PEAP + EAP-MD5

I've read that with ACS 3.1 the only EAP type supported with PEAP is GTC.
Why is it not possible to use EAP-MD5 or EAP-TLS with PEAP? These EAP types were already supported in ACS 3.0...
Thanks for your time.

As per my knowledge, PEAP also uses the TLS protocol to authenticate.
PEAP works in the following way: PEAP operates in two steps. The first step is server authentication and the second one is user authentication using a new EAP type.
PEAP uses TLS to authenticate the network infrastructure through the TLS Handshake protocol, to protect user credentials in transit by means of the TLS Record Protocol, and to generate cryptographic keying material using the TLS-defined pseudo-random function (PRF) functionality.
For information on this you can follow these URLs:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008010217f.html#4907
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080102179.html
http://www.cisco.com/warp/public/cc/pd/sqsw/sq/prodlit/acsq_qp.htm
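The TLS PRF step described in the reply above, as an added example that is not part of the original thread: it implements the TLS 1.2 PRF (P_SHA256, RFC 5246) and derives the EAP MSK/EMSK with the "client EAP encryption" label from RFC 5216, the EAP-TLS derivation that PEAPv0 reuses. The master secret and the client/server randoms are constructed values, not taken from a real handshake.

```python
import hmac
import hashlib


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA256 expansion (RFC 5246, section 5).

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def eap_tls_key_material(master_secret: bytes, client_random: bytes,
                         server_random: bytes) -> dict:
    """Derive MSK/EMSK as in RFC 5216 section 2.3 (PEAPv0 uses the same label).

    Key_Material = PRF(master_secret, "client EAP encryption",
                       client.random || server.random), 128 octets.
    MSK = octets 0..63, EMSK = octets 64..127. The RADIUS server hands the
    MSK halves to the NAS as MS-MPPE-Recv-Key (0..31) and MS-MPPE-Send-Key (32..63).
    """
    key_material = tls12_prf(master_secret, b"client EAP encryption",
                             client_random + server_random, 128)
    msk, emsk = key_material[:64], key_material[64:]
    return {
        "msk": msk,
        "emsk": emsk,
        "mppe_recv_key": msk[:32],
        "mppe_send_key": msk[32:],
    }


if __name__ == "__main__":
    # Constructed demo values; a real TLS handshake negotiates these.
    master = bytes(range(48))
    crandom = b"\x11" * 32
    srandom = b"\x22" * 32
    keys = eap_tls_key_material(master, crandom, srandom)
    for name, value in keys.items():
        print(f"{name:14} {value.hex()}")
```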

Similar Messages

  • Authentication with EAP-MD5/PEAP/FAST

    Version: ISE 1.2p12
    Hello,
    I have trouble authenticating devices that use different protocols:
    - Cisco IP Phones: EAP-MD5
    - Windows machines: EAP-PEAP
    - Cisco APs: EAP-FAST
    1) I'm able to authenticate the IP Phones individually with an authentication rule:
    IP PHONES If Wired_802.1X allowed protocols EAP-MD5
    For EAP-MD5 I selected only EAP-MD5
    Now if I use a generic rule
    DEVICES If Wired_802.1X allowed protocols EAP-PEAP-FAST-MD5
    with EAP-PEAP-FAST-MD5 having EAP-PEAP, EAP-FAST, EAP-MD5 selected, it doesn't work
    ISE says that there's a protocol mismatch:
    "Failure Reason: 12121 Client didn't provide suitable ciphers for anonymous PAC-provisioning"
    ISE is trying to authenticate my phone with EAP-FAST while the Cisco phone is using EAP-MD5
    I read in another topic that some of you would consider MAB/Profiling for the APs and probably for the Cisco IP Phones. But I'm wondering if it's possible to have one authentication rule with allowed protocols EAP-PEAP-FAST-MD5
    2) Also, if I place the EAP-MD5 authentication rule higher and then have a rule for EAP-PEAP-FAST below it doesn't work because only the first rule is matched. I have configured the first rule with "If authentication fails = Continue"
    Do any of you have hints?

    I know the problem now. The WLC tries to connect with "anonymous bind" to the LDAP server. It works well with Win2000. With Win2003 it works only if you open up the security. See link: http://support.microsoft.com/kb/320528/en
    You don't have the possibility to configure any username/password for a secure LDAP query. It's something that is an absolute need for many customers.
    For the moment I will suggest the "workaround" with AP->WLC->Radius->LDAP
    Kind regards
    Alex

  • PEAP, EAP-TLS & EAP-MD5

    Hi
    Just want to know is there any known problems or issues having PEAP, EAP-TLS & EAP-MD5 enabled on ACS Radius servers for wireless authentication?

    Hello,
    There are no problems, except that you have to have a CA server for certificates for both ACS and wireless users.
    Regards,
    Belal

  • ISE 1.2 and EAP-MD5

    Hi,
    I have HP ProCurve switches that need to be authenticated with EAP-MD5, but I can't get it to work in ISE 1.2 with patch 2.
    We have tried all combinations for EAP-MD5 in allowed protocols but get the same message when trying to authenticate.
    The ISE deployment does not run in FIPS 140-2 mode.
    And when using the switch with NPS we get this to work, so switch configuration is ok.
    Failure Reason:  12003 Failed to negotiate EAP because EAP-MD5 not allowed in the Allowed Protocols
    Resolution: Ensure that the EAP-MD5 protocol is allowed by ISE in Allowed Protocols.
    Root cause :The client's supplicant sent an EAP-Response/NAK packet rejecting the previously-proposed EAP-based protocol, and requesting to use EAP-MD5 instead. However, EAP-MD5 is not allowed in Allowed Protocols.
    Any thoughts on this?
    Cheers

    Choose Policy > Policy Elements > Results > Authentication > Allowed Protocols
    Select EAP-MD5—Check the Allow EAP-MD5 check box and check Detect EAP-MD5 as Host Lookup check box.
    Save the Allowed Protocol service.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • PEAP EAP-MSCHAP v2

    Hi!
    Does anyone know if the router wrt320n or any other linksys router (wireless or wired) supports 802.1x authentication, particularly PEAP EAP-MSCHAP v2? I'm connected to a network that provides access to the internet via ethernet cable and 802.1x authentication. I'd like now to connect several devices to the network through a router, but I'm not sure if the wrt320n can log on to the network, because of the 802.1x authentication.
    Thanks!

    No. They don't support 802.1X authentication (neither supplicant nor authenticator). The WRT and all Linksys branded routers are consumer routers. 802.1X authentication is a business feature which you may find in Cisco Small Business or better devices.

  • ISE MAB Host Lookup - PAP or EAP-MD5

    In the docs, it says that MAB uses PAP/ASCII or EAP-MD5 to pass the MAC as username / password.
    In the attached setup, MAB is taking place successfully for an iPhone, without having PAP or EAP-MD5 enabled as Allowed Protocols.
    Does the "Host Lookup" under allowed protocols provide for the MAC address to be passed in PAP / EAP-MD5 even if these two protocols are not enabled below under the Authentication Protocols section of the configuration?
    How could we dictate to our switch to start using EAP-MD5 to pass the MAC? If you look at the attached authentication details output, it lists an EAP-Key in the AV Pair. Is that it?
    Thank you.
    Cath.

    Hello Cath-
    Question #1: Yes, I think you are correct. I believe that the "Host Lookup" is a type of "protocol" used to process the MAB. If you look at the top of the authentication session, what do you see under "Authentication Protocol?" My guess is that you see "Lookup" (see attached screen shot).
    Question #2: You can force the switch to use EAP-MD5 by appending "EAP" to the "MAB" command under the individual ports:
         interface fa0/1
         mab eap
    Things to consider:
         1) If you make that change, the default/built-in condition in ISE "Wired-MAB" will have to be changed since the service-type RADIUS attribute will change from "Call Check" to "Framed." Thus, your MAB devices can easily skip the MAB authentication rule and be denied on the network.
         2) Because the MAC address is sent in clear text in "Attribute 31" (Calling-Station-Id), MAB EAP does not offer any additional security by encrypting the MAC address in the password.
         3) Because the service type for MAB EAP is the same as an IEEE 802.1X request, the RADIUS server will not be able to easily differentiate MAB EAP requests from IEEE 802.1X requests.
    Here is a good document that you can reference as well:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html
    Hope this helps...
    Thank you for rating!
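To illustrate points 1 and 3 of the reply above (an added example, not code from the original post): a small classifier over RADIUS Access-Request attribute sets showing why a MAB condition keyed on Service-Type = Call Check stops matching once `mab eap` turns the request into a Framed request carrying EAP-Message, while comparing User-Name with Calling-Station-Id still identifies it as a MAC-based request. The attribute dictionaries are constructed samples; attribute names and numeric values follow RFC 2865, and the NAS-Port-Type check in the condition is an assumed detail.

```python
import re
from typing import Optional

# RADIUS attribute values from RFC 2865.
SERVICE_TYPE_FRAMED = 2        # what an 802.1X (EAP) request carries
SERVICE_TYPE_CALL_CHECK = 10   # what classic MAB carries
NAS_PORT_TYPE_ETHERNET = 15


def normalize_mac(value: str) -> Optional[str]:
    """Reduce aa:bb.., aa-bb.., aabb.ccdd.eeff or aabbccddeeff to 12 lowercase
    hex digits; None if the string is not a MAC address at all."""
    digits = re.sub(r"[-:.]", "", value.strip().lower())
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def classify(attrs: dict) -> str:
    """Label an Access-Request as mab, mab-eap, dot1x or other."""
    svc = attrs.get("Service-Type")
    user_mac = normalize_mac(attrs.get("User-Name", ""))
    calling_mac = normalize_mac(attrs.get("Calling-Station-Id", ""))
    # Attribute 31 carries the MAC in the clear, so hashing the same MAC into
    # an EAP-MD5 password ('mab eap') hides nothing that is not already visible.
    mac_as_user = user_mac is not None and user_mac == calling_mac
    has_eap = "EAP-Message" in attrs
    if svc == SERVICE_TYPE_CALL_CHECK and mac_as_user and not has_eap:
        return "mab"
    if svc == SERVICE_TYPE_FRAMED and has_eap:
        return "mab-eap" if mac_as_user else "dot1x"
    return "other"


def wired_mab_condition(attrs: dict) -> bool:
    """Service-Type-based MAB match, as the reply describes ISE's built-in
    Wired-MAB condition (NAS-Port-Type = Ethernet is an assumed extra check)."""
    return (attrs.get("Service-Type") == SERVICE_TYPE_CALL_CHECK
            and attrs.get("NAS-Port-Type") == NAS_PORT_TYPE_ETHERNET)


# Constructed sample requests, not captured traffic.
MAB_REQUEST = {
    "User-Name": "001a2b3c4d5e", "Calling-Station-Id": "00-1A-2B-3C-4D-5E",
    "Service-Type": SERVICE_TYPE_CALL_CHECK, "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET,
}
MAB_EAP_REQUEST = {
    "User-Name": "001a2b3c4d5e", "Calling-Station-Id": "00-1A-2B-3C-4D-5E",
    "Service-Type": SERVICE_TYPE_FRAMED, "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET,
    "EAP-Message": b"<constructed EAP-Response/MD5-Challenge>",
}
DOT1X_REQUEST = {
    "User-Name": "CORP\\jdoe", "Calling-Station-Id": "00-1A-2B-3C-4D-5E",
    "Service-Type": SERVICE_TYPE_FRAMED, "NAS-Port-Type": NAS_PORT_TYPE_ETHERNET,
    "EAP-Message": b"<constructed EAP-Response/Identity>",
}

if __name__ == "__main__":
    for name, req in [("mab", MAB_REQUEST), ("mab eap", MAB_EAP_REQUEST), ("802.1X", DOT1X_REQUEST)]:
        print(f"{name:8} classified={classify(req):8} matches Wired-MAB={wired_mab_condition(req)}")
```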

  • 802.1x Profile - PEAP/EAP-MSCHAPv2

    I'm trying to connect my new retina Macbook Pro to our enterprise network, and am having trouble with the 802.1x profile. Looking at the settings on my Windows PC, I need to use PEAP/EAP-MSCHAPv2, but OSX Lion seems to default to PEAP/EAP-GTC. With these settings, I'm able to connect to the network but cannot access any network resources.
    I'm using the iPhone Configuration Utility to generate the 802.1x profile package. As far as I can tell, I am unable to change the inner authentication method with this application. Anyone out there have any suggestions on how I can resolve this?

    The prompt is specified when you create the profile on the machine. You can either have the user get prompted for login, save a username and password, or use the cached credentials. You need to look at the errors in RADIUS and in the WLC. One will have enough info to say what went wrong during the authentication process.

  • Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

    Hello,
    I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EAP-PEAP & EAP-MSCHAPv2 authentication.
    The RADIUS SERVER is M$ IAS.
    Authentication is working with a laptop, but it is not with my phone.
    The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
    Does somebody know what I should change in my phone's configuration to make it work?
    Thanks,
    Those who like to march in rank and file to music:
    it can only be by mistake that they were given a brain,
    a spinal cord would be more than enough for them. -- Albert Einstein

    Hi,
    Sorry for the late answer, since I was "out of the office" for a while.
    So here is the process to get the certificate.
    Log in to your IAS Server.
    Open the IAS Service Application.
    Go to "Remote Access Policies".
    Choose the policy that applies to "Wireless Connection".
    Click "Edit Profile" button.
    Choose "Authentication" Tab.
    Click "EAP Methods"
    Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
    The Next Window will show you the Certificate Issuer Name & Expiration Date.
    Then, click "Start" Button.
    Choose "Run".
    Type "mmc" in the "Run" box.
    Click "File" & Choose "Add/Remove Snap-In".
    Click "Add" Button.
    Choose the "Certificates" entry, click the "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finish.
    Click "Close" & "OK" Button.
    Expand the "Certificates - Current User" Entry & "Intermediate Certification Authorities" & Select "Certificates".
    The left window will show you a list of certificates. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
    "Right click" on the certificate, choose "All Tasks", then "Export".
    In the new window, click "Next" Button.
    Choose the "DER Encoded Binary X.509 (.cer)" entry & click "Next" Button.
    Choose a suitable location.
    Click "Next" Button & "Finish" Button.
    The certificate is now exported.
    You have to install it on your Phone now.
    The most simple way is to copy the certificate to a Web Server and access it with your phone.
    Hope that helps, if you did not already succeed.
    Those who like to march in rank and file to music:
    it can only be by mistake that they were given a brain,
    a spinal cord would be more than enough for them. -- Albert Einstein

  • NPS & EAP-MD5

    Hi there,
    We are currently working on the deployment of 802.1x enterprise-wide. Since we have some old devices that don't support 802.1x natively, and have a Cisco infrastructure, we decided to go the MAC Authentication Bypass route.
    When we tested it prior, we were running Windows 2003 + IAS. The test was flawless, however, it required us to enable Reversible Encryption and relax our password complexity requirements, which was unacceptable. We then decided to upgrade to Windows 2008 to leverage the separate password/complexity policy requirements based on a user or a group of users.
    I've just finished setting that up, and it works perfectly. We decided to go with NPS, as it had a bunch of features that were lacking from Windows 2003's IAS (namely exporting the configuration and being able to import it to our other IAS/NPS servers). We currently run the NPS service on our DCs (two of them for redundancy), however, we can't seem to make the MAC Authentication Bypass work. After some digging, it seems that Microsoft has removed support for EAP-MD5 from Vista/2008. They mention that there are third party EAPHost compliant vendors that 'may' have EAP-MD5 support, but I've been unable to find any.
    My question is, has anyone else run into this problem? If so, how did you go about fixing it? Unfortunately, Cisco only seems to support EAP-MD5 for the MAC Authentication Bypass; we're currently running this on 3560 Catalyst switches. I'd much rather get it working again on our NPS servers, as I don't want to revert back to IAS, as it's a pain to replicate the configurations between more than 1 box.
    Thanks!
    Warren 

    Hi PCGUY1184,
    I am trying to get Mitel phones working with 802.1X. I have enabled MD5 and made the other changes you propose, but it's still not working. The event log is showing event ID 6274:
    Network Policy Server discarded the request for a user.
    Contact the Network Policy Server administrator for more information.
    User:
     Security ID:   NULL SID
     Account Name:   Mitel8021X
     Account Domain:   #Domain Removed#
     Fully Qualified Account Name: #Domain Removed#\Mitel8021X
    Client Machine:
     Security ID:   NULL SID
     Account Name:   -
     Fully Qualified Account Name: -
     OS-Version:   -
     Called Station Identifier:  -
     Calling Station Identifier:  08-00-0F-5D-87-1A
    NAS:
     NAS IPv4 Address:  192.168.202.1
     NAS IPv6 Address:  -
     NAS Identifier:   -
     NAS Port-Type:   Ethernet
     NAS Port:   11
    RADIUS Client:
     Client Friendly Name:  Nortel5520
     Client IP Address:   192.168.202.1
    Authentication Details:
     Connection Request Policy Name: Secure Wired Connections
     Network Policy Name:  -
     Authentication Provider:  Windows
     Authentication Server:  #NPS Server FQDN# 
     Authentication Type:  -
     EAP Type:   -
     Account Session Identifier:  -
     Reason Code:   1
     Reason:    An internal error occurred. Check the system event log for additional information.
    Did you come across this problem? I saw a hotfix available for 2008 R2 for EAP-MD5 where the name field is empty, however the hotfix won't install as I believe I already have a newer version of raschap.dll.
    Regards,
    Craig

  • Using Windows 802.1x with EAP-MD5 on Aironet 350 Adapter

    Hello all,
    I'm trying to use EAP-MD5 as the authentication mechanism with my Aironet Card and the Microsoft 802.1x stack under Win2K. Unfortunately, this choice is not possible, while I can do it with legacy LAN cards. According to CCO literature, it is supposed to be supported. Did anyone manage to get this working?
    Thanks in advance
    Cyril

    This is supported and it should work.
    Check out this information:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg/win_ch6.htm#xtocid20

  • How to configure PEAP/EAP-GTC on Mac OS X v10.7 Lion

    I want to connect my MacBook Pro to our company WLAN using PEAP/EAP-GTC, but I don't know how to configure it. Can anybody do me a favour? Thanks in advance.

    bdc9898 wrote:
    I am trying to open a jar file that I could open on Snow Leopard but I cannot open it on Lion because there is no Jar Launcher, what should I do?
    Presumably what you think you mean by "JAR Launcher" is a Java runtime.
    Open a terminal.
    Type "java -version"
    If you get an answer, what is that answer?  If you get asked for permission to install Java, do so.

  • 802.11X PEAP/EAP-GTC wireless problems

    I have a WPA2 wireless network that uses PEAP/EAP-GTC to authenticate. The token in this case is an RSA key, where the credentials expire after 60 seconds. I have two problems.
    First. The Macbook continuously wants to use keychain to provide cached credentials anytime it reauthenticates me. I can click Deny and it will prompt me with the login window, and this login window has a checkbox for 'Only use password once', which I check. But it still wants to use cached credentials each time. Is this fixable? I have tried deleting the entry in the keychain but it always gets recreated when I authenticate on the WLAN in question.
    Second has to do with sleep mode. If the laptop goes to sleep, it will not prompt me to reauthenticate unless I turn off the airport adapter and turn it back on, or reboot. This is a bigger problem.
    Any ideas?

    Any ideas here? The problem is getting worse. I have to fiddle with airport settings for 15 minutes sometimes to get authenticated. XP/Vista clients on the same network get on the first time, every time.

  • ACS 5.5 MAB Notebook do Host-Lookup then also send PEAP (EAP-MSCHAPv2) requests

    Hello Community,
    I have a problem: one notebook in our environment authenticates successfully with Host-Lookup (MAC address) and gets the right VLAN, but then also permanently sends PEAP (EAP-MSCHAPv2) requests with a different username (the username is not a MAC address; it is the Windows computer name).
    What is the problem here?
    Thanks

    Hello Sebastian. A few questions:
    - How is the supplicant configured on the Windows machines?
    - Is 802.1x enabled on the supplicant?
    - If possible please attach screenshots of the supplicant's configuration
    - Is this for wireless, wired or both?
    - Can you post screenshots of the ACS log page for those events along with a screenshot of the "detailed screen" for one of those events
    Thank you for rating helpful posts!

  • PEAP EAP-MSCHAP and Novell(NDS)

    We have several 350/1220/1131 APs and would like to implement an 802.1x solution. We have an ACS 4.0 and are running Novell (NDS) as the user database.
    As far as I have understood, PEAP MSCHAP only supports Microsoft databases, and only EAP-GTC can be used with NDS/LDAP databases.
    Is this correct?
    Johann Folkestad

    PEAP uses TLS to encrypt any subsequent CHAP exchanges. Yes, MSCHAP uses a hashing algorithm. But it runs within a server-side cert TLS tunnel for server-side authentication and encryption.
    peter

  • PEAP & EAP-TLS together on ACS

    We have recently deployed lightweight APs/WLCs in my organization and the authentication mechanism for WLANs is PEAP. We plan to add a new wireless LAN and want to use certificate based authentication, EAP-TLS, for this new WLAN. Our authenticating server is Cisco ACS, and we want to use the same authenticating server for authenticating these two WLANs. I haven't found a way on ACS to exclusively assign a particular authentication mechanism to a WLAN. Nor can the sub-authentication be specified in the WLC. Any clues?
    Thanks,
    Vijay

    In ACS 5.x, you can specify both EAP type and then also have a condition to grant access to a certain AD OU.  If users are in a different OU, then you create two policies that look at conditions for EAP type, SSID and OU.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html
