Macintosh clients, 802.1x and NAC.

I'm prototyping a NAC setup which has to cater for Macintosh clients as well as Windows. I can get the Macs to authenticate via 802.1x (surprisingly easy using the built-in software!) but what I can't do is set up a Posture Validation Rule to identify that the client is a Mac and not a Windows machine. I've tried using the Cisco:PA:OS-Version condition set specifying "contains" MAC. I've also tried "contains" 10 but it doesn't work. I think it probably doesn't work as the condition set depends on the CTA being installed on the Mac, which it isn't (and it's not an option either).
EDIT: Anyone tried installing the CTA on a MAC? It's horrific. Extract the files and run the install, OK so far. It then puts the config ini file in a directory no user (not even Admins) has permissions to so you can't modify it and BOY do you need to modify it!
Any ideas?

I'm on the home straight with this one. Essentially, to get the CTA to work using the built-in 802.1x supplicant on Windows or MacOS you need to run a mix of NAC L2 IP and NAC L2 802.1x. This requires a little extra config on the switch but nothing tragic (it's all in the NAC Framework Configuration Guide).
The reason for this is that the CTA requires a network channel to be open so it can run EAP over UDP (EOU) to do posture validation, and the 802.1x part of the process gets the machine onto the network so the CTA can do its stuff.
With this setup in place and the CTA properly configured (as mentioned previously, the permissions set up on the Mac by the CTA install make this far more difficult than it should be), the process works pretty well: popup messages work, browser launch and URL redirection work. Looks good.
The fly in the ointment is wireless. The freebie CTA doesn't support it, no way. For a PC the answer is to buy the Cisco Secure Services Client, which does support wireless, and (I think) run that alongside the CTA (haven't fully worked this one out yet). If you have a wireless Mac, you're stuffed. Simple as that, which from my point of view is a real pain as the customer I'm developing this for wants posture validation for PCs and Macs, wired and wireless.
Hope this helps someone somewhere avoid a little pain! : )

Similar Messages

  • Macintosh OSX, 802.1x and PEAP

    I'm preparing to implement 802.1x port authentication for both wired and wireless connections. The authentication server is Windows 2003 IAS. In the test environment, Windows XP clients can connect fine, but I'm not sure how to configure this for Mac OSX workstations (10.4.6). Has anyone successfully done this? If so, could you please explain the procedure, or direct me to documentation that explains the process?

    Assuming you're using NAC framework then it's bad news: 802.1x won't work on a Mac. If you use 802.1x and L2IP in combination then wired Macs will work but wireless Macs will not. The reason is that the Cisco CTA for the Mac communicates using EAP over UDP and this transport is not available when using 802.1x alone or over a wireless link with 802.1x or L2IP. The only way of catering for all client types at once (Windows wired and wireless, Mac wired and wireless) is L3IP.
    The NAC Appliance "will" support wireless Macs in a future release but (I believe) doesn't at the moment.

  • NAC - L2 IEEE 802.1x and NAC - L2 IP differences.

    Hi,
    My customer has a Cisco 4507R switch with IOS version 122.31-SG1 which doesn't support NAC - L2 IEEE 802.1x but supports NAC - L2 IP.
    What is the difference between these features and which feature is required for proper authentication and posture assessment?
    Thanks and regards,
    Pulkit Sharma

    Hello, Sharma,
    Can you be clearer about your question? What are you trying to achieve?

  • Supplicant Client Provisioning for Windows + NAC - is it supported?

    Hello,
    I'm testing out a scenario where it would be most interesting to be able to provision a Windows laptop, from connecting to a Guest SSID, with the wireless settings it would need to access a secure SSID where it would then be posture assessed. Like when someone brings their laptop from home to work in the company, and you want to make sure the laptop is not carrying any bad stuff, while still assisting the user with their configuration.
    As the NAC provisioning rules and the supplicant provisioning rules are done from the same page, I'm having trouble being able to differentiate the initial supplicant client provisioning (SPW) and the posture verification done after the association to the secure SSID.
    The choices that we have on the client provisioning pages seem to be too limited to do this.
    Can anyone confirm if this scenario is supported?
    Thanks for any insight
    Gustavo Novais

    Hi Tarik, I managed to do what I wanted - same client being provisioned and NAC'd in two steps, as you were suggesting.
    One limitation that I found though is that as soon as you mark a device as registered (part of the RegisteredDevices endpoint group), you stop being able to distinguish an iPad from a Windows workstation if both of them have been registered by the same user: both of them will belong to the RegisteredDevices group (assuming initial registration via the web guest portal), both of them will have a similar certificate (same common name) and profiling group matching will no longer work.
    Do you know if there is any workaround to it? - I can see the common case where people bring their laptop from home as well as their iPad.
    A possible way would be to register to two different devRegPortals (two different endpoint groups) depending on the initial profiling option, but I saw no option on the guest portal to be able to choose multiple devRegPortals, only the self-provisioning flow. I guess the best possible way would be to not merge guest portal and provisioning portals and use different authZ rules depending on the initial profiling of the devices, on a separate SSID dedicated to provisioning.
    Thanks for your insight
    Gustavo Novais

  • Win 7 client with machine and user auth stuck in 802.1x_REQD

    Hi everybody
    we have a WLC 5508 with 7.2.110.0 and an ACS 5.3 and do the following:
    - Win 7 client gets a GPO object with the wlan configuration for "Machine and User authentication" with PEAP
    - On ACS 5.3 I configured correctly the authentication and authorization for first machine authentication and then user authentication ("Was machine authenticated" = true)
    - First when machine authentication happens, the client is configured into a quarantine VLAN, where it is only allowed to communicate with the domain controllers
    - When the user authentication happens, the client is moved into the productive client VLAN with no restrictions.
    Everything works fine, except that after the user logs in, it takes about 3 minutes until the client answers the EAP Identity Request and logs in; see attached screenshot or the screenshot below:
    In the client status on the WLC I can see that the client is stuck in the 802.1x_REQD state for these 3 minutes, until suddenly it authenticates (but then very often, about 5 times - see screenshot).
    We tried the following to find the problem, but we were not able to locate it:
    - Configure the machine and user authentication into the same vlan all the time
    - ONLY user authentication on the client
    - Played with the Win 7 settings (timers, and so on)
    - When we manually configured the WLAN profile on the Win 7 client and saved it, the Win 7 client connected to the SSID without any problems and without any delay (about 5 seconds after the save)
    Has anyone ever had the same issue?
    Thanks a lot and best regards
    Dominic

    Hi Amjad
    very good point on this, thanks a lot. In this case, I did not even think about the client firmware side; I thought that it should be the WLC or the client settings, but not the driver. We will give this a shot next week, maybe this will help us to solve the problem.
    It is normal to have the client in 802.1x_REQD if it is not yet authenticated and that is the expected state to be in in your situation until the client fully authenticates.
    Absolutely correct that the client is associated and in the 802.1x_REQD state as long as the authenticator did not get the EAP Identity Response, but that the client takes such a long time to answer is not normal ;-)
    - What is the supplicant that is used on the windows machines? default WLAN supplicant? or you use some commercial supplicants?
    WZC.
    - what is the result when testing with user auth only?
    The same, it takes such a long time.
    - what is the result when testing with machine auth only?
    Machine authentication works as expected, fast and as soon as the client is booted, the client gets authenticated.
    Regards and have a nice weekend
    Dominic

  • ISE 802.1x and Windows Logoff

    Hi Guys,
    I have an ISE that works fine using 802.1x, but we have a strange behaviour when the client just logs off the Windows machine: after the client logs in again, the machine does not authenticate and gets stuck with the message "not possible to authenticate". Then I need to unplug the machine's cable and plug it in again, and after this everything works fine.
    This happens just using logoff windows.
    could someone help me about it?
    thanks a lot

    Hi Rik,
    I am using this configuration.
    interface GigabitEthernet3/33
    switchport access vlan 22
    switchport mode access
    switchport voice vlan 23
    ip access-group ACL-DEFAULT in
    logging event link-status
    authentication event fail action next-method
    authentication host-mode multi-domain
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication violation restrict
    mab
    snmp trap mac-notification change added
    snmp trap mac-notification change removed
    dot1x pae authenticator
    dot1x timeout tx-period 10
    qos trust device cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQos-4.0-Cisco-Phone-Input-Policy
    service-policy output AutoQos-4.0-Output-Policy
    The clients are using the NAC Agent to perform posture.
    If I unplug the cable and plug it in again, everything works fine, but if the client logs off and after a while logs in again, the NIC cannot be authenticated.
    thanks a lot

  • Problem with Macintosh client on 10.5.6

    I am having a problem with applying color labels and I was wondering if anybody else was. My server was upgraded to 10.5.6 and ever since then, when on a Macintosh client, applying a color label will not work as expected. I can label a file a color and it shows, but when I click off the file, it changes back to the previous color (or no label if it previously didn't have a label). If I click on the file again, then the label seems to stick, but even this isn't consistent. It seems that the label does look correct when I look on the server itself. We use the labels quite a lot in my workgroup as a simple way to organize works in progress. Can anybody replicate this on their system? Also, this happens on clients running both 10.5.5 and 10.5.6 (and even 10.5.3 I think).
    thanks,
    sean ross

    Yes, this appears to be a bug introduced with whatever modifications Apple made to AFP in 10.5.6. See this thread for more info, but no solution yet: http://discussions.apple.com/thread.jspa?messageID=8776293

  • ISE and NAC Agent

    Hello, we currently run NAC for our wired (OOB), wireless (IB) and VPN (IB) environments. We are looking at migrating over to ISE for our wireless environment as a first step, with follow-up projects to move the VPN and wired clients over. I have been reading that ISE will still use the NAC agent. Our current NAC environment is at 4.7.2 and we are running the 4.7.2.10 agent. We do not want to upgrade this environment; we would rather focus on migrating to ISE. So our thought was to upgrade the clients to the latest NAC agent version 4.9.1.5. This agent is supported against the 4.7.2 NAC Manager. The problem is, I do not see this agent version listed as supported in the ISE compatibility matrix. Instead, they list a NAC agent of 4.9.0.37, which ironically is NOT listed in the NAC compatibility matrix. So what version of NAC agent should we run in a mixed environment? I am hoping 4.9.1.5 is supported against ISE, and the matrix is simply not updated yet. Thank you in advance for your help.

    Not sure I understand. The 4.9.1.5 NAC agent does run against our CAM, as we have tested that and it is listed in the support matrix. So if we upgrade our NAC appliances, we would still run that agent. Does that agent run against ISE, and if not, what is Cisco's recommendation to bring ISE into the environment? We have to have a migration path, and wireless seemed like a logical first step. But we need a NAC agent that will work against Clean Access AND ISE as our laptops will be wireless and wired at different times. Which agent would be recommended?

  • 802.1x and Voice VLAN

    I had read articles on CCO, and I believed that on the same switch port we can have 802.1x configured and the voice VLAN configured. It means the IP phone is connected to the switch port with 802.1x configured, but the phone will not authenticate; only the workstation connected to the phone's data port will get authenticated.
    I had configured 802.1x and tested with a notebook logon and was able to access the network. Now I would like to test the notebook attached to the IP phone data port, with the phone connected to a switch port configured with 802.1x. But I failed to add the voice vlan command. Why?
    interface GigabitEthernet9/48
    description temporary port
    switchport
    switchport access vlan 12
    switchport mode access
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    CIG01-ENT-SW1(config-if)#switchport voice vlan 14
    Command rejected: Gi9/48 is Dot1x enabled port.

    Using IEEE 802.1x Authentication with Voice VLAN Ports
    A voice VLAN port is a special access port associated with two VLAN identifiers:
    - VVID to carry voice traffic to and from the IP phone. The VVID is used to configure the IP phone connected to the port.
    - PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
    In single-host mode, only the IP phone is allowed on the voice VLAN. In multiple-hosts mode, additional clients can send traffic on the voice VLAN after a supplicant is authenticated on the PVID. When multiple-hosts mode is enabled, the supplicant authentication affects both the PVID and the VVID.
    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several Cisco IP phones are connected in series, the switch recognizes only the one directly connected to it. When IEEE 802.1x authentication is enabled on a voice VLAN port, the switch drops packets from unrecognized Cisco IP phones more than one hop away.
    When IEEE 802.1x authentication is enabled on a port, you cannot configure a port VLAN that is equal to a voice VLAN.
    What kind of switch do you have? On a 3550 I can configure the port for both VVID and PVID:
    interface FastEthernet0/1
    switchport access vlan 3
    switchport mode access
    switchport voice vlan 2
    no ip address
    dot1x port-control auto
    spanning-tree portfast
    end
    Nevertheless, as the statement above indicates, the port will need to be configured for multi-host in order for the PC behind the phone to get authenticated:
    under the interface configure "dot1x host-mode multi-host"
    Never mind, I just realized that you might have a 5600 running native; checking the configuration guide and release notes, it does not look like dot1x and the voice VLAN can play together on that platform.
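    The interface stanzas in this thread, and the one posted in the ISE logoff thread above, are the kind of thing worth auditing across a whole running config rather than by eye. The following Python is an added example (not Cisco's tooling and not from either thread): it checks every dot1x-enabled port against the two rules quoted above, that the voice VLAN must differ from the port VLAN and that a port with a voice VLAN needs multi-host (older `dot1x host-mode`) or multi-domain (newer `authentication host-mode`) before the PC behind the phone can authenticate. The interface names and VLAN numbers are constructed samples modelled on the thread.

```python
"""Audit IOS interface stanzas against the 802.1x / voice-VLAN rules quoted in the thread."""

# Constructed sample config: Gi3/33 mirrors the multi-domain port from the ISE
# logoff thread, Gi9/48 is the voice port from this thread with the rejected
# 'switchport voice vlan' line present, Gi9/49 has the voice VLAN equal to the
# port VLAN (the case the configuration guide says IOS refuses).
SAMPLE_CONFIG = """\
interface GigabitEthernet3/33
 switchport access vlan 22
 switchport mode access
 switchport voice vlan 23
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet9/48
 switchport access vlan 12
 switchport mode access
 switchport voice vlan 14
 dot1x port-control auto
 spanning-tree portfast
!
interface GigabitEthernet9/49
 switchport access vlan 14
 switchport mode access
 switchport voice vlan 14
 dot1x port-control auto
!
"""

DOT1X_ENABLED = ("dot1x port-control auto", "authentication port-control auto")
HOST_MODE_KEYWORDS = ("dot1x host-mode ", "authentication host-mode ")
PHONE_PC_MODES = ("multi-host", "multi-domain")   # the two modes shown on the page


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for every 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":
            current = None                      # '!' closes the stanza
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas


def audit_dot1x_voice(lines):
    """Findings for one stanza; an empty list means the port follows both rules."""
    findings = []
    if not any(line in DOT1X_ENABLED for line in lines):
        return findings                         # rules only apply to dot1x ports
    access = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan ")), None)
    voice = next((l.split()[-1] for l in lines if l.startswith("switchport voice vlan ")), None)
    host_mode = next((l.split()[-1] for l in lines if l.startswith(HOST_MODE_KEYWORDS)), "single-host")
    if voice is None:
        return findings                         # no phone on this port
    if access == voice:
        findings.append(f"voice VLAN {voice} equals the port VLAN; IOS rejects this on an 802.1x port")
    if host_mode not in PHONE_PC_MODES:
        findings.append(f"host-mode is {host_mode}; the PC behind the phone needs multi-host or multi-domain")
    return findings


def audit_config(config):
    """Map every interface in the config to its list of findings."""
    return {name: audit_dot1x_voice(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
```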

  • CSA agent and NAC agent together

    Hi, do you have experience of CSA agent and NAC agent together on the same pc ?
    Does one include the other ?
    Which one do I have to test first?
    thank you in advance
    greetings
    RS

    Cisco Trust Agent collects security posture information from the NAC-compliant applications running on the network client and reports them to the Cisco Secure Access Control Server (ACS). These are some NAC-compliant applications:
    - Antivirus applications
    - Personal firewalls
    - Host-based intrusion protection applications, such as Cisco Security Agent (CSA)
    Cisco NAC is a strategic element of the Self-Defending Network. Working together with other Self-Defending Network components such as Cisco Security Agent and the Cisco Security Monitoring, Analysis, and Response System (Cisco Security MARS), Cisco NAC helps organizations achieve more accurate threat identification and prevention while increasing patch management efficiency.

  • Compatibility 802.1X and mac-filter from ACS

    If the clients' identities and MAC addresses are stored in the same ACS server,
    in the WLC, could a WLAN be configured with Layer 2 security using both 802.1x and MAC filtering?
    this is really a critical problem for me!
    Thanks~

    Hi,
    I am assuming you are asking: if you configure a WLAN client's MAC in the MAC filter and the same MAC as the user name in the 802.1x ACS database, could you configure it, and what is the effect?
    If my understanding of your question is correct, the answer is:
    Any WLAN client will not be allowed to associate to the network unless a match is seen in the MAC filter on the WLC.
    But once that is done it will not be able to access network resources unless 802.1x authentication is completed by ACS against the WLAN client's user name, which is again the MAC address of the client.
    I don't see a value in doing this, except that you will block unnecessary authentication requests getting to ACS by filtering them in the first instance.
    Another scenario is if you are using MAC filtering also on ACS; it should be preceded by MAC filtering and then ACS authentication, as above as far as the sequence goes, hence the same logic applies here.
    Thanks

  • 802.1x and the iPhone

    So I don't think this is possible right now to connect to an 802.1x network from the iPhone. I am posting for 2 reasons.
    1. Anybody figure out a way to do this?
    or if not...
    2. Apple, we really need this in a software update...

    802.1X [upper case X] is a network access mechanism or authentication protocol used with 802.11x [lower case x] wireless networking standards, such as…
    • 802.11a
    • 802.11b
    • 802.11g
    • 802.11n
    …and so on. It has been natively supported in Mac OS X for Macintosh desktop and portable platforms since the release of OS X 10.3, but is not typically visible unless you launch the Internet Connect application to add and configure it.
    A general discussion of 802.1X can be found in this Wikipedia article.
    The oft confused 802.11x is nothing more than a generic representation of the group of wireless networking standards listed above.
    This really is a very substantial issue for many academic and business users, as access to their networks is typically controlled by an upstream RADIUS server and without support for configuring an 802.1X interface, they cannot connect to their networks as recognized, authorized users.

  • Wireless 802.11r and .k on WLC

    Hello all,
    I've seen that in 7.4 and later releases on the WLC5508 you can configure 802.11r and 11k support using Fast Transaction so that iOS7 won't experience connection loss during roaming. My question is: on the same WLAN can I configure 802.1X and FT-802.1X authentication so that I'll be able to have non-802.11r and 802.11r capable clients on the same SSID? Or will this setup create association problems?
    BR
    OG

    Maybe this can help explain it also:
    http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0111.html#d155467e2632a1635
    Legacy clients cannot associate with a WLAN that has 802.11r enabled if the driver of the supplicant that is responsible for parsing the Robust Security Network Information Exchange (RSN IE) is old and not aware of the additional AKM suites in the IE. Due to this limitation, clients cannot send association requests to WLANs. These clients, however, can still associate with non-802.11r WLANs. Clients that are 802.11r capable can associate as 802.11i clients on WLANs that have both 802.11i and 802.11r Authentication Key Management Suites enabled. The workaround is to enable or upgrade the driver of the legacy clients to work with the new 802.11r AKMs, after which the legacy clients can successfully associate with 802.11r enabled WLANs. Another workaround is to have two SSIDs with the same name but with different security settings (FT and non-FT).
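    The quoted explanation turns on how a supplicant parses the RSN element: an AP with both 802.1X and FT-802.1X enabled lists two AKM suite selectors, and a driver that gives up on any selector it does not know never gets as far as association. The following Python is an added example (not from the thread or from Cisco's documentation): it builds and decodes an RSN element per the IEEE 802.11 layout (element ID 48, version, group cipher, pairwise list, AKM list, capabilities) and models both a strict legacy driver and a tolerant one choosing an AKM. All sample elements are constructed; the `select_akm` policy is a simplification that picks the first advertised AKM the client supports.

```python
"""Added example: decode an RSN element and show why an old supplicant driver that
rejects unknown AKM selectors cannot join a mixed 802.1X / FT-802.1X WLAN."""
import struct

RSN_ELEMENT_ID = 48
OUI_IEEE = b"\x00\x0f\xac"          # 00-0F-AC suite selectors defined by IEEE 802.11
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}


def build_rsn_ie(akms, pairwise=(4,), group=4, capabilities=0):
    """Build a minimal RSN element (no PMKID list) advertising the given suite numbers."""
    body = struct.pack("<H", 1)                                  # RSN version 1
    body += OUI_IEEE + bytes([group])                            # group cipher suite
    body += struct.pack("<H", len(pairwise)) + b"".join(OUI_IEEE + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(OUI_IEEE + bytes([a]) for a in akms)
    body += struct.pack("<H", capabilities)                      # RSN capabilities field
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


def _suite_name(selector, names):
    """Map a 4-byte selector to a name; non-IEEE OUIs are vendor-specific and kept raw."""
    if selector[:3] != OUI_IEEE:
        return ("vendor", selector.hex())
    return names.get(selector[3], f"unknown-{selector[3]}")


def _suite_list(body, off, names):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    if off + 2 > len(body):
        raise ValueError("RSN element truncated before suite count")
    count = struct.unpack_from("<H", body, off)[0]
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("RSN element truncated inside suite list")
    suites = [_suite_name(body[off + 4 * i: off + 4 * i + 4], names) for i in range(count)]
    return suites, off + 4 * count


def parse_rsn_ie(ie):
    """Decode version, group cipher, pairwise ciphers, AKM suites and capabilities."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID or len(ie) != 2 + ie[1]:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 6:
        raise ValueError("RSN element shorter than version + group cipher")
    version = struct.unpack_from("<H", body, 0)[0]
    group = _suite_name(body[2:6], CIPHER_NAMES)
    pairwise, off = _suite_list(body, 6, CIPHER_NAMES)
    akms, off = _suite_list(body, off, AKM_NAMES)
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {"version": version, "group": group, "pairwise": pairwise,
            "akms": akms, "capabilities": caps}


def select_akm(ie, supported, reject_unknown):
    """Model a supplicant choosing an AKM from the AP's element.
    reject_unknown=True is the legacy driver from the thread: any selector it does
    not know aborts the attempt. A compliant driver skips unknown selectors and takes
    the first advertised AKM it supports. Returns the AKM name, or None if it cannot join."""
    akms = parse_rsn_ie(ie)["akms"]
    if reject_unknown and any(a not in supported for a in akms):
        return None
    return next((a for a in akms if a in supported), None)


# Constructed sample elements: a WLAN with both AKMs enabled, and a plain 802.1X WLAN.
MIXED_WLAN_IE = build_rsn_ie(akms=(1, 3))
PLAIN_WLAN_IE = build_rsn_ie(akms=(1,))
LEGACY_AKMS = {"802.1X", "PSK"}                  # what a pre-802.11r driver understands
```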

  • 802.1X in NAC OOB

    We are installing a NAC solution version 4.9, and we want to know which protocol between 802.1X and SNMP is recommended for discovery?
    We have multiple vlans for users and only one authentication vlan.
    Thanks in advance,
    Jocelyn

    Hi,
    In a wired environment, dot1x and snmp will not work well together. So you will set the port the way it is and let the CAM use SNMP on moving users to their role based vlans.
    It is ok if you have multiple vlans and one authentication vlan, when you configure the user roles on the manager you can set the vlan attribute there.
    Please explain what you are referring to as discovery? Are you referring to snmp traps being sent for new mac addresses?
    For wireless and if you want to enable SSO, then you will have to use radius and snmp both.
    Tarik Admani

  • AirPort Extreme (802.11n) and Airport Express

    I wonder...
    I do realise from reading other posts that connecting my Airport Express as a client, joining my 802.11n (and 54g compatible) network, will slow the whole network down.
    But I can't do without the airport express, and I don't want to slow down my WAN 100 MBit internet connection either.
    Is there a way to split the networks WITHOUT having to switch to the Airport Express-network when I want to play to the Express in iTunes? Has anyone tried some working configs of how to combine these two in a good way?

    Saw a recent post just now...I guess the only solution would be to connect the Express by wire to the Extreme!
