AP1242-ag as a supplicant

Similar Messages

• Using AnyConnect as wireless supplicant

  Hello All,
  I used to utilize CSSC as a wireless supplicant on my machine when I had windows XP.
  I tried yesterday to install it on windows 7 (I tried vista version) but it does not seem to work with windows 7.
  I was searching and I found somewherein this forum that CSSC is being deprecated and the anyConnect is bieng used to connect to the wireless networks as supplicants.
  I was able to install the NAM (Network Access Manager) from which I can configure the wireless network profiel and generate a xml file.
  The question is: where should I use this xml file? what is the exact program that should I use to import this file?
  When I try to install AnyConnect Secure Mobility client to my machine it jus tappears on the taskbar  saying that web-security service is not running (I tried to install web-security but it asks for a license by then).
  can anyone tell me how can I use the anyConnect as a supplicant for the wireless?
  I tried to search for some docs but none helped.
  Many thanks.
  Amjad

  Hussam,
  Why would you not suggest the benefits of Anyconnect NAM, it is CSSC's successor.
  Back to the original thread, here are the install directions when installing NAM, you can just install the msi you have to install the secure mobility client package first.
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac02asaconfig.html#wp1601325
  So basically you have to install the core module which is the vpn client, then you can install the optional modules, whicn for you will be the NAM.
  Thanks,
  Tarik Admani
  Please rate helpful posts

• ISE 1.2, Supplicant configured for 802.1x but need to MAB

  I posted this yesterday but deleted the thread thinking I had fixed the issue - alas I was wrong. In summary I have a scenario where I am doing wired 802.1x and also wired MAB/CWA. The issue is that a certain number of external/BYOD hosts have supplicants configured for 802.1x at their "home" organisations which for obvious reasons can't authenticate on this network. The idea is that MAB and CWA become a fallback but these hosts in question don't efficiently fail to MAB.
  If the host has validate server certificates enabled (and doesn't have our root selected) then 802.1x fails and goes to MAB as per the tx timers etc. Hosts that don't validate certificates essentially fail authentication, abandon the EAP session and start new... this process seems to continue for a very long time.
  Does anyone have any similoar experiences and if so can you provide some info? I am looking into tweaking 802.1x port timers to make this fail quicker/better but am not confident this will fix the issue.
  Thanks in advance

  Maybe the held-period and quite-period parameters would help.  I would not change the TX period to anything shorter than 10 seconds.  Every cisco doc that I have ever seen has said this same recomendation and I can tell you from experience you will have devices at times that will authenticate via MAB when you dont want them to if you decrease lower than 10 seconds. 
  Read this doc for best pratices including the timers listed below.  
  I hope this link works.  http://d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKSEC-3698.pdf
  If not goto www.ciscolive365.com (signup if you havn't already) and search for
  "BRKSEC-3698 - Advanced ISE and Secure Access Deployment (2014 Milan) - 2 Hours"
  Change the dot1x hold, quiet, and ratelimit-period to 300. 
  held-period seconds
  Configures the time, in seconds for which a supplicant will stay in the HELD state (that is, the length of time it will wait before trying to send the credentials again after a failed attempt). The range is from 1 to 65535. The default is 60.
  quiet-period seconds
  Configures the time, in seconds, that the authenticator (server) remains quiet (in the HELD state)
  following a failed authentication exchange before trying to reauthenticate the client. For all platforms except the Cisco 7600 series Switch, the range is from 1 to 65535. The default is 120.
  ratelimit-period seconds
  Throttles the EAP-START packets that are sent from misbehaving client PCs (for example, PCs that send EAP-START packets that result in the wasting of switch processing power). The authenticator ignores EAPOL-Start packets from clients that have successfully authenticated For the rate-limit period duration. The range is from 1 to 65535. By default, rate limiting is disabled.

• ISE 1.2 - MAB Guest and MAB Supplicant Provisioning

  In short trying to provide a configuration whereby a Guest utilises MAB and a set of sponsor created credentials to gain access to Internet via the portal. In addition to this I am also trying to provide MAB for "Corporate BYOD" utilising AD credentials resulting in supplicant provisioning. I am aware of other ways of doing this in terms of utilising PEAP and a NSP redirect but in this instancemy only real option is MAB. Could anyone provide me with an example of how they have approached this situation.
  I tried to to do CWA redirect for both use cases but provided a separate "2nd auth" for each of them. My BYOD 2nd auth was the actual NSP redirect - which worked except the MAC address could not be populated into the field (See flow below for BYOD redirect).
  MAB > CWA Redirect (AD credentials) > "2nd Auth"  = NSP Redirect

  Please disregard I have it fixed. Long story short I was over engineering it. I was unaware that ISE was able to differentiate between Guest users and other users with regards to the "Enable Self Provisioning flow".
  Thanks

• ISE 1.2 - CWA supplicant provisioning with anchor WLC

  Hi all,
  Having an issue with supplicant provisioning via CWA on an anchor controller. I am able to connect via CWA and authenticate etc no problems but when the device registration page appears it says "unable to connect to the network at this time" - the mac address is populated but the button says try again. Once I click try again it cycles back to the original guest portal login page. In the reports section the failed supplicant provisioning message is "Error while trying to determine access privileges: Fail to get hostName from session cache.".
  I have tried the same policy without the anchor (ie local controller) and it works perfectly. Interestingly enough if I manually register the device first then connect to the guest portal it allows me to click register and proceed to supplicant provisioning. I have also tried the anchor setup using peap and the NSP redirect - this also works perfectly.
  I can confirm ahead of time that firewalls etc are not an issue with permit IP any any between all working parts - no blocks no drops etc. The policy is the standard trustsec CWA setup with Enable self-provisioning ticked. For what it is worth I am absolutely confident with the config having deployed this before - albeit without an anchor controller.

  Stephen,
  I was able to work with TAC the customer account team to find a resolution.  The issue is with the Anchor WLC and the session not being replicated.  I was able to get around it by disabling radius accounting for the ssid on the anchor controller, but when looking at the bug it looks like an alternative fix is to disable fast ssid switching, which would cause issues with BYOD in the dual ssid world.  I'm still doing testing, but the accounting change seems to have solved it.  The bug ID is: CSCui38627

• Inactive Windows 7 supplicant tries to reauthenticate every 4 to 10 minutes in Cisco ISE 1.2.1.899

  Hi,
  We have a dashboard windows 7 supplicant which is being used to monitoring the network activities. There is noone working with this supplicant so it goes inactive.
  What we see in our ISE log, is the supplicant trying to reauthenticate itself every 4 to 10 minutes. It goes on like this the whole day. We dont want this continous behaviour afterall.
  Swith port configuration looks likt this:
  interface FastEthernet0/31
  description 802.1x Poort
  switchport access vlan xxx
  switchport mode access
  switchport nonegotiate
  switchport voice vlan xxx
  no logging event link-status
  priority-queue out
  authentication control-direction in
  authentication host-mode multi-domain
  authentication order mab dot1x
  authentication priority dot1x mab
  authentication port-control auto
  authentication timer inactivity 120
  mab
  no snmp trap link-status
  dot1x pae authenticator
  dot1x timeout quiet-period 300
  dot1x timeout tx-period 10
  dot1x timeout supp-timeout 300
  dot1x max-reauth-req 3
  dot1x timeout held-period 300
  dot1x timeout auth-period 3
  no mdix auto
  storm-control broadcast level 10.00
  storm-control multicast level 10.00
  no cdp enable
  spanning-tree portfast
  service-policy input xxxx
  end
  Has anyone got this same issue? Is this an normal behaviour of an Idle'd supplicant? or other issue around ISE/Switch? Are there any switch configuration we missing to get rid off this behaviour?
  ISE Version: 1.2.0.899
  Patch Information: 5,6,8
  Help would be much appreciated

  Hi Jan,
  Thank you for your reply. Indeed those timer values were not covered in the ISE design guide. We have implemented this timer to tweak the standard design. However we have finally discovered the solution for this issue.
  "authentication timer inactivity 120" was the route cause of the issue. So when a workstation goes to idle, ISE tries to re-authenticate after 2 minutes because of this switch port configuration.
  We have tried to expand the timer to 3600 and it worked, issue fixed. But you will have then every one hour the same result (not a big issue).
  And yes, we have deleted all those timer values to keep the configuration simple as possible. Now we don't have the issue anymore.

• Windows XP built-in 802.1x supplicant problem

  Hi, we are deploying PEAP for wireless access, we had no problem to get this working with laptop vendor supplied wireless management software (which includes 802.1x supplicant), but when I switch to Windows Zero configuration and let Windows XP management wireless, the laptop can not associate with wireless SSIDs, back end Radius server (MS IAS) log shows that user (with AD credentials) is successfully authenticated, but Windows XP supplicant seems did not receive authentication successful response from Radius server, and keeps retrying and finally gives up. Any idea what is going on with Windows XP dot1x supplicant? Laptop is running XP SP3.

  Not exactly sure what could be the problem. It should be working - it's definitely supported (I'm currently typing this via a XP SP3 machine using PEAP WPA2/AES via WZC). The only things I can think of to check are:
  - Make sure your wireless drivers are up to date *this is a must*
  - Make sure the other supplicant is completely disabled (uninstall it if you really need to rule it out)
  - Try disabling the server certificate check in the WZC profile for this network (do you know for sure that your laptop trusts the IAS server's certificate)?
  - Are you doing machine or user authentication for PEAP - make sure you have the WZC profile properly configured
  - Are you 100% sure that you've configured everything properly for the network (WPA vs WPA2? AES vs. TKIP? etc.)

• Auth-Fail Feature and Windows 802.1x Supplicant Compatibility

  As per Cisco IOS design when authentication fails the switch sends a simulated EAP-Success message to the client so that DHCP can be implemented by the client. Taking into consideration the dot1x auth-fail command is configured.
  However we have noticed that when using the built-in Windows XP SP2 802.1x supplicant and authentication fails, the Windows supplicant does not like this Cisco simulated EAP-Success message and drops the packet, therefore never re-initiating the DHCP process.
  I have attached the Microsoft supplicant log indicating the dropped EAP-Success.
  We are using catalyst 3750 with IOS 12.2(25)SEE. We have also tried release 12.2(35)xxx but issue persists.
  Your suggestions would be appreciated.
  Thank You,
  ET

  An EAP-Failure is by design. This occurs on all failures. The session fails rather normally. After the third (default but configurable) successive failure, the port is conditionally enabled (and placed in the auth-fail-vlan) even though 1X is configured and operating.
  At this point, it's up to the supplicant to access the network if it wants to, since the port has been enabled. Without the notion of a controlled port on a supplicant, there's no reason it shouldn't try and access the network ;-).
  Once a workstation is authorized on the network, and then subsequently fails for whatever reason, and put on the auth-fail vlan then it's also up to the machine to renew it's IP if it needs to. Optionally, you can configure the auth-fail-vlan to be the same as your default vlan. I guess it's worth pointing out, that you'd have this problem without 802.1X (changing VLANs on the fly for example). Some supplicants can deal with this though.
  If an EAPOL-Logoff does not come from a supplicant (and it doesn't by default with Windows-XP) then there's nothing to get the port out of the Auth-Fail-VLAN either (short of link down). You can configure this through registry though. So the answer to your earlier question was no .. it shouldn't.
  I'm not sure I understand the "IB" and "OOB" references here though.
  Hope this helps,

• Anyone rolled out 802.1x supplicant in a large Microsoft AD environment?

  Morning all, anyone have any suggestions how I can rollout Microsoft's native 802.1x supplicant to a large number of PC's.  I've got ISE and serveral different versions of Windows (xp, 7) working in a lab, but not being a Microsoft AD guy I'm kind of clueless how to pull this off.  Can it been done via a group policy?  If so has anyone got a good document how to pull this off? 

  It is really simple, you can follow the guide here in the technet kb:
  http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/7220c686-e033-4903-b40e-bf3b7e581d05
  There are other threads that can show you how to do this on the wireless side as well. Make sure the AD guys set the correct eap types (peap or eap-tls) and you should be good to go.
  Tarik Admani
  *Please rate helpful posts*

• Native Supplicant "NAK requesting to use PEAP instead"

  Hello,
  We have a Cisco ISE infrastructure in place and we're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the native Windows supplicant to use EAP only?
  "Microsoft: Smart Card or other certificate" is selected under network authentication method, by group policy, and I thought that wouldn't allow PEAP, but our ISE logs show "NAK requesting to use PEAP instead", after which authorization
  fails because we're not using PEAP.
  For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or
  a supplicant problem, but I'm leaning towards supplicant.
  Thanks,
  Andrew

  Hi,
  About this issue, please contact Cisco Tech Support for help.
  Karen Hu
  TechNet Community Support
  I've already been in contact with them and they've verified our configuration. All that can be done on the Cisco side is to "propose" the client to go through EAP-TLS as the first option, which we are doing. This will not block any clients trying to connect
  using other protocols, and, though this will propose EAP-TLS, there is now way to enforce it at the supplicant level. This will be a client decision always. From Cisco: 
  Please monitor this after the  change we applied,   but if the issue persists,   since we are dealing with windows supplicant,   it would be a good idea to involve the native supplicant support.

• ISE problem with EAP-TLS Supplicant Provisioning

  Hi All,
  I have a demo built using ISE v1.1.3 patch 1 and a WLC using v7.4.100.0 software.  The aim of the demo is to provision a device's supplicant with an EAP-TLS Certificate...  'device on-boarding'
  The entire CWA / Device Registration process is all fine and works well.  I'm using a publically signed Cert on ISE that is built from [Root CA + Intermediate CA + Host Cert] which is used for both HTTPS and EAP and I also have SCEP operating against my Win 2k8 Enterprise Edition CA that is part of my Active Directory.  All of this works fine.
  The problem is that when ISE pushes the WLAN config down to the device, it instructs the Client to check for the Root CA, but the RADIUS processes within ISE are bound to the Intermediate CA.  This leads to a problem where the Client doesn't trust the Certificate presented to it from ISE.  There doesn't seem to be any way to configure this behaviour within ISE.
  Has anybody else encountered this? Know a solution? Have suggestions for a workaround?
  Cheers,
  Richard
  PS - Also using WinSPWizard 1.0.0.28

  Hi Richard,
  This is a misbehavior that ISE is provisioning the intermediate CA certificate during the BYOD registration process in similar (hierarchical certificate authority) scenarios. It is going to be fixed soon. Engineering is almost ready with the fix.
  Istvan Segyik
  Systems Engineer
  Global Virtual Engineering
  WW Partner Organization
  Cisco Systems, Inc
  Email: [email protected]
  Work: +36 1 2254604
  Monday - Friday, 8:30 am-17:30 pm - UTC+1 (CET)

• MAC OS X unable to download Cisco ISE supplicant agent

  Hi,
  I have a problem with MAC OS X clients unable to download the Cisco ISE supplicant agent using Safari browser but able to login on the ISE guest portal. If the same client was to login to the ISE guest portal using Firefox; it has no issues downloading the ise supplicant and posture agent.
  I have tried to update the Java version on the client to the latest; however it does not resolve the issue. As I am new to MAC OS clients; I was wondering what may be the cause of the issue?
  I have summarized the issue as follows:
  1. MAC OS X 10.8 with safari 6 -- unable to download agent but can login successfully on the Cisco ISE guest portal
  2. MAC OS X 10.8 with Firefox -- able to login to Cisco ISE guest portal and download agents; no issues
  3. MAC OS X 10.7 with safari and firefox ---  unable to download agent but can login successfully on the Cisco ISE guest portal
  4. Windows XP & Windows 7 & Iphone/Ipad/Android -- able to login/download agent without any issues
  Any suggestions is appreciated.
  Thanks.

  For Agent Download Issues on Client Machine
  • Ensure that a client provisioning policy exists in Cisco ISE. If yes, verify the
  policy identity group, conditions, and type of agent(s) defined in the policy.
  (Also ensure whether or not there is any agent profile configured under Policy >
  Policy Elements > Results > Client Provisioning > Resources > Add > ISE
  Posture Agent Profile, even a profile with all default values.)
  • Try reauthenticating the client machine by bouncing the port on the access
  switch.
  Remember that the client provisioning agent installer download requires the following:
  • The user must allow the ActiveX installer in the browser session the first time an agent is installed
  on the client machine. (The client provisioning download page prompts for this.)
  • The client machine must have Internet access.
  Client Machine Operating Systems and Agent Support in Cisco ISE
  Check the following link
  http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp95449

• ISE 1.1.1 Android supplicant

  Hi Folks,
  I'm giving ISE 1.1.1 a go in the lab before I deploy it into our live wireless and I've hit a problem with the Android supplicant. I've finally gotten iOS to register and obtain the wireless profile, but when we try with an Android, the device registers and we download the supplicant software from the Google Play (so far so good) but once the software opens it starts the provisioning process and returns 'unable to locate server'. Looking at the registration flow, it would appear that its unable to relocate the ISE. Is there anything that I've missed? Our provisioning ACL on the WLC allows full access to the ISE, any DNS and any port 5228 (google play).
  Any help would be amazing as its starting to drive me a bit crazy!
  Thanks
  Kev
  Sent from Cisco Technical Support iPad App

  Can you check your DNS again, try to access the Play Store from any Laptop browser.
  May be your DNS cannot solve the Play Store either the DNS forwarder is not set properly.
  DNS is very important for Identity Service Engine.
  Cheers,
  Pongsatorn M.

• Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

  Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication?  I have an authorization profile that permits the user login only after machine 'WasAuthenticated'.  I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication.  Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot.  Surely this isn't right.  What if a user logs on without any connection with cached credentials and then wants to use wireless?  Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states?  I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
  Regards,
  Scott

  Microsoft will send both and only cares if one passes. This is the same with radius. ACS and ISE allows you to check to see if the user was authenticated which happens initially on boot. After the initial machine auth, the windows machine will only send user creds. The was machine auth is a workaround to be able to do both. The issue is that when the timeout of the machine creds happen, the devices has to be rebooted. In Cisco Live 2012, they even suggested you don't do this due to not knowing when the cached credentials ACS or ISE will keep this info.
  Sent from Cisco Technical Support iPhone App

• BOYD ISE Native Supplicant Windows 7

  Connects to BYOD-SSID
  and go through the process, including self registration
  once everything is done, my windows machine does not automatically selects certificate (TLS) for authentication
  maunally need to go under proprites and select certificate and then it authenticates.
  I though this all should be automatic!!!

  Are there multiple certificates installed on the client OS at the time of onboarding? Also are you running the latest supplicant provisioning wizard for windows on your ise deployment?
  Thanks,
  Tarik Admani
  *Please rate helpful posts*