ISE 1.1 Corporate Laptop authentication like Guest on WIFI network

Hi all,
I have all laptops on Microsoft Active Directory (AD) and a Wi-Fi access point 4410N. The problem is that we don't have a WLC, and when a corporate laptop connects, the device is authenticated like a guest device. The device is redirected to the guest portal, and the user has to enter the AD username and password.
How can I get the laptop's AD name and avoid the guest portal for corporate users on the Wi-Fi network?
Best regards.

Can you check your authorization policies and make sure the AD users policy is above the guest policy? It uses top-to-bottom logic and a first-match condition.
Also can you check the report and check the authentication method attribute?
Thanks

Similar Messages

  • ISE 1.1.1 - EAP-TLS / User Cert - Determine if corporate laptop?

    Greets. Is there a way to determine if the machine a user has authenticated from via EAP-TLS / user cert (or PEAP / mschapV2) is an active directory computer or not? I understand that EAP-Chaining using EAP-FAST and the Anyconnect client would work for this, but what about using the native windows supplicant and a user cert (or PEAP / mschapv2)?
    Long story short, what I'd like to do is:
    User authenticates to ISE via EAP-TLS / user cert (or PEAP / mschapV2)
    Authorization based on whether it's a personally owned device or a corporate laptop (different AuthZ rules/ACLs based on this)
    personally owned devices only allowed to do ICA,
    corporate device can use SQL, RDP, etc...
    Thoughts, ideas?

    Not sure i understand your response, or perhaps my original question isn't clear.
    User authenticates with EAP-TLS / User cert
    User is authorized based on user cert CN Name, Active Directory lookup, group membership matched, and proper ACL applied
    Unable to determine if the machine that the user is authenticating from is an active directory computer or not, which would need to be determined in order to allow further ACL refinement (permit/deny certain protocols based on whether it is a personally owned device or a domained device, etc...).
    My question is, is it possible to do this using the native windows supplicant and EAP-TLS / user? I am only able to look up details based on the user cert (since this is what the supplicant is using), and not sure how to validate the PC as being a member of the domain or not (since the machine cert wasn't used in EAP-TLS).

  • Generate one time authentication for Guest on Cisco WLC

    Hi All
    Sorry for my question, because I just started to work with Cisco WLC.
    I have created some WLAN for local users with authentication by 802.1x + Radius by certificate.
    For Guest I used PSK with MAC-filtering.
    But I see that this is not comfortable for Guests: each time they come and want to access our wireless, we have to come and get their MAC.
    I checked on the Internet and found that the wireless solutions for hotels and resorts are very easy.
    I also googled and saw that Cisco WLC supports Lobby Ambassador to generate Guest username/password. But as I checked, this username/password might only be used with Web-Auth; this method is not comfortable for Guests who don't know they have to go to Web-Auth to do authentication (e.g. when they only get POP3 email, or VPN, ... not use browsers).
    Could I use this method (or another method) for creating a one-time Guest wireless username/password or Guest PSK that can be used for authentication when Guests click on the wireless SSID name only (no need to open a web browser to do Web-Auth)?
    Regards
    Hai

    Hi Choudhary
    Thank you much for your information
    Could I reconfirm my concern?
    With Cisco WLC, I can use WebAuth with Guest user only.
    If I want to use Guest user for authentication when guests connect to the SSID (not by WebAuth, I mean use Layer 2 security only, not Layer 3), I will have to use an additional Radius Server.
    And if I understand right, could you please recommend me a software-based Radius Server that supports generating one-time username/password for Guest, because I checked and IAS/NPS on Windows Server may not have this function (ISE is not appropriate for us at this time, due to high expense).
    Regards
    Hai

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest NAC server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I've been told otherwise by Cisco and they say it can't be done. Has anyone got RADIUS authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd question.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • ISE 1.1 - 24492 Machine authentication against AD has failed

    We implement Cisco ISE 802.1X and Machine Authentication With EAP-TLS.
    Authentication Summary
    Logged At:
    March 11,2015 7:00:13.374 AM
    RADIUS Status:
    RADIUS Request dropped : 24492 Machine authentication against Active Directory has failed
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    RadiusPacketType=Drop
     AuthenticationResult=Error
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:00:13.374 AM
    Occurred At:
    March 11,2015 7:00:13.374 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    host/LENOVO-PC.tdsouth.com
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:
    TDS-PEAP-TLS
    Service Type:
    Framed
    Identity Store:
    AD1
    Authorization Profiles:
    Active Directory Domain:
    tdsouth.com
    Identity Group:
    Allowed Protocol Selection Matched Rule:
    TDS-WLAN-DOT1X-EAP-TLS
    Identity Policy Matched Rule:
    Default
    Selected Identity Stores:
    Authorization Policy Matched Rule:
    SGA Security Group:
    AAA Session ID:
    ISE-TDS/215430381/40
    Audit Session ID:
    c0a801e10000007f54ffe828
    Tunnel Details:
    Cisco-AVPairs:
    audit-session-id=c0a801e10000007f54ffe828
    Other Attributes:
    ConfigVersionId=7,Device Port=32768,DestinationPort=1812,RadiusPacketType=AccessRequest,Protocol=Radius,Framed-MTU=1300,State=37CPMSessionID=c0a801e10000007f54ffe828;30SessionID=ISE-TDS/215430381/40;,Airespace-Wlan-Id=1,CPMSessionID=c0a801e10000007f54ffe828,EndPointMACAddress=00-26-82-F1-E6-32,GroupsOrAttributesProcessFailure=true,Device Type=Device Type#All Device Types,Location=Location#All Locations,Device IP Address=192.168.1.225,Called-Station-ID=e0-d1-73-28-a7-70:TDS-Corp
    Posture Status:
    EPS Status:
     Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12571  ISE will continue to CRL verification if it is configured for specific CA
    12811  Extracted TLS Certificate message containing client certificate
    12812  Extracted TLS ClientKeyExchange message
    12813  Extracted TLS CertificateVerify message
    12804  Extracted TLS Finished message
    12801  Prepared TLS ChangeCipherSpec message
    12802  Prepared TLS Finished message
    12816  TLS handshake succeeded
    12509  EAP-TLS full handshake finished successfully
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    Evaluating Identity Policy
    15006  Matched Default Rule
    24433  Looking up machine/host in Active Directory - [email protected]
    24492  Machine authentication against Active Directory has failed
    22059  The advanced option that is configured for process failure is used
    22062  The 'Drop' advanced option is configured in case of a failed authentication request
    But the user can be authenticated by EAP-TLS
    AAA Protocol > RADIUS Authentication Detail
    RADIUS Audit Session ID : 
    c0a801e10000007f54ffe828
    AAA session ID : 
    ISE-TDS/215430381/59
    Date : 
    March     11,2015
    Generated on March 11, 2015 2:48:43 PM ICT
    Authentication Summary
    Logged At:
    March 11,2015 7:27:32.475 AM
    RADIUS Status:
    Authentication succeeded
    NAS Failure:
    Username:
    [email protected]
    MAC/IP Address:
    00:26:82:F1:E6:32
    Network Device:
    WLC : 192.168.1.225 :  
    Allowed Protocol:
    TDS-PEAP-TLS
    Identity Store:
    AD1
    Authorization Profiles:
    TDS-WLAN-PERMIT-ALL
    SGA Security Group:
    Authentication Protocol :
    EAP-TLS
     Authentication Result
    [email protected]
     State=ReauthSession:c0a801e10000007f54ffe828
     Class=CACS:c0a801e10000007f54ffe828:ISE-TDS/215430381/59
     Termination-Action=RADIUS-Request
     cisco-av-pair=ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-PERMIT_ALL_TRAFFIC-508adc03
     MS-MPPE-Send-Key=5a:9a:ca:b0:0b:2a:fe:7d:fc:2f:8f:d8:96:25:50:bb:c8:7d:91:ba:4c:09:63:57:3e:6e:4e:93:5d:5c:b0:5d
     MS-MPPE-Recv-Key=24:fa:8d:c3:65:94:d8:29:77:aa:71:93:05:1b:0f:a5:58:f8:a2:9c:d0:0e:80:2d:b6:12:ae:c3:8c:46:22:48
     Airespace-Wlan-Id=1
     Related Events
     Authentication Details
    Logged At:
    March 11,2015 7:27:32.475 AM
    Occurred At:
    March 11,2015 7:27:32.474 AM
    Server:
    ISE-TDS
    Authentication Method:
    dot1x
    EAP Authentication Method :
    EAP-TLS
    EAP Tunnel Method :
    Username:
    [email protected]
    RADIUS Username :
    [email protected]
    Calling Station ID:
    00:26:82:F1:E6:32
    Framed IP Address:
    Use Case:
    Network Device:
    WLC
    Network Device Groups:
    Device Type#All Device Types,Location#All Locations
    NAS IP Address:
    192.168.1.225
    NAS Identifier:
    WLC-TDS
    NAS Port:
    4
    NAS Port ID:
    NAS Port Type:
    Wireless - IEEE 802.11
    Allowed Protocol:

    Hello,
    I am analyzing your question, and looking at the ISE logs I can see that the machine credentials were LENOVO-PC. Are you sure that these credentials exist in your Active Directory to validate this machine? Does the machine certificate have the correct machine credentials from the domain? Does the group mapped in the ISE rule have the machine inside it?
    This differs from the user authentication, which succeeds because the domain credentials can be validated against Active Directory and get access to the network.

  • HT1338 Hi How can i reinstall OS Mavericks to make my laptop run like the first time?

    Hi, how can I reinstall OS Mavericks to make my laptop run like the first time?

  • Laptop sounds like a chainsaw

    My laptop makes a weird grinding noise. I took it in for repair less than a week ago and the fan was replaced. However, after getting it back it has returned to its usual grinding noise. It will make the same noise every couple of seconds. I have recorded a video of the sound and uploaded it here http://www.youtube.com/watch?v=HfkICMGyxH8. Could it be a problem with the hard drive, as I have read somewhere else? Please help.

    I agree, that isn't coming from the Hard Drive, I've never heard a hard drive make a sound like that.  When you got it back from repair did it make that sound right away or did it take a while?  Is it making the exact same sound that it was making before you brought it in?  Where was it that you got it repaired?  I ask because it sounds like it is coming from the fan, but if it was just replaced, then there is something that the fan is hitting or something, but I doubt that.  Almost sounds as if a bearing in the fan is gone and that is what all that noise is about.  Just making sure that they actually replaced it!

  • I updated my iTunes program on laptop, reset like prompted, then iTunes disappears?

    I updated my iTunes program on laptop, reset like prompted, then iTunes disappears? What the **** did I update for?

    I have the same problem, but not only won't iTunes 7 launch, but my HP Photosmart all-in-one printer (on my LAN) freezes, with buttons flashing and a cryptic error message, whenever I try to launch iTunes!
    I have found that if I turn off my printer, then I can launch iTunes 7 and it works fine, but I cannot use the printer AND use iTunes at the same time.
    Is this weird or what??? Anybody have any ideas on what might be causing this? HP printer support was no help.
    HP   Windows XP  

  • Can i use a private CC (Photographer) license on Corporate laptop without Audit problems

    I have a corporate laptop that I also use with my Creative Cloud license for Lightroom and Photoshop CC (I'm a private photographer).
    This is allowed within the company. But now I'm asked to remove all non-(Corporate)-licensed Adobe software because of an Audit.
    They say that Adobe only allows Adobe software with a company license. Is this true?

    Hi reinierh
    It might be best to check with your company what they mean by this.
    Companies can choose what type of license they wish to use - individual or volume licensing, for example - and providing you follow the terms of the licensing agreement there shouldn't be any issues- Licenses and terms of use | Adobe
    Thanks
    Bev

  • I just recently updated to the OS X software and every time I go on iPhoto or iMessage my computer shuts down. This problem doesn't occur when I log into my laptop as a guest. I have a MacBook Pro made in 2010.

    I just recently updated to the OS X software and every time I go on iPhoto or iMessage my computer shuts down. This problem doesn't occur when I log into my laptop as a guest. I have a MacBook Pro made in 2010.

    Any error message?

  • ISE 1.2 IOS device re-auth (device drops WiFi)

    My guest users use web-auth for authentication. An issue I've run into is that IOS devices drop WiFi during lock/sleep. This means if they were authenticated, then they will have to reconnect/reauthenticate to the SSID. I would like to find a way for these users to automatically reauthenticate (assuming they are still within their original session's timeout value). Think two hour meeting. Is there a way for me to set this up in ISE policy?
    Something like:
    IF user was authenticated within the session timeout value (6hrs)
    THEN automatically let them back on without having to re-authenticate
    Thanks.

    OK, I'm seeing a lot of "Correct Answer" type replies in another similar posting, but not a complete answer.  I have a similar issue, but only on a 2504 running 7.4.110.  I have two 5508s running 7.4.115, and they don't seem to have this issue, however I could be wrong.  Also, I'm running ISE 1.2, patch 2, soon to be patch 3 with the 5508s.  I do not yet have ISE working with the 2504, but that is coming.  We're not running Flex-Connect.
    My users are a mix of guest users via the ISE Sponsor Portal, and employees, who authenticate via Active Directory.  I am having problems putting the specifications into user-friendly terms.  If I have to add a Registration Portal, I need to be able to explain who would use it and under what situation(s)
    So, I guess what I'm looking for is what is the minimum OS I should be running on each platform to support ISE, WebAuth, and Apple & Android devices.
    I don't seem to have Security --> Local Policy on either of my builds, so I'm guessing that this was added in 7.5.  Given ISE 1.2, are there some minimal WLC builds I should be using?  Alternatively, is there ANY reason to NOT upgrade to 7.6?
    Tarik's link seems to include ISE 1.1.1, so I'm not sure how applicable it is to ISE 1.2.  I'm not opposed to using device registration for employee devices, but I do not believe I wish to do this for guest/sponsored devices.  I am not planning on a full BYOD rollout, so I do not wish to complicate things with an advanced license.  My understanding is that with AD integration, I probably don't need a MyDevices portal.
    In short, I'd like guest devices to have to auth at most once per day, and employees should be good until their AD credential expires.  Again, I thought I had this working on a pilot using WLC 5508s and 7.4.115, but this definitely is not working in WLC 2504 with 7.4.110.
    The only other thing I'd want is to be able to put the guest devices on one VLAN/SSID and the employee devices on another, but that's not as important at this time.

  • Can we still use PEAP-MSCHAPV2 for authenticating to a WPA2-Enterprise network?

    L.S,
    For authenticating to a BYOD wireless network a lot of companies use WPA2-Enterprise connected to a Microsoft IAS/NPS server to authenticate against Active Directory. There seems to be a way to intercept this wireless traffic using a rogue access point using the same (company) SSID name and tools like freeradius-WPE and cloudcracker.
    If the BYOD client doesn't check the certificate provided by the fake radius server, the MSCHAPv2 negotiation can be discovered and the hacker will get the username AND hashed password, which can be looked up via rainbow-table sites like cloudcracker.
    Is there still a safe way to deploy AD-authentication to BYOD clients?
    Kind Regards,
    Arjen

    I have tested the WPA2-enterprise/PEAP-MSCHAPv2 exploit this week, placing a laptop in my car on the company parking lot with a Kali image, using hostap and freeradius-wpe configured with the company SSID. It was very easy to find out the mschapv2 challenge/responses of a number of android/windows phones that were just walking past my car. Also iPhone has a bad WPA2-enterprise implementation (see: http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf), so bye bye WPA2-enterprise/PEAP-MSCHAPv2.
    Wonder what other (large) companies are using for their BYOD wireless networks! EAP-TLS using certificate sounds like the only feasible option, however, we are afraid that the enrolment of certificates to the BYOD-clients will be a total disaster. I heard stories that some android phones lose their client certificate after a reboot :(
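
The client-side gap discussed in this thread (a supplicant that does not check the RADIUS server certificate) can be audited on managed devices. The following is an added example, not part of the original posts: it assumes wpa_supplicant-style profiles, which the thread does not mention, and the sample configuration, SSIDs, paths and finding codes are constructed for illustration. The option names checked (`ca_cert`, `ca_path`, `domain_suffix_match`, `domain_match`, `altsubject_match`, `subject_match`) are real wpa_supplicant settings.

```python
import re

# Constructed sample wpa_supplicant.conf; SSIDs, identities and paths are made up.
SAMPLE_CONF = '''
network={
    ssid="Corp-BYOD-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-BYOD-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Corp-BYOD-hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    ca_cert="/etc/ssl/certs/example-corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Guest"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
'''

TRUST_ANCHORS = ("ca_cert", "ca_path")
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "altsubject_match", "subject_match")

# Finding codes are this example's own labels, not wpa_supplicant output.
MESSAGES = {
    "NO_TRUST_ANCHOR": "no CA configured: any server certificate is accepted",
    "NO_SERVER_NAME_CHECK": "any certificate issued by the trusted CA is accepted",
    "MSCHAPV2_EXPOSED": "inner MSCHAPv2 exchange is sent to an unverified server",
}


def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if re.fullmatch(r"network\s*=\s*\{", line):
                current = {}
            continue
        if line == "}":
            networks.append(current)
            current = None
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit_network(net):
    """Return finding codes for one 802.1X (EAP) network block."""
    findings = []
    has_anchor = any(net.get(k) for k in TRUST_ANCHORS)
    if not has_anchor:
        findings.append("NO_TRUST_ANCHOR")
    if not any(net.get(k) for k in NAME_CHECKS):
        findings.append("NO_SERVER_NAME_CHECK")
    tunneled = set(net.get("eap", "").upper().split()) & {"PEAP", "TTLS"}
    if tunneled and "MSCHAPV2" in net.get("phase2", "").upper() and not has_anchor:
        findings.append("MSCHAPV2_EXPOSED")
    return findings


def audit_config(text):
    """Map SSID -> finding codes for every block that uses an EAP method."""
    return {net.get("ssid", "<unnamed>"): audit_network(net)
            for net in parse_networks(text) if "eap" in net}


if __name__ == "__main__":
    for ssid, codes in audit_config(SAMPLE_CONF).items():
        print(ssid, "OK" if not codes else "")
        for code in codes:
            print("   ", code, "-", MESSAGES[code])
```

A profile with a CA but no server-name constraint is still flagged, because a certificate issued to anyone else by the same CA would pass validation.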

  • How to set up guest wifi network on 1200 series APs with disclaimer web portal?

    I've been thinking about this one for awhile. I want to set up a guest wifi network without any security (AES / TKIP) that allows guests to connect. Ideally, their web browser would be redirected to a web portal containing legal disclaimers, and they would need to accept the terms and conditions to use the guest wifi. I would also like to have them be required to visit the web portal again every 8 hours after that to accept the terms and conditions again.
    I have a Cisco 1240AG access point already. What else do I need to make this work?

    I don't believe you can do this just with an AP running in autonomous mode; you would need to have a WLC to configure the splash page.
    Have a look here:
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70users.html#wp1049273
    Alternatively you can use software running on a PC/Server. Something like http://www.antamedia.com/hotspot/
    Hope that helps!
    Matty

  • Hp laptop doesn't boot with wifi module

    Hi,
    After I changed the motherboard on an HP Pavilion g7 laptop I realised that it only boots if the wifi module is out. If I put the wifi module in, the laptop won't boot. It starts and remains at a black screen. If I plug the wifi module in after booting into Windows, the laptop works fine even with wifi.

    Hello Deebw,
    Welcome to the HP Forums, I hope you enjoy your experience! To help you get the most out of the HP Forums I would like to direct your attention to the HP Forums Guide First Time Here? Learn How to Post and More.
    I have read your post on how your notebook does not boot when the WiFi module is attached on your new motherboard, and I would be happy to help you in this matter!
    For further assistance, I will need to know:
    The part number for your wireless module.
    If you replaced the motherboard yourself, or if it was serviced in an HP Center.
    The Product and Model Number of your notebook computer.
    The version of Windows you have installed on your computer.
    If your computer has completed all of its important Windows Updates.
    If you have updated your HP drivers using the HP Support Assistant.
    If this is an on-going, or recent issue.
    Please re-post with the necessary information, this way I will be able to research this further for you. I look forward to your reply!
    Cheers!
    MechPilot
    I work on behalf of HP

  • AppleTV in corporate, WPA2-enterprise wifi networks

    Hello,
    I would like to use AppleTV in my institution's corporate WPA2 secure wifi network, in order to mirror my iPad. I am looking for a stable solution.
    iOS devices require the installation of a profile. I have tried to install a profile in an AppleTV (2nd generation). I don't think the profile "stuck". Should a profile stay in the AppleTV, would iOS devices "see" the Apple TV across the secure network? Also, I've read that the problem is that the first time the AppleTV tries to connect to the internet, it tries to set date and time, and it remains in there in a loop unless it sets it from a wired connection (then, it can connect to the wifi network).
    Another solution would be using an Airport Express to distribute dynamic IP's to the AppleTV and the iOS devices. But, can a WPA2-enterprise profile be installed permanently in Airport Express?
    Linking the AppleTV or the Airport Express to ethernet (RJ45 cable) is not viable: those are fixed IPs which must remain assigned only to desktop computers. The solution must be wifi to wifi.
    I would greatly appreciate any suggestions.
    Thank you very much,
    -celso

    That depends on the settings in the network you're trying to connect to. You need to check with the administrator of that network.
     - Official Sony Xperia Support Staff
