EAP Authentication Configuration for EAP-FAST and PEAP

Hi Everyone,
I pretty much got EAP working, however using LEAP.
When I get to EAP-FAST and PEAP, I just can't seem to get it to work.
What am I missing? I do know that EAP-FAST and PEAP involve certificates. However, how do I set them up on the client side?
Hope you guys can help me on this, stuck on this part xD

EAP is a complicated subject for sure. But it shouldn't really be once you know the foundation.
EAP-PEAP can use server-side and client-side certificates, and EAP-FAST can as well. It all depends how it's deployed.
Generally speaking, most deployments of PEAP use server-side certificates only and EAP-FAST uses PACs only.
The cert that you install on the RADIUS server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the RADIUS server, which has the private key and can decode the hash and pass the user ID and password back to AD, for example.
Hope this helps.
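The original question is about the client side. As an added example, not taken from this thread, here are wpa_supplicant network blocks for PEAP and EAP-FAST. The SSID, username, password, certificate and PAC paths and the RADIUS host name are placeholders. The first PEAP block is the weak form (no CA pinned, so the supplicant will accept any server that presents a certificate); the second is the hardened form; the EAP-FAST block shows where the PAC lives and how provisioning is constrained.

```conf
# Added example, not from the thread: client-side wpa_supplicant.conf blocks.
# All SSIDs, identities, passwords, paths and host names are placeholders.

# Weak PEAP block: no ca_cert and no domain_match, so the supplicant cannot tell
# the corporate RADIUS server from any other server answering on this SSID and
# will run MSCHAPv2 against whichever one it connects to.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
}

# Hardened PEAP block: pin the CA that issued the RADIUS server certificate and
# require the server certificate's name to match the expected RADIUS host.
# anonymous_identity keeps the real username out of the unencrypted outer
# EAP-Identity exchange; the real identity is sent inside the TLS tunnel.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous"
    identity="alice"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}

# EAP-FAST block: the PAC is written to pac_file by the supplicant during
# in-band provisioning (phase 0) and reused on later connections.
# fast_provisioning=2 allows only authenticated provisioning (the server
# certificate is validated against ca_cert before a PAC is accepted);
# 1 would allow anonymous provisioning and 3 allows both.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=FAST
    anonymous_identity="anonymous"
    identity="alice"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    pac_file="/etc/wpa_supplicant/alice.pac"
    phase1="fast_provisioning=2"
    phase2="auth=MSCHAPV2"
}
```

The CA file on the client is the only certificate material PEAP needs there; the server certificate itself stays on the RADIUS server. For EAP-FAST the PAC file takes the place of a client certificate and should be protected like one (restrict its permissions to the supplicant's user).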

Similar Messages

  • EAP-TLS for Wireless network and PEAP for wired network

    Hello,
Is it possible to use EAP-TLS for the wireless network and PEAP for the wired network on the same laptop (Windows 7)?
    Thank you in advance.
    Thibault

    Yes, this is possible. You just need to properly configure each interface to use the EAP type you want.
    HTH,
    Steve
    Sent from Cisco Technical Support iPad App

  • Cisco ISE with EAP-FAST and PAC provisioning

    Hi,
I have searched with no result on this topic. So, has anyone implemented Cisco ISE authentication with EAP-FAST and PAC provisioning?
I have an issue with an internal proxy: users are required to authenticate with the internal proxy before being granted access to the internet.
If you have any documents, it would be appreciated.
    Thanks,
    Pongsatorn

From what I understand, an Internet proxy PAC and an EAP-FAST PAC serve two different purposes.
Is that what you are trying to get clarification on?
Basically, EAP-FAST PAC provisioning is a PAC that is provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
    Sent from Cisco Technical Support iPad App

  • Eap-fast and CWWLSE-1030

Hi,
I configured a wireless LAN with 3 AP1131G-E-K9 and a RADIUS server CWWLSE with EAP-FAST and WPA2.
All seems to be OK, but some laptops are obliged to re-authenticate several times a day.
Anybody has an idea if there is a timer or
other parameter I should set?
Thanks for your help

I recently ran into this issue. What I found, although not that technical: if the user is prompted for the PAC and does not accept, I had a hard time getting them to authenticate afterwards. I was able to remove the user from the AAA server and once I added them back in they were able to authenticate with no issues. Again, this is a very basic finding and I have not had time to test my theory. I believe it has something to do with the way AAA caches the user account; perhaps there is a denial of service or time-wait before the next login attempt is permitted. If you are using AD and not local accounts, use the option on the RADIUS server to Remove Dynamic Users.
Hardware used: Version 7.0, 5508 WLC, 3500i APs, WCS, MSE, Cisco ACS/RADIUS 4.2, WPA2, 802.1x, EAP-FAST

  • Client context error message while configuring for social login and personalization

    Hi,
    I am getting the below exception while configuring for social login and personalization.
    27.12.2012 11:21:25.463 *ERROR* [127.0.0.1 [1356587485463] GET /etc/cloudservices/facebookconnect/sample_fb.login.html/callback/connect HTTP/1.1] com.day.cq.wcm.core.impl.designer.DesignerImpl No design at /etc/design/cloudservices. Using default.
    27.12.2012 11:21:46.549 *ERROR* [127.0.0.1 [1356587485463] GET /etc/cloudservices/facebookconnect/sample_fb.login.html/callback/connect HTTP/1.1] com.adobe.granite.auth.oauth.impl.oauth2.Oauth2Helper Problems while creating connection.
    27.12.2012 11:21:46.549 *WARN* [127.0.0.1 [1356587485463] GET /etc/cloudservices/facebookconnect/sample_fb.login.html/callback/connect HTTP/1.1] com.adobe.granite.auth.oauth.impl.oauth2.Oauth2Helper token was null or not in UNAUTHORIZED state:1
    27.12.2012 11:21:46.549 *ERROR* [127.0.0.1 [1356587485463] GET /etc/cloudservices/facebookconnect/sample_fb.login.html/callback/connect HTTP/1.1] com.adobe.granite.auth.oauth.impl.servlet.OAuthProfileImportServlet requestAccessToken: could not retrieve user
    27.12.2012 11:21:46.549 *ERROR* [127.0.0.1 [1356587506549] GET /etc/cloudservices/facebookconnect/sample_fb.login.html HTTP/1.1] com.day.cq.wcm.core.impl.designer.DesignerImpl No design at /etc/design/cloudservices. Using default.
    27.12.2012 11:21:48.455 *ERROR* [127.0.0.1 [1356587508455] GET /etc/clientcontext/default/contextstores/profiledata/loader.json HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Uncaught SlingException org.apache.sling.api.SlingException: An exception occurred processing JSP page /libs/cq/personalization/components/profileloader/command/load/load.json.jsp at line 41
    at org.apache.sling.scripting.jsp.jasper.servlet.JspServletWrapper.handleJspExceptionInternal(JspServletWrapper.java:574)
    at org.apache.sling.scripting.jsp.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:499)
    at org.apache.sling.scripting.jsp.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:451)
    at org.apache.sling.scripting.jsp.JspServletWrapperAdapter.service(JspServletWrapperAdapter.java:59)
    Thanks,
    Shankar .A

    Hi Shankar,
Any luck with this issue? I am also seeing the same issue.
    Thanks
    Pushparajan

  • Setup and configuration for system monitoring and IT Reporting for Java sys

    Hi all,
How do I set up and configure system monitoring and IT Reporting for a Java system?
How do I connect the Java system to the Solman system?
    Regards,
    Neni

Hi,
What is your OS? You can use SAPCCMSR.exe to monitor the Java system for IT Reporting on Solman.
Go to Solman RZ21, create a csmreg user and a configuration file for the agent. Copy the configuration file to usr/sap/ccms/..
Go to the command line, cd ../user/sap/xxx/sys/exe/.../ and write SAPCCMSR.00 -R pf=< ...../sys/profile/instance profile> .
You can see the agent in RZ10 and use this connection in RZ20 for monitoring and IT Reporting of the Java system on Solman.
I hope this helps

  • EAP-Fast or PEAP ??

    Dear All,
We are not sure if we should use EAP-FAST as the authentication method or if we should use PEAP or EAP-TTLS. Could you please inform us which one is safer? For PEAP or EAP-TTLS we would need a RADIUS server such as ACS, while we could assign an access point as the local authentication server if we used EAP-FAST. Is the extra cost for an ACS server justified only to be able to use PEAP? Thanks for your help.

Also, you don't need ACS for PEAP. MS IAS can do that for you. The thing about ACS is that it is there for many other things than wireless: TACACS authentication on your devices, security logs, VPN authentication, and you can connect OTP solutions on top of ACS (from other vendors like RSA). When migrating from LEAP, EAP-FAST is the easiest way to go since EAP-FAST was designed to take over from LEAP with less impact on your configuration, and migration is easy since you are then running an ACS. The market actually demanded EAP-FAST because there was a need for a solution that was more secure than LEAP and PEAP-MSCHAPv2 (both shared-secret mechanisms) and something less complicated than PKI solutions. The answer was EAP-FAST with its easy-to-set-up "mini certificate" setup, which can be pretty well automated. PKI PEAP with certificates is a major decision and you have to be ready to manage a PKI solution all year long. This might require extra personnel to take care of it. But of course those solutions will be the most secure.
Regards, Kristjan Edvardsson
    Sensa ehf. Cisco Silver Partner

  • NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net

    Hi!
    (Sorry, if this is a wrong forum.)
    Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
    I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
    Access-Requests with User-Name="anonymous"
    Access-Challenges (I see certificate is sent from ACS)
    Access-Reject
    CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
    So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
    The following is excerpt from the CS ACS documentation:
    "EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
    SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
So, the question is: why is ACS 4.1 trying to authenticate the username "anonymous" if it knows that the user is fake? Does anybody have a working configuration for EAP-FAST in a wired network?
    Any help is greatly appreciated.

    Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
    POD1-SW#sh run int fa1/0/1
    Building configuration...
    Current configuration : 378 bytes
    interface FastEthernet1/0/1
    switchport access vlan 999
    switchport mode access
    dot1x mac-auth-bypass
    dot1x pae authenticator
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x timeout tx-period 10
    dot1x reauthentication
    dot1x critical
    dot1x critical recovery action reinitialize
    dot1x guest-vlan 91
    dot1x critical vlan 11
    spanning-tree portfast
    end
After all, the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
Thanks.

  • EAP-FAST and CCKM

    Is it possible to use EAP-FAST authentication with CCKM on a 7920 phone with a WLC?
    It is working when configuring 802.1x and WEP 104-bit on the controller, but it does not work with WPA1+WPA2.

If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be OK, but you may want to decrease or increase them based on the company's security policy. Also, CCKM will help when roaming with an expired PAC; otherwise there will be a 20-second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.

  • EAP-TLS and PEAP

    Dear all,
    How can I configure both TLS and PEAP security?
    First the client must enter the username and password (PEAP), then check the TLS (certificate).
    That means using two ways of authentication at the same time.
    I have already configured TLS and PEAP, but how do I add both together?
    Thanks in advance

    Hi,
I'm not sure why you want to have both EAP types. If you set up TLS, that is itself two-way authentication.
In TLS you install the CA on both the server and the client, so
Client verifies server
Server verifies client
    Regards,
    ~JG

  • ACS EAP-FAST and LEAP restrictions regarding 7920 wireless phones

    Hello, the 7920 still doesn't support EAP-FAST. So I'm wondering if it is possible to restrict EAP-FAST users from turning LEAP on. Is there a way in ACS to do that?

    Hi
Kristjan's question above is a good one; I'm looking for a similar answer.
    I.e. can I add all my 7920 handset usernames to a group, and only allow these to do LEAP?
    Also can I restrict LEAP users to a set of pre-defined MAC addresses?
    Thanks
    Aaron

  • EAP-Fast and Cisco 340 Adapters

Does anyone know if the 340 adapters support EAP-FAST? The docs that I have looked at talk about 350 adapters. I thought the only difference between the 340 and 350 was the antenna.

Based on this document it seems like it's supported:
    http://www.cisco.com/en/US/products/hw/wireless/ps4555/products_installation_and_configuration_guide_chapter09186a0080204ae1

  • OWSM 11g : Authentication Providers for X.509 and SAML policies

    Hi All,
I am currently trying to implement the X.509 and SAML policies. As per the documentation for these policies, I need to configure an authentication provider (or Identity Assertion provider) that can handle perimeter authentication via the NameCallback. I had configured an authentication provider (the default authentication provider) that handled the NameCallback and PasswordCallback. What I can't figure out is how these two authentication providers differ, and, in case one has to configure for the X.509 and SAML policies, how to do the same.
Any pointers will be useful, especially from anyone who has worked with and implemented the above policies.
Thanks in advance.
Edited by: Shomit Sahdev on 8 April 2010, 12:25 AM

    After research by Oracle Support it actually turns out that this problem was a combination of factors:
1) some clients were effectively using an invalid certificate, so it is correct that they got an error, and everything worked fine when they started using the right certificate
2) it does, however, turn out that in the case of an error the error handling has been obfuscated in WLS 10.3.6 as compared to WLS 10.3.4, which gives a more descriptive error stating the nature of the problem (missing certificate, invalid certificate, unknown user, ...). Apparently this was deemed a security issue and has thus been replaced by a generic "internal server error". It is however possible to re-activate this older behaviour using a couple of JAVA_OPTS that you pass during server startup:
    -Dweblogic.wsee.security.debug=true -Dweblogic.wsee.security.verbose=true
    The above reintroduced the behaviour we had in WLS 10.3.4 and thus solves our problem!

  • ALE Configuration for PEXR2002 IDoc and PAYEXT message type sending to XI

    Hi all,
I need the ALE configuration for the PEXR2002 (basic type) IDoc; its message type is PAYEXT.
I don't know the ALE configuration for sending data from SAP IDS to SAP XI.
I need an ALE configuration doc/PDF.
Please give me some guidelines for this.
    Regards,
    Umesh

    Umesh,
    I was wondering if you have had any luck creating the configuration for PEXR2002 Idoc, PAYEXT message types, and sending the result set to XI. 
    I need to perform the same task within our R3 environment using the FTP protocol in XI to send the file to the Bank to be processed.
    Any help or direction would be great.
    Thanks,
    Dave

  • Adding second 5508 Wireless Controller, how to best configure for load balancing and redundancy?

We recently purchased a second 5508 wireless controller (both licensed for 100+ APs). What is the easiest way to configure and add the second controller so I can split the load between the 2 controllers and provide failover capability? I do not want to run in an active/standby mode since that will effectively cut our AP capacity in half even with both controllers running.
Should I just manually configure the new controller (a long and drawn-out process to configure all the parameters), back up the current controller configuration and import it to the second controller (then change the IP address), or is there an easier way to cause the two controllers to synchronize their configurations?
We are currently running 7.0.240.0 on our active controller and I would rather not upgrade it until we get the new controller online, so I can have less downtime and fail APs between controllers.
    What can you recommend? 
    Jim

I'm assuming then that when I update the software on the controllers I won't be able to choose which controller is primary for an AP anymore and will lose access to the 100 AP licenses (and the capability to have 100 APs registered, 100 licenses on each controller).
    Read the Deployment Guide.  It should mention that you can choose which controller is the "primary" and which one is the "secondary".
    If I'm not concerned about quick failover can I still assign a primary and secondary controller for each AP and utilize all 200 AP licenses that are split between the 2 controllers?
    You sure can.  But this "old school" method is a very expensive method.  Why?  Because this means that you have two controllers with similar AP licenses.  The newer AP SSO means one controller has a full license and the other has only an HA SSO license, which is a lot cheaper.
