Local EAP - Using PEAP
I have a question with regards to Local EAP. After you have created your Local EAP profile and applied it to an SSID a client with the appropriate certificate and local net user ID is authenticated. Once the user is authenticated does the client re-authenticate as he roams ? Are his credentials cached on the controller ?
If the client roams across access points on the same controller, I don't think the client will have to re-authenticate as long as your client supports CCXv2 which supports CCKM (Cisco Centralized Key Management) for LEAP authentication.
http://www.cisco.com/web/partners/pr46/pr147/program_additional_information_new_release_features.html
You can use this command on the controller to see the pairwise-master key cache.
show pmk-cache all
Similar Messages
-
Hi my name is Ivan
I have a question:
How can i configuring local eap in cisco wireless lan controller with active directory and using PEAP MSCHAPv2 to authenticate the users in the wlan? Do you have any documents to do it?.
thanks for your answers
Regards.
Ivan.Hi,
You cannot directly integrate AD into the WLC< we need the RADIUS in between.. so we need Either IAS or the ACS server in the middle.
The only other way is to use WLC + LDAP and here is the link..
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
Or PEAP using Microsoft IAS..
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
Lemme know if this helps and please dont for get to rate the usefull posts!!
Regards
Surendra -
Authentication eap-tls on ACS or local EAP WLC over Lwapp and 7921
Hi All,
I install WLC to provide Wlan architecture and the project was extended for VoWLAN. we have 7921 and E51 running over the wide WLAN architecture.
Computer using Data over wirless are working over PEAP done by ACS and CA signed certificate + user secret on PC is link to the domain account and secret stay the login and password. Our problem is that user and password is link via ACS to Active Directory. The policy of password is to change frequently.
For the Phone we are actually running authentication over Leap but I'm working to define the best security solution for us.
I confront PEAP and Eap-TLS for now:
1) PEAP check the authentication of ACS via certificate trust and authenticate via MS-Chapv2 and the secret password known by user. My problem here is the phone can only be static what is potentially not acceptable
2) Eap-tls which is the best secured security due to the double side certificate authentication + (login / password) on the phone
so I need to manage here Certificate Management ? I mean I can use either the MIC CA certificate on the phone or User CA defined one which I can put on ACS or Local EAP WLC and the put the ACS CA trust on the Phone.
If I understood well I have to put User.cer and ACS_CA.cer on each phone and pout the User_CA on the ACS ?
I have already Certificate on the ACS signed by CA (like veri-signed) so I must create CSR for any phones to be able to use the same CA ?
I'm thinking to use also the local Eap certificate of Controller to manage all of that to avoid every potential money to pay to the trust CA of ACS
can you help me to know if I understood everything good ? I would be please to exchange experience on that
thanks ;)
byeI am currently using EAP-TLS authentication on my wireless users using ACS 3.2. I have had that problem before. This is what I did...
Setup a Microsoft Certificate server as my
CA. You can use same machine wih your ACS and CA.
Then, generate certificate signing request from ACS then request a server certificate from CA then copy and install a certificate to ACS. On the ACS, go to global authentication setup check the EAP-TLS cetificate. If it failed to respond means that the server certificate is not properly setup.
On the windows xp clients, connect your machine using wired LAN, then request a certificate from CA(the same CA that you have use to your ACS) using IE (ex. http://CAip/certsrv), but this time request a client certificate. The name you should put when requesting the cert must be you local windows user, use 1024, choose microsoft base cryptographic provider 1.0. then installl the certificate on the client. Verify you client certificate it i was installed properly.
At that poit you should be able to connect you r wireless client using EAP-TLS. -
ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"
We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
Personas:
Administration
Role:
PRIMARY(A)
System Time:
Apr 24 2014 08:26:58 AM America/New_York
FIPS Mode:
Disabled
Version:
1.2.0.899
Patch Information:
7,1,3
11001
Received RADIUS Access-Request
11017
RADIUS created a new session
15049
Evaluating Policy Group
15008
Evaluating Service Selection Policy
15048
Queried PIP
15048
Queried PIP
15004
Matched rule
11507
Extracted EAP-Response/Identity
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
12300
Prepared EAP-Request proposing PEAP with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12302
Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318
Successfully negotiated PEAP version 0
12800
Extracted first TLS record; TLS handshake started
12805
Extracted TLS ClientHello message
12806
Prepared TLS ServerHello message
12807
Prepared TLS Certificate message
12810
Prepared TLS ServerDone message
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12318
Successfully negotiated PEAP version 0
12812
Extracted TLS ClientKeyExchange message
12804
Extracted TLS Finished message
12801
Prepared TLS ChangeCipherSpec message
12802
Prepared TLS Finished message
12816
TLS handshake succeeded
12310
PEAP full handshake finished successfully
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
12313
PEAP inner method started
11521
Prepared EAP-Request/Identity for inner EAP method
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11522
Extracted EAP-Response/Identity for inner EAP method
11806
Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11808
Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041
Evaluating Identity Policy
15006
Matched Default Rule
15013
Selected Identity Source - *****
24431
Authenticating machine against Active Directory
24470
Machine authentication against Active Directory is successful
22037
Authentication Passed
11824
EAP-MSCHAP authentication attempt passed
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
11810
Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814
Inner EAP-MSCHAP authentication succeeded
11519
Prepared EAP-Success for inner EAP method
12314
PEAP inner method finished successfully
12305
Prepared EAP-Request with another PEAP challenge
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12304
Extracted EAP-Response containing PEAP challenge-response
15036
Evaluating Authorization Policy
24433
Looking up machine in Active Directory - host/*****
24435
Machine Groups retrieval from Active Directory succeeded
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15048
Queried PIP
15004
Matched rule - Default
15016
Selected Authorization Profile - DenyAccess
15039
Rejected per authorization profile
12306
PEAP authentication succeeded
11503
Prepared EAP-Success
11003
Returned RADIUS Access-Rejectsalodh,
Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly.
12500
Prepared EAP-Request proposing EAP-TLS with challenge
12625
Valid EAP-Key-Name attribute received
11006
Returned RADIUS Access-Challenge
11001
Received RADIUS Access-Request
11018
RADIUS is re-using an existing session
12301
Extracted EAP-Response/NAK requesting to use PEAP instead
If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
Name
Wired-******-PC
Conditions
Radius:Service-Type EQUALS Framed
AND
Radius:NAS-Port-Type EQUALS Ethernet
AND
*******:ExternalGroups EQUALS **********/Users/Domain Computers
AND
Network Access:EapAuthentication EQUALS EAP-TLS
Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
Thanks again, sir.
Andrew -
Native Supplicant "NAK requesting to use PEAP instead"
Hello,
We have a Cisco ISE infrastructure in place and we're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the native Windows supplicant to use EAP only?
"Microsoft: Smart Card or other certificate" is selected under network authentication method, by group policy, and I thought that wouldn't allow PEAP, but our ISE logs show "NAK requesting to use PEAP instead", after which authorization
fails because we're not using PEAP.
For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or
a supplicant problem, but I'm leaning towards supplicant.
Thanks,
AndrewHi,
About this issue, please contact Cisco Tech Support for help.
Karen Hu
TechNet Community Support
I've already been in contact with them and they've verified our configuration. All that can be done on the Cisco side is to "propose" the client to go through EAP-TLS as the first option, which we are doing. This will not block any clients trying to connect
using other protocols, and, though this will propose EAP-TLS, there is now way to enforce it at the supplicant level. This will be a client decision always. From Cisco:
Please monitor this after the change we applied, but if the issue persists, since we are dealing with windows supplicant, it would be a good idea to involve the native supplicant support. -
Need help connecting to wifi using PEAP
Today is the first time I've even heard of PEAP. My condo told me that connect to the wifi here, I need to use the provided user name and password. When I tried connecting via my iPad and my android phone, they were able to detect that the wifi system is using PEAP and to connect me after I entered in the username and password.
Now I'm trying to connect my laptop running archlinuxx, and wifimenu is unable to automagically figure out how to connect; it finds the correct SSID, but after I select it, it doesn't even prompt me for a username and password. It says:
successfully initialized wpa_supplicant
WPA Authentication/Association Failed
After looking around a bit, I tried adding an entry to my /etc/wpa_supllicant/wpa_supplicant.conf file like this:
network={
ssid="MySSID"
key_mgmt=WPA-EAP
eap=PEAP
identity="myusername"
password="mypassword"
I omitted ca_cert, phase1, phase2and priority, because I've no idea what to put for those values and it seems like my other devices can connect without asking me for those values. I'm just making guesses as to what the values should be for key_mgmt and eap.You'll have to give us some more info as far as error messages or screen shots (Shift-Command-3).
-
WLC Local EAP-TLS auth, certificate ACL feature?
Hi All,
I implemented local EAP-TLS authentication according to http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080851b42.shtml. All is working fine, clients - Wi-Fi bar code scanners, WLC -2x4402, SV - 7.0.116.0 Certificates generated by Enterprise CA.
Afterwards, I discovered that certificates cannot be filtered by cname, or user name on WLC. It means that ANY certificate issued by CA will be authenticated against my WLAN. CA issues a whole lot of certificates (RRAS VPNs, WEB clients, etc. ) I want to filter access for my wireless clients using local EAP solution (WLC are at remote location). Can I accomplish it without external RADIUS server? Something like IOS certificate ACL?
Thanks in advance.Thanks Nicolas, sad but true, I failed to find any possibilites at WLC.
It seems I need to configure external RADIUS and use local EAP only in case of WAN failure. -
Planning on implementing EAP-TLS for wireless security and tryingto wrap my brain around what will be lost if I use local eap-tls vs an external radius server for authentication of the certificates. I thought I saw in some older posts (3+ years) that there is no CRL available when using the controller as built-in radius. I am running on a 3650 as the integrated wlc. If I can tidy up the wireless solution so I dont have to utilize an external radius server (this would be the first necessity to have an external radius server for this org) than it would be nice to keep it simple. I am planning on doing "computer only" auth for some clients and the ability to invalidate their cert would likely push me to the external radius server - I just don't know if there are any other trade-offs by using the built-in radius.
I also saw that you cant specify a radius server for anything else on the switch or the local built-in radius wont work, but then saw copnflictying info " You can disable RADIUS authentication for a given WLAN by using “config wlan radius_server auth disable wlan_id” CLI command." at this great page http://mrncciew.com/2013/04/21/configuring-local-eap-on-wlc/
but dont know if this is true or not either. I would like to know if I am locking myself into never having an external radius server If i go down the local eap-tls path.
Thanks,
BrianThanks Nicolas, sad but true, I failed to find any possibilites at WLC.
It seems I need to configure external RADIUS and use local EAP only in case of WAN failure. -
hi all,
For customer solution, I tried use WLC 526 with 5.2.157.0 (in release notes, local eap mentioned as new funkcionality, but when I configured it by WLC release 5.0 configuration guide - it doesnt work.
from sh wlan <ID> command i always see that,
Local EAP Authentication......................... Disabled
and CLI command (config wlan local-auth enable profile_name wlan_id) cannot be used and on GUI for that WLAN, enabling local eap is missing...
I also tried fw: 5.2.178.0 with same result
Any advice ??? Maybe BUG (not find)???
Thanks
LUKASEnsure you have created the correct profile. Use this document to Configure Local EAP on the WLC.
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml#wlc -
EAP/TLS , PEAP problem on PORTEGE with WinXP sp2 Tablet ed.
We have: ap Cisco AiroNet350 with WPA-EAP, Freeradius with configured EAP/TLS and PEAP, tablet PC PORTEGE with WinXP sp2.
This problem discribed at http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
Maybe to solve this problem we need a fix ( http://support.microsoft.com/kb/885453/en-us ), but microsoft support tells to contact with notebook manufacturer.
Can anybody help me with this problem?Hmmm Im not expert on this field but it seems that the MS OS update is need. (I hope)
The preinstalled Windows OS is a simply OEM version and usually every updates should be possible. However, if the MS guys told you to contact the notebook manufacture so you can contact the Toshiba authorized service provider in your country for more details.
But I have investigated a little bit in the net and found this useful site:
http://searchnetworking.techtarget.com/originalContent/0,289142,sid7_gci945257,00.html
1. 802.1X depends on communication between your wireless router and a RADIUS authentication server. Whether you're using WPA2, WPA, or WEP with dynamic keys, the following 802.1X debugging hints can be helpful:
a. Re-enter the same RADIUS secret into your wireless router and RADIUS server.
b. Configure your RADIUS server to accept RADIUS request from your router's IP address.
c. Use ping to verify router-to-server reachability.
d. Watch LAN packet counts to verify that RADIUS requests and responses are flowing.
e. Use an Ethernet analyzer like Ethereal to watch RADIUS success/failure messages.
f. For XP SP2, turn on Wzctrace.log by entering "netsh ras set tracing * enabled"
2. If RADIUS is flowing but access requests are being rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) mismatch or credential problem. Fixing this depends on EAP Type. For example, if your RADIUS server requires EAP-TLS, then select "Smart Card or other Certificate" on your wireless adapter's Network Properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" for the adapter. If your RADIUS server requires EAP-TTLS, then you'll need a third-party wireless client like AEGIS or Odyssey.
Make sure that EAP-specific properties match for your adapter and server, including server certificate Trusted Root Authority, server domain name (optional but must match when specified), and client authentication method (e.g., EAP-MSCHAPv2, EAP-GTC). When using PEAP, use the CHAP "Configure" panel to prevent Windows from automatically re-using your logon. -
Aironet 1310 using Peap Auth and AES encryption??
I have 2 1310 wireless briges in a point to point configuration with the root bridge acting as my ACS server..
I am currently running Leap Authentication and with Wep encryption but would like to upgrade this to use Peap and AES if possible??
I'm wondering if anyone has upgraded their solution to this type of encryption?
thanksWhat IOS version are you running ? 12.4(25d)JA is the last supported IOS version for this product. So you should go with that image.
If you are using AP as AAA server, then I think only EAP-FAST, LEAP & MAC authentication is supported. Not anything else.
Here is WGB (workgroup bridge) configuration with EAP-FAST & you can get an idea how to configure EAP-FAST if you choose to. (In your case you have to configure root bridge & non-root bridge in two respective AP)
http://mrncciew.com/2013/04/28/wgb-with-eap-fast/
HTH
Rasika
**** Pls rate all useful responses **** -
Hi guys,
i need to set ip my wlc as a local eap authenticator.
I create a new Wlan(test1) ad associated yo a dynamic interface.
layer 2 security--->wpa+wpa2+auth(802.1x)
aa server-->local eap
I created a local-eap profile where i checked PEAP
I create a local-database user
My wireless-pc card pc was not able to work.
did i miss any step?
thx..
Ale.Follow the steps in order to configure the devices for EAP authentication :
1. Configure the WLC for basic operation and register the Lightweight APs to the controller.
2. Configure the WLC for RADIUS authentication through an external RADIUS server.
3. Configure the WLAN parameters.
4. Configure Cisco Secure ACS as the external RADIUS server and create a user database for authenticating clients.
For the further details for configuration follow the URL It will help you :
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml -
Is local EAP + Web Authentication possible in Auto Anchor Configuration
Hi,
I have a wireless network setup in an auto-anchor configuration with the foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenerio I would like to acheive. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller which is owned and managed by another company.
Currently Web Authentication is working correctly for the Wireless Network. As another layer of security, I want to know if its possible for the wireless clients to trust a certificate installed on the foreign controller? If so, are you able to point me in the direction of a user guide to implement.
I found the following document which describes local EAP configuration . Would this work with Web Authentication?
Thanksso, kinda but no. EAP is a layer 2 authentication that uses encryption as well.
WebAuth is a layer3 authentication only.
Now the kinda....you can create guest/network users on the WLC local database, and if someone logins to the webauth portal with those credentials they will be able to get on.
I'm not really sure what you are looking to do based on your post.
Personally, if I had users that were going to roam to this controller, I'd work with that companies IT and get it linked to my AAA server and keep the EAP-TLS that I had working already going. Just because that WLC would be able to communicate to your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
HTH,
Steve -
Hello
I have set up an wlc 2125 with local eap auth which I think is working fine for now.
But I dont want it come up a certificate warning when user log in.
Can I stop this from happening without bying a certificate?
Can I turn of https all together?
TrondThank you Trond,
So here we are talking about web authentication, which does not use local EAP, so not sure whether the local EAP profile is really being triggered for that.
Clients are being prompted with a WLC's self-signed certificate, more or less in the same way as they would be if they tried to login to the WLC via HTTPS.
Similarly, the fastest way would be to install this certificate on the user's machine, so that it can trust it from that moment on.
Or you can generate a certificate signing request for the WLC, submit it to a root CA/buy a root CA signed server certificate (with the root CA trusted by the clients) and then install this certificate on the WLC:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
For web authentication, there is no way to switch to HTTP for the WLC's certificate validation.
Regards,
Fede
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Hi. I am just about to move from the UK to Kuwait. Will I have any problems using my iPhone 4 and able to join a local carrier using this device please?
If your phone is locked to a particular carrier, you must contact them to request they unlock it. Once they've taken care of that and you've followed the instructions to complete the unlock process, you will be able to use the phone elsewhere.
~Lyssa
Maybe you are looking for
-
Capture single click in a cell in JTable
I have a Table which has a column that needs to act like a URL link. I.e. when clicked it will bring up a web page. How can I get the mouse event when a specific cell is clicked as well as what cell was clicked? The table can not be editable as well
-
I've downloaded WCS-STANDARD-K9-6.0.132.0.exe (205,164 KB). Each time I try to write this to a CD it errors out and the CD is not readable. Is anyobe else have similar problem? Is there a work around?
-
Firex crash when trying press the upload button on Amazon Cloud
Whenever i press the upload button on Amazon cloud, the flash player crash, i tried to update the flash player but it still crash
-
Extracting explanations from planning app and loading into Oracle table
Hi All, I had a requirement where I had to extract data from a planning application through ODI 11g and load it into Oracle RDBMS. I used essbase as my source in technology (since planning data is stored on essbase side) and oracle as my target. Now
-
ITunes freezes entire Macbook Pro
I bought a Macbook Pro back in December and it's great. I have consistently been having one particular problem that is irritating me quite a lot. I turn on my computer. I only open iTunes, the only thing running, and I'll start up some music. I go ab