EAP-PEAP and EAP-TLS on same switched network

Hello,
I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are historical, i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will be there.
The AAA server is a Cisco ACS (4.2 or 5.1 - don't know yet)
I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to the Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
Thanks,
Guy

You are right Guy, the switch just acts as an intermediary device. It just passes EAPOL packets between the ACS server and client, and waits till the ACS server authenticates the client (internal DB, or external DB = AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last, make sure that your certificates on both sides are valid and signed by the CA.
Good Luck,
--Jean Paul

Similar Messages

  • Cisco ISE - eap-peap and eap-tls

    Hi,
    Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
    I don't seem to get that working, I do however make the ISE application crash with my config which is not the idea.
    If peap use this identity source, if tls use 'this certificate authentication profile'.
    Thx

    OK,
    so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
    The authentication policy was allowing EAP-TLS & EAP-PEAP.
    I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
    What I found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
    In my setup, machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+Alt+Del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings.
    When the user then logs in, the user account authenticates using EAP-PEAP. I don't think you can authenticate both the logged on user and the machine at the same time. Not with the native Windows supplicant anyway. Windows either sends an authentication request for the user or the machine but not both.
    Hope that helps.
    Mario

  • PEAP and EAP-TLS on ACU?

    Hi,
    Does Cisco have any plan to support PEAP and EAP-TLS in the next release version of ACU?
    Thank you.
    Regards,
    Delon

    As far as I know, there is no such plan as of now.

  • E61i, Access point config with WPA2, EAP-PEAP and ...

    How can you activate the AES encryption on a Nokia E61i.
    I'm running the 1.0633.62.05 firmware.
    In documentation I've found there is mentioned I need to disable the TKIP encryption but this option is not available
    • Select “WLAN security sett.”
    • In “WPA mode” choose EAP
    • In “TKIP encryption” choose Not allowed (thus enabling AES encryption)
    • Disable everything except EAP-PEAP
    • Highlight EAP-PEAP
    • Choose “EAP plug-in settings”
    They mention firmware above 2.xxx but this one is not available
    Any hints ?

    Hey all, it seems I have the same problem!!! I don't know what's the problem. I asked the guys in IT support in my school about this problem and they told me that the phone has to support PEAP-Enterprise in order to be able to connect.. I don't know what that means but if any of you guys can help here, it will be soooo respected!! I am using the new firmware, by the way. TKIP does not exist in the connection settings anywhere!!! and the message is exactly "Unable to Connect. WPA authentication failed" .... help help pleaseeeeeeeeeeeeeeeee

  • Other LEAP upgrade options besides PEAP and EAP-FAST?

    Currently I'm using LEAP for authentication on my APs at roughly 200 remote locations, with about 6 APs per site. These are performing local Radius authentication on the APs themselves. We are using non-dictionary passwords, so I'm not too worried about an ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
    Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, and are they superior to my current LEAP setup?

    A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
    TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
    Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
    You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
    If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
    There are a couple of approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're likely to get.
    Good Luck
    Scott

  • No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?

    Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router?  I am replacing with an Asus router.
    thanks,
    KG

    Hi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.

  • I want to run PEAP and LEAP at the same time...

    I have an environment where I have 25 Laptops connected to my wireless network using PEAP and TKIP over an XP wireless client with a certificate. I also just purchased 25 IPAQ's with built-in wireless and they have the ability to do LEAP or PEAP. I am having issues getting the certificate to take up residence on the IPAQ's, so I thought I could do LEAP instead. What are the caveats of running both protocols at the same time and what configuration issues will I run into with this on the IPAQ's?
    I tried to set up LEAP yesterday without success, basically because I don't know what step I am leaving out. Maybe it's TKIP that is causing the problem, I don't know.
    Any help would be greatly appreciated.
    David Beaver

    The access point doesn't know or care which EAP flavor you're using; LEAP vs PEAP is configured on the client, and you have to specify on your server which flavor(s) you'll allow.
    Supporting both PEAP and LEAP is inelegant, though, and exposes some of your clients to the dictionary attacks LEAP is subject to. You'd be better served by getting PEAP working correctly on your iPaqs.
    You don't need clientside certificates for PEAP, and you don't need to put the server certificate on the iPaq unless you're self-signing. If you are and the problem is that the iPaq isn't accepting your root cert, then the problem may be that it's not in a format the iPaq recognizes. Try importing the root cert into IE and then re-exporting it in DER format, then see if the iPaq will take that.
    Also make sure that your pda's are flashed with the latest OS and firmware patches. I've got PEAP working just fine on my HP 5500, but it did take a little tweaking to get it there.

  • Problem with FWSM and L3 interface in same switch

    I have two 6513s with an 802.1q trunk connecting them. Each switch has redundant Sup720s running in Native mode, IOS ver 12.2(18)SXF (they were initially running SXD3). A FWSM (ver 2.3(3), routed mode, single context) is in each switch, setup in failover mode.
    I can not get a PC, in a vlan that has the layer 3 interface defined on the switch with the active FWSM in it, to communicate with devices "behind" the FWSM. If I move the layer 3 configuration for that vlan to the other 6513, everything works fine.
    The MSFCs are on the inside of the firewall, they have a layer 3 interface configured in the same vlan as the FWSM "inside" interface. Several "same security level" interfaces are defined on the FWSM and used to protect server farms. I am using OSPF on the MSFCs and FWSM and the routing table is correct.
    The FWSM builds connections for attempts made by the PC with the layer 3 interface defined on the same switch as the active FWSM just fine, so this is not a FWSM ACL problem.
    A ping of the FWSM "inside" interface from a PC with the layer 3 interface defined on the same switch as the active FWSM fails, even though debug icmp trace on the FWSM shows the request and the response. A packet capture, using the NAM-2, shows only the request packets. I have captured on the common vlan and the FWSM backplane port channel interface.
    Just to add to the confusion, if I capture in the same places, but do the ping from a PC that is in a vlan with the layer 3 interface defined in the 6513 that does not contain the active FWSM, which works fine, I see the request and reply on the common vlan capture, but only the request on the port channel capture.
    This problem has been there from the beginning of this implementation and has not changed with IOS and FWSM software upgrades. I have experienced this with any and all vlans that I tried to define the layer 3 interface for on the switch with the active FWSM. I have MLS turned on.
    If anyone else has experienced this and solved it, or knows what is going on, I would appreciate any insight.
    Thanks.
    Keith

    I will have to get setup to record more data, but I do know the FWSM showed a ping request and a ping reply at the "inside" interface.
    I believe my problem is related to the IOS command "firewall multiple-vlan-interfaces" which I put in place to allow IPX traffic to be brought around the FWSM. The little documentation that there is for this command, states that policy routing may need to be implemented to prevent ip packets from going around the firewall. I do not have any policy routing in place.
    I also do not have any active layer three interfaces defined for any of the vlans assigned to the firewall except the "inside" interface. So my reasoning was that I did not need to be concerned about ip packets having a way around the FWSM. My suspicion is that this command and the fact that I have mls on is causing some type of a problem which results in the packet being "lost" when it needs to be going through the MSFC in the switch with the active FWSM to get to the PC. Hopefully that makes some sense.
    Do you have any idea where better documentation on using the "firewall multiple-vlan-interfaces" command may be, or a better explanation of all that is happening inside the switch when that command is used?
    Thanks.

  • AEBS and TC - wired connection, same wireless network

    I need some advice.
    I have AEBS and TC. Currently, the connection between them is "Extend wireless network". They are located on the opposite ends of my condo. I am doing some work on my unit and I have a chance to draw an ethernet cable between them. However, I'd like both of them to be the same wireless network, so that I have good coverage in and around my unit and have good speeds for accessing NAS units on the network.
    Which ports would I connect with the ethernet cable and how would I configure the wireless network?
    Thank you!

    Main unit has an ethernet cable from a LAN port that connects to the WAN port of the second unit.
    Second unit is set up in bridge mode. You should not use "WDS" or "Extend Network". These are only for wirelessly extending the network.
    The second base station should be set to a "DIFFERENT" wireless channel, however the network name and security settings should be identical to the main base station.
    As long as the base stations have the same network name, roaming will work between them.
    Again, they need to be set to different channels so that they don't interfere with each other.

  • WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

    I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates are not necessary on the client. The Radius server is a Microsoft NPS and the WLC is a Cisco 5508.
    thanks !!!

    WPA and WPA2 are actually interim protocols that were used until the standardization of the IEEE 802.11i standard. The Wi-Fi Alliance decided that ratification and standardization of the 802.11i standard would take more time. So, they came up with WPA.
    Now, WPA2 is an advanced version of WPA. WPA2 uses AES as the encryption algorithm, whereas WPA uses TKIP as the encryption mode, which in turn uses the RC4 encryption algorithm.
    WPA and WPA2 are actually of 2 types respectively.
    WPA/WPA2-PSK - This is mainly for small offices. This uses a Pre-Shared Key for authentication.
    WPA/WPA2-Enterprise - This uses a RADIUS server for authentication. This is an extension to 802.1x authentication, but it uses a stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
    Any authentication mechanism that involves a separate authentication server for authentication, like an ACS server, is called 802.1x authentication.
    EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x authentication by the RADIUS/TACACS server. A RADIUS server can authenticate a wireless client with various EAP methods.
    LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is Cisco proprietary.
    There are also EAP types which use other user credentials like certificates, SIM etc. for authentication.
    The following document might clarify your doubts.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

  • 802.1x/EAP-TTLS and EAP Certificate Policies

    Hello,
    I am having a hard time with 802.1x authentication against a radius server I manage. Every time I try to connect, I get a pop up about certificate verification - the certificate cannot be verified because there are no explicit trust settings. This system is to be used to authenticate people on a wireless network we are setting up. The machines and people being authenticated are not managed - I do not have the ability to force a configuration on their computer.
    After researching this it looks like OS X has certificate policies that are consulted depending on the certificate operation requested. For 802.1x, I think the EAP certificate policy and the x.509 basic policy are consulted. These policies are outlined here.
    The problem is that when I get the certificate popup and hit 'View Certificate', I don't see anything that would explain why it is not being verified. Both the server certificate and the CA root certificate are listed as valid. There are no messages about insufficient extended key usage values or hostname mismatches or anything. How can I tell what is actually wrong?

    I was hoping this could be accomplished without having to change the trust settings from whatever the default is. The people who will ultimately be using this are students and staff at a University - a moderate number of which are bothered by any appearance of lower security.
    The root cert is in X509Anchors. The certificate CN is the IP address and the RADIUS server does not have a PTR record in the DNS server.
    If I point Firefox at a website set up on the same machine with the same certificate, there are no complaints. If I use Safari, there is an error about the names not matching but the name listed on the cert according to Safari is the same name I typed in the address field and the same name listed in the ServerName configuration of the web server.
    Just kind of a weird problem.

  • Multicast performance and Unicast performance on same switch

    Hi ,
    I have a question about multicast performance.
    As I know, switch performance depends on switch fabric bandwidth and packet forwarding efficiency..
    For example.
    In our case is CAT4506-E with SUP7-E.
    The switch fabric per slot is 48G and total PPS for IPv4 is 250mpps.
    Is this for unicast and multicast?
    The only difference between them is routing table entries?

    Alessandro Ilardo wrote:
    Hi there,
    a colleague of mine raised some doubts on installing Oracle database 11.2 on the same host server where multiple Virtual Box guest instances are running.
    He pointed that threads allocation and consequently performance could be unbalanced.
    Database server is not for production but it must supply its services for about 20 enterprise applications, so I do not expect to serve thousands of requests but definitely complex queries.
    Considering these points, does it make sense what he's said?
    Where can I find more information about Oracle DB 11.2 threads allocation?
    thanks in advance
    The host server is a DELL with two sockets Intel® Xeon® E5520, 2.26Ghz, 8M Cache, 5.86 GT/s QPI, Turbo, HT, 1066MHz Max Memory
    RAM
    RAM 24GB Memory for 2 CPUs, DDR3, 1333MHz
    (12x2GB Dual Ranked UDIMMs)
    OS RedHat 5.3
    If I understand what you are saying, then as far as the OS is concerned, the oracle rdbms is just another application alongside a virtual machine (or several virtual machines) process. I can't see where there should be any inherent conflict between them, except of course all processes running on any computer are competing for finite hardware resources. Typically you'd want the database server to be dedicated to running the database.

  • TACACS+ PEAP and MAC in the same AP

    Hi,
    we are having a configuration in our Access Points, which I would like to know if can create troubles, because in some AP's it works perfectly, in some others we are having issues with PEAP auth.
    We have TACACS+ for the Telnet into the AP's, Mac Authentication for compatibility reasons, and are now introducing PEAP.
    the aaa part looks like this:
    aaa authentication login default group tacacs+ local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods group rad_mac
    aaa authentication enable default group tacacs+ enable
    but can we have trouble with the first line, where it says "default"?
    Jorge

    Jorge,
    No, that is not going to give you any trouble unless there is any software bug.
    You will bind "method list" to a specific interface. Once done, default will ignore that interface.
    Please rate if helps.
    Regards,
    ~JG

  • Printing problems with 10.4 and 10.6 on same airport network

    We have an HP LaserJet 1160 connected by USB to a Mac wireless hub (Airport). On the wireless network there are three Mac computers, two of them pre-Intel running OS 10.4 and the third an Intel machine that has recently been upgraded from 10.4 to 10.6. A consequence of the upgrading is that after we have printed to the 1160 from the OS 10.6 machine we cannot print to the 1160 from the 10.4 machines: the printer status window states 'Opening printer connection' for an indefinite period and no printing occurs. On the two 10.4 machines I have updated the 1160 driver to version 2.0 . The work-around is to power-down and restart the Airport hub after printing from the 10.6 Mac and before printing from one of the 10.4 machines, but that doesn't feel like the 21st century! Any help will be greatly appreciated.

    Hi Johnny,
    Is it possible to put on 10.5/ 10.6?
    Nope, G3s are left out for 10.5, and every G3, G4, & G5 (PPC) is left behind by 10.6.
    Tiger Requirements...
    To use Mac OS X 10.4 Tiger, your Macintosh needs:
    * A PowerPC G3, G4, or G5 processor
    * Built-in FireWire
    * At least 256 MB of RAM
    * DVD drive (DVD-ROM), Combo (CD-RW/DVD-ROM) or SuperDrive (DVD-R) for installation
    * At least 3 GB of free disk space; 4 GB if you install the XCode 2 Developer Tools
    http://support.apple.com/kb/HT1514
    The big trouble is going to be finding a Retail Tiger Install Disk!
    Leopard requirements...
    * Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor
    minimum system requirements
    * 512MB of memory
    * DVD drive for installation
    * 9GB of available disk space
    Snow Leopard requirements...
    General requirements
    Intel Core 2 Duo
    * Mac computer with an Intel processor
    * 1GB of memory
    * 5GB of available disk space
    * DVD drive for installation
    See Tom's, (Texas Mac Man), great info on where/how to find/get Tiger...
    http://discussions.apple.com/thread.jspa?messageID=9755670&#9755670

  • EAP-TLS and EAP-PEAP Clients

    Hi guys
    I have installed a dot.1x solution for a customer using ISE. The ip phones have a certificate from the CUCM server. In the ISE a wired-dot.1x policy with eap-tls enabled is configured so that when ip phones or PCs connect to the network they get authenticated using EAP-TLS. I have the required certificates imported on the PCs and the ISE server. That part works absolutely fine.
    Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
    The endpoints are configured with a username and password. The credentials are created in ISE server.
    I create a second policy for wired dot.1x with EAP - PEAP enabled
    The problem I am hitting is that if the PC and phone policy is on top, the phone and PC get authenticated, but the video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
    When I move the video endpoint authentication rule above the PCs and phones, the video endpoints get authenticated successfully, but PC and phone authentication breaks. The error message I receive says username and password expected but received a certificate-based authentication.
    Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
    Thanks in advance.
    Sent from Cisco Technical Support iPad App

    Hi,
    There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
    You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications; keep in mind that you can only map one Certificate Authentication Profile when using identity store sequences. More information about configuring this is provided below:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
    The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*
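Added example (not code from any of the posts above, nor from Cisco ACS/ISE): a small model of the EAP method negotiation described in the original thread, where the switch only relays frames and the RADIUS server decides which methods a session may use. It also reproduces the ISE rule-ordering problem from the last post and Tarik's two fixes (one rule allowing both methods backed by an identity sequence, or steering by username pattern). The message format, rule structure, identities and policy names are constructed for illustration; the EAP type codes are the real ones from RFC 3748 and the IANA EAP registry.

```python
import re
from dataclasses import dataclass
from typing import Callable, List

# EAP type codes (RFC 3748 / IANA EAP registry)
EAP_IDENTITY, EAP_NAK, EAP_TLS, EAP_PEAP = 1, 3, 13, 25
NAMES = {EAP_TLS: "EAP-TLS", EAP_PEAP: "EAP-PEAP"}


@dataclass
class Rule:
    """One authentication-policy rule: a match condition and the EAP methods it allows."""
    name: str
    allowed: List[int]                                   # first entry is what the server proposes
    condition: Callable[[str], bool] = lambda identity: True  # default: matches every request


@dataclass
class Supplicant:
    identity: str
    method: int   # the only EAP method this endpoint supports (constructed assumption)


def run_session(rules: List[Rule], sup: Supplicant) -> dict:
    """Simulate one 802.1X session. The switch appears in the transcript as a relay only;
    every decision is taken by the server, exactly as the original thread states."""
    log = [("server->switch->supplicant", EAP_IDENTITY, "Request/Identity"),
           ("supplicant->switch->server", EAP_IDENTITY, sup.identity)]
    # First matching rule wins, which is why rule order matters in the ISE post.
    rule = next((r for r in rules if r.condition(sup.identity)), None)
    if rule is None:
        return {"result": "reject", "rule": None, "method": None, "log": log}
    proposed = rule.allowed[0]
    log.append(("server->switch->supplicant", proposed, f"Request/{NAMES[proposed]}"))
    if proposed != sup.method:
        # RFC 3748 section 5.3: the peer answers with a Nak listing the type it would accept.
        log.append(("supplicant->switch->server", EAP_NAK, f"Nak, wants {NAMES[sup.method]}"))
        if sup.method not in rule.allowed:
            log.append(("server->switch->supplicant", None, "Failure"))
            return {"result": "reject", "rule": rule.name, "method": sup.method, "log": log}
        log.append(("server->switch->supplicant", sup.method, f"Request/{NAMES[sup.method]}"))
    log.append(("server->switch->supplicant", None, "Success"))
    return {"result": "accept", "rule": rule.name, "method": sup.method, "log": log}


# Constructed endpoints: a PC with a certificate and a video endpoint with a password.
PC = Supplicant("host/pc01.example.internal", EAP_TLS)
VIDEO = Supplicant("video-room3", EAP_PEAP)

# Broken policy from the thread: two rules that both match every wired request,
# so whichever is on top decides, and the other population always fails.
BROKEN = [Rule("wired-tls", [EAP_TLS]), Rule("wired-peap", [EAP_PEAP])]

# Fix 1: a single rule allowing both methods, with an identity store sequence behind it.
SEQUENCE = [Rule("wired-dot1x", [EAP_TLS, EAP_PEAP])]

# Fix 2: match the video endpoints by username pattern so each rule sees only its own devices.
PATTERN = [
    Rule("video-peap", [EAP_PEAP], lambda i: re.fullmatch(r"video-.*", i) is not None),
    Rule("wired-tls", [EAP_TLS]),
]

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("sequence", SEQUENCE), ("pattern", PATTERN)):
        for endpoint in (PC, VIDEO):
            r = run_session(policy, endpoint)
            print(f"{label:8} {endpoint.identity:30} {r['result']} via {r['rule']}")
            for hop, eap_type, text in r["log"]:
                print(f"    {hop:28} type={eap_type} {text}")
```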
