IAS and CTA 802.1x wired client?

Hi,
We have IAS working with 802.1X authentication. All is good except when we enable dynamic VLAN assignment we come across the Winlogon issue as per MS KB article 935638.
We do however have available the CTA 802.1X wired client. From what I have read though it requires ACS due to use of EAP-FAST. Is this correct or is there some way I can get CTA 802.1X wired client working with MS IAS RADIUS?
Thank you

You will have to use ACS for authenticating using EAP-FAST for CTA 802.1x wired clients. It is not possible to get CTA 802.1X wired client working with MS IAS RADIUS.

Similar Messages

  • How about joining IEEE 802.1X wired client to an AD domain?

    http://technet.microsoft.com/en-us/library/bb727033.aspx
    This nice TechNet link says clearly that there are three methods that could be used for joining a wireless IEEE 802.1X client to a domain. Do these methods also apply for joining wired IEEE 802.1X clients to a domain?

    Hi,
    In some cases, routers or firewalls drop packets because they are configured to discard packets that require fragmentation.
    Did you use NPS for authentication?
    Follow this procedure to lower the maximum size that NPS uses for EAP payloads by adjusting the Framed-MTU attribute in a network policy.
    Configure the EAP Payload Size
    http://technet.microsoft.com/en-us/library/cc755205%28v=ws.10%29
    Hope this helps.

  • Question about Airport Express in WDS bridge mode with wired clients

    I am looking to buy an Airport Extreme N router, and then use the Express I already have to extend my network using WDS. I intend to setup the Express as a bridge in WDS mode and then connect a wired client to the Express. The question is can I connect a multi port switch or hub to the Express so that multiple wired clients can use the bridge or does Express only support one wired client. I looked at the FAQ at http://docs.info.apple.com/article.html?artnum=108038 but it doesn't address that.
    Thanks

    Hmmm, I haven't actually tried that myself, but it should work since, as a Remote Base Station in a WDS, the Ethernet port on the AX acts like a LAN port.

  • CTA (2.1.103) - Wired Client does not Launch

    Hi,
    I installed the CTA 2.1.103 with Wired Supplicant on a Windows XP SP2 machine. The installation completed without any errors. However, when I try to bring up the CTA Wired Client's GUI, nothing happens.
    The cursor changes to busy for 1-2 seconds and then no window appears. There is no icon in the System Tray either.
    Any ideas?
    Thanks \\ Naman

    I was accessing it over Remote Desktop, which was the issue.
    Local access or VNC works fine.

  • Systemd with wpa_supplicant 802.1X wired and dhcpcd - Need help

    Hi,
    At work we use 802.1X wired authentication on the network to get access. If successfully authenticated then I get 10.x.x.x network address from DHCP,
    and if not successfully authenticated, I get a 172.x.x.x address from DHCP.
    Now I've configured wpa_supplicant with certificates in its configuration file so that one is working fine.
    What I have problems with is the startup, this is what I need in order:
    * I need wpa_supplicant to start up
    * wpa_supplicant needs to authenticate completely
    * now dhcpcd may run and I should get 10.x.x.x address.
    I've tried two (b*ttfugly) ways of solving this under systemd:
    wpa_auth.service
        [Unit]
        Description=WPA 802.1X
        Requires=sys-subsystem-net-devices-eth0.device
        After=sys-subsystem-net-devices-eth0.device

        [Service]
        Type=simple
        ExecStart=/usr/sbin/wpa_supplicant -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf

        [Install]
        Alias=multi-user.target.wants/wpa_auth.service
    And in [email protected] I've added:
    After=wpa_auth.service
    However this won't work since wpa_supplicant isn't done authenticating when dhcpcd starts up.
    I've also tried using -B option to wpa_supplicant and forking in wpa_auth.service like this:
        Type=forking
        ExecStart=/usr/sbin/wpa_supplicant -B -ieth0 -Dwired -c/etc/wpa_supplicant/wpa_supplicant.conf
    Now if I'm lucky this works, but it's still a race condition.
    So: the next thing I've tried is to make the wpa_auth.service start up a script (Type=forking) that executes wpa_supplicant and adds a sleep 1. This gives wpa_supplicant 1 second to authenticate, but it's still a shitty and unsafe solution.
    The last solution I tried was using the above solution but replacing sleep with wpa_cli -a script, which according to the man page executes the script when it receives an event. So right now the chain looks like this:
    In chronological order:
    - wpa_auth.service (systemd)
      Type=forking
    - script
      - wpa_supplicant
      - wpa_cli -a script2 (will block until receiving a CONNECTED/DISCONNECTED event from wpa_supplicant, then run script2)
    - script2
      - pkill wpa_cli
    - exit 0
    done - dhcpcd may start
    I just want to find a way to start dhcpcd after wpa_supplicant has authenticated so I get a correct IP address.
    How do I do this in a correct way? Can I use dbus somehow to make wpa_supplicant signal that it is done authenticating?
    Thanks
    Last edited by dimman (2012-11-23 15:56:01)

    From the sample wpa_supplicant.conf:
    # scan_ssid:
    # 0 = do not scan this SSID with specific Probe Request frames (default)
    # 1 = scan with SSID-specific Probe Request frames (this can be used to
    # find APs that do not accept broadcast SSID or use multiple SSIDs;
    # this will add latency to scanning, so enable this only when needed)
    So... looks like that likely isn't the solution. Of course, this is all just speculation now, until I can resolve the hardware issues or get a new laptop.
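
One way to close the race described in this thread, as an added example that is not part of any post above: poll `wpa_cli status` until the supplicant reports an authorized port and a successful EAP exchange, and only then let dhcpcd run. The interface name, the `STATUS_CMD` override, the timeout and the sample status text are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: gate dhcpcd on the supplicant's 802.1X port state instead of
# on "wpa_supplicant has been started". IFACE, STATUS_CMD and the timeouts are
# assumptions for illustration.

IFACE="${IFACE:-eth0}"
# Command that prints the supplicant status; overridable so the logic can be
# exercised offline with canned output.
STATUS_CMD="${STATUS_CMD:-wpa_cli -i $IFACE status}"

# Return 0 only when the status text on stdin reports an authorized port AND
# a successful EAP exchange. A running supplicant alone is not enough.
port_authorized() {
    awk -F= '
        $1 == "suppPortStatus" && $2 == "Authorized" { port = 1 }
        $1 == "EAP state"      && $2 == "SUCCESS"    { eap = 1 }
        END { exit !(port && eap) }
    '
}

# Poll once per second until authorized or until $1 seconds have elapsed
# (default 30). Returns 1 on timeout so the caller can refuse to start DHCP.
wait_for_auth() {
    timeout="${1:-30}"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if $STATUS_CMD 2>/dev/null | port_authorized; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Constructed sample of "wpa_cli status" output on a wired interface.
sample_status_ok() {
    printf '%s\n' 'wpa_state=COMPLETED' \
        'Supplicant PAE state=AUTHENTICATED' \
        'suppPortStatus=Authorized' 'EAP state=SUCCESS'
}
sample_status_held() {
    printf '%s\n' 'wpa_state=ASSOCIATED' \
        'Supplicant PAE state=HELD' \
        'suppPortStatus=Unauthorized' 'EAP state=FAILURE'
}

# "run" mode: block until authorized, fail loudly otherwise.
if [ "${1:-}" = "run" ]; then
    wait_for_auth 30 || { echo "802.1X not authorized on $IFACE" >&2; exit 1; }
fi
```

Run in `run` mode from an `ExecStartPre=` line of the dhcpcd unit (the script name and location are up to you), this keeps the DHCP client from requesting a lease while the port is still in the unauthenticated 172.x.x.x network.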

  • Prime Infrastructure 2.2 - Wired Clients and Trunk Ports

    We have our VMWare ESX hosts connected to our server access switches via trunk ports. Prime doesn't seem to track clients on trunk ports (to avoid showing clients on uplink ports between switches, I'm sure). Since these are not switch-to-switch connections, is there a way to enable Prime to track wired clients on these specific trunk ports so we have MAC/IP client info in Prime for our virtual environment?

    Hi,
    PI discards all the MAC table entries that are on trunk ports for a switch. This enhancement was added from PI 2.1 & later.
    - Ashok

  • Sharing internet to wired client using Airport Express

    hey
    I'm trying to connect a client to my home network through Ethernet to an Airport Express which is wirelessly connected to an Airport Extreme base station (802.11n).
    This is what I would like my setup to be.
    ADSL to modem to Airport Extreme wirelessly to Airport Express wired to client (will eventually be an Xbox media center).
    It says in the Apple FAQs that this is possible by configuring the AX as a WDS remote or relay. Since I have no desire to extend the range of the network, I've made it a WDS remote, but I tried to connect my MacBook to it over Ethernet to test, which didn't work. Are there any settings that need to be changed if the connection is going to be shared to a wired client?
    Thanks
    Mike

    I have the exact same question as Mcgio. Earlier in this thread there was mention of WDS. From what I have gathered elsewhere, WDS is only necessary if you want to extend your wireless network? That is not what I want to do - I essentially want to extend my wired network using the AX wirelessly.
    I ask about WDS because it does not appear that my Netgear WNR834M router supports WDS (nothing about it in config or the manual).
    Will what we are trying to do work, and what do we need to do?

  • Windows 7 802.1x (Wired) Authentication Failure when logging into Lync 2010

    Hi
    My company has implemented 802.1x wired authentication; we use GPO to specify a wired profile that uses a COMPUTER certificate.
    We are finding that when a Windows 7 laptop comes out of sleep or hibernation, the laptop fails 802.1x authentication and does not connect to the network.
    This issue only occurs intermittently, but has been proven to occur only when Lync 2010 is open. If we close Lync 2010 the issue does not occur. Lync 2010 installs a self-signed USER certificate for authentication.
    I am aware that there are some issues around Windows 7 not selecting the correct certificate when responding to authentication requests (KB2710995, KB2769121) but these always specify that the issue occurs when 802.1x authentication uses USER certificates, not a mix of USER and COMPUTER. We have installed these hotfixes and the issue still occurs.

    Hi,
    From the description, you suspect the DHCP request cause this issue. Would you please send us the packets? Since it seems that you have looked into the traffic and found some clues.
    Meanwhile, I found the following hotfix which may be related to this issue.
    No response to 802.1X authentication requests after authentication fails on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980295/en-us
    Next Action Plan:
    1. Clean Boot
    a. Click Start, click Run, type "msconfig" (without the quotation marks) in the Open box, and then click OK.
    b. In the Startup tab, click the "Disable All" button.
    c. In the Services tab, check the "Hide All Microsoft Services" checkbox, and then click the "Disable All" button.
    ======================================================
    Clean Boot + binary search
    In a Clean Boot, all the 3rd party services and startup programs are disabled. If the server can start normally in Clean Boot, we can be sure that the issue was caused by some 3rd party service or application. And then we can do a "binary search".
    You can enable half of all the services in Services tab, and then restart the server to check the result. If the issue reoccurs, it means the culprit is in this list; if not, the culprit is in the other half. And then, we can continue the binary search, until we find out the root cause. Please let me know if this action plan is OK for you.
    2. Collect etl trace on the problematic client.
    netsh trace start capture=yes overwrite=yes tracefile=c:\net.etl filemode=circular
    ****Try to reproduce this issue****
    netsh trace stop
    Please send the net.etl to us for underlying analysis.
    For any concerns, please let us know.
    Best regards,
    Steven Song

  • 802.1x wired problems

    Hello.
    I'm trying to install arch, but I've been stuck on configuring network for a day already.
    The point is: I need to connect to the local university network (wired) to be able to connect to the Internet via PPPoE. The university network has PEAP MSCHAPv2 security and I can't connect to it.
    I haven't found anything on the forums I hadn't tried so far, so, maybe you can help me find my mistakes.
    Here's what I'm doing:
    /etc/wpa_supplicant.conf:
        ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=wheel
        ap_scan=0
        network={
            key_mgmt=IEEE8021X
            eap=PEAP
            phase2="auth=MSCHAPV2"
            identity="username"
            password="password"
            eapol_flags=0
        }

    ip link set enp4s0 up
    wpa_supplicant -i enp4s0 -B -Dwired -c /etc/wpa_supplicant.conf
    dhcpcd enp4s0
    pppoe-setup
    pppoe-start
    Update: I managed to advance a bit further, pppoe-start finally says
    . Connected!
    But now I can't seem to get DNS to work, since my provider's server won't send one to me. Apart from that, everything seems to work, so I'll just leave this here so other newbies with the same problem would have less trouble looking for a solution.
    Last edited by tstheworm (2013-03-21 17:03:49)
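
The network block posted above sets no `ca_cert`, and wpa_supplicant does not verify the server certificate for PEAP/TTLS/TLS when neither `ca_cert` nor `ca_path` is configured, so the MSCHAPv2 exchange can be completed with whatever authenticator answers on the wire. The following check is an added example, not part of the original post; the CA path and server name in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag wpa_supplicant network blocks that run PEAP/TTLS/TLS
# without verifying the authentication server.

# Reads a wpa_supplicant.conf from the file in $1 (or stdin when no argument
# is given). Prints one finding per weak block; returns 1 if any was flagged.
audit_eap_conf() {
    awk '
        function check() {
            if (eap ~ /PEAP|TTLS|TLS/) {
                if (!ca)        { printf "network %d: eap=%s has no ca_cert/ca_path\n", n, eap; bad = 1 }
                else if (!name) { printf "network %d: eap=%s has no server name match\n", n, eap; bad = 1 }
            }
            inblk = 0
        }
        /^[ \t]*#/ { next }
        /^[ \t]*network[ \t]*=[ \t]*[{]/ {
            if (inblk) check()            # previous block was never closed
            inblk = 1; n++; eap = ""; ca = 0; name = 0; next
        }
        inblk && /^[ \t]*[}]/ { check(); next }
        inblk {
            key = $0
            sub(/^[ \t]+/, "", key); val = key
            sub(/[ \t]*=.*/, "", key); sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "eap") eap = val
            if (key == "ca_cert" || key == "ca_path") ca = 1
            if (key ~ /^(domain_suffix_match|domain_match|altsubject_match|subject_match)$/) name = 1
        }
        END { if (inblk) check(); exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: the block from the post, with its placeholder credentials.
sample_conf_weak() {
    cat <<'EOF'
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="password"
    eapol_flags=0
}
EOF
}

# Constructed sample: same block with the server pinned (placeholder values).
sample_conf_pinned() {
    cat <<'EOF'
network={
    key_mgmt=IEEE8021X
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="username"
    password="password"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.edu"
    eapol_flags=0
}
EOF
}

# "demo" mode: audit both samples and show the findings.
if [ "${1:-}" = "demo" ]; then
    sample_conf_weak | audit_eap_conf || echo "weak sample flagged"
    sample_conf_pinned | audit_eap_conf && echo "pinned sample clean"
fi
```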

    Hi Hartmut,
    Suggest using CSSC with CTA.
    The CTA 802.1x supplicant has limitations.
    CSSC is free for basic features; advanced features (wireless support) need a license.
    You may need to uninstall CTA with the 802.1x supplicant first, followed by installing CSSC + CTA (without 802.1x), because CSSC has built-in 802.1x features.
    Please take note of the installation sequence, because if you make a mistake in the installation sequence, you may get an error and the thing won't work.
    Hope this helps
    Thanks

  • CSSC 4.05 and CTA 2.0.14

    Hi,
    Does anyone use 802.1x in combination with NAC framework and see 'invalid protocol data' messages in ACS (4.01)?
    We see this appear when we run it in parallel; when we deactivate the NAC policy in ACS or shut down the CTA services on the client PC, 802.1x works OK.

    Yes, we are having it on one XP machine. It was working before, but suddenly it stopped working. We uninstalled and re-installed, but with no luck. Cisco CTA has no answer yet.
    ACS SE : 4.0(1)
    CTA: 4.0.2(4423)
    thanks,
    Audie

  • Cisco Prime Infrastructure 2.1 wired client show Wrong port speed.

    Hi,
    I have an odd issue: for some reason the port speed shown for the wired clients is wrong.
    Can someone explain how the speed is determined and why I'm getting a wrong port speed of 10mb for a PC/host when my network is at least 100mb?
    thanks

    Hi all,
    After a TAC with Cisco they opened a new bug: CSCur33328
    https://tools.cisco.com/bugsearch/bug/CSCur33328/?reffering_site=dumpcr
    thanks

  • Web based authentication for wired client, Credentials submission failure.

    Hi,
    I am trying to set up the "Cisco web based authentication" functionality for the wired clients.
    The problem I encountered is that my switch doesn't forward the client's password to the ACS.
    When the user validates his credentials on the login page, only the login seems to be forwarded.
    The result of the command "show ip admission cache" always shows the client in the init state (I use the default Cisco web login page).
    The connection between the AAA servers and the switch is working.
    You will find in the attachments the running-config and the debug file.
    Thanks for your help, any ideas are welcome :) (its t os version c3750e-ipbasek9-mz.150-2.SE7).

    Well, I took a look at your documents but I didn't find anything that helped me ;S.
    I'm still stuck on the same step.

  • 802.1x wired authentication via PEAP, MD5

    Hi everyone,
    Thank you for taking the time to read this. I am implementing a security solution and wanted to take the benefit of implementing 802.1x over wire. I have been searching a bit but there is not much info from start to finish on how to implement this solution. I would really appreciate it if someone could point me somewhere to find detailed instructions on how to do this, as so far I have been configuring in multiple ways but with no result. Still an orange port color on my switch, which means the first hop of security works but the next does not.
    Thank you in advance to read this.

    Hi,
    According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
    Some articles and just for your reference:
    802.1X Authenticated Wired Access Overview
    https://technet.microsoft.com/en-us/library/hh831831.aspx
    802.1X Authenticated Wired Access Design Guide
    https://technet.microsoft.com/library/dd378864(WS.10).aspx
    IEEE 802.1X Wired Authentication
    https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
    Best Regards,
    Eve Wang

  • Wired clients going through AP-Manager interface

    I've attached my config from my 2811. There are a couple things I can't figure out.
    Why is VLAN1 up / down?
    cao-va_colh#sh ip int brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            172.18.4.1      YES NVRAM  up                    up
    FastEthernet0/1            unassigned      YES NVRAM  administratively down down
    FastEthernet0/1/0          unassigned      YES unset  up                    down
    FastEthernet0/1/1          unassigned      YES unset  up                    down
    FastEthernet0/1/2          unassigned      YES unset  up                    down
    FastEthernet0/1/3          unassigned      YES unset  up                    down
    FastEthernet0/1/4          unassigned      YES unset  up                    down
    FastEthernet0/1/5          unassigned      YES unset  up                    down
    FastEthernet0/1/6          unassigned      YES unset  up                    down
    FastEthernet0/1/7          unassigned      YES unset  up                    down
    FastEthernet0/1/8          unassigned      YES unset  up                    down
    Serial0/2/0:0              unassigned      YES NVRAM  up                    up
    Serial0/2/0:0.500          63.x.x.x         YES NVRAM  up                    up
    wlan-controller1/0         172.19.4.1      YES NVRAM  up                    up
    Vlan1                      172.20.4.1      YES NVRAM  up                    down
    NVI0                       unassigned      NO  unset  up                    up
    The second and more pressing matter is this sh ip account.
    cao-va_colh#sh ip accou | excl 63.123.252.
       Source           Destination              Packets               Bytes
    208.251.211.34   209.67.103.41                    2                 104
    208.251.211.34   69.171.163.144                  30                1708
    172.19.4.3       172.18.4.53                    207              108648
    208.251.211.34   75.34.199.78                    35                2016
    208.251.211.34   65.190.77.48                    11                 512
    208.251.211.34   76.120.201.71                   42                2424
    208.251.211.34   74.196.123.78                    4                 595
    208.251.211.34   69.247.176.164                   4                 178
    10.11.1.73       172.18.4.7                       1                  40
    172.18.4.7       10.11.1.73                       1                  40
    Accounting data age is 0
    Why is a wired LAN device going through the AP-Manager? All wired clients should get 172.18.4.x addresses. All wireless clients should get 172.19.4.x addresses and WAPs should get 172.20.4.x addresses. Since VLAN1 is up / down, I understand why WAPs aren't getting 172.20.4.x, but why would a wired device be using the AP-Manager as its source to the internet?

    Hi, can you provide more information?
    How are you making sure traffic is going via the AP manager? Are you doing a traceroute?
    Do you have a dynamic AP manager?
    Do you have Guest LAN (wired) configured on the controller?
    Can you share the output from "show interface summary" and "show interface detail"?
    Thanks

  • Setting up authentication using IAS and an AP1200

    I'm trying to get RADIUS authentication working using Windows 2003 IAS and an AP1200, client is an AIR-CB21AG with latest drivers (2.1). Can anyone point me to a "how to" guide or advise how to configure each component to get it all working?
    Thanks in advance!

    Gerardo
    A customer that I work with has set up lots of VPN connections to remote sites where the remote site is behind a cable network connection including actiontech routers. We are using the 1841 router but I would think that the 1861 would be able to do this without much problem.
    As to the specific questions that you ask:
    - We use GRE/IPSec tunnels and it works well.
    - there should not be any configuration changes on the actiontech router.
    - as far as caveats:
    + make sure that the image on the 1861 is the advanced security feature set or the advanced services feature set so that you get support for the encryption needed for VPN.
    + in our implementation we require that the remote site have a fixed IP address which allows each end of the VPN to uniquely specify its peer and allows either end of the VPN to initiate the connection. I assume that your user is getting an address via DHCP from the actiontech. This will mean that your head end will have to accept connection requests from anyone and authenticate to verify that it is an authorized request. And it will mean that the remote must initiate the connection.
    If it is a single user at this remote location would it be feasible to set it up as a remote access VPN rather than a site to site VPN and to have the user use the VPN client which would eliminate the requirement for a router at the remote site?
    HTH
    Rick
