HT4718 wpa2 enterprise 802.11x protocol with pap authentication.  Lion Reformat

Similar Messages

• WPA2 enterprise, Can not authenticate with ACS

  Hi, I am setting up WPA2 enterprise for wireless users with PEAP authentication, but can not get authentication server to authenticate them, and failed reason is generic "EAP-TLS or PEAP authentication failed during SSL handshake"
  The AP I am using is 1240AG running 12.3(8)JA, Radius server is ACS 4.0, I don't have any problem to get dot1x with PEAP authentication working for wired access, and I have almost identical client side configuration for wired and wireless user.
  From ACS's point of view, it should not be aware of any difference between wired and wireless user, but ACS log shows otherwise:
  1)AP is connected to a cat4k switch, I suppose AP should be the authenticator for wireless users, but ACS "failed attempts" log for attempted wireless user shows that the NAS IP is cat4k in stead of AP, why?
  2)I am using the same laptop for both wireless/wired testing, ACS "failed attempts" log shows that for wired user, it correctly interpreted cached domain\login name, but for failed wireless user, the user-name field is totally different, yet debug on AP clearly shows that correct domain\login has been received by AP.
  Debug output on AP is attached, hope experts here can quickly identify the problem.

  Got it working by adding radius server configuration under GUI generated configuration:
  aaa group server radius your-AAA-group-name
  server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646

• Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

  Hello,
  We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

  Originally Posted by djaquays
  I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
  I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
  This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
  It's a couple of years since I did this so my memory is a bit vague... :(
  Did you install the peap plugin on the workstation, if I remeber correctly this was needed?
  http://support.arubanetworks.com/TOO...4/Default.aspx
  Thomas

• Windows 7 Home Premium with 802.1x problems with the Authentication

  We have problems with  OS Windows 7 Home Premium 802.1x, the message in ACS:
  EAP-TLS or PEAP authentication failed during SSL handshake
  ACS v4.1
  We have OS Windows 7 Professional and doesn´t have problems with the authentication.
  I hope that you can help me
  Regards

  We were investigated with specialist people of OS Windows and the conclusion was that the Home Premium Version has restrictions about authentication and domain (Active Directory). So we need change the version of OS (Proffessional for example).
  If you had another tip, please tell me and I try it for resolve this issue, if not we have to change the OS.
  Regards

• HT4718 will i lose personal files with a mountain lion reinstall??

  will i lose personal files with a mountain lion reinstall??

  Not unless you go out of your way to erase the disk, first.
  However, nothing is foolproof and the probability of something going wrong during the reinstall is inversely proportional to the number of backups you have.

• Any way to force a specific 802.11X protocol?

  We have a Cisco wifi system that offers 802.11a/b/g/n simultaneously. In viewing the network with the Cisco admin tools, we are seeing that a bunch of the Macs are connecting over 802.11b and many over 802.11a. Almost all the machines are Core 2 Duo MacBook Pros (with the N enabler). Is there a way to tell the MacBook Pros to connect to a given network forcing a SPECIFIC protocol (802.11n)?
  We will be turning off 802.11b, so that won't be a problem in the future. But for some strange reason, most of the Macs are not choosing 802.11n as their first choice. We cannot turn off 802.11a because it takes n with it.
  Any help, even if it means going to the command line, is appreciated.
  Also, a related question, is there a way on my Mac to see which protocol I'm using at the moment? That doesn't seem to be shown in System Preferences or in System Profiler. TIA!
  Cheers,
  Alex

  Alex, I have a Cisco AP-1131AG 802.11a/g WAP at home and I've overcome the problem by setting the a and g networks to different SSIDs. They also use different encryption keys. The only way I've been able to consistently get my MBP to always attach to the a network is to not have a network profile/preference set to the g network in System Preferences -> Network -> Advanced -> Preferred Networks. I use the a network and the kids use the g network.
  Periodically however, the MBP doesn't see the a network so since it doesn't have the g network information it can't connect. I suspect this is an OS X issue but I don't have another a device to verify that the a network is still connecting. The WAP reports 'authentication failed' and then 'packet to client reached max retries, removing the client'. I resolve this by disabling and then re-enabling the MBP AirPort.
  There seems to be an issue with OS X not always abiding by the Preferred Network order so only the above solution works. Incidentally, not too long ago Apple changed OS X so each network location profile maintains its own set of configurations. This is a bit of a pain for me with my cellular broadband card (I have to remember to switch between location profiles or create a configuration for every location profile). I wish OS X had an option to mark certain configurations as 'global' to work across every location.
  Anyway you can also manage the issue with say one location profile for work and another for home, etc. Is your enterprise using the same SSID for all protocols? If so, then different encryption keys would accomplish the same thing but I don't know if that's possible at the protocol level.
  Are you using an Aironet 1250? I wish there was a way to communicate these issues to Apple but this is way too technical for the AppleCare folks. There just doesn't seem to be a way for sophisticated customers to get to the higher level support folks and with no corporate level support organization, we just have to wait and hope someone notices the problem and fixes it.

• 802.1x - Issue with command: authentication open

  The issue we are running into is that when we initially deployed 802.1x we had the command “authentication open” on all of our switch ports. We ran a CscoWorks job last week Thursday to remove that command from all of our ports. Since that time we have ran into a couple of weird issues where the device was powered up but the switch port would show notconnect when doing a show int status but the speed would show a-1000 and duplex would show a-full. There would be no mac address listed when doing a “show mac add int ‘interface’” and the device would be in the MAB running state. This is happening on devices that are supposed to be doing 802.1x and MAB authentication, if we put the command “authentication open” back onto the port it showed connected and mac address. Now we have over 1000 switches on the network with this command removed and so far have only ran into a couple of these odd ball problem ports so at this time it is not happening widespread but would like to take care of the issue or figure out why this happening before it does.

  On the 2960's we are running 12.2(55)SE5, on the 6500's we are running 15.1(1)SY
  We didn't use any kind of ACL because we start all of our switch ports into a black hole vlan. I have been watching sessions from Cisco Live 2012 and looks like Cisco is now recommending that you don't go closed mode unless absolutely necessary because it is hard to maintain and function.

• Imac mid 2007 with mac ox lion reformat with what os

  hi i have a imac mid 2007 and i have with mac os x lion with it and i wanna reformat it because its so slow what os do i will install again?

  You may just need to reinstall, not reformat:
  Reinstalling Lion/Mountain Lion Without Erasing the Drive
  Boot to the Recovery HD: Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward pointing arrow button.
  Repair the Hard Drive and Permissions: Upon startup select Disk Utility from the main menu. Repair the Hard Drive and Permissions as follows.
  When the recovery menu appears select Disk Utility. After DU loads select your hard drive entry (mfgr.'s ID and drive size) from the the left side list.  In the DU status area you will see an entry for the S.M.A.R.T. status of the hard drive.  If it does not say "Verified" then the hard drive is failing or failed. (SMART status is not reported on external Firewire or USB drives.) If the drive is "Verified" then select your OS X volume from the list on the left (sub-entry below the drive entry,) click on the First Aid tab, then click on the Repair Disk button. If DU reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported click on the Repair Permissions button. Wait until the operation completes, then quit DU and return to the main menu.
  Reinstall Lion/Mountain Lion: Select Reinstall Lion/Mountain Lion and click on the Continue button.
  Note: You will need an active Internet connection. I suggest using Ethernet if possible because it is three times faster than wireless.

• Intel Mac OS X can't connect using 802.1x with TTLS authentication

  To login at the wireless network on my school I use the following settings:
  802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
  My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
  On my old iBook and my friend's Powerbook with exact the same settings it works perfect. (and gets an assigned ip-address throug DHCP.
  Bug in the Intel version of Mac OS X I guess?

  Regarding the post about other intel macs being unaffected, I don't have an imac so I don't know for sure, but the connectivity problems seem to be more widely reported for the macbooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (note to self, check on that).
  What I cant understand is why they have changed the
  airport express card for the intel macs, albeit the
  processor has changed but that shouldn't affect the
  card as that should be processor
  The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
  In the macbooks, it appears to be a mini-PCI-express. (I had to send my back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
  Some side-benefits of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.

• WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

  I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
  thanks !!!

  WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
  Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
  WPA and WPA2 are actually are of 2 types respectively.
  WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
  WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
  Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
  EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
  LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
  There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
  The following document might clarify your doubts.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

• MacBook connects automatically with old credentials to Wi-Fi (WPA2 Enterprise)

  Hi,
  I have this issue connecting to Wi-Fi at work with my MacBookPro5,1 (OS X 10.6.8) after changing my password (we have to change it frequently).
  The access to the wireless connection is authenticated against my personal domain credentials (our work machines are bound to Active Directory).
  Everytime since changing the password when I leave my laptop to sleep for about maybe 20 minutes or more my laptop tries automatically connect to the wi-fi so many times with wrong credentials that I get a userlock for half hour or so.  I know this cause I have seen the Wireless Connection log and can see that my username has attempted three times in a row unsuccessfully.
  My laptop must have my old wi-fi profile with the old password stored/cached somewhere. I have already resetted my Airport settings and user profile via System Preferences > Network > Advanced > and chosen the Wi-Fi profile and removed it with "-" and from the 802.1X too where the username and password is stored. But this still keeps on happening. Even after rebooting and I can´t find anywhere where the old password is stored.
  Does anyone have any suggestions? Thanks.

  Hi, I tried this too but to no effect.
  I don't know why but upgrading from Snow Leopard to Mavericks solved the problem. After this I have had no issues with the WLAN. I guess it's something to do with OS incompability with today's WPA2 enterprise protocol standards.
  Who knows?

• WPA2 Enterprise with netctl

  Hi,
  I'm trying to connect to my university wifi which I believe is WPA2 Enterprise protected. I read the wiki about using the Eduroam netctl profile example for WPA2 Enterprise networks but it doesn't seem to work for me. This is what I have:
  Connection='wireless'
  Interface=wlp4s0b1
  Security='wpa-configsection'
  Description="nyu wpa2 network"
  IP='dhcp'
  TimeoutWPA=30
  WPAConfigSection=(
  'ssid="nyu"'
  'key_mgmt=WPA-EAP'
  'eap=PEAP'
  'proto=WPA2'
  'phase2="auth=PAP"' #maybe MSCHAPv2
  'auth_alg=OPEN' #maybe
  'anonymous_identity="anonymous"' # ex: tu-dresden.de
  'identity="myusername"' # ex: [email protected]
  'password="mypassword"'
  'ca_cert="/usr/share/ca-certificates/trust-source/mozilla.trust.crt"'
  Can someone point me to related info or correct my profile? Thanks.

  Does your university have a site with some information/guidance for using eduroam?
  Have you tried other example profiles from here, such as this one and  this one? The wiki refers to this AUR package, which seems to be where you got the profile you've tried. Perhaps try the other example profiles.

• Free RADIUS/802.1X Service for WPA/WPA2-Enterprise

  Hi, just wanted to let everyone know that I recently started offering a Free Edition of our AuthenticateMyWiFi service, a hosted RADIUS/AAA service offering 802.1X authentication for use with WPA/WPA2-Enterprise encryption.
  The Free Edition features 1 user account, supports 1 AP, and includes: PEAP authentication for wireless and wired connections, web-based control panel, and activity logging.
  This is great for IT professionals wanting to experiment with 802.1X or to get enterprise Wi-Fi security in homes and small offices.
  For more info visit our site:
  http://www.nowiressecurity.com/service.htm
  - Eric Geier

  I recommend contacting Linksys support on the phone and ask them which model router has Radius or Enterprise WPA features. Some home class routers may not have this. Ask and see what is available. 

• 802.11x with 2008 R2 NPS

  Here's what I'm using for attempt at 802.11x:
  -2008 R2 NPS
  -AIR-AP1142N-A-K9
  -Lenovo T510 Laptop
  Here is what I followed:
  1. http://techblog.mirabito.net.au/?p=87&cpage=1#comment-26452
  2. http://blog.laurence.id.au/2010/03/running-peap-with-cisco-aeronet-1231g.html
  Here is my config on the AP, radius related:
  aaa new-model
  aaa group server radius rad_eap
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone EST -4
  dot11 syslog
  dot11 ssid IPC02-AP
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa version 2
     guest-mode
  encryption mode ciphers aes-ccm tkip
  interface BVI1
  ip address 192.168.1.7 255.255.255.0
  no ip route-cache
  ip radius source-interface BVI1
  radius-server local
    nas 192.168.1.38 key 7 *
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.1.38 auth-port 1645 acct-port 1646 key 7 *
  Here is my part of my debug:
  RADIUS(000000C0): Received from id 1645/151
  RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
  dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  Client 0026.c750.**** failed: by EAP authentication server
  dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
  DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed RADIUS(000000C0): Received from id 1645/151
  RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
  dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  Client 0026.c750.**** failed: by EAP authentication server
  dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
  dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
  DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed
  I get a "connection failed" on my laptop.  I don't see any logs/events relating to a failure of credentials on my 2008 server.
  Any ideas?

  I have not gotten any other feedback and I have not been ablet to identify anything on technet about it.  It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings.  It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do ot hit the 27 "line-item" limit.

• Cannot connect to WIFI with WPA2 enterprise security

  I'm currently trying to switch my Wifi from WPA2 Personal to WPA2 Enterprise using a dd-wrt flashed TP-Link router and a Synology Diskstation as the RADIUS server. The diskstation also creates the CA certificate which I can download from there for all client devices.
  Configuration on the side of the router appears to be fine, I've entered all the details for RADIUS authentication and left "WPA Algorithms" at its default setting "TKIP", other options being ("AES" and "TKIP+AES"). I said it appears to be fine because my Android phone connection is established succesfully using the following (default) parameters:
  EAP method: PEAP
  Phase 2 Auth: NONE (also works with MSCHAPV2, and probably other options)
  CA cert: unspecified (didn't download it to smartphone, must be fetched automatically from router I guess)
  User cert: unspecified
  Identity: myDiskstationUsername
  Anonymous Identity: (blank)
  Password: myDiskstationPassword
  So far, so good... I still cannot manage to get a connection from my laptop running Arch. Prefered method would be via "wicd". The best match seems to be the following configuration profile:
  name = PEAP with TKIP/MSCHAPV2
  author = Fralaltro
  version = 1
  require identity *Identity password *Password
  optional ca_cert *Path_to_CA_Cert
  protected password *Password
  ctrl_interface=/var/run/wpa_supplicant
  network={
  ssid="$_ESSID"
  scan_ssid=$_SCAN
  proto=WPA
  key_mgmt=WPA-EAP
  pairwise=TKIP
  group=TKIP
  eap=PEAP
  identity="$_IDENTITY"
  password="$_PASSWORD"
  ca_cert="$_CA_CERT"
  phase1="peaplabel=0"
  phase2="auth=MSCHAPV2"
  But it's not working, both with and without specifing the optional path to the CA certificate. Any ideas what I could've been missing or any clues for debugging?
  Last edited by saciel (2013-11-07 09:55:16)

  Why don't you use netctl?
  I'm using netctl to connect to my FreeRadius Server, and I use this config...
  Description='A wireless connection using a custom network block configuration'
  Interface=wlp0s29f7u3
  Connection=wireless
  Security=wpa-configsection
  IP=static
  Address='192.168.1.200/24'
  Gateway='192.168.1.1'
  DNS=('192.168.1.1')
  WPAConfigSection=(
  'ssid="SSID"'
  'key_mgmt=WPA-EAP'
  'eap=PEAP'
  'phase2="auth=MSCHAPV2"'
  'group=CCMP'
  'pairwise=CCMP'
  'identity="user"'
  'password="password"'
  'priority=1'