WLC+LAP+ACS4.0: achieving 802.1x PEAP and MAC address authentication?

How do I configure WLC + LAP + ACS 4.0 so that username/password authentication and MAC address authentication happen at the same time?

This might help with the PEAP:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml
MAC Authentication
Add a MAC Address to ACS
Complete these steps:
1. From the ACS main menu, click on the User Setup button.
2. In the User text box, enter the MAC address to add to the user database.
Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
3. On the User Setup screen, enter the MAC address in the Secure-PAP password text box.
4. Check the Separate (CHAP/MS-CHAP) box.
5. Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).
6. Click Submit.
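
The note above about entering the MAC exactly as the AP sends it is where most MAC-authentication failures hide, and the failed-attempts log is the only authoritative source for that format. The Python script below is an added example, not part of the original reply and not Cisco code: it compares the string typed into ACS with the string the failed-attempts log reports, lists any invisible characters that cut-and-paste introduced (zero-width spaces, non-breaking spaces), and names the formatting difference (separator, grouping, letter case). The two sample strings in main() are constructed.

```python
import unicodedata

HEX_DIGITS = set("0123456789abcdefABCDEF")
SEPARATORS = set(":-.")


def find_phantom_chars(text):
    """Every character that is neither a hex digit nor a MAC separator,
    as (index, repr, Unicode name). Zero-width spaces, non-breaking spaces
    and similar debris from cut-and-paste show up here."""
    return [
        (i, repr(ch), unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if ch not in HEX_DIGITS and ch not in SEPARATORS
    ]


def hex_digits(text):
    """The hex digits of a MAC, lower-cased, with everything else dropped."""
    return "".join(ch for ch in text if ch in HEX_DIGITS).lower()


def describe_style(text):
    """How a MAC is written: separator, group size and letter case."""
    letters = [ch for ch in text if ch in HEX_DIGITS and ch.isalpha()]
    if not letters:
        case = "no letters"
    elif all(ch.islower() for ch in letters):
        case = "lower"
    elif all(ch.isupper() for ch in letters):
        case = "upper"
    else:
        case = "mixed"
    seps = sorted(ch for ch in set(text) if ch in SEPARATORS)
    if not seps:
        return "no separator, %s" % case
    group = len(text.split(seps[0])[0])
    return "separator %r every %d digits, %s" % (seps[0], group, case)


def diagnose(entered, reported):
    """Compare the MAC typed into the AAA user database with the MAC as the
    failed-attempts log reports it. Returns a list of findings; an empty
    list means the two strings are identical and the problem is elsewhere."""
    findings = []
    if entered == reported:
        return findings
    for label, value in (("entered", entered), ("reported", reported)):
        for idx, ch, name in find_phantom_chars(value):
            findings.append("%s: phantom character %s (%s) at index %d"
                            % (label, ch, name, idx))
    e, r = hex_digits(entered), hex_digits(reported)
    if len(e) != 12 or len(r) != 12:
        findings.append("not 12 hex digits: entered=%r reported=%r" % (e, r))
    elif e != r:
        findings.append("different MAC addresses: %s vs %s" % (e, r))
    elif describe_style(entered) != describe_style(reported):
        findings.append("same MAC, different format: entered uses %s, AP reports %s"
                        % (describe_style(entered), describe_style(reported)))
    return findings


if __name__ == "__main__":
    # Constructed sample: the operator typed a colon-separated MAC while the
    # AP reports it without separators; a second attempt carries a pasted
    # zero-width space at the end.
    for entered in ("00:1A:2B:3C:4D:5E", "001a2b3c4d5e\u200b"):
        for line in diagnose(entered, "001a2b3c4d5e"):
            print(line)
```

Whatever format the log shows is the one to type into both the username and the Secure-PAP password fields; the AP or controller decides that format, not the operator, and the script only explains why the two strings differ.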

Similar Messages

  • ACS v4.1 PEAP and MAC Address Validation

    I would like to authenticate to an ACS server via 802.1x (PEAP) and also validate the MAC address of the user. Can both of these be done? I have 802.1x (PEAP) working to the ACS and Active Directory, but now I would like to add the MAC addresses of the laptops. Can I use Network Access Profiles and add the MAC address under MAC-Authentication Bypass?
    Your assistance is appreciated.

    I seem to have figured my way out of this. The reason for the short dot1x timer is that we are using MAB to authenticate the client MAC, so we actually WANT the dot1x authentication to timeout as quickly as possible for the secondary (MAB) authentication to execute.
    I'm also suffering from the age-old problem of interpreting the logic of a config originally implemented by someone else. I'm wondering if all the dot1x commands we have are actually necessary in our situation.
    What I have found when comparing new switches to old is that on the 3750s, show authentication sessions for an interface only shows mab as a runnable method, while on the 3850s it lists dot1x, mab and webauth (in that order). Using authentication order mab and authentication priority mab on an interface of the 3850 seems to do the trick. With debug mab turned on you can see the mab authentication working and the switch then allows the interface to pass traffic. Just as importantly, it blocks the port if I try using a client whose MAC is not in the ACS database.
    Appreciate your help.

  • ISE and WLC 5508 IP and MAC address

    Hi!
    Is it possible to receive both the client IP address and MAC address at the same time in ISE?
    The WLC lets you choose the RADIUS Call Station ID type as MAC or IP, but not both.
    Thank you,

    If you are using dot1x then no; the MAC address is sent, since the client does not receive an IP address until authentication succeeds.

  • PEAP and Mac OSX Panther

    Just received our first Panther laptop and I am trying to get authenticated using PEAP to our 1200 series access point. I am curious if anyone has got this working and if so what radius server are you using. We are using 2003 Server IAS and my PC clients authenticate just fine.
    Thanks
    Don Hickey

    You can do it but I have found Tiger to be faster than Panther even on a G3. So I recommend fixing what's wrong vs. downgrading.
    Wireless will work but only 802.11b is supported on an iBook.
    A G3 is going to be painfully slow on most websites no matter what OS you use. Those that require Flash or updated Java are not likely to work at all.

  • TACACS+ PEAP and MAC in the same AP

    Hi,
    we have a configuration on our Access Points which I would like to know whether it can cause trouble, because on some APs it works perfectly and on others we are having issues with PEAP auth.
    We have TACACS+ for Telnet into the APs, MAC authentication for compatibility reasons, and are now introducing PEAP.
    The aaa part looks like this:
    aaa authentication login default group tacacs+ local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods group rad_mac
    aaa authentication enable default group tacacs+ enable
    but can the first line, where it says "default", cause trouble?
    Jorge

    Jorge,
    No, that is not going to give you any trouble unless there is a software bug.
    You bind a method list to a specific interface. Once that is done, the default list will ignore that interface.
    Please rate if this helps.
    Regards,
    ~JG

  • Compatibility 802.1X and mac-filter from ACS

    If the clients' identities and MAC addresses are stored on the same ACS server,
    could a WLAN on the WLC be configured with Layer 2 security using both 802.1x and MAC filtering?
    This is really a critical problem for me!
    Thanks~

    Hi,
    I am assuming you are asking: if you configure the MAC of a WLAN client in the MAC filter, and the same MAC as the user name in the 802.1x ACS database, could you configure it, and what is the effect?
    If my understanding of your question is correct, the answer is:
    No WLAN client will be allowed to associate to the network unless a match is seen in the MAC filter on the WLC.
    But once that is done, it will not be able to access network resources unless 802.1x authentication is completed by ACS against the WLAN client's user name, which is again the MAC address of the client.
    I don't see a value in doing this, except that you will block unnecessary authentication requests from getting to ACS by filtering them in the first instance.
    Another scenario is if you are using MAC filtering on ACS as well; it should be preceded by MAC filtering and then ACS authentication, as above as far as the sequence goes, hence the same logic applies here.
    Thanks

  • WLC cannot get IP of the Wireless Clients and client not able to ping to the gateway

    Dear Cisco experts,
    I have configured the WLC embedded in a Cisco C3650 switch and also one AP3702I. The AP is now able to join the controller. My client is able to connect to the AP and get an IP address (10.127.117.1) from the DHCP server, but is unable to ping the gateway (10.127.117.254, the interface gateway). Both the switch and the AP are able to ping the interface gateway. I also tried to ping the client from the switch and from the AP, but neither can reach the client.
    I have checked via the switch and can see the client's IP address and MAC address (using ARP):
    #sh arp vlan 77
    Protocol  Address         Age (min)  Hardware Addr   Type   Interface
    Internet  10.127.117.1            0  843a.4b90.17e0  ARPA   Vlan77
    Internet  10.127.117.254          -  3c08.f6b7.2173  ARPA   Vlan77
    Need your expertise on this matter. Thank you.
    Configuration as below:
    Switch
    ip dhcp pool LWAPP_VLAN
     network 10.127.117.0 255.255.255.0
     default-router 10.127.117.254
     dns-server 10.127.113.10
     domain-name xxx.com
    vlan 77
     name LWAP_VLAN
    interface Vlan10
     ip address 10.127.112.254 255.255.255.128
    interface Vlan77
     ip address 10.127.117.254 255.255.255.0
     ip helper-address 10.127.117.254
    interface GigabitEthernet3/0/5
     description Connect to AP Test
     switchport access vlan 10
     switchport mode access
     no logging event link-status
    wireless mobility controller
    wireless management interface Vlan10
    wireless security web-auth retries 5
    wireless mgmt-via-wireless
    wlan APAC-WLAN 2 Wifi-Test
     client vlan LWAP_VLAN
     ip dhcp opt82
     ip dhcp opt82 ascii
     ip dhcp opt82 format add-ssid
     ip dhcp required
     ip dhcp server 10.127.117.254
     no security wpa akm dot1x
     security wpa akm psk set-key ascii 0 B*MY2014
     security wpa wpa2 ciphers tkip
     session-timeout 300
     no shutdown
    ap group APGroup-Test
     description "For Testing Purposes"
     wlan APAC-WLAN
      vlan LWAP_VLAN
    AP
    interface Dot11Radio0
     antenna gain 0
     stbc
     mbssid
     power client local
     packet retries 64 drop-packet
     station-role root
    interface Dot11Radio1
     antenna gain 0
     stbc
     mbssid
     power client local
     packet retries 64 drop-packet
     station-role root
    interface GigabitEthernet0
     duplex auto
     speed auto
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface BVI1
     mtu 1792
     ip address 10.127.112.202 255.255.255.128
    interface Virtual-WLAN0
    ip default-gateway 10.127.112.254
    ip forward-protocol nd
    ip dns server

    Please try the SSID configuration below. WPA2 should be configured with AES, not TKIP.
    wlan APAC-WLAN 2 Wifi-Test
     client vlan LWAP_VLAN
     security wpa
     no security wpa akm dot1x
     security wpa wpa2 ciphers aes                        
     security wpa akm psk set-key ascii 0 B*MY2014
     ip dhcp required
     no shutdown
    This post should give you some help as well
    http://mrncciew.com/2013/12/04/wlan-config-in-3850-part-1/
    HTH
    Rasika
    **** Please rate all useful responses ****
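
The reply above fixes the one security-relevant setting in the posted stanza (TKIP under WPA2). As an added example that is not part of the thread, the Python below parses IOS-XE wlan stanzas out of a running-config and flags the settings a reviewer would stop on: TKIP configured under WPA2, no AES cipher, a PSK pasted in the clear, a short PSK, and a WLAN left shut down. SAMPLE_CONFIG is the stanza from the question (including its PSK); the thresholds and messages are this example's own choices.

```python
import re

# Stanza pasted in the question above; the PSK is the one in the post.
SAMPLE_CONFIG = """\
wlan APAC-WLAN 2 Wifi-Test
 client vlan LWAP_VLAN
 ip dhcp required
 ip dhcp server 10.127.117.254
 no security wpa akm dot1x
 security wpa akm psk set-key ascii 0 B*MY2014
 security wpa wpa2 ciphers tkip
 session-timeout 300
 no shutdown
ap group APGroup-Test
 description "For Testing Purposes"
"""

WLAN_HEADER = re.compile(r"wlan (\S+) (\d+) (.+)$")
PSK_LINE = re.compile(r"security wpa akm psk set-key ascii (\d) (\S+)$")


def parse_wlans(config):
    """{profile name: [sub-mode lines]} for every wlan stanza in a running-config.
    IOS-XE indents sub-mode commands by one space; the next unindented
    line ends the stanza."""
    wlans, current = {}, None
    for raw in config.splitlines():
        header = WLAN_HEADER.match(raw)
        if header:
            current = header.group(1)
            wlans[current] = []
        elif current is not None and raw.startswith(" "):
            wlans[current].append(raw.strip())
        else:
            current = None
    return wlans


def audit_wlan(lines):
    """Findings for one wlan stanza; an empty list means nothing to report."""
    findings = []
    ciphers = [l.split()[-1] for l in lines
               if l.startswith("security wpa wpa2 ciphers ")]
    if "tkip" in ciphers:
        findings.append("WPA2 with TKIP: use 'security wpa wpa2 ciphers aes'")
    if "aes" not in ciphers:
        findings.append("no AES cipher configured for WPA2")
    for l in lines:
        m = PSK_LINE.match(l)
        if m:
            key_type, psk = m.groups()
            if key_type == "0":
                findings.append("PSK present in cleartext (type 0) in the config")
            if len(psk) < 12:  # threshold chosen for this example
                findings.append("PSK is only %d characters; a captured 4-way handshake "
                                "invites an offline dictionary attack" % len(psk))
    if "no shutdown" not in lines:
        findings.append("WLAN is shut down")
    return findings


def audit_config(config):
    """Audit every wlan stanza in a running-config."""
    return {name: audit_wlan(lines) for name, lines in parse_wlans(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run it against a `show running-config` dump to get the same findings across every WLAN at once; replacing `ciphers tkip` with `ciphers aes`, as the reply suggests, clears the cipher findings but not the PSK ones.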

  • 802.1x authentication with mac address

    Hi guys,
    there is a strange requirement from one of our customers:
    they want us to do 802.1x with MAC address authentication, and they don't want the pop-ups which ask
    for username, password and domain.
    Is it possible?
    Can I avoid the username/password pop-up with 802.1x, and that too with a MAC address?
    Any help would be greatly appreciated.
    Thanks
    Jvalin

    Hi,
    The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it takes the MAC address of the machine as the username without any prompt for username and password.
    A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would then only respond to MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in its IOS.
    For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    Regards,
    Kush
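
The reply above describes what MAB does at the port; what it puts on the wire is an ordinary RADIUS Access-Request in which User-Name and User-Password are both the client's MAC, which is also why it can be entered into ACS as a "user" as in the first answer on this page. The Python below is an added example, not switch or ACS code: it builds and parses such a request and applies the RFC 2865 section 5.2 User-Password hiding with the shared secret. The attribute formats used (lower-case MAC without separators as User-Name, hyphenated upper-case Calling-Station-Id, Service-Type Call-Check = 10) are what Cisco IOS switches typically send and are assumptions here; confirm them from a capture on your own platform. The MAC and shared secret are constructed values.

```python
import hashlib
import os
import struct

# RADIUS attribute types from RFC 2865
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
ACCESS_REQUEST = 1
CALL_CHECK = 10  # Service-Type a Cisco switch sends for MAB (assumed, see lead-in)


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    the first 'previous block' being the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: anyone holding the shared secret and the
    packet recovers the password (trailing NUL padding is stripped)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """One attribute-value pair: type, total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_mab_request(mac12, secret, identifier, authenticator=None):
    """Access-Request as a NAS sends it for a MAC-authenticated client."""
    authenticator = authenticator or os.urandom(16)
    mac = mac12.encode()
    calling = "-".join(mac12[i:i + 2] for i in range(0, 12, 2)).upper().encode()
    attrs = (avp(USER_NAME, mac)
             + avp(USER_PASSWORD, hide_password(mac, secret, authenticator))
             + avp(SERVICE_TYPE, struct.pack("!I", CALL_CHECK))
             + avp(CALLING_STATION_ID, calling))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_request(packet):
    """(code, identifier, authenticator, {attr_type: [values]}) from raw bytes,
    rejecting length fields that do not match the packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return code, identifier, authenticator, attrs


def credential_from_capture(packet, secret):
    """What someone holding the shared secret learns from one captured request."""
    _, _, auth, attrs = parse_request(packet)
    name = attrs[USER_NAME][0].decode()
    password = reveal_password(attrs[USER_PASSWORD][0], secret, auth).decode()
    return name, password


if __name__ == "__main__":
    pkt = build_mab_request("001a2b3c4d5e", b"s3cret", identifier=7)
    print(pkt.hex())
    print(credential_from_capture(pkt, b"s3cret"))
```

The reveal half makes the security point the reply leaves implicit: the "password" is the client's own MAC address, which every frame it transmits carries in the clear, so MAB is an inventory control rather than authentication of the device, and a machine spoofing a MAC from the database is admitted without ever seeing a prompt either.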

  • 802.1x peap mschap v2 with MAC Filter + IP Address Permanent

    Hi, my name is Ivan and I have an issue.
    I have one Cisco WLC 5508 running 7.4.100 with an SSID that is working with 802.1x PEAP MSCHAPv2 with MAC filter, and I need to configure, on the WLC web page under Security > MAC Filter, a MAC and one permanent IP address for the users.
    I have the DHCP service on the WLC for this profile.
    This configuration works fine for 3 or 4 days. On the fifth day my users renew their IP address and they can no longer surf the Internet, because in my firewall I have a policy for the users with their exact IP address, for example:
    MAC Filter - IP Address A - UserA
    My policy says:
    PolicyUserA - Internet
    Can I establish a MAC filter associated with one permanent IP address for one user while the DHCP service on the Cisco WLC is active?
    Is it possible to do?
    How can I do it?

    Hi Ivan,
    You cannot map MAC/IP address pairs on the WLC DHCP.
    The WLC has limited DHCP server functionality. You are better off using an external DHCP server with full functionality; then you can configure the DHCP server to provide the same IP address every time to each client in your network.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thank you very much :-)
    Best Regards,
    Niels J. Larsen

  • 802.1x PEAP Windows 2008 NPS Certificate

    I've set up a centrally switched SSID on a 5508 WLC utilising 802.1x PEAP authentication to a pair of Windows 2008 NPS servers which authenticate the PEAP username and password against our Active Directory domain.
    Currently the Windows 2008 NPS servers are utilising a server certificate issued from our internal Certificate Authority, with the certificate being presented to the device upon connection depending upon which server the WLC sends the authentication to. The server names on the internally issued certificates are in the form of:
    Server01.domain.local
    Server02.domain.local
    Because these are internally issued certificates, when some devices, specifically Apple iPads and iPhones, connect to the SSID initially they are prompted to accept the certificate, but it is listed as not verified as it is issued by an internal domain CA and not an external root certificate authority.
    I am going to be obtaining an external root CA issued certificate for both servers to replace the internally issued certificates. However, I notice that, using the internal certificate, if I connect a device to the SSID and accept the certificate of the server with certificate name server01.domain.local, and then disable the ability for clients to connect to server01, the WLC will automatically forward the authentication to the next server on the list; as this server presents a different certificate, "server02.domain.local", devices which perform certificate validation fail to connect because the certificate does not match the previously accepted certificate.
    Does anyone know a way around this?
    Will adding, say, server02.domain.local as an additional name to the certificate for server01.domain.local resolve this issue?

    Hi,
    Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
    More information:
    Renew a Certificate
    http://technet.microsoft.com/en-us/library/cc730605.aspx
    NPS Server Certificate: Configure the Template and Autoenrollment
    http://msdn.microsoft.com/en-us/library/cc754198.aspx
    Hope this helps.

  • WLC with 2 WLANs, 1 voice @ 2.4GHz and 1 data @ 5GHz 802.11n

    I have a WLC 4400 series and am using 1142n APs.  Am planning on adding Wireless IP Phones such as 7921/7925 as well as a couple 9971's.  Is it possible to have 2 WLANs, one to connect the voice endpoints to running @ 2.4GHz and another WLAN with a different SSID for data clients @ 5GHz?  All data clients have 802.11n NICs and can operate @ 5GHz.  I have enough APs so that the lessened range of 5GHz won't pose any issues.  Ideally I'd like to see connection rates in the 240mbps-300mbps range on the data clients with data throughput rates of 100mbps+ (I don't think this ought to be an issue, I'm aware that wireless is half-duplex and that connection rates do not necessarily indicate actual throughput rates).  I am also NOT a wireless expert.  I'm still fairly new to working with the WLC and the managed APs as such.  
    The reason for 2.4GHz and 5GHz simultaneously is that the voice endpoints are all 2.4GHz radios, I believe 802.11b/g.  I also want to keep voice clients separate.  This way, I believe I can optimize one WLAN for data clients without having them "suffer" so to speak by having to operate at a lower level as the voice clients.  Also, I want the voice separate for quality there (separate voice VLAN).  If I am correct, 802.11n data rates can also be achieved @ 2.4GHz, but only using the 20MHz as opposed to 40MHz width.  So I'd like one WLAN to be 2.4GHz, 20MHz (voice) and the other WLAN 5GHz, 40MHz (data).
    I'd like to have both WLANs broadcast from all the APs simultaneously.  Am I correct that such a configuration is possible with the WLC 4400 series and Aironet 1142n APs?  The WLC is running 7.0.240 btw, current stable.  I'm also starting with a clean config on the WLC.  All DHCP will be handled by an external DHCP server also.  Thank you very much for any suggestions/guidance on this.  Your thoughts are greatly appreciated!
    I'll be happy to supply any config information to assist with this, just let me know what is desired/useful.

    Thank you for your prompt response.  I only have 1 WLC, it is a 4402-50.  I believe that 7.0.240 is the most current release for that model.  I think anything higher I need to go to the WLC5508 (or vWLC?)
    Also, I wasn't aware that the 7921/25 were 5GHz, since they are both 802.11g.  Thank you for the information. 
    If I understand you correctly, I'm best creating 2 WLANs, but both at 5.0GHz for both data and voice?
    Also, sorry to confuse the issue further, but I was thinking about this after writing the original post: I'd like to also have a "guest" WLAN that supports both 2.4GHz and 5.0GHz for maximum client compatibility (as I have no way of knowing what type of WLAN NIC would be in guest devices).  Am I correct in assuming that I would create a separate WLAN for all of these, including a separate SSID?
    The part that is confusing me some now is the "AP Groups".  Do I leave a single "Default-group" and create multiple WLANs with that.  If I'm correct, this way I can push the WLANs and SSIDs out through all the WAPs in that group.  I want these WLANs to be available from any AP in the organization, not have some APs for one WLAN, other APs for another WLAN, etc.

  • 802.1X PEAP fails when using special characters in login

    I am using MS AD & NPS for 802.1X Enterprise authentication with PEAP (no client certificate - MS-CHAPv2 user credentials for login). This works fine for iOS devices on 8.1 (iPhone 5 and iPad mini) and 6.1.6 (iPhone 3GS) when the user has standard "English" ASCII characters in the username and password.
    However, when I introduce Unicode special accented characters in the login name or password, such as French é/ù or Spanish ñ, then after accepting the server cert authentication fails with "Incorrect username or password for <WLAN name>". Windows 7 and CentOS 6.5 laptops have no problem authenticating to the same setup with either "English" credentials or ones with special accented characters. I also tried an old iPod touch on an ancient software version and that fails too, so it's not something recently introduced.
    I tried using a different access point (TP-Link instead of Ruckus) and had exactly the same issue, so highly unlikely this is an AP issue.
    Then I set up FreeRADIUS and see exactly the same issue, so it's highly unlikely to be an MS AD/NPS issue.
    When comparing a working/failed authentication Wireshark packet capture on the NPS server, I see the failed attempt is missing the last 4 packets in the authentication exchange. The last packet sent is an Access-Challenge from the NPS server and no response from the iOS device, so the NPS server never even sends an Access-Reject. The iOS device appears to have decided it can't resolve the special characters and terminates the authentication attempt.
    To me this seems to be an Apple iOS software deficiency when using Unicode special characters in the username or password for 802.1X authentication?

    Enterprise support:
    Call enterprise support  (866) 752-7753  to create  a case ID number
    Get an account at
    http://developer.apple.com/  then submit a bug report to http://bugreporter.apple.com/
    Once on the bugreporter page,
       -- click on New icon
       -- See if you need to attach a log file or log files, clicking on Show instructions for gathering logs.  Scroll down to find the area or application that matches the problem.
       -- etc.
    Developers:
    "Submitting Bugs and Feedback
    Your feedback goes a long way towards making our products even better. With Apple Bug Reporter, you can submit bug reports or request enhancements to APIs and developer tools."
    https://developer.apple.com/bug-reporting/

  • 802.1x PEAP Machine Authentication with MS Active Directory

    802.1x PEAP Machine and User Authentication with MS Active Directory:
    I have a simple pilot test environment, with
    - Microsoft XP Client,
    - Cisco 2960 Switch,
    - ACS Solution Engine (4.1.4)
    - MS Active Directory on Win 2003 Server
    The Remote Agent (at 4.1.4) is on the same server as the MS AD.
    User Authentication works correctly, but Machine Authentication fails.
    Failed machine authentication is reported in the "Failed Attempts" log of the ACS SE.
    The Remote Agent shows an error:
    See Attachment.
    Without Port-Security the XP workstation is able to log on to the domain.
    Many thanks for any indication.
    Regards,
    Stephan Imhof

    Is host/TestClientMan.Test.local the name of the machine? What reason does the AAA server give for the failure?

  • WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

    I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x, authenticating against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates are not necessary on the client. The RADIUS server is Microsoft NPS and the WLC is a Cisco 5508.
    thanks !!!

    WPA and WPA2 are actually interim protocols that were used until the standardization of the IEEE 802.11i standard. The Wi-Fi Alliance decided that ratification and standardization of the 802.11i standard would take more time, so they came up with WPA.
    Now, WPA2 is the advanced version of WPA. WPA2 uses AES as its encryption algorithm, whereas WPA uses TKIP as its encryption mode, which in turn uses the RC4 encryption algorithm.
    WPA and WPA2 each come in 2 types:
    WPA/WPA2-PSK - This is mainly for small offices. It uses a Pre-Shared Key for authentication.
    WPA/WPA2-Enterprise - This uses a RADIUS server for authentication. It is an extension of 802.1x authentication, but with a stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
    Any authentication mechanism that involves a separate authentication server, like an ACS server, is called 802.1x authentication.
    EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x authentication by the RADIUS/TACACS server. A RADIUS server can authenticate a wireless client with various EAP methods.
    LEAP is one type of EAP. It uses a username and password for authenticating wireless clients. LEAP is Cisco proprietary.
    There are also EAP types which use other user credentials, like certificates, SIM etc., for authentication.
    The following document might clarify your doubts.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml
