Quick Q on PEAP and 5508

Hi Team,
I configured  user "Bill"under Local User database with a Local EAP profile with PEAP and EAP-TLS.At this stage I do not have a Radius server but
my understanding is that  I should be able to authenticate using Bill's credentials from the Windows XP box.Wireshark capture indicates that EAP does not even complete stage 1.Last message is a EAP Response from the Windows XP to the 1252  and  the whole process (EAPOL Start,Request ,Response) keeps repeating itself without getting a response from WLC .Could someone confirm whether I could test 802.1X using this method?
The other odd thing is that I have to use a Novell client which talk to WindowsXP built-in supplicant via PEAP/MSCHAPv2.The environment I'm in does not have  vanilla XP boxes.
Any help is much appreciated.
cheers,
Janesh

Hi Janesh,
what is the version we are running on WLC? The reason i asked this question is through version 4.1, PEAP is not supported locally on the WLC. You need an external RADIUS server. With WLC version 4.2 and later versions, local EAP now supports PEAPv0/MSCHAPv2 and PEAPv1/GTC authentication.
Please follow the configuration guide in order to confgiure local EAP authentication:-
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
thanks,
Vinay

Similar Messages

  • ACS v4.1 PEAP and MAC Address Validation

    I would like to authenticate to a ACS server via both 802.1x (PEAP) and to also validate the MAC Address of the user. Can both of these be done? I have 802.1x (PEAP) working to the ACS and Active Directory but now I would like to add the MAC Address of the laptops. Can I use Network Access Profiles and add the MAC-address under MAC-Authentication bypass?
    Your assistance is appreciated.

    I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
    I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
    What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
    Appreciate your help.

  • Rolling back of Quick Pay Pre-payment and Quick Pay in case of void cheque

    Hi All
    I am facing an issue if you can help me out of if
    Here is a scenario
    a payroll manager runs the following processes.
    1. Payroll run
    2. Pre-Payments
    3. Payroll Archiver
    4. Payment Output file
    After running all these process payroll manager finds that he also has to make an adhoc payment on account of car loan of AED 150,000.
    So he runs following processes
    1. Quick pay for Car loan
    2. Quick pay pre-payments (payment made through check)
    3. payroll archiver
    4. Cheque Writer.
    Now due to some technical fault, alignment on printing of cheque becomes disturbed there for cheque misprinted.
    Payroll manager runs Void Cheque process to cancel the cheque.
    After all these processes which has run successfully, order comes from upper management to rollback quickpay for adhoc payment of loan.
    Now question is how it can be achieved.
    I tried different things as follows
    On Assignment Process results screen i queried the assignment which all the processes in descending order.
    I tried to start roll back from cheque writer but system didn't allowed to do this because of check Void process.
    I tried to start rollback from Magnetic report, system allowed to roll it back.
    Then i tried to rollback Quick-pay prepayment, system did not allow me be do it. There fore i couldn't run rollback for Quick-pay.
    There is an another thing i tried.
    On "Assignment Process Result" screen i queried assignment. Then i delete the first entry of Void cheque by using delete option from menu bar on top and saved the record. then i delete cheque writer entry and saved the record. Then i run rollback for quick pay pre-payments and ran it successfully and then lastly i ran rollback for quick pay run.
    One thing cautioned me that if I delete the void cheque entry then its history may be lost or have lost and on the other hand with out deleting void cheque i cannot proceed to rollback quick pay.
    Kindly tell me the best way to run rollback for quick pay in this situation.
    Regards
    Majid

    Bt do not provide broadband only so you need existing account holder to add broadband to phone account and then you can pay back the account holder - probably not what you want
    the 12 months advance applies to the line rental not the broadband - as I said BT do not sell broadband only you buy a package which includes phone
    If you like a post, or want to say thanks for a helpful answer, please click on the Ratings star on the left-hand side of the post.
    If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.

  • Having a problem with PEAP and Cisco 2960 Switch

    Hi All,
        I am attempting to use PEAP with a LDAP backend on FreeRadius witht he MS Supplicant.  I have it all working, in debug on the Radius server I see it sending all the information, the tunnel, medium etc. but with PEAP the Cisco switch is not changing VLANS.  If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2 but peap-mschapv2 does not switch the port to the right vlan.  Is there something extra on the switch I need to do to allows PEAP or is there something on the FreeRadius? 
        The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates ands the information is sent once(according to the debug on the Radius server) where as with the EAP the connection information is sent several times, that is I will see the Tunnell and medium info sent more then once in the Radius log for just one login.
    Any ideas?

    Thought I mentioned the client in the first post, I am using the 3 different types of clients with a goal of getting the MS client to work.  I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client.  I mentioned the EAP-MSChanpV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2.  I did not release logs from the Radius server because it seems to be centered with something on the switch changing Vlans but if you want output I can give that..
    CSSC Client pops out:
    14:25:08.453  Network Connection requested from user  context.
    14:25:08.468  Connection authentication started using the logged in  user's credentials.
    14:25:08.468  Port state transition to  AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
    14:25:08.796  Port state  transition to  AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
    14:25:09.828   Port state transition to  AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
    14:25:09.843   Identity has been requested from the network.
    14:25:09.875  Identity has been  sent to the network.
    14:25:09.890  Authentication started using method type  EAP-PEAP, level 0
    14:25:09.890  The server has requested using authentication  type: EAP-PEAP
    14:25:09.890  The client has requested using authentication  type:  EAP-PEAP
    14:25:09.968  Profile does not require server  validation.
    14:25:10.031  Identity has been requested from the  network.
    14:25:10.031  Identity has been sent to the  network.
    14:25:10.046  Authentication started using method type  EAP-MSCHAP-V2, level 1
    14:25:10.046  The server has requested using  authentication type: EAP-MSCHAP-V2
    14:25:10.046  The client has requested  using authentication type:  EAP-MSCHAP-V2
    14:25:10.078  Port state transition  to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
    14:25:10.078  The  authentication process has succeeded.
    *************************Raidus Ouptut for PEAP:**************************
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.7 seconds.
    Waking up in 0.7 seconds.
    Waking up in 0.1 seconds.
    Waking up in 3.7 seconds.
    Waking up in 0.1 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for anonymous
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: object not found or got ambiguous search result
    [ldap] search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Waking up in 0.8 seconds.
    Waking up in 0.8 seconds.
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    Waking up in 0.7 seconds.
    Waking up in 3.7 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    **************************Radius ouput for EAP******************************
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.7 seconds.
    Waking up in 0.7 seconds.
    Waking up in 0.1 seconds.
    Waking up in 3.7 seconds.
    Waking up in 0.1 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    Waking up in 3.9 seconds.
    Ready to process requests.
    Hope that Helps.

  • Best practices for network design on WLC 2504 and 5508

    Dear all:
    I'm looking for some recommendations on WLC 2504 and 5508 about the the following:
    Maximum amount of AP per port
    The scenario when to use all ports in both WLC
    Maximum number of clients(users) per port
    Bandwidth comsumption of  management vs data in order to assign one port for management
    I've just found this:
    Cisco 5508 controllers have eight Gigabit Ethernet distribution system ports, through which the controller can manage multiple access points. The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller. Cisco 5508 controllers have no restrictions on the number of access points per port. However, Cisco recommends using link aggregation (LAG) or configuring dynamic AP-manager interfaces on each Gigabit Ethernet port to automatically balance the load. If more than 100 access points are connected to the 5500 series controller, make sure that more than one gigabit Ethernet interface is connected to the upstream switch.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/6-0/configuration/guide/Controller60CG/c60mint.html
    Thanks for your help.

    The 5508-12, 5508-25, 5508-50, 5508-100, and 5508-250 models allow a total of 12, 25, 50, 100, or 250 access points to join the controller.
    This is an old document.  5508 can now support up to 500 APs if you run firmware 7.X.  2504 can support up to 75 APs if you run firmware 7.4.X.
    I'm looking for some recommendations on WLC 2504 and 5508 about the the following:
    Best practice and recommendation is to LAG all ports so you will be able to form a link redundancy.  If one link goes down, you have other link to push traffic. 

  • TS3591 Updated itunes - windows quickly shuts it down and says something about "Data Execution Prevention". I followed the instrucxtions to a dead end. I have re downloaded it twice and used the repair files once but get the same result. It worked fine be

    Updated itunes - windows quickly shuts it down and says something about "Data Execution Prevention". I followed the instrucxtions to a dead end. I have re downloaded it twice and used the repair files once but get the same result. It worked fine before I updated it to death.

    Try updating your QuickTime to the most recent version. Does that clear up the DEP errors in iTunes?

  • WLC mobility group between 4404 and 5508 controllers

    Mobility 'Control and Data Path Down' between 4404 and 5508 WLC's.
    Hello, we have 5 x 4404 WLC's running 7.0.240.0 with mobility configured fine between them.
    We have installed a 5508 with HA running 7.4.110.0, and have tried to add it to the mobility group, however we see 'Control and Data Path Down' between the new 5508 and all the 4404 controllers.
    All controllers have:
    The same virtual address
    Management interfaces are in the same VLAN, and indeed all the controllers connect via the same pair of 3750X stacked switches.
    The default mobility domain name is the same
    4404 output when issung the command 'show mobility summary'
    Symmetric Mobility Tunneling (current) .......... Enabled
    Symmetric Mobility Tunneling (after reboot) ..... Enabled
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... SGH-Mobility
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0xe209
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 6
    Mobility Control Message DSCP Value.............. 0
    5508 ouput when issueing the command 'show mobility summary'
    Mobility Architecture ........................... Flat
    Mobility Protocol Port........................... 16666
    Default Mobility Domain.......................... SGH-Mobility
    Multicast Mode .................................. Disabled
    Mobility Domain ID for 802.11r................... 0xe209
    Mobility Keepalive Interval...................... 10
    Mobility Keepalive Count......................... 3
    Mobility Group Members Configured................ 6
    Mobility Control Message DSCP Value.............. 0
    I've spent quite some time double checking all the configurations to no avail.
    Has anybody seen this problem before?
    Kind regards
    Dave Bell

    Thanks Sandeep.
    I am well versed with WLC's and mobility, however trying to add a 5508 to a mobility group with 4404's has come up with a bit of a curve ball.
    All the 4404 controllers all joined the mobility group fine, no problems at all - its only the 5508 I am struggling with.
    In theory its simple, populate the IP address, and MAC addres of the management interface of the remote WLC, as long as the management interfaces are in the same VLAN, and the Default Mobility Domain Name are the same it should come up.
    Interestingly I have found the 5508 reports its own management interface MAC address incorrectly when viewing the Mobility Groups:
    For example:
    {Screen shot WLC1.jpg}
    5508 management address is 10.95.x.x and when viewing the Mobility Management screen it shows its own MAC address as bc:16:65:f9:37:60.
    however!
    From our router is I do an sh arp | i 10.95.x.x (controller management address), I see:f872.eaee.becf.
    {Screen shot wlc2.jpg}
    Hence the WLC reports as: bc:16:65:f9:37:60
    and
    The network reports as: f872.eaee.becf for the same IP address.
    I have changed the other WLC's to the MAC adress seen on the network for the new controller, aka changed from
    bc:16:65:f9:37:60
    to
    f8:72:ea:ee:be:cf
    I now see the controllers reporting the mobility with the new controller as 'Control Path Down', however I am at a loss as to what may be causing this?
    Kind regards
    Dave Bell

  • EAP-PEAP and EAP-TLS on same switched network

    Hello,
    I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
    The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
    I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
    Thanks,
    Guy

    You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
    Good Luck,
    --Jean Paul

  • Wired PC's with PEAP and RADIUS - how to join to a domain?

    I realize this seems like a 'chicken vs. egg' question, but I'm wondering if there is an answer.
    <br />
    <br />We're in the process of implementing RADIUS authentication using PEAP and IAS on our network.
    <br />
    <br />(Server 2003, WinXP Pro, and Cisco hardware)
    <br />
    <br />My test network is working well, however the one glitch that we've come across is joining new PC's to the domain. Because the switch will not authenticate the machine or the user - we can't get access to join the machine to the domain controller.
    <br />
    <br />Is there a simple workaround for this, or do we have to disable AAA on the switch temporarily, every time we want to join/rejoin and machine?
    <br />
    <br />Thanks in advance!
    <br />Rob

    If you are running 802.1x on your switches for wired users, then you either need to stage the machines first by having them join the domain and then pushing out the appropriate certificates to the machine. You can always have ports that don't have 802.1x configured to get this working.

  • I want to run PEAP and LEAP at the same time...

    I have an environment where I have 25 Laptops connected to my wireless network using PEAP and TKIP over an XP wireless client with a certificate. I also just purchased 25 IPAQ's with built-in wireless and they have the ability to do LEAP or PEAP. I am having issues getting the certificate to take up residence on the IPAQ's, so I thought I could do LEAP instead. What are the caveats of running both protocols at the same time and what configuration issues will I run into with this on the IPAQ's?
    I tried to setup LEAP yesterday without success, basically because I don't know what step I am leaving out. Maybe its TKIP that is causing the problem, I don't know.
    Any help would be greatly appreciated.
    David Beaver

    The access point doesn't know or care which EAP flavor you're using; LEAP vs PEAP is configured on the client, and you have to specify on your server which flavor(s) you'll allow.
    Supporting both PEAP and LEAP is inelegant, though, and exposes some of your clients to the dictionary attacks LEAP is subject to. You'd be better served by getting PEAP working correctly on your iPaqs.
    You don't need clientside certificates for PEAP, and you don't need to put the server certificate on the iPaq unless you're self-signing. If you are and the problem is that the iPaq isn't accepting your root cert, then the problem may be that it's not in a format the iPaq recognizes. Try importing the root cert into IE and then re-exporting it in DER format, then see if the iPaq will take that.
    Also make sure that your pda's are flashed with the latest OS and firmware patches. I've got PEAP working just fine on my HP 5500, but it did take a little tweaking to get it there.

  • Is there a script that Quickly get the Equidistant and The same size images.

    Is there a script that Quickly get the Equidistant and The same size images.
    General,I used the paste into the interior one by one, when it is a lot ,will waste a lot of time

    Is there a script that Quickly get the Equidistant and The same size images.
    General,I used the paste into the interior one by one, when it is a lot ,will waste a lot of time

  • One Flash CC project gets stuck when publishing in IOS. It will quickly publish as Android, and other projects will publish as IOS. Not sure what to change.

    One Flash CC project gets stuck when publishing in IOS. It will quickly publish as Android, and other projects will publish as IOS. Not sure what to change.

    Thanks for the info.
    I've recently stumbled on an article on how to view the packaged file (apk) published using AIR 3.2 for Android setting (Adobe Flash CS6). All you need to do is change the extension of the file from (.apk) to (.rar) or (.zip) and extract the file as you would with any other zip or rar file. I was able to confirm that the packaged file (apk) indeed contain all the videos for the presentation. I have more than 80 videos in the presentation. All videos included in the package are of the same video format and resolution (FLV 320x240) but of different duration. I intentionally included the all the videos inside the package so I can use the presentation anywhere and anytime without the need to connect to the internet. The packaged apk file size is (1.23GB) the file includes the project's swf and xml file, the component swf and videos.
    When installed to android I noticed that the package remained as an apk file. Not really sure if android temporarily unpacks it when you run the app.
    Testing phase:
    I see no problem when I'm testing the project on my desktop computer. But when packaged and installed on my device the problem arise.
    Problem:
    I'm able to install and run the app on my device but wont play some of the videos included in the package.
    Was this due to the limited RAM or processor of my android device?
    I wanted to distribute the presentation to friends so i was trying to package it for easy access and installation on their device.
    Alternative Solution:
    I installed a third party app called SWF player by BIT LABS. Copied all the files to my device (the project's swf and component swf with the videos). The project worked like a charm the player (SWF player) and was able to run the presentation as if it was running of my desktop. All buttons and videos working properly. Although the alternative solution worked for me I still wanted to package the presentation for easy access and distribution to friends.
    Please help...Thanks in advance.

  • Quick notes in text and resend.

    Is their any quick note option in the iphone text section?
    With many other phones you can create quick messages or notes and then pick them to put into or create a text message. Also is there anyway to resend a text message once it has been sent? Again, other cell phones I have used, can do it.

    Can't any word processor do this?
    I use Pages as my word processor. I could just write down notes there or dictate them. Then come back later to fill in the details. Once done I could email it in Pages, Word or PDF formats.

  • PEAP and Passwords Wireless Question

    Hello, Our company use Microsoft PEAP and password authentication for wireless with our own root CA. For PC's the root certificate is distributed to clients automatically by Windows AD. For other devices we usually have to manually install - for security it should be done out of band I believe. We have found that our iPhone users have been able to connect and somehow the phone finds the root certificate and all they have to do is click on it and it connects! Can someone please tell me how it is doing this! Thanks, Alan.

    Muhammed,
    Thanks for the link. Unfortunately it doesn't pertain to the issue I am having and is more with the layout and simple authentication pieces. I am not sure my issue is actually with the ISE appliance and not more of an issue with the phone not accepting the certificate chain of the ISE server. Authentication works just fine if I don't validate the server certificate. If I try to validate the server certificate the phone rejects the ISE cert even though the root CA is loaded on the phone. But it appears the phone isn't taking the entire certificate chain as I am unable to load one of the intermediate CA's certificate into the phone. Opening a TAC case to see if they can assist or explain why the phone won't take the entire certificate chain.

  • Other LEAP upgrade options besides PEAP and EAP-FAST?

    Currently I'm using LEAP for authentication on my AP's at roughly 200 remote locations, with about 6 AP's per site. These are performing local Radius authentication on the AP's themselves. We are using non-dictionary passwords, so I'm not too worried about a ASLEAP attack. However, I've been asked to look into other alternatives besides LEAP for security.
    Here's the problem.... there is no way my company will pay for a Radius server at each individual location. As both PEAP and EAP-FAST seem to require an actual Radius server as opposed to an AP acting as one, to use either means authentication would have to happen back to the central office servers over our WAN. That is going to generate an unacceptable amount of WAN traffic, as well as leave us stranded should the WAN connection go down, as happens to at least one site once a week or so. Do I have any other options, are are they superior to my current LEAP setup?

    A comparable system might be to use WPA - PSK (Pre-Shared Key) w/ TKIP.
    TKIP will keep the key rotation, and if you start with a strong PSK, you should be OK. WPA - PSK doesn't need a RADIUS server or certificates to work.
    Pre-shared keys could conceivably be defeated by a brute force attack, but you can control that aspect somewhat with a lockout after X number of failed attempts.
    You could also toss on some MAC filtering but, depending on your user base, it can be an administrative nightmare.
    If all of your remote sites are tied back to your home network, you could try a central RADIUS, and local Certificate Authority (both can be on an existing WIN2K or better server) at the home office, then use the remote RADIUS on the AP to proxy the requests back to the home office.
    There are a couple approaches depending on your specific environment. Without a CA and RADIUS server (that supports certificates - I don't think the AP RADIUS does), your options are fairly limited. LEAP and WPA-PSK are probably as good as you're like to get.
    Good Luck
    Scott

Maybe you are looking for