PEAP and EAP-TLS on ACU?
Hi,
Does Cisco have any plan to support PEAP and EAP-TLS in the next release version of ACU?
Thank you.
Regards,
Delon
As far as I know, there is no such plan as of now.
Similar Messages
-
EAP-PEAP and EAP-TLS on same switched network
Hello,
I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are historical, i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will be there.
The AAA server is a Cisco ACS (4.2 or 5.1 - don't know yet).
I've not tested this or so, but I don't think this will be an issue... because from a switch point of view, it is just passing EAP traffic to the RADIUS, and so the required services need to be made available on the RADIUS server... is that a correct assumption?
Thanks,
Guy
You are right Guy, the switch just acts as an intermediary device. It just passes EAPOL packets between the ACS server and the client, and waits until the ACS server authenticates the client (internal DB, or external DB = AD, LDAP). You just need to enable EAP-TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Lastly, make sure that your certificates on both sides are valid and signed by the CA.
Good Luck,
--Jean Paul -
Cisco ISE - eap-peap and eap-tls
Hi,
Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
I don't seem to get that working; I do however make the ISE application crash with my config, which is not the idea.
If PEAP, use this identity source; if TLS, use 'this certificate authentication profile'.
Thx
OK,
so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
The authentication policy was allowing EAP-TLS & EAP-PEAP.
I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
What I found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for user auth you use EAP-PEAP.
In my setup, machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+Alt+Del, so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings.
When the user then logs in, the user account authenticates using EAP-PEAP. I don't think you can authenticate both the logged-on user and the machine at the same time. Not with the native Windows supplicant anyway. Windows either sends an authentication request for the user or for the machine, but not both.
Hope that helps.
Mario -
PEAP vs EAP-TLS Wireless Authentication Method
Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks, -
Other LEAP upgrade options besides PEAP and EAP-FAST?
Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local RADIUS authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about an ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
Here's the problem.... there is no way my company will pay for a RADIUS server at each individual location. As both PEAP and EAP-FAST seem to require an actual RADIUS server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, and are they superior to my current LEAP setup?
A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
There are a couple of approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're likely to get.
Good Luck
Scott -
Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router? I am replacing with an Asus router.
thanks,
KG
Hi! It's best to uninstall them all if you are not going to use them, for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.
-
ACS 3.3 for windows - Win AD and eap-tls problem
Hi,
I have a problem with an ACS to authenticate users with certificate on MS AD.
Working things:
PEAP authentication with the MS AD;
EAP-TLS authentication with the local DB.
Not working things:
EAP-TLS authentication with MS AD.
Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
Because I'm able to auth users with certificates in EAP-TLS, I guess my certificate config is correct.
So, why is it not working with the combination of EAP-TLS and MS AD?
I receive the error 'External DB Account Restriction'.
Thanks for your help.
Hi,
This is what is interesting,
AuthenProcessResponse: process response for 'phd' against Windows Database
Unknown User 'phd' was not authenticated
Done RQ1027, client 50, status -2125
The field that is being picked from the certificate has the value 'phd'; check which field it is.
And was the logging at full? I think something is missing in the logs.
Let's do a sanity check, and go through the following link again:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a008068d45a.shtml
Regards,
Prem -
Different wireless clients, should go for LEAP, PEAP or EAP-TLS?
Hi ,
I have a mixture of wireless clients in this customer environment such as PDA, Cisco clients and third party PCMCIA cards.
The customer requires me to propose an EAP authentication method to authenticate them. What suits them?
I plan to have authentication done at the application level. Could you recommend any?
Thanks.
Delon
Delon
It will more be a matter of what all the clients support. You normally set it up for the least supported client, or have different VLANs with different security levels based on what your clients support.
LEAP is only on Cisco or CCX certified cards.
If your base OS is Windows XP and the client cards they have support EAP, then EAP-TLS is a pretty good choice; if they will support PEAP, then that is even better again.
So to make this choice you really need to know exactly what client cards you have and what they support. The AP will support all of them, so the choice is based on the clients. -
Hi
We're planning on implementing eap-tls for our corporate iPads and in the past I've successfully tested it authenticating against ACS5.3 but now that we've moved to ISE (1.1.1.24) I'm getting an error.
22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request
I've tried two different profiles, one with a certificates and AD credentials and the other one with just certificates but the error message is the same for both.
EAP-TLS is enabled in the 'Default Network Access' authentication result.
Can anyone shine a light on where I'm going wrong?
Thanks
Martin
Martin,
Then that makes sense: since ISE uses certificate based authentication when using EAP-TLS, the certificate doesn't have the OIDs to support certificate based authentication. Here is a guide that shows the requirements needed in order to authenticate clients via certificates:
http://support.microsoft.com/kb/814394
Here is the comment in the article in this case the IAS is the radius server and the same holds true for ISE:
The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1.
Here is the Cisco eap-tls deployment guide which references the same as above:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml#wp39121
Thanks,
Tarik Admani
*Please rate helpful posts* -
ACS 4.2 and EAP-TLS with AD and prefix problem
Hi there
we have the following situation:
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
- 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
This is the normal output of the Remote Agent, it finds the host but then nothing happens:
CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB: Creating Domain cache
CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB: Creating Domain cache
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
It's clear that the test was not successful because of the wrong "machine password", but it's a different output than before. I saw that in ACS 4.1 you could change the prefix host/ to nothing, but in 4.2 this is not possible anymore.
Could this be the problem or does someone see any other problem?
Best Regards
Dominic
Hi Colin
Thanks for your answer, we had this setting correct. I was able to solve the problem yesterday; we had some faults in the AD mapping.
I didn't know that when I select more AD groups for one ACS group in one step, the user / host has to be in every one of these AD groups (AND conjunction).
Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
Regards
Dominic -
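Added example, not from the original thread: a small parser for ACS Remote Agent (CSWinAgent) lines like the ones quoted above. It groups events by thread id, records which identity the agent found or tried to authenticate, and decodes the Win32 error code; it also applies the host/<fqdn> to HOSTNAME$ mapping that the post attributes to the ASA test command. The log lines are constructed from the post (x.x.x.x kept as a placeholder), and 1326 being ERROR_LOGON_FAILURE is a Windows fact, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the CSWinAgent lines quoted in the post.
SAMPLE_LOG = """\
CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
"""

LINE_RE = re.compile(
    r"^CSWinAgent (?P<date>\S+) (?P<time>\S+) A (?P<code>\d{4}) (?P<thread>\d+) 0x0 (?P<msg>.*)$"
)
RPC_RE = re.compile(r"RPC: (?P<rpc>\w+) received")
FOUND_RE = re.compile(r"User '(?P<user>[^']+)' was found \[(?P<domain>[^\]]+)\]")
ATTEMPT_RE = re.compile(r"Attempting Windows authentication for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Windows authentication FAILED \(error (?P<err>\d+)L?\)")

# Win32 error codes worth decoding here; 1326 is ERROR_LOGON_FAILURE.
WIN32_ERRORS = {1326: "logon failure: unknown user name or bad password"}


def machine_account(identity: str) -> str:
    """Map an EAP identity host/<fqdn> to the AD machine account name HOSTNAME$
    (the transformation the post says the ASA applies); other names pass through."""
    if not identity.lower().startswith("host/"):
        return identity
    hostname = identity[len("host/"):].split(".", 1)[0]
    return hostname.upper() + "$"


def parse_remote_agent_log(text: str) -> dict:
    """Summarise RPC type, identities found, auth attempts and failures per thread id."""
    threads = defaultdict(lambda: {"rpc": None, "found": [], "attempts": [], "failures": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a CSWinAgent line
        rec, msg = threads[m["thread"]], m["msg"]
        if (r := RPC_RE.search(msg)):
            rec["rpc"] = r["rpc"]
        elif (f := FOUND_RE.search(msg)):
            rec["found"].append((f["user"], f["domain"]))
        elif (a := ATTEMPT_RE.search(msg)):
            rec["attempts"].append(a["user"])
        elif (e := FAILED_RE.search(msg)):
            code = int(e["err"])
            rec["failures"].append((code, WIN32_ERRORS.get(code, "unknown error")))
    return dict(threads)


if __name__ == "__main__":
    for tid, rec in parse_remote_agent_log(SAMPLE_LOG).items():
        print(tid, rec)
```

The thread that only answers NT_DSAuthoriseUser never reaches an authentication attempt, which is the "finds the host but then nothing happens" pattern in the post.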
IPhone and EAP-TLS with ACS & 5508
I have a large customer that is moving into a new building and adding some new wireless.
They are using a 5508 with 1142's and an ACS server.
They will have the following SSID's:
SSID01 -> WPA-EAP-TLS
SSID02 -> WPA2-EAP-TLS (future use)
SSID03 -> Guest Access (internet access only)
They currently use this design across the enterprise, which has worked well.
The problem is getting certificates pushed down to the client for EAP-TLS: they always connect the machine once by wire and log on to the domain so a GPO pushes the cert to the machine.
This creates a problem that I don't know how to solve, as they want to use iPhones on the new deployment.
Does anyone have any ideas on how to get a cert down to the iPhones for use with the SSID's?
Thanks in advance for any assistance.
I don't think we can push certs from Windows Server to iPhones. Probably set up a webpage accessible from a different SSID from which clients can download and install the cert?
-
Has anyone been able to import certificates into the phone? I am attempting to install a user certificate that was generated using a CSR from the phone. We are using an ACS 4.0 which passes the cert off to a MS AD server for validation. Any guidance would be appreciated.
Yes, it should work fine. When creating the CSR, you will need to upload the root cert for the CA that is signing the cert. Then upload that signed cert in DER format.
Ensure you have created a user account for the common name that you have specified and ensure that CN comparison is enabled for EAP-TLS.
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/administration/guide/7921cfgu.html -
Good day!
We're trying to deploy a VPN schema using RRAS (2008R2SP1, l2tp), NPS and certificates as the user authentication method.
The RRAS server's short name is RRAS. It is in the domain (AD, domain.local).
But we must use the local (on RRAS) SAM database (not domain users) as the user database.
We've changed the DefaultDomain registry key to "RRAS" as shown in the TechNet article (https://technet.microsoft.com/en-us/library/dd197452(v=ws.10).aspx).
In NPS we've set up connection and network rules (nothing special, by default, only smartcard as EAP auth method).
In the local SAM there is a test user "user1".
In the test certificate's UPN we wrote "user1".
But we get the following error - Authentication failed due to a user credentials mismatch.
In windows security log we can see:
User:
Security ID: RRAS\user1
Account Name: user1
Account Domain: RRAS
Fully Qualified Account Name: RRAS\user1
It looks correct, doesn't it?
Also we tried UPN=rras\user1 - the same result.
When we use AD as the user DB and UPN=[email protected] - it works correctly.
What are we doing wrong?
Can we use non-domain usernames as UPN in certificates?
How do we map a non-domain user in a certificate?
Thanks!
Eve,
yes, the registry key DefaultDomain is configured to RRAS (name of the VPN server).
Detailed information was in the first message.
The VPN architecture consists of one server (RRAS and NPS roles installed).
On NPS we chose the EAP authentication method with smartcard or other certificate type only.
Clients connect to RRAS using machine and user certificates.
The IKE phase is completed successfully.
But in the user authentication phase the described error is generated.
I repeat the main questions:
1. Can we use non-domain usernames as UPN in certificates?
2. How do we map a non-domain user in a certificate?
Thanks! -
Access Connections 5.50 and EAP-TLS with Computer certificate
Hello,
I'm trying to connect to a WiFi using a Computer certificate to authenticate, and it works perfectly fine with Windows Wireless Zero Config; however with ThinkVantage Access Connections I always get an authentication error.
I'm using a R61 with a ThinkPad 802.11a/b/g/n, 802.11b/g/n Wireless LAN Mini PCI Express Adapter. It's been updated to the latest driver (v7.6.1.260b)
OS is windows XP with SP3 and all the windows update (as of today).
On my Radius server this is what I get:
If I use WZC I get this in the authentication:
Security ID: DOMAIN\R61WXP$ (this is my computer name)
Account name: host/R61WXP.domain.local
Account Domain: DOMAIN
FQDN: DOMAIN\R61WXP$
When I use Access Connections:
Security ID: DOMAIN\Guest
Account name:
Account Domain: DOMAIN
FQDN: DOMAIN\Guest
My Access connection profile is set this way:
IEEE802.1x => Authenticate as Computer when the information is available.
I hope someone can help !
Thanks!
Hi,
try to disable the IEEE802.1x => Authenticate as Computer when the information is available.
Also make sure that the profile connection is correctly configured in the AC profile settings.
This might be the root cause.
I can tell you that there must be something misconfigured, as this configuration will surely work.
Cheers -
Hi guys
I have installed a dot1x solution for a customer using ISE. The IP phones have certificates from the CUCM server. In ISE a wired dot1x policy with EAP-TLS enabled is configured so that when IP phones or PCs connect to the network they get authenticated using EAP-TLS. I have the required certificates imported on the PCs and the ISE server. That part works absolutely fine.
Now I have been asked to configure EAP-PEAP for video endpoints which don't support EAP-TLS.
The endpoints are configured with a username and password. The credentials are created in the ISE server.
I created a second policy for wired dot1x with EAP-PEAP enabled.
The problem I am hitting is that if the PC and phone policy is on top, the phone and PC get authenticated, but the video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
When I move the video endpoint authentication rule above the PCs and phones, the video endpoints get authenticated successfully, but PC and phone authentication breaks. The error message I receive says username and password expected but received a certificate based authentication.
Has anyone seen this type of scenario? Any idea how to make EAP-PEAP and EAP-TLS authentication work together?
Thanks in advance.
Sent from Cisco Technical Support iPad App
Hi,
There are two ways you can tackle this with ISE; I will start with the easiest one and then the other one to cover your options.
You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications; keep in mind that you can only map one Certificate Authentication Profile when using identity store sequences. More information about configuring this is provided below:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
Thanks,
Tarik Admani
*Please rate helpful posts*
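Added example, not ISE code or anything from the thread: a first-match simulation of the authentication policy problem above. It reproduces the rule-order failure (two rules that both match every wired 802.1X request, each pointing at a store that can handle only one credential type) and the two fixes the answer describes: routing by a User-Name pattern, or a single rule using an identity source sequence. Usernames, the regex and store names are constructed assumptions.

```python
import re

# Constructed requests as seen after EAP negotiation; PEAP carries no client cert.
REQUESTS = [
    {"user": "host/pc01.example.local", "eap": "EAP-TLS"},   # domain PC, machine cert
    {"user": "SEP001122334455", "eap": "EAP-TLS"},           # IP phone, CUCM-issued cert
    {"user": "video-ep-01", "eap": "EAP-PEAP"},              # video endpoint, internal user
]

# Identity stores and the credential kinds each can validate. The sequence entry
# models an identity source sequence: ISE picks a member store matching the request.
STORES = {
    "CertProfile": {"certificate"},
    "InternalUsers": {"password"},
    "Sequence_Cert_Internal": {"certificate", "password"},
}


def credential_kind(req):
    return "certificate" if req["eap"] == "EAP-TLS" else "password"


def evaluate(policy, req):
    """Evaluate rules top-down, first match wins (ISE authentication policy semantics).
    Each rule is (name, user_name_regex or None, identity_store)."""
    kind = credential_kind(req)
    for name, pattern, store in policy:
        if pattern is not None and not re.match(pattern, req["user"]):
            continue
        if kind in STORES[store]:
            return (name, store, "OK")
        # Mirror the two ISE errors quoted in the thread.
        if kind == "password":
            return (name, store, "certificate expected but received credentials")
        return (name, store, "username and password expected but received certificate")
    return (None, None, "no rule matched")


# Broken: both rules match every wired 802.1X request, so order alone decides.
BROKEN_POLICY = [
    ("PC_and_Phones", None, "CertProfile"),
    ("Video_Endpoints", None, "InternalUsers"),
]

# Fix 1: a User-Name pattern for the video endpoints first, everything else falls through.
PATTERN_POLICY = [
    ("Video_Endpoints", r"^video-ep-\d+$", "InternalUsers"),
    ("PC_and_Phones", None, "CertProfile"),
]

# Fix 2: one rule whose identity source is a sequence of the cert profile and internal users.
SEQUENCE_POLICY = [
    ("Wired_Dot1X", None, "Sequence_Cert_Internal"),
]


def run(policy):
    """Outcome per request, in REQUESTS order."""
    return [evaluate(policy, r)[2] for r in REQUESTS]


if __name__ == "__main__":
    for label, pol in [("broken", BROKEN_POLICY), ("pattern", PATTERN_POLICY),
                       ("sequence", SEQUENCE_POLICY)]:
        print(label, run(pol))
```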