Wired 802.1x hardware compatible checklist

Hi forumers,
Would like to check what kind of access switch supports wired 802.1x; does Cisco have a hardware compatibility checklist for it?
Backend RADIUS server would be Cisco ISE. Business requirement is to be able to support FlexAuth.
Current infrastructure access switches:
a. Linksys switch
b. ESW 540
c. Cisco 2950 switch
Thanks
Noel

I have a supplemental question regarding the 2003 update (KB968730). I have a Kace KBOX that we do patching/inventory of our servers with, and it tells me that all of our 2003 servers are patched with KB968730. However, when looking at one of the 2003 servers, I didn't see KB968730 in the updates list, nor in the registry. After some research, it appears that the crypt32.dll file on the server is already a newer version than the one in KB968730 (it contains the version of crypt32.dll from MS14-049 in August 2014). I went ahead and installed KB968730 anyway on the server, and it now shows up in the updates list. However, the crypt32.dll file was unaffected on the machine since it was already newer.
Upon reading the install log for KB968730, it seems that all the update did was add registry keys to say that KB968730 was installed, but it did not replace the crypt32.dll file, and no reboot was needed.
I believe this will be the case for all of my 2003 R2 servers. With the actual payload of KB968730 being crypt32.dll (and wcrypt.dll for x64), and those files already being newer on my servers than what is in KB968730, would it just be considered SHA2 supported... or would the presence of the reg keys that state the hotfix is installed be needed (sounds pointless to me)?
EDIT: Not to mention that the KB968730 update never specifically mentions 2003 R2, just 2003. The install log shows failures during file version checks and other lines, so it really looks like it simply added the registry info for the hotfix and that's all.

Similar Messages

  • Wired 802.1x with PEAP

    I have managed to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single sign-on can be achieved.
    Setup:
    C3750 switch - Cisco ACS 3.2 - Windows AD
    Sequence of events:
    1. 802.1x machine authentication
    2. User logs in to domain
    3. 802.1x with user credentials
    But, I have the following issues:
    i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
    ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
    Any solution for this?
    Tks

    2 issues here:
    * Cached credentials for Microsoft supplicants. Microsoft's authentication strategy in general reflects this, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
    * Failed authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do (this can be verified by a sniffer trace or debugs). Corresponding logs on RADIUS would help as well.

  • Eap-tls wired 802.1x - certificate issue?

    I have configured ACS 4.0 and an 2003 Enterprise root CA on the same server, successfully applied the GPO to auto-enroll machines with Computer certificates, and then enabled 802.1x security on Catalyst 3750s. Note this is for wired 802.1x.
    If I reboot the machine, the EAP packets go through and you can see a successful authentication in the "Passed Authentications" log. However, if you disconnect the wire and then plug it back in, Windows gets stuck in "Validating Identity", and eventually a balloon pops up saying: "Windows was unable to find a certificate to log you on". Doing a 'sh dot1x interface ...' shows it is CONNECTING until the auth timeout is reached, then it dumps the workstation into the guest VLAN. Nothing is logged to Passed Authentications or Failed Attempts on the ACS server.
    Basically, the only time the EAP-TLS machine authentication works is when you reboot the machine. And if you change the state of the port, either by disabling/enabling from the workstation or switch, or unplugging the cable and plugging it back in, Windows does not seem to pass the certificate information along to the PAE.
    This does not seem to happen when a user/client certificate is issued, only when it is a machine/computer certificate.
    Has anybody seen this before and have any solutions why Windows cannot recognize the machine certificate properly?

    We solved our WIRELESS problem by editing the following entries. I'm sure this can be applied to the wired side somehow.
    The information about the correct settings can be found in this Microsoft document:
    http://technet2.microsoft.com/WindowsServer/en/library/8e74974f-c951-48ce-8235-02f4ed8e74921033.mspx?mfr=true
    The areas of interest are the SupplicantMode (EAPOL-Start Message) and AuthMode (what type of authentication to use) registry entries. These can be configured manually in the registry or applied via Group Policy.
    This allows just the machine to authenticate (using a cert already on the machine); then we use our ACS server to auth the user via AD.
    I am doing this wirelessly, and as long as you are using a WDS the following will be the result.
    Roaming AP to AP I only lost 1 packet.
    Roaming from Vlan to other Vlan I lost 5 packets (Different ip address)
    Shutting the wireless off and back on I only lost 8 packets.
    I thought this was a very good result. We will be launching our lab with 35 plus laptops in a classroom with 2 radios.

  • ACS 5.1 Failure: 5411 EAP session timed out -- Wired 802.1X, machine-authentication

    Hi guys,
    I have a strange error here and I'm really disappointed.
    We currently try to do "Wired-802.1X" with our Windows XP SP3 clients with EAP-TLS and "machine-only" authentication.
    We use ACS 5.1 to authenticate the clients. At about 50% of the clients authentication works fine.
    At the other clients we can see a strange error at the ACS.
    At the Reports page --> "Authentications - RADIUS - Today" we see that a client is trying to authenticate, but this fails with the Failure Code: 5411 EAP session timed out.
    Report row (only the populated columns):
    Logged At: Sep 2,10 3:37:46.916 PM
    Access Service: Wired_802.1X_EAP-TLS
    Authentication Method: EAP-TLS
    ACS Instance: svacs01
    Failure Reason: 5411 EAP session timed out
    Steps
    11001  Received RADIUS Access-Request
    11017  RADIUS created a new session
    Evaluating Service Selection Policy
    15004  Matched rule
    15012  Selected Access Service - Wired_802.1X_EAP-TLS
    11507  Extracted EAP-Response/Identity
    12500  Prepared EAP-Request proposing EAP-TLS with challenge
    11006  Returned RADIUS Access-Challenge
    5411  EAP session timed out
    At the switch I used "Authentication Open" to get the client working and capture traffic with wireshark.
    Switch --> Request Identity --> Client
    Switch <-- Response Identity <-- Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request EAP-TLS --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    Switch --> Request Identity --> Client
    What is missing is the Switch <-- Response EAP-TLS <-- Client
    Any ideas what is going wrong? Maybe someone had this error before?
    Any suggestions how to debug this?
    Thank you very much for your help!
    Mathias

    Hi @all,
    I have this issue too. It occurs in our wireless environment. The problem for me is that I don't know which client (or clients) causes the error. The error occurs many times per day.
    Report row (only the populated columns):
    Logged At: Sep 7,10 11:50:36.143 PM
    Access Service: dot1x wireless
    Authentication Method: PEAP
    ACS Instance: bfnetacs01
    Failure Reason: 5411 EAP session timed out
    Kind regards,
    Michael
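    The trace Mathias posted above can be checked mechanically. The script below is an added example, not code from either post or from Cisco: it parses capture lines in the same "Switch --> Request EAP-TLS --> Client" shape (the sample trace is constructed to mirror his) and reports which EAP request the supplicant never answered.

```python
import re
from collections import Counter

# Constructed sample trace, in the same shape as the capture in the post above.
TRACE = """\
Switch --> Request Identity --> Client
Switch <-- Response Identity <-- Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request EAP-TLS --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
Switch --> Request Identity --> Client
"""

LINE_RE = re.compile(
    r"^Switch\s+(-->|<--)\s+(Request|Response)\s+(\S+)\s+(?:-->|<--)\s+Client$")


def parse_trace(text):
    """Turn trace lines into (direction, kind, method) tuples."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised trace line: %r" % line)
        arrow, kind, method = m.groups()
        direction = "to_client" if arrow == "-->" else "to_switch"
        events.append((direction, kind, method))
    return events


def find_unanswered(events):
    """Count requests the switch sent without getting a matching response
    before it sent the next request (or before the trace ended)."""
    unanswered = Counter()
    pending = None  # method of the request currently awaiting a response
    for _direction, kind, method in events:
        if kind == "Request":
            if pending is not None:
                unanswered[pending] += 1
            pending = method
        elif kind == "Response" and pending == method:
            pending = None
    if pending is not None:
        unanswered[pending] += 1
    return dict(unanswered)


def diagnose(text):
    """Summarise at which EAP step the supplicant stopped answering."""
    events = parse_trace(text)
    unanswered = find_unanswered(events)
    answered = Counter(m for _d, k, m in events if k == "Response")
    if not answered:
        verdict = "supplicant silent: no EAPOL response at all from the client"
    elif unanswered.get("EAP-TLS") and not answered.get("EAP-TLS"):
        # Identity was answered but EAP-TLS never was, so the RADIUS server
        # waits on its Access-Challenge until its EAP session timer expires
        # (the 5411 failure in the ACS report) and the switch falls back to
        # Request Identity. The client's EAP-TLS settings, not the server,
        # are the place to look.
        verdict = ("supplicant answered Identity but never answered EAP-TLS: "
                   "check the client's EAP-TLS method and machine certificate")
    else:
        verdict = "no unanswered EAP-TLS request in this trace"
    return {"unanswered": unanswered, "answered": dict(answered),
            "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(TRACE).items():
        print("%s: %s" % (key, value))
```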

  • Wired 802.1x re-authentication passes but no connectivity after 1 hour

    I am testing wired 802.1x with the desired behavior of machine auth with user auth. I have a 6509 CAT OS 8.3(5) using the dot1x global defaults, 2 laptops one is XP SP1 and XP SP2 both with AuthMode=1 and SupplicantMode=3 with windows update as of 02mar2005. Active Directory. ACS SE 3.2 using vlan assignment. Have tested PC and user in different vlans and it works fine.
    1st observation:
    The initial EAP authentication is good. Every hour there is an EAP request with a final result of success in the packet trace. The switch shows connected dot1x-123. The ACS log shows the passed re-authentication. Everything looks good but both laptops lose connectivity 1 hour after the first authorization. If I issue "set port dot1x initialize" or enable/disable the port the process starts over.
    2nd observation:
    I can connect with Remote Desktop. There are 2 EAP start frames then the port becomes unauthorized about a minute later.
    Any ideas?

    No. I am still waiting on Cisco to address the 1st observation. Does it occur on your 6506 8.4(2)? I see it also in my 6509 with 8.4(2). I find it interesting that it works in my end-of-life 2948g switch 8.2(1)GLX.
    The MS supplicant defaults for WIRED are authmode=1 and supplicantmode=2. Remote Desktop works in their default WIRED mode.
    At this point I am content controlling machine access until dot1x matures. Cisco ACS has a machine access restriction feature that authorizes the port after a successful User Auth. I have found that if enabled, a successful Machine Auth will be unauthorized when logged in with a local account. If disabled, the local account is authorized b/c MA has only occurred.

  • ISE : error on wired 802.1x deployment

    Hi,
    I got this error message when I tried to do wired 802.1x; the identity source is Active Directory.
    I'm just curious: I already enabled 802.1x on the PC LAN port, but I just found that the authentication method shown on ISE is MAB!!!
    any clue?
    Thanks
    Noel

    Hello,
    Please check this link for "802.1x using Cisco ISE", it may help you in this.
    https://supportforums.cisco.com/docs/DOC-29409

  • Wired 802.1x EAP-TLS Server Certificate Problem

    I have setup wired 802.1x authentication using EAP-TLS with ACS 3.3 and backend link to Active Directory. Root CA certificates are installed on the ACS and Client PC. Machine certificates and user certificates are also installed on Client PC. A Server certificate is installed on the ACS. All has been configured as detailed on the Cisco Web Site (numerous documents).
    If I set the client to authenticate the server's certificate I get a failure. The client's log (Cisco Secure Services Client) states:
    11:48:53.088 Validating the server.
    11:48:53.088 Server list is empty, trusted server can not be validated.
    11:48:53.088 Server list is empty, trusted server can not be validated.
    11:48:53.088 The server certificate is invalid, the common name ACS-One.rotherham.gov.uk does not match.
    11:48:54.776 Port state transition to AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_ERR_SERVER_TLS_CERTIFICATE_REJECTED)
    11:48:54.776 The authentication process has failed.
    If I look at the Auth log on ACS (set to full logging) it states:
    AUTH 08/27/2008 14:09:04 I 0701 1492 AuthenProcessResponse: process response for 'paul.kyte@domain' against Windows NT/2000
    AUTH 08/27/2008 14:09:04 E 0350 1492 EAP: TLS: ProcessResponse: SSL handshake failed, status = 3 (SSL alert fatal:bad certificate)
    If I configure the client to not check the server's certificate it all works ok.
    Can anyone tell me why my server certificate is getting rejected?
    Thanks,
    Paul

    If Cisco Secure ACS runs on a member server and any user is to be authenticated using EAP-TLS, you must complete additional configuration in Active Directory of the domain containing Cisco Secure ACS. The username that you configured to run all Cisco Secure ACS services must also have permission to read user properties in Active Directory, else EAP-TLS authentication fails.

  • ISE Wired 802.1x with Foundry access switch ,not show "Device Port"

    Our customer wants to enable wired 802.1x for user and machine authentication on a Foundry switch.
    They want to use ISE as the RADIUS server. We tried it, but the ISE report can't show which port the client is connected to on the switch.
    We got the tcpdump packets from ISE. It shows that the "nas-port-id" RADIUS attribute is not sent out by the Foundry switch, but it sends "nas-port".
    Is it possible to let the Foundry switch send the "nas-port-id" attribute in the RADIUS request packet?
    Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
    Thanks.
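    The difference the tcpdump above showed (NAS-Port present, NAS-Port-Id absent) can be checked directly on the RADIUS bytes. The decoder below is an added example, not code from the thread, from Foundry or from Cisco: it frames constructed Access-Requests in RFC 2865 format and reports whether NAS-Port (type 5) and NAS-Port-Id (type 87) are carried; the two sample packets are constructed, not captured.

```python
import struct

# RADIUS attribute types (RFC 2865; NAS-Port-Id is from RFC 2869).
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5        # integer: switch-internal port index
NAS_PORT_ID = 87    # string: human-readable port name, what the ISE report displays


def build_access_request(attrs, ident=1):
    """Frame an Access-Request (code 1) from a list of (type, bytes) attributes.
    The 16-byte authenticator is zeroed: this is a constructed packet for
    decoding practice, not something a real NAS would emit."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 1, ident, 20 + len(body))
    return header + bytes(16) + body


def decode_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header; returns [(type, value)]."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    out, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def port_identification(packet):
    """Report how the NAS identified the port in this request."""
    attrs = dict(decode_attributes(packet))
    nas_port = struct.unpack("!I", attrs[NAS_PORT])[0] if NAS_PORT in attrs else None
    nas_port_id = (attrs[NAS_PORT_ID].decode("ascii", "replace")
                   if NAS_PORT_ID in attrs else None)
    # Per the post above, ISE's authentication report shows the port only
    # when NAS-Port-Id is present; NAS-Port alone is not displayed.
    return {"nas_port": nas_port, "nas_port_id": nas_port_id,
            "has_nas_port_id": nas_port_id is not None}


# Constructed: a request that, like the Foundry one in the post, carries
# only NAS-Port ...
FOUNDRY_STYLE = build_access_request([
    (USER_NAME, b"host/pc01.example.test"),
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 2])),
    (NAS_PORT, struct.pack("!I", 5)),
])
# ... and one that also carries NAS-Port-Id with the interface name.
WITH_PORT_ID = build_access_request([
    (USER_NAME, b"host/pc01.example.test"),
    (NAS_IP_ADDRESS, bytes([10, 0, 0, 3])),
    (NAS_PORT, struct.pack("!I", 50105)),
    (NAS_PORT_ID, b"GigabitEthernet1/0/5"),
])

if __name__ == "__main__":
    print("foundry-style:", port_identification(FOUNDRY_STYLE))
    print("with NAS-Port-Id:", port_identification(WITH_PORT_ID))
```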

    Our customer wanna enable wired 802.1x for user and machine authentication on Foundry Switch.
    They want to use ISE as radius server.We try it ,but the ISE report can't show which port the client is connectd on the switch.
    We get the tcp dump packets from ISE.It shows that the "nas-port-id" radius attribute is not sent out by  foundry switch,but it sends "nas-port".
    Is it possible to let foundry switch send "nas-port-id" attribute in the radius request packet ?
    Or is it possible to let ISE show "nas-port" attribute value on the authentication report ?
    Thanks.

  • RADIUS failover not working in wired 802.1x (CATOS switch)

    I am setting up a pilot group for wired 802.1x testing. I have it working correctly on a C2950 and C3550s. I am having trouble with the RADIUS failover on my CATOS C4006 series switches. When I disable the primary RADIUS Server to test failover, the switch never fails over to the backup RADIUS server and thus wired 802.1x fails. Am I missing something?
    Any help is appreciated. Here is my config:
    #version 8.4(7)GLX
    #radius
    set radius server 10.30.XX.XX auth-port 1812 primary
    set radius server 10.18.XX.XX auth-port 1812
    set radius timeout 30
    set radius key EE08361
    set dot1x system-auth-control enable
    set port dot1x 5/27 port-control auto
    all radius and dot1x settings are at their default values
    Any takers??!

    I have the same setup as yours. I use Steelbelt radius 6.0.1 on Linux and I have a Cisco 2960 Catalyst. I use 802.1x over Ethernet with PEAP, as seen below:
    C2960#sh run int g0/23
    Building configuration...
    Current configuration : 133 bytes
    interface GigabitEthernet0/23
    switchport mode access
    dot1x pae authenticator
    dot1x port-control auto
    dot1x guest-vlan 668
    end
    C2960#
    C2960#sh run | inc dot
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    C2960#sh run | inc radius-
    radius-server host 192.168.15.10 auth-port 1812 acct-port 1813 key xxx
    radius-server host 10.250.97.26 auth-port 1812 acct-port 1813 key xxx
    C2960#
    Everything works, and when I shut down the radius server process on host 192.168.15.10, "sbrd stop", it still works with the secondary radius server 10.250.97.26.
    The difference between yours and mine is that I am running IOS instead of CatOS.
    System image file is "flash:c2960-lanbasek9-mz.122-25.SEE4.bin"
    David

  • FlexConnect Access Point - Wired 802.1X or MAB Authentication

    Hi all,
    We are piloting wired 802.1X but have hit a snag - FlexConnect AP switchport configuration requires the port be configured as trunk, with the native VLAN for management and access VLAN(s) for client data.
    I know 802.1X cannot be configured on trunk port, but how can we configure MAB on trunk ports such as these?
    Otherwise, is there another way we can authenticate these FlexConnect APs on a switch using ISE?
    Thanks in advance.
    Regards,
    Stephen.

    Hi Stephen. You are correct, 802.1x should not be configured on a trunk port. Moreover, you would run into an issue with clients if you are running local switching mode. Here is the flow:
    1. AP, authenticates via MAB and profiling
    2. Client authenticates via PEAP/EAP-TLS, etc
    3. Now the client's traffic is locally switched; thus the client MAC address shows up on the same port where the AP is connected. The NAD (switch) sees this new MAC address and expects it to perform 802.1x- or MAB-based authentication. The supplicant, however, does not know that, and as far as it is concerned it was already authenticated.
    So I have run into this issue in my deployments and you have the following options (listed in preference order):
    1. Eliminate FlexConnect :)
    2. Utilize AutoSmartPorts where:
    - If an AP is connected, then 802.1x configuration is removed, port-security is enabled and locked to a single MAC address and trunk configuration is enabled
    - If the AP is removed, then port is configured as standard access port, port-security is removed and 802.1x is configured
    More info on auto smart ports:
    http://www.cisco.com/c/en/us/td/docs/switches/lan/auto_smartports/15-0_1_se/configuration/guide/asp_cg.html
    3. You can configure the port in a "multi-host" mode where after the first device is authenticated all subsequent devices are allowed on the network.
    Hope this helps!
    Thank you for rating helpful posts!

  • Wired 802.1x automation

    I have a Wired 802.1x network.
    When I configure the 802.1x setting for the connection and click 'connect' everything works fine.
    However I need to click that same connect button in network preferences every time I reboot or logout.
    This is a multi-user environment, so I am using a System login profile, and there is no directory integration here as this is a uni. As a result I must use a User profile.
    This problem is present on 10.4 with internet connect as well as 10.5.
    Any help would be greatly appreciated.

  • Wired 802.1x logon-scripts don't run

    I tested wired 802.1x authentication with an XP client and a Cat 2960 switch. The authentication is configured with PEAP and MS-CHAPv2. The 802.1x authentication works well.
    The problem is that the 802.1x authentication starts after the Windows logon. Due to this problem, the logon scripts don't run.
    How can I force the 802.1x authentication before the Windows login starts?
    Regards
    Pascal

    With the XP-Client, this cannot be forced. You need to enable machine authentication. This way, network access is granted with machine credentials by the time the user logs on, and 802.1X authentication occurs during the user logon event.
    Hope this helps,

  • OEAP600 with Wired 802.1X

    Hello everybody,
    I'm trying to find out if the Wired 802.1X capabilities associated with the OEAP-600 extend so far as to include the dynamic assignment of attributes to the user's session. VLAN assignment would probably be the most useful, but QoS, rate limiting and ACL would also be handy. These features all work on a standard switch and on a normal WLAN, but I can't find anything that discusses how the OEAP600 fits into this.
    Any pointers greatly appreciated!
    Rich

    Hi Dan,
    thank you for your reply. I've already done this in the second place using the SDK and winrm ($8021XProfileInstance.GetProperty("Domain")). I've no idea where SCCM is getting this domain name from. It's cutting off the top-level domain extension; maybe SCCM is assuming that this equals the NetBIOS domain name, but that is not the case. This is only a guess; in detail I need to know on what basis SCCM is choosing the domain name, then I can fix this...
    Intel's SCS puts the correct NetBIOS domain name in the AMT config; the certificates used are the same...

  • 802.11n only 5GHz or 802.11b/g compatible?

    Using a wireless connection to an AE, I don't notice any difference in speed and/or performance with my MB while in the "802.11n only" (5GHz) mode compared to the "802.11b/g compatible" (2.4GHz) mode. No matter which mode, I don't seem to get more than 130 MBit/s. Could someone please provide me the correct AE settings and/or tweaks necessary for me to obtain the optimum speed. FYI, my AE is connected via Ethernet to a cable modem with Charter Communications 5.2 Mb/s High Speed Internet service. (I already installed the 10.5.8 combo update with no problems)

    I see you have marked this solved... but would just like to confirm. Are you using download speeds as your measurement?... or moving files within your local network? For the most part, even FiOS... which is generally the fastest internet available for the average consumer... will not saturate the bandwidth of 802.11g. You will not see any faster internet speeds using 802.11n vs. 802.11g.

  • Broadcasting in 802.11n (a compatible) AND 802.11b/g

    I have a Time Capsule and an Airport Express and I'm wondering if I could do the following (but not sure if/how)...
    1. Broadcast my cable broadband connection in 802.11n (a compatible) from the Time Capsule.
    2. Extend the network using my Airport Express but in 802.11b/g.
    I want to do this because my xBox works far better on n/a, but of course my iPhone doesn't work at all unless it's on b/g (which is quite annoying).
    Is this possible? And if so, is there any issue with the respective devices differentiating between the n/a and b/g networks?

    This is the exact command that you need to use.
    The throughput with the aggregation is a bit higher than that without aggregation.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
