LAP 802.1x supplicant and H-REAP

Hello,
is it possible to combine the 802.1x supplicant feature of a LAP with an H-REAP scenario with trunked/tagged uplinks to the switching infrastructure?
Will the switchport opened via successful 802.1x authentication be valid for the native VLAN only (management traffic), or will it also be valid for the tagged VLANs on the trunk?
br
am

Did you ever figure out a resolution to this? I'm facing the same problem. 802.1x authentication does not work for the system profile and I have to login and manually click the connect button for 802.1x.

Similar Messages

  • Auth-Fail Feature and Windows 802.1x Supplicant Compatibility

    As per Cisco IOS design when authentication fails the switch sends a simulated EAP-Success message to the client so that DHCP can be implemented by the client. Taking into consideration the dot1x auth-fail command is configured.
    However we have noticed that when using the built-in Windows XP SP2 802.1x supplicant and authentication fails, the Windows supplicant does not like this Cisco simulated EAP-Success message and drops the packet, therefore never re-initiating the DHCP process.
    I have attached the Microsoft supplicant log indicating the dropped EAP-Success.
    We are using catalyst 3750 with IOS 12.2(25)SEE. We have also tried release 12.2(35)xxx but issue persists.
    Your suggestions would be appreciated.
    Thank You,
    ET

    An EAP-Failure is by design. This occurs on all failures. The session fails rather normally. After the third (default but configurable) successive failure, the port is conditionally enabled (and placed in the auth-fail-vlan) even though 1X is configured and operating.
    At this point, it's up to the supplicant to access the network if it wants to, since the port has been enabled. Without the notion of a controlled port on a supplicant, there's no reason it shouldn't try and access the network ;-).
    Once a workstation is authorized on the network, and then subsequently fails for whatever reason, and is put on the auth-fail VLAN, then it's also up to the machine to renew its IP if it needs to. Optionally, you can configure the auth-fail-vlan to be the same as your default VLAN. I guess it's worth pointing out that you'd have this problem without 802.1X (changing VLANs on the fly, for example). Some supplicants can deal with this though.
    If an EAPOL-Logoff does not come from a supplicant (and it doesn't by default with Windows-XP) then there's nothing to get the port out of the Auth-Fail-VLAN either (short of link down). You can configure this through registry though. So the answer to your earlier question was no .. it shouldn't.
    I'm not sure I understand the "IB" and "OOB" references here though.
    Hope this helps,

  • SPS224 and Windows XP SP3 802.1x supplicant problem

    Hi everybody
    We run an MS Active Directory based network (Windows Server 2008, MS NPS as RADIUS server) and have Windows XP SP3 and 7 in it. We have a lot of SPS224 (with the latest SW version 1.0.6) as the access switches, and we are trying to implement 802.1x in our network to authenticate users by their AD domain computer accounts. Also, we want to use dynamic VLAN assignment using RADIUS attributes. The authentication by PEAP-MSCHAPv2 works fine on all workstations but we have a problem with the dynamic VLAN assignment in case Windows XP machines are used. The problem is that after a successful authentication and VLAN assignment on a switch port, the Windows XP supplicant is trying to re-authenticate after several seconds. However, the switch port state remains authorized and the workstation does not lose connection. So, the only problem we see is that the state of the supplicant does not correspond to the switch port state. We have noticed that the problem occurs when the "multiple sessions mode" is used (it is needed to enable VLAN assignment by RADIUS attributes). We have tried the built-in Windows XP SP3 supplicant and Cisco Secure Services Client with a similar result. At the same time, the Windows 7 workstation works just fine, without any problems. Has anybody faced this problem with Windows XP and has a workaround? Any help will be appreciated!

  • Windows XP built-in 802.1x supplicant problem

    Hi, we are deploying PEAP for wireless access. We had no problem getting this working with the laptop vendor supplied wireless management software (which includes an 802.1x supplicant), but when I switch to Windows Zero Configuration and let Windows XP manage wireless, the laptop cannot associate with wireless SSIDs. The back end RADIUS server (MS IAS) log shows that the user (with AD credentials) is successfully authenticated, but the Windows XP supplicant seems not to receive the authentication successful response from the RADIUS server, keeps retrying and finally gives up. Any idea what is going on with the Windows XP dot1x supplicant? The laptop is running XP SP3.

    Not exactly sure what could be the problem. It should be working - it's definitely supported (I'm currently typing this via a XP SP3 machine using PEAP WPA2/AES via WZC). The only things I can think of to check are:
    - Make sure your wireless drivers are up to date *this is a must*
    - Make sure the other supplicant is completely disabled (uninstall it if you really need to rule it out)
    - Try disabling the server certificate check in the WZC profile for this network (do you know for sure that your laptop trusts the IAS server's certificate)?
    - Are you doing machine or user authentication for PEAP - make sure you have the WZC profile properly configured
    - Are you 100% sure that you've configured everything properly for the network (WPA vs WPA2? AES vs. TKIP? etc.)

  • Anyone rolled out 802.1x supplicant in a large Microsoft AD environment?

    Morning all, anyone have any suggestions how I can roll out Microsoft's native 802.1x supplicant to a large number of PCs? I've got ISE and several different versions of Windows (XP, 7) working in a lab, but not being a Microsoft AD guy I'm kind of clueless how to pull this off. Can it be done via a group policy? If so, has anyone got a good document on how to pull this off?

    It is really simple, you can follow the guide here in the technet kb:
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/7220c686-e033-4903-b40e-bf3b7e581d05
    There are other threads that can show you how to do this on the wireless side as well. Make sure the AD guys set the correct eap types (peap or eap-tls) and you should be good to go.
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x Machine and User Auth Vlan assignments

    I have machine and user auth working between Win2K PC and ACS 3.3 but not sure how to best use the Vlan assignment feature. I use Vlans for different departments and if I assign a vlan in ACS to a machine when it authenticates but the user is assigned to a different Vlan, I don't get a renewed IP.
    Here is how it's working now:
    1. Machine authenticates to ACS and assigned to a Vlan
    2. User logs in and if they are assigned to the same Vlan as the machine, works fine. If assigned to another vlan, the switchport does get changed but the PC still has an IP from the initial Vlan it was assigned to. Releasing and renewing doesn't work but I really don't expect it to.
    So, I figure the solution to this is just not to set a per-user VLAN and only set it per machine. But the group mapping in ACS looked like a great way to assign VLANs based on a user's Active Directory group, but it doesn't appear to recognize the different computer OUs we have. So I can assign VLANs based on user groups but not computer groups. As machines are added to ACS, I could change them to an ACS group with the VLAN set, but this would be a lot more work than an automated method like unknown user policy.
    So, how are others assigning machines to vlans in large multi-vlan networks using ACS and 802.1x?

    By default users and computers belong to different global groups. "Domain Users" vs. "Domain Computers" for example.
    As for your example, it seems like you have a misbehaving supplicant, and authentication is attempting and then timing out and starting over .. it never actually gets to fail, so the auth-fail stuff won't help.
    Note: A good way to troubleshoot this is to notice it in action via show command:
    Here's an example of what you should see on a switch port.
    AuthSM State = State of the 802.1X Authenticator PAE state machine
    VALUES:
    AUTHENTICATED -- Auth Succeeded
    AUTHENTICATING -- Auth is attempting
    CONNECTING -- Dot1x is up and configured and trying to locate a supplicant.
    HELD -- Auth probably failed.
    BendSM State = State of the 802.1X back-end authentication state machine
    VALUES:
    IDLE -- Nothing is happening.
    REQUEST -- Switch sent some EAP data to AAA, and is waiting to get something back.
    RESPONSE -- AAA sent the switch back some data, and the switch in turn asked the supplicant for more data.
    NOTE: You should rarely see the RESPONSE state above. If you see it for more than a second or so in the middle of an auth attempt, that's a smoking gun that you might have a misbehaving supplicant, b/c it shouldn't take that long to send an EAPOL frame. The switch will eventually time out, and start auth over.
    Hope this helps,
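The reply explains how to read the AuthSM/BendSM lines and says a RESPONSE state that persists for more than about a second points at a misbehaving supplicant. The following is an added example (not from the reply's author) that parses those two lines from repeated show-command snapshots of one port and flags RESPONSE runs longer than a threshold; the snapshots are constructed, and their polling timestamps are assumed.

```python
import re

# The two lines the reply explains, in the "Key = VALUE" form it quotes.
AUTHSM_RE = re.compile(r"AuthSM State\s*=\s*([A-Z]+)")
BENDSM_RE = re.compile(r"BendSM State\s*=\s*([A-Z]+)")

# Meaning of each state, taken from the reply's own table.
AUTHSM_MEANING = {
    "AUTHENTICATED": "auth succeeded",
    "AUTHENTICATING": "auth is attempting",
    "CONNECTING": "dot1x up, trying to locate a supplicant",
    "HELD": "auth probably failed",
}
BENDSM_MEANING = {
    "IDLE": "nothing is happening",
    "REQUEST": "EAP data sent to AAA, waiting for a reply",
    "RESPONSE": "AAA replied, switch is waiting on the supplicant",
}


def parse_snapshot(text):
    """Extract (AuthSM, BendSM) from one snapshot; None if either line is missing."""
    a, b = AUTHSM_RE.search(text), BENDSM_RE.search(text)
    return (a.group(1), b.group(1)) if a and b else None


def describe(authsm, bendsm):
    """Human-readable reading of a state pair, using the reply's table."""
    return "%s / %s" % (AUTHSM_MEANING.get(authsm, "unknown AuthSM " + authsm),
                        BENDSM_MEANING.get(bendsm, "unknown BendSM " + bendsm))


def stuck_response_runs(samples, threshold_s=1.0):
    """samples: list of (seconds, snapshot_text) polled from one port.

    Returns [(start, end)] for every run of consecutive RESPONSE samples whose
    span exceeds threshold_s, i.e. the 'smoking gun' the reply describes."""
    runs, start, last = [], None, None
    for ts, text in samples:
        st = parse_snapshot(text)
        if st is not None and st[1] == "RESPONSE":
            start = ts if start is None else start
            last = ts
        elif start is not None:
            if last - start > threshold_s:
                runs.append((start, last))
            start = last = None
    if start is not None and last - start > threshold_s:
        runs.append((start, last))
    return runs


# Constructed poll of one port during a bad-supplicant episode (not real switch output).
SAMPLE_POLL = [
    (0.0, "AuthSM State = CONNECTING\nBendSM State = IDLE"),
    (0.5, "AuthSM State = AUTHENTICATING\nBendSM State = REQUEST"),
    (1.0, "AuthSM State = AUTHENTICATING\nBendSM State = RESPONSE"),
    (3.5, "AuthSM State = AUTHENTICATING\nBendSM State = RESPONSE"),
    (4.0, "AuthSM State = AUTHENTICATING\nBendSM State = RESPONSE"),
    (30.0, "AuthSM State = CONNECTING\nBendSM State = IDLE"),  # switch timed out, restarted
]

if __name__ == "__main__":
    for start, end in stuck_response_runs(SAMPLE_POLL):
        print("RESPONSE stuck from %.1fs to %.1fs: suspect the supplicant" % (start, end))
```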

  • AnyConnect NAM 802.1x supplicant question

    Hello everyone,
    I am using the AnyConnect Network Access Manager as a 802.1x supplicant (with an ACS 5.4 as authentication server). The authentication process works like a charm but there is one issue that the users here do not like. There is a popup window from AnyConnect with a "cancel" button after the users enter their username and password...
    Now you would think that this should not be an issue but I have experienced otherwise. The users here seem to like to click cancel buttons, which in this case interrupts the authentication process (so they get placed in the guest VLAN). I have attached a photo of the popup window. Do any of you know a way to hide this popup window completely or at least make the cancel button unclickable?
    Thank you in advance,
    Ron Aarts

    Hi,
    Can you check the link below and see if the client policy helps:
    http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/ac04namconfig.html#wp1124492
    Check and see if the disable client option is not checked and test.
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • Anyconnect 4 as 802.1x supplicant replacement for Windows - where to put config xml file?

    I want to try out Anyconnect NAM as a 802.1x supplicant replacement in Windows 8.1
    And I have made myself a fine little config xml file that I want to test.
    But where do I put that config file?
    Should I rename it to something special, or should Anyconnect NAM have some extra startup parameters?
    Thank you.

    The file must be called "configuration.xml" and if you already installed NAM, then put the file in \Users\All Users\Cisco\Cisco AnyConnect Secure Mobility Client\Network Access Manager\newConfigfiles\ and restart the AnyConnect service.
    If instead you are creating an install package for deploying, you can put the configuration in a directory named Profiles/NAM/ together with the msi package; the installation will import the config itself when you run the msi file.

  • REAP and H-REAP

    I have a question regarding design and protocol. I have a network consisting of four buildings all connected through a combination of fiber and MPLS. These building need wireless. I would like to implement a solution using one 4402 WLC with LAPs in the buildings. My question regards the REAP and H-REAP protocols. Each building will have servers that the wireless users will need to access. I do not want all the traffic coming over the WAN only to return the way it came. It seems like implementing the LAPs with H-REAP is the solution to my problem. I want to ask the community if this seems correct and also ask anyone to add any other information that may be helpful as I may be missing something.
    My concern is unnecessary traffic on the WAN. I want the ease of managing one controller without wasting bandwidth on my WAN. Is there a way to have traffic that is destined for a server that may be local to the LAP not use the WAN? What if the wireless users are on a separate VLAN/subnet than the servers in the same building?
    Please ask any questions if possible. I hope I was clear enough.
    Thank you.

    Yes... H-REAP is your answer. With H-REAP, as you know, you can have traffic egress out of the AP's interface directly into the local LAN just as an autonomous AP would. Only centrally switched SSIDs will need to be tunneled back to the WLC, but it is up to you what you want locally switched and what you want tunneled back. Traffic will stay local since the wireless device will have a local gateway, and routing will not send traffic out the WAN if it is destined for another local subnet.

  • Does ISE 1.1 support TACACS and H-REAP?

    Hello,
    Does ISE1.1 support TACACS/TACACS+ and H-REAP mode ?
    Also, the customer wants to have quick access to the corporate network with a few laptops without going through Active Directory. Any suggestion on this?
    Thanks
    Olu

    EAP-TLS does not rely on AD.
    CA root cert is installed on ACS for trust and identity.
    you can elect to Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory
    Users and Identity Stores >
    Certificate Authentication Profile >
    Edit: "CN Username"
    see the checkbox at the bottom.
    I do EAP TLS machine auth only without integrating AD into the policy at all.
    hth,
    jk

  • Cisco ISE FlexAuth with 802.1X PCs and IP Phones as MAB multi-domain Q?

    I'm trying to follow the TrustSec 2.1 guide on IP Phones into Low Impact mode.
    I can get a PC on its own to authenticate via dot1x/TLS.
    I can get a Cisco IP Phone on its own to authenticate via MAB.
    When the two are on the same switchport, the phone will authenticate but not the PC. ISE logs EAP timeouts.
    The switchport has the LowImpact port ACL of
    ip access-group ACL-DEFAULT in
    The IP Phone gets a dACL that allows it ok.
    I assume MAB phone and dot1x PC is supported?  Any ideas?
    Thanks in advance.

    The ISE log detailed steps are as follows:
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15048  Queried PIP
    15048  Queried PIP
    15004  Matched rule
    11507  Extracted EAP-Response/Identity
    12300  Prepared EAP-Request proposing PEAP with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12501  Extracted EAP-Response/NAK requesting to use EAP-TLS instead
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    12625  Valid EAP-Key-Name attribute received
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12502  Extracted EAP-Response containing EAP-TLS challenge-response and accepting EAP-TLS as negotiated
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12806  Prepared TLS ServerHello message
    12807  Prepared TLS Certificate message
    12809  Prepared TLS CertificateRequest message
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12504  Extracted EAP-Response containing EAP-TLS challenge-response
    12505  Prepared EAP-Request with another EAP-TLS challenge
    11006  Returned RADIUS Access-Challenge
    5411  No response received during 120 seconds on last EAP message sent to the client

  • 802.1x NAC and per-user ACLs

    Can 802.1x NAC and per-user ACLs be used together on the same port? I know some of the NAC documentation says that 802.1x NAC does not support downloadable ACLs, but it looks like it might be outdated, and according to http://cisco.com/en/US/products/ps7077/products_configuration_guide_chapter09186a0080817284.html , it appears that there is nothing preventing this.
    Also, when will URL redirection to a remediation server be supported with 802.1x NAC?

    You just need to configure it differently on ACS. "Downloadable IP ACLs" used to be "Downloadable PIX ACLs" on ACS. It changed to "IP" when VPN concentrators started supporting this with ACLs too. You saw this with NAC, if I remember .. and EOU does it this way as well.
    802.1X with per-user ACLs was already shipping at the time though (has been for some time) and the mechanism is operationally the same .. just functionally different.
    With per-user ACLs, you'd configure a VSA like:
    ip:inacl#1=deny ip any host 10.1.8.3
    ip:inacl#2=permit ip any any
    The "downloadable IP ACL" config would look like:
    deny ip any host 10.1.8.3
    permit ip any any
    In the end, both techniques use the same VSA. This VSA is 026\009\001. In "per-user-ACLs, there's no sort of handshake though to see if the ACL is already there, etc. It slaps the ACL on for you unconditionally as an authorization rule b/c you told it to. (hence the "ip:inacl" stuff above). With "downloadable", there's a handshake before actually applying the ACL .. to see if there's an earlier copy of the ACL, and it'll only update what changed, etc.
    So, it really boils down to semantics. Both techniques work. AAA config is subtly different on the backend. Look for this to get consistently deployed soon, but in the meantime, it's still supported ;-).
    Hope this helps,
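The reply says both the per-user "ip:inacl#N=" pairs and the downloadable ACL travel in the same VSA, 026\009\001 (RADIUS attribute 26, Cisco vendor ID 9, vendor-type 1, i.e. cisco-avpair). As an added example (not the reply author's code), the following encodes the two ACEs from the reply into that VSA, decodes them back out of an attribute blob that also carries an unrelated attribute, and reassembles the ACL in sequence order while rejecting duplicate sequence numbers; the sample blob is constructed.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor-type of cisco-avpair: the "026\009\001" VSA


def per_user_acl_avpairs(acl_lines):
    """Number a list of ACEs as ip:inacl#N=... pairs, exactly as the reply shows."""
    return ["ip:inacl#%d=%s" % (i, ace) for i, ace in enumerate(acl_lines, start=1)]


def encode_avpair(value):
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute."""
    data = value.encode("ascii")
    # One-byte attribute length minus type(1)+len(1)+vendor-id(4)+vtype(1)+vlen(1).
    if len(data) > 247:
        raise ValueError("cisco-avpair too long for one VSA: %d bytes" % len(data))
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC,
                       6 + len(vendor_part), CISCO_VENDOR_ID) + vendor_part


def decode_avpairs(attrs):
    """Walk a RADIUS attribute blob; return cisco-avpair strings in wire order."""
    out, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_VENDOR_SPECIFIC and len(body) >= 6:
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j + 2 <= len(body):          # a VSA may carry several sub-attributes
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("malformed VSA sub-attribute at offset %d" % (i + 2 + j))
                if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                    out.append(body[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return out


def inacl_from_avpairs(avpairs):
    """Rebuild the inbound ACL from ip:inacl#N= pairs, ordered by N.

    Duplicate sequence numbers are rejected here because they would make the
    ACE order ambiguous (our own check, not a documented IOS behaviour)."""
    numbered = {}
    for pair in avpairs:
        if not pair.startswith("ip:inacl#"):
            continue                            # other avpairs (e.g. vlan-id) ignored
        num, _, ace = pair[len("ip:inacl#"):].partition("=")
        n = int(num)
        if n in numbered:
            raise ValueError("duplicate ip:inacl#%d" % n)
        numbered[n] = ace.strip()
    return [numbered[n] for n in sorted(numbered)]


# The ACL from the reply, used as constructed sample input.
SAMPLE_ACL = ["deny ip any host 10.1.8.3", "permit ip any any"]

if __name__ == "__main__":
    blob = b"".join(encode_avpair(p) for p in per_user_acl_avpairs(SAMPLE_ACL))
    print(blob.hex())
    print(inacl_from_avpairs(decode_avpairs(blob)))
```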