Configure WLAN for user certificate authentication

I have a Windows CA and NPS (RADIUS server).
I want wireless clients/devices to authenticate to the WLAN and encrypt traffic using Active Directory user certificates (issued by the AD CA).
I have set up the WLAN as [WPA2][Auth(802.1X)], pointing to the RADIUS server (Windows NPS).
My test notebook PC has ca.cer and the user certificate installed in the Trusted Root and Personal stores, and the wireless profile is configured as "Microsoft: Smart Card or other certificate".
However, when I try to connect it fails, and Wireshark on the NPS shows no traffic on port 1812.
Could someone please help me look for anything wrong in the WLC settings?
Thanks.
GPING

Hi Scott,
My WLC settings: SSID-Test, WPA2 802.1X, AES, RADIUS server overwrite interface "ticked", Server1 - x.x.x.x port 1812,
Local EAP auth - Enabled and profile = "PEAP"
On my NPS I have 2 policies (only one of them enabled at a time for testing).
NPS Policy 1: Auth method = Microsoft PEAP -> "wireless server certificate", user group = "test users".
On Win7, I set up the wireless profile as WPA2-Enterprise, AES, auth method = "Microsoft PEAP" with ca.cer installed and ticked. When I click "connect", I get connected with the logged-in user's credentials.
NPS Policy 2: Auth method = "Microsoft Smart Card or other certificate" -> "wireless server certificate".
On Win7, I set up the wireless profile as WPA2-Enterprise, AES, auth method = "Microsoft Smart Card or other certificate", and chose "Use a certificate on this computer" (I have one user certificate installed in the Personal store). I also ticked "Validate server certificate" and ticked the installed ca.cer. When I click "connect" it fails.
I tried some other combinations, like TKIP instead of AES, but I got "The settings saved on this computer for the network do not match the requirements of the network" - really frustrating.
Could you please point out where I went wrong?
Thanks
GPING
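An added example, not part of GPING's post or of any WLC/NPS documentation: the Python below builds the RADIUS Access-Request that an authenticator sends to the RADIUS server on UDP/1812 when a supplicant starts EAP, and checks the two integrity fields involved (the Message-Authenticator that RFC 3579 requires on every EAP-carrying request, and the Response Authenticator of the server's reply, per RFC 2865). The shared secret, NAS address and identity are constructed sample values. Pointed at a lab NPS, `send_and_receive` returning `None` reproduces exactly the symptom in the thread (nothing answering on 1812), while an Access-Challenge (code 11) confirms the RADIUS path is fine and the fault lies in the EAP/certificate exchange.

```python
"""RADIUS Access-Request / response handling per RFC 2865 and RFC 3579.

Added example, not code from the original thread. The shared secret, NAS
address and user identity are constructed sample values."""
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type(1) Length(1) Value(<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity, the first EAP frame a supplicant sends (RFC 3748)."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def build_access_request(secret: bytes, identity: str, nas_ip: str, pkt_id: int = 0,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying EAP-Message. RFC 3579 3.2 requires a
    Message-Authenticator on every EAP request; servers discard it otherwise."""
    authenticator = authenticator or os.urandom(16)
    attrs = (avp(ATTR_USER_NAME, identity.encode())
             + avp(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + avp(ATTR_EAP_MESSAGE, eap_identity_response(pkt_id, identity)))
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs) + 18) + authenticator
    # HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    mac = hmac.new(secret, header + attrs + avp(ATTR_MSG_AUTH, bytes(16)), hashlib.md5).digest()
    return header + attrs + avp(ATTR_MSG_AUTH, mac)


def parse(packet: bytes) -> Dict[str, object]:
    """Split a packet into header fields and (type, value) attributes, checking lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, pkt_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return {"code": code, "id": pkt_id, "authenticator": packet[4:20], "attrs": attrs}


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC-MD5 with the attribute's own value zeroed (RFC 3579 3.2)."""
    parse(packet)  # validates structure before we walk it
    rebuilt, found, pos = bytearray(packet), None, 20
    while pos < len(packet):
        if packet[pos] == ATTR_MSG_AUTH and packet[pos + 1] == 18:
            found = packet[pos + 2:pos + 18]
            rebuilt[pos + 2:pos + 18] = bytes(16)
        pos += packet[pos + 1]
    if found is None:
        return False
    expected = hmac.new(secret, bytes(rebuilt), hashlib.md5).digest()
    return hmac.compare_digest(expected, found)


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)."""
    req = parse(request)
    header = struct.pack("!BBH", code, req["id"], 20 + len(attrs))
    return header + hashlib.md5(header + req["authenticator"] + attrs + secret).digest() + attrs


def verify_response_authenticator(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client side: proves the reply came from a server holding the shared secret."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_and_receive(packet: bytes, server: str, port: int = 1812, timeout: float = 3.0) -> Optional[bytes]:
    """Send to the server and return its reply, or None on timeout (a silent port 1812)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    req = build_access_request(secret, "CORP\\testuser", "192.0.2.10", pkt_id=7)
    print("Access-Request for UDP/1812:", req.hex())
    # Against a lab NPS, replace the address; an EAP-capable server answers with code 11:
    # reply = send_and_receive(req, "192.0.2.1")
```

Run it from the authenticator's network segment and capture on the NPS at the same time: if the packet is seen there but no Access-Challenge comes back, the RADIUS client entry or shared secret on NPS is the first thing to check.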

Similar Messages

  • Configuring Tomcat for form-based authentication - help badly needed

    Hi, I want to have form-based or some other way of authentication for the users coming to my site. I have access only to web.xml, but the Tomcat documentation says I need to change server.xml and tomcat-users.xml. Can I make these changes in web.xml to implement it, or please tell me a way out of this. I even tried jGuard, but it needs changes in the JVM, which is also not within my access.

    Hi,
    I'm a little confused. You wanted to know how to configure Tomcat for form-based authentication, and I sent you an article on how to do that. Is there something more you need from me? You had offered 10 duke dollars for this post, and if there is more I can do I will help for the remaining amount, but I can't help you get access to the Tomcat *.xml files.

  • Configuring WACS for AD Kerberos authentication in XI 3.1

    Hi,
    Installed WACS (Web Application Container Server) and am trying to configure the CMC hosted on it for AD Kerberos authentication in XI 3.1. Followed all the steps in the "XI 3.1 admin guide", but when trying to log in to the CMC using Kerberos authentication I get the error "Account Information Not Recognized: Active Directory failed to log you on..."
    Then installed Tomcat on the same machine and deployed InfoView and CMC on it. Able to log in to CMC and InfoView hosted on Tomcat using Kerberos authentication, but Kerberos authentication is still failing with WACS.
    Also enabled Kerberos logging for WACS by adding the command line parameters
    "-Dcrystal.enterprise.trace.configuration=verbose
    -Djcsi.kerberos.debug=true"
    But not getting anything useful from WebApplicationContainerServer_stdout.log.
    Could you please suggest how to proceed here.
    Regards,
    Saikrishna.

    Hi Tim,
    Yes. I did put the paths for krb5.ini and bscLogin.conf in the properties section of WACS.
    Tried deleting the WACS server (right click and "Delete" the server) -> created the server again from Home -> Servers -> Core Services -> Manage -> New -> New Server.
    But getting the same issue: able to log in to WACS with Enterprise authentication, but AD is failing. Anything else I may need to check?
    Regards,
    Saikrishna.

  • Configure IDocs for user management ack settings?

    1. The IDoc config doc says acknowledgments should not be requested, and to run IDX_NOALE. Why should we turn this off, and how do we do this?
    2. IDocs sent to IS should not be processed by the IDoc adapter; it advises inserting the relevant IDoc types into the exception table and executing report IDX_SELECT_IDOCTYP_WITHOUT_IS.
    Why do we need to configure this explicitly for each relevant IDoc type?
    thanks

    Hi Kumar,
    Receiver adapters that run on the Adapter Engine support system acknowledgments if they are requested by the sender. Acknowledgements are triggered when a message is successfully processed by the adapter or if an error occurs while it is being processed. Receiver adapters do not support application acknowledgments. The RNIF and CIDX adapters are exceptions to this rule, since they also support scenario-dependent application acknowledgments. Sender adapters of the Adapter Engine do not request any acknowledgments.
    This means the JDBC adapter only sends system acks; however, the IDoc adapter requests application acks. Therefore, as mentioned by the previous poster, you have to disable acks for this scenario using report IDX_NOALE.
    Also go through these documents for any further help:
    http://sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sap.km.cm.docs/library/xi/xi-how-to-guides/how to handle acknowledgments for idoc.pdf
    http://help.sap.com/saphelp_nw04/helpdata/en/6a/e6194119d8f323e10000000a155106/content.htm
    I hope this clears all your doubts.
    Regards,
    abhy
    PS: AWARD POINTS FOR HELPFUL ANSWERS.

  • Error while configuring WebGate for Simple mode authentication

    Trying to convert Open mode authentication to Simple mode. Followed the documentation.
    http://download.oracle.com/docs/cd/E12530_01/oam.1014/b32419/trnscrty.htm#BGBGEIFB
    Was able to get the Identity Server and Access Server configured. As in... got no error. When trying to change the WebGate to Simple mode I get the following error....
    Client authentication failed, please verify your WebGate ID.
    The command executed for one of the WebGates is below.... Any thoughts??
    ./start_configureWebGate -i /u01/app/oracle/product/10.1.4.2.2/OAM/webgate/access -t WebGate -R
    Please enter the Mode in which you want the Web Gate to run : 1(Open) 2(Simple) 3(Cert) : 2
    Please enter the Password for this Web Gate :
    Please note that the Global Access Protocol Pass phrase has to be the same across all Access Servers and Web Gates installed in Simple mode
    Please enter the Global Access Protocol Pass phrase :
    Preparing to generate certificate. This may take up to 60 seconds. Please wait.
    Generating a 1024 bit RSA private key
    ........................++++++
    .......................................++++++
    writing new private key to '/u01/app/oracle/product/10.1.4.2.2/OAM/webgate/access/oblix/config/simple/aaa_key.pem'
    writing RSA key
    Using configuration from /u01/app/oracle/product/10.1.4.2.2/OAM/webgate/access/oblix/tools/openssl/openssl_silent.cnf
    DEBUG[load_index]: unique_subject = "yes"
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName :PRINTABLE:'US'
    stateOrProvinceName :PRINTABLE:'Some-State'
    localityName :PRINTABLE:'Locality Name'
    organizationName :PRINTABLE:'Some-Organization Pty Ltd'
    organizationalUnitName:PRINTABLE:'production'
    commonName :PRINTABLE:'hostName.domainName.com'
    emailAddress :IA5STRING:'[email protected]'
    Certificate is to be certified until Sep 29 18:20:01 2011 GMT (365 days)
    Write out database with 1 new entries
    Data Base Updated
    Client authentication failed, please verify your WebGate ID.

    Is the Access Server already in Simple Mode, and does the AccessGate definition in the Access System Console have "Simple" transport security mode set?
    Regards,
    Colin

  • BSP for user authentication

    Hi,
    I have two problems:
    1. How can I create a BSP which captures a user ID and checks whether that user exists in my Active Directory?
    2. I have just read the weblog "/people/sap.user72/blog/2004/09/01/bsp-howto-fun-with-ldap-and-bsps", but I can only log in using one user. If I try to connect using a user other than that one, SAP shows the error message: "Could not logon to directory". I don't know why I can connect with one user only.
    I hope for your answers.
    Thank you

    Hi,
    Go through this link:
    http://help.sap.com/saphelp_nw2004s/helpdata/en/02/4b528c2a8d11d5991f00508b6b8b11/frameset.htm
    Regards,
    Azaz Ali.

  • Client certificate authentication with custom authorization for J2EE roles?

    We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If our web.xml includes:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>
    that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
    On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password; we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the Web Server requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication and allowed me to access the subject DN info from the certificate (e.g., through a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>MyRealm</realm-name>
    </login-config>
    or:
    <login-config>
        <auth-method>MyRealm</auth-method>
    </login-config>
    Anybody done anything like this before?
    --Thanks

    We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak them to suit our needs:
    $cat JDBCRealm.java
    * JDBCRealm for supporting RDBMS authentication.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to
    * implement both a login module (see JDBCLoginModule for an example)
    * which performs the authentication and a realm (as shown by this
    * class) which is used to manage other realm operations.
    * <P>A custom realm should implement the following methods:
    * <ul>
    *  <li>init(props)
    *  <li>getAuthType()
    *  <li>getGroupNames(username)
    * </ul>
    * <P>IASRealm and other classes and fields referenced in the sample
    * code should be treated as opaque undocumented interfaces.
    final public class JDBCRealm extends IASRealm {
        protected void init(Properties props)
            throws BadRealmException, NoSuchRealmException
        public java.util.Enumeration getGroupNames (String username)
            throws InvalidOperationException, NoSuchUserException
        public void setGroupNames(String username, String[] groups)
    }
    and
    $cat JDBCLoginModule.java
    * JDBCRealm login module.
    * <P>This login module provides a sample implementation of a custom realm.
    * You may use this sample as a template for creating alternate custom
    * authentication realm implementations to suit your applications needs.
    * <P>In order to plug in a realm into the server you need to implement
    * both a login module (as shown by this class) which performs the
    * authentication and a realm (see JDBCRealm for an example) which is used
    * to manage other realm operations.
    * <P>The PasswordLoginModule class is a JAAS LoginModule and must be
    * extended by this class. PasswordLoginModule provides internal
    * implementations for all the LoginModule methods (such as login(),
    * commit()). This class should not override these methods.
    * <P>This class is only required to implement the authenticate() method as
    * shown below. The following rules need to be followed in the implementation
    * of this method:
    * <ul>
    *  <li>Your code should obtain the user and password to authenticate from
    *       _username and _password fields, respectively.
    *  <li>The authenticate method must finish with this call:
    *      return commitAuthentication(_username, _password, _currentRealm,
    *      grpList);
    *  <li>The grpList parameter is a String[] which can optionally be
    *      populated to contain the list of groups this user belongs to
    * </ul>
    * <P>The PasswordLoginModule, AuthenticationStatus and other classes and
    * fields referenced in the sample code should be treated as opaque
    * undocumented interfaces.
    * <P>Sample setting in server.xml for JDBCLoginModule
    * <pre>
    *    <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
    *      <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
    *       <property name="jaas-context"  value="jdbcRealm"/>
    *    </auth-realm>
    * </pre>
    public class JDBCLoginModule extends PasswordLoginModule {
        protected AuthenticationStatus authenticate()
            throws LoginException
        private String[] authenticate(String username,String passwd)
        private Connection getConnection() throws SQLException
    }
    One more article: [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
    You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
    [http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
    $cat CertificateRealm.java
    package com.iplanet.ias.security.auth.realm.certificate;
    * Realm wrapper for supporting certificate authentication.
    * <P>The certificate realm provides the security-service functionality
    * needed to process a client-cert authentication. Since the SSL processing,
    * and client certificate verification is done by NSS, no authentication
    * is actually done by this realm. It only serves the purpose of being
    * registered as the certificate handler realm and to service group
    * membership requests during web container role checks.
    * <P>There is no JAAS LoginModule corresponding to the certificate
    * realm. The purpose of a JAAS LoginModule is to implement the actual
    * authentication processing, which for the case of this certificate
    * realm is already done by the time execution gets to Java.
    * <P>The certificate realm needs the following properties in its
    * configuration: None.
    * <P>The following optional attributes can also be specified:
    * <ul>
    *   <li>assign-groups - A comma-separated list of group names which
    *       will be assigned to all users who present a cryptographically
    *       valid certificate. Since groups are otherwise not supported
    *       by the cert realm, this allows grouping cert users
    *       for convenience.
    * </ul>
    public class CertificateRealm extends IASRealm {
       protected void init(Properties props)
         * Returns the name of all the groups that this user belongs to.
         * @param username Name of the user in this realm whose group listing
         *     is needed.
         * @return Enumeration of group names (strings).
         * @exception InvalidOperationException thrown if the realm does not
         *     support this operation - e.g. Certificate realm does not support
         *     this operation.
        public Enumeration getGroupNames(String username)
            throws NoSuchUserException, InvalidOperationException
         * Complete authentication of certificate user.
         * <P>As noted, the certificate realm does not do the actual
         * authentication (signature and cert chain validation) for
         * the user certificate, this is done earlier in NSS. This default
         * implementation does nothing. The call has been preserved from S1AS
         * as a placeholder for potential subclasses which may take some
         * action.
         * @param certs The array of certificates provided in the request.
        public void authenticate(X509Certificate certs[])
            throws LoginException
            // Set up SecurityContext, but that is not applicable to S1WS..
    }
    Edited by: mv on Apr 24, 2009 7:04 AM

  • Why "Unable to identify a user for 802.1X authentication (0x50001)"?

    Hello,
    We are trying to set up Wi-Fi single sign-on. When logging on to a laptop we get the message
    "Connecting to Pivot_Users" and after some time "Unable to connect to Pivot_Users", and after that we are logged in to the laptop and successfully connected to the Pivot_Users Wi-Fi network.
    Server: Windows Server 2003 (with all updates)
    Laptop: Windows 7 Professional SP1 (with all updates)
    When looking in the event log I found this error:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          2012-10-10 10:38:01
    Event ID:      5632
    Task Category: Other Logon/Logoff Events
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      sba01-nb
    Description:
    A request was made to authenticate to a wireless network.
    Subject:
    Security ID:                
    Account Name:                -
    Account Domain:                -
    Logon ID:                0x0
    Network Information:
    Name (SSID):                Pivot_Users
    Interface GUID:                {64773f24-bf8b-4e91-bbd7-eb199e3c2c5e}
    Local MAC Address:        C4:85:08:12:77:44
    Peer MAC Address:        00:24:97:83:8E:61
    Additional Information:
    Reason Code:                Unable to identify a user for 802.1X authentication (0x50001)
    Error Code:                0x525
    EAP Reason Code:        0x0
    EAP Root Cause String:        
    EAP Error Code:                0x0
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>5632</EventID>
        <Version>1</Version>
        <Level>0</Level>
        <Task>12551</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-10-10T07:38:01.093305500Z" />
        <EventRecordID>37791</EventRecordID>
        <Correlation />
        <Execution ProcessID="760" ThreadID="2224" />
        <Channel>Security</Channel>
        <Computer>sba01-nb</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SSID">Pivot_Users</Data>
        <Data Name="Identity">
        </Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="PeerMac">00:24:97:83:8E:61</Data>
        <Data Name="LocalMac">C4:85:08:12:77:44</Data>
        <Data Name="IntfGuid">{64773F24-BF8B-4E91-BBD7-EB199E3C2C5E}</Data>
        <Data Name="ReasonCode">0x50001</Data>
        <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
        <Data Name="ErrorCode">0x525</Data>
        <Data Name="EAPReasonCode">0x0</Data>
        <Data Name="EapRootCauseString">
        </Data>
        <Data Name="EAPErrorCode">0x0</Data>
      </EventData>
    </Event>
    Thank you for your answer and help.
    Regards, 
      Tadas

    Hi,
    Thanks for your post.
    Have you configured the client to only use user authentication for 802.1X? If so, I would like to inform you that this is expected when you configure 802.1X for user-only authentication.
    Here is the process that is followed.
    1. As soon as the client is connected to the network, the authenticator (switch) periodically sends EAP Request packets/frames to the client/supplicant.
    2. The client has to respond with an identity, and if it is configured only for user authentication it will send a blank identity.
    3. The authenticator cannot validate this and the authentication fails.
    4. The Windows client is configured with a block time of 20 min. So once the authentication fails, the NIC will go into block time for 20 min until there is a change in credentials. So even if the authenticator (switch) is periodically sending EAP Requests, it will just ignore them.
    5. You will see event 15506 after event 15514.
    Here is the TechNet article we can refer to for the reason code 0x50001 that we see in event 15514:
    http://technet.microsoft.com/en-us/library/cc727747(WS.10).aspx
    0x50001 = decimal 327681
    Reason code: 327681. Event log message: The 802.1X module was unable to identify a set of credentials to be used. [An example is when the authentication mode is set to "User" but no user is logged on.] Definition name:
    ONEX_UNABLE_TO_IDENTIFY_USER
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support
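As an added example (not part of Tadas's or Aiden's posts), the Python below performs the decoding Aiden did by hand on exported Event XML: it reads event 5632, converts the ReasonCode from hex to the decimal value used in the TechNet table (0x50001 = 327681), and flags the blank Identity field that goes with user-only 802.1X before logon. The sample event is constructed from the fields quoted in the thread, wrapped in the `Event` namespace Windows emits; the ONEX_UNABLE_TO_IDENTIFY_USER mapping is the one quoted above, and the Win32 error name for 0x525 (1317, ERROR_NO_SUCH_USER) is from the Win32 error table.

```python
"""Triage of Windows Security event 5632 (802.1X wireless authentication request).

Added example, not from the original thread. SAMPLE_EVENT_5632 is constructed
from the fields quoted in the post, wrapped in the namespace Windows emits."""
import xml.etree.ElementTree as ET
from typing import Dict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AUDIT_FAILURE_BIT = 0x0010000000000000  # set in Keywords 0x8010000000000000 (Audit Failure)

# OneX reason codes, keyed by decimal value; only the one quoted in the thread is tabulated.
ONEX_REASONS = {
    327681: ("ONEX_UNABLE_TO_IDENTIFY_USER",
             "802.1X authentication mode is User but no user is logged on yet"),
}
# Win32 error surfaced in the ErrorCode field (1317 = ERROR_NO_SUCH_USER).
WIN32_ERRORS = {0x525: "ERROR_NO_SUCH_USER"}

# Constructed sample mirroring the event in the thread.
SAMPLE_EVENT_5632 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>5632</EventID>
    <Keywords>0x8010000000000000</Keywords>
    <Computer>sba01-nb</Computer>
  </System>
  <EventData>
    <Data Name="SSID">Pivot_Users</Data>
    <Data Name="Identity"></Data>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="PeerMac">00:24:97:83:8E:61</Data>
    <Data Name="ReasonCode">0x50001</Data>
    <Data Name="ReasonText">Unable to identify a user for 802.1X authentication</Data>
    <Data Name="ErrorCode">0x525</Data>
    <Data Name="EAPReasonCode">0x0</Data>
    <Data Name="EAPErrorCode">0x0</Data>
  </EventData>
</Event>"""


def event_data(root: ET.Element) -> Dict[str, str]:
    """Flatten <EventData><Data Name=...>...</Data> into a dict; empty elements become ''."""
    return {d.get("Name", ""): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}


def triage_5632(xml_text: str) -> Dict[str, object]:
    """Decode one 5632 event into the fields an analyst needs to classify it."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=NS))
    if event_id != 5632:
        raise ValueError(f"expected event 5632, got {event_id}")
    data = event_data(root)
    keywords = int(root.findtext("e:System/e:Keywords", default="0", namespaces=NS), 16)
    reason = int(data.get("ReasonCode", "0"), 16)   # "0x50001" -> 327681
    error = int(data.get("ErrorCode", "0"), 16)
    name, hint = ONEX_REASONS.get(reason, ("UNKNOWN", "look up the OneX reason code table"))
    identity_blank = data.get("Identity", "") == ""
    if identity_blank:
        cause = "supplicant sent no identity: " + hint
    else:
        cause = "identity was sent; correlate with the NPS audit events on the server"
    return {
        "computer": root.findtext("e:System/e:Computer", default="", namespaces=NS),
        "ssid": data.get("SSID", ""),
        "peer_mac": data.get("PeerMac", ""),
        "failure": bool(keywords & AUDIT_FAILURE_BIT),
        "reason_code": reason,
        "reason_name": name,
        "win32_error": WIN32_ERRORS.get(error, hex(error)),
        "identity_blank": identity_blank,
        "likely_cause": cause,
    }


if __name__ == "__main__":
    for key, value in triage_5632(SAMPLE_EVENT_5632).items():
        print(f"{key}: {value}")
```

Fed the output of `wevtutil qe Security /q:"*[System[EventID=5632]]" /f:xml` one event at a time, it separates the expected user-only-before-logon failures from events that carry an identity and therefore need the server-side NPS logs.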

  • Manager password in Tomcat for form-based authentication

    Hi all,
    I have a JSP using form-based authentication. I have set up web.xml and server.xml and created my database with the various users and roles, but when I try to deploy the application it asks for the manager username/password, and when I enter what I have in the database it refuses to connect.
    Does anyone have any idea what I might be doing wrong?
    Thanks in advance


  • User equivalence check failed for user "oracle".

    Hi,
    I am trying to install Oracle Clusterware 10g as part of my RAC setup.
    I have configured RHEL 4 on 2 nodes (rac and rac2). But when I run the runcluvfy utility, I get the error below:
    [oracle@rac cluvfy]$ ./runcluvfy.sh stage -pre crsinst -n rac,rac2
    Performing pre-checks for cluster services setup
    Checking node reachability...
    Node reachability check passed from node "rac".
    Checking user equivalence...
    User equivalence check failed for user "oracle".
    Check failed on nodes:
    rac
    WARNING:
    User equivalence is not set for nodes:
    rac
    Verification will proceed with nodes:
    rac2
    The problem is only with the first node (rac). The second node passes successfully.
    ssh works fine. Not sure what is wrong!
    Thanks!

    Did you Configure SSH for User Equivalence?
    Or
    Did you Establish User Equivalence?
    If yes, please check:
    $ ssh rac hostname
    rac
    $ ssh rac2 hostname
    rac2
    You should establish user equivalence first:
    exec /usr/bin/ssh-agent $SHELL
    /usr/bin/ssh-add
    If you haven't configured SSH for user equivalence, see:
    http://www.oracle.com/technology/pub/articles/smiley_rac10g_install.html
    Or
    read "SSH User equivalence is not set up on the remote nodes"

  • SPNego for user mapping

    Hi All,
    How do I use SPNego for user mapping?
    Please tell me how to configure SPNego for user mapping.
    Kumar

    Update User Mapping ID api
    I followed the above thread and wrote the code in a Java file as below:
    IPortalComponentRequest req = (IPortalComponentRequest) this.getRequest();
    IUserMappingService umapser = (IUserMappingService)
        PortalRuntime.getRuntimeResources().getService(IUserMappingService.KEY);
    IUser userid = req.getUser();
    IUserMappingData iumdata = umapser.getMappingData("System Alias", userid);
    Map map = new HashMap();
    try {
        map.put("user", "userid");
        map.put("mappedpassword", "password");
        iumdata.storeLogonData(map);
    } catch (Exception e) {
        response.write(e.getMessage());
    }
    But the problem is that it throws a compilation error for IPortalComponentRequest req = (IPortalComponentRequest) this.getRequest(); (getRequest() cannot be used for the type classname).
    please help me in resolving this issue
    points will be rewarded for sure.

  • What is the option client certificate for user authentication used for?

    Hi All,
    I have to work on an FTPS - XI - SAP scenario.
    I can see an option for client certificate for user authentication when security is enabled for the FTP adapter. What exactly is this option used for?
    P.S.: I went through SAP Help but couldn't quite understand.

    Thanks a lot Mark.
    So for an FTPS -> XI -> SAP scenario the following settings are required.
    1. I have to create a certificate in Visual Admin for the XI server, send a CSR to a CA and get it signed by them, and I have to add this to the ssl_service view.
    2. I have to hand over the public key to the FTPS server, and this key will be used for encryption of the file.
    The above 2 steps are mandatory.
    If I choose to use the client certificate option, I have to get the client certificate from the FTPS server and add it into the TrustedCAs list. This certificate is just to imply that the client is what it claims to be.
    Will this certificate be used for encryption?
    To make it clear, let me put it this way. The certificate created on the XI server is used for encryption and also for ascertaining that it is what it claims to be.
    The client certificate option is used only to make sure that the client is what it is claiming to be, and this is not used for encryption?

  • Considerations for 802.1x Port Based and Wi-Fi Certificate Authentication

    Lately, we have been going back and forth with the thought of doing certificate authentication for Wi-Fi and ports. We have a Server 2012 PKI and CA, and it seems fairly straightforward to push out a certificate to a user and have them authenticate with their certificate to a RADIUS/NPS. However, every time I mention our thoughts to consultants or others they seem to cringe, saying that they've seen this deployment cripple networks.
    We have almost 50 branch retail locations (with hub-spoke topology - all have VPN tunnels to corporate and also to a disaster recovery location) and their internet isn't always super stable, and they absolutely need to have network access at all times because they are running Point Of Sale. Right now, if their internet fails, they can remain functional because we have the necessary pieces at all locations to keep a Windows network going, but I'm afraid that if we force 802.1X certificate authentication for the switch ports and Wi-Fi, then if their internet goes down they won't be able to authenticate, since the authentication server will be at corporate. I am curious as to how people deal with:
    1. Failover to a disaster recovery authentication server if the corporate connection goes down
    and:
    2. If internet fails locally and they can no longer communicate with any authentication server. Is there some sort of scale-out? It seems complicated since (if I'm not mistaken) it needs access to the CRL to validate certificates and also a Network Policy Server for the authentication and so on.
    What we're really trying to accomplish is to prevent people from bringing in a laptop or device with an Ethernet port, removing an existing device and plugging into the port in its place. MAC filtering doesn't seem like a good solution on a large scale, nor a super secure option, so 802.1X certificate authentication seemed to be the most flexible without having to go full NAP/NAC. Anyhow, sorry for the lengthy post and I really appreciate your time in advance!

    Re-authentication could be triggered by the NPS, the switch / AP or the client:
    NPS: There are a number of attributes to be configured in the Network Policy that determine the time a machine can remain connected, such as Idle Timeout and Session Timeout. (When WEP was still common the session timeout had been used to enforce
    a change of the insecure key.) Otherwise, the machine should remain connected as far as NPS is concerned.
    Switch / AP: Depends on the configuration, e.g. re-authentication has to be triggered if the link went down. If a user plugs a cable or accidentally disables WLAN on his machine while the internet link is down, he will not be able to reconnect.
    Then I have seen some options similar to the NPS options, and switches could have their own session timeouts or be configured to respect the RADIUS server's setting.
    Client: The term "re-authentication" is also used for what happens if you have to / want to use both machine and user authentication: When the machine starts up, the machine account is authenticated; when the user logs on, the user is authenticated;
    when the user logs off, the machine is authenticated again. Per GPO you configure the machines for this kind of re-authentication (the default) or use machine-only or user-only authentication instead.
    It might be a challenge to manage and test these settings if you have to support many different APs / switches and different WLAN devices.
    I would recommend carefully testing it with a pilot group of users.
    Would you have any chance to turn off 802.1x on the switches / APs in case of a major outage? I guess not, as you would not be able to manage them remotely?

  • User Certificate based Authentication Using Anyconnect (DTLS)

    Hello,
    I believe it is possible to set up an ASA to enforce the need for AnyConnect users to have a USER certificate installed on their machine before the VPN grants them access. However, I've been trying to get this to work but I'm always allowed to connect with only a password. Would appreciate any guidance on how to get this working with user based certificate authentication. Are there any documents around specific to the full process of setting up AnyConnect with user certificate authentication?
    Thank you

    Hi,
    I don't believe that this functionality exists at this time on the ISA.
    http://www.cisco.com/en/US/docs/security/small_business_security/isa500/administration/guide/ISA500_AG_OL-23370.pdf
    From the admin guide for the ISA: "According to the user authentication settings specified on the security appliance, the SSL VPN users can be authenticated by the local database or external AAA server (such as Active Directory, LDAP, or RADIUS). For information on configuring the user authentication settings, see Configuring User Authentication Settings, page 346."
    Thanks,
    Jason Nickle

  • Retrieving personal user certificate for secure webservice

    All,
    I am currently creating a WLW 8.1 webservice that will interact with a non-browser client. The reason I mention non-browser is that in order to secure this webservice and also have it function correctly I need to retrieve a user's personal certificate. Our team has done this for web content in the past with simple retrieval via the browser, but in this case the client is non-configurable and will be talking directly with my webservice.
    My question is: is it possible to retrieve the user's certificate via a webservice? The certificate is not only used for security validation, but their credentials are also used to validate them in other programs on the back end of the webservice. This allows personalized content based on the certificate.
    Thanks for any help you can provide. I know that was long-winded and semi-complicated, so if any clarification is required please ask.
    Thanks,
    Sam

    So in essence, then, Credential Roaming is exactly what we need.
    Yes.
    > but if the cert needs to be in the Personal store PRIOR to the user being authenticated on 802.1x
    This is one pitfall of this scenario. You need to have locally installed certificates prior to connecting to the wireless network. This means that you cannot initially connect to wireless prior to logging on to the domain by using the wired network. Once certificates
    are cached, you can connect to wireless networks with cached certificates.
    Vadims Podāns, aka PowerShell CryptoGuy
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell File Checksum Integrity Verifier tool.
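
    A check that covers two points raised in this thread: the reply above says the user certificate must already be in the Personal store before 802.1x can succeed, and the 802.1x considerations post earlier asks what happens when the CRL cannot be reached. The script below is an added example, not code from any of the posters or from the PSPKI module. It lists the current user's Personal-store certificates that EAP-TLS ("Microsoft: Smart card or other certificate") could offer, and builds each one's chain with the Client Authentication EKU the way a validating party would. It assumes the issuing CA chain is already installed and that the NPS policy expects the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); the function name is the example's own.

```powershell
# Added example (not from the thread). Works on Windows 7 / PowerShell 2.0 and later.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, what EAP-TLS client certs carry

function Test-EapTlsUserCertificate {
    param(
        # Online  = download CRLs from the certificate's CDP, as a validator would
        # Offline = use only CRLs already cached on this machine
        # NoCheck = skip revocation entirely (for comparison only)
        [ValidateSet('Online', 'Offline', 'NoCheck')]
        [string]$RevocationMode = 'Online'
    )

    # Cert:\CurrentUser\My is the user's Personal store, where the
    # "use a certificate on this computer" option looks for a certificate.
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {

        # EAP-TLS can only use a certificate whose private key is present.
        if (-not $cert.HasPrivateKey) { continue }

        # Require the Enhanced Key Usage extension (2.5.29.37) to list Client Authentication.
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $ekuExt) { continue }
        $clientAuth = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid }
        if (-not $clientAuth) { continue }

        # Build the chain with the same application policy and revocation
        # setting a validating party would apply.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        [void]$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid))
        $chainOk = $chain.Build($cert)

        # One result object per candidate certificate; ChainStatus explains a failure
        # (e.g. RevocationStatusUnknown / OfflineRevocation when no CRL is reachable).
        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            ChainValid  = $chainOk
            ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
    }
}

# Usage: run both modes. A certificate that is ChainValid with Online but not with
# Offline depends on reaching the CRL distribution point at authentication time;
# no output at all means the user has no EAP-TLS-capable certificate installed yet.
Test-EapTlsUserCertificate -RevocationMode Online  | Format-Table Subject, NotAfter, ChainValid, ChainStatus -AutoSize
Test-EapTlsUserCertificate -RevocationMode Offline | Format-Table Subject, NotAfter, ChainValid, ChainStatus -AutoSize
```

    Run it as the user who will connect, since the store and any cached CRLs are per user. Empty output points at the pitfall in the reply above (no usable certificate in the Personal store yet); a chain that passes Online but fails Offline shows how much the client side depends on live CRL access, which is the same dependency NPS has on its side when it validates the client's certificate against the CA's CRL.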
