WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates are not necessary on the client. The RADIUS server is a Microsoft NPS and the WLC is a Cisco 5508.
Thanks!!!

WPA and WPA2 are actually interim protocols that were used until the IEEE 802.11i standard was ratified. The Wi-Fi Alliance decided that ratification and standardization of the 802.11i standard would take more time, so they came up with WPA.
Now, WPA2 is an advanced version of WPA. WPA2 uses AES as its encryption algorithm, whereas WPA uses TKIP as its encryption mode, which in turn uses the RC4 encryption algorithm.
WPA and WPA2 each come in two types:
WPA/WPA2-PSK - This is mainly for small offices. It uses a Pre-Shared Key for authentication.
WPA/WPA2-Enterprise - This uses a RADIUS server for authentication. It is an extension of 802.1x authentication, but uses a stronger encryption scheme (WPA uses RC4 and WPA2 uses AES).
Any authentication mechanism that involves a separate authentication server, such as an ACS server, is called 802.1x authentication.
EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x authentication used by the RADIUS/TACACS server. A RADIUS server can authenticate a wireless client with various EAP methods.
LEAP is one type of EAP. It uses a username and password for authenticating wireless clients. LEAP is Cisco proprietary.
There are also EAP types which use other user credentials, such as certificates, SIM, etc., for authentication.
The following document might clarify your doubts.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

Similar Messages

  • EAP-PEAP and EAP-TLS on same switched network

    Hello,
    I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are historical, i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will be there.
    The AAA server is a Cisco ACS (4.2 or 5.1 - don't know yet).
    I've not tested this or so, but I don't think this will be an issue... because from a switch point of view, it is just passing EAP traffic to the RADIUS, and so the required services need to be made available on the RADIUS server... is that a correct assumption?
    Thanks,
    Guy

    You are right Guy, the switch just acts as an intermediary device. It just passes EAPOL packets between the ACS server and the client, and waits till the ACS server authenticates the client (internal DB, or external DB = AD, LDAP). You just need to enable EAP-TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last, make sure that your certificates at both sides are valid and signed by the CA.
    Good Luck,
    --Jean Paul

  • E61i, Acces point config with WPA2, EAP-PEAP and ...

    How can you activate AES encryption on a Nokia E61i?
    I'm running the 1.0633.62.05 firmware.
    In the documentation I've found, it is mentioned that I need to disable TKIP encryption, but this option is not available:
    • Select “WLAN security sett.”
    • In “WPA mode” choose EAP
    • In “TKIP encryption” choose Not allowed (thus enabling AES encryption)
    • Disable everything except EAP-PEAP
    • Highlight EAP-PEAP
    • Choose “EAP plug-in settings”
    They mention firmware above 2.xxx but this one is not available.
    Any hints?

    Hey all, it seems I have the same problem!!! I don't know what the problem is. I asked the guys in IT support at my school about this problem and they told me that the phone has to support PEAP-Enterprise in order to be able to connect. I don't know what that means, but if anyone can help here, it will be soooo respected!! I am using the new firmware, by the way. TKIP does not exist in the connection settings anywhere!!! And the message is exactly "Unable to Connect. WPA authentication failed" .... help help pleaseeeeeeeeeeeeeeeee

  • Cisco ISE - eap-peap and eap-tls

    Hi,
    Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
    I don't seem to get that working; I do, however, make the ISE application crash with my config, which is not the idea.
    If peap use this identity source, if tls use 'this certificate authentication profile'.
    Thx

    OK,
    so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
    The authentication policy was allowing EAP-TLS & EAP-PEAP.
    I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
    What I found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for user auth you use EAP-PEAP.
    In my setup, machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+Alt+Del, so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for the wireless settings.
    When the user then logs in, the user account authenticates using EAP-PEAP. I don't think you can authenticate both the logged-on user and the machine at the same time. Not with the native Windows supplicant anyway. Windows either sends an authentication request for the user or for the machine, but not both.
    Hope that helps.
    Mario

  • Accounting-Start and Accounting-Stop recorded on different RADIUS servers.

    1. If a NAS is configured to have a primary and a backup RADIUS server, to start with all the “Accounting-Start” records will be in the primary RADIUS server. Later on the primary server goes down (the primary server won’t tell the NAS?). When sessions stop, the NAS sends the “Accounting-Stop” to the secondary. I understand the “Start-Stop” records with the same “user name” and “session-id” ideally should be recorded in the same server. If this situation happens, what should both the NAS and the RADIUS server do?
    2. A NAS is configured to have a primary and a backup RADIUS server. To start with, all the “Accounting-Start” records will be in the primary RADIUS server. Later on the administrator decides to change the primary server (as there are problems with the previous primary). When sessions stop, the NAS sends the “Accounting-Stop” to the new primary. This ends up with the “Accounting-Start” and “Accounting-Stop” with the same “user name” and “session Id” in two RADIUS servers.
    To summarize, how to avoid the “start-stop” pair ending up in different servers? If it does, is it an issue for the RADIUS application?
    Cheers,

    It is my understanding that the 'NAS_PORT' values in authentication and accounting requests are unique, and a different value for each authentication request allows it to identify those users that are logged in. However, sending one Acct-Unique-Session-Id at the Start and a different one at the Stop does sound fishy. However, I could not find any bugs related to this problem. Do let me know if you manage to locate something.
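An added reconciliation script, not part of this thread, that pairs Accounting-Start and Accounting-Stop records across the exported logs of both servers and flags the split and orphaned sessions described in the question. The records are constructed samples; the server names primary and secondary and the record layout (RFC 2866 attribute names, one dict per record) are assumptions.

```python
"""Reconcile RADIUS Accounting-Start/Stop pairs that may land on different servers.

Assumed input: each server's accounting log already parsed into dicts of RADIUS
attributes (constructed sample data below; attribute names follow RFC 2866).
"""
from dataclasses import dataclass, field

# Constructed sample records: the primary held all Starts, then the NAS failed over
# (or was repointed) to the secondary, so some Stops arrive there instead.
PRIMARY_LOG = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Acct-Session-Id": "0000001A",
     "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": "Stop", "User-Name": "alice", "Acct-Session-Id": "0000001A",
     "NAS-IP-Address": "192.0.2.10", "Acct-Session-Time": "1800"},
    {"Acct-Status-Type": "Start", "User-Name": "bob", "Acct-Session-Id": "0000001B",
     "NAS-IP-Address": "192.0.2.10"},
    {"Acct-Status-Type": "Start", "User-Name": "carol", "Acct-Session-Id": "0000001C",
     "NAS-IP-Address": "192.0.2.10"},
]
SECONDARY_LOG = [
    {"Acct-Status-Type": "Stop", "User-Name": "bob", "Acct-Session-Id": "0000001B",
     "NAS-IP-Address": "192.0.2.10", "Acct-Session-Time": "600"},
    {"Acct-Status-Type": "Stop", "User-Name": "dave", "Acct-Session-Id": "0000001D",
     "NAS-IP-Address": "192.0.2.10", "Acct-Session-Time": "42"},
]


@dataclass
class Reconciliation:
    complete: dict = field(default_factory=dict)      # key -> (server, session seconds)
    split: dict = field(default_factory=dict)         # key -> (start server, stop server, seconds)
    orphan_start: dict = field(default_factory=dict)  # key -> server holding the lone Start
    orphan_stop: dict = field(default_factory=dict)   # key -> server holding the lone Stop


def session_key(rec):
    """Acct-Session-Id is only unique per NAS, so key on NAS + user + session id."""
    return (rec["NAS-IP-Address"], rec["User-Name"], rec["Acct-Session-Id"])


def reconcile(server_logs):
    """server_logs: {server_name: [record, ...]} merged across all RADIUS servers."""
    starts, stops = {}, {}
    for server, records in server_logs.items():
        for rec in records:
            key = session_key(rec)
            status = rec.get("Acct-Status-Type")
            if status == "Start":
                starts.setdefault(key, server)   # first Start wins; retransmits are ignored
            elif status == "Stop":
                stops.setdefault(key, (server, int(rec.get("Acct-Session-Time", 0))))
            # Interim-Update / Accounting-On / Accounting-Off add no pairing information here
    result = Reconciliation()
    for key in starts.keys() | stops.keys():
        start_server = starts.get(key)
        stop = stops.get(key)
        if start_server and stop:
            stop_server, secs = stop
            if start_server == stop_server:
                result.complete[key] = (start_server, secs)
            else:
                result.split[key] = (start_server, stop_server, secs)
        elif start_server:
            result.orphan_start[key] = start_server
        else:
            result.orphan_stop[key] = stop[0]
    return result


def main():
    r = reconcile({"primary": PRIMARY_LOG, "secondary": SECONDARY_LOG})
    for label, bucket in (("complete", r.complete), ("split", r.split),
                          ("orphan Start", r.orphan_start), ("orphan Stop", r.orphan_stop)):
        for key, info in sorted(bucket.items()):
            print(f"{label:13} user={key[1]} session={key[2]} -> {info}")


if __name__ == "__main__":
    main()
```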

  • Connecting myRIO to WiFi with WPA2 Enterprise EAP-TTLS

    Hey guys,
    I'm struggling to connect my myRIO to the eduroam wifi on campus. It worked for a time, but now it suddenly just doesn't.
    The network runs an EAP-TTLS (or PEAP) authentication, MSCHAPv2 as the inner authentication and a GT UserTrust Global Root certificate. When I first got it working I just set it up in MAX and uploaded the certificate; when that stopped working I've tried just about everything, including editing the wpa_supplicant locally on the myRIO.
    To put it short, I'm stumped at this, and the fact that it worked for a while doesn't help O.o
    Cheers,
     Bjørn

    Hi bjornsol,
    I managed to connect a wireless cDAQ to eduroam by:
    • Uploading the certificate in MAX
    • Entering the user name and network secret for PEAP, IP address set to "DHCP or Link Local"
    I can also confirm successfully accessing the device from an eduroam-connected computer. Remember to configure a password for your device; it will otherwise be accessible to other eduroam users.
    Ask the IT department at your university for a valid certificate. I downloaded this certificate from the KTH eduroam web page, not sure it will work for you if you are registered at another university.
    If this doesn't work for you, please upload a screenshot from MAX when trying to connect to the network.
    Best regards,
    Robert P-F
    Applications Engineer
    National Instruments Sweden

  • Has anyone succeeded to connect on WPA2 Enterprise personal wifi and used AirPlay?

    I have an ATV 2 and I have been trying to connect to the wifi of my college.. has anyone succeeded? I have filled out the options and it says it succeeded in installing it through Apple Configurator, but when I plug it in to the TV it says it's offline.. I also tried to let it be connected to a hotspot from my iPhone while I installed it on my Mac..
    I updated to the last version - 6.0.2 I believe..
    help is appreciated, thx

    They can add the MAC address of the device to their allowed list of devices on the network so that no login is required. Whether they will do this or not is a completely different matter.
    If they will not, then the other option is to see if they will allow you to connect a router to their network, essentially creating your own personal network inside the school's network.

  • Certificate renewal with WPA2-Enterprise PEAP MS-CHAPv2

    Hello
    We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
    The clients are non-managed and of all varieties (OS, wifi software, ...).
    The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
    What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
    Thanks
    Patrick

    Hello Patrick,
    As per your query I can suggest you the following steps:
    Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
    The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
    For more information you can refer to the link-
    http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
    Hope this will help you.

  • IPhone (and Mac) 802.1x WPA2-Enterprise fail

    Large enterprise with lots of access points (Cisco AIR-AP-1131) using RADIUS authentication going back to Windows (2k3) servers running IAS. WPA2-Enterprise.
    Windows devices are able to authenticate fine. Our servers do present an authentication certificate. No certs are required on clients.
    When Macs and iPhones try to connect, they are able to successfully authenticate (username/password successfully passed to RADIUS and is accepted), and the client device then asks if we want to accept the server certificate. We do, but we never get an IP address from DHCP.
    If we configure a static IP on the client device, it associates but is unable to communicate with anything.
    This seems to only happen with Apple devices.
    Any ideas? We've tried this with multiple Apple devices running multiple versions of iOS and MacOS.

    Fixed. Our Cisco APs were configured with WPA2 but were using TKIP encryption only. Enabled AES, and blammo - works.

  • 802.1x EAP-PEAP over Ethernet need help !!!

    I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours troubleshooting this, I am not sure what else to do. Need help. Here is the scenario:
    - Cisco Catalyst 3350 switch running IOS version c3550-ipservicesk9-mz.122-44.SE6.bin,
    - Steel-Belted/Juniper RADIUS server version 6.1.6 on a Windows 2003 server with IP address 129.174.2.7. This device is connected to the same switch above. Firewall is OFF on the server, allow ALL.
    - Windows 2003 Enterprise Server supplicant with the latest service pack and patches. Again, firewall is OFF on the server, allow ALL. Juniper has verified the configuration settings on the supplicant machine. The supplicant has a static IP address of 129.174.2.15, same subnet as the RADIUS server. I just want to enable EAP-PEAP so that the user is forced to authenticate before the port is activated to be "hot".
    - Juniper TAC has verified the configuration on the Steel-Belted RADIUS for EAP-PEAP and that everything is looking fine. I have verified that the switch can communicate fine with the RADIUS server.
    - Configuration on the switch for 802.1x:
    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
    interface FastEthernet0/39
      description windows 2003 Supplicant
      switchport access vlan 401
      switchport mode access
      dot1x port-control auto
      no spanning-tree portfast (does not matter if this is enabled or disabled)
    lab-sw-1#
    .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
    .May 20 07:52:47.338: EAPOL pak dump Tx
    .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
    .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
    .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    lab-sw-1#
    lab-sw-1#sh dot1x interface f0/39
    Dot1x Info for FastEthernet0/39
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    Violation Mode            = PROTECT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    lab-sw-1#
    I am at a complete loss here. I don't know what else to do. Someone with expertise in this realm, please help me make this work.
    Many thanks in advance,

    #1:  dot1x system-auth-control is already in the switch configuration
    #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
    The case is being worked on by Cisco TAC. One of the issues is that the Windows 2003 server supplicant refuses to work. The Windows XP supplicant uses machine authentication instead of user authentication. Cisco TAC is looking into this issue.
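The switch debug above shows only the outbound EAP-Request/Identity (id 2, sent to mac 0000.0000.0000) and no supplicant reply. An added decoder, not from this thread, that parses EAPOL and EAP headers per IEEE 802.1X and RFC 3748 so such debug bytes can be read field by field; the sample frame is built from the debug's hex values, while the identity string and the PEAP (type 25) request are constructed examples.

```python
"""Decode 802.1X EAPOL/EAP frames like the ones in the switch's dot1x-packet debug.

Added example, not from the thread. Field layouts follow IEEE 802.1X (EAPOL) and
RFC 3748 (EAP); the sample frame is constructed from the debug's hex values.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed from the debug lines "EAPOL Version: 0x2 type: 0x0 length: 0x0005" and
# "EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1": the switch's EAP-Request/Identity.
SWITCH_REQUEST_IDENTITY = bytes.fromhex("02000005" "01020005" "01")


@dataclass
class EapolFrame:
    version: int
    packet_type: str
    eap_code: Optional[str] = None
    eap_id: Optional[int] = None
    eap_type: Optional[str] = None
    identity: Optional[str] = None   # only for a Response/Identity from the supplicant


def parse_eapol(data: bytes) -> EapolFrame:
    """Parse an EAPOL frame (after the Ethernet header) and its EAP payload, if any."""
    if len(data) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, body_len = struct.unpack("!BBH", data[:4])
    body = data[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError(f"EAPOL body truncated: header says {body_len}, got {len(body)}")
    frame = EapolFrame(version, EAPOL_TYPES.get(ptype, f"unknown({ptype})"))
    if ptype != 0:               # Start/Logoff/Key carry no EAP packet
        return frame
    if body_len < 4:
        raise ValueError("EAP header truncated")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len < 4 or eap_len > body_len:
        raise ValueError(f"EAP length {eap_len} inconsistent with EAPOL body {body_len}")
    frame.eap_code = EAP_CODES.get(code, f"unknown({code})")
    frame.eap_id = ident
    if code in (1, 2) and eap_len >= 5:          # Request/Response carry a Type byte
        etype = body[4]
        frame.eap_type = EAP_TYPES.get(etype, f"unknown({etype})")
        if etype == 1 and code == 2:
            frame.identity = body[5:eap_len].decode("utf-8", errors="replace")
    return frame


def build_eap_packet(code: int, ident: int, etype: int, payload: bytes = b"") -> bytes:
    """Build an EAPOL EAP-Packet frame, e.g. the supplicant's Response/Identity."""
    eap = struct.pack("!BBHB", code, ident, 5 + len(payload), etype) + payload
    return struct.pack("!BBH", 2, 0, len(eap)) + eap


def describe(data: bytes) -> str:
    """One-line summary, or 'malformed: ...' so a log scanner never crashes on bad frames."""
    try:
        f = parse_eapol(data)
    except ValueError as exc:
        return f"malformed: {exc}"
    if f.eap_code is None:
        return f"EAPOL v{f.version} {f.packet_type}"
    text = f"EAPOL v{f.version} EAP {f.eap_code} id={f.eap_id}"
    if f.eap_type:
        text += f" type={f.eap_type}"
    if f.identity is not None:
        text += f" identity={f.identity!r}"
    return text


if __name__ == "__main__":
    print(describe(SWITCH_REQUEST_IDENTITY))                            # what the switch sent
    print(describe(build_eap_packet(2, 2, 1, b"alice@corp.example")))   # reply the debug never shows
    print(describe(build_eap_packet(1, 3, 25)))                         # server proposing PEAP next
```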

  • Issues with IOS and WPA2 Enterprise

    Hi,
    Done a lot of searching on this, but can't find anything useful!
    I've got a network running WPA2 Enterprise using AES and PEAP/EAP-MSCHAP-V2.
    For some reason, all our Apple iOS devices connect to the network fine and are able to accept the server certificate, but can't seem to access anything over the network, such as the internet, once connected. I'm currently testing an iPad mini with iOS 7.0.4.
    I have other devices such as laptops and Windows Phone 8 devices, and everything works fine.
    Am I missing something here? What could be causing the iOS devices to stop accessing the network?
    Cheers,
    Carl.

    I just found this on the frontline support site, I believe my question has been answered:
    Important Notice
    iOS Devices
    Apple has made a change to the PushMagic or UnlockToken values in that they may differ in size to previous values. This can cause issues with iOS devices being able to connect to the Afaria server as the current database field size is not adequate to facilitate the variable length of this value.
    There is an Apple issue that we have found in our testing that occurs when iOS devices are enrolled. This issue fails a check when the enrollment payload is inspected and the signing cannot be read. SAP believes Apple will fix this issue prior to iOS 7.1 being released but we are working on a patch that will address this issue shortly in case the fix does not make the iOS 7.1 GA release.
    Afaria will be providing a patch to address this issue that increases the size of the database column from 2K to 6K to accommodate this change.
    This issue is resolved in Service Pack 3 Hot Fix 39 and Service Pack 4 Hot Fix 3. Available now.

  • 802.1x/EAP clarification and implementation

    Dear Sir,
    To set up LEAP authentication using ACS, the client needs a supplicant such as the ACU to run LEAP independent of the OS.
    The Cisco AP will be the carrier of the EAP messages between the client and the RADIUS server, sitting between the client and the server. I know for a fact that Cisco APs support LEAP, PEAP, EAP-TLS, EAP-MD5 and EAP-SIM. From my understanding, those types of EAP mentioned earlier can be relayed to the RADIUS server (ACS), am I right?
    Does it mean that these messages are transparent from the AP point of view? If I replace the Cisco AP with another third-party access point that they claim supports 802.1x/EAP but they never specify the type of EAP protocol, can I still run LEAP with a third-party AP, though my client is Cisco and the RADIUS server is CSACS?
    What type of OS or supplicant supports EAP-MD5? I know that Windows XP and 2000 support an 802.1x driver; what about the EAP protocols supported on XP and 2000?
    Thanks.
    Delon

    I think the following document will clear most of your doubts,
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008019fea2.shtml

  • EAP-TLS and EAP-PEAP Clients

    Hi guys
    I have installed a dot.1x solution for a customer using ISE. The IP phones have a certificate from the CUCM server. In the ISE a wired dot.1x policy with EAP-TLS enabled is configured so that when IP phones or PCs connect to the network they get authenticated using EAP-TLS. I have the required certificates imported on the PCs and the ISE server. That part works absolutely fine.
    Now I have been asked to configure EAP-PEAP for video endpoints which don't support EAP-TLS.
    The endpoints are configured with a username and password. The credentials are created in the ISE server.
    I created a second policy for wired dot.1x with EAP-PEAP enabled.
    The problem I am hitting is that if the PC and phone policy is on top, the phone and PC get authenticated, but the video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
    When I move the video endpoint authentication rule above the PCs and phones, the video endpoints get authenticated successfully, but PC and phone authentication breaks. The error message I receive says username and password expected but received a certificate-based authentication.
    Has anyone seen this type of scenario? Any idea how to make EAP-PEAP and EAP-TLS authentication work together?
    Thanks in advance.
    Sent from Cisco Technical Support iPad App

    Hi,
    There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
    You need to create an identity store sequence. This allows you to mix both certificate-based and password-based authentications; keep in mind that you can only map one Certificate Authentication Profile when using identity store sequences. More information about configuring this is provided below:
    http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
    The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x/EAP-TTLS and EAP Certificate Policies

    Hello,
    I am having a hard time with 802.1x authentication against a radius server I manage. Every time I try to connect, I get a pop up about certificate verification - the certificate cannot be verified because there are no explicit trust settings. This system is to be used to authenticate people on a wireless network we are setting up. The machines and people being authenticated are not managed - I do not have the ability to force a configuration on their computer.
    After researching this, it looks like OS X has certificate policies that are consulted depending on the certificate operation requested. For 802.1x, I think the EAP certificate policy and the X.509 basic policy are consulted. These policies are outlined here.
    The problem is that when I get the certificate popup and hit 'View Certificate', I don't see anything that would explain why it is not being verified. Both the server certificate and the CA root certificate are listed as valid. There are no messages about insufficient extended key usage values or hostname mismatches or anything. How can I tell what is actually wrong?

    I was hoping this could be accomplished without having to change the trust settings from whatever the default is. The people who will ultimately be using this are students and staff at a University - a moderate number of which are bothered by any appearance of lower security.
    The root cert is in X509Anchors. The certificate CN is the IP address and the RADIUS server does not have a PTR record in the DNS server.
    If I point Firefox at a website set up on the same machine with the same certificate, there are no complaints. If I use Safari, there is an error about the names not matching but the name listed on the cert according to Safari is the same name I typed in the address field and the same name listed in the ServerName configuration of the web server.
    Just kind of a weird problem.

  • 802.1X EAP-PEAP with Apple devices

    We have deployed a variety of wireless networks using Cisco WLCs (2504, 5508 and Virtual WLCs) with (1550e, 1260, 2602) access points, and we have been unable to get Apple devices to successfully authenticate to corporate SSIDs that use 802.1X against a Microsoft IAS server. We have spent numerous hours building different profiles with OS X Server and other profile configuration utilities with no luck.
    Apple devices authenticate just fine to corporate SSIDs if we use autonomous access points using 802.1x against the same Microsoft RADIUS server, but continue to fail when we attempt the same through any of the WLC options referenced above.
    Can anyone shed some light on this issue? It seems that RADIUS requests only show up in the IAS logs when something is entered in the "outer identity" field.
    Thanks in advance.
    Ivan Chacon

    Complete these steps to troubleshoot the configurations:
    1. Use the debug lwapp events enable command in order to check if the AP registers with the WLC.
    2. Check if the RADIUS server receives and validates the authentication request from the wireless client. Check the NAS-IP-Address, date and time in order to verify if the WLC was able to reach the RADIUS server. Check the Passed Authentications and Failed Attempts reports on the RADIUS server in order to accomplish this.
    3. You can also use these debug commands in order to troubleshoot AAA authentication:
    • debug aaa all enable—Configures the debug of all AAA messages.
    • debug dot1x packet enable—Enables the debug of all dot1x packets.
    Here is a sample output from the debug 802.1x aaa enable command:
    (Cisco Controller) >debug dot1x aaa enable
    4. Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials. Click Monitor in order to check the logs from the WLC GUI. From the left-hand side menu, click Statistics and click Radius server from the list of options.
    This is very important because in some cases the RADIUS server never receives the user credentials if the RADIUS server configuration on the WLC is incorrect.
    This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:
    You can use the show wlan summary command in order to recognize which of your WLANs employ RADIUS server authentication. Then you can view the show client summary command in order to see which MAC addresses (clients) are successfully authenticated on RADIUS WLANs. You can also correlate this with your RADIUS attempts or failed attempts logs.
    • Verify on the controller that the RADIUS server is in the active state, and not on standby or disabled.
    • Use the ping command in order to check if the RADIUS server is reachable from the WLC.
    • Check if the RADIUS server is selected from the drop-down menu of the WLAN (SSID).
