Wireless PEAP users authenticated by TACACS+

Hello,
I have the following scenario, access points 1214 (fat AP) connected to ACS (RADIUS) and the ACS integrated with Novell LDAP as external database.
The wireless users use PEAP for authentication, here the problem when I tried to connect wirelessly with username and password configured locally on the ACS database it works fine but if I use a username and password listed on the Novell LDAP I got the error ?Auth type not supported by External DB? .
Note:
For VPN users, I can connect and access the network resources from outside with username and password listed on Novell LDAP database (integration between ACS and Novell LDAP is fine). Maybe this note could help you!!
Regards,
Belal

Hello Darran,
Thx for your feedback..
now i'm trying to configure EAP-TLS but as stated in the configuration guide i should have CA certificates for both ACS and the wireless users. here the question, shall i have CA server or thers is another way to complete the task (use local generated certificate for example if possible) ?
Regards,
Belal

Similar Messages

  • New Intel Wireless Pro set let bypass PEAP user authentication

    Hello.
    I have a critical situation. We use PEAP/MSCHAPv2 for client and user authentication. Wireless users and clients will be authenticated by the ACS by asking a ADS usergroup membership. Valid users and clients have access to LAN ressources protected by the wlan controller. If the wireless client use the WZC and the logged on user is not a member of the user group he will not be authenticated and have no access through the wlan controller. But if the wireless client can use the actual "Intel Wireless Pro Set" and the user is not a member of the ADS group the ACS drop the user authentication request. But some seconds later the user will have nevertheless access to internal resources.
    In this case I think the user authentication request will not right handled by the ACS so authenticated client will have access through the wlan controller and a not ACS authenticated user will have access to lan ressources by his local cached user credentials.
    Is there a possible security leak or have I a configuration problem?
    Best regards
    Olaf Bachmann

    Hi irisrios.
    PEAP "Fast Reconect" is disabled on ACS side.
    But in the meantime we made some tests with cisco ACS and nortel wlan controller. If the wlan client use a wireless profile, generated with the Intel Proset (!! full installation incl. andmin tools and pre-logon authentication!!) then a user who is not a member of the wlan user group have access to lan resources.

  • Bypass PEAP user authentication

    Hello.
    We use PEAP/MSCHAPv2 for client AND user authentication. Wireless users and clients will be authenticated by the ACS by asking a ADS usergroup membership. Only authenticated users on authenticated clients should have access to LAN ressources protected by the wlan controller. If the wireless client use the WZC and the logged on user is not a member of the user group he will not be authenticated and blocked by the wlan controller. But if the wireless client use the actual "Intel Wireless Pro Set" AND the user is not a member of the ADS group the ACS drop the user authentication request, but few seconds later the user will have nevertheless access to internal resources.
    In this case I think the user authentication request will not right handled by the ACS so authenticated client will have access through the wlan controller and a not ACS authenticated user will have access to lan ressources by his local cached user credentials.
    Is there a possible security leak or have I a configuration problem?
    Best regards
    Olaf Bachmann

    This is not a security leak but a configuration issue. If the client utility and the ACS, ADS database is correctly configured then you will not see any issues.

  • EAP-TLS Authentication failure happening in ACS for Wireless End User Authentication

    Hi All,
    We have the Win 3.2 ACS setup in the production environment, We are migrating it with 4.2 Appliance version. We have succesfully migrated the database and other stuffs from 3.2 to 4.2. Same way we have exported the certificates from 3.2 to 4.2 and installed it.
    We have the leap as well as eap-tls in the authentication part.
    We were able to test successfully with the leap. But when it comes to eap-tls. In 4.2 version its throwing the error.
    5/3/2011
    23:16:38
    Authen failed
    [email protected]
    EAP-TLS users
    0023.1413.de18
    (Default)
    EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
    21356
    10.121.198.38
    13
    EAP-TLS
    ap-1242b4 
      Bangalore APs
    We have used the same certficate exported and installed in the 4.2 version. But its working in the existing 3.2 version and why it is not working with the 4.2 version.
    Could anyone help me out in this?
    Regards
    Karthik

    Hi,
    Looks like the CA Cert is not installed on the ACS.
    The following link will help you install the CA cert.
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCAuth.html#wp327056
    Also trust the CA certificate in the Edit trust list list.
    Hope this helps.
    Regards,
    Anisha
    P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

  • User Authentication o router

    Dear All
    Is the Cisco 3745 router having NM-8A/S module supports dialup user authentication and if yes what is the configuration requires.
    With Regards
    Anand

    Hi,
    It does but you need to be more specific in your backend technology.
    The reason i say this is because you can use AAA on the router to provide user authentication via TACACS+ or RADUIS, both which require a device with TACACS+ or RADUIS applications.
    The other option is to use local authentication which is not very scalable in a dialup environment.
    Rgds
    PD

  • Problems with 802.1x MS PEAP machine and user authentication

    Using Microsoft PEAP 802.1x client on Windows XP SP2, if we enable machine authentication against a Windows Domain, the machine authentication is successful and the machine gets access to the network. However, when user logon occurs to the domain, contrary to the flow given in ACS and Windows documentation, no user authentication takes place.
    We need to differentiate user access based on their identities. We need machine authentication only to allow users access to the domain controller and also GP implementation.
    Any idea why user does not get prompted when they logon. 802.1x is configured in users profile and I have tried with both integrated and non-integrated with Domain logon (i.e. "use my windows logon name and password and domain (if any) option"
    There is no record of any identity request/response in ACS after the initial machine authentication (which appears in successful authentication log)
    We are using MS-CHAPv2.

    Update...The problem of cached credentials in MS PEAP does not occur if "enable logon using Windows username and password (and domain if any) is checked. Using this option, MS PEAP always uses logged on users most current credentials.
    However, using this option sends the username as "DOMAIN\USERNAME". Since we are using ACS internal database for user authentication (even though the ACS and Windows passwords are same - using an identity management system) ACS does not recognize the user.
    I have tried proxy distribution with prefix stripping but it does not seem to work when it is pointing to the same ACS server on which proxy distribution is configured and which receives the request.
    Any idea how the domain\ can be ignored by ACS?

  • Wireless Guest Users once authenticated, are able to connect again after disconnection

                       Wireless Guest Users once authenticated, are able to connect again after disconnection .Clients should not able to connect after the restart or by disabling and enabling the WIFI adapter. But as of now clients are connecting to network . How we can configure this feature in WLC ?

    IIRC, if your reboot, disable the adapter or disconnect from the wireless, as long as the session timer or the idle timer does not timeout, then you are still considered as authenticated. If you logout, the wlc logs you off and you will have to log back in. The wierd thing is with iPhones or iPads, they go to sleep mode and you have to log back in to access the guest network. The workaround was to increase the idle timers to a certain acceptable limit to prevent this from happening.
    If you disconnect from the guest SSID and leave your client off the network until the idle timer expires, do you get prompted for a login or do you have access again?
    Sent from Cisco Technical Support iPhone App

  • Wireless user authentication detail at syslog server

    Hi Dear.  I configurated wireless network. i want to see my wireless user authentication detail(ip address, username and if it is possibly mac-address) at my syslog server. i do some configuration, the wireless controller send something to my syslog server but i need exctahly the user authentication detail.
    how i do that? please help me. thank you veru much.

    Hi dears. please help me

  • ACS 4.2.1 - PEAP Machine Authentication - Hostname different from PC account name in AD

    Hello!
    I don't really know, whether this issue has been asked before.
    I have to configure PEAP Authentication with ACS 4.2.1 for Windows against Active Directory.
    ACS ist Member of AD Domain xyz.domainname. The PC account is located in an OU of xyz.domainname.
    Hosts get via DHCP a hostname as dhcp.domainname. This also is the name the machine uses for AAA request.
    User authentication works fine, because the user account also is hosted in xyz.domainname.
    The host authentication fails, because dhcp.domainname is a DNS domain only but no Windows AD subdomain.
    Does anybody knows a solution for this special constellation?
    Is it possible to strip or rewrite the domain suffix in any way during the authentication process?

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-qformat:yes;
    mso-style-parent:"";
    mso-padding-alt:0in 5.4pt 0in 5.4pt;
    mso-para-margin:0in;
    mso-para-margin-bottom:.0001pt;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-fareast-font-family:"Times New Roman";
    mso-fareast-theme-font:minor-fareast;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;}
    Hello Jean,
    I am guessing that you are using 802.1x wireless.
    This is a expected behaving because the AD force the computer to change his password every month and if the computer is not on the domain at that moment the computer won't take that change.
    This is a Microsoft issue and unfortunately Cisco does not have any workaround for that.
    Please see links below that explain this situation.
    http://support.microsoft.com/kb/216393/en-us
    http://support.microsoft.com/kb/904943
    Hope this helps
    Erdelgad
    Cisco CSE

  • Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

    Hi,
    Since we implemented Cisco ISE we receive the following failure on several Notebooks:
    Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
    This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
    The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
    Why is this happening?
    Thanks,
    Marc

    The possible causes of this error message are:
    1.] If the end user entered an incorrect username.
    2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
    3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
    In your cases, the 3rd option seems to be the most closest one.
    Jatin Katyal
    - Do rate helpful posts -

  • Machine Authentication and User Authentication with ACS v5.1... how?

    Hi!
    I'm having trouble setting up Machine Authentication and User Authentication on ACS v5.1 using WinXP SP3 (or SP2) as supplicant.
    This is the goal:
    On wireless (preferably on wired too) networks, get the WinXP to machine authenticate against AD using certificates so the machine is possible to reach via for example ping, and it can also get GPO Updates.
    Then, when the user actually logs in, I need User Authentication, so we can run startup scripts, map the Home Directory and so on.
    I have set up a Windows Sertificate server, and the client (WinXP) are recieving both machine and user certificates just fine.
    I have also managed to set up so Machine Authenticaton works, by setting up a policy rule that checks on certificate only:
    "Certificate Dictionary:Common Name contains .admin.testdomain.lan"
    But to achieve that, I had to set EAP Type in WinXP to Smart Card or other Certificate, and then no PEAP authentication occurs, which I assume I need for User Authentication? Or is that possible by using Certificates too?
    I just don't know how to do this, so is there a detailed guide out there for this? I would assume that this is something that all administrators using wireless and WinXP would like to achieve.
    Thank you.

    Hello again.
    I found out how to do this now..
    What I needed to do was to add a new Certificate Authentication Profile that checks against Subject Alternative Name, because that was the only thing I could find that was the same in both user certificate and machine certificate.
    After adding that profile to the Identity Store Sequences, and making tthe appropriate rule in the policy, it works.
    You must also remember to change the AuthMode option in Windows XP Registry to "1".
    What I really wanted to do was to use the "Was Machine Authenticated" condition in the policies, but I have never gotten that conditon to work, unfortunately.
    That would have plugged a few security holes for me.

  • ISE - Machine + user authentication

    I've searched forum, community but I couldn't find exactly what I need:
    I have a client that want's to use two step authentication on wireless: first machine authentication to make sure that device is on the domain and then username/password authentication.
    Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:
    If I configure ISE to authenticate machine, it will allow limited access to DC (for example).
    Then, after that AuthZ profile is applied, what will do new authorization? My understanding is once MAR is done, AuthZ profileis applied and authorization is finished.
    Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:
    How ISE policy and AuthZ profile should look like, for example, I come in the office, my wireless card is disabled, I login to my laptop, then I notice that my wireless card is disabled and now I enable it. I need to have Machine authentciation happening at that point + prompting user for username/password to complete registration on wireless.
    NAM is already refused by client, so I need something that will work on plain Windows 7.
    Thanks.

    Hello Align-
    In your post you are referring to two completely separate and independent solutions:
    1. MAR
    2. EAP-Chaining
    MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE as long as configured in the machine timer. Keep in mind that if let's say a computer was booted while connected on the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any records of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed
    EAP-Chaining on the other hand utilizes EAP-FAST and it s a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might wanna look into Cisco's TrustSec guide:
    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
    I hope this helps!
    Thank you for rating!

  • 802.1X wirelss restriction on user authentication

    Hi,
    In the 802.1x wireless environment, I would like to know is there any method to control single user credential only able to be autheticated for one time, at any given time.
    Example: user ABC in domain XYZ.ORG authenticated via his/her desktop, this is using user authentication method.
    After this he/she not able to use the same username/password trying to get authenticate neither using any another PC/tablet/smartphone devices.
    The motive is to prevent user using same user credential able sign-in after he/she made the authenticaiton at first place.
    Meaning to say he/she only able to authenticate to single device, at any given time. Same user credential is not allow to be use for authenticate purpose on other device.
    The components as below:
    supplicant: Window 7, authentication method using PEAP/MSCHAPv2; Apple iPhone iOS version 5.x, 6.x
    Authenticator: Cisco Wireless Controller 5800 Series on code version 7.2
    Authentication server: Cisco secure server ACS 5.3
    Identity Source : Microsoft server 2008 ADDS, single forest single domain.
    Question:
    01. What we can configure on WLC, or ACS to enable above mention requirement
    Thanks
    Noel

    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112175-acs51-peap-deployment-00.html

  • Wireless Test Users being asked to authenticate to new ACS

    Hi All,
    I am nearing the final stages of an ACS Ver 5.3 deployment and everything is working as it should with the exception of our test wireless users.
    Thus far I have:
    Configured an "Identity store sequence" that consists of :
    -acs internal db
    -External radius server
    This is called "VPNSequence"
    I have also configured an Identity store sequence of :
    -AD
    -LDAP
    This is called "Wireless Sequence"
    I then configured the identity section of the "default network access" service.
    I put a condition that will match the vpn access (for example "if network device belongs to the network device group called "VPN concentrators".  The identity store used will be the sequence I created above ("VPNSequence").
    I then created a second rule (for point 2) that will match wireless access (if network device belongs to WLC group for example) and that will use the sequence "WirelessSequence" as identity store.
    I then created a Certification Authorisation Profile and applied it to the Wireless Sequence.
    I then tested an XP laptop on a Test_WLAN wireless network that authenticates using the new ACS device - when it attempts to logon I get a message on the laptop stating that I have to "Click here to process your logon information ...". When I click on this it asks me to re-enter my AD password. (This occurs even when I remove the Certification Authorsiation Profile from the Wireless Sequence" described above. If I enter my credentials I connect no problem.
    However, this is not ideal for a smooth transition from ACS 3.3 to ACS 5.3 for our Wireless End Users (numbering in the hundreds). They will no doubt bombard our helpdesk when this prompt appears for their wireless connectivity.
    Is there anyway I can configure the ACS so that they make a transparent connection without the need to re-enter credentials?
    Any help would be much appreciated - please let me know if you require further information.
    Kind regards,
    Thomas.

    Hi,
    From your description it appears that you are using password based authentication -- PEAP, EAP-FAST. The certificate authentication profile is only required for EAP-TLS. Although it being there would not cause any issues.
    For getting prompted on the laptops to enter the credentials, ensure that when you click on "configure" next to "secure password mschap v2"
    the checkbox next to "Automatically use my windows credentials for login" is selected (not shown in this figure)
    Regards,
    Dev

  • AP1252 : Support for LEAP and PEAP for authentication

    Hi,
    We are deploying Cisco AP1252 in unified (lighweight) mode and would like to know whether it will support both LEAP as well as PEAP for authenticating clients at the same time (mixed mode). If yes, kindly let me know the configuration for the same.

    Local EAP authentication on Wireless LAN Controllers was introduced with Wireless LAN Controller version 4.1.171.0.
    Local EAP is an authentication method that allows users and wireless clients to be authenticated locally on the controller. It is designed for use in remote offices that want to maintain connectivity to wireless clients when the backend system becomes disrupted or the external authentication server goes down. When you enable local EAP, the controller serves as the authentication server and the local user database, so it removes dependence on an external authentication server. Local EAP retrieves user credentials from the local user database or the LDAP backend database to authenticate users. Local EAP supports LEAP, EAP-FAST, EAP-TLS, P EAPv0/MSCHAPv2, and PEAPv1/GTC authentication between the controller and wireless clients.
    Local EAP can use an LDAP server as its backend database to retrieve user credentials.
    An LDAP backend database allows the controller to query an LDAP server for the credentials (username and password) of a particular user. These credentials are then used to authenticate the user.
    Local EAP Authentication on the Wireless LAN Controller with EAP-FAST and LDAP Server Configuration Example
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml

Maybe you are looking for

  • Personal File Sharing fails on network of (2) cascading Linksys routers.

    Topography: Comcast cable modem attached to (WAN-port) Linksys BEFSR41 (4-port). Linksys WRT54G (WAN-port) attached to Linksys BEFSR41 (4-port). Linksys BEFSR41 starting @ is 192.168.1.1. Linksys WRT54G starting @ is 192.168.2.1. All systems attached

  • Synchronisation with file

    Hello, I am a user of PC (windows and Ubuntu) but I don't use Outlook or Internet explorer. I am using Firefox and Thuderbird. The reason is that the last 2 works on linux systems as well and even uses the same files (on both systems) to store bookma

  • Regarding ORacle 10g installation

    Hi, I am getting this error while installing oracle 10g database in windows machine. i am getting this error "nmesrvc.exe". Thanks in advance.

  • IDVD 6 - Dual Layer Encoding Quality - not available

    Hi, this is my weird problem: - The movie I want to burn in iDVD 6 (latest version) is of a rather poor quality (Super 8 filmed from screen) and exported from Final Cut Pro with approx 10 GB total size(self-contained movie) and 1 hour 10 minutes leng

  • Need helpful purchase suggestions!

    Swamped with work, from home and need to get wife on her own bookkeeping computer. (I apologize I have no time to research on my own) 1 - I have a G5 (with no airport card, I'll have to get one) 2 - I want her to have a Mini 3 - Want the wireless con