PEAP wireless authentication
Has anyone successfully implemented a PEAP wireless solution? I have PEAP authentication working with a client using Cisco ACS 3.1 and authenticating with OTP (SecurID). Everything works great, except that when the user logs into Windows 2000 the first time after booting up the PC, they are logging in with a cached account. This is because the Cisco interface in which you enter your username and passcode does not appear until after logging into Windows. Is there a way to authenticate the wireless network connection before logging into the Windows domain?
I am also having the same issue with PEAP not authenticating prior to domain authentication. LEAP works correctly, but I am told I need the added security of the SSL tunnel (the EAP-TLS part of PEAP). If PEAP authentication cannot occur before domain authentication, is there a way to make it authenticate immediately afterwards? It seems the client sits associated to the AP and never tries to authenticate until traffic is passed. This presents a bad user experience.
I am running an AP1100 with Aironet 350 PCMCIA cards, and Secure ACS as the authentication server.
Thanks
CS
Similar Messages
-
Wireless PEAP users authenticated by TACACS+
Hello,
I have the following scenario, access points 1214 (fat AP) connected to ACS (RADIUS) and the ACS integrated with Novell LDAP as external database.
The wireless users use PEAP for authentication. Here is the problem: when I try to connect wirelessly with a username and password configured locally on the ACS database it works fine, but if I use a username and password listed in the Novell LDAP I get the error "Auth type not supported by External DB".
Note:
For VPN users, I can connect and access the network resources from outside with username and password listed on Novell LDAP database (integration between ACS and Novell LDAP is fine). Maybe this note could help you!!
Regards,
Belal
Hello Darran,
Thanks for your feedback.
Now I'm trying to configure EAP-TLS, but as stated in the configuration guide I should have CA certificates for both ACS and the wireless users. Here is the question: shall I have a CA server, or is there another way to complete the task (use a locally generated certificate, for example, if possible)?
Regards,
Belal -
Wireless authentication to a windows network
IF this is the wrong group please let me know and I will re-post...
I am trying to solve some problems authenticating to a windows network using a airport card....
I keep getting a non-trusted certificate message after/during the 802.1x authentication box. We are not using certificates, at least that is what the admin tells me... so I have logged in as root, opened Keychain and set the certificates in question to trust always for all settings. I log out and then relogin as a normal network account and I still get the message, which I can click continue on, and then I have access.
the other problem is that my home folder will not mount...I have to mount it manually through the finder..I am assuming this is because the airport network services are not running until I authenticate locally with a cached password....Is there a way to have the login window authenticate through airport so I can have my home directory mount automatically...
thanks for your help... unfortunately there are several problems with the solution and it really doesn't address the issue. I can't mount the volume on the dock as it won't mount, probably because it is the server itself that has been mounted, not the shared home folder. Also it might create a conflict by having an alias to the home folder that would conflict with the auto-mounted home folder when I use the ethernet as a connection source. What I have is a multi-purpose machine.
1) I use a hardwired connect at my desk...
2) If I need to go somewhere that a port in the wall is not active, I can then use a wireless connection which allows me access to everything I need....
What I need to do is get this working so that the rest of the area can use it as well....
So the question still remains: does the wireless authentication not mount the home directory because it is not tied into the login window? For example, in a hardwired case I log in to the system and this authenticates me and mounts my home folder. When I unplug the ethernet cable, turn on Airport and log off, I log in at the login window but the 802.1x box comes up and asks for my password... which then brings up a not-trusted certificate. I have tried everything I know to make this accepted by the system, including logging in as root and going into Keychain and setting it to be trusted. This DOES not work. I still get the untrusted certificate message and the home directory does not mount. So what I need is someone who is authenticating to a Windows network using wireless. I have followed all the 802.1x suggestions, which include using only PEAP to authenticate through.
I hope someone can tell me how to stop the untrusted certificate error and how to mount the home directories. It would seem that there should be some type of setting to make Airport start up prior to the login window, or be hooked into the login window and pass that through to the wireless authentication. This is beyond my experience as you can see...
thanks -
Macbook Wireless Authentication Problem
I am having a strange issue that I haven't seen much information in either the Leopard forum or the Snow Leopard forums. This issue started with the 10.5.8 upgrade. When I migrated to 10.5.8 the campus network wireless stopped working. The Campus Network runs on WPA Enterprise. I have no issues connecting to my WPA Personal network at home. Neither network broadcasts the SSID and both require authentication to access. The home network requires just a password to connect while the campus network requires both Username and Password authenticated via Active Directory. When connecting to the campus network opening the Network preferences pane shows Airport flashing Authenticating then Authenticated repeatedly. Eventually after 10-20 minutes of flashing the wireless will finally connect to the network. Console shows the following:
Sep 14 07:35:31 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:35 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:35 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:36 ***** configd[15]: network configuration changed.
Following the instructions here:
http://www.viewfromthedock.com/2009/08/temp-fix-for-10-5-8-airport-bug/
which has you replace the following 2 files, fixes the issue:
AppleAirport.kext
IO80211Family.kext
Now that I have upgraded to Snow Leopard the problem is back again. This is a completely fresh loaded laptop. I erased and formatted the hard drive before installing Snow Leopard. I'm running an older Macbook that uses the Atheros card. A guy I work with has a slightly newer Macbook running a Broadcom card that doesn't have this issue.
I do have a log file I generated from this post:
http://discussions.apple.com/messageview.jspa?messageID=10123194
If that would be helpful in getting the problem resolved.
Thanks in advance.
Here:
Card Type: AirPort Extreme (0x14E4, 0x8D)
Firmware Version: Broadcom BCM43xx 1.0 (5.10.91.19)
Locale: ETSI
Country Code: TW
Supported PHY Modes: 802.11 a/b/g/n
Supported Channels: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 149, 153, 157, 161, 165
Country code may vary, according to base stations in the vicinity. When I'm at home in the UK, code is TW. At work in the UK, code is US. Verbose startup of the OS reveals variety long before authentication, so I guess that the country code sometimes reflects the characteristics of a nearest capable base station.
I have different issues in different environments. One of the issues is summarised at <http://discussions.apple.com/thread.jspa?messageID=10159356> and in this area of Apple Discussions, I watch just a few other threads. -
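The console excerpt in the Macbook post shows the symptom of the bug it describes: eapolclient reports "PEAP: successfully authenticated" about once per second while the Network preference pane flips between Authenticating and Authenticated. A healthy 802.1X session authenticates once and then re-authenticates only at the session-timeout interval, so a burst of successes seconds apart is itself a detectable signal, on the client and equally in the RADIUS server's accounting or authentication logs. The following detector is an added example written for this page, not code from Apple or from the poster; the sample lines are copied from the post with the hostname masked as `*****`, and the year (syslog lines carry none) is an assumed 2009.

```python
"""Detect an EAP re-authentication loop in syslog-style eapolclient lines."""
import re
from datetime import datetime, timedelta

# Constructed sample: the eapolclient lines quoted in the post, hostname masked.
SAMPLE_LOG = """\
Sep 14 07:35:31 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:32 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:33 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:34 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:35 ***** eapolclient[324]: eapmschapv2successrequest: successfully authenticated
Sep 14 07:35:35 ***** eapolclient[324]: PEAP: successfully authenticated
Sep 14 07:35:36 ***** configd[15]: network configuration changed.
"""

# BSD syslog layout: "<Mon> <day> <HH:MM:SS> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<proc>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

PEAP_SUCCESS = "PEAP: successfully authenticated"


def parse_line(line, year=2009):
    """Parse one syslog line into a dict, or return None for lines in another format.

    The year is supplied by the caller because syslog timestamps omit it.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"],
            "pid": int(m["pid"]), "msg": m["msg"]}


def find_reauth_loops(lines, window_seconds=10, threshold=3, year=2009):
    """Return (first_ts, last_ts, count) for every burst of PEAP successes.

    A burst is a run of at least `threshold` eapolclient PEAP-success events
    whose first and last timestamps lie within `window_seconds` of each other.
    """
    window = timedelta(seconds=window_seconds)
    events = [e for e in (parse_line(l, year) for l in lines)
              if e and e["proc"] == "eapolclient" and e["msg"].startswith(PEAP_SUCCESS)]
    bursts = []
    i = 0
    while i < len(events):
        j = i
        # Extend the run while the next event is still inside the window of event i.
        while j + 1 < len(events) and events[j + 1]["ts"] - events[i]["ts"] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((events[i]["ts"], events[j]["ts"], j - i + 1))
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for first, last, n in find_reauth_loops(SAMPLE_LOG.splitlines()):
        print(f"re-auth loop: {n} PEAP successes between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The same sliding window applied to a RADIUS server's per-client success records would surface a client in this state from the infrastructure side, which matters because a supplicant that re-authenticates every second also re-derives keys every second and can look, superficially, like someone replaying an exchange.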
AP1252 : Support for LEAP and PEAP for authentication
Hi,
We are deploying Cisco AP1252 in unified (lightweight) mode and would like to know whether it will support both LEAP as well as PEAP for authenticating clients at the same time (mixed mode). If yes, kindly let me know the configuration for the same.
Local EAP authentication on Wireless LAN Controllers was introduced with Wireless LAN Controller version 4.1.171.0.
Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, so it removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, PEAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.
Local EAP can use an LDAP server as its backend database to retrieve user credentials.
An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.
Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml -
802.1x wireless authentication with certificates
Hi.
I have configured and working 802.1x authentication with certificates for Wired connections. with no problem.
When I try to authenticate the same machine with 802.1x and certificates on wireless, the ACS rejects it with:
"12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
The ACS is the same, the certificate is the same, and the root CA is the same.
What's happening?
Antero Vasconcelos
What supplicant are we using for wireless authentication? Do we have the complete chain of certificates installed on the client machine? Can you check if we have the root CA/intermediate correctly installed in the client and ACS.
~BR
Jatin Katyal
**Do rate helpful posts** -
802.1x Wireless Authentication
Hello
I am using a MS Certificate Server and MS Radius server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it in as an X.509 anchor and other and still the same thing. Is anyone out there doing this?
The window says:
802.1X Authentication
The Server Certificate could not be validated because the root certificate is missing.
Thanks
No, CA wasn't changed with R2.
Are you able to see the User's certificate in the Keychain app under the login keychain & My Certificates? Can you see the CA's certificate under the X509Anchors?
In the login keychain, when looking at the Users certificate, does it show as valid? -
Secure wireless authentication
I have just been reading all the posts about secure wireless access and I am
not happy with the direction Novell has chosen to take.
I have been extremely pleased with Netware, GroupWise & ZenWorks but Novell
is starting to lose its appeal.
Let me summarize what I have learned and see if I have made any mistakes
with my understanding.
1. Novell has stopped development on their Radius server and have no plans
to resume development.
2. Novell contributed code to the open source FreeRadius project.
http://www.novell.com/news/press/arc...2/pr05008.html
3. There isn't any Radius server with 802.1x authentication that runs on
Netware (Netware kernel).
a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
802.1x authentication.
b. I have contacted Funk and this is their reply. Steel-Belted Radius
Server will run on Windows and Solaris (Linux is coming).
http://www.funk.com/News&Events/sbr_linux_pn.asp
c. MTG House hasn't gotten back to me about a solution for Netware. (I
am doubtful, I didn't find anything on their website.)
4. You need to run a Radius server that does 802.1x authentication and will
work/integrate with eDir.
a. FreeRadius (Linux) will integrate with Edir.
http://www.novell.com/documentation/...ius/index.html
http://www.novell.com/coolsolutions/feature/15383.html
b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is in
beta).
http://www.funk.com/radius/default.asp
c. Aegis Server
http://www.mtghouse.com/products/aeg...er/index.shtml
5. You need a 802.1x Client to authenticate to a Radius server for wireless
authentication.
a. Microsoft has 802.1x support in their client. (read this from other
posts in this forum)
b. Novell isn't planning on putting 802.1x support in the NW Client.
(read this from other posts in this forum)
c. There are 2 Radius clients that integrate with the NW Client for
Radius Edir authentication.
1. Funk's Odyssey Client ($45 - $50 per workstation depending on
quantity) + added annual maintenance costs.
$2281.25 for 50 Client licenses & annual maintenance.
http://www.funk.com/radius/wlan/wlan_c_radius.asp
2. Aegis' Client ($32 - $39.99 per workstation depending on
quantity) + added annual maintenance costs.
$2240.00 for 50 Client licenses & annual maintenance.
http://www.mtghouse.com/products/aeg...nt/index.shtml
http://www.mtghouse.com/novell_app_note_122204.pdf
3. When FreeRadius is integrated with Edir is this separate client
still needed?
I didn't see anything about a separate client being needed while
reading the Integrating FreeRadius with Edir documentation.
6. FreeRadius support is going to be built-in to the next version of Edir.
http://www.novell.com/news/press/arc...2/pr05008.html
Why didn't Novell contribute code to port FreeRadius to Netware?
At this point in time they are still giving us a choice between the Netware
kernel and the Linux kernel. To me that says they are willing to make
things work with both systems until they drop support for the Netware
kernel. Ok, so give me support for 802.1x authentication in the Netware
kernel. I don't have stray single purpose servers floating around my
network and I don't want to have to begin that practice just to get Radius
802.1x authentication working.
I also won't put my district at a disadvantage by upgrading to the Linux
kernel until I know Linux well enough to administer it properly. I am the
IT department at this district so I don't have a great deal of extra time to
run about learning the new things I would LOVE to learn. I'm sure I'm not
the only person in this situation so Novell should take these things into
consideration before they just drop support for a product they say they are
still supporting. Obviously all of the real support is going toward the
Linux side at Novell.
Daniel Blake
Milford Central School
Ok, I'll give them the benefit of the doubt and say fine the Netware kernel
might as well be considered dead. So they are giving me support via
FreeRadius if I just migrate to OES (Linux). Ok, I might/can live with that
as a Novell decision.
But that still doesn't explain why they don't give us some client to log in
via 802.1x. Giving us the server but not the client is like giving us a
locked door without a key. That's just plain stupid. I would rather stay a
Netware - OES shop, but if Novell can't think something this simple through
then I'm a little nervous about staying with them. What could they think up
next?
I guess Novell has decided to port all its software to Windows cause it
sucks so bad at business decisions. GroupWise & ZenWorks run completely on
Windows now, so why do I need OES at all? Except for complexity &
integration issues of course. I mean why would I need to purchase Edir for
Windows if I didn't stay with OES? Or Nsure Identity Manager for that
matter. So if we start looking deeper into this we see Marketing all over
this thing. Novell Marketing has always done such a good job for Novell.
Novell has given me a real choice that will work though. If I migrate
completely to a Windows network it just works without any added costs. Heck
it even makes my installs easier without having to install the NW Client on
every new workstation. I can still run ZenWorks & GroupWise too.
Now, how is Novell Marketing going to screw up and make me hate GroupWise &
Zenworks so I migrate completely away from Novell products? Way to go
Novell!
Daniel Blake
Milford Central School
"Jim Michael" <[email protected]> wrote in message
news:[email protected]...
> mcsdtech wrote:
>
>> 1. Novell has stopped development on their Radius server and have no
>> plans to resume development.
>
> Correct, so far as we know.
>
>> 2. Novell contributed code to the open source FreeRadius project.
>> http://www.novell.com/news/press/arc...2/pr05008.html
>
> Yes. Code to allow easier integration with eDirectory.
>
>> 3. There isn't any Radius server with 802.1x authentication that runs on
>> Netware (Netware kernel).
>
> Correct.
>
>> a. Novell's Radius server (BMAS or the newer NMAS server) doesn't do
>> 802.1x authentication.
>
> Correct. It was developed quite a while before 802.1x even existed.
>
>> b. I have contacted Funk and this is their reply. Steel-Belted
>> Radius Server will run on Windows and Solaris (Linux is coming).
>> http://www.funk.com/News&Events/sbr_linux_pn.asp
>
> Correct, but Steel-Belted Radius is probably the last solution I would
> look at. Radiator is a commercial product that runs on Linux or Windows
> (it is Perl-based) and you will get far better support from them on
> eDirectory issues and general Radius problems. freeRADIUS is what I would
> run on Linux if you don't want to spend a dime on the software.
>
>> c. MTG House hasn't gotten back to me about a solution for Netware.
>> (I am doubtful, I didn't find anything on their website.)
>
> Not familiar with them.
>
>> 4. You need to run a Radius server that does 802.1x authentication and
>> will work/integrate with eDir.
>> a. FreeRadius (Linux) will integrate with Edir.
>> b. Funk's Steel-Belted Radius server (Windows, Solaris & Linux is
>> in beta).
>
>> c. Aegis Server
>
> And Radiator (what I run) http://www.open.com.au This is the solution we
> run.
>
>> 5. You need a 802.1x Client to authenticate to a Radius server for
>> wireless authentication.
>
> Correct.
>
>> a. Microsoft has 802.1x support in their client. (read this from
>> other posts in this forum)
>
> Correct. Technically, the "support" is in Windows, not the MS client.
>
>> b. Novell isn't planning on putting 802.1x support in the NW Client.
>> (read this from other posts in this forum)
>
> Correct.
>
>> c. There are 2 Radius clients that integrate with the NW Client for
>> Radius Edir authentication.
>> 1. Funk's Odyssey Client 2. Aegis' Client ($32 - $39.99 per
>> workstation depending on
>
> Correct.
>
>> 3. When FreeRadius is integrated with Edir is this separate
>> client still needed?
>
> Yes. You ALWAYS need a 802.1x supplicant (client) on the workstation.
> Windows has one built-in, which works FINE against eDirectory. HOWEVER,
> because of the way it works you must log into eDirectory *after* fully
> logging into windows. That is unacceptable to most organizations (you
> would have to manually log in and map drives to NW, etc). This is why
> there are third-party clients that integrate specifically with the NetWare
> client.. they allow the 802.1x authentication to "insert" itself
> in -between the Windows and eDirectory login, thus preserving all of the
> normal features like dynamic local user, zen policies, etc.
>
>> I didn't see anything about a separate client being needed
>> while reading the Integrating FreeRadius with Edir documentation.
>
> A client is always assumed.
>
>> Why didn't Novell contribute code to port FreeRadius to Netware?
>
> Because Novell's future direction is Linux, and there isn't much demand
> for a NetWare Radius server.
>
>> At this point in time they are still giving us a choice between the
>> Netware kernel and the Linux kernel. To me that says they are willing to
>> make things work with both systems until they drop support for the
>> Netware kernel. Ok, so give me support for 802.1x authentication in the
>> Netware kernel. I don't have stray single purpose servers floating
>> around my network and I don't want to have to begin that practice just to
>> get Radius 802.1x authentication working.
>
> You can always make your wishes known at
> http://support.novell.com/enhancement
>
>> I also won't put my district at a disadvantage by upgrading to the Linux
>> kernel until I know Linux well enough to administer it properly. I am
>> the IT department at this district so I don't have a great deal of extra
>> time to run about learning the new things I would LOVE to learn. I'm
>> sure I'm not the only person in this situation so Novell should take
>> these things into consideration before they just drop support for a
>> product they say they are still supporting. Obviously all of the real
>> support is going toward the Linux side at Novell.
>
> I understand the frustration, but I doubt things will change. There is a
> big difference between "supporting" existing products and adding major
> enhancements to products to support new standards. I just don't think
> Novell believes it is worth dedicating development resources to enhancing
> Radius on NetWare, for those few that can't/won't run a Linux or Windows
> box where the software already exists.
>
>
> --
> Jim
> NSC Sysop -
Hello
I am using a MS Certificate Server and MS Radius server with 802.1x Wireless Authentication. When the Macs authenticate I get a warning, so to speak, and the cert will not save or trust. I have entered it in as an X.509 anchor and other and still the same thing. Is anyone out there doing this?
The window says:
802.1X Authentication
The Server Certificate could not be validated because the root certificate is missing.
Thanks
You've posted in the wrong forum. This is Feedback about Discussions. Try Networking and the Web maybe.
-
Open Wireless authentication concept.
Folks,
We have been asked to explore the possibilities of getting an open wireless setup going for guests. This essentially means that guests coming in should get Internet access without having to feed in a username/password. Connecting to this SSID should take them to a portal page which mentions some policies about internet access. On accepting that the users must get Internet access.
Can this be achieved on the Cisco Wireless controllers? Has anyone heard about the industry using such Wireless authentication? Is there any know setup that uses this kind of configuration?
Thanks,
N.
Web Passthrough on Wireless LAN Controllers
Web passthrough is a solution that is typically used for guest access. The process of web passthrough is similar to that of web authentication, except that no authentication credentials are required for web passthrough.
In web passthrough, wireless users are redirected to the usage policy page when they try to use the Internet for the first time. Once the users accept the policy, they can browse the Internet. This redirection to the policy page is handled by the WLC.
In this example, a VLAN interface is created on a separate subnet on the WLC. Then, a separate Wireless LAN (WLAN)/Service Set Identifier (SSID) is created and configured with web passthrough, and it is mapped to this VLAN interface.
http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116879-configure-wlc-00.html -
Wireless authentication through AD
I have a 2106 LAN controller with 1250 AP. I need to authenticate via my Active Directory users. Can this be done and how? I am also looking to get better range from my antennas; what is the best omni or bi-directional antenna I can use with my 1250 AP?
Thank you in advance.
Hi Tabish:
Unfortunately, there is no specific document for wireless authentication with ACS 5.x
If you wish you can check the below listed sections from acs 5.1 user guide:
You can configure AD on Windows to use as external database, you can use the following link to integrate your AD
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/users_id_stores.html#wp1053213
For authorization using TACACS+
http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html#wp1074366
For configuring managing access
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html
HTH
Regards,
JK
Plz rate helpful posts -
PEAP vs EAP-TLS Wireless Authentication Method
Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks, -
New Intel Wireless Pro set let bypass PEAP user authentication
Hello.
I have a critical situation. We use PEAP/MSCHAPv2 for client and user authentication. Wireless users and clients will be authenticated by the ACS by asking an ADS user group membership. Valid users and clients have access to LAN resources protected by the WLAN controller. If the wireless client uses the WZC and the logged-on user is not a member of the user group, he will not be authenticated and has no access through the WLAN controller. But if the wireless client uses the current "Intel Wireless Pro Set" and the user is not a member of the ADS group, the ACS drops the user authentication request. But some seconds later the user will nevertheless have access to internal resources.
In this case I think the user authentication request will not be handled correctly by the ACS, so the authenticated client will have access through the WLAN controller and a user not authenticated by ACS will have access to LAN resources by his local cached user credentials.
Is there a possible security leak, or do I have a configuration problem?
Best regards
Olaf Bachmann
Hi irisrios.
PEAP "Fast Reconnect" is disabled on the ACS side.
But in the meantime we made some tests with Cisco ACS and a Nortel WLAN controller. If the WLAN client uses a wireless profile generated with the Intel Proset (!! full installation incl. admin tools and pre-logon authentication!!), then a user who is not a member of the WLAN user group has access to LAN resources. -
Hello!
I don't really know whether this issue has been asked before.
I have to configure PEAP authentication with ACS 4.2.1 for Windows against Active Directory.
ACS is a member of AD domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
Hosts get a hostname via DHCP in the form dhcp.domainname. This is also the name the machine uses for the AAA request.
User authentication works fine, because the user account is also hosted in xyz.domainname.
The host authentication fails, because dhcp.domainname is a DNS domain only, not a Windows AD subdomain.
Does anybody know a solution for this special constellation?
Is it possible to strip or rewrite the domain suffix in any way during the authentication process?
Hello Jean,
I am guessing that you are using 802.1x wireless.
This is expected behaviour, because AD forces the computer to change its password every month, and if the computer is not on the domain at that moment the computer won't take that change.
This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
Please see links below that explain this situation.
http://support.microsoft.com/kb/216393/en-us
http://support.microsoft.com/kb/904943
Hope this helps
Erdelgad
Cisco CSE -
Bypass PEAP user authentication
Hello.
We use PEAP/MSCHAPv2 for client AND user authentication. Wireless users and clients will be authenticated by the ACS by asking an ADS user group membership. Only authenticated users on authenticated clients should have access to LAN resources protected by the WLAN controller. If the wireless client uses the WZC and the logged-on user is not a member of the user group, he will not be authenticated and is blocked by the WLAN controller. But if the wireless client uses the current "Intel Wireless Pro Set" AND the user is not a member of the ADS group, the ACS drops the user authentication request, but a few seconds later the user will nevertheless have access to internal resources.
In this case I think the user authentication request will not be handled correctly by the ACS, so the authenticated client will have access through the WLAN controller and a user not authenticated by ACS will have access to LAN resources by his local cached user credentials.
Is there a possible security leak, or do I have a configuration problem?
Best regards
Olaf Bachmann
This is not a security leak but a configuration issue. If the client utility and the ACS, ADS database is correctly configured then you will not see any issues.
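Both Intel ProSet threads above describe the same failure mode: the computer account's PEAP exchange succeeds (pre-logon), the user's PEAP exchange is then rejected, yet the station keeps the access it obtained as a machine. Whether that is "a leak" or "a configuration issue" comes down to what the controller's authorization policy grants to a machine-only session and what it does when a later user exchange fails. The model below is an added illustration for this page, not code from Cisco ACS, a WLAN controller or the Intel client; it contrasts a lenient policy (machine success grants the full LAN VLAN, user rejection is ignored) with a strict one (machine success grants only a restricted VLAN, user rejection tears the session down). VLAN numbers, host and user names and the MAC address are constructed values.

```python
"""Toy model of machine + user 802.1X authorization on a WLAN controller."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESTRICTED_VLAN = 999   # assumed: machine-only reach (domain controllers, patching)
LAN_VLAN = 10           # assumed: full internal access


@dataclass
class Session:
    mac: str
    machine_id: str
    user: Optional[str] = None
    vlan: Optional[int] = None
    log: List[str] = field(default_factory=list)


class Authenticator:
    """Derives each station's VLAN from the outcomes of its machine and user EAP exchanges."""

    def __init__(self, authorized_users, authorized_hosts, strict):
        self.authorized_users = set(authorized_users)
        self.authorized_hosts = set(authorized_hosts)
        self.strict = strict
        self.sessions: Dict[str, Session] = {}

    def machine_auth(self, mac, host_identity):
        """Computer-account PEAP exchange, identity of the form host/<fqdn>."""
        if host_identity not in self.authorized_hosts:
            return "reject"
        # Lenient policy hands the machine full access straight away;
        # strict policy parks it in the restricted VLAN until a user succeeds.
        vlan = RESTRICTED_VLAN if self.strict else LAN_VLAN
        self.sessions[mac] = Session(mac, host_identity, vlan=vlan,
                                     log=[f"machine ok -> vlan {vlan}"])
        return "accept"

    def user_auth(self, mac, user):
        """User PEAP exchange after interactive logon on an already-associated station."""
        sess = self.sessions.get(mac)
        if sess is None:
            return "reject"  # assumed policy: a user exchange needs a machine session first
        if user in self.authorized_users:
            sess.user, sess.vlan = user, LAN_VLAN
            sess.log.append(f"user {user} ok -> vlan {LAN_VLAN}")
            return "accept"
        if self.strict:
            # A rejected user must not keep riding on the machine's authorization.
            del self.sessions[mac]
            return "reject-deauth"
        # The symptom reported in the thread: rejection logged, access unchanged.
        sess.log.append(f"user {user} rejected, session kept")
        return "reject"

    def access_vlan(self, mac):
        """VLAN the station currently has, or None if it has been deauthenticated."""
        sess = self.sessions.get(mac)
        return None if sess is None else sess.vlan


def scenario(strict, user="bob"):
    """Machine auth succeeds, then `user` logs on; returns (user result, station VLAN)."""
    auth = Authenticator(authorized_users={"alice"},
                         authorized_hosts={"host/pc1.example.test"}, strict=strict)
    mac = "00:11:22:33:44:55"
    auth.machine_auth(mac, "host/pc1.example.test")
    result = auth.user_auth(mac, user)
    return result, auth.access_vlan(mac)


if __name__ == "__main__":
    print("lenient, user outside group:", scenario(strict=False))
    print("strict,  user outside group:", scenario(strict=True))
    print("strict,  user in group:     ", scenario(strict=True, user="alice"))
```

Under the lenient policy the rejected user still sits in VLAN 10, which is exactly what the poster observed; under the strict policy the same sequence ends with no session at all. Whichever supplicant is in use, the check a defender wants is therefore on the RADIUS authorization attributes returned for machine identities and on whether a user-phase Access-Reject actually terminates the station's existing session.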