Sg300 - 802.1x NPS - mac authentication not working
I configured 802.1x on a sg300 switch. It is working very well with some Windows 7 machines and a Windows Server 2008 NPS server.
Now I tried to get the MAC authentication running, on a 3850X it is working without problems, but every access request sent from the SG300 is declined.
My current port configuration on the SG300:
interface fastethernet1
dot1x guest-vlan enable
dot1x max-req 1
dot1x reauthentication
dot1x timeout quiet-period 10
dot1x authentication 802.1x mac
dot1x radius-attributes vlan static
dot1x port-control auto
switchport mode access
On the Windows NPS server the following error is shown:
Authentication Details:
Connection Request Policy Name: Secure Wire
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: myradius.local
Authentication Type: -
EAP Type: -
Account Session Identifier: 30353030399999
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
Compared to the message from the 3850, the authentication type (PAP) is missing and a not very helpful error message is displayed...
Still not working.
I tried different settings and (also older) software versions on the SF302-08P.
Also started to change the settings on the NPS (though it is working with the 3850X!), without success.
The NPS reports the following error:
Schannel:
The following fatal alert was received: 40.
EventID 36887
If I search for this error, every source is pointing to certificate errors, but there should not be any certificate involved?!
... is this a bug on the SF302-08P?
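To make the difference between the two switches' requests concrete, here is an added example (not code from this thread, from Cisco or from Microsoft) that builds a MAC-authentication Access-Request the way the 3850 request was logged (PAP: User-Name and User-Password both carry the MAC, hidden per RFC 2865, plus an RFC 2869 Message-Authenticator), verifies the HMAC as a RADIUS server would, and classifies a request by the credential attribute it carries. The MAC, shared secret and attribute selection are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CALLING_STATION_ID = 1, 2, 3, 31
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; the chaining value is the previous ciphertext block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def attributes(packet: bytes):
    """Yield (type, offset, value) for each attribute TLV after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length

def build_mab_request(mac: str, secret: bytes, ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request as a MAB NAS sends it: the MAC is both User-Name and the PAP
    User-Password, and a Message-Authenticator (HMAC-MD5) covers the whole packet."""
    authenticator = authenticator or os.urandom(16)  # constructed example uses a fixed one
    attrs = (avp(USER_NAME, mac.encode())
             + avp(USER_PASSWORD, pap_hide(mac.encode(), secret, authenticator))
             + avp(CALLING_STATION_ID, "-".join(mac[i:i + 2] for i in range(0, 12, 2)).encode())
             + avp(MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # zero placeholder, filled in below
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # HMAC over the packet with the Message-Authenticator zeroed; it is the last attribute
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed; False if absent or tampered."""
    for attr_type, pos, value in attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * len(value) + packet[pos + 2 + len(value):]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
    return False

def credential_type(packet: bytes) -> str:
    """Credential the request carries, checked in the order a server does; none gives '-'."""
    present = {attr_type for attr_type, _, _ in attributes(packet)}
    order = ((EAP_MESSAGE, "EAP"), (CHAP_PASSWORD, "CHAP"), (USER_PASSWORD, "PAP"))
    return next((name for attr, name in order if attr in present), "-")
```

Run credential_type() over a captured request from each switch to see which credential attribute, if any, the SG300 actually sends; verify_message_authenticator() with the shared secret also tells you whether the request is even accepted at the integrity check.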
Similar Messages
-
The Smartart feature of Office for Mac will not work in my user account. It works for all other user accounts on the same computer, and it works after a "safe start". How can I fix the problem?
You may also want to search/ask in the forums run by the people who make the product which is causing you problems:
http://answers.microsoft.com/en-us/mac/forum/macoffice2011 -
Revision: 1720
Author: [email protected]
Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
Log Message:
Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
QA: Yes
Doc: No
Details:
Update to the TomcatLoginCommand to work correctly with NIO endpoints.
Ticket Links:
http://bugs.adobe.com/jira/browse/LCDS-304
Modified Paths:
blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java
-
I accidentally removed the admin user from Sharing and Permissions, and now when I find the home icon on my computer I do not have permission, and the Mac does not work properly, with lots of question marks in the Dock. Please help.
I'm going to assume that since you deleted your hard drive and all its files, you had a backup, yes? If the backup has an OS (bootable clone), then you can boot into it by holding down the Option key when you start up your iMac and choose the backup drive. Then use Carbon Copy Cloner or SuperDuper to copy the files back to your iMac.
-
My Photo Booth on my Mac has not been working for many days, so please give me any suggestion to solve that problem......
And my AirPort Utility doesn't catch any other wireless devices, please provide help....fubar
-
My ProductionPremium CS5.5 serial number for my Mac is not working when I download and install ProductionPremium CS5.5 on my windows machine. Do I need to deinstall on my mac or get another serial number issued?
This is expected. Serial numbers are platform specific and platform swaps only apply to current versions. You need to upgrade to CS6 and make the switch.
Mylenium -
Lion - 2004 MS Office for Mac will not work
My 2004 version of Microsoft Office for Mac will not work in Lion. I suspect because this is a PowerPC application. My question is this:
Is there any program out there which will map the PowerPC to an Intel format? Other than trying to sell more products, I am surprised that Apple does not supply a mapping program for products made by Microsoft for the Apple devices.
Eric, can you tell me where please? It's not mentioned on the Lion compatibility pages at all (http://www.apple.com/uk/macosx/what-is/compatibility.html) nor on the 'how to upgrade' page (http://www.apple.com/uk/macosx/how-to-buy/)
-
TS1381 My "t" button on my MAC is not working.. what should i do?
My "t" button on my MAC is not working.. what should i do?
I think you'll have to replace the KB...
http://www.google.com/search?client=safari&rls=en&q=ifixit+macbook+keyboard&ie=UTF-8&oe=UTF-8 -
HT204032 Why find my Mac does not work in powernap?
Find My Mac does not work in Power Nap mode even though I enabled it in the energy preferences to work while on battery power.
Any ideas?
"I think Find My Mac is not one of the features claimed to work in Power Nap."
Yes it is.
Please see the link at top of this page.
"Find My Mac. Locate a lost Mac notebook even when it’s sleeping." -
Wireless with PEAP Authentication not working using new NPS server
All,
We are planning to migrate from our old IAS server to a new NPS server. We are testing the new NPS server with our wireless infrastructure using WiSM. We are using PEAP with a server cert for authentication. For testing purposes we are doing user authentication, but our goal is to do machine authentication. On the client side we are using Windows XP, Windows 7 & iPads.
I believe I have configured the NPS & CA server as per the documents I found on Cisco support forum & Microsoft’s site.
But it is not working for me. I am getting the following error message on the NPS server.
Error # 1
=======
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADXXX
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: XXX-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Error # 2
======
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
I was wondering if anyone has any insight on what is going on.
Thanks, Ds
Scott,
I have disabled MS-CHAP v1 & only MS-CHAP v2 is enabled on Network Policies > Constraints.
I disabled "validate certificate" on Windows 7 and tried to authenticate; it is still failing. Here is the output from the event viewer:
Cryptographic operation.
Subject:
Security ID: SYSTEM
Account Name: MADHFSVNPSPI01$
Account Domain: AD
Logon ID: 0x3e7
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: RSA
Key Name: DOT-Wireless-NPS
Key Type: Machine key.
Cryptographic Operation:
Operation: Decrypt.
Return Code: 0x80090010
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: AD\mscdzs
Account Name: AD\mscdzs
Account Domain: AD
Fully Qualified Account Name: AD\mscdzs
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 64-ae-0c-00-de-f0:DOT
Calling Station Identifier: a0-88-b4-e2-79-cc
NAS:
NAS IPv4 Address: 130.47.128.7
NAS IPv6 Address: -
NAS Identifier: WISM2B
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 29
RADIUS Client:
Client Friendly Name: WISM2B
Client IP Address: 130.47.128.7
Authentication Details:
Connection Request Policy Name: Secure Wireless Connections
Network Policy Name: Secure Wireless Connections
Authentication Provider: Windows
Authentication Server: MADHFSVNPSPI01.AD.DOT.STATE.WI.US
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 23
Reason: An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
Attached are EAP logs & debug logs from the controller.
Thanks for all the help. I really appreciate it. -
802.1x port authentication not working
I am having some trouble figuring out what is going on here. I am trying to set up 802.1x port-based authentication to assign clients to VLANs. I inherited this mess and it's been a long time since I have used this. I ran Wireshark on my RADIUS server and I see no packets even coming from my switch IP address when I plug into a port (I verified communication because pings show up in my trace).
Switch info:
sw-ConfB>sho ver
Cisco IOS Software, C2960C Software (C2960c405-UNIVERSALK9-M), Version 12.2(55)EX3, RELEASE SOFTWARE (fc2)
Port config:
interface FastEthernet0/11
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
Radius Server Info:
radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
Kinda lost why no RADIUS packet even comes from the switch. Any tips?
sw-ConfB#sho ru
Building configuration...
Current configuration : 6301 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname sw-ConfB
boot-start-marker
boot-end-marker
enable secret 5 $1$3QAC$puzutRpCI5zR3Xv55xBVH0
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa session-id common
system mtu routing 1500
crypto pki trustpoint TP-self-signed-706182400
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-706182400
revocation-check none
rsakeypair TP-self-signed-706182400
crypto pki certificate chain TP-self-signed-706182400
certificate self-signed 01
quit
dot1x system-auth-control
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface FastEthernet0/1
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/2
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/3
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/4
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/5
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/6
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/7
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/8
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/9
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/10
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/11
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface FastEthernet0/12
switchport access vlan 900
switchport mode access
authentication event fail action authorize vlan 900
authentication event no-response action authorize vlan 900
authentication port-control auto
dot1x pae authenticator
dot1x timeout tx-period 5
interface GigabitEthernet0/1
switchport trunk native vlan 200
switchport trunk allowed vlan 100,200,900
switchport mode trunk
interface GigabitEthernet0/2
switchport access vlan 100
switchport mode access
interface Vlan1
no ip address
interface Vlan100
ip address 10.0.1.3 255.255.255.0
interface Vlan200
ip address 10.0.2.4 255.255.255.0
interface Vlan900
ip address 10.0.9.4 255.255.255.0
ip default-gateway 10.0.1.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
radius-server host 10.0.1.52 auth-port 1645 acct-port 1646 key 802.1x!
radius-server retransmit 5
radius-server key secret
radius-server vsa send authentication -
"Allow insecure authentication" not working on Mac Mail after upgrade to Yosemite
I recently upgraded to the new Yosemite OS. Since then, I have not been able to access my ISP's IMAP server. After spending time troubleshooting with the service provider, it seems that the "allow insecure authentication" feature is not working. The password appears to be sent as a series of "*" which the server cannot recognize, and I fail the login. It is of note that I am still able to access this email account through my iPhone 4S with all the same settings and had no issues before the Yosemite upgrade. Is there any way around this issue?
I had the same problem. Rebooting the computer fixed the issue for me.
-
Enabling 802.1x and MAC Authentication Bypass on ACS 4.2
Hi experts,
I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario:
Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time a staff member plugs into the company's network, they will need to supply a username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff member's user profile in ACS. If the login information supplied by the staff member is valid but the MAC address of their machine does not match the ACS database, then they will not be able to gain access until after notifying the administrator about it.
ii. If it is possible, is there any reference that I can check on how to configure this?
The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco based and are only capable of supporting 802.1x.
Hope anyone here could help me on this.
Thanks very much,
Daniel
With ACS, you can set up NARs (Network Access Restrictions) to permit/deny access based on IP or non-IP filters (like MAC addresses).
Specific info is here:
<http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
Hope this helps, -
Kerberos Authentication Not Working on OS X 10.6
Using FF version 20.0, on OS X 10.6.8, I can not get it to use Kerberos authentication to allow SSO to a SharePoint web site.
On OS X 10.8, with the same configuration in the about:config, everything works fine - the user is not prompted for credentials.
I have put the necessary entries in network.negotiate-auth.delegation-uris and network.automatic-ntlm-auth.trusted-uris, and network.negotiate-auth.gsslib is set to true.
When I have setup to log the errors from the authentication module, I find in the log file "Fail to load gssapi library".
Interestingly on 10.8, when I start Firefox from the command line the Kerberos authentication does not work. When I start it via the icon, it does. What is the difference? Are the preferences not being loaded when launching via the command line?
Thanks for any help,
Richard
Found the solution:
It was a combination of kinit being run on login (apparently a known 10.6 bug). Our Mac team were able to alter the appropriate plist file so that this does happen on login.
We also had to add an extra SPN for the actual server, as well as the DNS name of the SharePoint site we were trying to access with Kerberos authentication - although this may have something to do with using host-named site collections at the SharePoint end.
Main problem was the kinit thing though. -
Upgrade to IOS and ACS authentication not working
Hi. I have just upgraded my 1200AP to IOS Version 12.2(11)JA1. I am using LEAP with MAC address auth in the ACS (version 3.0). I cannot get onto the LAN though. The error on the ACS failed auth report says 'User Access Filtered' even though the MAC of the card is in there. I can still authenticate with APs that are still at the old version though. A debug on the IOS AP shows that the ACS is replying with a FAIL auth after LEAP negotiation, and the ACS interestingly gives the failed MAC address as AAAA.BBBB.CCCC (note dots between), making me think that the AP is sending it in that format instead of AAAABBBBCCCC. I cannot add the MAC to the ACS in the dotted format as it is a 12 character string. Is this a format issue with the RADIUS passthru? Has anyone any idea why this is happening? Thanks for any help in advance.
Just thought I would let you know that I have got the cause of this. This happens if MAC authentication is enabled in the ACS. Once I turned that off it worked again. I think it is due to a format error in the data sent from ap to acs.