Windows XP + Novell + 802.1x + OS X

Hi,
I work for a poor inner-city school district and I've got the above environment. I've inherited the network and the current config is a 64 character WPA2 key. This is untenable and I really need to find a solution using the default supplicant and/or some other fancy footwork to lose the key.
The requirements require me to NOT require the users to authenticate more than once AND to allow them to authenticate wirelessly somehow to allow Novell authentication before granting access to the wireless network. I've played around with ACLs on my WLCs to only allow access to the wireless network to specific servers to grant authentication, but I'm at a loss as to what to do after they authenticate -- other than require them to connect via VPN to get access. This is not ideal, as the CIO is insistent that we NOT impact the users.
Has anyone made this work with the default supplicants and if so, please give me guidance. I'm at a loss and I'm willing to read. ;)
I just wish there was a way to negotiate WPA2 encryption after a webauth or something. That would be so useful.
Thanks ahead of time for any help you can provide.
Thanks!

I'm not sure about non-SLES, but I don't see why not, since you'll be pointing FreeRADIUS at an eDir LDAP server, so the Linux distro doesn't even need to have eDir on it.
Take a look at this:
http://www.novell.com/documentation/edir_radius/index.html
Now keep in mind that ACS does a lot more than just RADIUS authentication, given it has policy control and other options. If you don't need the other stuff ACS does, then FreeRADIUS against eDir will do what you need to do.
I'd also check with your local Cisco rep/SE to see if you can get access to the ACS 5.x beta.
Jeff

Similar Messages

  • Where to download the "Windows 2000 Wireless 802.1X hot fix"?

    From the "Cisco Aironet Wireless LAN Client Adapters Configuration Guide for Windows", it indicates that Windows 2000 can support host-based EAP with the "Service Pack 3 or greater and the Windows 2000 Wireless 802.1X hot fix".
    However, I cannot find the 802.1x hot fix at Microsoft. Please kindly advise how I can download this hot fix. And what is the function of this 802.1x hot fix?
    Thanks!!!!

    Hi!
    Here you have the link to the hotfix:
    http://www.microsoft.com/downloads/release.asp?ReleaseID=45017&area=search&ordinal=1
    Regards
    Fredric

  • After Windows 7 fails 802.1X on wired network

    Hi, I'm testing flex-auth and fail-open, which is the critical VLAN.
    When I FAIL (not time out) 802.1X authentication, the client is not getting an IP address even though the switch initiates MAB.
    What I want to do is provision 802.1X from ISE and use it.
    So the flow is like this:
    1. The supplicant (Windows 7) connects to the network.
    2. The switch and supplicant try 802.1X, but 802.1X is not set up on Windows 7, so it goes to MAB and I am able to open the ISE guest portal.
    3. Log in with AD credentials and install wired 802.1x.
    4. Reconnect to the switch and try 802.1x authentication, but I put in the wrong ID/PW.
    5. After a few times of mis-entering the ID/PW, I could not get an IP from DHCP.
    6. Verified on the switch to see if MAB is initiated, and yes, but could not get an IP address on Windows 7.
    Does anyone know why?

    Your certificate template will have a "renewal period" (for example, 6 weeks). Then, 6 weeks (or whatever the renewal period is) before the certificate is supposed to expire, the workstation will automatically attempt to renew its certificate. As long as the workstation is connected to the domain and has access to the CA at some point during that period, it can update its certificate and hence will not fail authentication.
    Hope that helps.
    Shelly

  • HP iPAQ 5450 with Windows Mobile 2003 802.1x and certificates.......

    This maybe a bit off topic but I am struggling trying to get some answers out of HP.
    We have some HP iPAQ 5450/5550s all running Windows Mobile 2003. To use 802.1x authentication with PEAP or TLS-EAP we need certificates installed on the Pocket PCs. We have a Windows 2000 Active Directory integrated Certificate Authority that publishes certificates to W2K machines OK. Initially HP didn't include any way of importing certificates, but they have released the SDK Certificate Enrolment Tool (enroll.exe). We have tried for several days to get a certificate, but to no avail, and we are struggling to find any information. Has anyone on here managed this? If so, how?
    Thanks
    Andy

    Obviously the Windows CE devices can't be 'members' of the domain, as they would need W2K to do that (create a computer account etc.). The enrollment tool is available from HP's website (software & drivers etc.). Once I installed the enroll.exe tool I modified the enroll.cfg file to request a 'computer' certificate from my CA; this is now installed and appears in 'Settings, System, Certificates'. I have yet to actually test this with a Cisco AP, as I just can't get my hands on one...
    Andy

  • SPS224 and Windows XP SP3 802.1x supplicant problem

    Hi everybody
    We run an MS Active Directory based network (Windows Server 2008, MS NPS as RADIUS server) and have Windows XP SP3 and 7 in it. We have a lot of SPS224s (with the latest SW version 1.0.6) as the access switches, and we are trying to implement 802.1x in our network to authenticate users by their AD domain computer accounts. Also, we want to use dynamic VLAN assignment using RADIUS attributes. The authentication by PEAP-MSCHAPv2 works fine on all workstations, but we have a problem with the dynamic VLAN assignment in case Windows XP machines are used. The problem is that after a successful authentication and VLAN assignment on a switch port, the Windows XP supplicant tries to re-authenticate after several seconds. However, the switch port state remains authorized and the workstation does not lose connection. So, the only problem we see is that the state of the supplicant does not correspond to the switch port state. We have noticed that the problem occurs when the "multiple sessions mode" is used (it is needed to enable VLAN assignment by RADIUS attributes). We have tried the built-in Windows XP SP3 supplicant and Cisco Secure Services Client with similar results. At the same time, the Windows 7 workstation works just fine, without any problems. Has anybody faced this problem with Windows XP and has a workaround? Any help will be appreciated!

    Not exactly sure what could be the problem. It should be working - it's definitely supported (I'm currently typing this via an XP SP3 machine using PEAP WPA2/AES via WZC). The only things I can think of to check are:
    - Make sure your wireless drivers are up to date *this is a must*
    - Make sure the other supplicant is completely disabled (uninstall it if you really need to rule it out)
    - Try disabling the server certificate check in the WZC profile for this network (do you know for sure that your laptop trusts the IAS server's certificate)?
    - Are you doing machine or user authentication for PEAP - make sure you have the WZC profile properly configured
    - Are you 100% sure that you've configured everything properly for the network (WPA vs WPA2? AES vs. TKIP? etc.)

  • Windows 2012 r2 802.1X MAC Address bypass configuration

    I am setting up MAB for my environment and I want to make sure I am setting it up correctly, as I see some articles stating there is a reg edit needed and others that don't mention it at all.
    I have Dell PowerConnect switch with 802.1X authentication working for my Domain Computers.
    I now want to allow non-802.1x capable devices to be assigned the correct vlans (Printers, IP Phones, etc).
    I have created a user account in AD for the device, using lowercase MAC Address for the username and password.  
    I have set the switchport to allow MAB
    I have created a NPS Network Policy for one of the devices and assigned the groups it belongs to and set Authentication Method to: Unencrypted (PAP,SPAP).
    I keep receiving this error in the logs "The user attempted to use an authentication method that is not enabled on the matching network policy"
    Does anyone have advice or can direct me to a nice guide/checklist of all the areas that need to be set to allow this to happen?

    You've posted in the Print/Fax forum, but I can see you've also posted in the NAP forum. You'll likely get a better response over there, so maybe you should delete this question in here..
    Don

  • Windows 7 x64 802.11n Wireless LAN Card #2 Randomly stops working

    Hello, I've had a recurring issue with my network card over the past 2 weeks; it randomly started after I received a Windows update. Often as I'm playing a game / surfing the web I will experience a moment where I lose all connectivity and my wireless connection is telling me it is "Limited connectivity". When this happens, if I go to my Device Manager and scan for hardware changes to my network adapters, my Wireless LAN Card adapter disappears; after scanning a couple more times it will return and I will regain all of my connectivity, and the issue will not happen again until I reboot my computer.
    I'm not sure how I can fix this, as I have opened my computer to check if the network card was loose, and everything seems like it should be working properly. It is also strange that it began occurring after an update.

    Download and install the latest Wireless LAN Card driver from the website of the manufacturer.
    S.Sengupta, Windows Entertainment and Connected Home MVP

    Turned out that the manufacturer switched websites, which must have messed up something with the auto updating. Thanks.

  • Share Windows 8 Printers 802.1X (WLAN)

    Regards,
    I have had some difficulties sharing printers on Windows 8.
    Specifically it is this:
    I have the shared printer "a" on the computer "1".
    When the user closes the session on the computer "1", users who are using the share lose access (which from my point of view is normal).
    The question is this:
    What strategy could I use to continue sharing this resource even if the user closes the session?
    I have 3 options in mind:
    The first is to use the advanced adapter properties and save the user login credentials.
    The second is to authenticate the computer as such in the domain.
    The third, and the least advisable (for cost), is wireless print servers installed in each of the printers.
    Or is there any other way to solve this, and what would be the most convenient?
    Waiting for your comments
    Sincerely

    We use the computer authentication mode to be sure that the client is a domain PC and managed by us. And I see that it is connected without a login, so I would give that option a try in your case. You should be able to test that easily with a test SSID and corresponding RADIUS setup.

  • 802.11n with Bootcamp and Windows xp

    My 13 inch MacBook connects to my AirPort network at 802.11n 5GHz dual bandwidth using OS X, but only 802.11g works when using Boot Camp and Windows. My 802.11n network shows up on Windows as an available network and I can type in my network password, but it won't make the connection. Is 802.11n automatically active with Boot Camp? I am able to connect at 802.11n speeds to my network using my work's Windows laptop and a Linksys 802.11n USB card, so I know it works.

    Boot Camp forum.
    https://discussions.apple.com/community/windows_software/boot_camp

  • Auth-Fail Feature and Windows 802.1x Supplicant Compatibility

    As per the Cisco IOS design, when authentication fails the switch sends a simulated EAP-Success message to the client so that DHCP can be implemented by the client, taking into consideration that the dot1x auth-fail command is configured.
    However we have noticed that when using the built-in Windows XP SP2 802.1x supplicant and authentication fails, the Windows supplicant does not like this Cisco simulated EAP-Success message and drops the packet, therefore never re-initiating the DHCP process.
    I have attached the Microsoft supplicant log indicating the dropped EAP-Success.
    We are using catalyst 3750 with IOS 12.2(25)SEE. We have also tried release 12.2(35)xxx but issue persists.
    Your suggestions would be appreciated.
    Thank You,
    ET

    An EAP-Failure is by design. This occurs on all failures. The session fails rather normally. After the third (default, but configurable) successive failure, the port is conditionally enabled (and placed in the auth-fail VLAN) even though 1X is configured and operating.
    At this point, it's up to the supplicant to access the network if it wants to, since the port has been enabled. Without the notion of a controlled port on a supplicant, there's no reason it shouldn't try and access the network ;-).
    Once a workstation is authorized on the network, and then subsequently fails for whatever reason and is put on the auth-fail VLAN, then it's also up to the machine to renew its IP if it needs to. Optionally, you can configure the auth-fail VLAN to be the same as your default VLAN. I guess it's worth pointing out that you'd have this problem without 802.1X (changing VLANs on the fly, for example). Some supplicants can deal with this, though.
    If an EAPOL-Logoff does not come from a supplicant (and it doesn't by default with Windows XP) then there's nothing to get the port out of the auth-fail VLAN either (short of link down). You can configure this through the registry, though. So the answer to your earlier question was no, it shouldn't.
    I'm not sure I understand the "IB" and "OOB" references here though.
    Hope this helps,
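The EAP-Success, EAP-Failure and EAPOL-Logoff messages discussed in this reply can be checked directly in a supplicant log or packet capture. The following decoder is an added example for this thread, not code from the original posts or from Cisco; it parses the EAPOL header and the EAP packet it carries, and the sample frames it decodes are constructed by hand rather than taken from the poster's log.

```python
"""Decode IEEE 802.1X EAPOL frames and the EAP packets inside them.

Added example for this thread (not code from the original posts or from
Cisco): it lets you read the EAP-Success / EAP-Failure and EAPOL-Logoff
messages discussed above from a raw capture. The sample frames below are
constructed by hand, not taken from the poster's supplicant log.
"""
import struct
from typing import Optional

# EAPOL packet types (IEEE 802.1X, byte 2 of the EAPOL header)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
# EAP codes (RFC 3748); only Request/Response carry a method type byte
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few method types commonly seen in Windows supplicant logs
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MSCHAPv2"}


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL frame (everything after the Ethernet header).

    EAPOL: version (1 byte), packet type (1), body length (2, big-endian).
    EAP:   code (1), identifier (1), length (2), then method type (1) and
           data for Request/Response; Success/Failure are exactly 4 bytes.
    Raises ValueError on truncated or inconsistent lengths.
    """
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("EAPOL body shorter than declared length")
    result = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype != 0:          # Start, Logoff and Key frames carry no EAP packet
        return result
    if len(body) < 4:
        raise ValueError("truncated EAP header")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > len(body):
        raise ValueError("EAP length inconsistent with EAPOL body")
    eap = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": eap_len}
    if code in (1, 2):      # Request/Response: a method type byte follows
        if eap_len < 5:
            raise ValueError("Request/Response without method type")
        eap["method"] = EAP_METHODS.get(body[4], f"type({body[4]})")
        eap["data"] = body[5:eap_len]
    result["eap"] = eap
    return result


def build_eapol(ptype: int, body: bytes = b"", version: int = 1) -> bytes:
    """Build an EAPOL frame around an optional body."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def build_eap(code: int, ident: int, method: Optional[int] = None, data: bytes = b"") -> bytes:
    """Build an EAP packet; Success (3) and Failure (4) have no method byte."""
    payload = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


# Constructed exchange: identity request/response, the EAP-Success the
# thread discusses, then an EAPOL-Logoff from the supplicant.
SAMPLE_FRAMES = [
    build_eapol(0, build_eap(1, 1, 1)),                      # EAP-Request/Identity
    build_eapol(0, build_eap(2, 1, 1, b"host/pc1.school")),  # EAP-Response/Identity
    build_eapol(0, build_eap(3, 2)),                         # EAP-Success
    build_eapol(2),                                          # EAPOL-Logoff
]


def summarize(frames) -> list:
    """One short line per frame, e.g. 'EAP Success id=2' or 'EAPOL-Logoff'."""
    out = []
    for frame in frames:
        parsed = parse_eapol(frame)
        eap = parsed.get("eap")
        if eap is None:
            out.append(parsed["type"])
        elif "method" in eap:
            out.append(f"EAP {eap['code']}/{eap['method']} id={eap['id']}")
        else:
            out.append(f"EAP {eap['code']} id={eap['id']}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_FRAMES):
        print(line)
```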

  • Date concatination to export file name on windows / Novell

    Hi everybody,
    I need a utility which can add the date at the end of an export file. How is it possible in DOS/Windows/NT/Novell?
    eg: exprod.dmp --- exprod07122002.dmp
    Thanks

    If you're invoking export with a shell script you could do something like:
    exp file=exp%date%.dmp <other options>
    If you want to format the date you need to do something ugly like:
    setlocal
    rem In a US locale "date /t" prints e.g. "Tue 12/07/2002"; split it on "/" and space.
    for /F "tokens=1-4 delims=/ " %%i in ('date /t') do (
        set DayOfWeek=%%i
        set Month=%%j
        set Day=%%k
        set Year=%%l
    )
    rem Builds e.g. exp07122002.dmp
    exp file=exp%Day%%Month%%Year%.dmp <other options>
    endlocal
    -Antti

  • Problems with 802.1x,ACS and Windows Server 2000

    Hi,
    My components: ACS 3.3 running on a server with Windows 2000 Server SP4, 2950 Catalyst (AAA client),
    Laptop with Windows XP SP2 (802.1x client)
    I have everything configured according to the Cisco documentation, but I am getting one error in the ACS's log (Failed Attempts active.csv):
    Authen-Failure-Code : EAP-TLS or PEAP authentication failed during SSL handshake
    I have a valid certificate on my RADIUS (ACS) server, and for machine authentication I have a valid certificate on my laptop. (I have installed this certificate before I started to log in at the 802.1x port of the switch.)
    Does anyone have any idea what the problem is?
    Here is the Config of the Catalyst 2950 if that will help:
    version 12.1
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname ACS-Client1
    aaa new-model
    aaa authentication dot1x default group radius
    enable secret xxxx
    username xxxx privilege xxx password xxx
    ip subnet-zero
    ip ssh time-out 120
    ip ssh authentication-retries 3
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    dot1x system-auth-control
    interface FastEthernet0/13
    switchport mode access
    dot1x port-control auto
    dot1x timeout quiet-period 3
    dot1x timeout reauth-period 1
    dot1x reauthentication
    interface GigabitEthernet0/2
    interface Vlan1
    ip address 10.10.3.253 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.3.254
    ip http server
    radius-server host 10.10.3.1 auth-port 1812 acct-port 1813
    radius-server retransmit 3
    radius-server key radius
    line con 0
    password xxx
    line vty 0 4
    password xxx
    line vty 5 15
    password xxx
    end

    Yes, we got to solve this problem. Because it is only a test scenario, we installed everything new: Win2000 Server SP4, the certificate service and WinXP on the client.
    The config of the switch is OK; we set the reauth-period and quiet-period to default.
    Then we tested the whole configuration with the IAS RADIUS (MS). After this we installed the ACS, following this document (certificates were already installed):
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml
    Attention, we used the AEGIS Client not the XP Client!

  • Wireless authentication to a windows network

    If this is the wrong group please let me know and I will re-post...
    I am trying to solve some problems authenticating to a Windows network using an AirPort card...
    I keep getting a non-trusted certificate message after/during the 802.1x authentication box. We are not using certificates, at least that is what the admin tells me... so I have logged in as root, opened Keychain and set the certificates in question to trust always for all settings... I log out and then relogin as a normal network account and I still get the message, which I can click continue on and then I have access.
    The other problem is that my home folder will not mount... I have to mount it manually through the Finder. I am assuming this is because the AirPort network services are not running until I authenticate locally with a cached password... Is there a way to have the login window authenticate through AirPort so I can have my home directory mount automatically?
    thanks for your help...

    Unfortunately there are several problems with the solution, and it really doesn't address the issue. I can't mount the volume on the Dock as it won't mount, probably because it is the server itself that has been mounted, not the shared home folder. Also it might create a conflict by having an alias to the home folder that would conflict with the auto-mounted home folder when I use the Ethernet as a connection source. What I have is a multi-purpose machine.
    1) I use a hardwired connection at my desk...
    2) If I need to go somewhere that a port in the wall is not active, I can then use a wireless connection which allows me access to everything I need...
    What I need to do is get this working so that the rest of the area can use it as well...
    So the question still remains: Does the wireless authentication not mount the home directory because it is not tied into the login window? For example, in a hardwired case I log in to the system and this authenticates me and mounts my home folder. When I unplug the Ethernet cable, turn on AirPort and log off, I log in at the login window but the 802.1x box comes up and asks for my password... which then brings up a not-trusted certificate. I have tried everything I know to make this accepted by the system, including logging in as root and going into Keychain and setting it to be trusted. This DOES not work. I still get the untrusted certificate message and the home directory does not mount. So what I need is someone who is authenticating to a Windows network using wireless. I have followed all the 802.1x suggestions, which include using only PEAP to authenticate through.
    I hope someone can tell me how to stop the untrusted certificate error and how to mount the home directories. It would seem that there should be some type of setting to make AirPort start up prior to the login window, or be hooked into the login window and pass that through to the wireless authentication. This is beyond my experience, as you can see...
    thanks

  • Cisco ISE: HotFix and Timers for 802.1x (EAP-TLS)

    Hi,
    I found the below hotfix to be set:
    http://blogs.technet.com/b/jeff_stokes/archive/2013/01/24/20-minute-delay-deploying-windows-7-on-802-1x-fix-it-here.aspx
    Kindly let me know what the best time to set on it is. It says 20 minutes. Also, I want to know what the corresponding configuration needs to be on the switch and ISE to reflect it, or whether it doesn't need one.
    Thanks,
    Regards,
    Mubasher Sultan

    Hello Mubasher,
    Many timers can be modified as needed in a deployment. Unless you are experiencing a specific problem where adjusting the timer may correct unwanted behavior, it is recommended to leave all timers at their default values except for the 802.1X transmit timer (tx-period).
    The tx-period timer defaults to a value of 30 seconds. Leaving this value at 30 seconds provides a default wait of 90 seconds (3 x tx-period) before a switchport will begin the next method of authentication, and begin the MAB process for non-authenticating devices.
    Based on numerous deployments, the best-practice recommendation is to set the tx-period value to 10 seconds to provide the optimal time for MAB devices. Setting the value below 10 seconds may result in the port moving to MAC authentication bypass too quickly.
    Configure the tx-period timer:
    C3750X(config-if-range)#dot1x timeout tx-period 10

  • 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

    I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication only, for wireless security.
    We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.
    I push out the wireless clients' settings via group policy, and the clients are using WZC.
    Every now and then, a client will be unable to authenticate/validate during the authentication phase.
    Some clients this will never happen to, and a few it will happen to repeatedly.
    To fix this I have to hard-wire the computer and do a gpupdate, even though the computer already had the updates applied previously and is still part of the domain.
    Many of our classrooms lack network drops, so wireless is the best for us.
    Except for this one downfall, it is working great. Any help is appreciated.

    Hi Ryan,
    Thanks for posting here.
    Could you discuss the situation that you mentioned, "a client will be unable to authenticate/validate during the authentication phase. Some clients this will never happen to and a few it will happen repeatedly.", in detail? Can you verify if there is any error or warning related to this authentication issue recorded in the event log on the client and RADIUS server?
    Only certain computers are facing this issue, or all?
    What OS is running on these client computers?
    According to the situation right now, I'd like to share some suggestions with you:
    1. An 802.1x client may fail to connect to a RADIUS server if the Trusted Root CA certificate that issued the RADIUS server certificate is not installed on the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab, click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card, on all clients. PEAP-MS-CHAPv2 requires the installation of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
    2. Verify that RADIUS is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the RADIUS server Properties dialog.
    3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
    4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly, if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies, and the machine password expiration will not be updated, since the user will only be able to log on with cached credentials. If you use a smart card for authentication, you can only perform user authentication, because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer authentication.
    5. Examine the wireless trace logs captured and search for the keywords error, failed, failure, or rejected. This should give an indication as to what point in the authentication process the failure occurs.
    Meanwhile, I'd like to suggest you start troubleshooting by following the guides below and see if they help:
    Windows Server 2003 Wireless Troubleshooting
    http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
    Troubleshooting Windows Vista 802.11 Wireless Connections
    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
    Thanks.
    Tiger Li
    TechNet Subscriber Support in forum

    Random computers running Windows XP have this problem. It does not happen to all of them at once.
    It is very random. A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is "attempting to authenticate" and it never makes the connection.
    I checked if logging is turned on, and I can see successful events from computers that are working.
    I can also see failed events from computers that are not ours that tried to connect to our wireless.
    However, for the computers that are having this problem there are no logged events.
    It is as if they don't even communicate with the server.
    Other clients on the same AP are working fine. I restarted the IAS service and the RADIUS clients, but this did not help.
    I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled.
    I did notice that the firewall is also turned on through group policy when the domain is not available.
    Do you think the firewall is blocking the communication?
    I added an exception for port 1812 UDP and this did not make a difference.
