NAC-L2-802.1x (EAP-FAST) and Cisco Secure Services Client 5.0 in wired net
Hi!
(Sorry, if this is a wrong forum.)
Does anybody have any success with Cisco SSC and EAP-FAST in the wired network?
I'm going to use NAC, so I'm trying to set up EAP-FAST. I see the pop-up window on the client to enter user credentials and I see a lot of "debug radius" messages on my 3750 12.2(44)SE switch:
Access-Requests with User-Name="anonymous"
Access-Challenges (I see certificate is sent from ACS)
Access-Reject
CS ACS Failed Attempts Report shows "ACS user unknown" failure for "anonymous".
So far as I understood, EAP-FAST is a tunneled method and it uses "anonymous" to protect user's identity during phase 0 / phase 1 transactions. The actual username is sent in phase 2 transaction.
The following is excerpt from the CS ACS documentation:
"EAP-FAST can protect the username in all EAP-FAST transactions. ACS does not perform user authentication based on a username that is presented in phase one; however, whether the username is protected during phase one depends on the end-user client. If the end-user client does not send the real username in phase one, the username is protected. The Cisco Aironet EAP-FAST client protects the username in phase one by sending FAST_MAC address in place of the username. After phase one of EAP-FAST, all data is encrypted, including username information that is usually sent in clear text."
SSC 5.0 is indeed set up with "Unprotected Identity Pattern"=anonymous and "Protected Identity Pattern"=[username] using sscManagementUtility.exe
So, the question is: Why is ACS 4.1 trying to authenticate username "anonymous" if it knows that the user is fake? Does anybody have working configuaration for EAP-FAST in a wired network?
Any help is greatly appreciated.
Correct, ACS database wasn't selected on the NAP Authentication page. It works now, but I constantly get the following message in the Windows event log: "The Cisco Secure Services Client service hung on starting". This is Windows 2000 Advanced Server system with SP4. SSC was set up with no domain authentication, no machine authentication, single sign-on. After some time the SSC service starts, but at that time my PC is already put into the guest VLAN by the switch (the tx-period is 10 seconds):
POD1-SW#sh run int fa1/0/1
Building configuration...
Current configuration : 378 bytes
interface FastEthernet1/0/1
switchport access vlan 999
switchport mode access
dot1x mac-auth-bypass
dot1x pae authenticator
dot1x port-control auto
dot1x timeout reauth-period server
dot1x timeout tx-period 10
dot1x reauthentication
dot1x critical
dot1x critical recovery action reinitialize
dot1x guest-vlan 91
dot1x critical vlan 11
spanning-tree portfast
end
After all the VLAN is reassigned by the switch, but the delay is too high. How can I troubleshoot this?
Thx.
Similar Messages
-
EAP-Fast and Cisco 340 Adapters
Does anyone know if the 340 adapters support EAP-Fast? The docs that I have looked at talk about 350 adapters... I thought the only difference between 340 and 350's was the anntena.
Based on this document seems like its supported,
http://www.cisco.com/en/US/products/hw/wireless/ps4555/products_installation_and_configuration_guide_chapter09186a0080204ae1 -
Cisco ISE with EAP-FAST and PAC provisioning
Hi,
I have search with no result on this topic. So, Does anyone have implemented Cisco ISE authentication with EAP-FAST and PAC provisioning ?
Since I have an issue with internal proxy, user required to authenticate with an internal proxy before granting access to the internet.
If you have any documents, it would be appreciated for me.
Thanks,
PongsatornFrom what I understand a Internet proxy PAC and a eap-fast PAC are two different purposes.
Is that what you are trying to get clarification on.
Basically eap fast PAC provisioning is a PAC that s provisioned when a client authenticates successfully. The client provides this PAC for network authentication and not proxy authentication.
Sent from Cisco Technical Support iPad App -
HI,
I configure a Wireless Lan with 3 AP1131G-E-k9 and a radius serveur CWWLSE and Eap-Fast AND WPA2
All seem's to be OK but some Laptop are obliged to re-authenticate several time a day ?
Anybody has a idee if thre is a timer or
others paramatter I should do set ?
Thanks for your HelpI recently ran into this issue. What I found although not that technical....if the user is prompted for the PAC and does not accept, I had a hard time getting them to authenticate afterwards. I was able to remove the user from the AAA server and once I added them back in they were able to authenticate with no issues. Again this is a very basic finding and I have not had time to test my theory. I believe it has someting to do with the way AAA caches the user account, perhaps there is a denial of service or time-wait before the next login attempt is permitted. If you are using AD and not local accounts use the option, on the Radius server to Remove Dynamic Users.
hardware userd Version 7.0...5508 WLC, 3500i AP's, WCS, MSE, Cisco ACS/Radius 4.2 WPA2, 802.1x, EAP-FAST -
WLAN Access via 802.1x/EAP-FAST ACS & Windows DB
Hi,
Does anyone have any useful links about how to configure ACS server to use windows UN/PW for wireless client logins via 802.1x & Eap-fast?
I can't seem to find a defined example for the ACS to Window DB install?
Can anyone help?
Ta
JamesCheck out whether the following links are useful to you.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00804b9d57.shtml#set-acs
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00802030dc.shtml -
EAP Authentication Configuration for EAP-FAST and PEAP
Hi Everyone,
I pretty much got EAP working, however using LEAP
When I get to EAP-FAST and PEAP, I just can't seem to get it to work
What am I missing, I do know that EAP-FAST and PEAP involve certificates. However, how do i set them up on the client side?
Hope you guys can help me on this, stuck on this part xDEAP is a complicated subject for sure. But it shouldn't be really once you know the foundation.
EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how its deployed.
Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACS only.
The cert that you install on the radius server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the radius server who has the private key who can decode the hash and pass the user ID and password back to AD for example.
Hope this helps .. -
ACS 5.2 802.1x EAP-FAST w/MSCHAPv2, Cisco WiSM WLC, AD 2008
Hi All,
I'm currently trying to replace an old ACS v3.3 with v5.2.0.26.2.
Looking to authenticate wireless clients with EAP-FAST, MSCHAPv2 inner method against AD.
Coming up against a lot of issues to do with the authentication - no problems on the AD side, but getting the EAP-FAST config right on the ACS is proving difficult.
I found this guide for PEAP-FAST(MSCHAPv2), does anyone know of anything similar for EAP-FAST(MSCHAPv2)?
http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf
Any guides for ACS 5.x with EAP-FAST would be very helpful, especially to do with certificates, pac provisioning, etc.
Thanks,
RobHello,
Did you find a guide for EAP-FAST with AD ?
I'm facing the same problem, I can't make EAP-FAST working with AD Account,
Thanks to you
Regards,
Gérald -
EAP-FAST for Cisco a/b/g card ?
Per Cisco
Cisco Compatible client devices and Cisco Aironet 802.11a/b/g PCI and CardBus WLAN client adapters will support EAP-FAST in the fourth quarter of 2004.
Anyone have an idea when this will be supported?Hello,
Currently EAP-FAST support for the ADU software will be available at the end of next month. Sorry for no firmer date but the last week of January is when it appears it will be released.
Regards,
Aaron -
802.1x/EAP clarification and implementation
Dear SIr,
To setup LEAP authentication using ACS, the client needs a supplicant such as the ACU to run LEAP independent of OS.
Cisco AP will be the carrier of the EAP message between the client and the Radius server sitting between the client and the server. I know from the fact that Cisco AP support LEAP, PEAP, EAP-TLS, EAP-MD5 and EAP-SIM. From my understanding, those types of EAP mentioned earlier can be relay to the Radius server(ACS), am I right?
Does it mean that these messages are transparent from the AP point of view? If I replace the Cisco AP with other third party access point that they claim support 802.1x/EAP but they never specify the type of EAP protocol, can I still run LEAP with a third party AP though my client is Cisco and the Radius server is CSACS?
What type of OS or supplicant support EPA-MD5? I know that Windows XP and 2000 support 802.1x driver, what about their EAP protocol supported on XP and 2000?
Thanks.
DelonI think the following document will clear most of your doubts,
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008019fea2.shtml -
Is it possible to use eap-fast authentication with CCKM on 7920 phone with WLC.
It is working when configuring 802.1x and wep 104 bits on controller but it does not work with wpa1+wpa2.If the client doesn't have a PAC and automatic PAC provisioning is enabled on the ACS, then the first authentication attempt will result in a failure, which is the session where the client will receive the PAC. The 7920 only supports automatic PAC provisioning. The default PAC settings should be ok, but may want to decrease or increase based on company's security policy. Also with CCKM, this will help when roaming with an expired PAC, otherwise there will be a 20 second gap in voice when roaming with an expired PAC, where a new PAC will need to be obtained.
-
802.1x EAP-TLS with Cisco IP-Phone on MS NPS
Hi,
does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
With ACS it is not a problem at all.
thx
SebastianHi all !
Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
This is the last e-mail that Microsoft TAC has sent to the customer:
====================================================================================
As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
"Please find below some more information about the same from Microsoft TechNet Article :
CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
=====================================================================================
Tks for your help !!!!!!!
Luis -
ACS EAP-FAST and LEAP restrictions. regarding 7920 wireless phones
Hello, The 7920 still doesn´t support EAP-FAST. So I´m wondering if it is possible to restcrict EAP-FAST users from turning LEAP on. Is there a way in ACS to do that ?
Hi
Kristjan's question above is a good one - I'm looking for a similar answer...
I.e. can I add all my 7920 handset usernames to a group, and only allow these to do LEAP?
Also can I restrict LEAP users to a set of pre-defined MAC addresses?
Thanks
Aaron -
802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.
I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine... We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
in the username password Setting.
Is it possible edit or change the way the client PC is sett up to prevent this?
Is there any way make a policy setting? or is there other solutions?
I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
ThanksHi,
As I know, this goal cannot be achieved.
Reference:
Use the 802.1X Wizard to Configure NPS Network Policies
For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
Microsoft: Smart Card or other certificate, click
Configure, click
OK, and then click
Next.
For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
Microsoft: Protected EAP (PEAP). In
Eap Types, click
Add, click
Smart Card or other certificate, click the
Move Up button to position a smart card or other certificate at the top of the list, click
OK, and then click
Next.
For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
Eap Types, click
Add, click
Secured password (EPA-MSCHAP v2), click the
Move Up button to position the secured password authentication type at the top of the list, click
OK, and then click
Next.
Regards,
Sabrina
TechNet Subscriber Support
in forum.
If you have any feedback on our support, please contact
[email protected]
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
This can be beneficial to other community members reading the thread. -
EAP-TLS witch Cisco Secure ACS
Hi everyone,
we have implemented wpa/leap in our WLAN. We would use certificates for machine authentication. There is a Cisco Secure ACS Server 3.3 installed.
Is it possible to use the ACS self generated certificate without a CA ?
The examples I found on the web describes only the configuration with CSACS with Microsoft CA.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a6b.html
We use Cisco AP1231/AP1232 with 12.3.4JA.
I think for machine authentication we have to install a CA. Let me know, how you think about that issue.
ArminThere are no much options on Client side: MS PEAP, EAP-TLS, EAP-MD5. ACS version 3.3 can generate self-signed certificate (for itself) without the need to install separate CA server. So I'd recommend you to use MS PEAP (PEAP MS-CHAPv2) with self-signed certificate on ACS.
-
Catalyst 3750x and 4510R and Cisco Security Manager
Hi,
I just downloaded and install trial (evaluation) version of Cisco Security Manager 4.3. In supported devices list I saw Cisco Catalyst 3750 and 4510R but when I try to add it I got for 3750:
Invalid device: Device is a switch and cannot be mapped to a Generic Router model.
Please verify the selected device type, OS version and device configuration
For 4510R:
Invalid device: Version 03.03.00.SG (N/A) is not supported for the device type of Cisco Catalyst 4510R Switch Please verify the selected device type, OS version and device configuration
We need to make a purchase decision but for it we need to import all of our devices and perform some tests.
Thanks in advance for your replies!
BR, Vasily.I figured this out on my own -- change Compatibility mode of the installer to be Windows 8 (which is same OS version as Windows 2012) and it installs just fine.
Maybe you are looking for
-
I have been using Firefox for about two years. For about a month now I have been unable to view any Google advertisements that run on YouTube pages alongside and under videos. This is important for my business. I would like to stay with Firefox, but
-
OfficeJet Pro 8600 plus will not install , msg Call to DriverPackageInstall returns error 5
I get message "Call to Driver Package Install returned error 5 for package -c\Program Files\HP\HP OfficeJet Pro 8600\Drivers Store\Pipeline\hpup\03.inf-Call to Driver Package Install must be a member of th eadministrator group to install a driver pac
-
Just recently I tried to click on a link in my email on my Ipad Air, click on menu headings did not respond? This is a new problem! Stores send me emails on sales with menu headings to access "Clearances", "Men's Wares", etc. I click on them to see t
-
Sound drivers can`t be installed
Strange Sound. When I trig some event which will make some sound.Sound don`t come out immediately,but about 2 minutes later it comes out.For example, I click the "Test Sound" button in "Settings:/sound", 2 minutes after i just can hear the Testing-so
-
ColdFusion Builder 3 - Open a large file causing CF Builder 3 to Hang
When I try to open a large file having 2700 lines of code in CF Builder 3, it becomes completely unusable and in the task manager showing Not Responding.