Wired Dot1x and forcing machine auth on windows

I've got wired dot1x authentication working OK. The ACS server backs off to a Windows domain, so machine-level authentication works fine. However, I can't see a way of forcing Windows to only ever do machine authentication. Has anyone else looked at this? I could enable the option on the ACS server to require a previous machine auth before it accepts a user auth, but it can only cache this for a limited amount of time. The only way to get a machine auth is for there to be no user logged on at the time. If we accept user auth, then any user can bring their own machine onto the network, but this is what we want to stop; we only want to allow bank-standard (i.e. domain member) machines on the network.
cheers
Mike

Right, you need AuthMode = 2.
If only allowing domain members onto the network is the primary goal, then you may also want to consider:
* The Machine Access Restriction feature on ACS (what you referred to before as a cache, but it does help for mitigation of this threat).
* Denying dial-in permissions on user accounts (but this may break other things you may be using for remote access).
Example: If someone brought in their PC from home with virtually any supplicant on it, they're on the network as long as their NT credentials check out (whether machine auth fails or not, because remember they can configure their own supplicant).
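As an added example (not code from the original thread, Cisco or Microsoft), a PowerShell script that pins the Windows wired supplicant to machine-only authentication. On XP/Server 2003 that is the AuthMode registry value the reply refers to; on Vista and later the same setting is the authMode element of a wired LAN profile imported with netsh lan. The interface name, the choice of PEAP with MSCHAPv2 as the inner method, and the RADIUS server name used for server-certificate validation are assumptions.

```powershell
# Added example, not code from the original thread. Pins the Windows wired
# 802.1X supplicant to machine-only authentication, so a logged-on user's
# domain credentials are never offered on the wire.
#
# XP / Server 2003 (the platform "AuthMode = 2" refers to):
#   HKLM\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global\AuthMode (DWORD)
#     0 = machine auth only while no user is logged on (default)
#     1 = machine auth, then re-authenticate with user credentials at logon
#     2 = machine auth only; user credentials are never used
# Vista and later: <authMode>machine</authMode> in the wired LAN profile.
#
# ASSUMPTIONS: interface name, PEAP/MSCHAPv2, and the RADIUS server DNS name.

param(
    [string]$InterfaceName = "Local Area Connection",
    [string]$RadiusServerName = "acs.corp.example"   # assumed name
)

function Set-LegacyMachineOnlyAuth {
    # XP/2003: the EAPOL supplicant is registry-driven.
    $key = "HKLM:\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name AuthMode -Type DWord -Value 2
    Write-Output "AuthMode=2 written; reboot (or restart the EAPOL service) to apply."
}

function New-MachineOnlyLanProfile {
    # Vista+: wired profiles are XML. authMode=machine is the element that
    # matters; server validation is locked so a user cannot accept a rogue
    # RADIUS certificate by clicking through a prompt.
    @"
<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
 <MSM><security>
  <OneXEnforced>false</OneXEnforced>
  <OneXEnabled>true</OneXEnabled>
  <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
   <cacheUserData>false</cacheUserData>
   <authMode>machine</authMode>
   <EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
     <EapMethod>
      <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
      <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
      <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
      <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
     </EapMethod>
     <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
       <Type>25</Type>
       <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        <ServerValidation>
         <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
         <ServerNames>$RadiusServerName</ServerNames>
        </ServerValidation>
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
         <Type>26</Type>
         <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
          <UseWinLogonCredentials>true</UseWinLogonCredentials>
         </EapType>
        </Eap>
        <EnableQuarantineChecks>false</EnableQuarantineChecks>
        <RequireCryptoBinding>false</RequireCryptoBinding>
       </EapType>
      </Eap>
     </Config>
    </EapHostConfig>
   </EAPConfig>
  </OneX>
 </security></MSM>
</LANProfile>
"@
}

function Install-MachineOnlyLanProfile {
    # Wired AutoConfig (dot3svc) must be running for netsh lan to work.
    Set-Service -Name dot3svc -StartupType Automatic
    Start-Service -Name dot3svc
    $path = Join-Path $env:TEMP "wired-machine-only.xml"
    New-MachineOnlyLanProfile | Set-Content -Path $path -Encoding UTF8
    netsh lan add profile filename="$path" interface="$InterfaceName"
    Remove-Item $path -Force
    # Verify: the dump should report the authentication mode as Machine.
    netsh lan show profiles interface="$InterfaceName"
}

if ([Environment]::OSVersion.Version.Major -lt 6) {
    Set-LegacyMachineOnlyAuth
} else {
    Install-MachineOnlyLanProfile
}
```

Run it elevated (Group Policy is the usual delivery vehicle). Note the limit the reply already points out: this only governs machines you manage, and an unmanaged laptop runs whatever supplicant its owner configures, so the server-side control (Machine Access Restrictions, or EAP-TLS with certificates only domain members can obtain) is what actually keeps user-only authentications off the network.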

Similar Messages

  • Not Connecting to Wired Network and Forcing the loss of all Connections on the Home Network

    Just got a new G550 laptop  w/Win 7 OS. Tried to connect to wired router and got message "network cable not connected". Recycled laptop and router and came up with router connected to the laptop. Same message after search and identify steps finished. I then noticed I lost connection to the net/router with my other home networked units as well! Tried another cable, same results along with losing the entire home network connection. Disconnected the G550 from home network, via the cable, and the home network reconnected without any intervention. Tried another reboot directly connected to the cable modem, no go there either!
      I also rebooted with the wireless search shutoff and got the same problems as on the wired attempt. Thought it might have been the NIC card so I exchanged the system back at the store.  Sorry, same problem!! 

    I have a very similar problem... New Lenovo G550, running Vista Home Premium 64-bit. Right from the start it causes my TrendNet TEW-432BRP router to crash every 10 seconds. I bought a new DLink WBR-1310 and experience the same problem. Connecting to either router through either a wireless connection or a LAN cable connection causes the router to crash every 10 seconds. The router crashes, reboots, establishes a connection with the laptop, communication starts and then the router crashes again.
    I am looking for help.

  • Migrating From Windows Server 2003 to Windows Server 2012 for Web server deployment and Development Machine is on Windows Server 2008

    Hi Microsoft Team,
    We need your urgent advice, and that is also on priority:
    Issue Description: We need to migrate from
    Windows Server 2003 to Windows Server 2012 while the development activity will be carried out
    under Windows Server 2008 as the DEVELOPMENT BOX.
    .NET Framework Version: 3.5 (for both DEVELOPMENT (Windows Server 2008) and WEBSERVER (to Windows Server 2012))
    IIS Version: 7.5 (for both DEVELOPMENT (Windows Server 2008) and WEBSERVER (to Windows Server 2012))
    Need your quick advice: is that configuration feasible for Development and
    Deployment (Web Server)?
    Highly appreciate your response, as this will determine which product we need to buy; also, if you feel there is any showstopper or concern, please let us know.

    Hi,
    As suggested by Tim, in order to get better assistance, we can ask for help in the following IIS forum.
    IIS Forum
    http://forums.iis.net/
    In addition, regarding migrating from Windows Server 2003 to Windows Server 2012, the following blog can be referred to for more information.
    Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012
    http://blogs.technet.com/b/canitpro/archive/2013/05/27/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
    Best regards,
    Frank Shen

  • Windows 7 Supplicant Configuration - ISE PEAP w Machine Auth

    Can anyone tell me the settings for the Windows 7 supplicant that works with ISE and PEAP using machine authentication?  I have an authorization profile that permits the user login only after machine 'WasAuthenticated'.  I have only found this to work by setting the Windows 7 supplicant up to use Single-Sign-On before Windows logon and to specify 'User or Machine' authentication.  Then I'm only successful if I have both wired and wireless connected/on and I perform a logoff/reboot.  Surely this isn't right.  What if a user logs on without any connection with cached credentials and then wants to use wireless?  Can't they just perform both machine and user auth over the wireless connection regardless of prior machine/auth states?  I used the videos from LABMINUTES to configure the policies, but I don't need the ACLs for the WLAN controller because these are autonomous APs.
    Regards,
    Scott

    Microsoft will send both and only cares if one passes. This is the same with RADIUS. ACS and ISE allow you to check to see if the machine was authenticated, which happens initially on boot. After the initial machine auth, the Windows machine will only send user creds. The "WasAuthenticated" machine-auth check is a workaround to be able to do both. The issue is that when the timeout of the machine creds happens, the device has to be rebooted. At Cisco Live 2012, they even suggested you don't do this, because you don't know how long ACS or ISE will keep the cached credentials.
    Sent from Cisco Technical Support iPhone App

  • ISE Wired DOT1X authorization fails

    I'm configuring wired dot1x, and it won't work. My end goal is to use machine/user authentication for this wired profile, but for now, because of issues I'm just attempting wired user authentication. Below is what I have
    -authorization profile to allow a user based on the default (wired dot1x) and AD memberOF to get the person into the network
    -the network card on the computer is set up to use "user authentication" inside of the NIC authentication tab....this is PEAP by the way.
    Here is what I am seeing. I do a reboot of the machine, and the login for Windows comes up and I login. Once in Windows I look at the NIC and it says Authentication failed. ISE says that it PASSED and used my authorization profile to pass it and says that it sent my dacl. Doing a show authentication session int gi8/36 says "status authz FAILED".
    I get the same thing if I use both machine and user. Machine boot->login->ISE says there was a successful authentication for the machine and sends a dACL->sh auth sess int gi8/36 says status authz failed on the switch, and the NIC shuts due to failed authentication, after which it's obviously not going to pass the user side of my policy. This is driving me nuts. If anyone could help it would be greatly appreciated. Below is config info. Thanks
    Windows machines are Win7/64
    switch is 6509e with 12.2(33)SXI 11 running on it.
    Interface:  GigabitEthernet8/36
              MAC Address:  10ee.f10c.4820
               IP Address:  Unknown
                User-Name:  jcarrabine
                   Status:  Authz Failed
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A800C010000018CF35CA5D8
          Acct Session ID:  0x0000077B
                   Handle:  0x0000018C
    Runnable methods list:
           Method   State
           dot1x    Authc Success
           mab      Not run
    Dot1x Info for GigabitEthernet8/36
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = MULTI_AUTH
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 10
    interface GigabitEthernet8/36
    description TEST PORT
    switchport
    switchport access vlan 52
    switchport mode access
    switchport voice vlan 143
    authentication event fail action next-method
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab
    authentication priority dot1x mab
    authentication port-control auto
    authentication timer inactivity 10
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast edge
    spanning-tree bpduguard enable
    end
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    ip radius source-interface Loopback0
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server host 10.128.12.41 auth-port 1812 acct-port 1813 key 7 061106324961273C464640
    radius-server host 10.126.12.41 auth-port 1812 acct-port 1813 key 7 120E0C0417242221697A76
    radius-server vsa send accounting
    radius-server vsa send authentication

    I fixed this issue. So, to the trained eye, this should be obvious. The authz ultimately failed not because of my authorization policies, but because I have no default permit ip any any ACL on the port. This is a requirement for the IOS I'm running. The dACLs cannot be applied to the switchport without it, and thus it will throw the port into an authz fail without it.

  • Dot1x machine auth before user auth required

    We are looking at setting up dot1x in our libraries however I have been asked to see if there is a way to force a switch port to require machine auth before user auth.  The reason for this is a problem we have that users will disconnect the ethernet cable from the library computer and plug it into theirs.  If they have an AD account, they could in theory authenticate on this port. We want to discourage them from disconnecting these ports as we then don't know the computer has been unplugged and then it is no longer on the network and doesn't get updates/ghosted.
    Also, would it maybe be better to just allow a specific group of user accounts to connect to these jacks, and if so what would be the best way?  Location settings on the port?
    We are using ISE 1.2 to do authentication for these switches.

    Hi Zach-
    There are several different ways to prevent non-domain computers from gaining access to the network. I will try to list a few of them starting with the easiest and least expensive/labor intensive methods:
    1. Do only Machine-based authentication. This eliminates the user from having to enter credentials and ISE will simply query AD for valid computer domain membership.
    2. Use EAP-Chaining. This is the only method that truly gives you user+machine authentication. However, it does require that you push the Cisco AnyConnect client to all endpoints.
    3. Deploy PKI and use EAP-TLS authentication with Digital Certificates. With this method only domain computers/users can get a certificate and ISE can still query AD for user or machine AD membership
    4. Perform Posture and check for something that is domain specific. For instance, a fake registry key or file that is being created when a machine joins to the domain. With this method ISE can still ask for User authentication but also require posture check. You can then set the policy that if posture fails but user auth succeeds then the user will only get guest access.
    I hope this helps.
    Thank you for rating!

  • ACS + Wired dot1x machine authentication

    Hi,
    I am trying to setup wired machine based authentication. I have followed this guide
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a18.shtml#req
    However I simply get the same error all the time on ACS.
    Invalid message authenticator in EAP request
    Switch config;
    interface GigabitEthernet0/46
    switchport access vlan 20
    switchport mode access
    media-type rj45
    dot1x pae authenticator
    dot1x port-control auto
    dot1x reauthentication
    dot1x guest-vlan 20
    I am trying to set up group matching to perform VLAN assignment; however, I am just entering under the unknown user policy at the moment with no VLAN assignment set up.
    Can anyone shed any light on this? All I want to do is authenticate a machine via certificates and issue a VLAN ID based on the machine name and AD group matching. No user authentication; this can be done via the PDC.
    Purely using machine auth.
    Cheers
    Scott

    Hi Guys,
    The plot thickens. I can authenticate via user 802.1x, and I can also authenticate the machine against my existing 4.1 ACS server; however, when using the new 4.2 server I get the external DB authentication failure??
    Thanks for your help.
    Scott

  • Intune is forcing updates and force restarting machines linked to it

    As of recently, Intune has started pushing updates out over our onsite WSUS server and force-restarting our machines. We use a mixture of Windows 8 and Windows 8.1 machines. From looking at both Group Policy and Windows Intune, it does not look like
    any settings have changed.
    Are there any reasons for this, and can we control when our machines restart? This is happening across all of our Intune machines.

    You can control when your machines receive updates and the reboot policy in the Agent Settings policy.  Please take a look at that.  If you still are encountering issues please contact support.  
    Thanks,
    Jon L. - MSFT - This posting is provided "AS IS" with no warranties and confers no rights.

  • I am trying to finish a book in InDesign CS2 with another person. My old XP computer became unstable and I had to get a Windows 7 computer. I was able to install CS2 on the Virtual XP Machine on my Windows 7 computer, but I cannot register or activate it.

    I am trying to finish a book in InDesign CS2 with another person. My old XP computer became unstable and I had to get a Windows 7 computer. I was able to install CS2 on the Virtual XP Machine on my Windows 7 computer, but I cannot register or activate it. Adobe no longer supports activation. Is there a way I can keep using CS2? I need to get files back and forth to my coauthor. I also have CS6. I understand that files can go from 2 to 6, but not backwards. Thanks, Robert

    you can download a new installer and serial number from Adobe at Adobe - CS2 Downloads

  • When I have 4 or 5 tabs open, selecting one of them often forces that tab to open as a new window and close in the original window

    FF 32.0.1. Moving between tabs that are already open, clicking on one which I have opened before forces it to close and open as a new window, which is a real pain. It seems to happen when I have 4 or 5 open tabs, rather than 2 or 3.
    This has only been happening in the last week, after a clean Windows reinstall.
    I've searched and found lots of people have problems with new windows opening when they just want a new tab, but this seems to be about opening fresh tabs rather than returning to one that's already open, so I can't find the same problem as I describe.

    This can happen if you drag a tab slightly down in the browser window while clicking.
    Firefox has a feature called tear-off tabs
    You can detach a tab from the current window and open it in a new window by dragging a tab in the browser window.
    You can also do this via the right-click context menu of a tab: Move to New Window
    You can drag that tab back to the tab bar in the original window to undo that detaching.
    * https://addons.mozilla.org/firefox/addon/bug489729-disable-detach-and-t

  • I am facing issues with my music on my iOS device. I have five devices connected to my apple id. And out of which a Windows Machine and iPhone is not able to sync the purchased songs on the the Windows machine and the iPhone.

    I am facing issues with my music on my iOS device. I have five devices connected to my Apple ID, and out of these a Windows machine and an iPhone are not able to sync the purchased songs. The iPhone 4 shows the songs are not supported, and on the Windows machine the songs do not play completely. Can anyone advise what could have gone wrong? Because the rest of the devices are synced to a MacBook and they are able to sync the content normally. I have even subscribed to iTunes Match, but the problem is still not fixed.

    Firstly...  a little Clarity...
    Devices refer to iDevices... iPod... iPhone... iPad. ..   Not Computers.
    Authorization applies ONLY to Computers... of which there is a Limit of 5 per Apple ID.
    If the issue is with iTunes on your Windows Computer... Perhaps you need to Re-install iTunes...
    See Here... to Uninstall and Re-Install iTunes...
    http://www.apple.com/support/itunes/install/

  • Can Time Capsule be used as a time machine on a Windows Server.  Is this possible, and how do i configure this?

    I like to use the new TC in my office as a time machine on a Windows Server.  Is this possible, and how do i configure this?
    In fact my plan is to make the first back up by connecting to the server via an ethernet cable, but thereafter i like to bring the TC to my home and perform the incremental backups over the internet.  This is for safety reasons, in case for example the office is broken into, or flooded, or fire (god forbid).
    I sincerely hope it is possible, and not complicated.
    Alternatively i would not mind replacing our current Windows server 2003 with an Apple server, but all computers in the network (except mine) are Windows 7 or 8. Would it work?
    Thanks in advance.
    Paris

    I will consider the WD My Cloud device.
    It is a NAS.. it is designed to provide a cheap centralised file storage.
    What is NAS?? http://en.wikipedia.org/wiki/Network-attached_storage
    A file server like windows uses heaps of power to do very little.. in your setup.. In most setups like SBS it will do exchange server and provide a heap of useful connectivity to your clients.
    Since you are not using the windows server in anything but simple file serving you can replace with a NAS..
    Problem with the TC is, it is a router with a hard disk inside.. designed specifically for Time Machine.. it fails to provide what a NAS does.. easy access to any clients, local or remote.. TC is designed by apple for apple and the rest of world is not really invited to the party.
    It provides no backup.. no data protection.. and is so specifically apple orientated I do not think it works at all well with windows.
    For a simple example.. windows will have file issues with large files.. because it is only NTserver FAT32 to windows.. bad luck if you have large files.. !!
    Plainly if you use active directory in windows that facility is gone.
    I just like Apple products, find them more stable than Windows and easier to use.  Plus i can access the server from home if it is an Apple Server.
    If you only need remote access for yourself that is fine.. too bad for the windows clients I guess.
    Or you open it up to the world and bad luck for security.
    Apple do not design for mixed environment.. in fact with the TC there is no provision for windows access officially at all.. so anything you do is a fudge.
    You can use the TC for your Mac backups within the network.. that is fine. Apple provide no software at all to help with your windows clients.

  • On 3 machines now the Windows Store is broken. The Install and Back buttons don't work

    Originally reported here:  http://answers.microsoft.com/en-us/windows/forum/windows8_1-windows_store/on-3-machines-now-the-windows-store-is-broken-the/8bafdc7a-a708-4012-a4f1-b98ab8788c28
    Advised to post here instead.
    Hi there
    On three separate Windows 8.1 Professional machines now, I've had an issue where the Store stops working properly for no apparent reason (no error messages or anything).  The store opens, and I can browse apps, and view individual apps, but
    once in the app view I cannot click on the Install button or the back buttons.
    They "light up" as if being pressed, but they don't actually do anything.
    I've tried all the various troubleshooting, including the Windows App troubleshooter, wsreset, re-registering the store files using powershell, and renaming the cache folder in my user profile. No effect.
    If I sign into the PCs as another user, then I don't get the issue. As such something is getting corrupted in the profile.
    We only have around 9 or 10 Windows 8.1 PCs deployed at our organisation for testing, and three of them have had this fault, which doesn't inspire confidence. As such, we cannot progress with further deployment until we have a fix in place that
    doesn't involve wiping the user profile.
    Any ideas please?

    Hi FangZhou CHEN
    I've discovered the cause of this error after much searching.
    Based on your suggestion, I checked the Event Viewer and found a string of "Application Error" entries similar to this:
    Faulting application name: WSHost.exe, version: 6.3.9600.17093, time stamp: 0x534765e9
    Faulting module name: sxwmon64.dll, version: 4.5.2608.0, time stamp: 0x52b2a853
    Exception code: 0xc0000005
    Fault offset: 0x00000000000257ff
    Faulting process id: 0xf40
    Faulting application start time: 0x01cfeeb1cc6d035e
    Faulting application path: C:\WINDOWS\WinStore\WSHost.exe
    Faulting module path: C:\WINDOWS\SYSTEM32\sxwmon64.dll
    Report Id: 19ee9a1c-5aa5-11e4-8259-600292638f85
    Faulting package full name:
    Faulting package-relative application ID:
    Presumably the WSHost.exe process is critical to the Store and "Metro" apps?
    The offending DLL file causing this process to fail, sxwmon64.dll, belongs to a piece of security software on our machines called Lumension Endpoint Security (we're running version 4.5 SR2). We use this to control removable media (USB) and CDRW access for
    our employees.
    If I rename that particular DLL file, the store and the calendar app which I was also having issues with (it was blank), spring back into life.

  • Can I force the bootcamp wizard to skip looking for the bootcamp drivers?  I have already downloaded the latest drivers and loaded them on a FAT usb drive.  All I want is for bootcamp to create the partition and allow me to install windows 8 pro

    Hi Everyone,
    Can I force the bootcamp wizard to skip looking for the bootcamp drivers?  I have already downloaded the latest drivers and loaded them on a FAT usb drive.  All I want is for bootcamp to create the partition and allow me to install windows 8 pro.
    The bootcamp drivers have been downloaded from apple's website.  Filename:  BootCamp5.0.5033
    I have an iMac 27" late 2013 model.
    NOTE:  I have downloaded the drivers manually from apples support site as the bootcamp wizard fails third of the way through the download.
    Appreciate any assistance.
    Regards,
    asdutoit

    There is a missing point in this thread, and it is that the Boot Camp drivers for the Late 2013 iMac can only be downloaded from Boot Camp Assistant. The Boot Camp drivers available in the Apple site are not compatible with that iMac.
    Delete the Boot Camp drivers from the USB drive, open Boot Camp Assistant and try to download the Boot Camp drivers again. If you get a message telling you that they could not be downloaded, I would try reinstalling OS X through OS X Recovery, by holding down Command and R keys while your Mac is starting up

  • What is the best USB powered portable 1TB hard drive for a macbook pro that allows Time machine to work, windows (thru Parallels software) and mac storage and is available in Australia?

    What is the best USB powered portable 1TB hard drive for a macbook pro that allows Time machine to work, windows (thru Parallels software) and mac storage and is available in Australia?

    I agree with the OWC suggestion above, but why must it be USB powered? I find that far more unreliable, and the low-power devices slow.
    I'd frankly get a good external enclosure and buy a bare drive. But the OWC stuff is quite good - vastly better than some of the majors (WD being a prime example of stuff that's borderline quality and often not compatible).
    Grant
