PEAP and EAP-TLS on ACU?

Hi,
Does Cisco have any plan to support PEAP and EAP-TLS in the next release version of ACU?
Thank you.
Regards,
Delon

As far as I know, there is no such plan as of now.

Similar Messages

  • EAP-PEAP and EAP-TLS on same switched network

    Hello,
    I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
    The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
    I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
    Thanks,
    Guy

    You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
    Good Luck,
    --Jean Paul

  • Cisco ISE - eap-peap and eap-tls

    Hi,
    Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
    I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
    If peap use this identity source, if tls use 'this certificate authentication profile'.
    Thx

    OK,
    so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
    The authentication policy was allowing EAP-TLS & EAP-PEAP.
    I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
    What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
    In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
    When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
    Hope that helps.
    Mario

  • PEAP vs EAP-TLS Wireless Authentication Method

    Hi,
    I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
    I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
    Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
    We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
    Thanks,

    Hi,
    I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
    I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
    Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
    We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
    Thanks,

  • Other LEAP upgrade options besides PEAP and EAP-FAST?

    Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
    Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?

    A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
    TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
    Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
    You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
    If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
    There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
    Good Luck
    Scott

  • No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?

    Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router?  I am replacing with an Asus router.
    thanks,
    KG

    Hi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.

  • ACS 3.3 for windows - Win AD and eap-tls problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why it's not working with the combination EAP-TLS and MS AD.
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    Hi,
    This is what is interesting,
    AuthenProcessResponse: process response for 'phd' against Windows Database
    Unknown User 'phd' was not authenticated
    Done RQ1027, client 50, status -2125
    The field that is being picked from certificate has the value 'phd', check you check which field is it.
    And was the logging at full?, I think something is missing in the logs.
    Lets do a sanity check, and go through following link again,
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
    Regards,
    Prem

  • Different wireless clients, should go for LEAP, PEAP or EAP-TLS?

    Hi ,
    I have a mixture of wireless clients in this customer environment such as PDA, Cisco clients and third party PCMCIA cards.
    Customer requires me to propose an EAP authentication method to authenticate them. WHat suits them?
    I plan to have authentication done on application level. Could you recommend any?
    Thanks.
    Delon

    Delon
    It will more be a matter of what all the clients support, you normally set it up for the least supported client or have different VLANs with different security levels based on what you clients support
    LEAP is only on Cisco or CCX certified cards
    If you base OS is Windows XP and the client cards they have support EAP then EAP-TLS is a pretty good choice if they will support PEAP then that is even better again.
    So to make this choice you really need to know exactly what client cards you have and what they support The AP will support all of them so the choice is based on the clients

  • ISE and EAP-TLS

    Hi
    We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
    22045  Identity policy result is configured for password based authentication  methods but received certificate based authentication request
    I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
    EAP-TLS is enabled in  the 'Default Network Access' authentication result.
    Can anyone shine a light on where I'm going wrong?
    Thanks
    Martin

    Martin,
    Then that makes sense, since the ISE uses certificate based authentication when using eap-tls the certificate doesnt have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:
    http://support.microsoft.com/kb/814394
    Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:
    The IAS or the VPN server computer certificate is configured with the  Server Authentication purpose. The object identifier for Server  Authentication is 1.3.6.1.5.5.7.3.1.
    Here is the Cisco eap-tls deployment guide which references the same as above:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • ACS 4.2 and EAP-TLS with AD and prefix problem

    Hi there
    we have the following situation:
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
    - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
    First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
    Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
    This is the normal output of the Remote Agent, it finds the host but then nothing happens:
    CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
    CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
    CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
    CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
    So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
    test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
    CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
    CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
    CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
    CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
    CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
    CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
    CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
    CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
    CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
    It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
    Could this be the problem or does someone see any other problem?
    Best Regards
    Dominic

    Hi Colin
    thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
    I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
    Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
    Regards
    Dominic

  • IPhone and EAP-TLS with ACS & 5508

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    I have a large customer that is moving into a new building and adding some
    new wireless.
    They are using a 5508 with 1142's and an ACS server.
    They will have the following SSID's
    SSID01 -> WPA-EAP-TLS
    SSID02 -> WPA2-EAP-TLS (future use)
    SSID03 -> Guest Access (internet access only)
    They currently use this design across the enterprise which has worked well.
    The problem is to get certificates pushed down to the client for the EAP-TLS
    they always connect the machine once by wire and log on to the domain so a
    GPO pushes the cert to the machine.
    This creates a problem that I don't know how to solve as they want to use
    iPhones on the new deployment.
    Does anyone have any ideas on how to get a cert down to the iPhones for use
    with the SSID's?
    Thanks in advance for any assistance.

    I don't think we can push certs from windows server to iphones . Probably set up a webpage say a accessible from a different ssid  from which clients can download and install cert. ?

  • 7921G and EAP-TLS

    Has anyone been able to import certificates into the phone. I am attempting to install a user certificate that was generated using a CSR from the phone. We are using an ACS 4.0 which passes the cert off to a MS AD server for validation. Any guidance would be appreciated.

    Yes should work fine. When creating the CSR, will need to upload the root cert for the CA that is signing cert. Then upload that signed cert that is in DER format.
    Ensure you have created a user account for the common name that you have specified and ensure that CN comparison is enabled for EAP-TLS.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/administration/guide/7921cfgu.html
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/administration/guide/7921cfgu.html

  • Rras, nps and eap-tls

    Good day!
    We're trying to deploy VPN schema using RRAS (2008R2SP1, l2tp), NPS and certificates as user authentication method
    RRAS server short name is RRAS. it is in domain (AD, domain.local)
    But we must use local (on RRAS) SAM database (not domain users) as user database
    We've change defaultdomain registry key to "RRAS" as shown in technet article (https://technet.microsoft.com/en-us/library/dd197452(v=ws.10).aspx)
    In NPS we've setup connection and network rules (nothing special, by default, only smartcard as eap auth method)
    In local SAM there is test user "user1"
    In test certificate in UPN we wrote "user1"
    But we have next error - Authentication failed due to a user credentials mismatch
    In windows security log we can see:
    User:
    Security ID: RRAS\user1
    Account Name: user1
    Account Domain: RRAS
    Fully Qualified Account Name: RRAS\user1
    It looks correct, isn't it?
    Also we tried UPN=rras\user1 - the same result
    When we use AD as user DB and UPN=[email protected] - it works correctly
    What we do wrong?
    Can we use non-domain usernames as UPN in certificates?
    How to map in certificate non-domain user?
    Thanks!

    Eve,
    yes, the registry key DefaultDomain is configured to RRAS (name of VPN server)
    detailed information was in first message
    VPN architecture consist of one server (RRAS and NPS role installed)
    On NPS we chose EAP auhentication method with smartcard or other certificate type only
    clients connect to RRAS using michine and user certificates
    IKE phase is compleated successfully
    But on user authentication phase described error is generated
    I repeat main questions:
    1. Can we use non-domain usernames
    as UPN in certificates?
    2. How to map non-domain user
    in certificate?
    Thanks!

  • Access connection​s 5.50 and EAP TLS with Computer certificat​e

    Hello,
    I'm trying to connect to a Wifi using Computer certificate to authenticate and it works perfectly fine with windows Wireless Zero Config however with Thinkvantage Access Connection I always get an authentication error.
    I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
    OS is windows XP with SP3 and all the windows update (as of today).
    On my Radius server this is what I get:
    If I use WZC I get this in the authentication:
    Security ID: DOMAIN\R61WXP$ (this is my computer name)
    Account name: host/R61WXP.domain.local
    Account Domain: DOMAIN
    FQDN: DOMAIN\R61WXP$
    When I use Access Connections:
    Security ID: DOMAIN\Guest
     Account name: 
    Account Domain: DOMAIN
    FQDN: DOMAIN\Guest
    My Access connection profile is set this way:
    IEEE802.1x => Authenticate as Computer when the information is available.
    I hope someone can help !
    Thanks!

    Hi,
    try to dissable the IEEE802.1x => Authenticate as Computer when the information is available.
    Make also sure, that the profile connection is correctly configured in the AC profile settings.
    This mighe the the root cause.
    I can tell you, that there must be something missconfigured, as this configuration will surelly work .
    Cheers

  • EAP-TLS and EAP-PEAP Clients

    Hi guys
    I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
    Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
    The endpoints are configured with a username and password. The credentials are created in ISE server.
    I create a second policy for wired dot.1x with EAP - PEAP enabled
    The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
    When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
    Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
    Thanks in advance.
    Sent from Cisco Technical Support iPad App

    Hi,
    There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
    You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
    The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

Maybe you are looking for