EAP-TLS User and machine authentication question

Hello,
i have a question regarding EAP TLS authentication in a wireless environment. We use Cisco AnyConnect NAM client and an ACS 5.1 to do EAP-TLS authentification. The Laptop and the user can be successfully authenticated using a certificate from our internal CA. i can also check the in our corporate AD if the user and machine are member of a certain group and based on the membership a can grant access to the network.
i can see in the ACS when the laptops after a reboot logs on to the network, but i don't see a log when the laptop comes back from hibernate mode, i guess this is normal because the laptop sends only the autentication equest after rebooting.
What i'd like to achive is, when a user logs on the it should always be checked if the machine was authenticated prior the user can get access to the network. Is there a way to do this with EAP-TLS and a LDAP connection to Active Directory.
thanks in advanced
alex

Sounds like you rather want to use PEAP/MSChapV2

Similar Messages

  • 802.1x Wireless - Enforce user AND machine authentication

    I am using ACS v5.6 and I'd like to confirm that it is not possible to enforce both user and machine authentication against AD before allowing wireless access to Windows 7 clients, using PEAP/MSCHAPv2 and the built-in 802.1x supplicant.
    The only workaround seems to involve MAR (Machine Access Restrictions), which has pretty significant drawbacks.
    I'd rather not have to deploy user and machine certificates.
    All I want to do is allow access to the wireless network only if the device and the user are in AD.
    It's such a simple scenario that I must be missing something.
    Any suggestions are welcome. Thanks in advance for your comments.
    Lucas

    In my opinion, the only solution that works is using NAM and EAP-Chaining with ISE as radius backend, last time i looked in ACS release notes was 5.4, and it didn't have eap-chaining support.
    Using the built-in windows supplicant will only authenticate user or machine at any time, not both. As you discovered, the feature called MAR used to be what was being recommended (mostly because nothing else existed), What most people miss when they say this will work fine with windows supplicant and acs, is the fact that you cannot be sure that when the user authenticates, he is doing it from an authenticated machine, this is mainly due to the shortcomings.of MAR. You should consider migrating to ISE if you are not using any TACACS features on ACS.

  • ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

    Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not. I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
    Long story short, what I'd like to do is: 
    User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
    Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rule/ACL's based on this)
    personally owned devices only allowed to do ICA,
    corporate device can use SQL, RDP, etc...
    Thoughts, ideas?

    Not sure i understand your response, or perhaps my original question isn't clear.
    User authenticates with EAP-TLS / User cert
    User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
    Unable to determine if the machine that the user is authenticating from is an active directory computer or not which would need to be determine in order to allow further ACL refinement (permit/deny certain protocol's based on if it is a personally owned device or a domained device, etc...).
    My question is, is it possible to do this using the native windows suplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

  • EAP-TLS client security policy enforcement question using ISE

    Hi Experts ,
    I have remote site connected to HQ wireless controller and cisco ISE used as RADIUS server . I am using EAP-TLS authentication method where client will validate the server certificate and server will validate the client certificate.
    I am using EAP-TLS and machine authentication.
    In case of server certificate installation using internal PKI (Root CA ) server , I am quite clear that we can create certificate in ISE and can be signed by CA which will be used for EAP-TLS as well. however I am trying to under the client certificate installation.
    how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
    and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
    This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
    how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
    I am not sure ... will it get pushed through AD ? how will it happen ?
    It would be really helpful if someone could put light on this ..

    Hello Vino,
    Some answers below :
    how does client gets certificate from CA. is there any mechanism used by AD to import the certificate automatically to all the clients ?
    You have templates in the certificate authority to user or machine certificate and you can apply these certificates to a group of machines or users using GPO in the Windows Server 2008.
    It can be automatically because the machine can get it using GPO from domain and after can authenticates using 802.1X using these certificates received from this policy.
    If you want a user certificate and get it manually you can access the CA too using the URL https://X.X.X.X/certsrv and request manually the user certificate using your domain credentials and install manually to authenticate using EAP-TLS with this user certificate.
    In the Cisco ISE Side it needs to have a local certificate from the same client CA or from another CA and the Cisco ISE needs to trust in the clients CA Issuer to accept the client certificate and allow this one to access the network.
    In the client side the same happens, the client needs to trust in the Issuer CA for the Cisco ISE certificate to validate ISE certificate and get access to the network.
    and more important is , which certificate will be installed on client machines. Do we need to create certificate first from CA and save in repository and later can be installed same to client machines .... Sorry it could be microsoft AD related question however i am pretty sure that since we as a wireless techie , need to know even client side configuration.
    If you have a Windows Server with GPO and a CA configured you can use some templates to apply automatically a machine certificate or user certificate to a group of machines or user, in the case of machines it can be get from the domain using GPO and in the case of user certificate it can be get manually or using GPO too.
    This is all about certificate installation . how about entire security policy which is used for EAP-TLS ?
    The EAP-TLS is the most secured method to use to authenticate devices in the network because you have certificates and you have trusted certificate authority that you trust and only devices who has certificates from these CAs will be allowed to access the network.
    Another method very secured is EAP-FAST with machine and user certificate that the ISE will validade both the machine and user certificate before allow this one to get access to the network.
    how will client wireless network adapter properties automatically configured with same SSID which is configured with EAP-TLS along with certificate validation ?
    You can apply it too using GPO in the Windows Server to a domain machine but when you have a machine that is not a domain machine you can use a user certificate to authenticate this one and need to install manually the user certificate in that machine to authenticate the user to wireless network and create SSID specifying the policy that is EAP-TLS.
    Remember that client machine needs to have the CA issuer for the Cisco ISE certificate to trust in the Cisco ISE and get access to the network and the opposite too (ISE needs to have the CA Issuer to trust in the client)
    I hope it helps.

  • EAP-TLS User Certificate Question

    I've setup a test ACS server and have everything functioning correctly including the WLAN. However, is there anyway for EAP-TLS to use ONLY the machine certificate and not the user certificate? We are not currently setup with per-user certificates. I'm guessing not on this... My primary question then is with User Certificates, how do you handle the following scenerio:
    I have many CoW's (computer on wheels) through out the hospital that nurses use for inputting patient information. They all have a simple generic username/password (BADDD!!!!) so with this user it won't be hard to have default_user certificate install on the machines. But what if Doctor X decideds to walk up to one of these CoW's and wants to logout and log back in with his user/password on a machine he's never used before. How do we handle making sure he's able to connect if doesn't already have a cert on this computer? I'm quite mistified by this.
    Thanks
    -Raun

    If you are using the MS Supplicant, you need the following registry settings:
    "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode", 2, "REG_DWORD"
    "HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode", 3, "REG_DWORD"
    This forces it to only use hardware certificates and sets the authentication to do the correct RFC polling.
    As for the other issue, MS CA user certs do not "roam". Yet. There is discussion of roaming credentials being in Windows 7, but not entirely what that means. Roaming certificates can be easier with a product like Venafi. There "Encryption Management" tools are certificate management suites. The do have roaming management, or at least did when we talked to them.
    Oh, and if you use two CAs (hardware and user), the separation keeps it straight too.

  • 8021.x EAP-TLS "User" vs "System" profile problems

    Hello. I have a macbook using EAP-TLS (wired) with digital certificate authentication. Finally, it's working but I have the following workarounds/questions.
    1. I have had to set the Username field to "HOST/<machine FQDN>". Other systems (ie: Windows) prepend "HOST/" automatically. Is this a known limitation or is there something I can/should do to have OS/X pull out the certificate identity and put it in as "host/identity" in response to the Identity EAP request?
    2. This works fine for USER profiles, but I cannot get a SYSTEM profile to work. When I setup a SYSTEM profile, it screws with the keychain (my root CA has to be explicitly trusted, and the SYSTEM profile only turns on Trust for eapolclient), and the auth fails. There's not enough logging detail (LogLevel=1 only gives you a network trace...) to see what's going on, so I'll ask the experts here - what's going on?
    I concede that I have played around with System profiles quite a bit, so maybe I need to delete the system profile and restart but I don't know how to do that.
    Thanks!

    Assuming you're using the stock XP wifi client.
    When running XPSP3, you need to set two things:
    1) force one registry setting.
    According to
    http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
    You need to force usage of machine cert-store certificate:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
    "AuthMode"=dword:00000002
    2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
    - show available wireless networks
    - change advanced settings
    - wireless networks tab
    - select your SSID, and then hit the "properties" button
    - select authentication tab, and then hit "properties" button
    - search for your signing CA, and check the box.
    I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
    Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
    please cross reference to
    https://supportforums.cisco.com/message/3280232
    for a better description of the whole setup.
    Ivan

  • EAP-TLS with windows machine

    I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
    I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
    Just list of RDS.log appears some activity ended with
    NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
    If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
    Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
    Please let attentions to Attachments and let me know
    what could be a problem of my unsuccessness of use EAP-TLS.
    configuration of interface which I use for testing:
    interface GigabitEthernet0/42
    description Test 802.1X klient - Filip
    switchport access vlan 34
    switchport mode access
    switchport voice vlan 31
    authentication host-mode multi-domain
    authentication open
    authentication port-control auto
    authentication periodic
    authentication violation protect
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end

    Hi Filip,
    Just noticed your post...
    In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
    Microsoft has done some changes in SP 3 for wired 802.1x
    Changes to the 802.1X-based wired network connection settings in Windows XP
    Service Pack 3
    http://support.microsoft.com/kb/949984/
    In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
    * The WZCSVC service
    * The Wired AutoConfig service (DOT3SVC)
    As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
    If you are an end-user who has already installed Windows XP SP3, follow
    these steps:
    1. Click Start, and then click Run.
    2. In the Open box, type services.msc, and then press ENTER.
    3. Locate the Wired AutoConfig service, right-click it, and then click
    Start
    Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
    CERTIFICATE REQUIREMENT IN EAP-TLS:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
    ACS CONFIGURATION:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
    MICROSOFT XP CLIENT CONFIGURATION:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
    As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
    Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
    Also, let me know the full ACS version and platform.
    HTH
    JK
    Do rate helpful posts-

  • ACS 5.4 and machine authentication

    Hi,
    I am installing ACS 5.4 for WiFI user and using EAP-TLS/ certificate based authentication.
    I have Authorization profile created as shown in attachement.
    Under authorization profile i have selcted "Was Machine Authenticated=True"Condition.
    Somehow clients are not able to connect. When I looked at logs on ACS it shows that the requests are not matching this rule bu default rule.
    As soon as I disable this condition, user gets connected
    I have already selected "Enable Machine Authentication" under AD & "Process host Lookup" in allowed protocol.
    Any Suggesions?
    Regards,
    Shivaji

    Shivaji,
    The purpose of the "wasmachineauthenticated" attribute is for user authentication, this is your typical "chicken or the egg" scenario since machine authentication needs to be performed without this attribute for successful authentication.
    When successful machine authentication occurs there is a MAR cache within ACS uses to track the mac address of the device. In your case you are forcing ACS to look for a "WasMachineAuthenticated" during the initial machine authentication which will not succeed.
    In my experience it is best to set this in environments where users' can only authenticate through registered workstations (typically machines that are joined to AD), so when a user attempts to use their 802.1x credentials on a smart phone or non-registered asset, they get denied since the device does not have machine credentials to join the network.
    I hope this bring some clarification to Edward's recommendation.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • WPA2 security with EAP-TLS user cert auth

    I am investigating the use of EAP-TLS for authenticating clients through a MS NPS radius server for WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key managment. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certifcate services. PEAP is working fine if we choose that auth method in our NPS radius network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer. 
    When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
    It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth  worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
    Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

    Well Well
    WLC or any AAA client acts in pass through mode after initialy generating EAP-identity request so it has nothing to with EAP type. AAA client will behave the same no matter if you use PEAP , EAP-TLS or LEAP .....
    The error message that you have reported is clearly sayign that your client doesn't have certificate to submit agains the back-end authentication server and accordingly the process fails . If you are not saying anything sent from WLC to NPS , it makes sense , because when the WLC initialy generate eap-identity request your client fails to answer and accordingly nothing is being sent to NPS server.
    In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
    Also make sure that your client has certificate that is binded to a user account defined on your AD in away or another to have it working.
    Please make sure to rate correct answers

  • 802.1X EAP-TLS User Certificate Errors

    I'm trying to implement 802.1x using EAP-TLS to authenticate our wireless users/clients (Windows 7 computers).  I did a fair amount of research on how to implement this solution and everything seems to work fine when authentication mode is set to: Computer
    Authentication.  However, when authentication mode is set to "User or Computer" or just "User" it fails.  I get a "certificate is required to connect" pop up and it's unable to connect.
    No errors on the NPS side but I enabled logging on the client (netsh ras set tracing * ENABLED) and this is what I can see.  It seems as if there is a problem with the client certificate:
    [236] 06-04 09:26:35:704: EAP-TLS using All-purpose cert
    [236] 06-04 09:26:35:720:  Self Signed Certificates will not be selected.
    [236] 06-04 09:26:35:720: EAP-TLS will accept the  All-purpose cert
    [236] 06-04 09:26:35:720: EapTlsInitialize2: PEAP using All-purpose cert
    [236] 06-04 09:26:35:720: PEAP will accept the  All-purpose cert
    [236] 06-04 09:26:35:720: EapTlsInvokeIdentityUI
    [236] 06-04 09:26:35:720: GetCertInfo flags: 0x40082
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
    [236] 06-04 09:26:35:720: FCheckSCardCertAndCanOpenSilentContext
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 3
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: Acquiring Context for Container Name: le-8021xUsers-84adbdd0-a706-4c71-b74a-61a1bd702839, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
    [236] 06-04 09:26:35:720: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
    [236] 06-04 09:26:35:720: FCheckUsage: All-Purpose: 1
    [236] 06-04 09:26:35:720: DwGetEKUUsage
    [236] 06-04 09:26:35:720: Number of EKUs on the cert are 1
    [236] 06-04 09:26:35:720: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
    Also, in the event viewer I get the following:
    Wireless 802.1x authentication failed.
    Network Adapter: Dell Wireless 1510 Wireless-N WLAN Mini-Card
    Interface GUID: {64191d46-0ea6-4251-86bb-7d6de5701025}
    Local MAC Address: C4:17:FE:48:F2:79
    Network SSID: *****
    BSS Type: Infrastructure
    Peer MAC Address: 00:12:17:01:F7:2F
    Identity: NULL
    User: presentation
    Domain: ****
    Reason: Explicit Eap failure received
    Error: 0x80420014
    EAP Reason: 0x80420100
    EAP Root cause String: Network authentication failed\nThe user certificate required for the network can't be found on this computer.
    I created user and computer certificates by duplicating the "User" and "Computer" templates in AD CS.  I modified the "Subject Name" to "Build from Active Directory information".  "Subject Name Format" is set to "Fully Distinguished Name" and "User
    Principal Name (UPN) is checked.  All other boxes are cleared.  I verified that certificates for both user, computer , and root CA are all correctly auto enrolled.  I also verified that the user certificate
    exists in the "Personal" user certificate store on the client.
    There is clearly something wrong with the user certificate but what? I'm at wits ends as I have tried everything.  Please help!

    Hey,
    I am precisely in the same situation now. I have  a win7 client with server2008R2(having AD, and DNS) with NPS running. I have certificate templates and auto enrollment configured. My Win7 machine is able to authenticate using its certificate but
    when I use the user certificate it doesn't work. Both  user/computer certificates are coming from the AD root CA enterprise. NPS has the right certificate. I have verified on client user/local machine , both have their respective certificates in their
    personal stores.
    I have tried all possible combination and even tried changing the key provider but no use.[6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
    [6472] 12-10 13:39:04:327: FCheckSCardCertAndCanOpenSilentContext
    [6472] 12-10 13:39:04:327: DwGetEKUUsage
    [6472] 12-10 13:39:04:327: Number of EKUs on the cert are 1
    [6472] 12-10 13:39:04:327: FCheckUsage: All-Purpose: 1
    [6472] 12-10 13:39:04:327: Acquiring Context for Container Name: le-LM-USER-4aa6cf55-b6b7-491e-ad5b-735e44eaf3c7, ProvName: Microsoft Software Key Storage Provider, ProvType 0x0
    [6472] 12-10 13:39:04:327: CryptAcquireContext failed. This CSP cannot be opened in silent mode.  skipping cert.Err: 0x80090014
    [6472] 12-10 13:39:04:327: No Certs were found in the Certificate Store.  (A cert was needed for the following purpose: UserAuth)  Aborting search for certificates.
    [6472] 12-10 13:39:04:327: EAP-TLS using All-purpose cert
    [6472] 12-10 13:39:04:327:  Self Signed Certificates will not be selected.
    [6472] 12-10 13:39:04:327: EAP-TLS will accept the  All-purpose cert
    I am stuck at it for last few days with no real cause known as yet.!
    Any help will be thoroughly appreciated!!!

  • 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

    Hello
    [Env on my lab investigation]
    supplicant - W7 with cert
    authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
    authentication server 2x - W2008/NPS like a RADIUS server
    [Config some part of authenticator]
    interface FastEthernet0/1
    switchport access vlan 34
    switchport mode access
    authentication event fail retry 1 action authorize vlan 47
    authentication event server dead action authorize vlan 35
    authentication event no-response action authorize vlan 47
    authentication event server alive action reinitialize
    authentication port-control auto
    dot1x pae authenticator
    dot1x timeout quiet-period 15
    dot1x timeout tx-period 15
    spanning-tree portfast
    [Symptoms]
    After reboot authenticator the supplican connected to FE0/1 finally put into the Guest VLAN 47 and before that I saw on the authenticators console Authentication result 'timeout', but when the switch is up and running the the same port authenticator FE0/1 the same supplicant W7 with cert now I connect to authenticator finally supplicant put into static VLAN 34.
    [Summary]
    The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
    [The question]
    What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts?
    Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34 .
    [Logs]
    During this I observed the wireshark supplicant and authenticator console and NPS wireshark, below:
    1. supplicant and authenticator orderflow at wireshar:
    - supplicant EAPOL Start
    - authenticator EAP Request Identity
    - supplicat  Response Identity, 3 times
    - supplicant EAPOL Start
    - authenticator EAP Failure
    - authenticator EAP Request Identity x2
    - supplicat  Response Identity x2
    and again, more detail about flow from whireshar chart at the end
    2. authenticator console saw like this:
    *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    krasw8021x>
    *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
    and finaly
    *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
    *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
    3. Authentication server:
    - NPS doesn'e recived any RADIUS Access-Request/Response.
    [supplicant EAPOL flow chart, source wireshark]
    |Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
    |         |                   | Nearest           |                  
    |0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,051    |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,063   |                   |         Start     |                   |EAPOL: Start
    |         |                   |(0)      <------------------  (0)      |
    |18,065   |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
    |         |                   |(0)      <------------------  (0)      |
    |37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
    |         |(0)      ------------------>  (0)      |                   |
    |129,684  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |144,697  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |160,125  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |175,561  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |190,996  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,002  |         Failure   |                   |                   |EAP: Failure
    |         |(0)      ------------------>  (0)      |                   |
    |206,204  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |212,103  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |227,535  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    |242,970  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
    |         |(0)      ------------------>  (0)      |                   |
    /regards Piter 

    Hi,
    Did you ever try to configure re-authentication?
    Is the client is up and running if you connect it to the switch?
    Sent from Cisco Technical Support iPad App

  • ISE and machine authentication

    Hi
    I have ISE 1.1  : user authentication is working fine
    Now I need to implement machine authentication
    But I have 2 requirement
    1- User must remove and plug his network cable as he want (without close windows session or restart his computer) and his computer should be authenticated evry time as with user authentication
    2- I must not install any software or client applicatin on the computer
    Is there any method of machine authentication that respect thise 2 requirements above
    Regards

    I guess you need to review the below listed thread as we are discussing the same thing. You have to create an authorization rule highlighted in the screen shot.
    https://supportforums.cisco.com/message/4044276#4044276
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • OS-X - 802.1x and machine authentication

    Hi all
    I have a customer with a large installed base of MacBooks Pro running MAC OS-X, connected via WLAN to a centralized Cisco WLC 5508. He also has installed a Cisco ACS 5.x as RADIUS server and Open LDAP as directory services.
    The customer wants to do machine authentication based on cthe lients MAC addresses, which means that the ACS 5.x has to check the clients MAC address against the LDAP.
    Obviously MACs are not able to send "host/" to differentiate between client- and user-authentication, which by the way works perfect.
    - Does anybody have made the same experiences ?
    - Has anyone managed to get this running ?
    - Can anyone provide me config examples, hint or tipps ?
    Everything is very much appreciated since this is an urgent request.
    Many thanks in advance
    Best regards
    Roman

    Hi Danny. Older thread here, but I can confirm 10.8.4 did indeed resolve a very specific bug in circumstances where the netbios name did not match the domain name. We worked with Apple's engineers on resolution for this fix and can confirm that until we got our Macs to 10.8.4, we experienced similar issues with machine-based configuration profiles failing to authenticate as a result of incorrectly passing the wrong domain.
    Glad you found resolution with a later version of the OS.
    Reference: http://lists.psu.edu/cgi-bin/wa?A2=MACENTERPRISE;Zrq7fg;201303271647570400

  • WLS Users and Groups interface questions / observations

    I'm new to WLS, having just installed OBIEE 11g for the first time. There are some oddities in WLS around setting up Users that I'd like to ask about, to see if I'm just missing something, or if the interface really IS this bad. Please feel free to comment in any way, or to correct any statements that are erroneous. Here goes:
    1. The use of Previous and Next buttons instead of a vertical scroll bar for finding users and groups in their respective lists. What if you have several hundred users, and the one you want to modify starts with the letter 'Z'? That means clicking the Next button several dozen times. (Security Realms … myrealm … Users and Groups … Users) Not only is there no scroll bar, there's no search box either. The only way to get to a user near the end of the alphabetical listing is the Next button. Is that correct?
    2. After adding a new user, what's the next most logical thing to want to do? How about assigning that user to Groups? So why do I have to click Next several times to find that new user in the alphabetical list? I don't see a sortable 'Date Modified' field for the table of users, nor a link to the "Most Recently Added" user. Nor can I assign groups during the same action as creating the user. In the example in #1, I might have to click Next several dozen times to get to the user I just added. Is that correct?
    3. When creating a new User, immediately after clicking New, where is the most likely place that I'd want to go? How about the Name field? Right now, the cursor rests in some indeterminate location. I have to hit the Tab key 14 times, or move the mouse into the Name box and click it. The active cursor position does not default to the Name box when creating a new user. Is that correct?
    4. I don't see a 'Create Like' button for creating Users, so that existing group membership can be easily replicated. I'd like to be able to add a new employee by clicking to highlight an existing user from the same department, clicking a 'Create Like' button, then entering a new user name and password, with all group memberships assigned automatically based on the source user. The same could be said for replicating groups. I don't think that exists. Is that correct?
    5. I don't see a clean way to return to the User list on the page on which I clicked a user name. Imagine that I'm going through my entire list of users one at a time to set an attribute. I click on the user JSMITH and set the attribute. The only way to get back to JSMITH's page and select the next user list is to hit the browser's back button three times, or to click the Users and Groups breadcrumb at the top of the screen and use the Next link multiple times to find that page again. Is that correct?
    6. I don't see a way to bring up a Group and assign Users to it from a list. It appears that the only way to assign a User to a Group is to access a User profile and click Groups. If we're creating a new group that has 200 users selected from a list of 500 users, that could potentially represent somewhere between 5000 and 10000 mouse clicks. It would be much more efficient to be able to bring up a group, then select its members from a list of users. That does not appear to be possible. Is that correct?
    7. It also appears that when assigning groups for Users, the list of Available Parent Groups sorts the lowercase entries after all uppercase entries, so that groups that start with the letter 'a' fall after groups that start with 'Z'. That is not the case with the list of users. The User table uses a case-insensitive sort. Is that correct?
    8. When I want to delete more than one User, and the ones that I want to delete are on different pages, there appears to be no way to select those users from multiple pages at the same time. So, imagine that I have 500 users, and I want to delete two users, one of whom is listed on page 48, and the other on page 50. I would have to click the Next button 47 times to find the first user and delete it. At that point, the interface returns to page 1, and I have to click the Next button 49 times to reach the second user. Is that correct?

    Hi,
    Regarding your first question, you might want to press the "Customize this table" button, then select the maximum allowed amount of rows in "Number of rows displayed per page:" that would resolve some of the problems you're having with the interface. I do think this is not a great graphical tool, and there are some usability issues.
    Regarding the adding of users to groups, it seems the way you describe is the only way of doing it, however you could try using a script instead of the graphical console, the easiest way of making it is adding a user to a group while using the "Record" button on the top of the screen to get a wlst script to use as a model, then create a new script with all new users you want to add/modify.
    Regards,
    Franco.

  • ISE 1.1 EAP-TLS User Authentication in Multiforest

    Hello,
    we are currently evaluating the ISE 1.1 in a multiforest environment and we have problems to authenticate users which based in other domains (domain2) then the ISE (domain) is based.
    This is the setup:
    In domain1 is a MSFT CA with OCSP, DC and ISE
    In domain2 is a DC and the users
    there is a two way trust between the domains.
    This is my authentication scenario:
    1. agent connect to a wireless network (ok)
    2. client exchanges certificate information with ISE (ok)
    3. ISE exchanges certificate status with CA (ok)
    4. ISE extracts the subject Alternative Name from the certificate [email protected] (ok)
    5. ISE queries Active Directory store for the user  [email protected] (not ok fails with  22056 Subject not found)
    in the log i can see the other forest (domain2) is not even queried to retrieve user data only domain1.
    I could query the other domain during AD setup and was able to add groups from the other domain bet i could retrieve attributes of the user in domain2.
    Any Ideas?
    Regards
    Alex
    Extract from Log File
    DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
    DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person
    [email protected]
    options=2
    DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
    DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
    DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames:
    [email protected]#012name
    [email protected]
    type=SAM domain=domain1.LAN#012
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
    [email protected]
    )), attrs 7e638646 (cacheOps=40f, GC=0)
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
    DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
    [email protected]
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
    DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
    [email protected]
    )), attrs e4a3aa15 (cacheOps=40f, GC=1)
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
    DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))(
    [email protected]
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
    DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
    DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="
    [email protected]
    " (GC=0)
    DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper
    '[email protected]'
    is not a canonical name
    DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 executing request 'CAPIGetObjectByName' in thread 2951601040
    DIAG  <fd:34 CAPIGetObjectByName > daemon.ipcclient2 doCAPIGetObjectByName: category=Person [email protected] options=2
    DEBUG <fd:34 CAPIGetObjectByName > dns.findsrv FindSrvFromDns(0): _kerberos._tcp.domain2.ch
    DEBUG <fd:34 CAPIGetObjectByName > base.adagent.domaininfo rejecting domain domain2.ch.  Blocked, not in DNS or our domain list
    DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject ADNames: [email protected]#012name: [email protected] type=SAM domain=domain1.LAN#012
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs 7e638646 (cacheOps=40f, GC=0)
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 60, cutoff time 0, refresh 15, negative=true, cacheOps 40f
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper.ad Cache expired 96fe94aa2a7249bca2f59766075e7859, CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN
    DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.10:389 search base="DC=domain1,DC=lan" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
    DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=96fe94aa2a7249bca2f59766075e7859>;CN=SearchMark,CN=CENTRIFY MARKER,DC=domain1,DC=LAN : update indexes No
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search base , filter (&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected])), attrs e4a3aa15 (cacheOps=40f, GC=1)
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper age 6, expire age 3600, cutoff time 0, refresh 15, negative=true, cacheOps 40f
    DIAG  <fd:34 CAPIGetObjectByName > base.bind.ldap 10.0.128.9:3268 search base="" filter="(&(objectClass=User)(|(objectCategory=Person)(objectCategory=Computer))([email protected]))"
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache ADCB::search: refresh list returns 0 objects
    DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=7c68c59bc09f4775a14d6a7f521e491c>;CN=SearchMark,CN=CENTRIFY MARKER,DC=$ : update indexes No
    DEBUG <fd:34 CAPIGetObjectByName > base.adagent findObject: NotFound:[email protected] Category:user
    DEBUG <fd:34 CAPIGetObjectByName > base.bind.cache making negative response for Person userPrincipalName="[email protected]" (GC=0)
    DEBUG <fd:34 CAPIGetObjectByName > base.cache Cache store <GUID=972f489502d74f49afdef7f38206e909>;CN=CENTRIFY NEGATIVE RESPONSE,CN=Person,DC=domain1,DC=LAN : update indexes Yes
    DEBUG <fd:34 CAPIGetObjectByName > base.objecthelper '[email protected]' is not a canonical name
    DEBUG <fd:34 CAPIGetObjectByName > daemon.ipcclient2 request 'CAPIGetObjectByName' complete

    Tarik,
    from the ISE cli i can nslookup domain2.lan and i get this result
    nos-ch-wbn-ise1/admin# nslookup domain2.lan
    Trying "domain2.lan"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57373
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 5
    ;; QUESTION SECTION:
    ;domain2.lan.              IN      ANY
    ;; ANSWER SECTION:
    domain2.lan.       600     IN      A       192.168.68.21
    domain2.lan.       600     IN      A       172.28.1.3
    domain2.lan.       600     IN      A       172.28.1.2
    domain2.lan.       600     IN      A       192.168.68.20
    domain2.lan.       3600    IN      NS      labdc01.lab.lan.
    domain2.lan.       3600    IN      NS      labdc02.lab.lan.
    domain2.lan.       3600    IN      NS      labex01.lab.lan.
    domain2.lan.       3600    IN      NS      bsdehepdc01.domain2.lan.
    domain2.lan.       3600    IN      NS      bsdehepfs01.domain2.lan.
    domain2.lan.       3600    IN      NS      mordor.softlink.ch.
    domain2.lan.       3600    IN      NS      shire.softlink.ch.
    domain2.lan.       3600    IN      NS      labex02.lab.lan.
    domain2.lan.       3600    IN      NS      icm60.icm60domain.lan.
    domain2.lan.       3600    IN      NS      bsfs02.domain2.lan.
    domain2.lan.       3600    IN      NS      bsfs03.domain2.lan.
    domain2.lan.       3600    IN      SOA     bsfs02.domain2.lan. admin.domain2.lan. 217091 900 600 86400 3600
    ;; ADDITIONAL SECTION:
    labdc01.lab.lan.        3600    IN      A       172.28.2.196
    bsdehepdc01.domain2.lan. 311 IN    A       192.168.68.20
    bsdehepfs01.domain2.lan. 2771 IN   A       192.168.68.21
    bsfs02.domain2.lan. 1649   IN      A       172.28.1.2
    bsfs03.domain2.lan. 595    IN      A       172.28.1.3
    So i assume dns is working fine.
    Do i have to see the GC of the trusted domain as well in the ISE Active Directory Configuration ?
    thanks & regards
    Alex

Maybe you are looking for

  • Email regarding change to Verizon Outgoing & Incoming Email Settings. Is it SPAM???

    Received this yesterday. Can anyone from Verizon chime in and state where it's spam or legit? Dear Verizon Internet Customer, At Verizon, we continue our efforts to enhance your online experience as well as ensure ongoing security for our Internet cu

  • Is there any source that I can find "prel" files?

    Hi all, Is there any source that I can find "prel" files! I realized that the best way of learning for me is to open prel files and examine ready projects and adjust according to my needs! This method is fastest according to reading books or watching

  • Need Intsalll on drivers help

    Hi, i have managed to to put windows on my mac air. However i cant acess the internet. I understand that i need the drivers of which i have downloaded the support software on to a flash drive. How do i install this onto the windows version. not sure

  • Assign cost object by condition type for accounting

    Hello All, Our scenario is that we have a single billing line with a service order assigned as the cost object on the line item.  This line has multiple condition types going to different GL accounts on the RV document. Once the service order is on t

  • Urgent: How to append Item text

    HI Friends, I am using SAVE_TEXT Fm to Update the Item text in ME22n. Currently i need to append few text to the already existing text using SAVE_TEXT is it possible . If it is possible please give some text. Is there any FM which can both append and