OEAP600 with Wired 802.1X

Hello everybody,
I'm trying to find out if the Wired 802.1X capabilities associated with the OEAP-600 extend so far as to include the dynamic assignment of attributes to the user's session. VLAN assignment would probably be the most useful, but QoS, rate limiting and ACLs would also be handy. These features all work on a standard switch and on a normal WLAN, but I can't find anything that discusses how the OEAP600 fits into this.
Any pointers greatly appreciated!
Rich


Similar Messages

  • Intel vPro with wired 802.1x issue with domain name

    Hello guys,
    this issue may not be related to SCCM directly, but the Intel forums are really poor so I'd like to ask here...
    The case: We are currently provisioning our vPro chips with SCCM SP2 R3 and almost everything worked as expected (Provisioning OK, OOB Console OK, PowerControl OK, even TLS and Kerberos are working). But there is an issue with the 802.1x authentication. It seems the vPro chips are not using the correct domain name. Let's say our DNS domain name is vpro.com and the NETBIOS name is corpvro. There are no child or other domains. The vPro chips are now presenting vpro\COMPUTERNAME$iME instead of vpro.com or corpvro, so the RADIUS server (Windows Server 2008 R2 - NPS) is saying ReasonCode 7 "...domain is not existing...". AuthenticationType and EAP Type are correct. Usually user and computer accounts are using corpvro as the domain name.

    Hi Dan,
    thank you for your reply. I've already done this in the second place using the SDK and winrm ($8021XProfileInstance.GetProperty("Domain")). I've no idea where SCCM is getting this domain name from. It's cutting off the top level domain extension; maybe SCCM is assuming that this equals the NETBIOS domain name, but that is not the case. This is only a guess; in detail I need to know on what basis SCCM is choosing the domain name, then I can fix this...
    Intel's SCS puts the correct NETBIOS domain name in the AMT config; the certificates used are the same...
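
The ReasonCode 7 in the thread above comes from the RADIUS server not recognising the realm part of the identity. The following is an added example (not part of the post, nor SCCM or Intel SCS code) of how a RADIUS admin can triage such identities offline: it splits the two common Windows identity forms, checks the realm against the DNS and NetBIOS names from the post, and flags the specific symptom described there, a DNS domain with its suffix cut off. The rule that an identity with no realm is accepted is this example's assumption (NPS would apply its own default-domain handling).

```python
"""Check 802.1X identities against the DNS and NetBIOS domain names a RADIUS
server accepts.  Added example, not part of the post; the two domain names
are taken from the post, the identity forms are the usual Windows ones."""

DNS_DOMAIN = "vpro.com"      # DNS domain name from the post
NETBIOS_DOMAIN = "corpvro"   # NetBIOS domain name from the post


def split_identity(identity):
    """Split 'DOMAIN\\account' or 'account@realm' into (domain, account).
    A bare account with no realm yields (None, account)."""
    if "\\" in identity:
        domain, account = identity.split("\\", 1)
        return domain, account
    if "@" in identity:
        account, domain = identity.rsplit("@", 1)
        return domain, account
    return None, identity


def domain_known(domain, dns_domain=DNS_DOMAIN, netbios_domain=NETBIOS_DOMAIN):
    """True if the realm matches either accepted form (case-insensitive).
    Assumption for this example: no realm at all is left to the server's
    default-domain handling and is not flagged here."""
    if domain is None:
        return True
    return domain.lower() in {dns_domain.lower(), netbios_domain.lower()}


def triage_identity(identity, dns_domain=DNS_DOMAIN, netbios_domain=NETBIOS_DOMAIN):
    """Classify an identity the way the NPS event would be read by an admin."""
    domain, _account = split_identity(identity)
    if domain_known(domain, dns_domain, netbios_domain):
        return "ok"
    # The symptom from the post: the DNS domain with its top-level label removed.
    if domain and dns_domain.lower().startswith(domain.lower() + "."):
        return f"truncated-dns-domain: '{domain}' is '{dns_domain}' without its suffix"
    return f"unknown-domain: '{domain}'"


if __name__ == "__main__":
    # Identity as presented by the vPro firmware in the post (constructed sample).
    for ident in ("vpro\\COMPUTERNAME$iME", "corpvro\\COMPUTERNAME$", "COMPUTERNAME$@vpro.com"):
        print(ident, "->", triage_identity(ident))
```

Feeding the NPS accounting or event-log usernames through `triage_identity` separates "realm genuinely unknown" rejections from the truncated-suffix case, which points at the provisioning side rather than at NPS.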

  • Wired 802.1x with PEAP

    I have managed to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single sign-on can be achieved.
    Setup:
    C3750 switch - Cisco ACS 3.2 - Windows AD
    Sequence of events:
    1. 802.1x machine authentication
    2. User logs in to domain
    3. 802.1x with user credentials
    But, I have the following issues:
    i. If a user logs in using a local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in the unauthorized state immediately?
    ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
    Any solution for this?
    Tks

    2 issues here:
    * Cached credentials for Microsoft supplicants. Microsoft's authentication strategy in general reflects this, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, I would recommend another supplicant.
    * Failed authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt actually "failed", as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do (this can be verified by a sniffer trace or debugs). Corresponding logs on RADIUS would help as well.

  • ISE Wired 802.1x with Foundry access switch ,not show "Device Port"

    Our customer wants to enable wired 802.1x for user and machine authentication on a Foundry switch.
    They want to use ISE as the RADIUS server. We tried it, but the ISE report can't show which port the client is connected to on the switch.
    We got the tcpdump packets from ISE. They show that the "nas-port-id" RADIUS attribute is not sent out by the Foundry switch, but it sends "nas-port".
    Is it possible to let the Foundry switch send the "nas-port-id" attribute in the RADIUS request packet?
    Or is it possible to let ISE show the "nas-port" attribute value on the authentication report?
    Thanks.


  • Help with 4506 802.1x Port Based Authentication (Wired)

    Hi all,
    I'm trying to configure wired 802.1x security on a Catalyst 4506 IOS 12.1.19(EW), using Microsoft IAS (Microsoft's RADIUS), and Windows 2000 SP4 clients.
    I've followed the procedures in the 4506 software configuration guide and they seem to be straightforward.
    I then turn 802.1x debugging on the switch to monitor the 802.1x traffic, but there is none. If I bring the configured interface down and then back up, I do get some status change, but it seems like the switch is not sending or receiving EAPOL frames.
    I then execute the dot1x "initialize" and also tried the "re-authenticate" commands, but I get an error saying that FastEthernet 2/2 is not a valid dot1x interface. The line card model number is WS-X4148-RJ21. Is the card not 802.1x compatible?
    The switch does not throw any errors when I configure FastEthernet 2/2 as an 802.1x port by executing
    dot1x port-control auto
    I've also configured the interface to be a plain L2 access port by executing
    switchport mode access
    Any help will be appreciated!

    I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
    However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
    Are there special attributes that need to be configured on the switch or IAS?

  • Can i use the airport express in my hotel with wired connection?

    I'm going to be traveling quite a bit coming up and staying in hotels with wired internet connections in the room. Can I use the AirPort Express to connect with the hotel's internet connection and then my iPad and/or iPhone 4S? I'm new to Apple products so will certainly appreciate any info that may help. Thank you!

    You will need to have AirPort Utility installed on the iPad and/or iPhone. It is free on the App Store
    App Store - AirPort Utility
    Connect the AirPort Express 802.11n to the hotel Ethernet jack using an Ethernet cable
    Power up the AirPort Express and wait 40-45 seconds
    Tap Settings, then tap Wi-Fi on the iPad
    Tap the AirPort Express under the heading of Set up an AirPort Base Station
    AirPort Utility will take a moment to analyze the connection and then you can proceed with the easy guided setup
    Once the AirPort Express is configured, you should not have to set it up again at the next hotel. But, you could if you want to.

  • Eap-tls wired 802.1x - certificate issue?

    I have configured ACS 4.0 and a 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
    If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validating Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached, then it dumps the workstation into the guest VLAN. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
    Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. If you change the state of the port, either by disabling/enabling from the workstation or switch, or by unplugging the cable and plugging it back in, Windows does not seem to pass the certificate information along to the PAE.
    This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate.
    Has anybody seen this before, and have any solutions why Windows cannot recognize the machine certificate properly?

    We solved our WIRELESS problem by editing the following entries. I'm sure this can be applied to the wired side somehow.
    The information about the correct settings can be found in this Microsoft document:
    http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
    The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
    This allows just the machine to authenticate (using a cert already on the machine), then we use our ACS server to auth the user via AD.
    I am doing this wirelessly, and as long as you are using a WDS the following will be the result.
    Roaming AP to AP I only lost 1 packet.
    Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
    Shutting the wireless off and back on I only lost 8 packets.
    I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

  • ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

    Hi guys,
    I have a strange error here and I'm really disappointed.
    We currently try to do "Wired-802.1X" with our Windows XP SP3 Clients with EAP-TLS and "machine-only" authentication.
    We use ACS5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
    At the other clients we can see a strange error at the ACS.
    At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
    Logged At: Sep 2,10 3:37:46.916 PM
    Access Service: Wired_802.1X_EAP-TLS
    Authentication Method: EAP-TLS
    ACS Instance: svacs01
    Failure Reason: 5411 EAP session timed out
    (The report's other columns - RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Network Device, NAS IP Address, NAS Port ID, CTS Security Group - did not come through in the pasted output.)
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Wired_802.1X_EAP-TLS
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    5411  EAP session timed out
    At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
    Switch --> Request Identity --> Client
    Switch <-- Response Identity <-- Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    What is missing is the Switch <-- Response EAP-TLS <-- Client
    Any ideas what is going wrong ? Maybe someone had this error before ?
    Any suggestions how to debug this ?
    Thank you very much for your help!
    Mathias

    Hi @all,
    I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occur many times per day.
    Logged At: Sep 7,10 11:50:36.143 PM
    Access Service: dot1x wireless
    Authentication Method: PEAP
    ACS Instance: bfnetacs01
    Failure Reason: 5411 EAP session timed out
    (The report's other columns - RADIUS Status, NAS Failure Details, Username, MAC/IP Address, Network Device, NAS IP Address, NAS Port ID, CTS Security Group - did not come through in the pasted output.)
    Kind regards,
    Michael
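
The two artefacts Mathias posted (the ACS step list and the Wireshark summary of the EAPOL exchange) together say which side stopped talking: ACS proposed EAP-TLS and returned an Access-Challenge (steps 12500 and 11006), and the wire shows three EAP-TLS requests with no EAP-Response, so the supplicant never answered. The following is an added example of automating that reading over pasted logs; it is not ACS, Cisco or Wireshark code. Both inputs are reconstructed inline from the post, and the "supplicant" / "path" / "unknown" verdict labels are this example's own convention.

```python
"""Triage a 5411 "EAP session timed out" failure from the two artefacts in the
post: the ACS step list and the switch-side EAPOL exchange.  Added example, not
ACS or Cisco code; both inputs are reconstructed from the post and the verdict
labels are this example's own convention."""
import re
from collections import Counter

# Constructed from the ACS "Steps" list in the post (code, description).
ACS_STEPS = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Wired_802.1X_EAP-TLS
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
5411  EAP session timed out
"""

# Constructed from the Wireshark summary in the post.
EAPOL_TRACE = """\
Switch --> Request Identity --> Client
Switch <-- Response Identity <-- Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
"""

STEP_RE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")
EAPOL_RE = re.compile(
    r"^Switch\s+(?:-->|<--)\s+(Request|Response)\s+(\S+)\s+(?:-->|<--)\s+Client$"
)


def parse_acs_steps(text):
    """Return [(code, description), ...]; lines without a numeric code are skipped."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps


def parse_eapol(text):
    """Return [(kind, method), ...] with kind being "Request" or "Response"."""
    msgs = []
    for line in text.splitlines():
        m = EAPOL_RE.match(line.strip())
        if m:
            msgs.append(m.groups())
    return msgs


def unanswered_methods(msgs):
    """EAP methods the authenticator requested but the supplicant never answered,
    mapped to the number of unanswered requests."""
    requested = Counter(method for kind, method in msgs if kind == "Request")
    answered = Counter(method for kind, method in msgs if kind == "Response")
    return {m: n for m, n in requested.items() if answered[m] == 0}


def triage(acs_text, eapol_text):
    """Decide which side of the exchange stopped talking.

    5411 after 12500 and 11006 means ACS proposed a method and sent an
    Access-Challenge but never received the next EAP-Response.  If the EAPOL
    trace shows that method requested repeatedly with no response, the
    supplicant is the side to look at (for EAP-TLS, typically no usable
    certificate); if a response is on the wire, it was lost on the way to ACS.
    """
    codes = [code for code, _ in parse_acs_steps(acs_text)]
    if not codes or codes[-1] != 5411 or 12500 not in codes or 11006 not in codes:
        return "unknown", "no challenge-then-timeout pattern in the ACS steps"
    missing = unanswered_methods(parse_eapol(eapol_text))
    if missing:
        methods = ", ".join(sorted(missing))
        return "supplicant", f"no EAP-Response to {methods}; check the supplicant's method/certificate configuration"
    return "path", "response seen on the wire but not at ACS; check the switch-to-RADIUS path"


if __name__ == "__main__":
    print(triage(ACS_STEPS, EAPOL_TRACE))
```

For Michael's wireless case, where the report rows do not say which client is affected, the same `unanswered_methods` check run per client MAC on a controller-side capture is the quickest way to find the supplicants that never answer the PEAP request.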

  • Wired 802.1x re-authentication passes but no connectivity after 1 hour

    I am testing wired 802.1x with the desired behavior of machine auth with user auth. I have a 6509 CatOS 8.3(5) using the dot1x global defaults, and 2 laptops, one XP SP1 and one XP SP2, both with AuthMode=1 and SupplicantMode=3 and Windows Update current as of 02mar2005. Active Directory. ACS SE 3.2 using VLAN assignment. I have tested PC and user in different VLANs and it works fine.
    1st observation:
    The initial EAP authentication is good. Every hour there is an EAP request with a final result of success in the packet trace. The switch shows connected dot1x-123. The ACS log shows the passed re-authentication. Everything looks good but both laptops lose connectivity 1 hour after the first authorization. If I issue "set port dot1x initialize" or enable/disable the port the process starts over.
    2nd observation:
    I can connect with Remote Desktop. There are 2 EAP start frames then the port becomes unauthorized about a minute later.
    Any ideas?

    No. I am still waiting on Cisco to address the 1st observation. Does it occur on your 6506 8.4(2)? I see it also in my 6509 with 8.4(2). I find it interesting that it works in my end-of-life 2948g switch 8.2(1)GLX.
    The MS supplicant defaults for WIRED are authmode=1 and supplicantmode=2. Remote Desktop works in their default WIRED mode.
    At this point I am content controlling machine access until dot1x matures. Cisco ACS has a machine access restriction feature that authorizes the port after a successful user auth. I have found that if it is enabled, a successful machine auth will be unauthorized when logged in with a local account. If it is disabled, the local account is authorized because only MA has occurred.

  • Wired 802.1x EAP-TLS Server Certificate Problem

    I have set up wired 802.1x authentication using EAP-TLS with ACS 3.3 and a backend link to Active Directory. Root CA certificates are installed on the ACS and client PC. Machine certificates and user certificates are also installed on the client PC. A server certificate is installed on the ACS. All has been configured as detailed on the Cisco website (numerous documents).
    If I set the client to authenticate the server's certificate I get a failure. The client's log (Cisco Secure Services Client) states:
    11:48:53.088 Validating the server.
    11:48:53.088 Server list is empty, trusted server can not be validated.
    11:48:53.088 Server list is empty, trusted server can not be validated.
    11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
    11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
    11:48:54.776 The authentication process has failed.
    If I look at the Auth log on ACS (set to full logging) it states:
    AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
    AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
    If I configure the client to not check the server's certificate it all works OK.
    Can anyone tell me why my server certificate is getting rejected?
    Thanks,
    Paul

    If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

  • RADIUS failover not working in wired 802.1x (CATOS switch)

    I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?
    Any help is appreciated. Here is my config:
    #version 8.4(7)GLX
    #radius
    set radius server 10.30.XX.XX auth-port 1812 primary
    set radius server 10.18.XX.XX auth-port 1812
    set radius timeout 30
    set radius key EE08361
    Set dot1x system-auth-control enable
    set port dot1x 5/27 port-control auto
    all radius and dot1x settings are at their default values
    Any takers??!

    I have the same setup as yours. I use Steelbelt radius 6.0.1 on Linux and I have a Cisco 2960 Catalyst. I use 802.1x over Ethernet with PEAP, as seen below:
    C2960#sh run int g0/23
    Building configuration...
    Current configuration : 133 bytes
    interface GigabitEthernet0/23
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 668
    end
    C2960#
    C2960#sh run | inc dot
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    C2960#sh run | inc radius-
    radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
    radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
    C2960#
    Everything works, and when I shut down the radius server process on host 192.168.15.10 ("sbrd stop"), it still works with the secondary radius server 10.250.97.26.
    The difference between yours and mine is that I am running IOS instead of CatOS.
    System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
    David

  • FlexConnect Access Point - Wired 802.1X or MAB Authentication

    Hi all,
    We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
    I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
    Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
    Thanks in advance.
    Regards,
    Stephen.

    Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
    1. AP, authenticates via MAB and profiling
    2. Client authenticates via PEAP/EAP-TLS, etc
    3. Now the client's traffic is locally switched, thus the client MAC address shows up on the same port where the AP is connected. The NAD (switch) sees this new MAC address and expects it to perform 802.1x or MAB based authentication. The supplicant, however, does not know that, and as far as it is concerned it was already authenticated.
    So I have run into this issue in my deployments and you have the following options (listed in order of preference):
    1. Eliminate FlexConnect :)
    2. Utilize AutoSmartPorts where:
    - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
    - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
    More info on auto smart ports:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
    3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
    Hope this helps!
    Thank you for rating helpful posts!

  • Wired 802.1x automation

    I have a Wired 802.1x network.
    When I configure the 802.1x setting for the connection and click 'connect' everything works fine.
    However I need to click that same connect button in network preferences every time I reboot or logout.
    This is a multi-user environment, so I am using a System login profile, and there is no directory integration here as this is a university. As a result I must use a User profile.
    This problem is present on 10.4 with internet connect as well as 10.5.
    Any help would be greatly appreciated.


  • Wired 802.1x logon-scripts don't run

    I tested wired 802.1x authentication with an XP client and a Cat 2960 switch. The authentication is configured with PEAP and MS-CHAPv2. The 802.1x authentication works well.
    The problem is that the 802.1x authentication starts after the Windows logon. Due to this problem, the logon scripts don't run.
    How can I force the 802.1x authentication before the Windows login starts?
    Regards
    Pascal

    With the XP-Client, this cannot be forced. You need to enable machine authentication. This way, network access is granted with machine credentials by the time the user logs on, and 802.1X authentication occurs during the user logon event.
    Hope this helps,

  • Wired 802.1x hardware compatible checklist

    Hi forumers'
    I would like to check what kind of access switch supports wired 802.1x; does Cisco have a hardware compatibility checklist for it?
    The backend RADIUS server would be Cisco ISE. The business requirement is to be able to support flexauth.
    Current infrastructure access switches:
    a. Linksys switch
    b. ESW 540
    c. Cisco 2950 switch
    Thanks
    Noel

    I have a supplemental question regarding the 2003 update (KB968730). I have a Kace KBOX that we do patching/inventory of our servers with, and it tells me that all of our 2003 servers are patched with KB968730. However, when looking at one of the 2003 servers, I didn't see KB968730 in the updates list, nor in the registry. After some research, it appears that the crypt32.dll file on the server is already a newer version than the one in KB968730 (it contains the version of crypt32.dll from MS14-049 in August 2014). I went ahead and installed KB968730 anyway on the server, and it now shows up in the updates list. However, the crypt32.dll file was unaffected on the machine since it was already newer.
    Upon reading the install log for KB968730, it seems that all the update did was add registry keys to say that KB968730 was installed, but it did not replace the crypt32.dll file, and no reboot was needed.
    I believe this will be the case for all of my 2003 R2 servers. With the actual payload of KB968730 being crypt32.dll (and wcrypt.dll for x64), and those files already being newer on my servers than what is in KB968730, would it just be considered SHA2 supported, or would the presence of the reg keys that state the hotfix is installed be needed (sounds pointless to me)?
    EDIT: Not to mention that the KB968730 update never specifically mentions 2003 R2, just 2003. The install log shows failures during file version checks and other lines, so it really looks like it simply added the registry info for the hotfix and that's all.
