PEAP and IAS

Hey everyone,
I have done a fair bit of reading into PEAP, IAS, 802.11x and so on.
This is the part I am confused with - I wish to have multiple VLANs, one for each of the year groups. Can I force VLAN assignments using IAS / PEAP authentication using the same SSID? Or do I need one SSID per VLAN?
Last question - for each switchport an AP connects to, does the port need to be configured as a trunk?
Any help would be appreciated.
Cheers,
Mark

Mark -
These will help you:
Dynamic VLANs
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
AP VLAN Groups
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
You will only need a trunk for your AP if you are running H-REAP.

Similar Messages

  • Wired PC's with PEAP and RADIUS - how to join to a domain?

    I realize this seems like a 'chicken vs. egg' question, but I'm wondering if there is an answer.
    We're in the process of implementing RADIUS authentication using PEAP and IAS on our network.
    (Server 2003, WinXP Pro, and Cisco hardware)
    My test network is working well, however the one glitch that we've come across is joining new PCs to the domain. Because the switch will not authenticate the machine or the user, we can't get access to join the machine to the domain controller.
    Is there a simple workaround for this, or do we have to disable AAA on the switch temporarily every time we want to join/rejoin a machine?
    Thanks in advance!
    Rob

    If you are running 802.1x on your switches for wired users, then you either need to stage the machines first, by having them join the domain and then pushing out the appropriate certificates to the machine, or you can have ports that don't have 802.1x configured to get this working.

  • 1200 AP and IAS authentication

    I am just trying to verify that a Cisco access point will not allow windows clients to authenticate to a Microsoft IAS server without using a certificate. It looks as if you have two choices PEAP and SmartCard/Digital Certificate and that is it, am I correct?

    The AP itself doesn't actually care about the protocols - it approves the authentication based on the instructions of the radius server, in your case IAS. You are correct, in that when using IAS and the built-in supplicant on windows your only choices are essentially EAP-TLS and EAP-PEAP.
    Since the 802.1x authentication itself isn't encrypted or protected, it's up to the EAP protocols to build credential and privacy protections into their authentication method - the easiest way to do this is with certificate-based methods.
    - mike

  • EAP with Windows 2000 client and IAS server

    Several messages on this site point to people using EAP on a Windows 2000 client and authenticating against an IAS server. I am running an Aironet 350 AP and trying to set up my Windows 2000 clients to use EAP only and authenticate against a Windows 2000 AD forest via IAS. The access point and client are on the latest firmware and drivers (12.0 for AP). I have two basic questions.
    1. It is my understanding that by enabling Network-EAP as the only authentication type, users will authenticate and then dynamic WEP keys will be used, greatly reducing the risks of compromised WEP keys while at the same time keeping the data encrypted.
    2. Does anyone have a quick HOW-TO or point-by-point list of how to configure the Windows 2000 client to authenticate using the Network-EAP method? I am currently running into a situation where no matter what I configure on the client, the IAS server reports an error with "Reason: The authentication type is not supported on this system." I also noticed that the "Authentication-Type" and "EAP-Type" fields shown in the IAS messages in the Windows 2000 Event Viewer log have the value "<undetermined>". Has anyone else run into this?

    I'm having a similar problem. I'm trying to do PEAP and it appears that IAS is not handling the request properly. It keeps trying to log the user PEAP-##### in instead of setting up the TLS and then asking for Username, Pass, Domain. The IAS error message I'm getting is:
    User PEAP-00097CFCD901 was denied access.
    Fully-Qualified-User-Name = APPLY\PEAP-00097CFCD901
    NAS-IP-Address = 172.16.200.31
    NAS-Identifier = AP1
    Called-Station-Identifier = 004096570d87
    Calling-Station-Identifier = 00097cfcd901
    Client-Friendly-Name = WirelessAP
    Client-IP-Address = 172.16.200.31
    NAS-Port-Type = 19
    NAS-Port = 37
    Policy-Name =
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 8
    Reason = The specified user does not exist.
    So if anybody has the needed settings for Win2k (SP3 and 802.1x patch) IAS it would be much appreciated.
    Ben
    Note: if I had PEAP-####### as a user in Win2k I get:
    User PEAP-00097CFCD901 was denied access.
    Fully-Qualified-User-Name = apply.org/Users/PEAP TEST
    NAS-IP-Address = 172.16.200.31
    NAS-Identifier = AP1
    Called-Station-Identifier = 004096570d87
    Calling-Station-Identifier = 00097cfcd901
    Client-Friendly-Name = WirelessAP
    Client-IP-Address = 172.16.200.31
    NAS-Port-Type = 19
    NAS-Port = 37
    Policy-Name = Wireless Policy
    Authentication-Type = EAP
    EAP-Type =
    Reason-Code = 16
    Reason = There was an authentication failure because of an unknown user name or a bad password.

  • Problems authentication with PEAP WLC IAS Windows 2k3

    Hi all
    I have configured a WLC (6.0.182.0 model 2100) with PEAP authentication against IAS and an AD on Microsoft Windows 2003. I have been reading in the documentation "PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)" that in the installation process of Active Directory you must select the option "Permissions compatible with pre-Windows 2000 server operating systems". In my scenario the other option was chosen, "Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems".
    I have tested this scenario and it does not work.
    Is there some configuration in the WLC so that it can work without having to reinstall the AD?
    Thanks

    For the most part the WLC doesn't care about what type of authentication is being used. It really is just proxying the requests between the client and Radius server.
    I would make sure your EAP timers are extended with the commands:
    config advanced eap identity-request-timeout 10
    config advanced eap request-timeout 10

  • Having a problem with PEAP and Cisco 2960 Switch

    Hi All,
    I am attempting to use PEAP with an LDAP backend on FreeRadius with the MS Supplicant. I have it all working; in debug on the Radius server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs. If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2, but peap-mschapv2 does not switch the port to the right VLAN. Is there something extra on the switch I need to do to allow PEAP, or is there something on the FreeRadius?
    The only difference between the PEAP and EAP versions that I can tell is that PEAP authenticates and the information is sent once (according to the debug on the Radius server), whereas with EAP the connection information is sent several times, that is I will see the Tunnel and Medium info sent more than once in the Radius log for just one login.
    Any ideas?

    Thought I mentioned the client in the first post; I am using 3 different types of clients with a goal of getting the MS client to work. I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client. I mentioned EAP-MSChapV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2. I did not release logs from the Radius server because it seems to be centered on something with the switch changing VLANs, but if you want output I can give that.
    CSSC Client pops out:
    14:25:08.453  Network Connection requested from user  context.
    14:25:08.468  Connection authentication started using the logged in  user's credentials.
    14:25:08.468  Port state transition to  AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
    14:25:08.796  Port state  transition to  AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
    14:25:09.828   Port state transition to  AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
    14:25:09.843   Identity has been requested from the network.
    14:25:09.875  Identity has been  sent to the network.
    14:25:09.890  Authentication started using method type  EAP-PEAP, level 0
    14:25:09.890  The server has requested using authentication  type: EAP-PEAP
    14:25:09.890  The client has requested using authentication  type:  EAP-PEAP
    14:25:09.968  Profile does not require server  validation.
    14:25:10.031  Identity has been requested from the  network.
    14:25:10.031  Identity has been sent to the  network.
    14:25:10.046  Authentication started using method type  EAP-MSCHAP-V2, level 1
    14:25:10.046  The server has requested using  authentication type: EAP-MSCHAP-V2
    14:25:10.046  The client has requested  using authentication type:  EAP-MSCHAP-V2
    14:25:10.078  Port state transition  to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
    14:25:10.078  The  authentication process has succeeded.
    *************************Radius Output for PEAP:**************************
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.7 seconds.
    Waking up in 0.7 seconds.
    Waking up in 0.1 seconds.
    Waking up in 3.7 seconds.
    Waking up in 0.1 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for anonymous
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: object not found or got ambiguous search result
    [ldap] search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Waking up in 0.8 seconds.
    Waking up in 0.8 seconds.
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    Waking up in 0.7 seconds.
    Waking up in 3.7 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    **************************Radius Output for EAP******************************
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.7 seconds.
    Waking up in 0.7 seconds.
    Waking up in 0.1 seconds.
    Waking up in 3.7 seconds.
    Waking up in 0.1 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    Waking up in 3.9 seconds.
    Ready to process requests.
    Hope that Helps.
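One way to check a FreeRADIUS debug trace like the one above for a complete dynamic-VLAN reply, as an added example (not code from the thread or from FreeRADIUS itself). The sample traces are constructed to mirror the lines posted above, and the same three tunnel attributes are what the first question (one SSID, one VLAN per year group) relies on, so the check applies there too.

```python
"""Check a FreeRADIUS debug trace for a complete dynamic-VLAN reply.

For a switch port or WLAN to be moved into a VLAN by RADIUS, the
Access-Accept must carry all three tunnel attributes, sharing one tag
(RFC 2868 / RFC 3580):
    Tunnel-Type             = VLAN
    Tunnel-Medium-Type      = IEEE-802
    Tunnel-Private-Group-Id = <VLAN id or name>
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# rlm_ldap reply-item lines, e.g.
#   rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
# Check items use "==" and are deliberately not matched (" = " fails on "==").
REPLY_RE = re.compile(
    r'rlm_ldap: \S+ -> (?P<attr>Tunnel-[A-Za-z-]+):(?P<tag>\d+) = (?P<val>"[^"]*"|\S+)'
)
AUTHZ_RE = re.compile(r"\[ldap\] performing user authorization for (?P<user>\S+)")

EXPECTED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
GROUP_ID = "Tunnel-Private-Group-Id"


@dataclass
class AuthzPass:
    """One '[ldap] performing user authorization' round in the trace."""
    user: str
    reply: dict = field(default_factory=dict)  # (attribute, tag) -> value
    search_failed: bool = False

    def vlan_verdict(self) -> tuple[Optional[str], list[str]]:
        """Return (vlan, problems); vlan is None unless the reply is complete."""
        problems: list[str] = []
        if self.search_failed:
            problems.append("LDAP search failed, no reply items at all")
            return None, problems
        tags = {tag for (_, tag) in self.reply}
        if not tags:
            problems.append("no Tunnel-* reply items")
        # All three attributes must be present under the same tag.
        for tag in sorted(tags):
            missing = [a for a in (*EXPECTED, GROUP_ID) if (a, tag) not in self.reply]
            if missing:
                problems.append(f"tag {tag}: missing {', '.join(missing)}")
                continue
            bad = [a for a, want in EXPECTED.items() if self.reply[(a, tag)] != want]
            if bad:
                problems.append(f"tag {tag}: unexpected value for {', '.join(bad)}")
                continue
            return self.reply[(GROUP_ID, tag)].strip('"'), problems
        return None, problems


def parse_trace(text: str) -> list[AuthzPass]:
    """Split a debug trace into authorization passes and collect reply items."""
    passes: list[AuthzPass] = []
    for line in text.splitlines():
        line = line.strip()
        m = AUTHZ_RE.search(line)
        if m:
            passes.append(AuthzPass(user=m.group("user")))
            continue
        if not passes:
            continue
        if line == "[ldap] search failed":
            passes[-1].search_failed = True
            continue
        m = REPLY_RE.search(line)
        if m:
            passes[-1].reply[(m.group("attr"), m.group("tag"))] = m.group("val")
    return passes


def assigned_vlan(text: str) -> Optional[str]:
    """VLAN from the last pass with a complete reply, else None.

    With PEAP the first pass is the outer identity (often 'anonymous'), so its
    failed search is expected; the inner-identity pass must carry the VLAN.
    """
    vlan = None
    for p in parse_trace(text):
        v, _ = p.vlan_verdict()
        if v is not None:
            vlan = v
    return vlan


# Constructed sample modelled on the PEAP debug output in the post above.
SAMPLE_PEAP = """\
[ldap] performing user authorization for anonymous
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
[ldap] performing user authorization for RadiusUser
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
"""

# Constructed failure case: the group id carries a different tag than the rest.
SAMPLE_TAG_MISMATCH = """\
[ldap] performing user authorization for RadiusUser
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:1 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
"""

if __name__ == "__main__":
    for name, trace in (("peap", SAMPLE_PEAP), ("tag-mismatch", SAMPLE_TAG_MISMATCH)):
        for p in parse_trace(trace):
            print(name, p.user, p.vlan_verdict())
```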

  • EAP-TLS Win2003 CA and IAS...not checking CRL?

    Hi
    I've got EAP-TLS setup and working using Win2003 CA and IAS as the RADIUS backend. I've issued certs to my wireless users, and now I want to revoke a certificate, so in the CA, I revoke the cert and then under Revoked Certs I click on publish...yet the user can still authenticate and communicate. How can I configure the IAS to check the CRL? Thanks

    Hi,
    I'm battling to set up EAP-TLS with AP1200, Windows AD 2003 and IAS. Are there any funny tricks in setting up EAP-TLS with IAS?
    On the AP1200 I keep getting AAA unsupported.
    regds
    Johnny

  • Quick Q on PEAP and 5508

    Hi Team,
    I configured user "Bill" under the Local User database with a Local EAP profile with PEAP and EAP-TLS. At this stage I do not have a Radius server, but
    my understanding is that I should be able to authenticate using Bill's credentials from the Windows XP box. Wireshark capture indicates that EAP does not even complete stage 1. The last message is an EAP Response from the Windows XP to the 1252, and the whole process (EAPOL Start, Request, Response) keeps repeating itself without getting a response from the WLC. Could someone confirm whether I could test 802.1X using this method?
    The other odd thing is that I have to use a Novell client which talks to the Windows XP built-in supplicant via PEAP/MSCHAPv2. The environment I'm in does not have vanilla XP boxes.
    Any help is much appreciated.
    cheers,
    Janesh

    Hi Janesh,
    What is the version you are running on the WLC? The reason I asked this question is that through version 4.1, PEAP is not supported locally on the WLC. You need an external RADIUS server. With WLC version 4.2 and later versions, local EAP supports PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication.
    Please follow the configuration guide in order to configure local EAP authentication:
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    thanks,
    Vinay

  • EAP-PEAP and EAP-TLS on same switched network

    Hello,
    I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are historical, i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will be there.
    The AAA server is a Cisco ACS (4.2 or 5.1 - don't know yet).
    I've not tested this or so, but I don't think this will be an issue... because from a switch point of view, it is just passing EAP traffic to the Radius, and so the required services need to be made available on the Radius server. Is that a correct assumption?
    Thanks,
    Guy

    You are right Guy, the switch just acts as an intermediary device. It just passes EAPOL packets between the ACS server and the client, and waits till the ACS server authenticates the client (internal DB, or external DB = AD, LDAP). You just need to enable EAP-TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Lastly, make sure that your certificates on both sides are valid and signed by the CA.
    Good Luck,
    --Jean Paul

  • I want to run PEAP and LEAP at the same time...

    I have an environment where I have 25 laptops connected to my wireless network using PEAP and TKIP over an XP wireless client with a certificate. I also just purchased 25 iPAQs with built-in wireless, and they have the ability to do LEAP or PEAP. I am having issues getting the certificate to take up residence on the iPAQs, so I thought I could do LEAP instead. What are the caveats of running both protocols at the same time, and what configuration issues will I run into with this on the iPAQs?
    I tried to set up LEAP yesterday without success, basically because I don't know what step I am leaving out. Maybe it's TKIP that is causing the problem, I don't know.
    Any help would be greatly appreciated.
    David Beaver

    The access point doesn't know or care which EAP flavor you're using; LEAP vs PEAP is configured on the client, and you have to specify on your server which flavor(s) you'll allow.
    Supporting both PEAP and LEAP is inelegant, though, and exposes some of your clients to the dictionary attacks LEAP is subject to. You'd be better served by getting PEAP working correctly on your iPaqs.
    You don't need client-side certificates for PEAP, and you don't need to put the server certificate on the iPaq unless you're self-signing. If you are, and the problem is that the iPaq isn't accepting your root cert, then the problem may be that it's not in a format the iPaq recognizes. Try importing the root cert into IE and then re-exporting it in DER format, then see if the iPaq will take that.
    Also make sure that your PDAs are flashed with the latest OS and firmware patches. I've got PEAP working just fine on my HP 5500, but it did take a little tweaking to get it there.

  • PEAP and Passwords Wireless Question

    Hello, our company uses Microsoft PEAP and password authentication for wireless with our own root CA. For PCs the root certificate is distributed to clients automatically by Windows AD. For other devices we usually have to manually install it - for security it should be done out of band, I believe. We have found that our iPhone users have been able to connect, and somehow the phone finds the root certificate and all they have to do is click on it and it connects! Can someone please tell me how it is doing this! Thanks, Alan.

    Muhammed,
    Thanks for the link. Unfortunately it doesn't pertain to the issue I am having and is more with the layout and simple authentication pieces. I am not sure my issue is actually with the ISE appliance and not more of an issue with the phone not accepting the certificate chain of the ISE server. Authentication works just fine if I don't validate the server certificate. If I try to validate the server certificate the phone rejects the ISE cert even though the root CA is loaded on the phone. But it appears the phone isn't taking the entire certificate chain as I am unable to load one of the intermediate CA's certificate into the phone. Opening a TAC case to see if they can assist or explain why the phone won't take the entire certificate chain.

  • ACS v4.1 PEAP and MAC Address Validation

    I would like to authenticate to a ACS server via both 802.1x (PEAP) and to also validate the MAC Address of the user. Can both of these be done? I have 802.1x (PEAP) working to the ACS and Active Directory but now I would like to add the MAC Address of the laptops. Can I use Network Access Profiles and add the MAC-address under MAC-Authentication bypass?
    Your assistance is appreciated.

    I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
    I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
    What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
    Appreciate your help.

  • Other LEAP upgrade options besides PEAP and EAP-FAST?

    Currently I'm using LEAP for authentication on my APs at roughly 200 remote locations, with about 6 APs per site. These are performing local Radius authentication on the APs themselves. We are using non-dictionary passwords, so I'm not too worried about an ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
    Here's the problem... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, or are they superior to my current LEAP setup?

    A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
    TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
    Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
    You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
    If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
    There are a couple of approaches depending on your specific environment. Without a CA and a RADIUS server that supports certificates (I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're likely to get.
    Good Luck
    Scott

  • Why is it that directory server and IAS will not install through a remote Terminal Services session??


    Hi,
    I think this can be done in Unix, using telnet; you may log into the system and install it.
    Regards
    Raj
    Mozkill Williams wrote:
    why is it that directory server and IAS will not install through a remote Terminal Services session??

  • No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?

    Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router?  I am replacing with an Asus router.
    thanks,
    KG

    Hi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.
