Cisco ISE - eap-peap and eap-tls

Similar Messages

• EAP-PEAP and EAP-TLS on same switched network

  Hello,
  I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
  The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
  I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
  Thanks,
  Guy

  You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
  Good Luck,
  --Jean Paul

• PEAP and EAP-TLS on ACU?

  Hi,
  Does Cisco have any plan to support PEAP and EAP-TLS in the next release version of ACU?
  Thank you.
  Regards,
  Delon

  As far as I know, there is no such plan as of now.

• No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?

  Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router?  I am replacing with an Asus router.
  thanks,
  KG

  Hi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.

• E61i, Acces point config with WPA2, EAP-PEAP and ...

  How can you activate the AES encryption on a Nokia E61i.
  I'm running the 1.0633.62.05 firmware.
  In documentation I've found there is mentioned I need to disable the TKIP encryption but this option is not available
   Select “WLAN security sett.”
  • In “WPA mode” choose EAP
  ● In “TKIP encryption” choose Not allowed (thus enabling AES encryption)
   Disable everything except EAP-PEAP
   Highlight EAP-PEAP
  • Choose “EAP plug-in settings”le
  They mention firmware above 2.xxx but this one is not available
  Any hints ?

  Hey all, It seems I have the same problem!!! I don't know whats the problem. I asked the guys in IT support in my school about this problem and they told me that the phone has to support PEAP-Enterprise in order to be able to connect.. I don't know what does that mean but if anyone guys can help here, it will be soooo respected!! I am using the new firmware ,by the way. TKIP is not exist in the connection settings anywhere!!! and the message is exactly "Unable to Connect. WPA authentication failed" .... help help pleaseeeeeeeeeeeeeeeee

• Other LEAP upgrade options besides PEAP and EAP-FAST?

  Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
  Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?

  A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
  TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
  Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
  You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
  If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
  There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
  Good Luck
  Scott

• I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

  I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
  SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

  I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
  Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
  Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
  I hope this helps.
  Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
  Charles Moreton

• Cisco ISE for 802.1x (EAP-TLS)

  I work for a banking organization and security is an area that needs to be improved continuously. I am planning on implementing Cisco ISE for 802.1x together with a Microsoft PKI for certificate issuing and signing.
  I am currently trying to implement this in our test environment and I have managed to do a few basic bootstrapping tasks. I need someone to push me into the right direction as to how I can achieve what i am seeking.
  I will use Cisco 2900 series switches on the access layer and a few HP switches as well which supports 802.1x.
  I want to configure the ISE to process authentication requests using 802.1x EAP-TLS (Certificate Based). All the workstations on the domain needs to authenticate itself using the certificates issued to it by the Certificate Issuing Authority.
  I have already managed to get the PKI working and have rolled out the certificates on all the workstations on the test environment. I can't seem to configure the Authentication portion on the ISE.
  I request if someone can guide me or direct me to materials that can help achieve the above requirements. The guides available on the Cisco website are  overwhelming and I can't seem to figure out how I am supposed to configure the authentication portion.
  My email: [email protected]
  Cheers,
  Krishil Reddy

  Hello Mubashir,
  Many timers can be modified as  needed in a deployment. Unless you are experiencing a specific problem  where adjusting the timer may correct unwanted behavior, it is  recommended to leave all timers at their default values except for the  802.1X transmit timer (tx-period).
  The tx-period timer defaults to a value of 30 seconds.  Leaving this value at 30 seconds provides a default wait of 90 seconds  (3 x tx-period) before a switchport will begin the next method of  authentication, and begin the MAB process for non-authenticating  devices.
  Based on numerous deployments, the best-practice  recommendation is to set the tx-period value to 10 seconds to provide  the optimal time for MAB devices. Setting the value below 10 seconds may  result in the port moving to MAC authentication bypass too quickly.
  Configure the tx-period timer.
  C3750X(config-if-range)#dot1x timeout tx-period 10

• Cisco ISE 1.2 and AD Group

  Hello,
  I have Cisco ISE installed on my EXSi server for my test pilot. I have added several AD groups to ISE as well.
  I have created an Authorization policy condition, which is WIRELESS_DOT1X_USERS (see screenshot)
  Basically, I just duplicated the default Wireless_802.1X and added Network Access:EapAuthentication, Equals, EAP-TLS.
  My problem is, I was unable to join the wireless network if I added my AD group to the Authorization policy (see screenshot). The user that I have is a member of WLAN-USERS. If I removed the AD group from the Authorization policy, the use is able to join the wireless network.
  I attached the ISE logs screenshot as well. I checked the ISE, AD/NPS, WLC, laptop time and date, and they are all in synched.
  I also have the WLC added as NPS client on my network.
  I checked the AD log and what I found was the WLCs local management user trying to authenticate. It is supposed to be my wireless user credential not the WLC.
  This is the log that I got from the AD/NPS
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:                              NULL SID
  Account Name:                              admin
  Account Domain:                              AAENG
  Fully Qualified Account Name:          AAENG\admin
  Client Machine:
  Security ID:                              NULL SID
  Account Name:                              -
  Fully Qualified Account Name:          -
  OS-Version:                              -
  Called Station Identifier:                    -
  Calling Station Identifier:                    -
  NAS:
  NAS IPv4 Address:                    172.28.255.42
  NAS IPv6 Address:                    -
  NAS Identifier:                              RK3W5508-01
  NAS Port-Type:                              -
  NAS Port:                              -
  RADIUS Client:
  Client Friendly Name:                    RK3W5508-01
  Client IP Address:                              172.28.255.42
  Authentication Details:
  Connection Request Policy Name:          Use Windows authentication for all users
  Network Policy Name:                    -
  Authentication Provider:                    Windows
  Authentication Server:                    WIN-RSTMIMB7F45.aaeng.local
  Authentication Type:                    PAP
  EAP Type:                              -
  Account Session Identifier:                    -
  Logging Results:                              Accounting information was written to the local log file.
  Reason Code:                              16
  Reason:                                        Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

  Thank you Tarik,
  I got my AD group working. What I did, I checked the user's certificate that is installed on the laptop then modified the ISE certificate authentication profile to "Subject Alternative Name". I had the ISE set to common name when I was having an issue.
  I forgot to mentioned that I have to servers in my ISE test pilot. I have AD with NPS, and CA. These servers are Windows 2008 R2.
  I am a little confuse about the attribute in certificate template you have mentioned. Is that located at Certificate Authority/server-name/Certificate Templates/Users? I am not sure where to look for that attribute on the CA server.

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• Cisco ISE posture assesment and client provisioning

  Hello,
  I have Cisco ISE and Cisco IOS device. I have configured RADIUS in between these device.
  Also I have configured RADIUSbetween Cisco ISE and Cisco ASA. Now I want to know that how to do posture assesment for these devices(Cisco ISE and Cisco ASA or Cisco ISE and Cisco IOS). Please give me whole steps to do posture assesment for cisco ios device in Cisco ise.
  Also, please provide me logs related to posture assesment and client provisioning.
  Thanks in advance.

  You may go through the below listed link to download a PDF link
  Posture assessment with ISE.
  http://www.cisco.com/web/CZ/expo2012/pdf/T_SECA4_ISE_Posture_Gorgy_Acs.pdf
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco ISE 1.1 and IE9

  Is anyone else having problems with ISE admin/monitoring pages not working properly under IE9?  I just completed an upgrade to ISE 1.1, and it seems more and more, when I try to manage the system with IE9, I will get the following error (host name changed to protect the inocent). I dont know if this is truly an IE9 issue, or the chrome plug-in we are forced to use.  Works perfect under Firefox 11.0.
  This webpage is not available
  The webpage at https://iseserver.domain.com/mnt/pages/dashboard/dashboard.jsp?mnt_config_write=true&token=BEGIN_TOKENXspmm4x5AwFsV6NExIBAVA==END_TOKEN might be temporarily down or it may have moved permanently to a new web address.
  Error 103 (net::ERR_CONNECTION_ABORTED): Unknown error.

  Supported Administrative User Interface Browsers
  You can access the Cisco ISE administrative  user interface using the following browsers:
  •Mozilla Firefox 3.6 (applicable for  Windows, Mac OS X, and Linux-based operating systems)
  •Mozilla FireFox 9 (applicable for Windows,  Mac OS X, and Linux-based operating systems)
  •Windows Internet Explorer 8
  •Windows Internet Explorer 9 (in Internet  Explorer 8 compatibility mode)
  Cisco ISE GUI is not supported on  Internet Explorer version 8 running in Internet Explorer 7 compatibility mode.  For a collection of known issues regarding Windows Internet Explorer 8, see the  "Known Issues" section of the Release Notes for the Cisco Identity Services  Engine, Release 1.1.

• Cisco ISE with TACACS+ and RADIUS both?

  Hello,
  I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
  Bob

  Hello Robert,
  I believe NO, they both won't work together as both TACACS and Radius are different technologies.
  It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
  For your reference, I am sharing the link for the difference between TACACS and Radius.
  http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
  Moreover, Please review the information as well.
  Compare TACACS+ and RADIUS
  These sections compare several features of TACACS+ and RADIUS.
  UDP and TCP
  RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a
  TCP transport offers:
  TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
  TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
  Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
  TCP is more scalable and adapts to growing, as well as congested, networks.
  Packet Encryption
  RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
  TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
  Authentication and Authorization
  RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
  TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
  During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
  Multiprotocol Support
  RADIUS does not support these protocols:
  AppleTalk Remote Access (ARA) protocol
  NetBIOS Frame Protocol Control protocol
  Novell Asynchronous Services Interface (NASI)
  X.25 PAD connection
  TACACS+ offers multiprotocol support.
  Router Management
  RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
  TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
  Interoperability
  Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
  Traffic
  Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).

• Cisco ISE: Dot1x failing and MAB succeeded (Intermittent) /or Posture Delay

  Hi,
  We are running the cisco ise 1.1.3 and configured for the Dot1x and MAB authentications. PC's are getting access through MAB while Dot1x failing again and again. But, sometime, same PC is getting authenticating  via Dot1x. Connectivity is intermittent. Also, sometimes, stucks longer in Posture
  We have three different switches at the moment with the latest IOS version.
  1) WS-C4507R-E    =  15.1(2)SG,
  2) WS-C3560-48PS = 12.2(55)SE7
  3) WS-C3750X-24P = 15.0(2)SE1
  Could you anyone pitch the idea? or advise about the latest IOS for the switches.
  Let me know, if you need more information.
  Thanks,
  Regards,
  Mubahser

  It seems your PCs are failing dot1x and also failing MAB authentication, the switch by default will start the process again and will again fail dot1x and MAB authentication, and so on.
  It will be helpful to see the logs from both the switch and the radius servers (i take it is ACS or ISE). Also the configuration of the radius server.

• ISE 1.2 and EAP-MD5

  Hi,
  I have HP procurve switches that need to get authenticated with EAP-MD5 but I cant get it to work in ISE 1.2 with patch 2.
  We have tried all combination for EAP-MD5 in allowed protocols but get the same message when trying to authenticate.
  The ISE deployemnt do not run in FIPS-140 2 mode.
  And when using the switch with NPS we get this to work, so switch configuration is ok.
  Failure Reason:  12003 Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols
  Resolution: Ensure that the EAP-MD5 protocol is allowed by ISE in Allowed Protocols.
  Root cause :The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-MD5 instead. However, EAP-MD5 is not allowed in Allowed Protocols.
  Any thoughts on this?
  Cheers

  Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols
  Select EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.
  Save the Allowed Protocol service.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**