PEAP Authentication before Login

Similar Messages

• ISE 1.2 and Posture Report Before Login

  Hi everyone,
  Is it possible for the ISE 1.2 NAC/Posture agent to submit a posture report before user login on a Windows desktop system?
  We're trialling ISE 1.2, performing machine based authentication using EAP-TLS/Certificates. On top of this we are also using the posture agent and do not grant access until a 'compliant' posture report is received.
  Currently when a desktop powers up the posture status is 'pending' and this does not change until the user logs in, the NAC agent submits a successful posture report. This can take quite a few minutes leaving the user in a state of limbo where they have logged in to the computer but they must wait for the posture report.
  I see the NacAgent service runs as system, but the NACAgentUI.exe does not and only starts with the user logs in.
  Thanks,
  Mark

  That is correct, the nac agent is unaware of what policies exist in your ISE design. It's sole purpose is to start when the services allow it to do so and then send the information about the services and AV information it can gather so ISE can make a decision on whether the client is compliant or not compliant, it can then take direction on how to remeidate the client when it fails. There is nothing you can configure from ISE that will allow you to run the nac agent before user login.
  In the end when the nac agent makes into the anyconnect secure mobility client you might have hope there since there are some start before login vpn features, but I do not see the nac agent adopting this any time soon. You should however still work with your Cisco Account team on doing some research with the BU on your behalf, this could benefit alot of nac customers.
  thanks,
  Tarik Admani
  *Please rate helpful posts*

• PEAP authentication problems

  Hi,
  I configured a Cisco AP 1200 IOS with PEAP.
  Hereby the AP Config:
  aaa new-model
  aaa group server radius rad_eap
  server 192.168.4.58 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login eap_methods group rad_eap
  aaa authorization exec default local
  aaa authorization ipmobile default group rad_pmip
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  dot11 arp-cache optional
  bridge irb
  interface Dot11Radio0
  no ip address
  no ip route-cache
  encryption vlan 184 key 1 size 128bit 7 xxxx transmit-key
  encryption vlan 184 mode wep mandatory mic key-hash
  encryption key 1 size 128bit 7 xxxxx transmit-key
  encryption mode wep mandatory
  broadcast-key vlan 184 change 3600
  ssid test
  vlan 184
  authentication open eap eap_methods
  authentication network-eap eap_methods
  world-mode
  speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
  rts threshold 2312
  station-role root
  dot1x reauth-period 1800
  dot1x client-timeout 1800
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Dot11Radio0.184
  encapsulation dot1Q 184
  no ip route-cache
  bridge-group 184
  bridge-group 184 subscriber-loop-control
  bridge-group 184 block-unknown-source
  no bridge-group 184 source-learning
  no bridge-group 184 unicast-flooding
  bridge-group 184 spanning-disabled
  interface FastEthernet0
  no ip address
  ip accounting output-packets
  no ip route-cache
  speed 100
  full-duplex
  interface FastEthernet0.3
  encapsulation dot1Q 3 native
  no ip route-cache
  bridge-group 1
  no bridge-group 1 source-learning
  bridge-group 1 spanning-disabled
  interface FastEthernet0.184
  encapsulation dot1Q 184
  no ip route-cache
  bridge-group 184
  no bridge-group 184 source-learning
  bridge-group 184 spanning-disabled
  interface BVI1
  ip address 192.168.4.98 255.255.254.0
  ip accounting output-packets
  no ip route-cache
  ip default-gateway 192.168.4.3
  ip http server
  ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
  ip radius source-interface BVI1
  radius-server local
  radius-server host 192.168.4.58 auth-port 1645 acct-port xxxx key xxx
  radius-server timeout 120
  radius-server deadtime 1200
  radius-server domain-stripping
  radius-server attribute 32 include-in-access-req format %h
  radius-server authorization permit missing Service-Type
  radius-server vsa send accounting
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 184 protocol ieee
  W're using a Cisco Wireless client adaptor with the latest ACU version fully installed and configured my client for PEAP. I also configured the Windows XP network settings appropriately.
  The RADIUS we are using is a Cisco ACS 3.2.1. We used a Microsoft certificate for the server that we issued ourselves.
  Without configuring security, the client can associate with the AP, but when we enable PEAP and I open the ACU status screan, the client associates with the AP, but canot authenticate successfully. Status hangs on 'autenticating'. I don't see any traffic to the RADIUS server.
  Who can help us?
  Thanks in advance!

  I just opened a TAC case on this one whereby I have already installed the latest client, made sure PEAP is installed, had the latest WAP image, network security setup on the ACU as per the documentation to select the "host base EAP(802.1x) and select dynamic wep, then turned on debug options on the WAP to see the communication between the client and the WAP:
  debug radius authentication
  debug dot11 aaa dot1x process
  debug dot11 aaa dot1x state-machine
  Guess what... there is no communication between the client and the wap for authentication. You can see association and even get an ip address from dhcp but...
  The advise as per the TAC engineer is to put in a Static WEP key for now and you should get the communication going. They have already noticed this on some calls and have not seen a bug case # assigned to it. They will be working a fix on the next release. Once you do that you should see the Raduis and 802.1x communication going on.
  After doing this I can then concentrate on why I am not getting PEAP authenticated on our Funk Radius EE Server v4.7.
  The other thing...remove the "authentication network-eap eap_methods" when you are doing PEAP. You enable that for LEAP so you have to create a different vlan for that.
  I use 1812/1813 for the radius server.
  :-) Ed

• EAP-TLS or PEAP authentication failed during SSL handshake

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected] = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my  attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
  My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
  Let's brain storm together to figure out this guys.
  Thanks in advance,
  ----Paul

• Strip domain name in PEAP Authentication

  Is there ny chance to strip domain name (domain\username) in PEAP Authentication?

  We need to configured the proxy distribution to strip the domain name from the username
  before checking the database. Lets say Our domain name is SERVNET. We need to have
  configured Character String "SERVNET\ " , Position "Prefix" , Strip "Yes " Forward to
  local server. When the users authenticate via 802.1x (PEAP), the domain name is stripped
  from the username.
  Also please checkout this bug CSCeg01533 before you try it.
  Regards,
  ~JG
  Do rate helpful posts

• Open Directory: user authentication and logining takes a lot of time

  We have Mac OS X Server Snow Leopard 10.6.8 with OpenDirectory and some iMacs with Mac OS X Snow Leopard 10.6.8. After adding Network Account Server in iMacs (System Preferences->Accounts->Login Options->Network Account Server Edit) OD works normally and users authenticate and login their accounts rather fast (5-10 seconds). But some days or weeks later the time for authentication and logining takes for about 5 minutes. If I re-add Network Account Server, then all works greatly again. What's the matter? How to avoid this re-adding?

  Hello,
  can you tell us what is the size of this Universe in terms of:
  number of tables, number of objects, size of the .unv file?
  Also, is this behaviour specific to this universe or you have other universes having the same problem?
  Last, are you 'opening it' as in File/Open or importing it as in 'File/Import...' ?
  Thanks
  PPaolo

• EAP-TLS & ACE Appliance "EAP-TLS or PEAP authentication failed"

  Hello - I have a version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate install properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find in on the ACS Appliance.
  Does anyone have any ideas how to troubleshoot this problem with the appliance?

  If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
  AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
  SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml

• EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake

  Hi All ,
               I am trying to test EAP_TLS authentication on acs 4.2.1.15 running on Appliance 1120 , I have installed my server certficate along with CA certficate on my appliance box , I have enabled features of  EAP_TLS under golbal authentication setup .
               I have downloaded client supplicant certficate file for my windows XP machine .
  When i tried to authenticated i am finding following error message under  failed attempts(EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my acs appliance box .
  Under certficate revocation list , I have forced my CA as CRL in use . Attached snap shot of all .
  Suggest me whether i need to enable all corresponding CA certficate undercertficate trust list , Kindly let me know were i am doing wrong on this ..

  Hello,
  I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
  Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
  -          Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification                      Authorities\Certificates
  -          Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
  -          Delete the wireless network from the computer
  -          REBOOT!!
  -          Open the Microsoft Management Console, “mmc”.
  -          Go FILE\Add Remove SnapIn. Select Certificates ..
  -          If promoted, do it for “My User Account”.
  -          Make sure the certificates are where you put them. 
  -          If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification                      Authorities\Certificates, remove them.
  -          Redo wireless network setup again
  I hope this helps you.
  Mike

• EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve

  We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
  experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
  We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
  Thanks..

  Here are some configs you can try:
  config advanced eap identity-request-timeout 120
  config advanced eap identity-request-retries 20
  config advanced eap request-timeout 120
  config advanced eap request-retries 20
  save config

• EAP-TLS or PEAP authentication failed during SSL handshake error

  I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
  The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
  Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
  Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
  Thanks for the help

  My experience suggests that the problem is the certificate.
  I'm running ACS 3.3.
  I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
  Correctly following the instructions led to a successful connection and no more error message.

• Peap authentication issue

  I have some problems with peap authentication. Here debug of my AP:
  Mar 13 09:50:39 10.15.1.14 2370: *Mar 1 19:24:18.889: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
  Mar 13 09:50:39 10.15.1.14 2371: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
  Mar 13 09:50:39 10.15.1.14 2372: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Client 001a.73ff.a214 timer started for 30 seconds
  Mar 13 09:51:03 10.15.1.14 2373: *Mar 1 19:24:43.549: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
  Mar 13 09:51:03 10.15.1.14 2374: *Mar 1 19:24:43.549: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 001a.73ff.a214
  Mar 13 09:51:03 10.15.1.14 2375: *Mar 1 19:24:43.549: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
  Mar 13 09:51:03 10.15.1.14 2376: *Mar 1 19:24:43.550: dot11_auth_dot1x_send_id_req_to_client: Client 001a.73ff.a214 timer started for 30 seconds
  Mar 13 09:51:03 10.15.1.14 2377: *Mar 1 19:24:43.554: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
  Mar 13 09:51:03 10.15.1.14 2378: *Mar 1 19:24:43.554: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 001a.73ff.a214
  Mar 13 09:51:04 10.15.1.14 2379: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Sending client 001a.73ff.a214 data to server
  Mar 13 09:51:04 10.15.1.14 2380: *Mar 1 19:24:43.554: AAA/AUTHEN/PPP (00000159): Pick method list 'eap_methods'
  Mar 13 09:51:04 10.15.1.14 2381: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
  Mar 13 09:51:25 10.15.1.14 2382: *Mar 1 19:25:05.371: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
  Mar 13 09:51:25 10.15.1.14 2383: *Mar 1 19:25:05.371: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
  Mar 13 09:51:25 10.15.1.14 2384: *Mar 1 19:25:05.372: Client 001a.73ff.a214 failed: EAP reason 1
  Mar 13 09:51:25 10.15.1.14 2385: *Mar 1 19:25:05.372: dot11_auth_dot1x_parse_aaa_resp: Failed client 001a.73ff.a214 with aaa_req_status_detail 1
  Mar 13 09:51:25 10.15.1.14 2386: *Mar 1 19:25:05.372: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 001a.73ff.a214
  Mar 13 09:51:25 10.15.1.14 2387: *Mar 1 19:25:05.372: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 001a.73ff.a214
  Mar 13 09:51:25 10.15.1.14 2388: *Mar 1 19:25:05.373: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
  Mar 13 09:51:26 10.15.1.14 2389: *Mar 1 19:25:05.373: dot11_auth_dot1x_send_client_fail: Authentication failed for 001a.73ff.a214
  Mar 13 09:51:26 10.15.1.14 2390: *Mar 1 19:25:05.373: %DOT11-7-AUTH_FAILED: Station 001a.73ff.a214 Authentication failed
  Mar 13 09:51:27 10.15.1.14 2391: *Mar 1 19:25:06.611: AAA/BIND(0000015A): Bind i/f
  In IAS log I can find requests and and access is permitted.
  What is the problem?
  Thank you for your help!

  Answering partially your second question, 'Authenticate as Computer when Computer Information Available' is required to enable machine authentication and the same has to be enabled on the ACS server also.

• How to use Any connect before login windows?

  Dear All,
  Right now i have issue on Any connect VPN, all my clinet join Domain and i want connect any connect VPN before login windows. i mean that all user and password veryfy from DC. Is any connect VPN can do connect before windows loggin?
  Best Regards,
  Rechard

  http://www.google.co.uk/search?q=cisco+anyconnect+start+before+logon&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809f0d75.shtml
  http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect22/administration/guide/22admin4.html
  HTH>

• Whats the difference  between Authentication and Login check up ?

  whats the difference between Authentication and Login check up ?

  Authentification is a more generic term. It's generally applicable to any situation where you check that information comes from where it claims to come from.
  Login is just one form of authentification.

• Airport Extreme: PEAP authentication failure when NAT is enabled

  Setup: Airport Extreme firmware 5.6, Windows Admin Utility 5.2
  Airport's WAN port connected to an internal network with Windows 2003 IAS RADIUS server; Airport's LAN port disconnected.
  Windows XP client (using Microsoft zero-configuration client)
  client and server set up to use PEAP authentication
  If I set up the Airport in bridge mode (uncheck the "Distribute IP Addresses" box in the Network setup tab), the client can authenticate correctly and can obtain an IP address from a DHCP server on my internal network.
  If I check the "Distribute IP Addresses" box, select "Share a single address with DHCP & NAT" and the 192.168.1.1/24 address range, the client can no longer authenticate. I haven't changed anything else on either the Airport or the RADIUS server.
  Network traces taken on the wired (WAN) and wireless side of the Airport show that the first few exchanges of the EAP handshake go through fine, but the server's reply to the client's "TLS Hello" message are being blocked by the Airport. Up to that point, I don't see any significant difference between the exchanges with NAT enabled or disabled; it's just that the Airport passes the server's message to the client correctly when NAT is off and blocks it when NAT is on.
  Airport Extreme   Windows XP  

  My mistake - posted to the wrong forum! I've restarted the thread on the Airport Extreme forum.

• Change TrackPad(Click= Tab) before login

  Hi all,
  Is it possible to change trackpad behaviour before login into my account?
  Currently the trackpad is set to "Click" but I want it set to "Tap" before logon.
  Once I'm logged on it is working ok so it's basically only setup for my user account via (System Preferences>Trackpad>Point&Click)
  I've searched this discussion forum but only found not properly working trackpads, I have no issues with my trackpad.
  OS X Version 10.9.4
  MacBook Pro Retina, 13-inch, late 2013

  “Tap to Click is a user specific preference, just like your Desktop picture or Screensaver. If you log out of your account, you won't be able to tap to click at the logout screen. In addition, when you start up to the Install DVD or Apple Hardware Test, the Tap to Click feature won't be available.”
  http://support.apple.com/kb/HT4331