EAP-TLS with Radius Server configuration (1130AG)

Similar Messages

• 3850 switch configure with radius server

  wifi useres authenticate with radius server configure required
  Posted by WebUser Raja Sekhar from Cisco Support Community App

  Kindly check the following links for configuring 802.1x
               http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_0101.html
               http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_01110.html

• EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

  We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
  Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
  For example:
  Policy 1: allowed-certificate-OID --> corporate
  Policy 2: allowed-certificate-OID --> private
  Client authenticates with EKU corporate --> success
  Client authenticates with EKU private --> reject
  My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
  Has anyone a simmilar setup or can help to figure out what is going wrong?
  We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
  regards
  Fabian

  The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
  This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
  The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
  The certificate does include this OID but not the custom EKU.

• Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

  Hi Guys,
  I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client find the SSID ->put in his user credential->Raudius athentication->assign him to an specific vlan based on his groupship.
  The problem here is that I don't have a AP controller but only configurable Aironet Access Points 1300. I can connect to the radius server, but I am not sure how to confirgure the AP's port, radio port, vlan and SSID.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  I go through some references:
  3.5  RADIUS-Based VLAN Access Control
  As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
  There are two different ways to implement RADIUS-based VLAN access control features:
  1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
  2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
  extract from: Wireless Virtual LAN Deployment Guide
  http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
  ==============================================================
  Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
  ==============================================================
  Controller: Wireless Domain Services Configuration
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
  Any help on this issue is appreicated.
  Thanks.

  I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
  I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
  Hope this helps

• EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

  Good Morning...
  I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.

  You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

• Problems with Radius Server

  Hi
  I am trying to setup the Radius server on my Mac OSX 10.5.2 server. I have two Airport Extreme 802.11n base stations connected to my network, one which we use normally for wireless access and another that I am using to test and get the Radius Server configured. One has an address of 192.168.10.5 and the other is 192.168.10.6. All my wireless clients can browse the net without any issues.
  When I go into Server Admin and select Radius and then Configure Radius Service, I select the default certificate and am then presented with a screen where I add my base stations. Now, the puzzling thing is that both of my base stations appear, but they are showing 169.254.xxx.xxx addresses. So, my first question is why do they show self assigned IPs? Is it because they are being found using Bonjour?
  If I then back out of this screen and select the Base Stations icon in the menu, I can click browse and again it shows the AEBSs but again with a self assigned IP. Another interesting point is that if I select my normal base station, in the info below it shows the Ethernet and Airport ID info showing V7.3.1 software version but a picture of the old dome shape Airport Extreme Base Station. If I select the test base station, I get the same info but THE RIGHT PICTURE !
  If I then select the test base station and enter the password, it says it's the wrong password, even though I know it's the right one.
  I'd like to get past this point, but can't see how to proceed until the IPs are right. What's going on? Any ideas gratefully received.
  Paul

  I have just purchased a new AirPort Extreme to begin testing to rollout wireless using RADIUS on our Mac OS X 10.5 server.
  I am having a bit of trouble setting up the actual base station. I too was having the same problem with the IP address showing up on the RADIUS server as self-assigned 169. but noticed that when I changed the Primary RADIUS IP address to something different to the AirPorts Ethernet IP address it showed up correctly. Maybe I am wrong but that's what I think happened.
  The problem I am having is this: I have created a wireless RADIUS network. My client was able to log in and connect to the wireless system, but I am not getting any DHCP information from my DHCP server running on Mac OS X Server. What am I doing wrong. What settings should be entered for Primary RADIUS IP Address, Shared Secret, etc. I am a bit confused an Apple hasn't provided technical documentation on this aspect.
  Help!

• Windows EAP-TLS with machine cert only?

  Hey all. Seems like this should be an easy question, but after doing some reading, I'm still a little confused.
  Can I authenticate a windows computer against ISE using EAP-TLS with a computer-only certificate and stay authorized when the user logs in? Or will it always try to authorize the user when they log in and break the connection if that fails?
  Thanks for any clues.

  Hello Leroy-
  EAP Chaining (Official name:EAP-TEAP [RFC-7170]) is a method that allows a supplicant to perform both machine and user authentication. In ISE, EAP-Chaining is enabled under the "EAP-FAST" protocol. For more info check out the the following links
  Cisco TrustSec Guide:
  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  RFC:
  https://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01
  Thank you for rating helpful posts!

• 802.1x EAP-TLS with Cisco IP-Phone on MS NPS

  Hi,
  does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
  With ACS it is not a problem at all.
  thx
  Sebastian

  Hi all !
  Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
  This is the last e-mail that Microsoft TAC has sent to the customer:
  ====================================================================================
  As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
  "Please find below some more information about the same from Microsoft TechNet Article :
  CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
  Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
  =====================================================================================
  Tks for your help !!!!!!!
  Luis

• EAP-TLS with IAS

  Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
  Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
  Any suggestions?

  Hi,
  I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
  Regards,
  Davy

• Question about RADIUS server configuration with a MacBook Pro

  Hello,
  I own a modem router which is capable of WPA2 Enterprise and I want to use it with a RADIUS server for authentication and security purposes.
  However, I have a few doubts about this.
  MY CONFIGURATION:
  The modem router would be connected to a fixed PC with Windows and to a MacBook Pro (both with Ethernet)
  The RADIUS server would be running on the MacBook Pro (freeRADIUS)
  The bold is the issue, that comes when I disconnect the MBP (it's a notebook, so I use it disconnected from the router sometimes).
  Supposing the router would have recognized it (correct configuration), it would disconnect from it.
  My questions:
  Would Wi-Fi be lost in this manner? Or would the modem router automatically switch to another Wi-Fi authentication?
  If I reconnected the MBP to the modem router and re-run the RADIUS server, would I need to access the control panel and re-configure the WPA2 Enterprise in order for Wi-Fi to work again?
  Thanks in advance,
  Tyrexionibus

  "Full HD 3DD camcorder..." Marketing at it's best.
  This is HDV, right? HDV has the same data rate as DV...13.6GB/hour. But because of the MPEG-2 Long GOP format the HDV format employs, it can be a bit tough to edit, but mainly when rendering effects. IT will be slower than DV, and you can't monitor thru the camera like you can with DV, but a simple FW400 drive and Intel Mac will be fine. Better if you can convert to ProRes upon ingest, but then that eats up a LOT more space and requires at least FW800...
  http://library.creativecow.net/articles/poisson_chris/hdv-prores.php
  Shane

• EAP-TLS with machine certificate

  Hello all,
  I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
  Thanks a lot.
  Best regards.

  Hi Alfonso, 
  Certificate Retrieval for EAP-TLS Authentication
  ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
  ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
  After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
  Configuring CA Certificates
  When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
  If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
  You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
  Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
  Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
  Also check the below link,  
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

• 802.1x EAP-TLS with NPS/W2008 - Authentication result 'timeout'

  Hello
  [Env on my lab investigation]
  supplicant - W7 with cert
  authenticator - Catalyst 2960 with IOS 15.0(1)SE2 /newest/
  authentication server 2x - W2008/NPS like a RADIUS server
  [Config some part of authenticator]
  interface FastEthernet0/1
  switchport access vlan 34
  switchport mode access
  authentication event fail retry 1 action authorize vlan 47
  authentication event server dead action authorize vlan 35
  authentication event no-response action authorize vlan 47
  authentication event server alive action reinitialize
  authentication port-control auto
  dot1x pae authenticator
  dot1x timeout quiet-period 15
  dot1x timeout tx-period 15
  spanning-tree portfast
  [Symptoms]
  After reboot authenticator the supplican connected to FE0/1 finally put into the Guest VLAN 47 and before that I saw on the authenticators console Authentication result 'timeout', but when the switch is up and running the the same port authenticator FE0/1 the same supplicant W7 with cert now I connect to authenticator finally supplicant put into static VLAN 34.
  [Summary]
  The problem is the end station that are still connected to the supplicant port /use a EAP-TLS/ after the reboot supplicant! All of them will be put into the Guest VLAN instead of static VLAN 34!
  [The question]
  What is wrong and how to configure/tune and what authenticator or authentication server to prevent after the reboot to observe a authentication timeouts?
  Of course the supplicant after 20 minutes /next EAPOL start farmet put into VLAN 34 .
  [Logs]
  During this I observed the wireshark supplicant and authenticator console and NPS wireshark, below:
  1. supplicant and authenticator orderflow at wireshar:
  - supplicant EAPOL Start
  - authenticator EAP Request Identity
  - supplicat  Response Identity, 3 times
  - supplicant EAPOL Start
  - authenticator EAP Failure
  - authenticator EAP Request Identity x2
  - supplicat  Response Identity x2
  and again, more detail about flow from whireshar chart at the end
  2. authenticator console saw like this:
  *Mar  1 00:02:51.563: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:02:51.563: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:02:51.563: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  krasw8021x>
  *Mar  1 00:03:52.876: %DOT1X-5-FAIL: Authentication failed for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:03:52.876: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  *Mar  1 00:03:52.876: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (5c26.0a12.cf80) on Interface Fa0/1 AuditSessionID 0A0E2E96000000030000EAF2
  and finaly
  *Mar  1 00:05:00.286: %AUTHMGR-5-VLANASSIGN: VLAN 47 assigned to Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
  *Mar  1 00:05:01.167: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (Unknown MAC) on Interface Fa0/1 AuditSessionID 0A0E2E96000000040003C914
  *Mar  1 00:05:01.302: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
  3. Authentication server:
  - NPS doesn'e recived any RADIUS Access-Request/Response.
  [supplicant EAPOL flow chart, source wireshark]
  |Time     | Cisco_f9:98:81                        | Dell_12:cf:80                         |
  |         |                   | Nearest           |                  
  |0,041    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |0,045    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |0,051    |                   |         Start     |                   |EAPOL: Start
  |         |                   |(0)      <------------------  (0)      |
  |0,065    |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |0,075    |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |18,063   |                   |         Start     |                   |EAPOL: Start
  |         |                   |(0)      <------------------  (0)      |
  |18,065   |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |18,268   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |18,303   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |18,307   |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |18,307   |                   |         Response, Identity            |EAP: Response, Identity [RFC3748]
  |         |                   |(0)      <------------------  (0)      |
  |37,073   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
  |         |(0)      ------------------>  (0)      |                   |
  |67,941   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
  |         |(0)      ------------------>  (0)      |                   |
  |98,805   |         Request, EAP-TLS [R           |                   |EAP: Request, EAP-TLS [RFC5216] [Aboba]
  |         |(0)      ------------------>  (0)      |                   |
  |129,684  |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |144,697  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |160,125  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |175,561  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |190,996  |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |206,002  |         Failure   |                   |                   |EAP: Failure
  |         |(0)      ------------------>  (0)      |                   |
  |206,204  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |212,103  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |227,535  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  |242,970  |         Request, Identity [           |                   |EAP: Request, Identity [RFC3748]
  |         |(0)      ------------------>  (0)      |                   |
  /regards Piter 

  Hi,
  Did you ever try to configure re-authentication?
  Is the client is up and running if you connect it to the switch?
  Sent from Cisco Technical Support iPad App

• WLC not integrating with Radius Server

  Hello world,
  I have the following situation:
  One WLC 2000 Series (software version 7.0.230.0) with multiple SSID`s, one is with 802.1x integrated with a Radius Server.
  Everything worked fine until fiew days ago, when users were unable to logon via they`re certificates on Windows XP.
  The infrastracture didn`t suffer modifications.
  What i have checked: Radius certification isn`t expired, client certification isn`t expired, the password between controller and Radius is correct.
  There are no ACL`s between the WLC and the remote Server. I can ping the devices, other SSIDs on the same controller (wpa/psk) are working correct.
  The AP`s are 1242.
  I have tried deleting the SSID, configure it back. The OS on Windows Server is  2003 Standard. The AP`s are configured H-Reap.
  I have increased the Server Timeout from Radius Authentication Servers from 2 to 30 sec.
  The message logs recived on WLC Trap Logs:
  RADIUS server X.X.X.X:1812 failed to respond to request (ID 161) for client xx.xx.xx.xx.xx.xx/ user 'unknown'
  The message from the debug dot1x aaa enable:
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLING_STATION_ID(31) index=1
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_CALLED_STATION_ID(30) index=2
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT(5) index=3
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_INT_CISCO_AUDIT_SESSION_ID(7) index=4
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IP_ADDRESS(4) index=5
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_IDENTIFIER(32) index=6
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_VAP_ID(1) index=7
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_SERVICE_TYPE(6) index=8
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_FRAMED_MTU(12) index=9
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_NAS_PORT_TYPE(61) index=10
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_EAP_MESSAGE(79) index=11
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_RAD_STATE(24) index=12
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Adding AAA_ATT_MESS_AUTH(80) index=13
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df AAA EAP Packet created request = 0x1cff348c.. !!!!
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df Sending EAP Attribute (code=2, length=6, id=10) for mobile xx.xx.xx.xx.xx.xx.
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00000000: 02 0a 00 06 0d 00                                 ......
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.318: 00:15:e9:33:75:df [BE-req] Sending auth request to 'RADIUS' (proto 0x140001)
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] AAA response 'Interim Response'
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df [BE-resp] Returning AAA response
  *radiusTransportThread: Mar 06 09:37:07.328: 00:15:e9:33:75:df AAA Message 'Interim Response' received for mobile xx.xx.xx.xx.xx.xx.
  *Dot1x_NW_MsgTask_7: Mar 06 09:37:07.329: 00:15:e9:33:75:df Skipping AVP (0/27) for mobile xx.xx.xx.xx.xx.xx.
  The messages on Windows 2003 Standard:
  User Y was denied access.
  Fully-Qualified-User-Name = xx.domain.com/Users_T/user
  NAS-IP-Address = X.X>X.X
  NAS-Identifier = Cisco_
  Called-Station-Identifier = ---------------------
  Calling-Station-Identifier = ---------------------
  Client-Friendly-Name = ---------------------
  Client-IP-Address = ---------------------
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = Wireless Policy
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 262
  Reason = The supplied message is incomplete.  The signature was not verified.User Y was denied access.
  Fully-Qualified-User-Name = xx.domain.com/Users_T/user
  NAS-IP-Address = X.X>X.X
  NAS-Identifier = Cisco_
  Called-Station-Identifier = ---------------------
  Calling-Station-Identifier = ---------------------
  Client-Friendly-Name = ---------------------
  Client-IP-Address = ---------------------
  NAS-Port-Type = Wireless - IEEE 802.11
  NAS-Port = 1
  Proxy-Policy-Name = Use Windows authentication for all users
  Authentication-Provider = Windows
  Authentication-Server = <undetermined>
  Policy-Name = Wireless Policy
  Authentication-Type = EAP
  EAP-Type = Smart Card or other certificate
  Reason-Code = 262
  Reason = The supplied message is incomplete.  The signature was not verified.
  Can anyone help why i cannot log the users via 802.1x ?

  Okay that is good..... this is what I would do next.  I would create a test ssid that uses PEAP MSchapv2 and create a new policy in IAS that is basic.  Allow 802.1x wireless and user group only and see if you can reconfigure one of the XP machines for PEAP.  Can you also post a screen shot of your polices (connection and network) so we can review it. 

• Trouble with EAP-TLS with Wireless before Windows logon

  Ill start with a list of equipment;
  5508 WLC
  3502i AP's
  Cisco ACS 5.3
  Windows 7 clients
  WLAN is configure with WPA2/AES with 802.1x for key management.
  Client is configure with WPA2/AES, auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication.  The client is configured to use a certificate on the computer.  "It only works if user or computer auth is seected."  If i use Computer Authenticate option......its says it cant find a certificate to use for EAP.
  ACS is configured to only allow for protocol EAP-TLS.
  We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
  This whole process with EAP-TLS works great if you are already logged in to the machine, with cache credentials.  Once I log off the Windows 7 client, I lose connection to the WLAN.  We would like to stay logged on to the WLAN.  PEAP w/ MSCHAPV2 works great with staying connected to the WLAN but we want to use EAP-TLS.
  Any ideas??
  Thanks in advanced,
  Ryan

  Hi Ryan,
  You actually answer your own question :) The reason for the fault is because the Machine Account doesn't have a Certificate, so when your User logs off the Machine Account can't login to keep the session going, and thus you get disconnected. Provide the Machine Account with a Certificate and your problem will be resolved.
  Richard

• EAP-TLS with Novell NDS

  I configured EAP-TLS for the wireless LAN in the Novell 6 environment. However encountered a problem on the ACS with Novell NDS. Attached is the error messge, any advice on how to overcome ? I have generated the server key and the client key from Windows 2000 server. The error message is 'AUth type not supported by Ext DB'

  EAP-TLS is not supported with Novell NDS as per the compatability matrx shown in the following document,
  http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm