microsoft side. The radius server will have no role in this

• Creating a certificate for 802.1x wireless access....

  I know this is a complicated issue.  We are trying to setup 802.1x access to our corporate WiFi using computer identity with certificates.
  The video provided by apple here: http://www.apple.com/education/resources/information-technology.html#authenticat ion_on_mac at the 3:04 mark the instructors talk about importing a computer identity certificate into the key chain but doesn't mention how it's generted in the first place.
  This is where we are stuck.
  When we think about generating the proper certificate and click on Configure under Authenticition with TLS checked we get the following:
  No Certificates Found...
  We are using a Microsoft Windows Server 2008 Certificate Authority server as our in house certificate server.
  Any help would be greatly appreciated.  Thanks in advance!
  -Paul

  step 1a create Wirelesscert.mobleconfig with the following changing the defaults to match your needs
  The "Certtemplate key" must match the name of the Cert template on the server.
  You can use the same machine cert template as the PCs. use UUID are done in the next step
  CertServer Key use http or https depending on you cert server config
  Generic config file sortof :
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <dict>
          <key>PayloadContent</key>
          <array>
              <dict>
                  <key>CertServer</key>
                  <string>https://Server.domain.name/certsrv</string> 
                  <key>CertTemplate</key>
                  <string>Your_Computer_template_name</string>
                  <key>PayloadDisplayName</key>
                  <string>Enter_your_name_fort_the_policy</string>
                  <key>PayloadIdentifier</key>
                  <string>Create_payload_ident</string>
                  <key>PayloadType</key>
                  <string>com.apple.ADCertificate.managed</string>
                  <key>PayloadUUID</key>
                  <string>Change-me-to-a-new-UUID</string>
                  <key>PayloadVersion</key>
                  <integer>1</integer>
                  <key>deleted</key>
                  <false/>
              </dict>
          </array>
          <key>PayloadDescription</key>
          <string>Enter_Description_here</string>
          <key>PayloadDisplayName</key>
          <string>Enter_Display_name</string>
          <key>PayloadIdentifier</key>
          <string>Enter_paylode_name</string>
          <key>PayloadOrganization</key>
          <string>Enter_paylode_orgname</string>
          <key>PayloadRemovalDisallowed</key>
          <false/>
          <key>PayloadType</key>
          <string>SystemConfiguration</string>
          <key>PayloadUUID</key>
          <string>Change-me-to-a-new-UUID</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
      </dict>
      </plist>
  Step 1b. Create two UUID on the mac command shell past into the file replace Change-me-to-a-new-UUID with two different UUIDs
  the command is "uuidgen" You must run uuidgen once for each number. Paste the resulting numbers into Wirelesscert.mobleconfig
  This must be done for every computer you install the policy on so that they are Unique to that computer.
  Do these steps in a local machine admin account  not logged into the domain
  step 2. In Lion 7.2 (only) Turn off the Cert checking to prevent a endless loop  (a known bug should be fixed in a update)
     a. open Key Chain Access
     b. Click on Keychain Acess in the apple tool bar
     c. Select Preferences
     d. Select the Certificates Tab
     f. Turn off OCSP and CRL   ( this can be turned back on after you get the Cert from ad)
  Step 3 Connect using safari to you Microsoft AD certificate server and trust the locally self signed Cert
  Step 4 copy Cert in key chain from user to system
  Step 5 open a shell for steps 6 and 7
  Step 6 type Sudo kinit -k (machinenamelowercase)$    ! the dollarsign is appended to the computer name
  Step 7 type klist -l   ! verify that a ticket in kerberos is listed under the machine name
  Step 8  double click on the file Wirelesscert.mobleconfig to import the profile and create the Certificate
  Step 9  Verify in the Key Chain that you have a system Certificate
  In the network wireless click on the Join the ssid  
  Mode is EAP-TLS
  Identity X509 Certificate  (the one just created)
  Username: host/(Your_Macs_Fully_qualified_name)
  I hope this helps now I now have a Cert from ad on the machine and I think when it expires the plugin will renew.
  Read the Original document this is based on at http://support.apple.com/kb/HT4784
  I just need to figure out how to set a policy that uses the Cert on the machine
  Message was edited by: daveBoxElderSD

• How to export/import the certificates for/from 'Partner company' step-by-step in exchange 2013

  Dear  EXCHANGE EXPERTS,
  I am a newbie in "Exchange World" and I try hard to learn and figure out how Exchange messaging works.
  Sometimes the searches for information are gratified with wonderful articles and blogs, but sometimes days of searches bring you nothing but tiredness.
  I cannot find a clear information (step-by-step) how to exchange the certificates with the Partner company for TLS mutual communication in Exchange 2013.
   I would appreciate the help of experts.
  Vi

  Hello
  "You can do it on several ways. If both organizations are using publicly trusted certificate on Exchange servers, you are good to go. If that’s not the case you will have to cross-import Root CA certificates on both sides. Alternatively, you can also
  issue certificates for SMTP for both Exchange organization from a single trusted RootCA. Anyway, the point is that each Exchange server must trust the certificate installed (and assigned to SMTP service) on another Exchange server"
  'Trusted Root Certification" -->yes /local computer/
  if your company and partner company have a public cert and assigned to smtp service not need do
  anything with cert.
  if not have public cert but have cert from own internal ca booth company, you need
  cross-import Root CA certificates to exch servers and is ok. you send root ca caert to company and partner company send  his own root  certificate and that inport to local computer 'Trusted Root Certification"
  store on exch server.
  if not have internal ca only self signed you need send self signed cert
  sorry my english

• Use smart card for 802.1x secured WiFi authentication

  Hi,
  is it possible to use a certificate stored on a USB Security Token for WiFi 802.1x authentication?
  I have setup a test environment with all required components (AD, Enterprise CA, NPS, WPA2-Enterprise capable WiFi Access Point, all required certificates, all Server 2012 R2 / Windows 8.1 Pro) and created a user certificate for WPA2-Enterprise secured
  WiFi access (802.1x). Everthing works fine as long as the user certificate is stored in the local certificate store of the user's client computer: The user can connect to the WiFi network and the NPS logs show that the user has been authenticated correctly
  and granted access.
  To test this scenario with a Smart Card (Safenet USB Token), I stored that same user certificate on the token (incl. private key). The Safenet software on the client computer automatically makes the certificate stored on the token available in the local
  certificate store as soon as the token has been plugged in (checked via MMC Certificates snap-in). But the certificate can't obviously be used for the desired WiFi authentication: If I try to connect the secured WiFi (the same as in scenario 1) the connection
  fails.
  As I'm using exactly the same certificate in both scenarios, I don't think there's anything wrong with the settings in the certificate, the NPS or any other infrastructure component. The reason for failure in scenario 2 must be lying somewhere in either
  the local client computer configuration or in the Safenet software on the client computer.
  I'm very familiar with all the PKI and authentication stuff, but I'm new to smart cards. Are there differences between different types of smart cards and for what purpose one can use them? (USB tokens, chip cards, virtual tokens, etc.?)
  Has anybody experience in creating a 802.1x secured WiFi access with smart card based user certificates who could advise?
  Thanks + Best Regards
  Matt

  Hi,
  I found some links form technet site which can be helpful in this case
  Network access authentication and certificates
  http://technet.microsoft.com/en-us/library/cc759575(v=ws.10).aspx
  Enable smart card or other certificate authentication
  http://technet.microsoft.com/en-us/library/cc737336(v=ws.10).aspx
  Quote:
  Client certificate requirements
  With EAP-TLS or PEAP-EAP-TLS, the server accepts the client authentication attempt when the certificate meets the following requirements:
  The client certificate is issued by an enterprise CA or mapped to a user or computer account in Active Directory.
  The user or computer certificate on the client chains to a trusted root CA, includes the Client Authentication purpose in EKU extensions (the object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2), and fails neither the checks that are performed
  by CryptoAPI and specified in the remote access policy nor the Certificate object identifier checks that are specified in IAS remote access policy.
  The 802.1X client does not use registry-based certificates that are either smart card-logon or password-protected certificates.
  For user certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN).
  For computer certificates, the Subject Alternative Name (SubjectAltName) extension in the certificate must contain the client's fully qualified domain name (FQDN), which is also called the DNS name
  Yolanda Zhu
  TechNet Community Support

• Cisco ISE and authentication for 802.1x printer

  Hello
  What is the best practice to authenticate a 802.1x printer in Cisco ISE?
  The printer can store a certificate for authentication and support EAP-TLS.
  Thanks for answer.
  Marco

  EAP-TLS is the way to go. It is way way way more secure than MAB and profiling. However, the question is "How much of a hassle is it going to be to put a certificate on each printer?" Moreover, "What methods do I have (if any) to renew those certificates when they expire?" If have to manually generate a CSR and install a cert on each printer then it can quickly become an administrative overhead nightmare. With that being said, you can use MAB and profiling but just make sure that you lock down the access that those printers get. For instance, do they need access to the internet? Do they need access to anything else but the print server and/or open to all IPs access but only on the printing ports. 
  I hope this puts you in the right direction!
  Thank you for rating helpful posts!

• New server and/or CA certificate for connection from custom authentication

  We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
  I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
  My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
  Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
  Relevant things I've tried so far:
  Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
  Import the IPS CA into the web server cert8 style db via the web admin server.
  The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related error. It almost seems like the URLConnection object ends up using a HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non SSL service running on CAS. The same code pointed to the server running the verisign cert works as expected.
  Part of the stack:
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
  [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
  The relevent bit of code from the SecureURL.retrieve looks as follows:
  URL u = new URL(url);
  if (!u.getProtocol().equals("https"))
  throw new IOException("only 'https' URLs are valid for this method");
  URLConnection uc = u.openConnection();
  uc.setRequestProperty("Connection", "close");
  r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
  String line;
  StringBuffer buf = new StringBuffer();
  while ((line = r.readLine()) != null)
  buf.append(line + "\n");
  return buf.toString();
  } finally { ...
  The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
  Thank you very much for any insights and help,
  Ethan

  I thought since this has had a fair number of views I would give an update.
  I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
  root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
  certutil: certificate is valid
  root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
  certutil: certificate is invalid: Certificate type not approved for application.
  root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
  root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
  FSU Wildcard Certificate : Certificate type not approved for application.
  So it could be that I don't understand how to use the certutiil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
  BTW for those interested, it did seem to be the case that when the certificate failure occurred that the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out misformed URL, but it seemed that the URLConnection implementation in the amserver would swapped traffic over cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way exposing sensitive information to the network.
  This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by java.protocol.handler.pkgs=com.iplanet.services.comm argument passwd to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know, there maybe reasons why the amserver wants it own handler. I only noticed that this is what was going on when I as casting the httpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows if there is a reason not to use sun.net.www.protocol with the amserver.
  After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused" which is what lead me to the above questions about certutil.

• Why Unable to identify a user for 802.1X authentication (0x50001)?

  Hello, 
    We are trying to set up wifi single-sign-on. When logging to a laptop get a message
  "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users" and after that we are logged in to a laptop and successfully connected to Pivot_Users wifi network.
  Server: windows server 2003 (with all updates)
  laptop: windows 7 professional SP1 (with all updates)
  When looking to event log i found this error:
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          2012-10-10 10:38:01
  Event ID:      5632
  Task Category: Other Logon/Logoff Events
  Level:         Information
  Keywords:      Audit Failure
  User:          N/A
  Computer:      sba01-nb
  Description:
  A request was made to authenticate to a wireless network.
  Subject:
  Security ID:                
  Account Name:                -
  Account Domain:                -
  Logon ID:                0x0
  Network Information:
  Name (SSID):                Pivot_Users
  Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
  Local MAC Address:        C4:85:08:12:77:44
  Peer MAC Address:        00:24:97:83:8E:61
  Additional Information:
  Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
  Error Code:                0x525
  EAP Reason Code:        0x0
  EAP Root Cause String:        
  EAP Error Code:                0x0
  Event Xml:
    <System>
      <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
      <EventID>5632</EventID>
      <Version>1</Version>
      <Level>0</Level>
      <Task>12551</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8010000000000000</Keywords>
      <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
      <EventRecordID>37791</EventRecordID>
      <Correlation />
      <Execution ProcessID="760" ThreadID="2224" />
      <Channel>Security</Channel>
      <Computer>sba01-nb</Computer>
      <Security />
    </System>
    <EventData>
      <Data Name="SSID">Pivot_Users</Data>
      <Data Name="Identity">
      </Data>
      <Data Name="SubjectUserName">-</Data>
      <Data Name="SubjectDomainName">-</Data>
      <Data Name="SubjectLogonId">0x0</Data>
      <Data Name="PeerMac">00:24:97:83:8E:61</Data>
      <Data Name="LocalMac">C4:85:08:12:77:44</Data>
      <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
      <Data Name="ReasonCode">0x50001</Data>
      <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
      <Data Name="ErrorCode">0x525</Data>
      <Data Name="EAPReasonCode">0x0</Data>
      <Data Name="EapRootCauseString">
      </Data>
      <Data Name="EAPErrorCode">0x0</Data>
    </EventData>
  </Event>
  Thank you for answer and help.
  Regards, 
    Tadas

  Hi,
  Thanks for your post.
  Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure the 802.1X to user only authentication.
  Here is the process that is followed.
  1. As soon as client is connected to the network the Authenticator (switch) periodically sends EAP request packet/frame to the client/supplicant.
  2. The client has to respond back with an identify and if its configured only for User authentication then it will send blank identity.
  3. The Authenticator cannot validate and the authentication would fail.
  4. Windows client is configured for a block time of 20 min. So, once the authentication fails the NIC card will go in block time for 20 min until there is a change in credentials. So, even if the authenticatior(swithch) is periodically sending EAP request
  it will just ignore them
  5. You will see event 15506 after the event 15514.
  Here’s the technet that you we can refer for the reason code : Reason: 0x50001 that we see in the event 15514
  http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
  0x50001 = Dec 327681
  Reason code:  327681   Event log message:  The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to “User” but no user is logged on.]   # def name: 
  ONEX_UNABLE_TO_IDENTIFY_USER
  Best Regards,
  Aiden
  Aiden Cao
  TechNet Community Support

• Radius server for 802.1x port authentication

  Does anybody know if CiscoSecure for Unix version 2.3.6.2 can be used as a Radius server for 802.1x port authentication? I know the Windows version will do this and can be configured to assign a user to a specific VLAN, but can the UNIX software do the same?
  Thanks

  Check connectivity between the PIX and the server.
  If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
  aaa-server group_tag (if_name) host server_ip key timeout 5
  If you are using TACACS+, verify that the PIX and server are communicating on the same port (Transmission Control Protocol (TCP)/49).
  If you are using RADIUS, verify that the PIX and server are communicating on User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server is using port 1812, verify that the PIX is using software version 6.0 or later, and then issue the aaa-server radius-authport 1812 command to specify port 1812.
  Ensure that the secret key is correct.
  Check the server logs for failed attempts. All servers have some kind of logging function.

• Authentication Properties button not functional for 802.1x authentication

  With version 4.52 for Windows XP, Build 7TCX26WW of ThinkVantage Access Connections, the 'Authentication Properties' button doesn't work for 802.1x for Ethernet.  Has anyone else been experiencing this?  Had to work-around by using the Windows Network Connections properties pages for the Ethernet device.  Would be nice to have this utility working fully.  Found it useful for someone who shifts from one work environment to another.
  Thanks in advance.

  Hi
  Welcome To Lenovo Community
  We are really sorry to hear about the issue you are facing,  
   Please try uninstalling the Access Connection   
  Restart the unit, download and install Access Connection from below link
  http://support.lenovo.com/en_IN/downloads/detail.p​age?DocID=DS013683
  Do give this a try and let us know  
  Hope This Helps
  Cheers!!!
  WW Social Media
  Important Note: If you need help, post your question in the forum, and include your system type, model number and OS. Do not post your serial number.
  Did someone help you today? Press the star on the left to thank them with a Kudo!
  If you find a post helpful and it answers your question, please mark it as an "Accepted Solution"!
  Follow @LenovoForums on Twitter!
  How to send a private message? --> Check out this article.
                          English Community   Deutsche Community   Comunidad en Español

• What is the option client certificate for user authentication used for?

  Hi All,
  I have to work on a FTPS - XI -SAP scenario.
  I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. what exactly is this option used for?
  P.S: I went through sap help but couldnt quite understand.

  Thanks a lot Mark.
  So for a FTPS -> XI -> SAP scenario the following settings are required.
  1. I have to create a certificate in Visual Admin for the XI server , send a csr to a CA and get it signed by them, and i have to add this to the ssl_service view.
  2. I have to hand over the public key to the FTPS server & this key will be used for encryption of the file
  the above 2 steps are mandatory.
  If i choose to use the client certificate option , i have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
  Will this certificate be used for encryption?
  To make it clear let me put it this way. The certificate created in the XI Server is used for encryption and also for ascertaining that the its what it claims to be.
  The clients certificate option is used only to make sure that the client is what its claiming to be & this is not used for encryption?

• How can i specify a specific certificate for client authentication

  hi all,
  i'm currently using a pkcs11 smartcard device to authenticate aigainst a directory server from java.
  everything works perfectly when using cards with the authentication certificate as the first in the keystore.
  unfortunately the cards i need to handle can have both auth or sign as first certificate.
  is there a way to select explicitely which certificate to present during the ssl handshake ?
  thanks a lot in advance

  Look into the following:
  -- page protect property of the repeating frame
  -- Maximum number of records per page property

• Cisco ISE for 802.1x (EAP-TLS)

  I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
  I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
  I will use Cisco 2900 series switches on the access layer and a few HP switches as well which supports 802.1x.
  I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (Certificate Based). All the workstations on the domain needs to authenticate itself using the certificates issued to it by the Certificate Issuing Authority.
  I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
  I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are  overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
  My email: [email protected]
  Cheers,
  Krishil Reddy

  Hello Mubashir,
  Many timers can be modified as  needed in a deployment. Unless you are experiencing a specific problem  where adjusting the timer may correct unwanted behavior, it is  recommended to leave all timers at their default values except for the  802.1X transmit timer (tx-period).
  The tx-period timer defaults to a value of 30 seconds.  Leaving this value at 30 seconds provides a default wait of 90 seconds  (3 x tx-period) before a switchport will begin the next method of  authentication, and begin the MAB process for non-authenticating  devices.
  Based on numerous deployments, the best-practice  recommendation is to set the tx-period value to 10 seconds to provide  the optimal time for MAB devices. Setting the value below 10 seconds may  result in the port moving to MAC authentication bypass too quickly.
  Configure the tx-period timer.
  C3750X(config-if-range)#dot1x timeout tx-period 10

• ISE 1.2, Supplicant configured for 802.1x but need to MAB

  I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
  If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
  Does anyone have any similoar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
  Thanks in advance

  Maybe the held-period and quite-period parameters would help.  I would not change the TX period to anything shorter than 10 seconds.  Every cisco doc that I have ever seen has said this same recomendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you dont want them to if you decrease lower than 10 seconds. 
  Read this doc for best pratices including the timers listed below.  
  I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
  If not goto www.ciscolive365.com (signup if you havn't already) and search for
  "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
  Change the dot1x hold, quiet, and ratelimit-period to 300. 
  held-period seconds
  Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
  quiet-period seconds
  Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
  following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
  ratelimit-period seconds
  Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated For the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.