Other LEAP upgrade options besides PEAP and EAP-FAST?
Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?
A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
Good Luck
Scott
Similar Messages
-
PEAP or EAP-FAST, associating but no IP assigned
All -->
I have a number of AP's using both PEAP and EAP-FAST...the clients are associating with the SSID's, but are not receiving an IP address via DHCP.
I've checked VLAN configuration on the AP's, and also the logs on both the AP's and ACS server. Both logs are reporting successful authentication...
Any suggestions?If the DHCP server is on the AP, then it will only serve the native VLAN (or the administrative VLAN ..... usually the same thing) unless you are directing the DHCP requests through a layer 3 device and something like IP Helper.
Even though the AP is common to all VLANS, (like a switch would be), the native resources are only available to the devices associated with the native / administrative VLAN serving the AP.
Good Luck
Scott -
No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?
Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router? I am replacing with an Asus router.
thanks,
KGHi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.
-
EAP-PEAP and EAP-TLS on same switched network
Hello,
I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will the there.
The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
Thanks,
GuyYou are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
Good Luck,
--Jean Paul -
Windows 7 upgrade option update (Microsoft and Lenovo
All:
Edit: Lenovo link added
http://www.lenovo.com/us/en/windows7/index.html?ipromoID=wnb00492&
Here's the information from Microsoft about the update program. Hopefully there will be an announcement soon from .... hardware vendors
Announcing the Windows 7 Upgrade Option Program & Windows 7 Pricing – Bring on GA!
http://windowsteamblog.com/blogs/windows7/archive/2009/06/25/announcing-the-windows-7-upgrade-option...
As Brad discussed in the video, today we’re announcing details for the Windows 7 Upgrade Option Program, pricing, and a special pre-order offer for select markets.
But first, I want to talk a little bit more about GA and the worldwide availability of Windows 7. We’ve really focused a lot of our efforts on getting the product out to as many people around the world as quickly as possible. OEMs will start shipping PCs with Windows 7 in all language versions beginning on GA, October 22nd.
And for our retail software, we’ve made significant strides in terms of timing. Gone are the days when it could take months for all language versions to be available. In fact – we’ve narrowed the gap to just over ONE week!
On October 22nd, Windows 7 will be available in the following 14 languages: English, Spanish, Japanese, German, French, Italian, Dutch, Russian, Polish, Brazilian Portuguese, Korean, Simplified Chinese, Traditional Chinese and Chinese (Hong Kong).
Then on October 31st, the remaining 21 languages will become available: Turkish, Czech, Portuguese, Hungarian, Swedish, Danish, Norwegian, Finnish, Greek, Ukrainian, Romanian, Arabic, Lithuanian, Bulgarian, Estonian, Slovenian, Hebrew, Thai, Croatian, Serbian Latin, and Latvian.
Windows 7 truly is a global release and I’m excited to be able to tell my international friends that when I say Windows 7 will be available for the holidays – I mean everywhere in the world.
But, you don’t have to wait until GA to get a new Windows PC. In fact, we know many people need that new PC sooner – for back to school specifically. And we have the answer for people who need a new PC now but still want to get Windows 7 and that’s the Windows 7 Upgrade Option Program, which kicks off tomorrow, June 26th! Anyone who buys a PC from a participating OEM or retailer with Windows Vista Home Premium, Business or Ultimate on it will all receive an upgrade to the corresponding version of Windows 7 at little or no cost to customers. The Windows 7 Upgrade Option Program will be available until January 31st, 2010 – and is global! For more information on taking advantage of the Windows 7 Upgrade Option Program, visit www.windows.com/upgradeoffer.
Another one of the most common questions I get is: how much will Windows 7 cost? Well, today we’re sharing these details.
For Windows 7, we are reducing the price on our most popular retail product for customers, the Home Premium Upgrade, by approximately 10% (depending on the market). In the U.S., this means a customer buying Windows 7 Home Premium upgrade will pay only $119.99 instead of the $129.99 being charged today for its predecessor.
Overall, customers will be paying less and getting more with Windows 7. This includes fun new features such as HomeGroup, Device Stage, Aero Shake, Snap, Peek, Jump Lists and our completely redesigned Windows Taskbar (one of my favorite new features in Windows 7 today). These new features make your PC simpler and much easier to use.
So here’s the low-down on pricing for Windows 7. The estimated retail prices for upgrade packaged retail product of Windows 7 in the U.S. are:
Windows 7 Home Premium (Upgrade): $119.99
Windows 7 Professional (Upgrade): $199.99
Windows 7 Ultimate (Upgrade): $219.99
And the estimated retail prices for full packaged retail product of Windows 7 in the U.S. are:
Windows 7 Home Premium (Full): $199.99
Windows 7 Professional (Full): $299.99
Windows 7 Ultimate (Full): $319.99
This means that Windows 7 Home Premium full retail product is $40.00 less than Windows Vista Home Premium today.
As Brad describes in the video, for Europe, we will not have a separate upgrade SKU for the packaged retail product versions of Windows 7 at GA. But we will be offering upgrade pricing on our full licenses to make sure that European customers who want to upgrade have the pricing options available in the rest of the world.
Finally, as a way of saying thank you to our loyal Windows customers, we are excited to introduce a special time limited offer! We will offer people in select markets the opportunity to pre-order Windows 7 at a more than 50% discount. In the US, this will mean you can pre-order Windows 7 Home Premium for USD $49.99 or Windows 7 Professional for USD $99.99. You can take advantage of this special offer online via select retail partners such as Best Buy or Amazon, or the online Microsoft Store (in participating markets).
This program begins tomorrow in the U.S., Canada and Japan. The offer ends July 11th in the U.S. and Canada and on July 5th for Japan or while supplies last. Customers in the UK, France and Germany, can pre-order their copy of Windows 7 starting July 15th and will run until August 14th (or supplies last) to ensure folks don’t miss out on this. Act fast if you want to be the first in line to get Windows 7 at this screaming deal! Note: The special low pre-order price will vary per country.
For more information on this special pre-order offer,
I am really excited to be sharing these Windows 7 announcements with you today. Because of the great feedback we received from you, we are confident we are poised to deliver a great product this fall!
Message Edited by Darksaber on 06-28-2009 11:41 AM
x200 7454-CTO; 320GB HD; 4GB; Win 7 64bit - Now on RTM.
- 2nd SSD with Win 7 Enterprise RTM
T61p - RTM - Win 7 Enterprise
S10 4231 for my wife - now on Win 7 Ultimate RTMHaving purchased my Thinkpad T500 two weeks ago, I'll be a little miffed if I am not eligible for a free upgrade to Windows 7. However, my pain will be eased a little by the TechNetPlus subscription that will allow me to download and install the RTM bits sometime in mid-to-late July.
I really do think Microsoft continues to miss the boat on their retail OS and Office pricing. Keep Windows between $50 and $100, and Office $75 to $150 and you're going to have loads of people buying instead of seeking out ways to not pay for it.
T500: T9400 (2.53GHz), 4GB RAM, 160GB 7200rpm, 15.4in 1680x1050 WSXGA+ LCD, 256MB ATI Radeon HD3650, DVDRW, Intel 802.11agn wireless, AT&T WWAN, Bluetooth, Modem, 1Gb Ethernet, 9c Li-Ion, Windows 7 Ultimate x64 RC (Build 7100) -
Hi,
Does Cisco have any plan to support PEAP and EAP-TLS in the next release version of ACU?
Thank you.
Regards,
DelonAs far as I know, there is no such plan as of now.
-
help! imovie media browser only has one option, "Mobile". other videos had option for medium and small. mobile option wont import into iDVD. other videos gave me the Medium option, why not this one? need answers ASAP!
That is your answer then.
Large is 960x540
Medium is 640x480 (or 720x480)
Mobile is probably 480x272.
It is offering you the sizes that make sense given the size of your source material.
As a trick, you might try this. In your project, put a short 640x480 clip in the project as the first clip of the project. Then keep the rest of the project as is. See if it will let you share now in Medium. It will not look as good, because there are not enough pixels to cover the Medium size, but it might work. -
I try to authenticate a 1300 Worgroup bridge with EAP-FAST.
Using ACS 3.3(2) Build 2 and 1231 AP's with WDS.
Is there anyone who has tried this configuration. Ordinary wireless clients are OK.Hi,
a workgroup bridge support only LEAP als EAP Client for EAP authentication.
You have no option to integrate a PAC File to the device in workgroup bridge mode.
Look at this link:
http://www.cisco.com/en/US/products/ps5861/products_configuration_guide_chapter09186a00804158b3.html#wp1055422 -
Hi NetPro.
EAP-TLS is working now, but how to configure EAP-FAST as the backup in case TLS is failure then user still able to use FAST as the second choice ?
your reply will be highly appreciated.
thanks heaps.
JackAll you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.
-
I'd like to use EAP-FAST for both my 802.11 wireless and my lan network.
However the only EAP-FAST client I have seen is the ACU for the Aironet products, nothing for the Catalyst (am I missing something?)
Any plans for Ethernet adapter software that does EAP-FAST? I primary use Windows XP-SP2 in my lan.All you really need to do is enabled EAP-FAST on the Radius server. If you are running a controller environment there isn't any changes on the controller needed. If you are running autonomous make sure you have both "authentication open..." and "authentication network-eap..." configured under the SSID. They only thing that would need to be changed would be the client. You could setup two profiles, one for TLS and the other for EAP-FAST.
-
Cisco ISE - eap-peap and eap-tls
Hi,
Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
If peap use this identity source, if tls use 'this certificate authentication profile'.
ThxOK,
so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
The authentication policy was allowing EAP-TLS & EAP-PEAP.
I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
Hope that helps.
Mario -
Hi guys
I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
The endpoints are configured with a username and password. The credentials are created in ISE server.
I create a second policy for wired dot.1x with EAP - PEAP enabled
The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
Thanks in advance.
Sent from Cisco Technical Support iPad AppHi,
There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
Thanks,
Tarik Admani
*Please rate helpful posts* -
EAP Authentication Configuration for EAP-FAST and PEAP
Hi Everyone,
I pretty much got EAP working, however using LEAP
When I get to EAP-FAST and PEAP, I just can't seem to get it to work
What am I missing, I do know that EAP-FAST and PEAP involve certificates. However, how do i set them up on the client side?
Hope you guys can help me on this, stuck on this part xDEAP is a complicated subject for sure. But it shouldn't be really once you know the foundation.
EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how its deployed.
Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACS only.
The cert that you install on the radius server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the radius server who has the private key who can decode the hash and pass the user ID and password back to AD for example.
Hope this helps .. -
Having a problem with PEAP and Cisco 2960 Switch
Hi All,
I am attempting to use PEAP with a LDAP backend on FreeRadius witht he MS Supplicant. I have it all working, in debug on the Radius server I see it sending all the information, the tunnel, medium etc. but with PEAP the Cisco switch is not changing VLANS. If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2 but peap-mschapv2 does not switch the port to the right vlan. Is there something extra on the switch I need to do to allows PEAP or is there something on the FreeRadius?
The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates ands the information is sent once(according to the debug on the Radius server) where as with the EAP the connection information is sent several times, that is I will see the Tunnell and medium info sent more then once in the Radius log for just one login.
Any ideas?Thought I mentioned the client in the first post, I am using the 3 different types of clients with a goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned the EAP-MSChanpV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2. I did not release logs from the Radius server because it seems to be centered with something on the switch changing Vlans but if you want output I can give that..
CSSC Client pops out:
14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843 Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
*************************Raidus Ouptut for PEAP:**************************
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
**************************Radius ouput for EAP******************************
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that Helps. -
Hi Team,
I configured user "Bill"under Local User database with a Local EAP profile with PEAP and EAP-TLS.At this stage I do not have a Radius server but
my understanding is that I should be able to authenticate using Bill's credentials from the Windows XP box.Wireshark capture indicates that EAP does not even complete stage 1.Last message is a EAP Response from the Windows XP to the 1252 and the whole process (EAPOL Start,Request ,Response) keeps repeating itself without getting a response from WLC .Could someone confirm whether I could test 802.1X using this method?
The other odd thing is that I have to use a Novell client which talk to WindowsXP built-in supplicant via PEAP/MSCHAPv2.The environment I'm in does not have vanilla XP boxes.
Any help is much appreciated.
cheers,
JaneshHi Janesh,
what is the version we are running on WLC? The reason i asked this question is through version 4.1, PEAP is not supported locally on the WLC. You need an external RADIUS server. With WLC version 4.2 and later versions, local EAP now supports PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication.
Please follow the configuration guide in order to confgiure local EAP authentication:-
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
thanks,
Vinay
Maybe you are looking for
-
I upgraded my Iphone to IOS6, but now I can't connect it to itunes (10.6.3) because it is not upgraded. However, when I want to upgraded, it says that my computer (imac Mac OS 10.5.8) needs to be upgraded to another version. I can't find anything to
-
OIM 9.1.0.2 - Email notification
Hi experts, When resource is provisioned, I need that OIM send the Email Notification (Provisioning Accounting Complete) for Requester or User's Manager depending of requetee's attributes. If requestee's User Type is Employee, User's Manager should r
-
I've 1.85TB empty space on my Time Machine, but it only retains back-ups to the beginning of the previous month. I should be able to access weekly back-ups for every month before that until the disk is full. Any ideas why it deletes stuff older than
-
How to remove a paragraph style?
How do you remove a paragraph style from a paragraph and make that paragraph not have any style assigned to it? Without deleting the actual style. Thanks.
-
Hi All, I have to 3 rd level of navigation in site of dynamics CRM2013. I have an scenario like on first I click on company (on first tiles) then on the basis of company department should comes first and then when I click on department I want one mor