MacBookPro and Cisco's LEAP authentication method

Similar Messages

• ACE 4700 and Cisco ACS aaa authentication

  ACE version Software
  loader: Version 0.95
  system: Version A1(7b) [build 3.0(0)A1(7b)
  Cisco ACS version 4.0.1
  I am trying to authenticate admin users with AAA authentication for ACE management.
  This is what I've done:
  ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
  warning: numeric key will not be encrypted
  ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
  ACE-lab/Admin(config-tacacs+)# server ?
  <A.B.C.D> TACACS+ server name
  ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
  can not find the TACACS+ server
  specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
  ACE-lab/Admin(config-tacacs+)#
  Why am I getting this error? I have full
  connectivity between the ACE and the ACS
  server. Furthermore, the ACS server
  works fine with other Cisco IOS devices.
  Please help. Thanks.

  Thanks. Now I have another problem. I CAN
  log into the ACE via tacacs+ account(s).
  However, I get error when I try going into
  configuration mode:
  ACE-lab login: ngx1
  Password:
  Cisco Application Control Software (ACSW)
  TAC support: http://www.cisco.com/tac
  Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
  The copyrights to certain works contained herein are owned by
  other third parties and are used and distributed under license.
  Some parts of this software are covered under the GNU Public
  License. A copy of the license is available at
  http://www.gnu.org/licenses/gpl.html.
  ACE-lab/Admin# conf t
  ^
  % invalid command detected at '^' marker.
  ACE-lab/Admin#
  The ngx1 account can access other Cisco
  routers/switches just fine and can go into
  enable mode just fine. Only issue on the ACE.
  Any ideas? Thanks.

• Tablets and Cisco WLC Web Authentication

  Hi my name is Ivan
  I have a question:
  I would like to know which are the tablets that support Web Authentication in Cisco WLC?.
  Android, Samsung, others?
  And wich are the requeriments of the tablet to use this way to authentication?
  Regards
  Ivan

  Any device that has a browser which can generate HTTP(s) traffic utilizing a browser can use WLC Web Auth.  If you're question is regarding being presented "automatically" with the captive portal I have seen this can be dependent on OS.  From my reading about Droids (not hands on experience) the Android devices don't provide a captive portal query that would "automatically" bring up the WebAuth page when connected to an open network using L3 WebAuth security, but you then open your browser and try to hit any web page and you're fine.  Apple IOS can handle this automatically (in most cases)
  As long as the device can connect to the WLAN in question, open a browser, then try to navigate to some URL, it should work fine.

• NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

  Hi everyone,
  Hoping someone can help please.
  We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
  We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
  What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
  then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
  Has anyone implemented this before and if so, are there any guides available please?
  Many Thanks,
  Dean.

  Hi Dean,
  Thanks for posting here.
  Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
  Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
  Checklist: Configure NPS for Dial-Up and VPN Access
  http://technet.microsoft.com/en-us/library/cc754114.aspx
  Thanks.
  Tiger Li
  Tiger Li
  TechNet Community Support

• SCOM 2012 Unix/linux agents authentication method

  Hi everybody
  We have an environment including SCOM 2012 SP1, 10 windows server, 40 linux servers and 10 HP-UX servers. all of them are joined a trusted domain. I know the authentication method between windows agents and management server is kerberos. but about linux
  and HP-UX servers? I have read :
  "UNIX and Linux agent monitoring in Operations Manager requires certificates to secure the SSL communication channel between the Management Servers and agents. The
  Operations Manager UNIX/Linux agent is a very lightweight agent implementation, comprising a CIM Object Manager (OpenPegasus) and CIM Providers.  There are two
  protocols involved in the communication between the Management Server and the UNIX/Linux agent:  ssh and WS-Management."
  Now I want to secure the Unix/Linux agents authentication and communication to RMS. some questions:
  1- how much secure and credible is current authentication method? and in a high secure environment can I trust SCOM self signed Certificates?
  2- Considering this point that Unix/linux computers are joined to active directory domain and are using Kerberos to authenticate, can I use this authentication method between RMS and linux Agents? 
  3- if I make a decision to use certificates should I use gateway server? (considering all servers and RMS are in same trusted domain)
  any other suggestion?
  Thanks in advance

  Hi Ghasem,
  Some helpful links for your questions:
  http://technet.microsoft.com/en-us/library/hh487288.aspx
  http://blogs.technet.com/b/kevinholman/archive/2012/03/18/deploying-unix-linux-agents-using-opsmgr-2012.aspx
  Natalya

• Cisco ISE multiple EAP authentication methods question

  With Cisco ISE can you have various clients each using different EAP methods, such as PEAP for Windows machines, MD5 for legacy and TLS for others?
  My current efforts seem to fail as if a device gets a request from the ISE for an EAP method it doesnt understand it just times out.
  Thanks in advance.

  Multiple EAP Methods work fine. If your Clients are being crap you could try forcing then to use a specific set of Allowed Authentication Method by creating more specific Authentication rules.
  Sent from Cisco Technical Support iPad App

• MAC and Leap authentication

  I am using MAC address and LEAP authehtication via ACS, MAC address is configured as user in ACS database and LEAP using external windows user database.
  If this is a case, can someone use the MAC address as username and p/w to login to the network ?
  If I use both the ACS secure DB and ext Windows user DB, which one will be checked first for an username from client ?

  If I key in the MAC address in the username and password logon, will the MAC address passthrough both the MAC and LEAP authentiation ?
  First the MAC address is verified by the ACS local user database. Secondly, when come to LEAP authentication, since I key in MAC address as username and passwaord, this entry is also found in the ACS local database as a valid user, will it be allowed ?

• Cisco ACS v4.1 - User Export incl. Authentication Method

  Hi,
  I wish to export a list of all our users, to include their group and more importantly, their password authentication method. We have a combination users that authenticate using both ACS internal database and also external RSA Secure ID database. Basically I need to identify all users who are NOT authenticating against Secure ID.
  I ran CSUtil.exe -u   , however this only gives me the user & group, doesn't list the authentication method per user.
  Thanks,
  Brian

  Brian,
  Unfortunately, CSUtil.exe will only list the users & group they are a member of. So the simple answer is no.
  If the goal is to set everyone to use token authentication, you could get export a list of all users with CSUtil.exe, then use the client import option to update database used for authentication of all users. Here is the url for documentation on this and other CSUtil.exe options.
  =====================
  Via Csutil
  Created a file in text format
  ONLINE
  UPDATE::EXT_SDI
  ADD::EXT_SDI:PROFILE:
  DELETE:
  csutil -i
  =====================
  If you feel adventerous, you could explore the contents of the dump.txt. by running csutil -d
  This file does contain the information you are looking for. However, there is no documentation or support available for reading or decrypt it.,
  Regards,
  Jatin
  Do rate helpful posts-

• VDI and other authentication methods

  hello,
  I want to set VDI 3 and i know you need AD/LDAP for a production environment.
  I was wondering if in any way there is/(will be) an open framework for other authentication methods,
  for instance like HESIOD?
  thanks
  Michael.

  Since you disabled "clear", you will need to configure SquirrelMail to use Cram-MD5.
  To do so run:
  sudo /etc/squirrelmail/config/conf.pl
  and adjust your IMAP and SMTP settings

• Reset Authentication method to Exchange 2013 EAC and now I can't get in.

  In trying to work through a list of issues related to Exchange upgrade I inadvertently have locked myself out of the EAC by changing the authentication method.  Is there any way to change it back?

  Hi,
  According to my experience, the ECP login failure issue has many reasons. Thus, to narrow down the cause, we can try to confirm the following information and try the following troubleshooting:
  1. Check the detail information about OWA and ECP virtual directory:
  Get-owavirtualdirectory |fl
  Get-ecpvirtualdirectory |fl
  2. Clear or restart the MSExchangeOWAAppPool
  Thanks,
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Angela Shi
  TechNet Community Support

• TS3276 Does anyone know the YAHOO authentication method and port? I recently installed the new OSX 10.8.2 software and my mac mail wont work.

  Does anyone know the YAHOO authentication method and port? I recently installed the new OSX 10.8.2 software and my mac mail wont work.

  Hello,
  I have no idea what you're talking about, however my Mail stopped working when I
  had to add a new e-mail address for my Hotmail account.
  My new Hotmail address works, and seems to get e-mail from the old e-mail address,
  which from I've read behaves as a "default" address for the old address.
  Apple Mail is linked to my Hotmail account of the old e-mail address.
  I no longer know my old password.
  Apple Mail will not accept my new password for ny new Hotmail account.
  Can someone help me solve this problem WITOUT COMPLICATED SOLUTION!
  As I said I have no idea what a port, or SSL or authentication is!
  If you do answer,please answer in vert simple steps that are easy to follow, and donlt make matters worse.
  Thanks,
  SB

• Suggestions/Help - Authentication method and tracking of acess/download

  Hello all.
   Recently i've got a mission to do on Sharepoint and i would like to ask you guys for some suggestions on how to do this:
  -Create an authentication method and tracking of access and download documents from one page.
  Already tried some ways but no success until now, then i come here to ask for your help.
  I am a beginner in sharepoint development so please try to speak in the simplest possible way, some terms i may end up not understanding.
  I do Really appreciate all the help.

  Hopefully you have access to Central Administration.  If you don't, I think you don't have the control over the farm you will need to accomplish your task.  Go into Central Admin.  On the left side you will see an option "Upgrade and
  Migration".  Select the option "Convert farm license type".  The next page will tell you the current license version.  I'm not sure about Foundation, but I expect that the upgrade and migration link won't be available at all and
  thus could be assumed to be Foundation which may not have the functionality you desire.  The list at
  http://technet.microsoft.com/en-us/library/jj819267.aspx will show you that they are only available in the Standard or Enterprise version.

• Airport and Cisco Aironet over Radius

  Does anybody know how to configure a MacBookPro with built in Airportcard to connect to Cisco Aironet 1231 WLAN Router with LEAP Authentication over Radius Server?? I can connect to it when no security is activated but if LEAP is on no connection and no request is on the Server from the Client??!! Thanks in advance.

  Does anybody know how to configure a MacBookPro with
  built in Airportcard to connect to Cisco Aironet 1231
  WLAN Router with LEAP Authentication over Radius
  Server?? I can connect to it when no security is
  activated but if LEAP is on no connection and no
  request is on the Server from the Client??!! Thanks
  in advance.
  I am having the same problem with my MacBookPro. Currently, I have supplied data to Apple's engineers from my machine as this is a known problem with MacBookPro's. AluminumG4 notebooks have no trouble authenticating; therefore, this may be a problem with the Atheros chipset. I am hopeful that the next version update will fix the problem, but don't have any information from Apple to support that optimism.
  Good luck,
  Norm

• RADIUS and Cisco 2611 router

  Greetings. First, let me start by saying I am an idiot, I know I am an idiot, and I apologize for wasting everyone's time. I have actually RTFM, many RTFMs, in fact, and I still have not found a resolution.
  Second, I am trying to set up a RADIUS server in my test network. I have installed ClearBox RADIUS on a Windows 2000 system. I have the following configuration on my Cisco 2611 router:
  Using 2297 out of 29688 bytes
  ! Last configuration change at 17:20:27 PDT Tue May 20 2008
  ! NVRAM config last updated at 17:20:29 PDT Tue May 20 2008
  version 12.1
  no service single-slot-reload-enable
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname Tester
  logging buffered 10000 debugging
  aaa new-model
  aaa group server radius RadiusServers
  server 172.26.0.2 auth-port 1812 acct-port 1813
  aaa authentication login default group RadiusServers local
  aaa authentication login localauth local
  aaa authentication ppp default if-needed group radius local
  aaa authorization exec default group radius local
  aaa authorization network default group radius local
  aaa accounting delay-start
  aaa accounting exec default start-stop group radius
  aaa accounting network default start-stop group radius
  aaa processes 6
  enable secret xxx
  username test password xxx
  clock timezone PST -8
  clock summer-time PDT recurring
  ip subnet-zero
  no ip domain-lookup
  no ip bootp server
  interface Loopback0
  ip address 192.168.0.1 255.255.255.0
  interface Ethernet0/0
  description To Main Network
  ip address X.X.X.X 255.255.255.128
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  full-duplex
  no cdp enable
  interface Ethernet0/1
  description To Internal Network
  ip address 172.26.0.1 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  load-interval 30
  full-duplex
  no cdp enable
  ip nat pool test X.X.X.X X.X.X.X netmask 255.255.255.128
  ip nat inside source list 3 pool test overload
  ip nat inside destination list 3 pool test
  ip classless
  ip route 0.0.0.0 0.0.0.0 X.X.X.X
  no ip http server
  ip radius source-interface Ethernet0/1
  access-list 3 permit 172.26.0.0 0.0.0.255
  no cdp run
  snmp-server community public RO 15
  radius-server host 172.26.0.2 auth-port 1812 acct-port 1813 key secret
  radius-server retransmit 3
  radius-server key secret
  line con 0
  password xxx
  logging synchronous
  line aux 0
  line vty 0 4
  access-class 10 in
  password 7 1234567890
  logging synchronous
  ntp clock-period 17208108
  ntp server 192.43.244.18
  end
  My RADIUS server is up and responding to requests, but my router does not appear to be forwarding authentication requests to it. In fact, when I log into the router using HyperTerm, it times out, and I end up authenticating locally.
  I really don't care whether my Cisco equipment authenticates against the RADIUS server, but I do need to get it set up to authenticate my users so I can track their time online. What have I missed in my router configuration? Why isn't it forwarding user authentication requests to the RADIUS server.
  Thank you for any assistance you may be able to provide.

  I have found that if I am in the middle of composing a response, and I open the thread in another browser window (to refer to it), when I go to submit my response, it doesn't get posted. Perhaps you are running into the same thing.
  The command I shared:
  aaa authentication enable default group radius local
  ... was erroneous. The keyword should have been "enable", as you have discovered.
  Therefore use:
  aaa authentication enable default group radius enable
  When I view a Wireshark trace I see the following:
  AVP: l=18 t=User-Password(2): Decrypted: "user-PWD\000\000\000\000\000\000\000\000"
  Like you, I see the user password appended with the group of \000 grouping's.
  Note the word "Decrypted" which confirms that the password entered in Wireshark is a match with that entered on the AAA client (for what that's worth).
  I'm not sure if I suggested that this would confirm that the server and client were using the same shared secret. If I did, I miss-spoke. I think we would have to gauge the server's response to the attributes we see passed by the client.
  The Wireshark decryption is much more dramatic with TACACS+ because the whole payload is encrypted.
  My issue with your PPPoE is that I saw no "interface" on the router that is configured to perform such authentication. I do seem to recall a global authentication command with the PPP keyword perhaps. I have not attempted to do this, and am not sure whether the interfaces in your router will support this method. Perhaps someone else will weigh in with an opinion.
  However, there are other mainstream authentication methods that I think you should investigate as well.
  You could implement 802.1x on a switch so that a host has to authenticate before it can gain Layer 3 access to the LAN. Depending on the platform, you can download VLAN assignments and ACLs.
  I believe the router also supports 802.1x, but that may determine whether a host can get "through" the router. I have not had cause to investigate 802.1x on the router. I may do so in the future to authorize access to IPsec tunnels.
  The router is also likely to support Authentication Proxy. This feature intercepts a user's attempt to browse resources on the other side of the router. User specific ACLs can be downloaded to the router (from RADIUS) to control what resources a user can access.
  I think you should:
  1. Resolve the issue(s) with AAA logins on the router. It'll establish a baseline of functionality, and give you some short term joy.
  2. Investigate whether PPPoE support exists on your router's interfaces.
  3. Read up on 802.x and Authentication Proxy (docs on Cisco web site).
  4. Decide which methods appeals to you.
  5. Dive in.
  I'd lose the self-deprecation. I don't think it will serve you well. If you're treated badly, move to a newsgroup where the participants display a higher level of emotional maturity. I don't think you will have an issue on the Cisco forums. Others would probably step in.
  I'm going to be absent for several days, so if you don't receive any response, it will be for said reason.
  Good luck.

• ASA to ACS: how to distinguish different authentication methods?

  I have SSL VPN Clients connecting to an ASA 5520 using RADIUS to a backend Cisco ACS. I want to support two authentication options for the clients. The first is a certificate combined with an Active Directory username & password. The second is a token-name & one-time-password.
  Setting these two authentication methods up on the ASA is no problem ... I can configure user selectable connection profiles that have the wanted authentication settings. The ACS can handle both the AD and token credentials.
  Here's the problem. I need to be able to distinguish on the ACS if a connection request was certificate authenticated or not. I don't want users choosing to do a token/OTP connection and then entering in their AD credentials instead. the ACS won't know that this AD authentication request wasn't properly combined with a certificate.
  I've used NAR settings in the past to control what user databases an AAA client can authentication against, however, if the two authentication methods are coming from the same AAA client (the ASA), what can I do?

  I guess this should be possible with a feature called NAP,( network access profiles). Here you can define which database to use for any specific request. We can filter request on the basis of attributes sent in the authentication request.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NAPs.html
  Regards,
  ~JG