Apple macosx machine authentication with ISE using EAP-TLS

Similar Messages

• L2TP/IPSec with PIX using EAP-TLS

  Hi,
  i have big problems with using my PIX515 (SW 7.2.1) for L2TP/IPSec VPN-Connections using EAP-TLS. With the option EAP-Proxy activated on PIX a RADIUS Access-Request Message reaches the configured RADIUS-SERVER (IAS2003), but the request is rejected by Radius. I did inspection of the packets with a sniffer and see following strange behavior:
  - There is a Tunnel-Client-Endpoint AVP with no value and, even stranger, an existing AVP titled User-Password with an encrypted value.
  I dont understand where the encrypted Password comes from in the first RADIUS Access-Request message received from the PIX, since the authentication method should be certificate-based (EAP-TLS). And I dont know either if the Tunnel-Client-Endpoint MUST be present in the message. Fact is the RADIUS responds with an Access-Reject Message.
  The other AVPs in the request seem to be OK, and there is an existend AVP titled EAP-Message (79) that seems alright...
  Other detail: In the event log on the IAS the request is logged as Type "PAP" (and not EAP as it should be!) and the log tells me about a problem with wrong username/password.
  Tested the same client and Radius configuration using a RRAS-Server from Microsoft instead of the PIX and it worked fine! Could this be a bug of the Pix EAP-Proxy function?
  EAP-Proxy should pass all EAP packets unmodified to the Radius, right? This seems not to be the case. Comparing the RADIUS Access-Request Message received from the Pix (which fails) with the RADIUS Access-Request Message received from the RRAS-Server (which successes) shows significant differences.
  Every help appreciated. Please ask me for further infos if needed or if you would like me to post the Packet Capture file (Ethereal format)/Configuration information.
  Thank you very much!!
  Best regards,
  Matthias

  The Cisco Secure PIX Firewall Software Release 6.0 supports VPN connections from the Cisco VPN Client 3.5 for Windows.Refer the following URL for more information
  http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml#configuringthepixfirewall

• Is roaming transparent to users when authenticating with LEAP or EAP-TLS?

  We are planning the installation of a number of Access Points with LEAP authentication to ACS. We want to know upfront whether the users have to reautenticate everytime they roam from one Access Point to another. Is it the same with EAP-TLS or EAP-TTLS?

  Your users will have to re-authenticate to each AP but it happens automaticaly throught the client. IF all of your APs are on the same segment/subnet you shouldn't have a problem.

• Machine authentication with Windows 7

  Version: ISE 1.2p12
  Hello,
  I'm doing user and machine authentication with ISE.
  I use a first authorization rule to authenticate the machine against the AD. If it's part computers of the domain.
  Then I use an authorization rule to check if the user's group in AD with the credential he used to open the session + "Network Access:WasMachineAuthenticated = True"
  Things seems to be working and I see my switch port is "Authz Success" but shortly after the Windows 7 machine is behaving like 802.1X authentication fails. The little computer on the bottom right has a cross on it.
  If I disable and enable again the network card of that windows machine it works.
  Does any one of you have an idea about this problem ? something to tweak on Windows 7 like timers...
  Thank you

  Hi Mika. My comments below:
  a) You told me that MAR ("Network Access:WasMachineAuthenticated = True") has some drawbacks. When hibernation is used it can cause problems since the MAC address could have been removed from the cache when the user un-hibernate its computer. Then why not increasing the MAR cache to a value of 7 days then ? Regarding the roaming between wire and wireless it's a problem indeed.
  NS: I don't believe that the MAR cache would be affected by a machine hibernating or going to sleep. There are some dot1x related bug fixes that Massimo outlined in his first pos that you should look into. But yes, you can increase the MAR timer to a value that fits your environent
  b) You suggest to use one authorization rule for the device which should be part of the AD and one authorization rule for the user with the extra result "IdentityAccessRestricted = False". By the was, are we really talking about authorization rules here ? I will try this but it's difficult for me to imagine how it would really work.
  NS: Perhaps there is some confusion here but let me try to explain this again. The "IdentityAccessRestricted" is a check that can be done against a machine or a user account in AD. It is an optional attribute and you don't have to have it. I use it so I can prevent terminated users from gaining access to the network by simply disabling their AD account. Again, that account can be either for a "user" or for a "machine"
  z) One question I was asking myself for a long time. All of us want to do machine+user authentication but Windows write Machine OR User Authentication. This "OR" is very confusing.
  NS: At the moment, the only way you can accomplish a true machine+user authentication is to use the Cisco AnyConnect supplicant. The process is also known as "EAP-Chaining" and/or "EAP-TEAP." In fact there is an official RFC (RFC 7170 - See link below). Now the question is when and if Microsoft, Apple, Linux, etc will start supporting it:
  https://tools.ietf.org/html/rfc7170
  Thank you for rating helpful posts!

• AD Machine Authentication with Cisco ISE problem

  Hi Experts,
  I am new with ISE, I have configured ISE & Domain computers for PEAP authentication. initially machine gets authenticated and then starts going MAB.
  Authentication policy:
  Allowed protocol = PEAP & TLS
  Authorization Policy:
  Condition for computer to be checked in external identity store (AD) = Permit access
  Condition for users to be checked in external identity store (AD) plus WasMachineAuthenticated = permit access
  All of the above policies do match and download the ACL from ISE but computer starts to mab authentication again...
  Switchport configuration:
  ===============================================
  ip access-list extended ACL-DEFAULT
  remark Allow DHCP
  permit udp any eq bootpc any eq bootps
  remark Allow DNS
  permit udp any any eq domain
  permit ip any host (AD)
  permit icmp any any
  permit ip any host (ISE-1)
  permit ip any host  (ISE-2)
  permit udp any host (CUCM-1) eq tftp
  permit udp any host (CUCM-2)eq tftp
  deny ip any any
  ===============================================
  switchport config
  ===============================================
  Switchport Access vlan 10
  switchport mode access
  switchport voice vlan 20
  ip access-group ACL-DEFAULT in
  authentication open
  authentication event fail action next-method
  authentication event server dead action authorize vlan 1
  authentication event server alive action reinitialize
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication timer inactivity 180
  authentication violation restrict
  mab
  dot1x pae authenticator
  dot1x timeout tx-period 100
  ====================================================
  One more problem about the "authentication open" and default ACL. Once the authentication succeeds and per user is ACL pushed though ISE to the switch. The default ACL still blocks communication on this switchprort.
  Your help will highly appreciated.
  Regards,

  You need to watch the switch during an authentication, see if the machine is passing authentication and the user may be failing authentication causing the switch to fail to mab.  If your switch configuration is on auth failure continue to next method, then this makes sense.  The question is why is the user failing auth but the machine is passing, could be something in the policy.  Make sure your AD setup has machine authentciation checked or it may not tie the machine and user auth together and the user may be failing because ISE can't make that relationship so the machinewasauth=true is not beeing matched.  Easy way to check is remove that rule from your policy and see if the same thing happens.
  I've also seen this happen when clients want to use EAP-TLS on the wired, machines passes auth, then the user logs into a machine for the first time.  The user auth kicks off before the user gets a cert and fails auth with a null certificate, since this is a auth failure the switchport kicks over to MAB.
  I don't think wasmachineauth=true is that great, I prefer to use EAP-FASTv2 using Cisco Anyconnect NAM with eap-chaining.  This is great because you can do two part authentication.  EAP-FAST outer with EAP-TLS inner for the machine auth, and MSCHAPv2 for the inner of the user auth. You get your EAP-TLS auth for the machine and don't have to worry about a user logging into a machine for the first time and switching to MAB because the user doesn't have a cert yet.  I also do my rule to say if machine pass and user fail, then workstaion policy, if machine and user pass then corp policy.

• Machine Authentication with PEAP on Wireless with ISE1.2

  Hi All,
  We are facing issues while doing machine authentication in ISE1.2 with wireless PEAP authentication. Without machine authentication normal PEAP works very fine but as soon as we enable machine authentication and create policy for machine authentication and in user authentication policy we put condition "was machine authenticated" then it works for some machine properly but does not work for other machines. Its totally random behaviour sometime it stopped working for machines which were authenticated before.
  I just want to know if I m missing some configuration or its a bug in ISE. Can some body share step by step configuration for machine authentication with PEAP.
  Really It would be a great help.
  Thanks
  Ninja

  Did you Apply service pactch 4?
  Sent from Cisco Technical Support iPhone App

• IBNS with two groups of XP Machines, one PEAP-MSCHAPv2 & one EAP-TLS

  Hello,
  I'm planning to implement a IBNS network. We have two groups of XP Machines. One group has machine certs and we're planning to check their certs using EAP-TLS. The second group of machines is managed by other departments, each having their own Active Directory, and configured with PEAP-MSCHAPv2. I'm not very familiar with this kind of setup, so hints are highly appreciated.
  1. Can I assume that, when properly configured, we can differentiate the authorizations per group (for exemple, at least two VLANs one for group 1 and another one for group 2 - I must at least seggregate the users per group and can't mix them in the same environment, since they belong two different departments).
  2. For the first group, no big issue. I can check against my central AD. For the users of the second group, since they can come from different departments, each having its own AD, can I differentiate them, by any means, to know which AD I'll have to query? Or do I have to query only one single AD? Is it required that all the users of group 2 belong to the same domain?
  Thanks in advance for your help.

  Hello,
  I'm planning to implement a IBNS network. We have two groups of XP Machines. One group has machine certs and we're planning to check their certs using EAP-TLS. The second group of machines is managed by other departments, each having their own Active Directory, and configured with PEAP-MSCHAPv2. I'm not very familiar with this kind of setup, so hints are highly appreciated.
  1. Can I assume that, when properly configured, we can differentiate the authorizations per group (for exemple, at least two VLANs one for group 1 and another one for group 2 - I must at least seggregate the users per group and can't mix them in the same environment, since they belong two different departments).
  2. For the first group, no big issue. I can check against my central AD. For the users of the second group, since they can come from different departments, each having its own AD, can I differentiate them, by any means, to know which AD I'll have to query? Or do I have to query only one single AD? Is it required that all the users of group 2 belong to the same domain?
  Thanks in advance for your help.

• ISE and EAP-TLS

  Hi
  We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
  22045  Identity policy result is configured for password based authentication  methods but received certificate based authentication request
  I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
  EAP-TLS is enabled in  the 'Default Network Access' authentication result.
  Can anyone shine a light on where I'm going wrong?
  Thanks
  Martin

  Martin,
  Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:
  http://support.microsoft.com/kb/814394
  Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:
  The IAS or the VPN server computer certificate is configured with the  Server Authentication purpose. The object identifier for Server  Authentication is 1.3.6.1.5.5.7.3.1.
  Here is the Cisco eap-tls deployment guide which references the same as above:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Cisco ACS with External DB - EAP-TLS

  Hi Guys,
  I understand how the EAP-TLS exchange works (I think), but If I have a client (wireless or wired) that is using EAP-TLS with an ACS, can I confirm the following.
  Let say both user and computer certs are employed:
  1. Both Client and ACS perform check with each others certs to ensure they are know to each other. The eap-tls exchange.
  2a. At some stage and I am assuming before the eap-tls success message is sent back to the client, the ACS has to check if either the username or computer name is in the AD database?
  2b. Wot is the paramater that is checked against the AD database?
  I read here that it can be : http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/peap_tls.html#wp999517
  Client Certificates
  Client Certificates are used to positively identify the user in EAP-TLS. They have no role in building the TLS tunnel and are not used for encryption. Positive identification is accomplished by one of three means:
  CN (or Name)Comparison-Compares the CN in the certificate with the username in the database. More information on this comparison type is included in the description of the Subject field of the certificate.
  SAN Comparison-Compares the SAN in the certificate with the username in the database. This is only supported as of ACS 3.2. More information on this comparison type is included in the description of the Subject Alternative Name field of the certificate.
  Binary Comparison-Compares the certificate with a binary copy of the certificate stored in the database (only AD and LDAP can do this). If you use certificate binary comparison, you must store the user certificate in a binary format. Also, for generic LDAP and Active Directory, the attribute that stores the certificate must be the standard LDAP attribute named "usercertificate".
  3. With the above, if options 1 or 2 are used (CN or SAN comparison), I assume this is just a check between a value pulled out of the CERT by the ACS and checked with AD, is that correct? With option 3, does the ACS perform a full compaison of the certificate between what the client has and a "client stored cert" on the AD DB?
  Please can someone help me with these points.
  I am so lost in this stuff :)) I think.
  Many thx and many kind regards,
  Ken

  only TLS *handshake* is completed/succcessful, but because user authentication fails,
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client key exchange A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read certificate verify A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write change cipher spec A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 write finished A
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 flush data
  CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSL negotiation finished successfully
  EAP: EAP-TLS: Handshake succeeded
  EAP: EAP-TLS: Authenticated handshake
  EAP: EAP-TLS: Using CN from certificate as identity for authentication
  EAP: EAP state: action = authenticate, username = 'jatin', user identity = 'jatin'
  pvAuthenticateUser: authenticate 'jatin' against CSDB
  pvCopySession: setting session group ID to 0.
  pvCheckUnknownUserPolicy: session group ID is 0, calling pvAuthenticateUser.
  pvAuthenticateUser: authenticate 'jatin' against Windows Database
  External DB [NTAuthenDLL.dll]: Creating Domain cache
  External DB [NTAuthenDLL.dll]: Loading Domain Cache
  External DB [NTAuthenDLL.dll]: No UPN Suffixes Found
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust dwacs.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust enigma.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust acsteam.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Failed to get Domain Controller for trust vikram.com, [Error = 1355]
  External DB [NTAuthenDLL.dll]: Domain cache loaded
  External DB [NTAuthenDLL.dll]: Could not find user jatin [0x00005012]
  External DB [NTAuthenDLL.dll]: User jatin was not found
  pvCheckUnknownUserPolicy: setting session group ID to 0.
  Unknown User 'jatin' was not authenticated
  So the EAP-Failure(Radius Access-Reject( is sent, not EAP-Success(Radius Access-Accept).
  And any port/point wont be allowed to pass traffic unless the NAS device gets an EAP-Success(Radius Accept) for the user.
  HTH
  Regards,
  Prem

• Cisco 7921 - Does anyone Use EAP-TLS in their VoWLAN Deployments?

  Hi Guys,
  I am looking at making a technology decision, in regards to VoWLAN and authentication.
  For our Data Deployment, we use EAP-TLS with a PKI infrastructure and ACS. The ACS passes fields from the certs to AD for verification.
  Can I do exactly the same for the Voice Deployment?
  Has anyone used EAP-TLS with Voice? Are there any problems? Or should I just go ahead and get some certs minted for the phones, setup some AD accounts and whey hey, its time to party?
  Many thx indeed,
  Ken

  Hi Michael,
  So looking at the deployment guide, this is worded (imho) in a confusing manor? Sorry.
  CCKM is listed under authentication, where i though CCKM is an authentication "key managment" protocol?
  It also says 802.1x authentication with AES encrytion, under the authentication heading?
  It says eap-tls, should this not say 802.1x eap-tls or collapse this with the 802.1x authentication?
  ahh, when it says 802.1x, does that mean 802.1x dynamic wep?
  Would it be correct to say, that I want to use 802.1x eap-tls with tkip and CCKM?
  Sorry, this hurts :)
  Thx,
  Ken
  Wireless Security
  When deploying a wireless LAN, you must provide security. The Cisco Unified Wireless IP Phone 7921G supports the following wireless security features.
  Authentication
  - Cisco Centralized Key Management (CCKM)
  - 802.11i (802.1x authentication + TKIP encryption)
  - 802.11i (802.1x authentication + AES encryption)
  - 802.11i (Pre-Shared key + TKIP encryption)
  - 802.11i (Pre-Shared key + AES encryption)
  - Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling (EAP-FAST)
  - Extensible Authentication Protocol - Transport Layer Security (EAP-TLS)
  - Protected Extensible Authentication Protocol (PEAP)
  - Lightweight Extensible Authentication Protocol (LEAP)
  - Open and Shared Key
  Encryption
  - Advanced Encryption Scheme (AES)
  - Temporal Key Integrity Protocol (TKIP) / Message Integrity Check (MIC)
  - 40-bit and 128-bit Wired Equivalent Protocol (WEP)
  Cisco Centralized Key Management (CCKM)
  When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time. TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• Machine and User authentication with ISE 1.2.1

  Hi ,
  Can any one tell me in machine authentication what access need to be enable DACL for machine logon?
  Can we enable the access on port level ? direct to tcp/udp or ip level what is the best practice.
  Thanks 
  Pranav

  is this what you are looking for EAP Chaining which uses a machine certificate or a machine username / password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf

• [ISE] EAP-chaining by using EAP-TLS internal authc for machine cert & user cert

  Hi Guys,
  I'm taking the EAP-chaining into our enterprise workspace authenticaiton, now i meet following issue:
  my anyconnect make the network xml profile which decide the method of  eap-fast authencation ,both  the machine authc & user authc are use the cert.
  Then i found that the client always knock the authoraztion policy about the machine authenticaiton(i set this policy result which is permit access), i believe the " EAP-fast result machine & user are passed " , even though its result using the dacl "permit all", but it doesn't knock the following policy.
  and about the result of  machine authentication , i set the "permit access" , is it too loose? but i check the instance and cisco document , everyone told me that this policy rusult " permit access".
  it would be appreciated that anyone can help this issue.
  lately i will upload my policy and live authencation pic catch. Thanks.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

• Apple & Windows 7 Authentication Methods Cisco 1242AP EAP

  Hi CSC Members,
  I'm pretty new to wireless (so go easy on me): My situation is I need to be able to provide secure wireless internet access to guests with BYODs. Namely Apple iPads, iPhones, Windows PCs and Apple Macs, without them being under my administrative control, namely I cannot add them to a domain or indeed do I want to be able to have to interact with the user and install Certificates on their machines.
  I'm looking for the 'best method' to achieve this, WPA2/AES with a PSK and MAC filtering was a suggestion but I don't really want to have to audit their MAC addresses. I'm just looking for a 'quick and dirty' secure username/password combination I'm guessing. I'm not using a WLC, just one or possibly a couple of 1242 Autonomous APs. I don't want to have to personally enter a PSK on their machines either as they can easily find this out and give the password to someone else, so I need to be able to change/add user accounts and user passwords centrally NOT on their devices.
  I have an example configuration below, using the Cisco 1242AP as a Local Radius WHICH WORKS for me on Apple iPads and iPhones, however I cannot for the life of me get it to work with a Windows 7 Laptop. I'm not even totally sure exactly what type of authentication I've configured (Help!!), but entering the username and password on an iDevice just works! Is it EAP-FAST? My Windows 7 client doesn't seem to support EAP-FAST, only Microsoft PEAP, which I "believe" requires a certificate or some kind of machine authentication. So I'm not sure how to access this wifi network I've created using a Windows machine. I'd prefer to use a Windows 2008 NPS Radius Server if at all possible but couldn't get it working with the 1242AP, hence I went for Local Radius as a starting point.
  1) Does anyone have a sensible suggestion as to what the best solution for my needs is? (I have access to a new Windows 2008 R2 Server)
  2) How do I configure a Windows 7 as well as an Apple machine to authenticate to the suggested 'best' method.
  3) I'd be really grateful if someone could clarify exactly what my configuration is using for Authentication.
  Thanking you in advance for your guidance and recommendations,
  Mike
  version 12.4
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Media_AP
  enable secret 5 $1$k3.3$QU/yBNYeOJM7BDxzRTq1g/
  aaa new-model
  aaa group server radius rad_local
  server 192.168.1.2 auth-port 1812 acct-port 1813
  aaa authentication login eap_local group rad_local
  aaa session-id common
  no ip dhcp use vrf connected
  ip dhcp excluded-address 192.168.1.1 192.168.1.10
  ip dhcp pool Media_DHCP_Pool
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.2
  dot11 syslog
  dot11 ssid MediaCafe
     authentication open eap eap_local
     authentication network-eap eap_local
     authentication key-management wpa version 2
     guest-mode
     infrastructure-ssid
  username Cisco password 7 13261E010803
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption mode ciphers aes-ccm
  ssid MediaCafe
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface Dot11Radio1
  no ip address
  no ip route-cache
  shutdown
  no dfs band block
  channel dfs
  station-role root
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  bridge-group 1 spanning-disabled
  interface FastEthernet0
  no ip address
  no ip route-cache
  duplex auto
  speed auto
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 192.168.1.2 255.255.255.0
  no ip route-cache
  ip http server
  no ip http secure-server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
  radius-server local
    no authentication mac
    nas 192.168.1.2 key 7 0505071C32444F1B1C010417081E013E
    user sky nthash 7 013150277A52525774146B5F492646375B2F277C7300716062734455335224000A
  radius-server host 192.168.1.2 auth-port 1812 acct-port 1813 key 7 11071816041A0A1E012E38212B213036
  bridge 1 route ip
  line con 0
  line vty 0 4
  end

  The best senerio for guest to to have an open SSID.  Autonomous AP's your sort of out of luck.  With the WLC you can incorporate a splash page.  That being said, you might want to look at some free hotspot software unless you want to pay for one.  Here are some free ones, but you can just search around.
  http://www.hotspotsystem.com/en/hotspot/free_hotspot_software.html
  http://www.antamedia.com/free-hotspot/
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Machine authentication with MAR and ACS - revisited

  I'm wondering if anyone else has overcame the issue I'm about to describe.
  The scenario:
  We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.
  We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.
  The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".
  The passed authentications log does successfully show the machines authenticating.
  The challege:
  We only want to permit users on our PEAP protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box - the currents standard corporate image).
  In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.
  In our environment (and I'm sure many others) - if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on - the machine maybe authenticating - but it is authenticating directly to the AD as our wired LAN is not using 802.1x or ACS radius.
  So the user maybe logged on and working on the network - and then choose to undock which activates the wireless.
  The problem then - the machine does NOT attempt to authenticate as a machine and only processes the user credentials - which get passed onto ACS vial the WLC - and when MAR is enabled with the No Access mapping for no machine auth - the user auth obviously fails.
  Has anyone seen / over come this ?
  Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

  Here's the only thing I could find on extending the schema (I'm not a schema expert):
  http://msdn.microsoft.com/en-us/library/ms676900%28VS.85%29.aspx
  If all of your clients are Windows machines, it's easier to stick with PEAP for machine auth, user auth, or both.  However, your RADIUS (ACS) server should have a certificate that the clients trust.  You can configure the clients to ignore the RADIUS server cert, but then your clients will trust any network that looks/works like yours.  Get a cert/certs for your RADIUS server(s).
  You can have PEAP and EAP-TLS configured on your ACS server without causing problems for your PEAP clients (be aware that most of my experience is with 4.1/4.2.  Earlier versions may not work the same way).  Your comment about what you're testing is confusing me.  Let's say you have (only) PEAP configured for machine auth on both the client and the ACS server (no user auth is configured on the client, or in ACS).  Your client will offer it's machine account AD credentials to the ACS server in order to authenticate to the network.  Those credentials will be validated against AD by your ACS server, and then the machine will get an IP address and connect to your network.  Once your machine is on the network, and a user tries to log on, then the user's AD credentials will be validated against AD (without any involvement of ACS).  You should not need PEAP and EAP-TLS together.  Both are used for the same purpose: 802.1X authentication for network access.  PEAP only uses AD to validate machine credentials (or user credentials), because you configured your ACS server to use AD as a user database for validating 802.1X credentials.  You could just have easily used PEAP on the client side, but told ACS to an LDAP connection to a Linux box with a user/machine database. Validating credentials for network access (802.1X) is not the same thing as authenticating to AD for server/printer/email/whatever access.  I wish I could explain this better...