Switch Cisco and Microsoft NPS

Hi,
I configured 802.1x with a Cisco switch and Microsoft NPS RADIUS, but the client cannot connect. I debugged RADIUS on the switch and received the debug attached.
What's the problem?
Thanks

Hi,
It looks like the switch IP address is 192.168.233.250.
Please add this nas-ip-address, 192.168.233.250, in the condition on the NPS server.
Also, could you please provide me with an error message from the event viewer?
Attached is the document to configure NPS with cisco devices.
HTH
JK
Please rate helpful posts.

Similar Messages

  • Integration between WLC 5508 and Microsoft NPS 2008

    Hi guys,
    Any of you, have working guidance for WLC 5508 and Microsoft NPS 2008 integration?
    I managed to configure Wireless 802.1x feature (PEAP) but it failed. I'm running software ver. 7.0.116.0.
    Is there any bug related to 802.1x on this software version?
    thanks in advance.
    BR
    shendy

    Hi Shendy,
    I am not aware of any bug related to this. I think you had better check all the configuration and make sure it is fine.
    Logs from NPS and WLC (and possibly from the supplicant) may guide you to where the problem resides.
    What do the NPS logs say about the reason for the authentication failure?
    What do the WLC logs say about the failure (check show msglog and show traplog)?
    - Make sure the RADIUS server is added correctly, with the correct IP and shared secret, on the WLC.
    - Make sure that RADIUS is configured correctly to allow PEAP-MSCHAPv2.
    - Make sure WLC is added successfully to WLC with correct IP address and correct shared secret.
    - Make sure the clients are correctly configured and the server's (NPS) certificate is trusted on the clients.
    HTH
    Amjad

  • [ ISSUE ] NCS / PI authentication using Microsoft NPS as a RADIUS server

    So here is my goal:
    Authenticate employees who use NCS or PI with their ActiveDirectory credentials against Microsoft NPS.
    Background:
    I have successfully configured our switches to use the NPS server and our AD credentials to log into and receive plvl=15 access.
    I've also used NPS to authenticate wireless clients in a lab setting.
    Problem:
    I cannot figure out what is going on with NCS/PI authentication against NPS.
    Here are a couple/few steps I've taken:
    - I've added the RADIUS client to the list.
    - I've created a network policy to grant access to a specific group of users (AD group). It accepts either CHAP or PAP authentication.
    - I've also taken out the default RADIUS attributes and inserted these:
      - Vendor-Specific, Cisco-AV-Pair
        - I've used both the ASCII format of the task list and/or variations of the HEX value
      - Vendor-Specific, RADIUS Standard
        - I've used both the ASCII format of the task list and/or variations of the HEX value
    On the NPS server I can see the request coming in on the NPS logs.  Access has been granted and it matches the Network Policy I created.
    The usual message I receive is this:
    No authorization information found for Remote Authenticated User. Please check the correctness of the associated task(s) and Virtual Domain(s) in the remote server
    Attached is a picture from a packet capture. The RADIUS "Access-Accept" message has something under the Attribute Value Pairs section:
    - "[Not enough room in packet for AVP]"
    This capture was taken when I was only using the RADIUS role value and not all the RADIUS Tasks.
    Has anyone gotten this to work using Cisco NCS/PI and Microsoft NPS?
    Here are some of the guides I used:
    http://mihai.radoveanu.ro/2010/11/configuring-the-radius-authentication-with-cisco-wireless-control-system-6-0-196-0/
    https://supportforums.cisco.com/thread/339057
    http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

    Hi Kyujin,
    I wish I had finished my guide.  Didn't realize it would take this long.
    But what I meant is that when adding the attributes to my NPS (Microsoft's Network Policy Server) I only had to add the role and virtual domain if using Prime Infrastructure.
    If you use NCS, you have to add the role, all the tasks, and the virtual domain.
    See the screenshots and see if that helps explain it.  Not sure how TACACS will work as I'm not familiar with it.
    Microsoft NPS - Attributes for NCS
    Microsoft NPS - Attributes for PI

  • EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OIDs

    We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press book
    Windows Server 2008 PKI and Certificate Security gives an example of how to configure a policy in NPS that matches specific EKU OIDs. At the moment we have two policies, each with an allowed-certificate-oid configured that matches the OIDs in our certificates, but our setup is not working as expected. Authentication is only successful if the client authenticates with the certificate that is matched by the first policy rule.
    For example:
    Policy 1: allowed-certificate-OID --> corporate
    Policy 2: allowed-certificate-OID --> private
    Client authenticates with EKU corporate --> success
    Client authenticates with EKU private --> reject
    My expectation was that if Policy 1 does not match, NPS goes on to Policy 2 and tries to authenticate the client.
    Has anyone a similar setup, or can anyone help figure out what is going wrong?
    We have a WLC 5508 with Software Version 7.4.100.0 and an NPS on Windows Server 2008 R2.
    regards
    Fabian

    The policy rejects and NPS goes to the next policy only if the user does not belong to the configured group.
    This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will only work with one group per user, because the first policy that matches an AD group the user belongs to could have an OID that is not in the certificate. This would cause a reject with reason code 73:
    The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
    The certificate does include this OID but not the custom EKU.

  • AP1200 and Switch Cisco Express 500

    Hi,
    We have an AP1200 (port 1) attached to a switch Cisco Express 500. On this switch we are using a VLAN and we have a DHCP server.
    The problem is that when a new PC tries to connect to this AP, it takes too much time to assign the IP address, and in other cases the PC is constantly disconnected from the system. Do you know which could be the problem?

    It sounds like it could be a problem with your wireless signal - have you tried doing a carrier busy test on the AP to check for interference?
    Regards
    Aaron
    Please rate helpful posts.

  • Cisco WLC and Microsoft NAP

    Hi, I want to integrate my Cisco WLC directly into Microsoft NAP. Is this possible?
    Thanks

    Follow the table in the link http://www.cisco.com/en/US/docs/security/nac-nap/1.0/release/notes/NACNAPRN.html#wp1134942 for the integration of WLC and Microsoft NAP.

  • Cisco NAC and Microsoft NAP

    Dear all,
    I need to know what the differences are between Cisco NAC and Microsoft NAP.
    Can NAP be used instead of NAC or not? Why, or why not?

    I really do not know if you will find the answer that you are looking for. From what I remember, NAP was an option that was available with the ACS via a special patch. This is only supported for Vista clients, if memory serves me correctly.
    Here is the link that will help you with the basics.
    http://www.cisco.com/en/US/netsol/ns466/index.html
    We do not get much case volume or exposure to the NAP solution, and with ACS 5.2 and ISE around the corner it might be too late to go through this setup and then run into issues with ACS 4.2 possibly hitting EoL/EoS.
    Thanks,
    Tarik

  • Cisco and Huawei switch compatibility

    Hi all. In our company we are going to implement VoIP in our regional offices, where all the networking equipment is Cisco. We were thinking of using Huawei 8-port PoE switches to which we would connect our Cisco phones, and then connecting the Huawei switch to the Cisco switch using a trunk.
    I was wondering if anyone has experience connecting Cisco and Huawei switches? Are there known problems interconnecting these switches and what should I pay attention to on the Cisco side of things?
    We mostly deal with Cisco equipment in our company so connecting/configuring Huawei switches is something new for us.
    Thanks in advance for any help.

    Hi Igor,
    As Glen indicated, the main problem is spanning tree. Huawei switches use MSTP, whereas Cisco has PVST by default.
    The other problem is QoS on switch ports for IP phones. Cisco switches automatically discover and configure some settings for IP phones, but Huawei will not do any of these by default.
    If you are planning to use some L3 configuration on Huawei switches, be aware that their administrative distances differ from Cisco. For example, static routes have an admin distance of 60 :) Routing protocols have different admin distances as well.
    There are many differences on MPLS functions as well , but I guess they are all out of your scope.
    Please let me know if you need further information.
    Hope to help,
    Kerem

  • HT4519 I switched to a Cisco Router model EA6500, in now periodically receive a message on both of my email accounts "cannot get email" the connection to the server failed"  it's happening on both by iPad and iPhone.  I've talked to Cisco and they couldn'

    I switched to a Cisco Router model EA6500, and now I periodically receive a message on both of my email accounts: "cannot get email: the connection to the server failed". It's happening on both my iPad and iPhone. I've talked to Cisco and they couldn't help.

    Start by working through the Troubleshooting iOS and WiFi knowledge base article and see if that helps the situation. When you get to shutting down the router, be sure to disconnect power, as shutdown on some is really just standby mode.

  • 802.1x MAB with Microsoft NPS ieee802Device object group

    Hi,
    According to http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.pdf (MAC Authentication Bypass Deployment Guide as of May 2011), when you use Microsoft NPS you cannot simply add MAC addresses as Active Directory user objects if your domain has strict password enforcement policies (because passwords are not allowed to match usernames under those circumstances). The guide mentions the use of the 'ieee802Device' class that is built into Windows Server 2003 R2 and above. I have tried to get this working (with no success...); unfortunately I did not find any guidelines on the web on how to accomplish this. What I did so far was:
    - Created a new structural class "myieee802Device", based on the abstract class "ieee802Device"
    - Created a new OU "ethers" in AD
    - Created a simple object by means of an ldifde.exe import:
    dn: CN=001b21******,OU=ethers,DC=dot1x,DC=com
    changetype: add
    objectClass: myieee802Device
    cn: 001b21******
    macAddress: 00:1b:21:**:**:**
    When I trigger 802.1x authentication at a supplicant, NPS does not find the device (MAC-Address) in AD.
    Has anybody got this running so far?
    Stefan

    Stefan,
    Many thanks for your reply. In my test environment, what I have encountered is:
    1. I created the user account and used the MAC address as both account name and password, which can log into the AD.
    2. I enabled the MD5-Challenge function in the Windows 2008 R2 NPS server. Please refer to the link:
    http://social.technet.microsoft.com/Forums/en/winserverNAP/thread/e801bdac-9347-4efb-9d7c-bcf4d64aa927
    3. Created the network policy, which uses MD5 as the EAP type, and selected PAP as the authentication method.
    4. Enabled the 802.1x and MAB functions on the port of the Cisco 3750.
    In testing, 802.1x works fine, but when I try to authenticate with MAB I get the error below in the NPS event log:
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID:            QBBB\002622c997ff
        Account Name:            002622c997ff
        Account Domain:            QBBB
        Fully Qualified Account Name:    qbbb.net/Sales/002622c997ff
    Client Machine:
        Security ID:            NULL SID
        Account Name:            -
        Fully Qualified Account Name:    -
        OS-Version:            -
        Called Station Identifier:        3C-DF-1E-C6-48-13
        Calling Station Identifier:        00-26-22-C9-97-FF
    NAS:
        NAS IPv4 Address:        10.197.40.2
        NAS IPv6 Address:        -
        NAS Identifier:            -
        NAS Port-Type:            Ethernet
        NAS Port:            50219
    RADIUS Client:
        Client Friendly Name:        Wired
        Client IP Address:            10.197.40.2
    Authentication Details:
        Connection Request Policy Name:    Secure Wired (Ethernet) Connections
        Network Policy Name:        Connections to other access servers
        Authentication Provider:        Windows
        Authentication Server:        QINGXXX1.QBBB.net
        Authentication Type:        PAP
        EAP Type:            -
        Account Session Identifier:        -
        Logging Results:            Accounting information was written to the local log file.
        Reason Code:            65
        Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
    Just for your reference; I hope it helps. Thanks a lot!
    --Scott
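The two posts above turn on reading an NPS "denied access" event for a MAB request. As an added example (not code from either poster), this Python helper parses such an event into sections and fields and returns triage findings; the sample event is constructed from the one quoted above, and the meanings of reason codes 65 and 73 are the ones quoted on this page.

```python
import re

# Constructed sample, modelled on the NPS "denied access" event quoted above
# (same field names and Reason Code 65); values are illustrative only.
SAMPLE_EVENT = r"""Network Policy Server denied access to a user.
User:
    Security ID:            QBBB\002622c997ff
    Account Name:            002622c997ff
Client Machine:
    Security ID:            NULL SID
    Calling Station Identifier:        00-26-22-C9-97-FF
NAS:
    NAS IPv4 Address:        10.197.40.2
Authentication Details:
    Network Policy Name:        Connections to other access servers
    Authentication Type:        PAP
    Reason Code:            65
    Reason:                The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user.
"""

# Reason codes whose meaning is quoted on this page (65 in this thread,
# 73 in the EAP-TLS thread); extend from the NPS documentation as needed.
REASON_CODES = {
    65: "AD account's dial-in Network Access Permission is 'Deny access'",
    73: "client certificate lacks the EKU the network policy requires",
}
# Built-in NPS policy that catches requests no other network policy matched.
FALLTHROUGH_POLICY = "Connections to other access servers"


def parse_nps_event(text):
    """Return {section: {field: value}}; free-text header lines go under '_message'."""
    event, section = {"_message": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw == line and line.endswith(":"):       # unindented "NAS:" style header
            section = line[:-1]
            event.setdefault(section, {})
        elif section and ":" in line:                 # indented "Key:   value" line
            key, _, value = line.partition(":")
            event[section][key.strip()] = value.strip()
        else:
            event["_message"].append(line)
    return event


def _mac_digits(s):
    # Normalise 00-26-22-C9-97-FF / 002622c997ff to 12 lowercase hex digits.
    return re.sub(r"[^0-9a-f]", "", s.lower())


def triage(event):
    """Return human-readable findings explaining why NPS denied the request."""
    auth = event.get("Authentication Details", {})
    user = event.get("User", {})
    client = event.get("Client Machine", {})
    findings = []
    try:
        code = int(auth.get("Reason Code", ""))
    except ValueError:
        code = None
    findings.append(f"reason {code}: {REASON_CODES.get(code, 'see NPS reason-code docs')}")
    acct = _mac_digits(user.get("Account Name", ""))
    calling = _mac_digits(client.get("Calling Station Identifier", ""))
    if len(acct) == 12 and acct == calling:
        findings.append("MAB request: account name is the calling-station MAC, so the "
                        "switch sent MAB (PAP), not a user 802.1X logon")
    if auth.get("Network Policy Name") == FALLTHROUGH_POLICY:
        findings.append("request fell through to the built-in catch-all policy; "
                        "the intended policy's conditions did not match")
    return findings
```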

  • WLC 2504 - Issue with using Microsoft NPS for Radius Management Login

    Hello,
    In our environment we like to have our network admins and engineers use their Active Directory credentials when logging into devices, so we can log who logged into which device and whether any changes were made. To do this we use a Server 2008 R2 NPS server with all our routers, switches and ASAs. We recently purchased a WLC to begin adding wireless to our environment. (See WLC_Radius_Config.png and NPS_Radius_Config.png)
    On the WLC, I am able to authenticate in using my AD credentials but when I go to apply any config changes I get a message saying "Authorization Failed. No sufficient privileges." (See error.png) I have a feeling I am missing something small but this is very important to us.
    I checked the Radius server and there are no login errors or NPS errors pointing to the WLC logins. Has anyone else run into this issue or know what I can do to solve it? 
    Thanks,


  • Oracle 11g express --- Wish list --- Match or beat IBM and Microsoft

    Oracle's significant competitors IBM and Microsoft have had support for XSLT and XQuery in their express editions for a while. My wish-list for Oracle 11g express is to match it or even beat it. With increasing adoption of XML a lot of innovation is happening. Oracle is a no-show here.
    I had to switch to DB2 from Oracle to be able to take advantage of the IBM DB2 Express. Along the way, I will end up purchasing their high-end DB2 offering also.
    Later ...
    /rk

    I see Oracle in a dilemma here.
    Oracle 11g SE One Processor Perpetual costs $5,800 - dilute this over 3 years and you have a VERY GOOD database for a VERY affordable price. For small shops, this is a no-brainer over Standard Edition.
    But alas, suppose 11g XE supports 2 CPUs, 2 GB of RAM and 20 GB of storage!
    Let's think about it. A fast, robust, mature, fully-featured database - for FREE. But wait, there's more - APEX is FREE as well.
    XE and APEX make a killer combo. XE's hard-coded limits are cumbersome, but creative DBAs/developers manage to create impressive solutions nonetheless. Without Oracle making a single dollar in licenses.
    Simply put, I think 11g XE with 2 CPUs, 2GB RAM and 20 GB of storage would take away customers from Oracle - those currently buying Oracle 11g SE One Processor Perpetual. OK, XE comes with no support, but still, $0 is less than $5,800. The difference is even more significant in a scenario of economic downturn.
    It will be interesting to see how Oracle handles this.
    Regards,
    Georger
    rober584812 wrote:
    Hi, Oracle's significant competitors are IBM and Microsoft, that is true.
    But Oracle does not seem to care, because its niche is selling software. However, when entering the world of the express editions it should confront its closest competitors by relaxing the limits on Oracle Database XE and removing certain restrictions, to be at the level of DB2 Express-C 9.5, which has no storage limits and uses up to 2 processors and 2GB of RAM.
    As someone suggested in another thread, it is possible that Oracle Database XE is the leader of the Express editions, but it must improve. I think it would be best to enter the world of MacOS and relax the limits of storage, memory and CPU. We must offer something competitive!

  • Blackberry Device Manager can't find 9320 Bluetooth device (even though Bluetooth is switched on and set to Discoverable)

    I want to sync my Blackberry 9320 via Bluetooth to a Windows 7 Professional machine using a Bluetooth adapter. Syncing using USB cable works fine.
    I can Bluetooth pair with the 9320 and also send / receive files to /from the Windows 7 machine. Fantastic !
    HOWEVER, Blackberry Device Manager cannot find the 9320 Bluetooth device (even though Bluetooth is switched on and set to Discoverable) - see screenshots below.
    By the way, I have already tried (amongst other things) "Manually Install RIM Virtual Serial Ports in Microsoft® Windows® 7" on http://www.youtube.com/watch?v=gK2n5dHxGHI. Unfortunately, this does not work - the drivers do load up OK and remove the warning signs when viewed in Windows Device Manager, but Blackberry Device Manager still can't see my 9320.
    Please help !

    I have the exact same problem with my 9360. I have also tried all the fixes I could find on the Internet with no luck. I have posted a request as well. I will let you know if I find a solution. What gets me though is that this appears to be a long standing issue with no obvious fix! Best of luck.

  • Nexus 1000v, VMWare ESX and Microsoft SC VMM

    Hi,
    I'm curious if anybody has worked up any solutions for managing network infrastructure for VMware ESX hosts/VMs with the Nexus 1000v and Microsoft's System Center Virtual Machine Manager.
    There currently exists support for the 1000v and SCVMM using the Cisco 1000v software for MS Hyper-V and SCVMM. There is no such support for VMware ESX.
    I'm curious as to what others with VMware, Nexus 1000v or equivalent and SCVMM have done to work around this issue.
    Trying to get some ideas.
    Thanks

    Aaron,
    The steps you have above are correct; you will need steps 1 - 4 to get it working correctly. Normally people will create a separate VLAN for their NLB interfaces/subnet, to prevent unnecessary flooding of mcast frames within the network.
    To answer your questions
    1) I've seen multiple customer run this configuration
    2) The steps you have are correct
    3) You can't enable/disable IGMP snooping on UCS.  It's enabled by default and not a configurable option.  There's no need to change anything within UCS in regards to MS NLB with the procedure above.  FYI - the ability to disable/enable IGMP snooping on UCS is slated for an upcoming release 2.1.
    This is the correct method until the time we have the option of configuring static multicast MAC entries on
    the Nexus 1000v. If this is a feature you'd like, please open a TAC case and request for bug CSCtb93725 to be linked to your SR.
    This will give more "push" to our development team to prioritize this request.
    Hopefully some other customers can share their experience.
    Regards,
    Robert

  • Word documents have disappeared from my desktop (MacBook Air) and cannot be found anywhere; happened after switching off and re-booting

    Saved Word documents have disappeared from the desktop after saving. The problem seems to occur when the laptop is switched off and then re-started. They can't be found anywhere, e.g. I tried Spotlight, recent documents, etc. Help. Joe

    First, you might as well address the two apparently-minor issues you found:
    Some info on the Epson Scanner Monitor (via searching these forums):
    http://discussions.apple.com/thread.jspa?messageID=8272208&#8272208
    Not sure about the MS Word message, but it looks like you might need an upgrade. I'd check with Microsoft, or perhaps VersionTracker.com.
    Ok, back to the original problem. Does the message have any other text (intelligible or not)?
    Does it give you any options, especially "report"? If so, take it, then look via Console for a crash log.
    What IS in the system log for the sleep/wake time? There should be a System Sleep, followed by a System Wake, and perhaps another line or two. Anything in that area might be helpful.
