[WLAN] Use 802.1x with PEAP without Certificates?

Hello there,
is it possible to use 802.1x with PEAP authentication via MS-CHAPv2 without checking for the server's certificate? I can't find an option to disable it

On which device? You can set the authority certificate to none or choose one from the list.
‡Thank you for hitting the Blue/Green Star button‡
N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

Similar Messages

  • 802.1x with PEAP fails on Unified

    We have an issue with a Fujitsu Siemens Amilo Laptop. It uses 802.1x with dynamic WEP and PEAP-MSCHAP (MS-IAS), Verisign Imported Certificate. It works fine in an Autonomous environment but fails in Unified environment. Other laptops work fine in both environments with the same setup. Debug on the WiSM shows the EAP request identity/start message sent to the client. But there's no answer from the client; Reached Max EAP-Identity Request retries (21) for STA
    Any help is welcome!

    If the issue is with the certain brand of laptop, look at the wireless card firmware. What type of card are in these laptops? What configuration has changed between the Autonomous and the LWAPP (basic settings). What does the log show on the IAS server?

  • Wired 802.1x with PEAP

    I have managed to get wired 802.1x working using Windows Active Directory as the database. With machine authentication, single-signon can be achieved.
    Setup:
    C3750 switch - Cisco ACS 3.2 - Windows AD
    Sequence of events:
    1. 802.1x machine authentication
    2. User logs in to domain
    3. 802.1x with user credentials
    But, I have the following issues:
    i. If user logs in using local account, it takes 3 minutes (default dot1x switch timers) for the port to turn unauthorized. Is it possible to place the port in unauthorized state immediately?
    ii. If the user 802.1x login has dynamic VLAN assignment, the AD scripts do not run. It seems that the AD scripts can't run if there is a change of IP address upon login (difference in VLAN for 'machine authentication' and 'user login').
    Any solution for this?
    Tks

    2 issues here:
    * Cached credentials for Microsoft supplicants. Microsoft's authentication strategy in general reflects, and WLAN roaming would be difficult without the use of cached credentials. If cached credentials are not desired, would recommend another supplicant.
    * Failed Authentication for a local account. It should try to dot1x authenticate this user. For PEAP as an example, you would see the username as \. Now, a port will only be placed into a HELD state if a RADIUS-Reject is sent to the switch. A RADIUS-Reject will only be sent to the switch if the attempt is actually "failed" as opposed to silently discarded, packet lost in transit, etc. Taking 3 minutes to actually fail an attempt is indeed way too long, but the switch is probably doing what RADIUS is telling it to do. (This can be verified by a sniffer trace or debugs.) Corresponding logs on RADIUS would help as well.

  • Android Client working on WPA2 PEAP without certificate loaded

    I am trying to figure out why the Android phone will work on our Cisco WPA2 Enterprise PEAP wireless when we use a custom internal certificate for authentication with our Cisco 1200 series AP's, ACS 4.x, and AD user group/accounts.
    The certificate is not loaded on the client, nor from what I learned is very difficult to import for use when trying to install a MS generated certificate
    I did debugs between my regular Domain computer which has the domain certificate, and the Android and collected captures; see attachment tabs.
    I do see that the certificate is used somehow and I do see what looks like a ldap lookup.
    See the attached xls sheet with a debug tab for each the PC and the android.
    I stripped out any sensitive account/domain info for viewing.
    I'm not sure if this is a potential security loophole or not and welcome a discussion on this.

    Really?
    It's been a long time since I set this up and tested this and understood all the components. I just read up on it again and it appears you're correct that PEAP only requires the server (ACS) side cert and the user's credentials are protected during logon within MSCHAPv2.
    If I recall, when I set up our environment, we had to install our domain cert on Pocket PC's (warehouse scanners), to get them to work with PEAP as the cert was not from a default trusted publisher. I don't understand why this was an issue then. Any ideas?
    Our AD client computers all get the root cert by default, and all we do is push the wireless setting to the client by GP.
    I was under the impression that we were protected by the client requiring the domain cert, and that pocket PC's, and other rogue wireless devices would not work without them. So how to best control rogue devices without using some NAP system?

  • SOAP Receiver with HTTPS(without certificate)

    Hi experts
    Receiver system not using any certificate.  Without certificate How PI can send message through HTTPS using SOAP.
    How to choose HTTPS transport protocol. (Here Target Url have Https://.....)
    Here I am using PI7.1 EHP1.
    I configured Receiver SOAP CC as
    Transport protocol as HTTP
    Target Url https://api-demo.e-xact.com/transaction
    It will work? if not how to enable Https in SOAP receiver
    but I am getting below error In adapter
    Adapter Framework caught exception: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
    Thank you
    Srini

    Hi Srini,
    The main reasons for this error "Peer certificate rejected..." be appearing are the following:
    1. The correct server certificate could not be present in the TrustedCA keystore view of NWA. Please ensure you have done all the steps described in the URL below:
    Security Configuration at Message Level
    http://help.sap.com/saphelp_nwpi711/helpdata/EN/ea/c91141e109ef6fe10000000a1550b0/frameset.htm
    2. The server certificate chain contains expired certificate. Check for it (that was the cause for other customers as well) and if it's the case renew it or extend the validation.
    3. Some other customers have reported similar problem and mainly the problem was that the certificate chain was not in correct order. Basically the server certificate chain should be in order Own->Intermediate->Root. To explain in detail, if your server certificate is A which is issued by an intermediate CA B and then B's certificate is issued by the C which is the root CA (having a self signed certificate).
    Then your certificate chain contains 3 elements A->B->C. So you need to have the right order of certificate in the chain. If the order is B first followed by A followed by C, then the IAIK library used by PI cannot verify the server as trusted. Please generate the certificate in the right order and then import this certificate in the TrustedCA keystore view and try again. Please take this third steps as the principal one.
    4. If the end point of the SOAP Call(Server) is configured to accept a client certificate(mandatory), then make sure that it is configured correctly in the SOAP channel and it is also within validity period.
    (This certificate is the one which is sent to Server for Client authentication)
    As a resource, you may need to create a new SSL Server key.
    The requirement from SAP SSL client side is that the requested site has to have certificate with CN equal to the requested site.  I mean if I request URL X then the CN must be CN=X.
    In other words, the CN of the certificate has to be equal to the URL in the ftp request. This can be the IP address or the full name of the host.
    Request the url with the IP of the SSL Server and the certificate to be with CN = IP of the server.
    In any other case the SSL communication will not work.
    Regards,
    Caio
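
The answer above lists three things to check: expired certificates in the chain, chain order (Own->Intermediate->Root), and a CN equal to the requested host. The following is an added example, not SAP or IAIK code and not part of the original answer. It models each certificate only by subject CN, issuer CN and expiry (all constructed values), so it does not verify signatures; it goes slightly beyond the answer by rebuilding the correct order from any permutation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str         # subject CN
    issuer: str          # issuer CN (equal to subject for a self-signed root)
    not_after: datetime  # end of validity period

def order_chain(certs):
    """Return certs ordered Own -> Intermediate -> Root, or raise ValueError."""
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject in chain")
    issuers = {c.issuer for c in certs if c.issuer != c.subject}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one end-entity certificate, found {len(leaves)}")
    chain = [leaves[0]]
    while chain[-1].issuer != chain[-1].subject:
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None:
            raise ValueError(f"missing issuer certificate: {chain[-1].issuer}")
        if nxt in chain:
            raise ValueError("issuer loop in chain")
        chain.append(nxt)
    if len(chain) != len(certs):
        raise ValueError("chain contains an unrelated certificate")
    return chain

def check_chain(presented, requested_host, now):
    """Return findings for the three checks named in the answer above."""
    try:
        ordered = order_chain(presented)
    except ValueError as exc:
        return [f"broken chain: {exc}"]
    findings = []
    if list(presented) != ordered:
        got = " -> ".join(c.subject for c in presented)
        want = " -> ".join(c.subject for c in ordered)
        findings.append(f"wrong order: got {got}; expected {want}")
    findings += [f"expired: {c.subject}" for c in ordered if c.not_after < now]
    if ordered[0].subject.lower() != requested_host.lower():
        findings.append(f"CN mismatch: {ordered[0].subject} != {requested_host}")
    return findings

# Constructed sample data: A issued by B, B issued by self-signed root C.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = datetime(2030, 1, 1, tzinfo=timezone.utc)
A = Cert("api.example.test", "Example Intermediate CA", LATER)
B = Cert("Example Intermediate CA", "Example Root CA", LATER)
C = Cert("Example Root CA", "Example Root CA", LATER)
EXPIRED_A = Cert("api.example.test", "Example Intermediate CA",
                 datetime(2020, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    # The B, A, C order is the failing case described in the answer.
    for finding in check_chain([B, A, C], "api.example.test", NOW):
        print(finding)
```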

  • How to use ES  bundles (with or without PI)?

    Hello Experts,
    I am new to this forum and this is my first question
    I am currently working in a landscape comprising of ECC 6.0 EHP4 and APO systems. We do not have SAP PI installation.
    I wanted to know the right way forward to get SOA enablement.
    I understand that Service enablement is two fold (Please correct me if I am wrong):
    1) 'Inside out' (from FMs) for which the WS runtime engine of the AS is sufficient. The services thus generated can be consumed directly from other SAP systems (within our landscape only??) or from a frontend app which can consume services (probably a widget developed in .NET with a cool UI).
    2) 'Outside In' where services are modeled in PI/  OR standard SAP services (ES bundles) can be used.
    My question , more precisely, is if we need SAP NW PI to use these ES bundles from the service marketplace.
    If No, then how can it be done?????
    If yes, then are the Business objects to which these services are related also provided along with this content??? And do these business objects correspond to the ones which are available in the Business Object Repository in the backend???
    Is there any other alternative to getting SOA enabled without actually having to install SAP NetWeaver PI??
    I am really looking forward to some interesting answers from the experts on this forum.
    Thank you well in advance. Regards,
    Amith

    > So, is it right if I say that the services available in the backend are already implemented? And just creating an endpoint for them would make them ready for use?
    Yes: kind of instant services 
    > Also if I consume a service, say, 'CreateSalesOrder_In' for example, will it create entries in all my Sales order relevant tables (VBAK, VBAP) automatically using a BAPI internally?
    The service has the task to do all necessary steps, whether with or without using a BAPI.
    > Actually,  I have these doubts because during my time at SAP Labs (for the composites team in BusinesByDesign), I used to create business objects in the ESR and create an implementation for the same in the backend using BOPF. But now, in the customer scenario, where a full fledged ECC implementation is used, I am unaware as to how the services would update the tables or even read the relevant data.
    My consumer view on a service is that I do not have to know how the service works, just need to know how to call it.
    Regards, Boris

  • Certificates using serial numbers with material without batch assigned

    Hi experts...how can i track serial numbers and inspection lots from roh material without batch assign but with serial numbers ? these roh materials were used in PO without batch assign to FERT material yet. Is possible use where-used list only to manage serial number or only using batch administration over the serial numbers ?
    I will appreciate any answer!
    Regards
    Marco Antonio Trois Endres

    Hi ,
    This seems to be a Material Management configuration question, I dont know if this will answer it
    You will have to configure the Characteristics of your Material from a task list and transfer/Copy it to your Certificate profile,
    there has to be a feature to enter the desired selection Criteria based on your question
    Work with the security team if your MM_G and MM_S class objects can help open or close certain authorization objects to achieve your goal.
    in one of the google search it states that
    "This can be done from  Extras Characteristics from  your task list.
    A dialog box appears for entering the selection criteria for the task list"
    Will Need more security related information to help you on this.

  • RADIUS with IAS without certificate ?

    Is it possible to configure a WLC to use Microsoft IAS without issuing a certificate ?

    No. IAS can only do PEAP and EAP-TLS, both of which require a server side certificate. You could use your own CA to issue this certificate. For a walk through of IAS, go to http://www.dweezlenation.com
    HTH,
    Steve

  • Intel Mac OS X can't connect using 802.1x with TTLS authentication

    To login at the wireless network on my school I use the following settings:
    802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
    My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
    On my old iBook and my friend's Powerbook with exactly the same settings it works perfectly (and gets an assigned ip-address through DHCP).
    Bug in the Intel version of Mac OS X I guess?

    Regarding the post about other intel macs being unaffected, I don't have an imac so I don't know for sure, but the connectivity problems seem to be more widely reported for the macbooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (note to self, check on that).
    What I cant understand is why they have changed the
    airport express card for the intel macs, albeit the
    processor has changed but that shouldn't affect the
    card as that should be processor
    The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
    In the macbooks, it appears to be a mini-PCI-express. (I had to send my back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
    Some side-benefits of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.

  • Setup WLAN using 802.1X Windows PKI

    Is it possible to setup the WLC 2504 to use Windows 2008 PKI to authenticate domain machines automatically to WLAN?

    Here is how to setup NPS
    http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
    http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/
    Sent from my iPhone

  • How can I use Smart Print with IE10 without using the Bing bar.

    I have used Smart Print for a long time but after upgrading to Windows 8-64bit it seems that the only way to get it now is with the Bing Bar. I like windows but I have no use for Bing.

    Are you launching IE 10 from the Start screen, or from the desktop? Smart Print will only work if you launch IE 10 from the desktop.

  • Is any one created Table with in table using adv table with VOs without EOs

    If you have created Advanced table Master-Detail (Table within table), please let me know the Controller code. I am using below. But getting NullPointerException at innerTable.setAttributeValue(VIEW_LINK_NAME,"ViewLink1VL"); Please help me.
    ===========================
    OAWebBean outerTable = (OAWebBean)webBean.findChildRecursive("region2");
    OAWebBean innerTable = (OAWebBean)webBean.findChildRecursive("region4");
    if (outerTable != null)
    outerTable.setAttributeValue(CHILD_VIEW_ATTRIBUTE_NAME,"FLEX_VALUE_X");
    outerTable.setAttributeValue(VIEW_LINK_NAME,"ViewLink1VL");
    if (innerTable != null)
    innerTable.setAttributeValue(CHILD_VIEW_ATTRIBUTE_NAME,"FLEX_VALUE_X");
    innerTable.setAttributeValue(VIEW_LINK_NAME,"ViewLink1VL");
    OAApplicationModule am = pageContext.getApplicationModule(webBean);
    am.invokeMethod("initGoodsQuery");
    ============================

    My problem was solved when i used ,"ViewLink1VL1" instead of ,"ViewLink1VL" in controller code.
    thanks.
    Gopi.

  • Can I use ipad mini with cellular without SIM card

    I have purchased a ipad mini with wifi and cellular, thinking I could use my UK SIM card when required but leave it out when not in the UK. (Live in Qatar)
    I can't activate imessage or facetime, and also I didn't realise it needs a nano sim not my micro sim. I get a cannot connect to network message.
    Do I need to purchase a new sim for the ipad to work properly, I did assume it would work the same as an wifi only ipad if sim wasn't present.
    Thanks

    Thanks James. I was hoping that was the case.
    I've already updated the software, from a quick search that seems to be the network issue for imessage/FaceTime. Is there a fix for this? Ive no back up to go back to.

  • Using iPhone only with WiFi without local phone companies

    When abroad it is better to use only WiFi (where available as Roaming is too expensive) but most of the time all calls are again going through local phone companies, despite making "off" for Cellular data, 3G and Roaming on Settings. How can I be sure the calls and other usage of my iPhone 4S is only with WiFi? Or how to exclude telephone companies for sure?

    Her phone will automatically stop broadcasting using Wi-Fi if you put your device to sleep or after 90 seconds elapse with no devices connected using Wi-Fi. You can start broadcasting your Wi-Fi network again by tapping Settings > Personal Hotspot.

  • Wireless 802.1x with Window 7

    I have a WLC 6.0, ACS 3.3 and the SSID is set up to use 802.1x with PEAP Authentication. The clients are using Windows 7 to connect to wireless. To get the clients connected they have to go into their network properties of the wireless card, configure the client to use PEAP, uncheck validate server certificate, and also uncheck use computer name to login into Windows. This works fine and the user is able to connect to wireless after doing all these steps and then entering their Windows Username and Password. The customer is saying that this is too many steps for the end user and they just want the user to click on the SSID and connect. If wireless could also be set up to use their Windows username and password, that would be a bonus. I'm basically looking for a solution that is simple but is also secure as well. I know that's an oxymoron. Is there anything I could do to make the wireless process simpler? Either by going with a different security authentication or by doing something different on the clients' computers. Thanks for any help and suggestions.

    This is a script that we use on our campus (University of Leeds), that self configures an 802.1x connection and when a user connects to an 802.1x connection merely asks them for their username and password, which then remained cached.
    The .exe you create takes away all the techy bits that do 'confuse' some users, even if they are provided with well written documentation.
    https://sourceforge.net/projects/su1x/
    http://lsayregj.swan.ac.uk/su1x/SU1X_User_Guide-v104.pdf
    Features include:
    - Automation of configuration of a PEAP wireless connection on XP (SP3), Vista and Win 7
    - Can set EAP credentials without additional user interaction (avoids tooltip bubble)
    - Installation of a certificate (silent)
    - Checks for WPA2 compatibility and falls back to a WPA profile
    - Third party supplicant check -SSID removal and priority setting
    - Support tab: (checks: adapter, wzc service, profile presence, IP)
    - Outputs check results to user with tooltip and/or to file
    - Printer tab to add/remove networked printer
    This tool is very cleverly written by Gareth Ayres at Swansea University
