NPS & EAP-MD5

Hi there,
We are currently working on the deployment of 802.1x enterprise-wide.  Since we have some old devices that don't support 802.1x natively, and have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.
When we tested it prior, we were running Windows 2003 + IAS.  The test was flawless, however, it required us to enable Reversible Encryption and relax our password complexity requirements, which was unacceptable.  We then decided to upgrade to Windows 2008 to leverage the separate password/complexity policy requirements based on a user or a group of users.
I've just finished setting that up, and it works perfectly.  We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namely exporting the configuration and being able to import it to our other IAS/NPS servers).  We currently run the NPS service on our DCs (two of them for redundancy), however, we can't seem to make the MAC Authentication Bypass work.  After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008.  They mention that there are third-party EAPHost-compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.
My question is, has anyone else run into this problem?  If so, how did you go about fixing it?  Unfortunately, Cisco only seems to support EAP-MD5 for the MAC Authentication Bypass; we're currently running this on 3560 Catalyst switches.  I'd much rather get it working again on our NPS servers, as I don't want to revert back to IAS, since it's a pain to replicate the configurations between more than one box.
Thanks!
Warren 
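The EAP-MD5 exchange that MAB rides on, with the server-side check, shows why the authentication server needs the cleartext password (and hence reversible encryption in AD). This is an added Python example, not code from the post or from Microsoft/Cisco; the MACs, passwords and identifiers are constructed.

```python
import hashlib
import secrets

# EAP codes and the MD5-Challenge type (RFC 3748 s5.4); the digest itself is
# the CHAP construction from RFC 1994.
EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def eap_md5_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """MD5(Identifier || password || challenge). The server can only recompute
    this if it holds the cleartext password, which is why NPS needs 'Store
    password using reversible encryption' on accounts used for EAP-MD5."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_md5_request(identifier: int, challenge: bytes) -> bytes:
    """EAP-Request/MD5-Challenge: Code, Identifier, Length, Type, Value-Size, Value."""
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(challenge)]) + challenge
    return bytes([EAP_CODE_REQUEST, identifier]) + (4 + len(data)).to_bytes(2, "big") + data


def build_md5_response(identifier: int, password: bytes, challenge: bytes, name: bytes = b"") -> bytes:
    """EAP-Response/MD5-Challenge; the optional Name field follows the 16-byte Value."""
    value = eap_md5_value(identifier, password, challenge)
    data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return bytes([EAP_CODE_RESPONSE, identifier]) + (4 + len(data)).to_bytes(2, "big") + data


def parse_md5_challenge(packet: bytes):
    """Return (code, identifier, value, name); raise ValueError on a malformed packet."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier = packet[0], packet[1]
    if int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("EAP Length does not match packet size")
    if packet[4] != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not an MD5-Challenge packet")
    value_size = packet[5]
    if 6 + value_size > len(packet):
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, packet[6:6 + value_size], packet[6 + value_size:]


def server_verify(response: bytes, identifier: int, challenge: bytes, cleartext_password: bytes) -> bool:
    """Authentication-server side check of an EAP-Response/MD5-Challenge."""
    try:
        code, rid, value, _name = parse_md5_challenge(response)
    except ValueError:
        return False
    if code != EAP_CODE_RESPONSE or rid != identifier or len(value) != 16:
        return False
    expected = eap_md5_value(identifier, cleartext_password, challenge)
    return secrets.compare_digest(value, expected)


def mab_eap_exchange(mac: str, stored_password: bytes) -> bool:
    """MAB over EAP-MD5: the switch presents the endpoint MAC as both username
    and password. Returns whether a server holding stored_password accepts it.
    (Constructed walk-through of the exchange, not a capture.)"""
    identifier = 1
    challenge = secrets.token_bytes(16)
    _request = build_md5_request(identifier, challenge)          # server -> switch
    response = build_md5_response(identifier, mac.encode(), challenge, mac.encode())
    return server_verify(response, identifier, challenge, stored_password)
```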

Hi PCGUY1184,
I am trying to get Mitel phones working with 802.1X. I have enabled MD5 and made the other changes you propose, but it's still not working. The event log is showing event ID 6274:
Network Policy Server discarded the request for a user.
Contact the Network Policy Server administrator for more information.
User:
 Security ID:   NULL SID
 Account Name:   Mitel8021X
 Account Domain:   #Domain Removed#
 Fully Qualified Account Name: #Domain Removed#\Mitel8021X
Client Machine:
 Security ID:   NULL SID
 Account Name:   -
 Fully Qualified Account Name: -
 OS-Version:   -
 Called Station Identifier:  -
 Calling Station Identifier:  08-00-0F-5D-87-1A
NAS:
 NAS IPv4 Address:  192.168.202.1
 NAS IPv6 Address:  -
 NAS Identifier:   -
 NAS Port-Type:   Ethernet
 NAS Port:   11
RADIUS Client:
 Client Friendly Name:  Nortel5520
 Client IP Address:   192.168.202.1
Authentication Details:
 Connection Request Policy Name: Secure Wired Connections
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  #NPS Server FQDN# 
 Authentication Type:  -
 EAP Type:   -
 Account Session Identifier:  -
 Reason Code:   1
 Reason:    An internal error occurred. Check the system event log for additional information.
Did you come across this problem? I saw a hotfix available for 2008R2 for EAP-MD5 where the name field is empty, however the hotfix won't install, as I believe I already have a newer version of raschap.dll.
Regards,
Craig

Similar Messages

  • ISE 1.2 and EAP-MD5

    Hi,
    I have HP ProCurve switches that need to get authenticated with EAP-MD5, but I can't get it to work in ISE 1.2 with patch 2.
    We have tried all combinations for EAP-MD5 in allowed protocols but get the same message when trying to authenticate.
    The ISE deployment does not run in FIPS 140-2 mode.
    And when using the switch with NPS we get this to work, so switch configuration is ok.
    Failure Reason:  12003 Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols
    Resolution: Ensure that the EAP-MD5 protocol is allowed by ISE in Allowed Protocols.
    Root cause :The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-MD5 instead. However, EAP-MD5 is not allowed in Allowed Protocols.
    Any thoughts on this?
    Cheers

    Choose Policy > Policy Elements > Results >Authentication > Allowed Protocols
    Select EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.
    Save the Allowed Protocol service.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Authentication with EAP-MD5/PEAP/FAST

    Version: ISE 1.2p12
    Hello,
    I have trouble authenticating devices that use different protocols:
    - Cisco IP Phones: EAP-MD5
    - Windows machines: EAP-PEAP
    - Cisco APs: EAP-FAST
    1) I'm able to authenticate the IP Phones individually with an authentication rule:
    IP PHONES If Wired_802.1X allowed protocols EAP-MD5
    For EAP-MD5 I selected only EAP-MD5
    Now if I use a generic rule
    DEVICES If Wired_802.1X allowed protocols EAP-PEAP-FAST-MD5
    with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST, EAP-MD5 selected, it doesn't work
    ISE says that there's a protocol mismatch:
    "Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning"
    ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is using EAP-MD5.
    I read in another topic that some of you would consider MAB/Profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5
    2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue"
    Does any of you have hints ?

    I know now the problem. The WLC tries to connect with "anonymous bind" to the LDAP server. It works well with Win2000. With Win2003 it works only if you open the security. See link: http://support.microsoft.com/kb/320528/en
    You don't have the possibility to configure any username/password for a secure LDAP query. It's something that is an absolute need for many customers.
    For the moment I will suggest the "workaround" with AP->WLC->Radius->LDAP.
    Kind regards
    Alex

  • ISE MAB Host Lookup - PAP or EAP-MD5

    In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
    In the attached setup, MAB is taking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols. 
    Does the "Host Lookup" under allowed protocols provide for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
    How could we dictate to our switch to start using EAP-MD5 to pass the MAC?  If you look at the attached authentication details output, it lists in the AV Pair a EAP-Key.  Is that it?
    Thank you.
    Cath.

    Hello Cath-
    Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is a type of "protocol" used to process the MAB. If you look at the top of the authentication session, what do you see under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot).
    Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
         interface fa0/1
         mab eap
    Things to consider:
         1) If you make that change, the default/built-in condition in ISE "Wired-MAB" will have to be changed, since the Service-Type RADIUS attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authentication rule and be denied on the network.
         2) Because the MAC address is sent in clear text in "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password.
         3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests.
    Here is a good document that you can reference as well:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
    Hope this helps...
    Thank you for rating!

  • PEAP + EAP-MD5

    I've read that with the ACS 3.1 the only eap-type supported with PEAP is GTC.
    Why is it not possible to use EAP-MD5 or EAP-TLS with PEAP? These EAP types were already supported in ACS 3.0...
    Thanks for your time.

    As per my knowledge, PEAP uses the TLS protocol also to authenticate.
    PEAP works in the following way: PEAP operates in two steps. The first step is the server authentication and the second one is user authentication using a new EAP type.
    PEAP uses TLS to authenticate the network infrastructure through the TLS Handshake protocol, to protect user credentials in transit by means of the TLS Record Protocol, and to generate cryptographic keying material using the TLS-defined pseudo-random function (PRF) functionality.
    For information on this you can follow the URLs,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217f.html#4907
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102179.html
    http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/acsq_qp.htm

  • Using Windows 802.1x whith EAP-MD5 on Aironet 350 Adapter

    Hello all,
    I'm trying to use EAP-MD5 as the authentication mechanism with my Aironet card and the Microsoft 802.1x stack under Win2K. Unfortunately, this choice is not possible, while I can do it with legacy LAN cards. According to CCO literature, it is supposed to be supported. Did anyone manage to have this working?
    Thanks in advance
    Cyril

    This is supported and it should work.
    Check out this information:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg/win_ch6.htm#xtocid20

  • PEAP, EAP-TLS & EAP-MD5

    Hi
    Just want to know is there any known problems or issues having PEAP, EAP-TLS & EAP-MD5 enabled on ACS Radius servers for wireless authentication?

    Hello,
    There are no problems, except that you have to have a CA server for certificates for both ACS and wireless users.
    Regards,
    Belal

  • EAP MD5 with ISE 1.2 - How to Prevent Active Directory Account locks?

    Hi,
    Is there any way to prevent accounts from being locked in AD if someone does a password brute-force attack on an account? Does ISE have some feature/configuration to prevent this type of attack?
    Thanks.

    So what you're saying is the retry values only come in to play if the RADIUS server is inaccessible, right?
    Windows laptops actually work just fine, because many of them are using machine authentication.  The main issue seems to be from iPhones, which are saving the username/password and then re-attempting too many times when the user changes password.
    One solution is to use LDAP instead of AD within ACS, but the downside is the password can be guessed thousands of times in a row and is open to dictionary attacks.  We do enforce complex password policies, so the likelihood of an account being compromised is slim, but I'd rather eliminate the chance entirely.

  • NPS Hotspot 2.0 eap-AKA

    Hello all,
    I am trying to configure Windows 2012 NPS for EAP-AKA authentication to build a Hotspot 2.0 (802.11u) network.
    I am searching for documentation about NPS EAP-AKA configuration.
    Can someone help me please?
    Thanks
    Michele

    Hi,
    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thanks for your understanding and support.
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • NPS Discarding RADIUS request from Cisco switch (802.1x)

    For the last few weeks I've been busy trying to get the following to work:
    - Cisco 2960 switch as the supplicant
    - Another Cisco 2960 as the authenticator switch
    - The supplicant is only able to send MS-EAP MS-ChapV2 requests
    - The NPS server is Windows 2008 R2 (and also tested on 2012 R2)
    This is called "NEAT" by Cisco; which does seem to work with Cisco ISE (http://www.cisco.com/c/en/us/support/docs/lan-switching/8021x/116681-config-neat-cise-00.html)
    but I'd like to get it to work with Windows NPS.
    Within NPS I've setup the following Connection Request policy:
    - NAS Port Type: Ethernet
    I'm using the following Network Policy:
    - User Group: DOMAIN\Switches (the useraccount used by the switch is part of this group)
    - NAS Port Type: Ethernet
    - Authentication Type: EAP
    Now the request sent by the switch is discarded. The actual error is the following (excluded irrelevant information):
    User:
    Account Name: Rotterdam-Switch-8-1
    Account Domain: DOMAIN
    Authentication Details:
    Connection Request Policy Name: Secure Wired Connections
    Network Policy Name: Switches Allowed
    Authentication Provider: Windows
    Authentication Server: SERVER.DOMAIN.local
    Authentication Type: EAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 1
    Reason: An internal error occurred. Check the system event log for additional information.
    Wireshark on the NPS server shows:
    1. The RADIUS Access-Request (1) being received by the NPS Server
    2. The NPS Server sending out a RADIUS Access-Challenge (11) to the authenticator switch
    3. Another RADIUS Access-Request (1) is being received by the NPS Server
    Packet 2 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 1 (Challenge)
    Packet 3 has a t=EAP-Message(79) with type MS-EAP-Authentication [Palekar](26) and MS-CHAPv2-ID set to 2 and OpCode 2 (Response)
    I've also tried the following:
    - I've also tested with an invalid username/password. The request is correctly denied
    - I've also tested by adding ALL EAP Types as a condition to the Network Policy. The request isn't picked up by this policy anymore.
    Any help would be greatly appreciated of course.
    Kind regards,
    Peter

    It only took like.. uhm.. forever.. but there's an answer which is "OK ish..".
    Cisco 2960 switches support EAP-MSCHAP, but it seems that NPS only supports EAP-MSCHAP for VPN connections and not for wired/wireless authentication. Something to do with inner and outer methods, and NPS requiring PEAP as an outer method for wired/wireless authentication.
    End result is that both the Cisco switches and NPS do support EAP-MD5. Though it's definitely not as secure (at all), it's definitely a step in the right direction and it's something that we'll be implementing.
    Now, it seems that NPS doesn't support EAP-MD5 (which is supposedly deprecated), but it's possible to re-enable it using the following articles.
    http://support.microsoft.com/kb/922574/en-us
    Microsoft mentioned to me that "Though this article says it applies to Windows Vista only, it does apply to Server 2008R2 as well. Also I would suggest you the following link:
    http://support.microsoft.com/kb/981190"
    Please note that you'll have to enable 'Store password using reversible encryption’  on the accounts that will be used for NEAT authentication.
    Although I would have hoped EAP-MSCHAPv2 would work, I feel I do need to clarify that I understand Microsoft's point of view on this as well. They feel EAP methods without PEAP are simply not safe, which is understandable, especially for EAP-MD5, which could be sniffed using a hub/repeater/etc.
    Kind regards,
    Peter

  • EAP-TLS new user login

    Hi!
    I´m having a logical misunderstanding about NPS, EAP-TLS and certificates. Maybe you can help me out with this.
    In my environment I have AD, NPS, CA and network devices. I'm successfully using a WiFi EAP-TLS policy and my Ethernet policies are working as well. I have two policies for Ethernet and for WiFi:
    1. Computer policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Computer Group
    2. User policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Users Group
    When I turn on the computer it gets access to the network (if I have a certificate and the machine is a domain computer). When I log in with a user who has a certificate and who is a domain user, everything still works. So policies are working! If the user doesn't have a certificate then the connection is disconnected.
    The problem is that when I have a new user logging in to the machine, they don't have a certificate. And authentication will fail! Is there a way to allow the user to request a certificate and then try to authenticate? The GPO policy "enroll automatically" is turned on, but it will not work because the user login is using a TEMP account and the certificate is not enrolled! So new users can't access the network to download their profile if I don't put the certificate there myself. 
    Second question is about PXE and computer certificates. Is there a way to use SCCM/PXE for OSD?
    Any help would be appreciated!
    Taavi

    On Wed, 22 Jan 2014 09:07:38 +0000, asfewfewf wrote:
    I'm having a logical misunderstanding about NPS, EAP-TLS and certificates. Maybe you can help me out with this.
    In my environment I have AD, NPS, CA and network devices. I'm successfully using a WiFi EAP-TLS policy and my Ethernet policies are working as well. I have two policies for Ethernet and for WiFi:
    1. Computer policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Computer Group
    2. User policy: Conditions are Client Friendly Name (Switches), NAS Port Type (Ethernet), Domain Users Group
    When I turn on the computer it gets access to the network (if I have a certificate and the machine is a domain computer). When I log in with a user who has a certificate and who is a domain user, everything still works. So policies are working! If the user doesn't have a certificate then the connection is disconnected.
    The problem is that when I have a new user logging in to the machine, they don't have a certificate. And authentication will fail! Is there a way to allow the user to request a certificate and then try to authenticate? The GPO policy "enroll automatically" is turned on, but it will not work because the user login is using a TEMP account and the certificate is not enrolled! So new users can't access the network to download their profile if I don't put the certificate there myself. 
    You need to look into setting up remediation.
    http://technet.microsoft.com/en-us/library/dd125372%28v=ws.10%29.aspx
    Second question is about PXE and computer certificates. Is there a way to use SCCM/PXE for OSD?
    You should be asking this question in a System Center forum -
    http://technet.microsoft.com/en-ca/systemcenter/bb625749.aspx
    Paul Adare - FIM CM MVP
    How do I set my LaserPrinter to "Stun"?!

  • Dynamic VLAN Assignment + NPS

    Hello,
    I'm planning a deployment with the following:
    5508 WLC running 7.0.222.0
    NCS 1.0.2.29
    50+ 3502i AP's
    Windows 2008 R2 running NPS
    EAP-TLS for authentication
    The end goal is to have a single SSID and utilize NPS to dynamically assign VLAN's depending on role/group.
    I've read several documents that use ACS to complete the dynamic VLAN assignment (including http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml), however in this case ACS is not available.
    My question basically is; do I need ACS to apply the VSA for Cisco Airespace, or can this be done solely with the following IETF attributes using Microsoft NPS and AAA override on the WLC?
    [64] Tunnel-Type
    [65] Tunnel-Medium-Type
    [81] Tunnel-Pvt-Group-ID
    Any advice would be greatly appreciated!
    Thanks

    Thanks Steve for your quick response.
    I did everything as per your recommendation and it still doesn't work.
    Do you mind providing me remote assistance? Do you have Skype?
    Or do you prefer that I provide you a set of logs? Tell me which one and I will do so.
    SSID:TT
    @IP WLC: 172.20.252.70
    NPS: 172.20.1.16
    config rule NPS: Service-Type: NAS Prompt
                     Tunnel-Type: VLAN
                     Tunnel-Pvt-Group-ID: 10
                     Tunnel-Medium-Type: 802
    log WLC:
    *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processIncomingMessages: response code=2
    *radiusTransportThread: Sep 19 12:32:47.841: ****Enter processRadiusResponse: response code=2
    *radiusTransportThread: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Access-Accept received from RADIUS server 172.20.1.16 for mobile 8c:70:5a:1c:8e:20 receiveId = 4
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.841: 8c:70:5a:1c:8e:20 Processing Access-Accept for mobile 8c:70:5a:1c:8e:20
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Applying new AAA override for station 8c:70:5a:1c:8e:20
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
    source: 4, valid bits: 0x200
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
    vlanIfName: 'dy-data-ksb1', aclName: ''
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.842: 8c:70:5a:1c:8e:20 Inserting new RADIUS override into chain for station 8c:70:5a:1c:8e:20
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
    source: 4, valid bits: 0x200
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
    vlanIfName: 'dy-data-ksb1', aclName: ''
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Applying override policy from source Override Summation:
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values for station 8c:70:5a:1c:8e:20
    source: 256, valid bits: 0x200
    qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
    vlanIfName: 'dy-data-ksb1', aclName: ''
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.843: 8c:70:5a:1c:8e:20 Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Station 8c:70:5a:1c:8e:20 setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Creating a PKC PMKID Cache entry for station 8c:70:5a:1c:8e:20 (RSN 2)
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: 8c:70:5a:1c:8e:20 Adding BSSID 00:1e:be:a7:bf:b6 to PMKID cache for station 8c:70:5a:1c:8e:20
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Sep 19 12:32:47.844:      [0000] 80 36

  • 802.1x/EAP clarification and implementation

    Dear Sir,
    To set up LEAP authentication using ACS, the client needs a supplicant such as the ACU to run LEAP independent of the OS.
    The Cisco AP will be the carrier of the EAP message between the client and the RADIUS server, sitting between the client and the server. I know for a fact that Cisco APs support LEAP, PEAP, EAP-TLS, EAP-MD5 and EAP-SIM. From my understanding, those types of EAP mentioned earlier can be relayed to the RADIUS server (ACS), am I right?
    Does it mean that these messages are transparent from the AP point of view? If I replace the Cisco AP with a third-party access point that claims to support 802.1x/EAP but never specifies the type of EAP protocol, can I still run LEAP with a third-party AP though my client is Cisco and the RADIUS server is CSACS?
    What type of OS or supplicant supports EAP-MD5? I know that Windows XP and 2000 support an 802.1x driver, but what about the EAP protocols supported on XP and 2000?
    Thanks.
    Delon

    I think the following document will clear most of your doubts,
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008019fea2.shtml

  • Need help in configuring Cisco AP to support EAP authentication

    Hello all,
    in desperation after trying for more than 3 weeks, I am trying in this way to get a solution to my following problem.
    I am trying to build up an 802.1x scenario using 802.11b infrastructure (RADIUS server, Cisco 1100 Aironet AP, Cisco PCMCIA WLAN card with Xsupplicant software; the complete OS is Linux). I am trying to use EAP-MD5 authentication. It seems that things are functioning in standalone mode.
    The client wants to authenticate to access the WLAN. It sends an EAPoL Start packet and gets a request from the AP for user identity. Good. Then the user sends his identity with an EAP packet. The Cisco AP is forwarding the request to the RADIUS server as specified in many documents. That is also good. The RADIUS server is sending a request for a challenge (password). Up to this point things are going fine.
    Now the Cisco AP is not sending this challenge to the Xsupplicant; it is just ignoring it. Can anyone help me at this point? If needed I can also send the configuration file of the AP.
    I would be very thankful, if I could solve this Problem with your support.
    Thanking you in advance,
    Felix

    As per the RFC for RADIUS, a RADIUS Server receiving an Access-Request with a Message-Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent. A RADIUS Client receiving an Access-Accept, Access-Reject or Access-Challenge with a Message-Authenticator Attribute present MUST calculate the correct value of the Message-Authenticator and silently discard the packet if it does not match the value sent.
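The RFC rule quoted in the reply above (a Message-Authenticator that does not verify is silently discarded, which is the failure mode the reply points at) can be checked directly. This is an added Python example, not code from the thread or from Cisco; the shared secret, identifiers and attribute values are constructed.

```python
import hashlib
import hmac

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_CHALLENGE = 11
ATTR_MESSAGE_AUTHENTICATOR = 80   # RFC 2869 s5.14


def encode_attrs(attrs):
    """Attributes as Type (1) / Length (1, includes header) / Value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def build_packet(code, identifier, authenticator, attrs):
    body = encode_attrs(attrs)
    return bytes([code, identifier]) + (20 + len(body)).to_bytes(2, "big") + authenticator + body


def sign_packet(code, identifier, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet) where the
    attribute's value is 16 zero bytes while the HMAC is computed."""
    probe = build_packet(code, identifier, authenticator, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, probe, hashlib.md5).digest()
    return build_packet(code, identifier, authenticator, attrs + [(ATTR_MESSAGE_AUTHENTICATOR, mac)])


def sign_response(code, identifier, request_authenticator, attrs, secret):
    """Access-Accept/Reject/Challenge: the HMAC is computed with the Request
    Authenticator in the authenticator field; afterwards the field is replaced
    by the Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    pkt = sign_packet(code, identifier, request_authenticator, attrs, secret)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def iter_attrs(packet):
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield pos, t, packet[pos + 2:pos + length]
        pos += length


def verify_message_authenticator(packet, secret, request_authenticator=None):
    """True only if a single, well-formed Message-Authenticator matches.
    For a response pass the Request Authenticator; for a request the packet's
    own authenticator field is used. An absent attribute is treated as a
    failure because RFC 3579 requires it on any packet carrying EAP-Message."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    found = None
    try:
        for pos, t, value in iter_attrs(packet):
            if t == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16 or found is not None:
                    return False
                found = (pos, value)
    except ValueError:
        return False
    if found is None:
        return False
    pos, received = found
    auth = packet[4:20] if request_authenticator is None else request_authenticator
    zeroed = packet[:4] + auth + packet[20:pos + 2] + bytes(16) + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


def verify_response_authenticator(packet, request_authenticator, secret):
    """Client-side check of the Response Authenticator (RFC 2865 s3)."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)
```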

  • 802.1x EAP type not configured

    Hi, a simple 802.1x test with XP client sp2, 3560 with IOS 12.2(35)SE5 and ACS 4.1(1) build 23.
    EAP-MD5 is selected on the client and enabled on the ACS, but I receive in ACS an authentication failure message, with Authen-Failure-Code "EAP type not configured".
    Any idea?
    Thank you in advance,
    greetings

    You have to install a self-generated certificate on the ACS and enable PEAP with "Allow EAP-MSCHAPv2"; then change the setting on your PC, and you should manage to make it work.
    Could you do the following:
    1.) Enable full detail logging on the ACS: System Configuration -> Service Control -> Logging detail level = "FULL". Then restart the ACS services.
    2.) Enable "debug radius" together with the debugs that you already have on the switch.
    3.) If there is a sniffer (Norton SnifferPro, or the freeware Wireshark or Ethereal) on the client laptop, please start it and enable sniffing on the client interface.
    4.) Make another authentication attempt.
    5.) Generate a "package.cab" on the ACS, by running Bin\CSSupport.exe underneath the ACS installation directory.
    6.) Please send me the following information:
    a) The package.cab file,
    b) the debug output from the switch,
    c) the sniffer trace (if available).
