EAP-PWD with windows 7

Similar Messages

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• EAP-TLS with IAS

  Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
  Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
  Any suggestions?

  Hi,
  I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
  Regards,
  Davy

• Windows EAP-TLS with machine cert only?

  Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
  Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
  Thanks for any clues.

  Hello Leroy-
  EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
  Cisco TrustSec Guide:
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  RFC:
  https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
  Thank you for rating helpful posts!

• EAP with Windows 2000 client and IAS server

  Several messages on this site point to peole using EAP on a Windows 2000 client and authenticating against an IAS server. I am running an Aironet 350 AP and trying to setup my Windows 2000 clients to use EAP only and authenticate against a Windows 2000 AD forest via IAS. The access point and client are on the latest firmware and drivers (12.0 for AP). I have two basic questions.
  1. It is my understanding that by enabling Network-EAP as the only authenticaiton type that users will authenticate and then dynamic WEP keys will be used, greatly reducing the risks of compromised WEP keys while at the same time keeping the data encrypted.
  2. Does anyone have a quick HOW-TO or point-by-point list of how to configure the Windows 2000 client to authentication using the Network-EAP method? I am currently running into a situation where no matter what I configure on the client, the IAS server reports and error with "Reason: The authentication type is not supported on this system." I also noticed that the "Authentication-Type" and "EAP-Type" fields shown in the IAS messages in the Windows 2000 Event Viewer log have the value "<undetermined>". Has anyone else run into this?

  I'm having a similar problem. I'm trying to do PEAP and it appears that IAS is not handling the request properly. It keeps trying to log the user PEAP-##### in instead of setting up the TLS and then asking for Username, Pass, Domain. The IAS error message I'm getting is:
  User PEAP-00097CFCD901 was denied access.
  Fully-Qualified-User-Name = APPLY\PEAP-00097CFCD901
  NAS-IP-Address = 172.16.200.31
  NAS-Identifier = AP1
  Called-Station-Identifier = 004096570d87
  Calling-Station-Identifier = 00097cfcd901
  Client-Friendly-Name = WirelessAP
  Client-IP-Address = 172.16.200.31
  NAS-Port-Type = 19
  NAS-Port = 37
  Policy-Name =
  Authentication-Type = EAP
  EAP-Type =
  Reason-Code = 8
  Reason = The specified user does not exist.
  So if anybody has the needed settings for Win2k (SP3 and 802.1x patch) IAS it would be much appreciated.
  Ben
  Note: if I had PEAP-####### as a user in Win2k I get:
  User PEAP-00097CFCD901 was denied access.
  Fully-Qualified-User-Name = apply.org/Users/PEAP TEST
  NAS-IP-Address = 172.16.200.31
  NAS-Identifier = AP1
  Called-Station-Identifier = 004096570d87
  Calling-Station-Identifier = 00097cfcd901
  Client-Friendly-Name = WirelessAP
  Client-IP-Address = 172.16.200.31
  NAS-Port-Type = 19
  NAS-Port = 37
  Policy-Name = Wireless Policy
  Authentication-Type = EAP
  EAP-Type =
  Reason-Code = 16
  Reason = There was an authentication failure because of an unknown user name or a bad password.

• ISE EAP-Chaining with machine, certificate and domain credentials

  Good morning,
  A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
  Corp. wireless to authenticate with 2-factor authentication:
  •1. Certificate
  •2. Machine auth thru AD
  •3. Domain creds
  When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
  Clients are Windows laptops and corporate iPhones.
  Certs can be issued thru GPO and MDM for iPhones
  Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
  My first question is: can this be done?
  Second question: how would i implement this from an AuthC/AuthZ perspective?
  Thanks in advance,
  Andrew

  You can do this configuring anyconnect with NAM modules on endpoints! But I don't make sense configure some clients with certificate and others with domains credentials...
  For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and i'm gotting some problems. The first one I got with windows 8, for some reason windows was sending wrong information about the machine password but I solved the problem installing a KB on windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with windows 7 that are sending information correctly about domain but wrong information about user credentials, on ISE logs I can see that windows 7 are sending user "anonymous" + machine name on the first longin... after windows 7 start if I remove the cable and connect again the authentication and authorization happen correctly. I still invastigate the root cause and if there is a KB to solve the problem as I did with windows 8.
  Good luck and keep in touch.
  http://support.microsoft.com/kb/2743127/en-us

• EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

  We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
  Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
  For example:
  Policy 1: allowed-certificate-OID --> corporate
  Policy 2: allowed-certificate-OID --> private
  Client authenticates with EKU corporate --> success
  Client authenticates with EKU private --> reject
  My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
  Has anyone a simmilar setup or can help to figure out what is going wrong?
  We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
  regards
  Fabian

  The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
  This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
  The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
  The certificate does include this OID but not the custom EKU.

• Getting existing wireless solution working with Windows 7 client

  A bit new to this so need some help
  I have been asked to do some innovation around an existing operational wireless solution.
  Setup is;
  1. Wireless client - running Juniper Odyssey client. This authenticates user on logon to Windows using username / SecurID token / pin. Configuration via WAP / TKIP
  2. Cisco Aironet Wireless Access Point
  3. Cisco 4402 Wireless LAN controller
  4. Cisco ACS v4.1 - configured as RADIUS server with connection to external RSA Authentication Manager 6.1
  As part of a transformation programme I have been asked to investigate whether this existing wireless infrsatructure will work with Windows 7 as the client operating system. Also to look whether the wireless functions in Windows 7 will allow the Odyssey client to be removed.
  I am unsure what client if any I need to install on the Windows 7 client in order to try and get this working. Do I need the VPN client from Cisco, the RSA EAP client or will Win 7 allow me to do this.
  Any help appreciated.

  I am still struggling with this concept of suplicants
  I have tried to set this up with the wireless capabilities in Windows 7 to no avail. I see that Windows 7 only supports certin EAP types - how can I find out what my EAP type is on the ACS server?

• PEAP config with windows server 2003

  Hi all,
  I hope you will help me ... I try for few days to configure PEAP authentication on a win 2003 serv (.net) and I cannot put the certificate on the IAS server.
  Nothing is documented or there are very few info.
  The certificate is present in the certificate store but when I want to configure PEAP, a error tells me that no certificate is installed for EAP.
  The windows server is configured as standalone server.
  regards
  Frederic

  IAS supports PEAP with .NET version of windows so do you have .NET version of IAS ? If not IAS
  does not support PEAP ( That is my understanding , you can search more on this on Microsoft side )
  Also refer the following URL,
  http://www.cisco.com/en/US/products/hw/wireless/ps4555/products_installation_and_configuration_guide_chapter09186a0080154867.html

• Syncing iphone with windows 7 contacts - error message outlook.pst not foun

  I have set set up ITunes to sync my Iphone GS with Windows Contacts. When I sync I get an error message :
  The file c:\Program Files\Common Files\System\Mapi\1033\Outlook.pst could not be found
  Sometimes the error message comes up 2 or 3 times.
  Secondly, my Iphone is syncing with something because an old version of my windows address book is now on my iphone. Of course if I add a new contact to Windows Contacts, it does not appear on my iphone.
  I dont have Outlook installed on my PC. It was removed, but I guess I do have an old outlook.pst file from my old times with Windows XP.
  So how does Itunes manage the sync and how can I stop it syncing with my old address book and use Windows Contacts? I have tried resetting my sync history but it did not work.
  I am running Windows7 (upgrade from Vista).

  I am also having issues with syncing my Iphone 3GS with the latest version on Itunes. I have for a long while now been doing just great. My contacts, phone numbers, emails have all synced very nicely, no problems. As soon as I downloaded the new Itunes 9.1 I can no longer sync contacts, and calendars, as usual.
  I tried several things that were suggested to me in the troubleshooting but nothing has helped. It usually tells me that my computer is not set up for syncing, and after arranging that it still doesn't work. As well, it says it cannot find the requested services.
  Please help.
  I am running windows 7, and have been for a while, it's not windows 7, it's the new Itunes upgrade.

• IPod Classic - ok with Windows, not with iTunes

  Hi,
  I have a Classic 160GO iPod.
  Suddenly this problem appeared :
  - no music or pictures were recognized by my iPod, but the disk space was used for "Other"
  - this iPod is not known with iTunes
  - This iPod is known as a removable hard disk, via Windows 7 (Main computer), Windows XP (secondary computer), a linux thing (a friend computer).
  1. I already checked this iPod with the diagnostics mode (see https://discussions.apple.com/message/19048752#19048752)
  result is :
  - reallocs : 0
  - Pending sectors : 32
  My understanding is that my iPod hard disk is ok and valid.
  2. I followed most of the recommended way to repaird the iPod as per Support (8 out of 10)
  NOthing is working.
  I confirm I have installed the latest version of iTunes.
  3. I read the following page : https://discussions.apple.com/message/19158071#19158071 to find the relevant firmware.
  But the iPod Classic 160GO is not in the list.
  My questions
  --> Do you have an idea to solve my problem ?
  --> What could happend i I format my iPod with windows ? It would be only a hard disk after, wouldn't it ?
  --> I f I format, is there a solution to re-install the iPod software (= firmware ?)
  Thank you for your help.

  The iPod hardisk is  looks new from the Reallocs and ON Hours, but, it is rebooting more to get the correct spin for data verification, causing tImeouts,  so the Pending Sector will increase.
  There maybe something, near the iPod environment, that is causing the drive to fail, and overheat, if it has not already been damaged, or maybe it is just one Hardisk, that slipped through poor quality control.
  You can bring the Retract, Realloc and pending number low, by doing low level format, see this article, but your problem of Hardisk rebooting to find a good cluster, wont go away
  Just my thoughts.
  Magnets are the primary cause of hardisk crashes,  I would also suspect, using your handphone, while it is near the iPod would also be bad, see the YouTube video on hardboiled eggs using handphone.

• Does a 7th generation ipod nano work with windows 8?

  we bought a new HP laptop with Windows 8 and are having difficulties wtih our 7th generation Ipod nano's not being recognized by the computer. Is Windows 8 compatible with the Ipod nano 7th generation?

  Hello LCREW,
  The article linked below provides some useful troubleshooting steps that can help get your iPod to appear in iTunes.
  iPod: Appears in Windows but not in iTunes
  http://support.apple.com/kb/TS1363
  Cheers,
  Allen

• Does the Ipod Nano work with Windows XP SP1???

  I studied the system requirements for the ipod nano and there was written, that I need a WinXP with SP2 for it.
  Because I use Sound-Software that only works with Windows XP SP1 I have to keep this system, and I now would like to know if that works. Could anyone answer this question??

  Have you try putting your ipod into disk mode if you need help putting it in disk mode here's a page from apple
  of how to put your ipod nano into disk mode: http://support.apple.com/kb/ht1363

• IPod Nano Video with Windows Movie Maker

  I found this page by Apple that explains how to use video from the 5G iPod Nano, http://support.apple.com/kb/HT3837
  But, I cannot find Windows Movie Maker V2.5, and V2.1 with Windows XP will not import the video from the iPod Nano. Anybody have any ideas on how to solve this? (Besides buying a Mac...)
  Also, Windows Media Player 11 will not play the video created with the 5G iPod Nano either.
  Message was edited by: trubol

  You can use the AVS Video Editing software to import MPEG-4 Movie files in the same way you'd import .avi files into Windows Movie Maker. Also, the AVS Video Editor will allow you to import iTunes .mp4 audio files and incorporate them into your soundtrack. If you still want to use Windows Movie Maker for your video editing you can also use video conversion software from the same company, i.e. AVS Video Converter 6, to convert from MPEG-4 into .avi or .wmv format. I've found converting to .wmv to be considerably slower than converting to .avi though. Here's a link to the AVS video software offerings below. BTW, the AVS Video Editor can be used for free, while there's a charge for the Converter.
  * As always, exercise caution when using Shareware. So far my own experience has been good.
  http://www.avs4you.com/AVS-Video-Editor.aspx?type=GoogleAdWordsSearch&gclid=CMKa 0-yPqp8CFQ975QodU24Y1Q

• Ipod sync issues with Windows 7

  I just purchased a new computer with the Windows 7 operating softeware and now I cannot sync my Ipod Touch (3rd generation) but I do not experience this issue with my old computer with Windows Vista.  When I need to update my Ipod I have to connect it to my old computer.  Help.  I do not want to pay Apple for support when I see countless post about this issue.

  Diane Wordsmith wrote:
  Are you set to manually manage on both computers? If not, an auto sync on one of them will erase the iPod and place that computer's library on it.
  No that wouldn't be it. The manual vs. Auto sync setting is stored on the iPod, not on iTunes. So if you take a manually managed iPod and plug it into an iTunes it has never connected to before, the new iTunes will still recognize the iPod as manually managed and not do anything bad to it (in theory).
  Patrick