EAP-TLS Win2003 CA and IAS...not checking CRL?

Hi
I've got EAP-TLS setup and working using Win2003 CA and IAS as the RADIUS backend. I've issued certs to my wireless users, and now I want to revoke a certificate, so in the CA, I revoke the cert and then under Revoked Certs I click on publish...yet the user can still authenticate and communicate. How can I configure the IAS to check the CRL? Thanks

Hi,
I'm battling to setup EAP-TLS with AP1200,windows AD 2003 and IAS.Are there any funny tricks in setting up
EAP-TLS with IAS.
On the AP1200 I keep getting AAA unsupported.
regds
Johnny

Similar Messages

  • How to push EAP-TLS configuration Profile and Certificates to Mac books and Iphones

    Hi Team,
    We were able to push the EAP-TLS configuration profiles and certificates to windows devices via group policy.  However, we're now looking to see how we can accomplish this for Mac book and iphones?  Is there an open source application or something we can leverage to do this?
    Thanks

    I think ammahend was looking for a rough count which is what my question was going to be. The reason I would ask this is that if the device count is low then you could manually provision certs on those devices. Not ideal since you will have to manually generate CSRs, get them signed and then installed on the machines.
    Another way to do this is if you have an MDM solution in place. You can have the MDM integrate with your CA via SCEP and then on-board devices that way. You don't have to integrate ISE with MDM (advanced licenses needed) as you can only have ISE check for the cert and only perform EAP-TLS authentications. 
    Hope this helps!
    Thank you for rating helpful posts! 

  • EAP TLS for machine and EAP PEAP for user

    Hi forum
    I am doing a design to use ISE to enforece dot1x for corporate machinese on both wired and wireless.
    Due to the particular environment, we will need to use EAP-TLS for machines auth and on top of that use EAP-PEAP for user auth with windows credential and posture for full access.
    Just wondering if anyone has done this before:
    1. Will this work?
    2. Any gottas?
    3. what is the user experience like?
    All machines are win7 based.
    Thanks

    You can not use the native supplicant for this. Cisco Anyconnect NAM will allow you to use this method. It is very simple to configure and deploy.
    Tarik Admani
    *Please rate helpful posts*

  • ACS 4.2 and EAP-TLS with AD and prefix problem

    Hi there
    we have the following situation:
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
    First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
    Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
    This is the normal output of the Remote Agent, it finds the host but then nothing happens:
    CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
    CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
    CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
    CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
    So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
    test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
    CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
    CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
    Could this be the problem or does someone see any other problem?
    Best Regards
    Dominic

    Hi Colin
    thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
    I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
    Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
    Regards
    Dominic

  • Jdev3.2 and ias: not compatible?

    Jdev3.2 support servlet2.2 api.and ias use apache jserver,which only support servlet 2.0.So our application can't run on ias when
    we update from jdev3.1 to jdev3.2 .But it was well on jdev3.2.
    for example ,with jdev3.2 ,we use session.putValue and getValue to record something,but the session is lost on ias.But it was fine with jdev3.1. So we use Servlet 2.2 api:session.setAttrubute,but it can't run on ias.
    How to slove it? urgent
    regards

    We have tried the ias9i for nt.And the problem is still there:sessionsetAttribute can not run.
    And we know that ias9i still use the jserver ,which just support servlet 2.0 and apache team said they would not update it.
    What's the problem?
    I am using the apache+tomcat.And it is fine.

  • When i conect iphone 4 to itunes using cable , its check for updates only for itunes and did not check updates for iphone 4 also when i press check for updates for iphone 4

    itunes coud not check updates for iphone4 when i connect by cable only when i put iphone4 to AIR PLANE MODE

    You must Restore the phone. It will probably only worth with an AT&T SIM, unless your friend had AT&T unlock it first. The phone may be jailbroken, also; one indication of this would be the app "Cydia" on the phone's Home screen. If it is the phone is most likely worthless to you.

  • XK05 and XK06 not checking auth the same way

    Hi all,
    I've discovered something a bit funky with XK05 and XK06. I'm splitting central block / delete access of vendors from company code / purchasing org block / delete access. One group of users, however, will have central access AND their company code and purchasing org. Here's I've got the roles defined.
    Role #1
    F_LFA1_GEN    activity 03, 05, 06
    F_LFA1_BUK    activity 03, company code *
    M_LFM1_EKO   activity 03, purch org *
    Role #2
    F_LFA1_GEN   activity 03
    F_LFA1_BUK   activity 03, 05, 06, company code CC1
    M_LFM1_EKO   activity 03, 05, 06, purch org PO1
    Both roles are assigned to the same user. The system behaves differently in XK05 than it does in XK06. Both are set to check all of the listed auth objects, but here is what happens.
    The user executes XK06 for a company code not included in role #2. The system checks F_LFA1_BUK and fails.
    The user executes XK06 for a purch org not includes in role #2. The system checks M_LFM1_EKO and fails.
    The user executes XK05 for a company code not included in role #2. The system checks F_LFA1_BUK and passes.
    The user executes XK05 for a purch org not included in role #2. The system checks M_LFM1_EKO and passes.
    I would have expected XK05 to behave the way that XK06 did. The only thing I can think of is that the two programs somehow determine what the user is authorized for differently. XK06 seems to be looking at the combination of values defined in each role. XK05, on the other hand, seems to be combining them so for example 03/* and 03/05/06/CC1 in F_LFA1_BUK becomes 03/05/06/*.
    Now I realize that I should try taking F_LFA1_BUK and M_LFM1_EKO out of my central role entirely and see if that works. I'll update with the results of that test.
    Has anyone else seen this behavior?
    Thanks!
    Krysta

    There is the same program and screen which is started by both programs, but a spagetti of IF SY-TCODE = xyz ... validations in it to determine the program behaviour and which transaction to leave to for further processing.
    It seems the difference is that XK06 follows the path of changing the account group for the company code segment of the master record and looks for the first BUKRS and EKORG for which you are marking it for deletion (LFB1 has a field for this).
    XK05 is a central lock and the BUKRS and EKORG are not considered for which the master record is being blocked. So it only checks F_LFA1_APP etc but not the BUKRS and EKORG.
    *------- Berechtigungspruefung: RM-Ebene (EKORG-Berecht.) --------------
      IF KRED-XEKOR NE SPACE.     " <---- same for BUKRS if not relevant for the activity.
         AUTHORITY-CHECK OBJECT 'M_LFM1_EKO'   "<--- same for F_FLA1_BUK, no check in = SPACE.
            ID 'EKORG' FIELD LFM1-EKORG
            ID 'ACTVT' FIELD B_ACTVT.
         IF SY-SUBRC NE 0.
           IF NOBER_SPM NE 'X'.
             NOBER_SPM = 'X'.
    *        CASE B_ACTVT.
    *          WHEN '05'.
    *            MESSAGE I333 WITH LFM1-EKORG.
    *          WHEN '06'.
    *            MESSAGE I334 WITH LFM1-EKORG.
    *        ENDCASE.
           ENDIF.
         ENDIF.
      ENDIF.
    So it looks as if it is intentional and a dependency on where (which segment) the master record field is located in.
    Perhaps of you choose MK05 and FK05 as transaction codes then you can achieve what you seem to want from the program?
    Cheers,
    Julius

  • Dynamic vlan assignment with 1242AG and IAS not working

                       I'm having trouble getting the dynamic vlan assignment to work on my 1242AG Cisco Aironet APs. I've seen multiple cases with a similar setup and configuration where it works just fine.  I've tried everything I can think of.  Any suggestions?
    IAS and AD is running on Windows Server 2003
    Everything works fine except the vlan assignment.  Wireless clients successfully authenticate through IAS and Active Directory, but instead of being switched to the appropriate vlan the client stays in whichever vlan/ssid it originally connected to.
    PEAP is the authentication method, using MS-CHAP v2.  Naturally I have the attributes in the policy set appropriately, ie:
    Tunnel-Medium-Type > 802
    Tunnel-Pvt-Group-ID > vlanid
    Tunnel-Type > VLAN
    On the AP:
    Cisco 1242AG, C1240 Software (C1240-K9W7-M), Version 12.4(3g)JA, RELEASE SOFTWARE (fc2)
    I've attached the config for the AP, which shows that I have two vlans/SSIDs set to cipher, aes, network eap, wpa, etc. I noticed that if the
    Tunnel-Pvt-Group-ID attribute is set to a vlan id that doesn't exist on the AP then the AP makes an event log saying so.

    Good! Well to answer your questions, IAS is sending numbers, i.e. Tunnel-Pvt-Group-ID > 129
    I did view the debug from an AP which showed the Tunnel attributes being recieved from the radius server (I'll have to wait until Monday to get a copy though).
    I see I don't have that line "aaa authorization network default group rad_eap",
    So I'll have give it a try, (maybe I can remote in so I don't have to wait until Monday).
    Thanks,
    Jason

  • I am having problems logging into mail and getting mail from MobilMe.  Each day I start Mail I am asked for my MobileMe password.  If I type it in and do not check the remember me box, it is fine.  If I check the box, I can't log in.

    I am having trouble using Mail.  Each time I start the program I am asked for my MobileMe password to retrieve mail.  If I give the password, without the remember me box checked, it works fine.  If I check the "remember me" box, the same same message appears asking me to input the password for MobileMe.  This is only happening for my MobileMe account.

    It sounds to me like your keyboard has been damaged and needs to be repaired or replaced.  Can you try an external keyboard?

  • Regedit, AUTOSTART and SHUTDOWN not checked

    Hello,
    Whenever I stop the OracleService<SID>, the database seems to crashes, I don't see any entry in alert log of a SHUTDOWN, and when I start the service, I need to manually startup the database, although within the registry both the parameter are set to be TRUE. During startup I can see the entry in the alert log for crash recovery, what could be the reason?, am I missing something here?
    Luckys.

    This is a known Windows issue and an Oracle documentation bug according to Metalink note ]
    ORA_SID_SHUTDOWN REGISTRY PARAMETER NOT WORKING AS DOCUMENTED
    Message was edited by:
    Pierre Forstmann

  • EAP-TLS wi-fi net for PC and iPhone

    Hi, everyone! I'm rather confused and hoped that someone could help me to make the situation clear.
    We wan't to establish a wi-fi net with WPA-2 Enterprise and EAP-TLS for computers  and mobile devices (iPhones, Nokia Symbian, Android devices).
    The connection is organised in such way: client---AP 1240---ACS 4.2---AD(server 2003)
    I have 2 testing computers with wi-fi adapters: one is connected to the  domain (has a wire connection), another has a local account, and an  iPhone. I customized the settings on these computers,iphone, AP and ACS. 
    We have our own CA, 2-tier PKI infrastructure. I have installed the ACS and client's certificates on all the devices (by the way, they are 2048 bit size of).
    I manage to connect from a computer included in the domain but the second PC and iPhone refuse to connect,respectively:
    "EAP-TLS or PEAP authentication failed during SSL handshake".
    "EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake"
    Also I saw in logs that "Machine authentication is not permitted" so the domain PC authenticates through user account and is mapped to a special group.
    So I think the reason is that only domain  devices are allowed to join the net. How can I change this thing?
    Another variant is that I issue the certificates first to wired domain computers and then export  them to non-connected to domain devices so they have inappropriate credentials.
    Please, if you have any thoughts about the reason of the problem, share them. I would appreciate any help.

    The ATV is strictly a wifi client, it doesn't function as a router or access point. You can connect it to your router either by wifi or Ethernet cable. Your pc doesn't need a wifi card to work with an ATV as long as they're both on the same network.

  • EAP-TLS on WLC 5508 agains IAS RADIUS

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Hi, anyone experienced issue like this?
    I am installing a WLC 5508 using EAP-TLS authentication with an IAS Radius server.
    I got “Access-Accept” debug message received from RADIUS server.
    However the wireless client failed to connect.
    Below is partially the debug message from the WLC
    Any feedbacks are welcome
    *Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
    *Oct 07 15:08:24.403:     protocolType.................................0x00140001
    *Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
    *Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
    *Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b  f7 c9 71 dd 32 cb b7 0a  .e........q.2...
    *Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f  73 74 2f 49 44 31 30 2d  R..>."host/ID10-
    *Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e  65 75 63 2e 6e 65 73 74  0AFJ031.euc.test
    *Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13  30 30 2d 31 39 2d 37 64  01.com..00-19-7d
    *Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33  62 1e 1a 30 30 2d 33 61  -72-b4-3b..00-3a
    *Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34  36 2d 35 30 3a 57 57 53  -98-95-46-50:TES
    *Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00  01 04 06 0a 56 0c d2 20  300.........V...
    *Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43  30 30 31 1a 0c 00 00 37  .IDHOJXC001....7
    *Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06  06 00 00 00 02 0c 06 00  c...............
    *Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00  13 4f 27 02 03 00 25 01  ...=.....O'...%.
    *Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31  30 2d 30 41 46 4a 30 33  host/ID10-0AFJ03
    *Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65  73 74 6c 65 2e 63 6f 6d  1.euc.nestle.com
    *Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52  8e 63 0f 2f 87 a5 78 53  P...T.&R.c./..xS
    *Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
    *Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35  f7 be 57 75 43 ce 19 ca  .e.4>.g5..WuC...
    *Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1  03 a2 00 00 01 37 00 01  .]....1......7..
    *Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b  13 1e 16 37 00 00 00 00  .V.i..c....7....
    *Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
    *Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
    *Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
    *Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
    *Oct 07 15:08:24.405:     structureSize................................78
    *Oct 07 15:08:24.405:     resultCode...................................0
    *Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
    *Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.405:     Packet contains 1 AVPs:
    *Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
    *Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

    Thanks for your reply jedubois
    Really appreciate it.
    I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
    Below are the outputs for the eap advanced config
    (Cisco Controller) >show advanced eap
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 5000
    EAPOL-Key Max Retries............................ 2
    (Cisco Controller) >
    Any other suggestion?

  • EAP-PEAP and EAP-TLS on same switched network

    Hello,
    I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
    The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
    I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
    Thanks,
    Guy

    You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
    Good Luck,
    --Jean Paul

  • ISE 1.2 EAP-TLS and AD authentication

    Hi,
    I am sure I have had this working but Just cant get it to now.
    So I have a Computer that has a Certificate on it with the SAN - princible name = to [email protected] This is an auo enroled Cert from my AD.
    My Authentication profile says
    IF the SSID (called-station) contianes eduroam and Princible name containes @mydomain.com then user a certification authentication profile. (see attachemnt below) 
    Then my authorization profile says
    if active directoy group = "Domian computers" then allow access.
    When my computer trys to join it passes the certificate test, but when it gets to the AD group is get the below.
    24433          Looking up machine in Active Directory - [email protected]
    24492          Machine authentication against Active Directory has failed
    22059          The advanced option that is configured for process failure is used
    22062          The 'Drop' advanced option is configured in case of a failed authentication request
    But I know my machine is in AD? What do i need to do to get the PC to use EAP-TLS to authenicate and AD group to authorize?
    Cheers

    This accepts all requsts to one SSID and then as you can see if it is EAP TLS uses Cert store (see below), other wise AH
    This jsut says if AD Group = /user/domainComputer allow full access (simple rule)

  • EAP-TLS with windows machine

    I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
    I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
    Just list of RDS.log appears some activity ended with
    NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
    If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
    Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
    Please let attentions to Attachments and let me know
    what could be a problem of my unsuccessness of use EAP-TLS.
    configuration of interface which I use for testing:
    interface GigabitEthernet0/42
    description Test 802.1X klient - Filip
    switchport access vlan 34
    switchport mode access
    switchport voice vlan 31
    authentication host-mode multi-domain
    authentication open
    authentication port-control auto
    authentication periodic
    authentication violation protect
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    end

    Hi Filip,
    Just noticed your post...
    In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
    Microsoft has done some changes in SP 3 for wired 802.1x
    Changes to the 802.1X-based wired network connection settings in Windows XP
    Service Pack 3
    http://support.microsoft.com/kb/949984/
    In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
    * The WZCSVC service
    * The Wired AutoConfig service (DOT3SVC)
    As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
    If you are an end-user who has already installed Windows XP SP3, follow
    these steps:
    1. Click Start, and then click Run.
    2. In the Open box, type services.msc, and then press ENTER.
    3. Locate the Wired AutoConfig service, right-click it, and then click
    Start
    Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
    CERTIFICATE REQUIREMENT IN EAP-TLS:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
    ACS CONFIGURATION:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
    MICROSOFT XP CLIENT CONFIGURATION:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
    As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
    Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
    Also, let me know the full ACS version and platform.
    HTH
    JK
    Do rate helpful posts-

Maybe you are looking for

  • Brand new iMacs with Lion will not read DVD-R

    Our business has just purchased 3 x brand new iMacs (3.4Ghz) pre-loaded with OSX Lion 10.7.2 and NONE of them will read a DVD-R containing important files I need to access. However, the trusty 2 year old iMac running Snow leopard sees the files insta

  • How to downgrade from windows 8.1 to windows 7 professional

    I just bought the new HP Envy 15.6 touchsmart laptop yesterday.  It has 8.1 & I don't like it.  I like everything else about the computer but can I replace the 8.1 windows with the windows 7?  I just can't get the 8.1 figured out.  I am too old to tr

  • Spherical Photo Gallery how to make a transparent background

    http://www.flashandmath.com/flashcs4/spheregallery/index.html http://www.flashandmath.com/flashcs4/spheregallery/spherical_gallery.zip I am pretty new to the world of flash, a flash newbie. Please check link above my question is related to making thi

  • Search help  in HR

    in an adhoc query, for one of the selection field iam not getting Text in the search help, but was only able to display only value. how should i be able to see to see both valu and text in the serach help. this is happening only in adhoc query but in

  • Adding a GIF to a GIF

    Hi, I have recently edited a picture to have animated snow coming down on it so it is an animated GIF picture. But, I also have a separate GIF picture of a little character i want to add into this background of another GIF. So I want to know how do i