Question Re IAS/RADIUS 802.1x Authentiction on SG300 Switches

Good Morning All,
We have just aquired one of these new SG300 series switches which gives us the ability to play around with 802.1x authentication.
We have everything configured correctly for any clients which have 802.1x (eg PC's, IP Phones)
Our problem comes to non 802.1x compliant devices, in this case a printer.  The documentation says the switch should detect there is no 802.1x client, and pass the authentication as itself, with the username.  It does this, but we get a weird error on our ISA server...  Its weird, I am puzzled.  We have some other vendor switches which perform this without causing the below issue, so am I missing something easy?
Help greatly appreciated.
===
User 0014389c24f0 was denied access.
Fully-Qualified-User-Name = nuffieldhospitals.org.uk/Test OU - IT Infrastructure/MAC Address Testing/0014389c24f0
NAS-IP-Address = 10.101.180.250
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-14-38-9C-24-F0
Client-Friendly-Name = FWCORPAMEXHouse
Client-IP-Address = 10.101.180.250
NAS-Port-Type = Ethernet
NAS-Port = 55
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = CISCO_FWCORP_PCMACS
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
===
Any help greatly appreciated.
Thanks
AJ

Hi,
Can you do the following:
Go to IAS > Remote Access Policies > Double click on the policy CISCO_FWCORP_PCMACS .
Click Edit Profile.
On the Authentication tab, click EAP Methods.
In Select EAP providers, click Add.  Select the authentication methods that you want to use, and then click OK.
In Select EAP providers, click the EAP type that you  want to configure, and then click Edit. Depending on  the EAP type selected, one of the following dialog boxes is displayed:
If Protected EAP (PEAP) is selected, the Protected  EAP Properties dialog box opens. In Certificate Issued,  select the certificate that the server uses to identify itself to  client computers. To enable PEAP fast reconnect for 802.11 wireless  client computers, click Enable Fast Reconnect.  Secure  password user authentication with EAP-MSCHAPv2 is the default in EAP  Types. To configure EAP-MSCHAPv2 properties, click Edit.  To configure certificate or smart card user authentication click Add.  In Authentication methods, click Smart Card or  other certificate, and then click OK.
If Smart Card or other Certificate Properties is  selected, the Smart Card or other Certificate Properties dialog box opens. In Certificate issued to, select the  certificate that the server uses to authenticate to client computers.
In Select EAP providers, click Move Up or Move Down to specify the negotiation order of EAP  methods. The server starts negotiation with the client according to the  order specified in EAP types.
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Similar Messages

  • SSL VPN IP Address Assignment from IAS radius server

    Can I use SSL VPN IP Address Assignment from IAS radius server?it can be done with acs server.are there some differ from the acs and IAS?

    Hi,
    I will suggest to setup a sniffer capture with ACS and look for the attribute that ACS sends for IP Address Assignment, once you know the attribute apply it on the IAS.
    If you have any question do not hesitate to contact me.

  • EAP-TLS on WLC 5508 agains IAS RADIUS

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Hi, anyone experienced issue like this?
    I am installing a WLC 5508 using EAP-TLS authentication with an IAS Radius server.
    I got “Access-Accept” debug message received from RADIUS server.
    However the wireless client failed to connect.
    Below is partially the debug message from the WLC
    Any feedbacks are welcome
    *Oct 07 15:08:24.403:     Callback.....................................0x10c527d0
    *Oct 07 15:08:24.403:     protocolType.................................0x00140001
    *Oct 07 15:08:24.403:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.403:     Packet contains 12 AVPs (not shown)
    *Oct 07 15:08:24.403: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *Oct 07 15:08:24.404: 00:19:7d:72:b4:3b Successful transmission of Authentication Packet (id 101) to 10.86.8.105:1812, proxy state 00:19:7d:72:b4:3b-00:00
    *Oct 07 15:08:24.404: 00000000: 01 65 00 d2 d0 bc 95 1b  f7 c9 71 dd 32 cb b7 0a  .e........q.2...
    *Oct 07 15:08:24.404: 00000010: 52 eb 0c 3e 01 22 68 6f  73 74 2f 49 44 31 30 2d  R..>."host/ID10-
    *Oct 07 15:08:24.404: 00000020: 30 41 46 4a 30 33 31 2e  65 75 63 2e 6e 65 73 74  0AFJ031.euc.test
    *Oct 07 15:08:24.404: 00000030: 6c 65 2e 63 6f 6d 1f 13  30 30 2d 31 39 2d 37 64  01.com..00-19-7d
    *Oct 07 15:08:24.404: 00000040: 2d 37 32 2d 62 34 2d 33  62 1e 1a 30 30 2d 33 61  -72-b4-3b..00-3a
    *Oct 07 15:08:24.404: 00000050: 2d 39 38 2d 39 35 2d 34  36 2d 35 30 3a 57 57 53  -98-95-46-50:TES
    *Oct 07 15:08:24.404: 00000060: 33 30 30 05 06 00 00 00  01 04 06 0a 56 0c d2 20  300.........V...
    *Oct 07 15:08:24.404: 00000070: 0c 49 44 48 4f 4a 58 43  30 30 31 1a 0c 00 00 37  .IDHOJXC001....7
    *Oct 07 15:08:24.404: 00000080: 63 01 06 00 00 00 01 06  06 00 00 00 02 0c 06 00  c...............
    *Oct 07 15:08:24.404: 00000090: 00 05 14 3d 06 00 00 00  13 4f 27 02 03 00 25 01  ...=.....O'...%.
    *Oct 07 15:08:24.404: 000000a0: 68 6f 73 74 2f 49 44 31  30 2d 30 41 46 4a 30 33  host/ID10-0AFJ03
    *Oct 07 15:08:24.404: 000000b0: 31 2e 65 75 63 2e 6e 65  73 74 6c 65 2e 63 6f 6d  1.euc.nestle.com
    *Oct 07 15:08:24.404: 000000c0: 50 12 80 be 54 a7 26 52  8e 63 0f 2f 87 a5 78 53  P...T.&R.c./..xS
    *Oct 07 15:08:24.404: 000000d0: 68 6e                                             hn
    *Oct 07 15:08:24.405: 00000000: 02 65 00 34 3e c1 67 35  f7 be 57 75 43 ce 19 ca  .e.4>.g5..WuC...
    *Oct 07 15:08:24.405: 00000010: 83 5d 83 95 19 20 31 b1  03 a2 00 00 01 37 00 01  .]....1......7..
    *Oct 07 15:08:24.405: 00000020: 0a 56 08 69 01 cb 63 8b  13 1e 16 37 00 00 00 00  .V.i..c....7....
    *Oct 07 15:08:24.405: 00000030: 00 00 00 5f                                       ..._
    *Oct 07 15:08:24.405: ****Enter processIncomingMessages: response code=2
    *Oct 07 15:08:24.405: ****Enter processRadiusResponse: response code=2
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Access-Accept received from RADIUS server 10.86.8.105 for mobile 00:19:7d:72:b4:3b receiveId = 9
    *Oct 07 15:08:24.405: AuthorizationResponse: 0x1524b3d8
    *Oct 07 15:08:24.405:     structureSize................................78
    *Oct 07 15:08:24.405:     resultCode...................................0
    *Oct 07 15:08:24.405:     protocolUsed.................................0x00000001
    *Oct 07 15:08:24.405:     proxyState...................................00:19:7D:72:B4:3B-09:00
    *Oct 07 15:08:24.405:     Packet contains 1 AVPs:
    *Oct 07 15:08:24.405:         AVP[01] Class....................................DATA (30 bytes)
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Applying new AAA override for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Inserting new RADIUS override into chain for station 00:19:7d:72:b4:3b
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Override values for station 00:19:7d:72:b4:3b
        source: 4, valid bits: 0x0
        qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
        dataAvgC: -1, rTAvgC
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 00 00 04 03 ff 00 04                           ........
    *Oct 07 15:08:24.405: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:24.405: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:24.405: 00000010: 00 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:24.405: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:24.405: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:24.405: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:25.316: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:25.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:25.317: 00000010: 01 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:25.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:25.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:25.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:26.317: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:26.317: 00000000: 01 03 00 5f fe 00 89 00  20 00 00 00 00 00 00 00  ..._............
    *Oct 07 15:08:26.317: 00000010: 02 3e 5d 2a e3 2a c2 22  71 0b 06 e8 42 6c 3c bf  .>]*.*."q...Bl<.
    *Oct 07 15:08:26.317: 00000020: 45 1e 5c e7 a1 68 ae 0c  c0 9f 22 ce 0c 3e 96 45  E.\..h...."..>.E
    *Oct 07 15:08:26.317: 00000030: ee 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000040: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *Oct 07 15:08:26.317: 00000060: 00 00 00                                          ...
    *Oct 07 15:08:27.753: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.753: 00000000: 01 00 00 30 01 01 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.753: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.753: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.753: 00000030: 69 64 3d 31                                            id=1
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 5) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.760: 00000000: 01 01 00 00 00                                    .....
    *Oct 07 15:08:27.760: 00:19:7d:72:b4:3b Sending 802.11 EAPOL message  to mobile 00:19:7d:72:b4:3b WLAN 1, AP WLAN 1
    *Oct 07 15:08:27.760: 00000000: 01 00 00 30 01 02 00 30  01 00 6e 65 74 77 6f 72  ...0...0..networ
    *Oct 07 15:08:27.760: 00000010: 6b 69 64 3d 57 57 53 33  30 30 2c 6e 61 73 69 64  kid=TES300,nasid
    *Oct 07 15:08:27.760: 00000020: 3d 49 44 48 4f 4a 58 43  30 30 31 2c 70 6f 72 74  =IDHOJXC001,port
    *Oct 07 15:08:27.760: 00000030: 69 64 3d 31                                       id=1
    *Oct 07 15:08:27.762: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.762: 00000000: 01 00 00 25 02 01 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.762: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.762: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.764: 00:19:7d:72:b4:3b Received 802.11 EAPOL message (len 41) from mobile 00:19:7d:72:b4:3b
    *Oct 07 15:08:27.764: 00000000: 01 00 00 25 02 02 00 25  01 68 6f 73 74 2f 49 44  ...%...%.host/ID
    *Oct 07 15:08:27.764: 00000010: 31 30 2d 30 41 46 4a 30  33 31 2e 65 75 63 2e 6e  10-0AFJ031.euc.t
    *Oct 07 15:08:27.764: 00000020: 65 73 74 6c 65 2e 63 6f  6d                       est01.com
    *Oct 07 15:08:27.765: AuthenticationRequest: 0x1ad0b36c

    Thanks for your reply jedubois
    Really appreciate it.
    I have tried to change the value for EAPOL-Key Timeout, still the client won't connect.
    Below are the outputs for the eap advanced config
    (Cisco Controller) >show advanced eap
    EAP-Identity-Request Timeout (seconds)........... 30
    EAP-Identity-Request Max Retries................. 2
    EAP Key-Index for Dynamic WEP.................... 0
    EAP Max-Login Ignore Identity Response........... enable
    EAP-Request Timeout (seconds).................... 30
    EAP-Request Max Retries.......................... 2
    EAPOL-Key Timeout (milliseconds)................. 5000
    EAPOL-Key Max Retries............................ 2
    (Cisco Controller) >
    Any other suggestion?

  • Managing Prime Infrastructure 1.2 with MS IAS Radius

    HI,
    I have configured the PI 1.2il MS IAS radius server to authenticate machine with the management domain credentials.
    When I needed to migrate the atuthenticatione from local to radius mode and I went to AAA and I select "with Radius server."
    On the MS IAS I imported the tasks for users with role lobby ambassador and when I turned on the authentication mode in PI 1.2 with AAA Radius Server, the user was able to authenticate properly.
    When I imported Admin or Root tasks on the server could not let the user management interface in Prime.
    there is a documentation update?
    Regards
    Andrea

    I wrote about this some time ago.  Its based on NPS but you should be able to tweak it for IAS as well.
    http://technologyordie.com/windows-nps-radius-authentication-of-cisco-prime-infrastructure
    - Be sure to rate all helpful posts

  • Cannot get SG300 switch to send RADIUS messages for 802.1x

    I  want to eventually configure the SG300 to authenticate wired clients with 802.1x and Microsoft NPS (RADIUS). I am currently testing this setup using a single port (Port 7) on my SG300, a test machine, and an AD based Network Policy Server.
    The problem I have is that when I change the Administrative Port Control for Port 7 to Force Authorized, I see this log entry:
    Informational %SEC-I-PORTAUTHORIZED: Port gi7 is Authorized
    And then when I change the port control to Auto the port immediately changes to Unauthorized and I see this log entry:
    Warning %SEC-W-PORTUNAUTHORIZED: Port gi7 is unAuthorized
    However I never see any RADIUS messages being sent from the SG300 to my RADIUS server or from the SG300 to the test machine plugged into port 7. I am using WireShark on my RADIUS server to watch for messages from the SG300 IP Address and I'm using WireShark on a second test machine that is configured to monitor the NIC card in the test machine plugged into port 7 (I'm using Hyper-V and its facilities for this NIC monitoring setup.)
    Here is my configuration:
    Switch - 10.1.1.3
    RADIUS (Microsoft NPS)- 10.1.1.15
    Switch Usage Type - All (Login and 802.1x)
    Port 7 configuration:
    VLAN Mode is General
    Host Authentication is Single Host Authentication
    Administrative Port Control is Auto
    RADIUS VLAN Assignment is Disabled
    Guest VLAN is Enabled
    802.1x Based Authentication is Enabled
    Additional Configurations under Security - 802.1x/MAC/Web Authentication:
    Port Based Authentication is Enabled
    Authentication Method is RADIUS
    Guest VLAN is Enabled
    Guest VLAN ID is 2
    All of my VLANs are enabled for Authentication
    I've got to be missing something but I do not know what that something is.
    One last note:
    The SG300 uses the same RADIUS server for management console access and it works without problem. When I log into the switch, WireShark shows the RADIUS messages from the switch to the RADIUS server and back. So I know RADIUS is configured correctly on the switch.

    Hi,
    This is my working configuration where port gi3 has DVA configured as well. You might skip port gi3 but please compare to your config:
    interface  gi3
    dot1x host-mode multi-sessions
    exit
    vlan database
    vlan 30,100
    exit
    interface vlan 100
    dot1x guest-vlan
    exit
    dot1x system-auth-control
    interface range gi1,gi3
    dot1x reauthentication
    exit
    interface range gi1,gi3
    dot1x mac-authentication mac-only
    exit
    interface  gi3
    dot1x radius-attributes vlan
    exit
    interface range gi1,gi3
    dot1x guest-vlan enable
    exit
    interface gigabitethernet1
    dot1x port-control auto
    exit
    interface gigabitethernet3
    dot1x port-control auto
    exit
    radius-server host 192.168.1.122 priority 1
    radius-server key testing123
    aaa authentication dot1x default radius
    switch3ba5e1#
    Regards,
    Aleksandra

  • Radius 802.1x LAB TEST

    Hi guys, i planning to do Radius 802.1x LAB TEST. I got a 2950c switch, what are the application i needed ?? any freeware or shareware recommended to do radius authentication ??
    Can some1 share me a configuration guide or any reference for this test... Thanks a lot.......

    Hi
    In the course of eduroam (just some universities worldwide using dot1x - http://www.eduroam.org/) we like http://www.securew2.com/uk/index.htm for windows-pc's
    As Opensource we like: http://hostap.epitest.fi/wpa_supplicant/

  • Cannot ping IAS RADIUS from WLC 2504

    I'm having some weird issues where I cannot ping from the WLC to the IAS RADIUS server.  All of my clients cannot connect, but from the switch, router, RADIUS server, and hard wired clients, I can ping to the WLC and RADIUS server.  The only thing that cannot ping the RADIUS server is the WLC itself.  Nothing in the FW is blocking connectivity.  Any ideas?
    (Cisco Controller) >show radius summ
    Vendor Id Backward Compatibility................. Disabled
    Call Station Id Case............................. lower
    Call Station Id Type............................. IP Address
    Aggressive Failover.............................. Disabled
    Keywrap.......................................... Disabled
    Fallback Test:
        Test Mode.................................... Off
        Probe User Name.............................. cisco-probe
        Interval (in seconds)........................ 300
    MAC Delimiter for Authentication Messages........ none
    MAC Delimiter for Accounting Messages............ hyphen
    Authentication Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1    NM    10.10.50.63       1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    2    NM    10.10.50.130      1645    Enabled   5     Enabled   Disabled - none/unknown/group-0/0 none/none
    Accounting Servers
    Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
    1      N     10.10.50.63       1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none
    2      N     10.10.50.130      1646    Enabled   5     N/A       Disabled - none/unknown/group-0/0 none/none

    It's in the arp cache through the default router
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... d0:c2:82:df:5b:c0
    IP Address....................................... 10.30.72.250
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.30.72.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. untagged
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 10.10.10.65
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Disabled
    (Cisco Controller) >show arp switch
    Number of arp entries................................ 19
        MAC Address        IP Address     Port   VLAN   Type
    50:57:A8:D6:DE:C0   10.10.19.1       1      5      Host
    50:57:A8:D6:DE:C0   10.10.20.138     1      5      Host
    50:57:A8:D6:DE:C0   10.10.50.63      1      5      Host
    64:00:F1:08:A0:D0   10.30.72.1       1      0      Host
    50:57:A8:9E:B5:CD   10.30.72.40      1      0      Host
    50:57:A8:A1:7B:C5   10.30.72.44      1      0      Host
    50:57:A8:9E:99:78   10.30.72.48      1      0      Host
    50:57:A8:3B:66:E3   10.30.72.49      1      0      Host
    00:07:7D:43:23:DA   10.30.72.58      1      0      Host
    50:57:A8:9E:B6:1D   10.30.72.59      1      0      Host
    50:57:A8:9E:95:C5   10.30.72.60      1      0      Host
    50:57:A8:A1:7C:0D   10.30.72.61      1      0      Host
    00:07:7D:65:36:DD   10.30.72.62      1      0      Host
    50:57:A8:44:57:0C   10.30.72.63      1      0      Host
    50:57:A8:CA:CC:01   10.30.72.64      1      0      Host

  • 802.1x with VLAN assignment through MS IAS radius

    What is the correct input syntax of the cisco VAS at the MS IAS?
    Cisco Vendor ID = 9
    - [64] Tunnel-Type = VLAN
    - [65] Tunnel-Medium-Type = 802
    - [81] Tunnel-Private-Group-ID = VLAN NAME
    Thanks

    Not sure of this but this link could be of some help : http://www.microsoft.com/windows2000/technologies/communications/ias/

  • Connecting laptops to wireless APs using RADIUS 802.1x and certificates set-up questions

    I am working at a small school with 25 laptops for a mobile cart. We upgraded to new dual radio APs and I want to set up the laptops to connect to the APs and validate user credentials at logon. The person before me made a generic username "Student"
    on each laptop locally so they could start the laptop and then connect to the wireless with a password. This is less than ideal for many reasons. 
    I have configured NPS on the server and on the AP. When I login locally and then select the AP I am prompted for credentials and can log in. On NPS's eventlog I can see it granting full access. At that point I do not have internet access which is going to
    be a vendor call. I can ping 8.8.8.8 successfully but not the local.domain.org address, nor the server ip 192.168.25.5 which is also the DNS Server. I am thinking that there is a NAT issue there.
    When I try to login to the laptops with my AD credentials it is not connected to the AP yet and tells me there is no logon server available. 
    Is that where the certificates should be used at computer/machine level? 
    I want to get this setup correctly so anyone who has done this and has some advice for best practice would be greatly appreciated! 

    Hi,
    According your description, we can ping 8.8.8.8 successfully. It means that we have connected to the network.
    Due to we can't resolve the domain name, it should be a DNS issue. As you have mentioned, the DNS server is unavailable. Please check if there is something wrong with the DNS server.
    If we want client to connect to AP before implement AD authentication, we need to enable single sign on. For detailed information, please refer to the link below,
    http://technet.microsoft.com/en-us/magazine/2007.11.cableguy.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • EAP authentication MS IAS RADIUS across Subnets without DC

    I have 2 sites set up using MS IAS 2003 RADIUS server and Cisco 1230 APs. Both site that I have configured have MS DCs local and both sites perform USER and HOST based authentication. I have attempted to set up a third site, but this site is unique b/c it does not have a DC local. At this site the authentication apears to be timing out even though I set all timeouts to the highest intervals.
    I need the PC to be authenticated at the Windows login screen, then I need the usercredentials passed to a DC, then I need them to be allowed access to the Network. THe device is requiring a local cached user to gain access then it is authenticating and assigning an IP. However, I need this all to happen at the loginscreen prior to loggin in b/c I do not allow local cached profiles.
    I had this simmilar problem at a nother site and adjusting the timeouts corrected that but a DC was also local.
    Any ideas are appreciated

    hello, try to create a "realm" in IAS Config.
    At the IAS root click on Properties, choose realm and create for example "abc" = "yourdomain\"
    after that in VPN client when prompt for username :
    exemple: if your usernae is Jerry write as username
    abcJerry and it will be translated like
    yourdomain\jerry
    hope it can helps you.
    have a happy new year
    ollivier imbert

  • Radius 802.1x authentication with computer AND users.

    Hi !
    I don't know if what I trying to do is possible so please excuse me if this sounds silly :)
    I have a Cisco Wireless lan manager where I've configure 2 differents SSID's : COMPANY and COMPANY_mobiles.
    What I want is to create a policy to restrict the access to the COMPANY SSID to only my company laptops with authenticaded users (both groups exists in the AD).
    Therefore I created a new policy with the following conditons :
    - NAS Port Type : Wireless
    - Client IPv4 Address : <my cisco ip>
    - Called Station ID : ^AA:BB:CC:DD:EE:FF:COMPANY$
    - Users Groups : EUROPE\MY_USER_GROUP
    - Machine Groups : EUROPE\Domain Computers
    When trying to connect a notebook on windows 7 to that COMPANY ssid, I'm beeing rejected with the following error :
    User:
        Security ID:            EUROPE\HOSTNAME$
        Account Name:            host/HOSTNAME.my.server.com
        Account Domain:            EUROPE
        Fully Qualified Account Name:    EUROPE\HOSTNAME$
    Authentication Details:
        Connection Request Policy Name:    Secure Wireless Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:       My.radius.server.com
        Authentication Type:        EAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network
    Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    It therefore seems that it doesn't match my network policy and falls bacj to the default one.
    If I remove the user rule, and let the computer rule : Connection OK
    If I remove the computer rule, and let the user rule : Connection OK
    but if I put both, i can't connect :s
    Can someone help me with this issue ?
    Thanks a lot !
    Geoffrey

    Hi Geoffrey,
    I would like to know if
    EAP-TLS wireless authentication has been used since it uses user and computer certificates to authenticate wireless access clients.
    Please try to use NPS wizard to configure 802.1x wireless connection,
    and
    you will find that it
    creates new connection request policy and network policy. Network policy NAS Port type will be "Wireless -Other OR Wireless -IEEE 802.11".If
    you
    need filter by user and computer account, the log should show both authenticate user and machine account name.
    EAP-TLS-based Authenticated Wireless Access Design
    http://technet.microsoft.com/en-us/library/dd348478(WS.10).aspx
    Regards, Rick Tan

  • Free RADIUS/802.1X Service for WPA/WPA2-Enterprise

    Hi, just wanted to let everyone know that I recently started offering a Free Edition of our AuthenticateMyWiFi service, a hosted RADIUS/AAA service offering 802.1X authentication for use with WPA/WPA2-Enterprise encryption.
    The Free Edition features 1 user account, supports 1 AP, and includes: PEAP authentication for wireless and wired connections, web-based control panel, and activity logging.
    This is great for IT professionals wanting to experiment with 802.1X or to get enterprise Wi-Fi security in homes and small offices.
    For more info visit our site:
    http://www.nowiressecurity.com/service.htm
    - Eric Geier

    I recommend contacting Linksys support on the phone and ask them which model router has Radius or Enterprise WPA features. Some home class routers may not have this. Ask and see what is available. 

  • TACACS=admin RADIUS=802.1x same ACS?

    I have an ACS appliance set up for TACACS auth for administrative users. I need to configure 802.1x with RADIUS as I'm sending the VLAN ID back down when the user authenticates. Is this possible? Doesn't seem to be working for me. Also, I am doing this on both CatOS and IOS so IOS only solutions won't help.
    Thanks!

    Yes, it's possible. You need to set the following stndard RADIUS attributes via a per-group or per-user basis:
    [64] Tunnel-Type ? ?VLAN?
    [65] Tunnel-Medium-Type ? ?802?
    [81] Tunnel-Private-Group-ID - ""
    Hope this helps.

  • Voltage specs and international question about Airport Extreme (802.11n)

    I'm about to travel to Korea to teach English for a year so I'm preparing all my electronic gear for the journey and I've come to a curious question involving the Airport Extreme with 802.11n.
    First of all, I'm worried about voltage (Korea runs on 220v / 60Hz). For most hard drives (and Apple hardware in general it seems) the power supply is auto-switching 100-240v 50/60 Hz, but when I looked at the official specs for the Airport Extreme (hereafter AEBS) this info is conspicuously absent. The AEBS itself runs on 12V DC power, which is listed in the specs, but the input tolerance for the AC adapter isn't mentioned. I checked the specs for the Time Capsule since the hardware is presumably very similar and it is explicitly 100-240v. Likewise the replacement power supply available from Apple is listed as 100-240v, but since it is a replacement part I'm not sure if it is the exact same make as the adapter that ships with the AEBS in North America. If someone knows the definitive specs, I would appreciate an answer.
    Secondly, when I tried searching the Korean Apple site (www.apple.co.kr) for specs on the Korean version of the AEBS to see if it was the same, I discovered that the Airport Extreme isn't available in Korea (although the Airport Express and Time Capsule). Does anyone know why this is? Is it possible the Airport Extreme doesn't comply with Korean wireless standards (I know the iPhone isn't being released in Korea because of laws about middleware that must be installed on cellular phones in Korea)? It seems safe given the availability of the Time Capsule in Korea, but does anyone have any specific knowledge about the Airport Extreme or Wi-fi regulations in Korea?
    Sorry if this is a strange question, but I'd appreciate insight from the more experienced/advanced Apple users out there.
    -Matt Tranquada

    Thanks for the response. I guess what I would like to know is if I am closer to the newer 802.11n AE base station with my laptop, will it ignore the older base station and communicate directly with the stronger signal, or does it communicate with the weaker, more distant signal. Does the laptop automatically determine which base station has a stronger signal and choose it, or is it fixed which base station the laptop communicates with?

  • Questions about AE Simultaneous 802.11n

    I have an AE simultaneous 2.4/5ghz router (firmware 7.5) as well as an Express (FW 7.4.2) extending the network downstairs.
    The AE has 2 HDDs plugged in via Hub and the AX has a printer and speakers in it. I understand the HDDs will just be slow on the USB, but they seem to work pretty well - surviving suspends and such gracefully. Same with the printer.
    So far things have been running along till the last day or so. Any answers or help would be appreciated:
    1) Just curious, with 2 iphone 3Gs on the network and two Macs, Can the AE connect the iphones at 802.11g while preserving the speed of the 802.11n macs, or does the network all slow to 802.11g speeds (The macs are connectd on 5ghz, the iphones on 2.4 of course)
    2) I turned on one account in the MobileMe "back to my mac" stuff on the AE (not the A Express) and suddenly my network would just drop off randomly and I couldn't see the AE in the Airport utility, or I could see it, the light was green, but I still couldn't connect to the net. In both cases I had to reset/powercycle the AE. Anyone else noticed this kinda behavior related to the MobileMe "back to Mac" login stuff on the AE? Turning it off seems to have stabilized the router.
    3) Anyone seen the MobileMe Backup Utility cause issues with Airports? The Backup hung up last night during its run and caused me to power cycle the router. Just wondering if Backup might have been that issue, or if maybe it was related to #2s issue.

    dead thread.

Maybe you are looking for