PEAP ACS authentication - 1242AG - AP authentication Tab

Hello,
We are trying to get a 1242AG access point to have the users connected to it authenticate to the ACS server. The 1242AG has a new menu, AP authentication. Has anyone dealt with this menu and gotten this setup to work? The version is 12.4(10b)JA. It looks like the AP isn't talking to the ACS. Thanks

Look over this doc... it has the basics to get it working:
http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml
This is for LWAPP, but has information on configuring ACS also:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00807917aa.shtml#t23

Similar Messages

  • PEAP & ACS & machine authentication

    OK, here's the issue :
    Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.
    ACS SE 4.0 and a second ACS SE with 4.1
    Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
    Machine authentication not working. i.e. a user can't logon until they've previously logged on.
    Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
    Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
    ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
    Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
    Please tell me we don't need to install certs on clients - I thought PEAP was server side only? Surely?
    Help, someone, help...

    This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
    I referred to this document on MS's site:
    http://www.microsoft.com/technet/network/wifi/ed80211.mspx
    Plus probably the same document you were using from CCO.
    I also installed the two Microsoft Wireless updates for XP SP2 computers; however, I am not 100% sure these were essential. The default supplicant behaviour worked OK, as the APs send EAP frames to the associated wireless clients, which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on the PC (SSID & its settings); this can be pushed via GPO, but if the machine has never been on the network (wired/wireless) you can get into a chicken-and-egg situation.
    You don't need to use the Cisco supplicant.
    HTH
    Andy

  • Missing machine authentication - peap acs

    Hi,
    my setup is:
    Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)
    WLC 4402 ver 4.0.179.8
    Aironet 1131 LWAPP
    dell laptop with windows xp sp2 with peap auth (using win control of wlan card)
    I experience a problem with missing machine authentication even though I have enabled this in ACS (Enable PEAP machine authentication). The regkey on the PCs is the standard Windows one (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
    http://support.microsoft.com/kb/309448/en-us
    I get these messages in the wlc log:
    AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    anyone who can point me in the right direction?
    Is it a windows client problem or a WLC/ACS problem?
    regards rolf

    Hi,
    I still have the problem with machine authentication that stops working after 3-4 days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the Win2003 server running Cisco ACS. I did put an error in my first post: it's not the WLC log that reports this:
    AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
    AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
    It is the Csauth log on the ACS. Have anybody seen this error message and know what it refers to?
    My problem now is that machine authentication works OK for some days, then stops, and then the listed error messages start coming in the csauth log.
    regards rolf

  • Wireless PEAP users authenticated by TACACS+

    Hello,
    I have the following scenario: access points 1214 (fat AP) connected to ACS (RADIUS), and the ACS integrated with Novell LDAP as an external database.
    The wireless users use PEAP for authentication. Here is the problem: when I try to connect wirelessly with a username and password configured locally in the ACS database it works fine, but if I use a username and password listed in the Novell LDAP I get the error "Auth type not supported by External DB".
    Note:
    For VPN users, I can connect and access the network resources from outside with username and password listed on Novell LDAP database (integration between ACS and Novell LDAP is fine). Maybe this note could help you!!
    Regards,
    Belal

    Hello Darran,
    Thx for your feedback..
    Now I'm trying to configure EAP-TLS, but as stated in the configuration guide I should have CA certificates for both the ACS and the wireless users. Here is the question: shall I have a CA server, or is there another way to complete the task (use a locally generated certificate, for example, if possible)?
    Regards,
    Belal

  • Bypass PEAP user authentication

    Hello.
    We use PEAP/MSCHAPv2 for client AND user authentication. Wireless users and clients are authenticated by the ACS by asking for an ADS user group membership. Only authenticated users on authenticated clients should have access to LAN resources protected by the WLAN controller. If the wireless client uses WZC and the logged-on user is not a member of the user group, he will not be authenticated and is blocked by the WLAN controller. But if the wireless client uses the current "Intel Wireless Pro Set" AND the user is not a member of the ADS group, the ACS drops the user authentication request, but a few seconds later the user nevertheless has access to internal resources.
    In this case I think the user authentication request is not handled correctly by the ACS, so the authenticated client will have access through the WLAN controller, and a user not authenticated by ACS will have access to LAN resources via his locally cached user credentials.
    Is this a possible security leak, or do I have a configuration problem?
    Best regards
    Olaf Bachmann

    This is not a security leak but a configuration issue. If the client utility and the ACS and ADS database are correctly configured then you will not see any issues.

  • PEAP wireless authentication

    Has anyone successfully implemented a PEAP wireless solution? I have PEAP authentication working with a client using Cisco ACS 3.1 and authenticating with OTP (SecurID). Everything works great, except that when the user logs into Windows 2000 the first time after booting up the PC, they are logging in with a cached account. This is due to the fact that the Cisco interface in which you enter your username and passcode does not appear until after logging into Windows. Is there a way to authenticate the wireless network connection before logging into the Windows domain?

    I am also having the same issue with PEAP not authenticating prior to domain authentication. LEAP works correctly, but I'm told I need the added security of the SSL tunnel (the EAP-TLS part of PEAP). If PEAP authentication cannot occur before domain authentication, is there a way to make it authenticate immediately afterwards? It seems the client sits associated to the AP and never tries to authenticate until traffic is passed. This presents a bad user experience.
    I am running an AP1100 with Aironet 350 PCMCIA cards, and Secure ACS as the authentication server.
    Thanks
    CS

  • New Intel Wireless Pro set let bypass PEAP user authentication

    Hello.
    I have a critical situation. We use PEAP/MSCHAPv2 for client and user authentication. Wireless users and clients are authenticated by the ACS by asking for an ADS user group membership. Valid users and clients have access to LAN resources protected by the WLAN controller. If the wireless client uses WZC and the logged-on user is not a member of the user group, he will not be authenticated and has no access through the WLAN controller. But if the wireless client uses the current "Intel Wireless Pro Set" and the user is not a member of the ADS group, the ACS drops the user authentication request. But some seconds later the user nevertheless has access to internal resources.
    In this case I think the user authentication request is not handled correctly by the ACS, so the authenticated client will have access through the WLAN controller, and a user not authenticated by ACS will have access to LAN resources via his locally cached user credentials.
    Is this a possible security leak, or do I have a configuration problem?
    Best regards
    Olaf Bachmann

    Hi irisrios.
    PEAP "Fast Reconnect" is disabled on the ACS side.
    But in the meantime we made some tests with Cisco ACS and a Nortel WLAN controller. If the WLAN client uses a wireless profile generated with the Intel PROSet (!! full installation incl. admin tools and pre-logon authentication !!), then a user who is not a member of the WLAN user group has access to LAN resources.
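    Both "Bypass PEAP user authentication" threads above describe the same gap: the machine account passes PEAP, the user account is then rejected by ACS, yet the client keeps the network access it earned from the machine authentication. The check the ACS/controller side needs is to correlate the two authentications per endpoint (ACS 4.x exposes this as machine access restrictions) and restrict any endpoint whose user authentication failed or never arrived. The following is an added example, not code from the posters or from Cisco; the semicolon-separated log format, the usernames, the MAC addresses and the five-minute grace period are all constructed assumptions, and it uses the Calling-Station-Id as the only key for tying a user authentication to the earlier machine authentication.

```python
from datetime import datetime, timedelta

# Constructed ACS-like records "timestamp;status;user;calling-station-id"
# (this is NOT real ACS csauth/passed-authentication output) for three clients:
#   ...-01  machine auth passed, user auth passed    -> leave alone
#   ...-02  machine auth passed, user auth rejected  -> must be restricted
#   ...-03  machine auth passed, no user auth at all -> restrict once the grace period expires
SAMPLE_LOG = """\
2006-09-26 07:50:00;Passed;host/WS01.corp.example;00-11-22-33-44-01
2006-09-26 07:50:20;Passed;CORP\\alice;00-11-22-33-44-01
2006-09-26 07:51:00;Passed;host/WS02.corp.example;00-11-22-33-44-02
2006-09-26 07:51:16;Failed;CORP\\bob;00-11-22-33-44-02
2006-09-26 07:52:00;Passed;host/WS03.corp.example;00-11-22-33-44-03
"""

# Assumed grace period between a passed machine auth and the user auth that must follow it.
GRACE = timedelta(minutes=5)


def parse(log):
    """Split the constructed log into (timestamp, status, user, mac) tuples."""
    rows = []
    for line in log.splitlines():
        ts, status, user, mac = line.split(";")
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), status, user, mac))
    return rows


def is_machine(user):
    """Machine accounts show up as host/<fqdn> (PEAP) or <NAME>$ (SAM style)."""
    return user.startswith("host/") or user.endswith("$")


def machine_only_sessions(log, now):
    """Return {mac: reason} for endpoints whose machine auth passed but whose
    user auth did not: either ACS rejected the user, or no user auth arrived
    within GRACE of the machine auth. These are the sessions that must not
    keep full LAN access on the strength of the machine credential alone."""
    machine_seen = {}   # mac -> time of the last passed machine auth
    user_result = {}    # mac -> status of the last user auth after that machine auth
    for ts, status, user, mac in parse(log):
        if is_machine(user):
            if status == "Passed":
                machine_seen[mac] = ts
                user_result.pop(mac, None)   # a new machine session resets the user state
        elif mac in machine_seen:
            user_result[mac] = status

    flagged = {}
    for mac, ts in machine_seen.items():
        result = user_result.get(mac)
        if result == "Passed":
            continue
        if result == "Failed":
            flagged[mac] = "user authentication rejected"
        elif now - ts > GRACE:
            flagged[mac] = "no user authentication within grace period"
    return flagged


def audit_sample(now_str="2006-09-26 08:00:00"):
    """Run the correlation over the constructed sample at an assumed 'now'."""
    return machine_only_sessions(SAMPLE_LOG, datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S"))


if __name__ == "__main__":
    for mac, reason in audit_sample().items():
        print(f"restrict {mac}: {reason}")
```

    Run against the sample, the script flags the second and third clients and leaves the first alone; in a real deployment the same decision is what moves the endpoint into a restricted group or VLAN rather than leaving it on the machine-authenticated session the posters observed.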

  • Authentication tab SAP - BOxi Ent 3.1 and Int kit on AIX

    Hello
    Installation of BO-XI Enterprise 3.1 and SAP integration kit 3.1 on AIX.
    Both products installed successfully. But on the CM Console, in the authentication tab, SAP
    is not appearing. Also, when we try to create a new connection using universe designer
    from clients (Windows) we get the following error:
    "DBD: A runtime exception has occurred. (Licensed key checked failed.
    Check that you are licensed to access SAP data source)"
    Regards
    Upendra

    Dear Stratos
    version libsapjco3 is 64 bit for aix
    eb components automatically deployed.
    At present we are using temporary license key.
    Following description may clear scenario.
    BO-XI Enterprise 3.1 and SAP integration kit 3.1 on AIX installed successfully.
    We are trying to create new connection to SAP BW system as data source using universe
    designer from clients (Windows) we get error from one client
    "DBD: An error occurred while trying to load the provider for transport sap.
    Failed to load library MDA_SAP. System error message "the specified module could not be found""
    From another client (PC) the error comes as
    "DBD: A runtime exception has occurred. (Licensed key checked failed. Check that you are licensed to access SAP data source)"
    When we checked on the CM Console, in the authentication tab SAP is not appearing.
    In short, our BO system is not able to communicate with the BW system.

  • Don't see Windows NT option in authentication tab on the CMC login page

    I installed BusinessObjects Enterprise XI 3.1 and the installation was successful. We are using Windows NT authentication. I mapped the Windows NT users. The Windows NT users group was populated under 'users and groups'. Everything looks fine. The problem is that I am not able to see the Windows NT option in the authentication tab on the CMC login page. (I can see only Enterprise, LDAP and Windows AD.) I can see the Windows NT option in the authentication tab on the InfoView login page without problem.
    I tried to reconfigure the web.xml file (I replaced 'secEnterprise' with 'secWindowsNT', but it still doesn't work).
    web.xml in E:\Program Files\Business Objects\BusinessObjects Enterprise 12.0\warfiles\WebApps\CmcApp\WEB-INF is as follows now:
    <!-- You can specify the default Authentication types here -->
        <!-- secEnterprise, secLDAP, secWinAD, secSAPR3 -->
        <context-param>
            <param-name>authentication.default</param-name>
            <param-value>secWindowsNT</param-value>
        </context-param>
        <!-- Choose whether to let the user change the authentication type -->
        <!-- If it isn't shown the default authentication type from above will be used -->
        <context-param>
            <param-name>authentication.visible</param-name>
            <param-value>true</param-value>
        </context-param>
    Any idea? Thanks

    Sherri, on page 457 of the admin guide it says:
    "The CMC and other Java-based applications do not support NT
    authentication."
    I think it's because only Windows-based apps support Windows NT authentication, but not Java-based ones.
    I think the CMC is a Java-based application.

  • Giving access to 'Authentication' tab in CMC

    Hi,
    We have a user admin role in BO project which has access to only Users and groups section in CMC. We need to give access to Authentication tab in CMC for this group.
    The reason behind this is - we have a user role imported from SAP BW to BO. Whenever a new user is assigned to this user its not getting automatically visible in CMC user list. We need to go to 'Roles import' tab and click update always. We have checked the 'Force User Syn' and 'Automatically Import users' checkboxes. Once the user is imported we have to assign it to one group in BO to complete the user creation in BO.
    Please let us know if there is anyway we can give access to 'Authentication' tab alone in BO for a user / group
    Regards,
    Sivakami

    Hi Ingo,
    or you could simplify it and create those kind of roles already on the SAP side.
    >> This was my suggestion also to the team, but BW security team thinks its a redundancy to create mapping roles in BW
    In my opinion - if you have to go down to a user level as part of the role assignments or as part of the rights assignment you are complicating the administration view unnecessary
    >> I explained the same, but they follow this in all other applications and they want the same in BO also. Let me discuss these options with the team.
    Thanks for your prompt replies
    Regards,
    Sivakami

  • SAP authentication tab not enabled

    Hi,
    We have installed BO XI R2 and the integration kit successfully on a Unix server, but when I log on to the CMC page, the SAP authentication tab doesn't get highlighted. What can we do so that I can edit the SAP authentication settings? Please give me some pointers to resolve this issue.
    Thanks & Regards,
    Phani.

    OK, the issue you face is usually related to the deployment of your SAP Java connector within your app server. I recommend going through the deployment guide step by step again, and if you still face the issue, create a support message with SAP BO support. The support guys from the SAP Int Team should be able to connect remotely to your system and verify the deployment.
    I hope this helps,
    Tim

  • Can Cisco Device Manager Support ACS Authentication?

    Background:
    My company has approximately 500+ devices all across the country (mainly 2801's, 2924's, 2950's, and 2960's) and approx 3 people that have a real idea of how to configure the devices, and 2 or 3 that have a general clue about how to do it. I am in the process of moving all of these devices to use ACS authentication for signing into the device. While I am doing this I am establishing a strong password for the secret password to provide as a backup.
    Problem:
    My supervisor would like the cisco device manager to be available to the people that don't have the in depth cli experience. However in my testing, it will only accept the strong password for its authentication, and does not try the ACS server for authentication. Is this possible?

    Hi,
    Actually, there is a difference in where the method list for HTTP authentication is picked from.
    With the HTTP v1 server, the same method list is picked that is used by the VTY lines.
    With the HTTP v1.1 server, but before the integration of the fix for bug CSCeb82510, the method list defined for the console is checked.
    After the fix for the above-mentioned bug, we have a different set of commands that we can use.
    I would suggest you give this a try:
    aaa authentication login CONSOLEandHTTP tacacs+ local
    aaa authorization exec CONSOLEandHTTP if-authenticated
    ip http authentication aaa
    line con 0
    login authentication CONSOLEandHTTP
    authorization exec CONSOLEandHTTP
    For detail please refer,
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008069bdc5.shtml
    Regards,
    Prem
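    The reply above boils down to one question you can answer from a device's running configuration: is `ip http authentication` set to `aaa`, and does the method list that the HTTP server ends up using (under the v1.1 behaviour described, the one bound to `line con 0`) send logins to TACACS+/RADIUS before falling back to `local`? The script below is an added example, not code from the poster or from Cisco: it parses two constructed IOS configuration snippets and reports how device-manager logins would be authenticated. It assumes the console-line rule exactly as the reply states it, and it treats an optional `login-authentication <list>` keyword after `ip http authentication aaa` as an assumed way of naming the list explicitly; nothing else about a real device is inferred.

```python
import re

# Constructed IOS configurations (not from any real device) used as sample input.
# The first follows the reply's suggestion: one list shared by console and HTTP.
CONFIG_SHARED_LIST = """\
aaa new-model
aaa authentication login CONSOLEandHTTP tacacs+ local
aaa authorization exec CONSOLEandHTTP if-authenticated
ip http server
ip http authentication aaa
line con 0
 login authentication CONSOLEandHTTP
 authorization exec CONSOLEandHTTP
line vty 0 4
 login authentication VTY
"""

# The second is the situation the original poster hit: HTTP only ever checks the enable secret.
CONFIG_ENABLE_ONLY = """\
aaa new-model
aaa authentication login default group tacacs+ local
ip http server
ip http authentication enable
line con 0
 login authentication default
"""

SERVER_METHODS = {"tacacs+", "radius"}


def parse_method_lists(config):
    """Return {list_name: [methods]} from 'aaa authentication login' lines.
    'group <name>' pairs are folded into one 'group:<name>' token so that
    server-group methods are distinguishable from local/enable/line/none."""
    lists = {}
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", config, re.M):
        name, words = m.group(1), m.group(2).split()
        methods, i = [], 0
        while i < len(words):
            if words[i] == "group":
                methods.append("group:" + words[i + 1])
                i += 2
            else:
                methods.append(words[i])
                i += 1
        lists[name] = methods
    return lists


def console_login_list(config):
    """Method list bound under 'line con 0' ('default' if none is bound)."""
    block = re.search(r"^line con 0\n((?: .*\n)*)", config, re.M)
    if block:
        bound = re.search(r"^ login authentication (\S+)$", block.group(1), re.M)
        if bound:
            return bound.group(1)
    return "default"


def http_auth_mode(config):
    """Return (mode, explicit_list) from 'ip http authentication ...'.
    IOS defaults to the enable password when the command is absent.
    The 'login-authentication <list>' keyword is an assumption of this example."""
    m = re.search(r"^ip http authentication (\S+)(?: login-authentication (\S+))?", config, re.M)
    if not m:
        return "enable", None
    return m.group(1), m.group(2)


def is_server_method(method):
    return method in SERVER_METHODS or method.startswith("group:")


def audit_http_auth(config):
    """Describe how HTTP (device manager) logins will be authenticated and
    list findings where they would never reach the AAA server."""
    mode, explicit = http_auth_mode(config)
    result = {"mode": mode, "list": None, "methods": [], "uses_server": False, "findings": []}
    if mode != "aaa":
        result["findings"].append(f"ip http authentication {mode}: device-manager logins never reach ACS")
        return result
    name = explicit or console_login_list(config)   # the v1.1 console rule from the reply
    methods = parse_method_lists(config).get(name, [])
    result["list"], result["methods"] = name, methods
    if not methods:
        result["findings"].append(f"method list '{name}' is not defined")
        return result
    result["uses_server"] = any(is_server_method(x) for x in methods)
    if not result["uses_server"]:
        result["findings"].append(f"method list '{name}' has no tacacs+/radius method")
    elif methods[-1] != "local":
        result["findings"].append(f"method list '{name}' has no local fallback for when ACS is unreachable")
    return result


if __name__ == "__main__":
    for label, cfg in (("shared list", CONFIG_SHARED_LIST), ("enable only", CONFIG_ENABLE_ONLY)):
        print(label, audit_http_auth(cfg))
```

    The shared-list configuration comes back clean (TACACS+ first, `local` as the backup the original poster wanted), while the `enable`-only configuration is flagged because the strong enable secret is the only thing the device manager will ever check.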

  • AP1252 : Support for LEAP and PEAP for authentication

    Hi,
    We are deploying Cisco AP1252 in unified (lightweight) mode and would like to know whether it will support both LEAP as well as PEAP for authenticating clients at the same time (mixed mode). If yes, kindly let me know the configuration for the same.

    Local EAP authentication on Wireless LAN Controllers was introduced with Wireless LAN Controller version 4.1.171.0.
    Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, so it removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.
    Local EAP can use an LDAP server as its backend database to retrieve user credentials.
    An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

  • ACS 4.2.1 - PEAP Machine Authentication - Hostname different from PC account name in AD

    Hello!
    I don't really know whether this issue has been asked before.
    I have to configure PEAP authentication with ACS 4.2.1 for Windows against Active Directory.
    ACS is a member of AD domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
    Hosts get a hostname as dhcp.domainname via DHCP. This is also the name the machine uses for the AAA request.
    User authentication works fine, because the user account is also hosted in xyz.domainname.
    The host authentication fails, because dhcp.domainname is a DNS domain only, not a Windows AD subdomain.
    Does anybody know a solution for this special constellation?
    Is it possible to strip or rewrite the domain suffix in any way during the authentication process?

    Hello Jean,
    I am guessing that you are using 802.1x wireless.
    This is expected behaviour, because AD forces the computer to change its password every month, and if the computer is not on the domain at that moment, the computer won't take that change.
    This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
    Please see links below that explain this situation.
    http://support.microsoft.com/kb/216393/en-us
    http://support.microsoft.com/kb/904943
    Hope this helps
    Erdelgad
    Cisco CSE

  • ACS authentication against AD

    I am in the process of installing an ACS demo and tying it to AD. I have the base stuff installed, meaning ACS is in and operational and I have it joined to my domain. I am now at the point of selecting my AD groups and attributes within those groups. I know very little about AD, so that may be part of my confusion.
    First off, I gather that I need to specify a specific group to get the actual username/password authentication process to work? I loaded the Windows Active Directory Editor (ADExplorer from Sysinternals) so that I could see and browse what AD groups I have available. I also think that if my domain is 123.abc.corp I need to use DC=123,DC=abc,DC=corp and then pick the correct CN that I need?
    I have two ultimate goals for the use of ACS. First, we want to look into using it for our VPN authentication, so I figure we need, say, a remote group that has the users for VPN connectivity. Is it a simple matter of adding the group, or are there any specific or recommended fields I need to have with this group?
    Secondly, we also want to use ACS for dot1x authentication on our Cisco switches but need VLAN information tied to the user. My question here is: is this something that we can add as a field to the user information, or is it better to add it as a field in another group?
    I am looking for configuration examples but wanted to also make sure that I am following best practices, so any assistance is appreciated.
    brent

    If you have a single domain then you don't need to specify the domain name; just click on the 'select' button under directory groups to fetch/retrieve the AD groups and then add them.
    Use this page to select groups that can then be available for policy condition,
    Select Users and Identity Stores > External Identity Stores > Active Directory, then click the Directory Groups tab.
    For more information, you may visit the below listed URL
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1140999
    Once you are done, go to the access policy >> on the right bottom corner you will see a tab "customize"; click on it and move the attribute AD1:ExternalGroups to the right-hand side >> click OK >> create a new authorization policy and select the group you fetched in the directory groups under the AD configuration.
    In order to do dynamic VLAN assignment on ACS 5.1 you do the following:
    Policy elements >> Authorization and permissions >> Network Access >> Authorization profile >> Create >> Give it a name, for example "switch" >> Common tasks >> Click on VLAN ID name >> Select Static >> Give the VLAN number >> Click Submit >> Go to Access Policies >> Under default network access click on authorization >> Create >> Give the rule a name like "vlan assignment for SWITCH" >> Click on AD1:ExternalGroups >> Contains any >> Select -> choose the appropriate AD group >> Click OK >> Click select for authorization profiles >> Choose the profile that was previously created called "switch" >> Click OK >> Now you have assigned the VLAN of "SWITCH" to the AD group >> Click OK.
    HTH
    Regds,  Jatin
    Do rate helpful posts~
