PEAP.
Hi there.
I have set up EAP type authentication using MS-PEAP v2; everything works fine. The issue is that when using PEAP, users must authenticate before the network connection is established. However, this introduces another issue: I cannot, for example, push a virus while the machine is logged out. I don't want to use LEAP. I need to use a strong and safe method while still allowing me to push updates when machines are logged out. Any assistance is highly appreciated.
Thanks.
Hi,
You could always configure IAS to allow computer authentication, based on whether the computers are in the domain or not.
That way, the computers would be authenticated to the access point before user authentication would take place.
I would think that having user authentication combined with computer authentication configured in IAS would be the best option to allow access to the wireless domain.
Regards
Andri
Similar Messages
-
Having a problem with PEAP and Cisco 2960 Switch
Hi All,
I am attempting to use PEAP with an LDAP backend on FreeRadius with the MS supplicant. I have it all working; in debug on the Radius server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs. If I install the Cisco or Juniper client it works just fine if I use EAP-MSCHAPv2, but PEAP-MSCHAPv2 does not switch the port to the right VLAN. Is there something extra on the switch I need to do to allow PEAP, or is there something on the FreeRadius?
The only difference between the PEAP and EAP versions that I can tell is that with PEAP the authentication and the information is sent once (according to the debug on the Radius server), whereas with EAP the connection information is sent several times; that is, I will see the Tunnel and medium info sent more than once in the Radius log for just one login.
Any ideas?
Thought I mentioned the client in the first post: I am using 3 different types of clients with the goal of getting the MS client to work. I am using the Juniper Odyssey client, the Cisco CSSC client and the MS built-in client. I mentioned EAP-MSChapV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2. I did not release logs from the Radius server because it seems to be centered on something on the switch changing VLANs, but if you want output I can give that.
CSSC Client pops out:
14:25:08.453 Network Connection requested from user context.
14:25:08.468 Connection authentication started using the logged in user's credentials.
14:25:08.468 Port state transition to AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
14:25:08.796 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
14:25:09.828 Port state transition to AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
14:25:09.843 Identity has been requested from the network.
14:25:09.875 Identity has been sent to the network.
14:25:09.890 Authentication started using method type EAP-PEAP, level 0
14:25:09.890 The server has requested using authentication type: EAP-PEAP
14:25:09.890 The client has requested using authentication type: EAP-PEAP
14:25:09.968 Profile does not require server validation.
14:25:10.031 Identity has been requested from the network.
14:25:10.031 Identity has been sent to the network.
14:25:10.046 Authentication started using method type EAP-MSCHAP-V2, level 1
14:25:10.046 The server has requested using authentication type: EAP-MSCHAP-V2
14:25:10.046 The client has requested using authentication type: EAP-MSCHAP-V2
14:25:10.078 Port state transition to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
14:25:10.078 The authentication process has succeeded.
*************************Radius Output for PEAP:**************************
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.9 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.8 seconds.
Waking up in 0.7 seconds.
Waking up in 3.7 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
**************************Radius Output for EAP******************************
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.7 seconds.
Waking up in 0.7 seconds.
Waking up in 0.1 seconds.
Waking up in 3.7 seconds.
Waking up in 0.1 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
Ready to process requests.
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
[ldap] performing user authorization for Radiususer
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user Radiususer authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
Waking up in 0.9 seconds.
Waking up in 3.9 seconds.
Ready to process requests.
Hope that Helps. -
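The debug output quoted above is what PEAP looks like on FreeRADIUS 2.x: the first authorization is for the outer identity ("anonymous", whose LDAP lookup fails), and the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id reply items only appear in the inner, tunnelled session for RadiusUser. The NAS only ever receives the outer Access-Accept, so those inner reply items do not reach the switch unless the server copies them out of the tunnel (on FreeRADIUS 2.x that is use_tunneled_reply = yes in the peap section of eap.conf); with plain EAP-MSCHAPv2 there is no tunnel and the same attributes go straight to the NAS. The script below is an added example, not from the post or from the FreeRADIUS project: it parses rlm_ldap 2.x debug lines in the format shown above (the sample input is constructed from the quoted lines) and reports which identity the VLAN attributes were returned for. The regular expressions match only that debug format.

```python
import re

# Constructed sample: one PEAP login copied from the debug output quoted above
# (outer identity "anonymous", inner identity "RadiusUser").
SAMPLE_DEBUG = """\
[ldap] performing user authorization for anonymous
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: object not found or got ambiguous search result
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
[ldap] performing user authorization for RadiusUser
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
[ldap] looking for check items in directory...
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
[ldap] looking for reply items in directory...
rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
[ldap] user RadiusUser authorized to use remote access
"""
# The same login without the outer (anonymous) session, i.e. what plain EAP-MSCHAPv2 logs.
SAMPLE_DEBUG_PLAIN = SAMPLE_DEBUG[SAMPLE_DEBUG.index("[ldap] performing user authorization for RadiusUser"):]

AUTHZ_RE = re.compile(r"^\[ldap\] performing user authorization for (\S+)$")
# rlm_ldap logs reply items with a single "=" and check items with "=="; only reply items matter here.
REPLY_RE = re.compile(r"^rlm_ldap: \S+ -> ([\w-]+)(?::\d+)? = (.+)$")
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id"}


def parse_sessions(text):
    """Group reply attributes and LDAP lookup outcome by the identity being authorized, in log order."""
    sessions, order, current = {}, [], None
    for line in text.splitlines():
        m = AUTHZ_RE.match(line)
        if m:
            current = m.group(1)
            if current not in sessions:
                sessions[current] = {"reply": {}, "search_failed": False}
                order.append(current)
            continue
        if current is None:
            continue
        if line == "[ldap] search failed":
            sessions[current]["search_failed"] = True
        m = REPLY_RE.match(line)
        if m:
            sessions[current]["reply"][m.group(1)] = m.group(2).strip('"')
    return [(ident, sessions[ident]) for ident in order]


def diagnose(text):
    """Report whether the VLAN reply attributes were returned for the identity the NAS actually sees.

    The first authorization in a request is the outer identity; with PEAP the NAS only receives the
    Access-Accept built for that identity, so attributes returned only for a later (inner) identity
    are lost unless the server copies the inner reply to the outer one.
    """
    sessions = parse_sessions(text)
    if not sessions:
        return {"outer": None, "inner": None, "vlan_reaches_nas": False, "problem": "no authorization seen"}
    outer, outer_info = sessions[0]
    inner = sessions[-1][0] if len(sessions) > 1 else None
    vlan_outer = VLAN_ATTRS <= set(outer_info["reply"])
    vlan_inner = any(VLAN_ATTRS <= set(info["reply"]) for _, info in sessions[1:])
    result = {"outer": outer, "inner": inner, "vlan_reaches_nas": vlan_outer, "problem": None}
    if not vlan_outer and vlan_inner:
        result["problem"] = (
            f"VLAN attributes were returned only for inner identity {inner}; outer identity {outer} "
            f"got none (LDAP search failed: {outer_info['search_failed']}), so the NAS receives no "
            f"Tunnel-* attributes unless the inner reply is copied to the outer reply"
        )
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_DEBUG))
    print(diagnose(SAMPLE_DEBUG_PLAIN))
```

Run against the PEAP sample the script flags the missing outer attributes; run against the plain sample (one identity, no tunnel) it reports that the VLAN attributes reach the NAS, which matches the behaviour the post describes for EAP-MSCHAPv2 versus PEAP-MSCHAPv2.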
PEAP works with Windows Zero Config but not with CSSC
I got PEAP to work using the Windows Zero Config, but I cannot get PEAP to work when using CSSC on the same laptop.
When using CSSC I get asked for the password and authentication fails. ACS is reporting that PEAP authentication failed due to an unknown CA certificate during the SSL handshake.
Any suggestions?
Seth
Look at this ....
Server Validation
–The Personal stores are not used for server validation.
–When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be installed in the Local Computer\Trusted Root store.
–Any Root CA certificate included in the configuration is ignored and the configuration is translated to validateChainWithAnyCaFromOs. The Root CA certificate must be installed by some other means.
–The certificate store is limited to Local Computer during machine authentication and user authentications when the connection is attempted before Windows logon.
http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1.1/administration/guide/C2_SetupSSC.html -
WPA PEAP not working under 10.4.8 and MacBook Pro C2D
After the Core 2 Duo upgrade I finally decided to buy a MacBook Pro to use at work.
Everything is working fine so far (love the MBP) except that at work we are using a Radius server to authenticate with PEAP under WPA for wireless.
I created the 802.1x connection and after giving it the network name and UID and pwd (the SSID is not broadcast) it sees the network and connects OK (after accepting the certificate), but I do not get an IP from DHCP.
I looked at the forum discussions and apparently this has been an issue before on certain Intel machines but was fixed in 10.4.6 or so; well, apparently it is broken again.
Called Apple Support but they did not know how to resolve it.
Anyone else having the problem?
If anyone is interested, the problem of instability resurfaced despite doing an archive and install to reinstall 10.4.8 and then going through the upgrade process from there to install the updates to bring it back to 10.4.10. Even after that the instability got to the stage that I only had to sneeze and it would crash.
Ultimately I resorted to backing up all my data onto a 120GB USB HD, erased the hard drive and started from the beginning again with the discs that came with the MBP. As you can imagine that was a long process and took me from about 4pm in the afternoon to 1am in the morning. My eyes were hanging out of my head after that effort.
So far I have not had any further problems.
I really don't know now to what extent that Safari 3 Beta was the cause of all my instability problems but the crash logs seemed to point to it. Some people are reporting no problems with Safari 3 whatsoever so that begs the question if there was a conflict with some 3rd party application I was running or something got corrupted that could not be repaired for whatever the reason.
After the rebuild I was thinking that re-establishing my iPhoto and iTunes library would be a slow nightmarish process by having to import each photo group or each iTunes album one at a time. I chose to gamble on copying the entire directory for iPhoto and the entire directory for iTunes across from my USB HD. Well I needn't have worried because it worked perfectly. I also had copied out some user/library/.... folders and gambled on copying them back after rebuild in the hope of restoring various setups etc and that worked too. Things like Application Support files, Mail files, selected Preferences, Safari bookmarks and history and Widgets. That sort of approach worked on my well used Windows XP box so thought it would work on the MBP. Worst case is that I would have had to start all over again if I messed it up. -
Can't create a WPA2-Enterprise wireless connection; missing Microsoft: PEAP
OS: Windows 7 64-bit Enterprise
Hardware: Lenovo T410S w/Intel 5300 ABGN Wireless
If I try to build the wireless connection manually and choose WPA2-Enterprise, then click next, I get 'An unexpected error occurred.' and no options to configure; just close.
I then tried to create a Preshared Key WPA2 connection. This worked fine. When I go to edit the connection, I have the ability to select the WPA2-Enterprise options; however, in the list of Network Authentication methods (under the Security tab), I don't have the Microsoft: PEAP or Smart Card options. I only have Cisco: LEAP, PEAP, EAP-FAST and Intel: EAP-SIM, EAP-TTLS, EAP-AKA (6 entries).
It's my theory that because the Microsoft options are missing, the wizard gets the unexpected error. I'm wondering how I get the MS ones back.
Hi,
Thanks for posting in Microsoft TechNet forums.
Do you have Symantec installed? It is said the issue could be due to a conflict with Symantec Endpoint Protection. Please uninstall/reinstall Symantec if it is there.
Best Regards
Magon Liu
TechNet Subscriber Support
ISE 1.2 - MAR cache with PEAP vs EAP Chaining
Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless? It's not still tied to the windows log in event as with PEAP?
I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/
Yes, if you set up NAM for EAP-Chaining (Machine and User) and then select EAP-TLS w/cert, NAM will send both when a user logs in. When the machine is booting only the machine identity will be sent (because we don't know the user's identity before they have attempted to log in).
-
ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"
We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
Personas: Administration
Role: PRIMARY(A)
System Time: Apr 24 2014 08:26:58 AM America/New_York
FIPS Mode: Disabled
Version: 1.2.0.899
Patch Information: 7,1,3
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
12300 Prepared EAP-Request proposing PEAP with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - *****
24431 Authenticating machine against Active Directory
24470 Machine authentication against Active Directory is successful
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
15036 Evaluating Authorization Policy
24433 Looking up machine in Active Directory - host/*****
24435 Machine Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
salodh,
Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly.
12500 Prepared EAP-Request proposing EAP-TLS with challenge
12625 Valid EAP-Key-Name attribute received
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12301 Extracted EAP-Response/NAK requesting to use PEAP instead
If the NAK did not request PEAP, it would continue on to the following Authorization Policy (and succeed):
Name
Wired-******-PC
Conditions
Radius:Service-Type EQUALS Framed
AND
Radius:NAS-Port-Type EQUALS Ethernet
AND
*******:ExternalGroups EQUALS **********/Users/Domain Computers
AND
Network Access:EapAuthentication EQUALS EAP-TLS
Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
Thanks again, sir.
Andrew -
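Steps 12500, 12301 and 12300 in the ISE detail above are the EAP method negotiation itself: the server proposes EAP-TLS, the supplicant answers with a Nak naming PEAP (EAP type 25), and because PEAP is among the methods the server is willing to run it simply proposes PEAP next. Authentication then passes and only the authorization rule (which requires Network Access:EapAuthentication EQUALS EAP-TLS) rejects the session with DenyAccess. Had PEAP not been among the server's allowed methods, the same Nak would have ended in EAP-Failure before any TLS exchange. The code below is an added example, not from the thread or from Cisco, of that negotiation as RFC 3748 defines it, with both sides' packets; the allowed list stands in for whatever the server's allowed-protocols setting is, and the method conversation that follows a successful negotiation (the TLS handshake) is not modelled.

```python
import struct

# EAP codes and the method type numbers used on this page (RFC 3748; EAP-TLS = 13, PEAP = 25).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_PEAP = 1, 3, 13, 25
NAMES = {TYPE_TLS: "EAP-TLS", TYPE_PEAP: "PEAP", TYPE_NAK: "Nak"}
START_FLAG = b"\x20"  # S bit of the EAP-TLS/PEAP flags byte: "start" request (PEAP version 0 in low bits)


def encode(code, ident, eap_type=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def decode(pkt):
    """Return (code, identifier, type, type_data); Success and Failure carry no Type field."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE) or length == 4:
        return code, ident, None, b""
    return code, ident, pkt[4], pkt[5:]


class Authenticator:
    """Server side: proposes methods from its allowed list and honours a Nak only for an allowed one."""

    def __init__(self, allowed):
        self.allowed = list(allowed)
        self.ident, self.proposed, self.negotiated, self.log = 0, None, None, []

    def _propose(self, eap_type):
        self.ident = (self.ident + 1) & 0xFF
        self.proposed = eap_type
        self.log.append("Prepared EAP-Request proposing %s" % NAMES[eap_type])
        return encode(EAP_REQUEST, self.ident, eap_type, START_FLAG)

    def start(self):
        return self._propose(self.allowed[0])

    def handle(self, pkt):
        code, ident, eap_type, data = decode(pkt)
        if code != EAP_RESPONSE or ident != self.ident:
            self.log.append("Unexpected packet; EAP-Failure")
            return encode(EAP_FAILURE, ident)
        if eap_type == TYPE_NAK:
            # Type-Data of a legacy Nak lists the method types the peer would accept instead.
            requested = list(data)
            self.log.append("Extracted EAP-Response/NAK requesting %s"
                            % ", ".join(NAMES.get(t, str(t)) for t in requested))
            wanted = [t for t in requested if t in self.allowed]
            if not wanted:
                self.log.append("Requested method not in allowed protocols; EAP-Failure")
                return encode(EAP_FAILURE, self.ident)
            return self._propose(wanted[0])
        if eap_type == self.proposed:
            self.negotiated = eap_type
            self.log.append("Accepting %s as negotiated" % NAMES[eap_type])
            return None  # the method conversation (TLS handshake etc.) would continue from here
        self.log.append("Unexpected method %r; EAP-Failure" % eap_type)
        return encode(EAP_FAILURE, self.ident)


class Supplicant:
    """Client side: accepts only its configured method and Naks anything else (Windows-style)."""

    def __init__(self, configured):
        self.configured = configured

    def respond(self, req):
        code, ident, eap_type, _ = decode(req)
        if code != EAP_REQUEST:
            return None
        if eap_type == self.configured:
            return encode(EAP_RESPONSE, ident, eap_type, b"\x00")  # real first fragment would follow
        return encode(EAP_RESPONSE, ident, TYPE_NAK, bytes([self.configured]))


def negotiate(allowed, client_method, max_rounds=4):
    """Run the method negotiation; return (negotiated type or None, server-side log)."""
    auth, supp = Authenticator(allowed), Supplicant(client_method)
    pkt = auth.start()
    for _ in range(max_rounds):
        resp = supp.respond(pkt)
        if resp is None:
            break
        pkt = auth.handle(resp)
        if pkt is None or decode(pkt)[0] == EAP_FAILURE:
            break
    return auth.negotiated, auth.log


if __name__ == "__main__":
    print(negotiate([TYPE_TLS, TYPE_PEAP], TYPE_PEAP))  # what the ISE log above shows
    print(negotiate([TYPE_TLS], TYPE_PEAP))             # PEAP not allowed: fails at negotiation
```

With both methods allowed the negotiation ends in PEAP exactly as the log shows; with only EAP-TLS allowed the Nak produces an EAP-Failure, which is the difference between "authentication passed, authorization rejected" and "authentication never ran". Which method the Windows supplicant asks for is a property of the wired/wireless profile on the client, so the randomness the poster describes is not visible from the server side of this exchange.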
Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert
I am setting up a topology where for the first time I am deploying ISE with a wildcard certificate. This is on ISE 1.2 patch 6, WLCs running 7.6 and Windows 7 clients in AD. The ISE policy is just to match on machine auth.
The setting up of the wildcard cert went OK as guided by the CCO ISE 1.2 deployment/config guide.
When it came to testing the client auth, as always I start off with the PEAP setting of Validate server certificate off, just to confirm the WLC and ISE are playing ball. They were; the auth passed.
I then tick Validate server certificate and make sure the CA (Windows AD) is in the Trusted Root Certification Authorities. Retest and the client passes.
If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authentication fails, but nothing has changed. ISE reports that my Windows client rejected the server certificate, which is odd as it just accepted it.
If I untick validate the client passes; if I tick it again it will authenticate fine, once. The next connection it will fail again with the client rejecting ISE.
Anyone got any ideas?
I have had a similar issue consistently with 1.2 on both patch 5 and 6 (not sure about earlier ones). Basically what I am seeing is the client rejecting the server cert when validate is unticked. Most of the time the client connects just fine a few seconds later, but some clients need a reboot to fix it. As a rule I put this down to a client issue, but I am not 100% sure sometimes.
-
802.1x EAP-PEAP over Ethernet need help !!!
I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours troubleshooting this, I am not sure what else to do. Need help. Here is the scenario:
- Cisco Catalyst 3550 switch running IOS version c3550-ipservicesk9-mz.122-44.SE6.bin,
- Steel-Belted/Juniper Radius Server version 6.1.6 on a Windows 2003 server with IP address 129.174.2.7. This device is connected to the same switch above. Firewall is OFF on the server, allow ALL,
- Windows 2003 Enterprise Server supplicant with the latest service pack and patches. Again, firewall is OFF on the server, allow ALL. Juniper has verified the configuration settings on the supplicant machine. The supplicant has a static IP address of 129.174.2.15, same subnet as the radius server. I just want to enable EAP-PEAP so that the user is forced to authenticate before the port is activated to be "hot".
- Juniper TAC has verified the configuration on the Steel-Belted radius for EAP-PEAP and that everything is looking fine.
I have verified that the switch can communicate fine with the radius server.
- Configuration on the switch for 802.1x:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
interface FastEthernet0/39
description windows 2003 Supplicant
switchport access vlan 401
switchport mode access
dot1x port-control auto
no spanning-tree portfast (does not matter if this is enabled or disabled)
lab-sw-1#
.May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
.May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
.May 20 07:52:47.338: EAPOL pak dump Tx
.May 20 07:52:47.338: EAPOL Version: 0x2 type: 0x0 length: 0x0005
.May 20 07:52:47.338: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
.May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
lab-sw-1#
lab-sw-1#sh dot1x interface f0/39
Dot1x Info for FastEthernet0/39
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
lab-sw-1#
I am at a complete loss here. I don't know what else to do. Someone with expertise in this realm please help me make this work.
Many thanks in advance,
#1: dot1x system-auth-control is already in the switch configuration
#2: Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
The case is being worked on by Cisco TAC. One of the issues is the windows 2003 server supplicant refuses to work. Windows XP supplicant uses machine-authentication instead of user-authentication. Cisco TAC is looking into this issue. -
5760 WLC & ISE 1.2 PEAP Issues
I have the following setup:
WLC 5508 (7.4.100)
WLC 5760 (03.03.02) (I'm replacing the 5508 with the 5760)
ISE 1.2
I'm currently running 802.1x PEAP with external AD authentication on the 5508 and everything is working 100%.
As soon as I switch the users over to the 5760 I get the following errors on the ISE:
Event
5440 Endpoint abandoned EAP session and started new
Failure Reason
5440 Endpoint abandoned EAP session and started new
Resolution
Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
Root cause
Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
I took the config of a working 5760, so why would this one give the above errors?
Jaco
Hello!
Turn on debugs on your 5760 to track authentication activities. Most probably you'll spot the issue from them. If not - post them here, so we'll have a look as well.
Thanks, Irina -
Has anyone included an AUP Page as part of a PEAP Auth process on ISE?
I was wondering if somebody has ever tried to include an AUP in a PEAP wireless connection using ISE. I am still doing tests and trying to make it work. Any general ideas are welcome.
Thanks
Hi Jan,
Thanks for answering. In fact, I could see the AUP displayed after the AUTH succeeded on IPAD 2/4 (I have not tested the rest of the devices I have - Samsung tab/Blackberry/Iphone/Win7).
I created an AUTHZ policy which pointed to an AUTHZ Profile after the successful AUTH. It is something like you mentioned, doing CWA after dot1x validation but only applies for user identity. I am still trying to make it work the part on which I accept the AUP and click OK because it is redirecting me to the default ISE Guest Portal and falling in a loop (similar to the one mentioned on the CWA configuration).
Any other ideas are welcome.
Hi!
Does anyone know if the WRT320N router or any other Linksys router (wireless or wired) supports 802.1X authentication, particularly PEAP EAP-MSCHAPv2? I'm connected to a network that provides access to the internet via Ethernet cable and 802.1X authentication. I'd now like to connect several devices to the network through a router, but I'm not sure if the WRT320N can log on to the network because of the 802.1X authentication.
Thanks!
No. They don't support 802.1X authentication (neither supplicant nor authenticator). The WRT and all Linksys branded routers are consumer routers. 802.1X authentication is a business feature which you may find in Cisco Small Business or better devices.
-
PEAP MSCHAP restriction to block connections from iPhone
Good day my name is Ivan
I have a problem about my wireless network.
I have a Cisco WLC 5508 in which I have configured two SSID's. An SSID is working on my corporate network users, which uses 802.1X PEAP MSCHAP v2 session to authenticate user and computer in the wireless network.
Computers are validated as part of the domain objects
Everything works great, but when I use a mobile device like an iPhone, iPad, or similar, the iPhone asks me to enter the domain user account (username and password) and then asks me to accept the ACS v5.4 (security server) certificate. I click to accept the certificate and am admitted to the corporate wireless network.
That is a security hole, since from an iPhone any person who knows the credentials of a corporate user may enter the corporate network through that SSID.
What can I do in ACS v5.4 so that the iPhone does not automatically accept the user certificate? Is there any restriction or configuration to support PEAP MSCHAPv2 in Cisco ACS?
My ACS v5.4 is integrated to Active Directory with Machine authentication.
My other solution is to use EAP-TLS. But I would like to exhaust all PEAP MSCHAPv2 options first.
I understand that PEAP validates the user certificate only, not the machine.
Can you help with some advice?
Thank you.
Hi Scott, thanks for your answer.
Are there any special settings in the policies? I have already configured two policies, one for authentication and authorization of users and one for computers.
I have enabled MAR (Machine Access Restriction)
Maybe I need to add some policy or policy attribute.
Maybe some special condition, such as:
Compound condition: Service-Type matches Framed, NAS-Port-Type IEEE 802.1X wireless?
Thank you. -
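The thread above turns on Machine Access Restriction (MAR): a device that only presents valid user credentials (the iPhone case) should not be admitted unless the same client MAC has recently completed a successful machine authentication. The following is an added example, not Cisco ACS code and not something posted in the thread; it models that decision in Python. The identity prefix `host/` for Windows computer authentication and the use of the RADIUS Calling-Station-Id as the device key are standard, while the 8-hour aging window, the MAC addresses, the domain `corp.example` and the credential outcomes are constructed for the sample.

```python
"""Simplified model of Machine Access Restriction (MAR) for PEAP-MSCHAPv2.

Constructed example, not Cisco ACS code. It shows why a device that
presents only valid *user* credentials (a phone with a copied domain
password) is rejected when the policy also requires a recent, successful
*machine* authentication from the same client MAC (Calling-Station-Id).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class AuthRequest:
    """One PEAP inner-method (MSCHAPv2) result as seen by the policy engine."""
    timestamp: datetime
    calling_station_id: str  # client MAC reported by the WLC (RADIUS Calling-Station-Id)
    identity: str            # "host/<name>" for machine auth, "DOMAIN\\user" for user auth
    credentials_ok: bool     # outcome of the MSCHAPv2 check against AD (constructed here)


@dataclass
class MarPolicy:
    """Accept a user auth only if the same MAC completed machine auth recently."""
    aging_time: timedelta = timedelta(hours=8)  # assumed MAR aging window
    machine_auth_cache: Dict[str, datetime] = field(default_factory=dict)

    @staticmethod
    def is_machine_identity(identity: str) -> bool:
        # Windows supplicants send "host/<computer>.<domain>" for computer auth.
        return identity.lower().startswith("host/")

    def evaluate(self, req: AuthRequest) -> str:
        mac = req.calling_station_id.lower()
        if not req.credentials_ok:
            return "REJECT:bad-credentials"
        if self.is_machine_identity(req.identity):
            # Remember the successful machine auth against the client MAC.
            self.machine_auth_cache[mac] = req.timestamp
            return "ACCEPT:machine"
        last = self.machine_auth_cache.get(mac)
        if last is None:
            # Valid user password, but this device never authenticated as a machine.
            return "REJECT:no-machine-auth"
        if req.timestamp - last > self.aging_time:
            return "REJECT:machine-auth-expired"
        return "ACCEPT:user"


def run_sample() -> List[str]:
    """Constructed sequence: a domain laptop, then a phone using the same user's password."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    laptop = "00:11:22:33:44:55"  # constructed MAC of a domain-joined laptop
    phone = "aa:bb:cc:dd:ee:ff"   # constructed MAC of a personal phone
    requests = [
        AuthRequest(t0, laptop, "host/LAPTOP01.corp.example", True),                       # boot-time machine auth
        AuthRequest(t0 + timedelta(minutes=2), laptop, "CORP\\ivan", True),                # user logs in on the laptop
        AuthRequest(t0 + timedelta(minutes=5), phone, "CORP\\ivan", True),                 # same password, no machine auth
        AuthRequest(t0 + timedelta(minutes=6), phone, "host/LAPTOP01.corp.example", False),  # phone has no machine account
        AuthRequest(t0 + timedelta(hours=9), laptop, "CORP\\ivan", True),                  # laptop after the aging window
    ]
    policy = MarPolicy()
    return [policy.evaluate(r) for r in requests]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

The third request is the case from the thread: the password is correct, so MSCHAPv2 alone would accept it, and only the missing machine-authentication record for that MAC turns it into a reject. The last request shows the usual MAR caveat: a laptop whose machine authentication has aged out is also rejected until it re-authenticates as a machine, which is why the aging time needs to match how the fleet actually reboots and roams.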
Cannot connect to WLAN, EAP-PEAP authentication fails...
Hi all
I have a Nokia N97 which I tried to connect to my work WLAN, but I get "EAP-PEAP authentication failed". We do use a certificate, which I have installed on the phone, but it does not connect. It does not even prompt for a user name or password. I can connect to my home wireless, which just asks for a security key that I enter, and it works. Please please help.
Please help.
I got it working, please read my how-to:
/t5/Connectivity/How-to-connect-to-wlan-with-n97-using-ca-certificate/td-p/659372 -
How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...
I am trying to connect to the company network, but it always shows "PEAP authentication failed".
There are only instructions for iPhone and PC.
security : WPA2-Enterprise
authority certificate : None
Security Type : PEAP
Inner Link Security : EAP-MSCHAPv2
additionally MAC address filtering.
The access point I set is as follows:
network status: public
wLAN network mode: infrastructure
security: WPA/WPA2
WPA2 only mode: off
EAP plug-in setting: EAP-PEAP enable only
personal certificate: not defined
authority certificate: not defined
user name: user-defined BLANK
realm in use: user-defined BLANK
allow PEAPv0
MSCHAPv2
user name: username
password: mypassword
We have domain, but there are no command about domain in iPhone guide.
Is there anything wrong with my settings?
WPA2-Enterprise is not supported on your device.
N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009 -
Enterprise Wireless using WPA, TKIP, PEAP
I received my wireless protocols from my work. However, it doesn't look like iPhone will be able to connect. Here are the instructions for connecting a Windows computer to the network. Is there a way to configure the iPhone to do the same?
1. Manually Add Network
2. Choose WPA network authentication
3. Choose TKIP data encryption
4. Choose PEAP, EAP type
5. Do not automatically log in
6. Have a login page come up with user name, password and domain options available.
Thanks.
Can't be done at this time... the iPhone will not connect to a domain.
My work just set up an access point that gives free wifi internet access only. No network resources are available, only internet access. Maybe that is an option for your work as well.