PEAP EAP-MSCHAP and Novell(NDS)

We have several 350/1220/1131 APs and would like to implement an 802.1x solution. We have an ACS 4.0 and are running Novell (NDS) as the user database.
As far as I have understood, PEAP MSCHAP only supports Microsoft databases, and only EAP-GTC can be used with NDS/LDAP databases.
Is this correct?
Johann Folkestad

PEAP uses TLS to encrypt any subsequent CHAP exchanges. Yes, MSCHAP uses a hashing algorithm. But it runs within a server-side cert TLS tunnel for server-side authentication and encryption.
peter

Similar Messages

  • PEAP EAP-MSCHAP v2

    Hi!
    Does anyone know if the router wrt320n or any other linksys router (wireless or wired) supports 802.1x authentication, particularly PEAP EAP-MSCHAP v2? I'm connected to a network that provides access to the internet via ethernet cable and 802.1x authentication. I'd like now to connect several devices to the network through a router, but I'm not sure if the wrt320n can log on to the network, because of the 802.1x authentication.
    Thanks!

    No. They don't support 802.1X authentication (neither supplicant nor authenticator). The WRT and all Linksys branded routers are consumer routers. 802.1X authentication is a business feature which you may find in Cisco Small Business or better devices.

  • EAP-TLS with Novell NDS

    I configured EAP-TLS for the wireless LAN in the Novell 6 environment. However, I encountered a problem on the ACS with Novell NDS. Attached is the error message; any advice on how to overcome it? I have generated the server key and the client key from Windows 2000 server. The error message is 'AUth type not supported by Ext DB'

    EAP-TLS is not supported with Novell NDS as per the compatibility matrix shown in the following document:
    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm

  • WIFI issue 9790 OS 7 PEAP EAP-MSCHAP v2

    At my company we use PEAP with EAP-MSCHAP-V2. With the blackberry 8900, 9000, 9780 we have no problems connecting to the WIFI network. However the new Blackberry 9790 (OS7) cannot connect and displays an error status: Authentication server timeout. In the logfile of the radius server I can see authentication requests. Increasing the timeout settings is not the solution.
    I use the same settings as on the other BBs:
    Security Type: WPA/WPA2
    CA certificate: None selected
    Inner link security:EAP-MS-CHAP v2  
    Token: None selected
    Disable Server Certificate Validation selected
    Username and password are correct.
    Is this a software bug?

    Cnguyen, thanks for the info!!
    We are not turning off secure renegotiation on our radius server because of a bug in some blackberry devices. I don't expect that blackberry will provide a solution other than the workaround. I have seen this before:
    This is a previously reported issue that is being investigated by our development team. No resolution time frame is currently available.

  • PEAP with Novell NDS and LDAP?

    I was reading this Cisco Q&A doc (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item0900aecd801764fa.shtml) that contained the following question and answer:
    Q. Can I use PEAP with LDAP or Novell NDS databases?
    A. Yes. PEAP provides interoperability with both LDAP and Novell NDS.
    I was under the impression that LDAP and Netware only supported EAP-GTC, EAP-Fast (phase 2 only), or EAP-TLS???
    Can anyone comment?

    Getting 802.1x to work with novell using PEAP w/ GTC is a slam dunk with some exceptions. I'm using Cisco ACS with Backend connection to NDS. If you have XP clients you can easily use the Cisco PEAP supplicant to allow connecting with EAP-GTC. I ran into problems with the mixture of cards and Client OS. I turned to Funk Odyssey Client to solve all my problems on the clients.

  • 4402 PEAP w/ACS3.3 using Novell NDS.

    I am trying to configure WPA2 with 802.1x authentication through ACS 3.3. Having issue with using PEAP authentication through ACS 3.3 configured for Novell NDS as External Database. Client is stuck "Verifying credentials". Controller sends authentication requests to ACS, but it is not getting any response back from ACS. ACS is on the same subnet, no firewalls of any kind in between. Under Failed Authentication on ACS nothing gets logged if I have PEAP enabled under Global Authentication Setup (EAP-MSCHAPv2). If I uncheck PEAP options under Global Authentication, then ACS will log under Failed Attempts error message saying that "EAP type not configured. Check Global Authentication Setup". Correct IP address of ACS and secret key is entered in Wireless Controller. I have also tried using port 1645 and 1812 with the same result.
    Any ideas would be appreciated. Thanks.

    If you are authenticating against Novell eDirectory/NDS, you should use EAP-GTC. Also, when you create your database configuration, be sure to enter all contexts (separated by commas) in which your user accounts reside.

  • EAP Authentication Configuration for EAP-FAST and PEAP

    Hi Everyone,
    I pretty much got EAP working, however using LEAP.
    When I get to EAP-FAST and PEAP, I just can't seem to get it to work.
    What am I missing? I do know that EAP-FAST and PEAP involve certificates. However, how do I set them up on the client side?
    Hope you guys can help me on this, stuck on this part xD

    EAP is a complicated subject for sure. But it shouldn't be really once you know the foundation. 
    EAP-PEAP can use server side and client side and EAP-FAST can as well. It all depends how it's deployed.
    Generally speaking, most deployments of PEAP use server side only and EAP-FAST uses PACs only.
    The cert that you install on the radius server for PEAP is passed to the wireless supplicant and is used by the supplicant to hash the logon and password from the user. This hash is passed back to the radius server who has the private key who can decode the hash and pass the user ID and password  back to AD for example. 
    Hope this helps .. 

  • How to connect to a EAP-MSCHAP network?

    I'm having trouble connecting to my school's network under Arch Linux using netcfg.  Wired internet works well, but I'm unable to connect by wireless as I would under Windows or Ubuntu (using network-manager, which supports MS-CHAP).  The easy solution would be to simply install network-manager, but I would rather use CLI programs.
    The relevant information;
    Network Authentication; Open
    Data Encryption; WEP
    automatically provided key
    EAP type; PEAP
    authentication; Secured Password (EAP-MSCHAP v2)
    no server certificate validation.

    Wintervenom wrote:
    # wpa_supplicant network block
    network={
        ssid="Name of the Access Point"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="Authentication Username"
        password="Authentication Password"
        phase1="peaplabel=0"
        phase2="auth=MSCHAPV2"
        priority=1
    }

    # netcfg profile
    CONNECTION="wireless"
    DESCRIPTION="Manual Wi-Fi connection."
    INTERFACE="wlan0"
    SECURITY="wpa-config"
    WPA_CONF="/etc/wpa_supplicant.conf"
    IP="dhcp"
    TIMEOUT=45
    The second excerpt looks like a netcfg related config file, but I'm not sure what to do with the first one.
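
An added example (not from any of the posts above): a small Python check that parses wpa_supplicant `network={}` blocks and reports PEAP/TTLS profiles that, like the one quoted in this thread, set no `ca_cert` or server-name match, so the supplicant accepts any RADIUS server's certificate before sending the MSCHAPv2 exchange. The sample configuration, SSID `ExampleCorp`, file path and hostnames are constructed placeholders.

```python
# Constructed sample: the first block mirrors the PEAP/MSCHAPv2 profile quoted
# above (no CA pinned); the second adds server validation. All names and paths
# in the second block are placeholders, not values from the page.
SAMPLE_CONF = '''
network={
    ssid="Name of the Access Point"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="Authentication Username"
    password="Authentication Password"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.test"
    anonymous_identity="anonymous@example.test"
    password="placeholder"
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.test"
    phase2="auth=MSCHAPV2"
}
'''

TUNNELLED = {"PEAP", "TTLS"}  # EAP methods that rely on a server-authenticated TLS tunnel
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict of key/value settings per network={...} block."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit(network):
    """List server-validation gaps for a tunnelled EAP profile."""
    findings = []
    methods = set(network.get("eap", "").upper().split())
    if not methods & TUNNELLED:
        return findings
    has_ca = bool(network.get("ca_cert") or network.get("ca_path"))
    if not has_ca:
        findings.append("no ca_cert/ca_path: server certificate is not validated")
    if not any(network.get(k) for k in NAME_CHECKS):
        findings.append("no server name match: any certificate from the CA is accepted")
    if "MSCHAPV2" in network.get("phase2", "").upper() and not has_ca:
        findings.append("MSCHAPv2 exchange runs inside an unauthenticated tunnel")
    return findings


def audit_conf(text):
    """Map each SSID to its list of findings (empty list means no gaps found)."""
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_conf(SAMPLE_CONF).items():
        print(ssid, "->", findings or "ok")
```
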

  • EAP-TLS and MS AD auth problem

    Hi,
    I have a problem with an ACS to authenticate users with certificate on MS AD.
    Working things:
    PEAP authentication with the MS AD;
    EAP-TLS authentication with the local DB.
    Not working things:
    EAP-TLS authentication with MS AD.
    Because I'm able to auth users with PEAP on MS AD, I guess my config on MS AD is correct.
    Because I'm able to auth users with certif in EAP-TLS, I guess my certif config is correct.
    So, why is it not working with the combination EAP-TLS and MS AD?
    I receive the error 'External DB Account Restriction'
    Thanks for your help.

    This issue is generally seen when there are multiple domains. Try out this step. Choose Network Connections from the control panel. Right-click the local area connection. Choose Properties. Double-click the TCP/IP option. Choose Advanced at the bottom. Click on DNS at the top. Choose Append these DNS suffixes. Add the FQDN for each domain that ACS authenticates against in the field.

  • EAP-TLS and ISE 1.1 with AD certificates

    Hello,
    I am trying to configure EAP-TLS authentication with AD certificates.
    All ISE servers are joined to AD
    I have the root certificate from the CA to Active Directory installed on the ISE servers
    I created the certificate authentication profile using the root certificate
    I have PEAP\EAP-TLS enabled as my allowed protocol
    I am getting the following error for authentication:
    "11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12301  Extracted EAP-Response/NAK requesting to use PEAP instead
    12300  Prepared EAP-Request proposing PEAP with challenge
    11006  Returned RADIUS Access-Challenge
    11001  Received RADIUS Access-Request
    11018  RADIUS is re-using an existing session
    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12318  Successfully negotiated PEAP version 0
    12800  Extracted first TLS record; TLS handshake started
    12805  Extracted TLS ClientHello message
    12814  Prepared TLS Alert message
    12817  TLS handshake failed
    12309  PEAP handshake failed"
    I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?
    Any other issues I am missing?
    Thanks,
    Michael Wynston
    Senior Solutions Architect
    CCIE# 5449
    Phone: (212)401-5059
    Cell: (908)413-5813
    AOL IM: cw2kman
    E-Plus
    http://www.eplus.com

    Please review the below link which might be helpful :
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf

  • [SOLVED] Wireless 802.1x PEAP Windows 7 and Windows 2012 NPS and CA

    Hello,
    We are in progress of migrating our RADIUS (Windows 2003 R2) and Certificate (Windows 2003 R2) servers to 2012 (R2). This went fine, no problems. After that we have changed our wireless controller, a Cisco 5508. We have changed our certificate from a 1024-bit to a 2048-bit certificate.
    We tested the other certificate functions and that went fine too.
    But we experience a problem with wireless 802.1x in combination with Windows 7 machines. We have Windows 8 and 8.1 machines that do not experience this problem and wireless 802.1x.
    We recreated the wireless policy but also no success.
    We have seen this problem before, with a customer who had a Windows 2008 R2 certificate server and Windows XP machines with wireless 802.1x. Exactly the same problem. After decommissioning the Windows 2008 R2 certificate server and changing it to a Windows 2003 R2 certificate server, there were no problems any more.
    It looks like older versions of Windows do not work with newer certificate servers?
    Are we missing something? Can someone confirm this?
    We already looked at these forum posts, but with no success:
    http://social.technet.microsoft.com/Forums/windows/en-US/796d447f-518c-4ccb-81ff-921ee561d742/win2k8r2-peapnps-with-cisco-wireless-controller-problem?forum=winserverNIS
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d543fe75-0cf9-49e7-bbfa-dd0df219cfe5/the-radius-request-did-not-match-any-configured-connection-request-policy-crp
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
      Security ID: domainname\NB80W7$
      Account Name: host/NB80W7.domainname.local
      Account Domain: domainname
      Fully Qualified Account Name: domainname\NB80W7$
    Client Machine:
      Security ID: NULL SID
      Account Name:
      Fully Qualified Account Name: -
      OS-Version:
      Called Station Identifier: 08-d0-9f-ec-96-60:domain
      Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
      NAS IPv4 Address: 192.168.2.6
      NAS IPv6 Address:
      NAS Identifier: WLC5500
      NAS Port-Type: Wireless - IEEE 802.11
      NAS Port: 1
    RADIUS Client:
      Client Friendly Name: WLC5500
      Client IP Address: 192.168.2.6
    Authentication Details:
      Connection Request Policy Name: WLC5500
      Network Policy Name:
      Authentication Provider: Windows
      Authentication Server: DC01.domainname.local
      Authentication Type: EAP
      EAP Type:
      Account Session Identifier:
      Logging Results: Accounting information was written to the local log file.
      Reason Code: 48
      Reason: The connection request did not match any configured network policy.

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
      Security ID: domainname\Username
      Account Name: domainname\Username
      Account Domain: domainname
      Fully Qualified Account Name: domainname.local/ICT Specialisten/Username
    Client Machine:
      Security ID: NULL SID
      Account Name:
      Fully Qualified Account Name: -
      OS-Version:
      Called Station Identifier: 08-d0-9f-ec-96-60:domain
      Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
      NAS IPv4 Address: 192.168.2.6
      NAS IPv6 Address:
      NAS Identifier: WLC5500
      NAS Port-Type: Wireless - IEEE 802.11
      NAS Port: 1
    RADIUS Client:
      Client Friendly Name: WLC5500
      Client IP Address: 192.168.2.6
    Authentication Details:
      Connection Request Policy Name: WLC5500
      Network Policy Name: WLC5500
      Authentication Provider: Windows
      Authentication Server: DC01.domainname.local
      Authentication Type: PEAP
      EAP Type:
      Account Session Identifier:
      Logging Results: Accounting information was written to the local log file.
      Reason Code: 16
      Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Hi,
    Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
    More information:
    Renew a Certificate
    http://technet.microsoft.com/en-us/library/cc730605.aspx
    NPS Server Certificate: Configure the Template and Autoenrollment
    http://msdn.microsoft.com/en-us/library/cc754198.aspx
    Hope this helps.

  • 802.1x/EAP clarification and implementation

    Dear Sir,
    To setup LEAP authentication using ACS, the client needs a supplicant such as the ACU to run LEAP independent of OS.
    Cisco AP will be the carrier of the EAP message between the client and the Radius server, sitting between the client and the server. I know for a fact that Cisco AP supports LEAP, PEAP, EAP-TLS, EAP-MD5 and EAP-SIM. From my understanding, those types of EAP mentioned earlier can be relayed to the Radius server (ACS), am I right?
    Does it mean that these messages are transparent from the AP point of view? If I replace the Cisco AP with another third party access point that they claim supports 802.1x/EAP but they never specify the type of EAP protocol, can I still run LEAP with a third party AP though my client is Cisco and the Radius server is CSACS?
    What type of OS or supplicant supports EAP-MD5? I know that Windows XP and 2000 support 802.1x driver, what about their EAP protocol supported on XP and 2000?
    Thanks.
    Delon

    I think the following document will clear most of your doubts,
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008019fea2.shtml

  • 802.1x Profile - PEAP/EAP-MSCHAPv2

    I'm trying to connect my new retina Macbook Pro to our enterprise network, and am having trouble with the 802.1x profile. Looking at the settings on my Windows PC, I need to use PEAP/EAP-MSCHAPv2, but OSX Lion seems to default to PEAP/EAP-GTC. With these settings, I'm able to connect to the network but cannot access any network resources.
    I'm using the iPhone Configuration Utility to generate the 802.1x profile package. As far as I can tell, I am unable to change the inner authentication method with this application. Anyone out there have any suggestions on how I can resolve this?

    The prompt is specified when you create the profile on the machine. You can either have the user get prompted for login, save a username and password, or use the cached credentials. You need to look at the errors in radius and in the wlc. One will have enough info to say what went wrong during the authentication process.

  • Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

    Hello,
    I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EAP-PEAP & EAP-MSCHAPv2 authentication.
    The RADIUS SERVER is M$ IAS.
    Authentication is working with a laptop, but it is not with my phone.
    The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
    Does somebody know what I should change in my phone's configuration to make it work?
    Thanks,
    Those who enjoy marching in ranks to music:
    it can only be by mistake that they received a brain,
    a spinal cord would amply suffice for them. -- Albert Einstein

    Hi,
    Sorry for the late answer since I was "out of the office" for a while.
    So here is the process to get the certificate.
    Log in to your IAS Server.
    Open the IAS Service Application.
    Go to "Remote Access Policies".
    Choose the policy that applies to "Wireless Connection".
    Click "Edit Profile" button.
    Choose "Authentication" Tab.
    Click "EAP Methods".
    Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
    The Next Window will show you the Certificate Issuer Name & Expiration Date.
    Then, click "Start" Button.
    Choose "Run".
    Type "mmc" in the "Run" box.
    Click "File" & Choose "Add/Remove Snap-In".
    Click "Add" Button.
    Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finish.
    Click "Close" & "OK" Button.
    Expand the "Certificates - Current User" Entry & "Intermediate Certification Authorities" & Select "Certificate".
    The left window will show you a list of certificates. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
    "Right click" on the certificate, choose "All Tasks", then "Export".
    In the new window, click "Next" Button.
    Choose "DER Encoded Binary X.509 (.cer)" entry & click "Next" Button.
    Choose a suitable location.
    Click "Next" Button & "Finish" Button.
    Certificate is now exported.
    You have to install it on your Phone now.
    The most simple way is to copy the certificate on a Web Server and access it with your phone.
    Hope that helps, if you did not already succeed.
    Those who enjoy marching in ranks to music:
    it can only be by mistake that they received a brain,
    a spinal cord would amply suffice for them. -- Albert Einstein

  • 5440 Endpoint abandoned EAP session and started new

    We have an ISE deployment for testing.
    This is running v1.2.0.899.
    We have an auth policy configured for domain-joined computers for 802.1x and domain credentials:
         Condition: Wired_802.1X
         Allow Protocols: PEAP_CHAPv2
         Use: AD
    This works, and authenticates both the machine (pre-login) and user (post-login).
    However, I am seeing some errors in the Auth logs before the 5200 Authentication succeeded message.
    These messages are not shown in the Cisco ISE Log Messages spreadsheet!
        5441 Endpoint started new EAP session while the packet of previous EAP session is being processed. Dropping new session.
        5405 RADIUS Request dropped
        5440 Endpoint abandoned EAP session and started new

    I am seeing this error when a windows supplicant is booting up, we want them to use EAP-TLS. Before the GPOs have struck, they try to authenticate using EAP-PEAP on their own, which they aren't configured to do. Shortly after that, they send the EAP-TLS packets. After the supplicant has been authenticated, the 5440 error shows up but without affecting the authentication.
    My guess is that this is the result of Windows behaviour. This generates a couple of "failed" authentications that in our case just confuse the customer. I know this isn't an answer to your question, just my experience with the problem.
