Z10 802.1x Authentication Issue

Similar Messages

• 802.1X Authentication issues when moving between switch ports

  Hi Guys,
  We are having some issues at our office where when users move from one switch to another, the 802.1X authentication does not want to take place. The PC just gets an APIPA address. Now I have read about features that MAC Move and MAC replace but they seem to be used when moving from one port a switch to another port on that same switch. Will MAC move help for issues between switches? And should I focus my attention on the switch's configuration or have a look at the NPS server that might be blocking that authentication as the user is already authenticated?
  My configuration we have on the switch ports look as follows:
  authentication host-mode multi-domain
  authentication order dot1x mab
  authentication priority dot1x mab
  authentication port-control auto
  dot1x pae authenticator
  Your help is greatly appreciated.
  Grant

  Hi Neno,
  Thanks for the reply. We are using NPS on a Server 2008 R2 virtual machine. The switches are stacked 2960S-48FPS-L running 15.0(2)SE. I will quickly do the debugs and get back to you.
  Here is the config:
  aaa group server radius customer-nps
   server name radius1
   server name radius2
  aaa authentication dot1x default group radius
  dot1x system-auth-control
  radius server radius1
   address ipv4 172.28.130.52 auth-port 1645 acct-port 1646
   key 7 05392415365959251C283630083D2F0B3B2E22253A
  radius server radius2
   address ipv4 172.28.131.52 auth-port 1645 acct-port 1646
   key 7 107C2B031202052709290B092719181432190D000C
  interface GigabitEthernet1/0/1
   switchport access vlan 300
   switchport mode access
   switchport voice vlan 2
   srr-queue bandwidth share 1 30 35 5
   queue-set 2
   priority-queue out
   authentication host-mode multi-domain
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication periodic
   authentication timer reauthenticate 28800
   authentication timer inactivity 1800
   mab
   no snmp trap link-status
   mls qos trust cos
   dot1x pae authenticator
   auto qos trust cos
   storm-control broadcast level 1.00
   storm-control multicast level 1.00
   spanning-tree portfast
   spanning-tree bpdufilter enable

• WLC, ISE certificate authentication issue

  Hi Folks,
  This is the setup:
  Redundant pair of WLC 5508 (version 7.5.102.0)
  Redundant Pair of ISE (Version 1.2.0.899)
       The ISE servers are connected to the corporate Active Directory (the AD servers are configured as external identity sources)
       There is a rule based authentication profile which queries the AD identity source when it receives wireless 802.1x authentication requests.
  A corporate WLAN is configured on the WLC:
  L2 security WPA+WPA2 (AES Encryption), ISE server 1 and 2 configured as the AAA Authentication servers.
  This is all working correctly - I associate to the Corp WLAN (Authentication WPA2 enterprise, encryption AES CCMP, 802.1x auth MS-CHAPv2 using AD credentials) ... I can see the authentication request being processed correctly by the ISE, and I get access to the network.
  The client I am working for wants to restrict access to the WLAN to users who have been allocated a certificate from the corporate CA, and this is where I am having issues.
  I took a test laptop, and requested a new certificate (mmc, add snapin, certificates, current user, personal, request new cert).   
  The cert that was issued was signed only by a Corporate AD server with CA services (there is nothing in the certification path above the cert I was issued, apart from the issuing server itself).   I changed the security settings of my connection to the corp wlan (using TLS instead of mschapv2, and pointing to the certificate I requested)
  Initally authentication failed because the ISE did not trust the CA that provided my certificate (the ISE radius authentication troubleshooting tool had this entry: '12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain').
  I exported the issuing CA's root certificate (followed this process http://support.microsoft.com/kb/555252), and imported the cert into ISE (administration, system, certificates, certificate store, import) - status of the cert is enabled, and it is trusted for client auth.
  After I did this, I could no longer associate to the Corp WLAN.  
  My laptop's wireless management software logs were filled with messages saying that the authentication server did not respond.   
  The ISE troubleshooting tool reported no new failed or successful authentication attempts.   
  Strangely though, the WLC log had a lot of entries like this: 'AAA Authentication Failure for UserName:host/laptop_asset_tag.corp.com User Type: WLAN USER'.
  It looks like the WLC is trying to locally authenticate my session when I use TLS, rather than hand off the authentication request to the ISE.    Other users who authenticate using their AD credentials only (as I described above) can still authenticate ok.
  Anyone able to shed some light on where I have gone wrong or what additional troubleshooting I can do?
  Thanks in advance,
  Darragh

  Hi,
  I had the same issue with microsoft CA and running ISE 1.1.4. The CA file was "corrupted", but you didn't see it at first glance. You can verify if the client CA matches the root CA via openssl.
  Try to export the root CA and the issuing CA in a different format (Base64), import both root and issuing into ise and check if that works. Also check if "Trust for client authentication or Secure Syslog services" in the Certificate Store -> CA -> Edit, is set.
  If this does not work, try to import the CA into another system and export it, then import into ISE.
  Regards,

• Cisco IP Phone 802.1x authentication with NPS

  Hi All,
  I would like to configure 802.1x authentication on both my Cisco ip phones and windows clients using NPS. So far i have tested the clients and it works however I am not finding any information on if NPS supports 802.1x on ip phones. Has anyone done a similar
  deployment using NPS. So far I am only seeing cisco ACS server being used as the policy server.

  Hi,
  Based on my research, it seems that you may enounter issues related to username(Basically Mircosoft only allows a 20 character user name, while the user name of the phone exceeds the 20 character limit and causes it to fail.) and certificate schema when
  configuring 802.1x authentication for Cisco IP phones.
  Best regards,
  Susie
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• 802.1x Authentication on Wired and Wireless LAN

  I have successfully configured 802.1x authentication on wired and wireless Lan. We have Cisco Switches, ACS SE and Windows AD.
  But i have one issue regarding the Single Sign on while authentication using the 802.1x with Windows Active directory the users that are login first time not able to logon but the users that have their profiles already existed in their PC then there is no issue and they successfully authenticated and login easily.
  Is there any way of login successfully for the users first time using 802.1x authentication with Windows AD like a Single Sign On?

  We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
  At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
  Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
  Hope that someone else has any clue?

• Windows 7 – 802.1x Authentication fails after wakeup from Sleep/Hibernation

  In our environment we randomly have issues with 802.1x authentications after Sleep or Hibernation of our client-systems.
  Clients have Windows 7 as OS and are up-to-date regarding regular updates/patches. Drivers (at least
  network and chipset) on affected machines have also been updated.
  802.1x authentication method is PEAP (EAP-MSCHAPv2) and systems are validated
  against Active Directory by RADIUS.
  Analyzing the logs of our RADIUS-Server you can see that the client trys to authenticate
  via MAC instead of its DNS-Name/FQDN (desired method). So the request fails and the client is assigned to a different VLAN without access to the company’s resources. Following steps like DHCP work correctly.
  We have enabled the tracing of RAS-components on some of our clients by executing the following command-line: netsh ras set tracing
  * enabled
  Analyzing the client’s log-file “C:\Windows\tracing\svchost_RASCHAP.LOG” it looks like that the
  component is simply not up at that point in time, because there are absolutely no entries making it impossible to search for a specific error/error-code. Side-fact: unplugging the network-cable and plugging it in again forces the client to
  authenticate again – successfully and with entries in the given log.
  There has been an article KB980295 describing my issue but that does not apply to Windows 7. Hotfix KB2736878 cannot be applied (0x80240017
  - install is not needed because no updates are applicable).
  Does anyone have an idea how you could force the component to initialize earlier (if it is possible at all)?
  Any other advice is highly appreciated as well!
  Thanks a lot

  Hi Deason,
  sorry for my very very late reply on this.
  Even if I could not solve the problem yet, I can tell about some progress.
  As both KB-Files (980295 and 2481614) sadly did not help with this at all and even setting the blockperiod to 1 (I saw that 0 doesn't seem to be supported here: https://technet.microsoft.com/en-us/library/hh831813.aspx) didn't make any difference I
  have been working on how to reproduce the issue. So I wrote a tiny script disabling and enabling the client's network-port on and on (I have removed outputs and logging to keep it short):
  $doAllTheTime = $true
  $i = 0
  $DomainName = (Get-WmiObject -Class Win32_ComputerSystem).domain
  $NWAdapter = Get-WmiObject -Class Win32_NetworkAdapter | ? {$_.name -like "*gigabit*"}
  while ($doAllTheTime -eq $true)
  $i++
  $NWAdapter.disable() | out-null; Start-Sleep -Seconds 10
  $NWAdapter.enable() | out-null; Start-Sleep -Seconds 10
  $ping = $null
  $ping = test-connection $DomainName -count 1
  if ($ping -eq $null)
  "Error with connection"; return
  So I kept it running and after a dozens of loops the issue reoccurred. I could see that it is the dot3svc-Service that does not response anymore by the RASCHAP-log given above. Restarting the service manually triggered a re-authentication that was then successful.
  So I added the restart-service-cmdlet to my script in case that the error was detected and configured a Scheduled Task triggered by the event that a network-cable has been plugged in (has to be provided by the driver). Script and Scheduled Task
  have then been deployed to our clients.
  Even if this is no solution it definitely helps with a high rate of incidents -
  but not entirely... so I am still looking for further steps to
  solve this. Any ideas are highly appreciated.
  Thank you very much for your support!!! Uhle

• Send vlan via Radius with 802.1x Authentication

  Hi all.
  I am trying to set up 802.1x authentication using Windows XP Supplicant, Catalyst 2950 and FreeRadius as radius server.
  I can login correctly so I have the port in Authorized mode, but I can't download the vlan id through the radius server.
  Reading docs, I have found these attributes:
  cisco-avpair="tunnel-type(#64)=VLAN(13)"
  cisco-avpair="tunnel-medium-type(#65)=802 media(6)"
  cisco-avpair="tunnel-private-group-ID(#81)=2" (2 is my vlan id)
  but when I insert these into radius DB (I have also tryed with text file config...) I can see from Radius debugs that only the first one (cisco-avpair="tunnel-type(#64)=VLAN(13)" is passed in the access-accept packet.
  Here are some outputs:
  Sending Access-Challenge of id 80 to 128.0.0.21:1812
  Cisco-AVPair = "tunnel-type=VLAN"
  EAP-Message = 0x0101001604103ee52f729eb199689ef4fc77a18a6a08
  Message-Authenticator = 0x00000000000000000000000000000000
  State = 0xf88b9673c199cb13def96563250cf8a7
  I issued a "debug radius" on the switch Catalyst 2950 also, and the output is:
  02:49:39: RADIUS: Received from id 73 128.0.0.243:1812, Access-Accept, len 129
  02:49:39: Attribute 26 75 0000000901457475
  02:49:39: Attribute 79 6 03010004
  02:49:39: Attribute 80 18 1ABB3507
  02:49:39: Attribute 1 10 74657374
  02:49:39: RADIUS: EAP-login: length of eap packet = 4
  02:49:39: RADIUS: EAP-login: radius didn't send any vlan
  so I can see that radius is not sending anything about vlan...
  Has anyone alredy tried this set up?
  Thank you in advance.
  Massimo Magnani.

  OK, so I may have glossed over that before. From your debug post, you had:
  Cisco-AVPair = "tunnel-type=VLAN"
  Unless I'm missing something, that looks like a VSA (or RADIUS Attribute [26\9\1].
  You don't need VSAs for VLAN Assignment. You can do this with three standard RADIUS Attributes. Here they are (and an example of what they should look like):
  [64] Tunnel-Type – “VLAN” (13)
  [65] Tunnel-Medium-Type – “802” (6)
  [81] Tunnel-Private-Group-ID - "" OR ""
  They are defined in RFC 2868.
  Hope this helps,

• Trouble with 802.1x authentication

  Hello. I live in a dorm, and we connect to the Net over 802.1x authentication. Everything worked OK, until two days ago. Now I can no longer authenticate my Mac on the network and connect to the Net.
  I get the following error:
  "802.1X is unable to authenticate. It is possible that the configuration you have provided is invalid. If you are unsure about what configuration to connect with, check with your network administrator.
  (Error: 1 on port en0)"
  My configuration seems to be ok (I didn't change anything about it, it just stopped working), username and password are also correct. Also other computers can connect to the network, and my LAN card works normally otherwise, only it can't pass the 802.1x authentication :S I'm connected now over my LinuxBox which shares the connection to my Mac, so obviously my LAN card is not broken...
  What could be the problem?
  cheers!

  hi, if the problem still persists, have you tried clearing out any 802.1x profiles you have saved?
  Go to System Preferences > Network, click on Airport, choose Advanced, go to the 802.1x tab, look at the section on the left side that has User Profiles. Select the profile and hit the minus button at the bottom of the pane.
  A lot of these issues seem to be helped by clearing out any saved data about the wireless network, and setting it up manually again. We have seen many issues here at Notre Dame with Macs vs 802.1x. Hoping Apple makes it more reliable soon.

• 802.1x authentication on Macbooks running Lion..

  Hi Guys,
  I was wondering if anyone has experienced problems with 802.1x authentication on their Cisco Wifi network using Macbook Pro/Airs running Lion.
  We have..
  2x Controllers with WiSMs running 7.0.116.0
  A mixture of 1131 and 1142 APs..  ( APs mainly in HREAP mode with some APs located on the same local network as the Controller in Local Mode )
  Macbook Airs/ Pro running Lion
  The symptoms we are experiencing are very similar to those described in this thread.. https://supportforums.cisco.com/message/3485552
  In summary, we are finding that when our MacBooks are coming out of sleep/standby or roaming between APs, the devices get stuck during the 802.1x authentication process and will either get the self assigned 169 address or continuously try to authenticate.
  This can occasionally be solved by turning the wifi interface off and on or manually stopping and starting the 802.1x process on the Mac
  From reading various online forums, we have tried the following to resolve this..
  - Disabled WPA across our wifi network as we don't use it anymore.. We now just use WPA2 with AES and Dot1x authentication.
  - Disabled Client Load Balancing on the SSID configuration… this does not seem to have made things any better or worse although we are seeing more Load Profile threshold notification alerts for some of our APs which are used heavily.
  - The 802.1x time out is currently set at 20secs.
  - Some APs which are in Local mode ( due to them being on the same local network as our wifi controllers ) have been changed to HREAP mode and assigned a static IP address.. We found that this was required at our spoke sites where we were originally experiencing issues with our old Windows based devices.. Incidentally, we have not experienced any of these delayed authentication issues with our Window laptops, all our problems seem to be with our MacBooks running Lion..
  As I mentioned earlier, there seems to be many discussions online regarding problems with the Lion OS and 802.1x authentication..
  Has anyone experienced these problems in the past on there Cisco Aps and successfully managed to resolve it.. ?
  Any ideas would be appreciated..
  Many thanks.
  Jon.

  Ran across this old post while researching this same issue. For us, the problem appears to be with the Mac's trying to request an IPv6 address if set to Automatically or Link-local only for Configure IPv6 under the TCP/IP tab. When we changed this to Manually and set a manual link local address, the problem went away and could reconnect after roaming between APs or coming out of sleep/standby.
  Enjoy,
  Wayne 
  UPDATE 1: This 'fix' did not solve the issue. After a day, we're still seeing the problem. 
  UPDATE 2: Found the solution to my problem. It was the cert chain of trust and CRL lookup. The link below describes the problem, but basically the Mac's were unable to check the certs and causing a time out. No network = no CRL lookup = no network......
  http://support.apple.com/kb/TS5258?viewlocale=en_US&locale=en_US

• 802.1X Authentication + PKI encryption

  Hi Guys,
  I want to know if there is a relationship between 802.1x authentication and cisco PKI encryption.
  We are facing some problems with many IP Phones that were using 802.1x without problems. Once we we installed PKI encryption on ip phones , many of them began to fail : the ip phone shows phone not registered and on the status messages we can see authentication fail. I have to restart security settings on ip phones or disabling 802.1x on the switches to get phones registering again
  I am using CUCM 8.5 with 6961 phones
  Regards

  We ran into the same situation from time to time. We implemented 802.1x authentication using the Cisco Secure Services Client (SSC) on the windows hosts.
  At the beginning we were completly unable to logon on the maschines where no locally stored windows profile exists. After change to timeout to authenticate at the network in the SSC options we are able to logon to the network and also be authenticated by the domain controller.
  Sadly this works out often as a timing issue. Most times the user needs to try a couple of times. At the moment, I'm also very interessted in a good way to avoid this (as it seems to be) racecondition.
  Hope that someone else has any clue?

• 802.1x authentication client sends username as PC-NAME\USERNAME

  Hi Team,
  I've enabled 802.1x authentication in windows 7 desktop whose PC name is INDIA-ACP with users "radius" as administrator.
  When I connect my LAN cable to my authenticator device, the user "radius" is sending his credentials along with pc-name instead just only the username.
  Example, in the packet capture i've observed the response identity pkt user credentials appeared as "INDIA-ACP\radius" instead just the "radius" as the identity user.
  Please help me in re-solving this issue.
  Regards,
  Anurag

  Hi Anurag,
  According to your description, the user name changed from radius to INDIA-ACP\radius. Due to the packet was send from the Windows 7 PC to the authenticator device, it seems that the problem is in Windows 7 PC. Have we used INDIA-ACP\radius as the username
  and chose “Remember my credentials” before? When we choose “Remember my credentials”, the credentials would be saved and managed by Credentials Manager in Windows 7. Windows credentials management is the process by which the operating system receives the credentials
  from the service or user and secures that information for future presentation to the authenticating target. Maybe the credentials was saved by the Credentials Manager, when we connect the authenticator device, the Credentials Manager send the saved credentials
  to the authenticator device. To verify if the credential was saved in the Credentials Manager, please open Credentials Manager in the control panel.
  Best Regards,
  Tina

• 802.1X Authentication with InTouch

  Dear Community,
  does anybody know if/when it's possible to use 802.1X authentication with the TelePresence InTouch 10?
  It perfectly works on the C/SX codecs and as long as the Panels are connected directly to the Codec, there is no issue. But on some codecs, direct pairing is not possible and therefore I would need 802.1X authentication from the panels itself.
  Thanks in advance!
  Best regards
  Alex

  Hello!
  We've just launched an Ask the Expert event on 802.1x
  https://supportforums.cisco.com/discussion/12463991/ask-expert-8021x-configuring-and-troubleshooting-javier-henderson
  Perhaps post your question with Javier as well!
  Thank you!

• Dot1X guest vlan authentication issue..Real Challenge!!

  Hi Guys!
  I would really appreciate if some one could help me find lead on this issue...
  My coporate and Quarantine users dosn't get correct VLAN as soon as i enable Guest VLAN feature..all of them go to guest VLAN...
  Scenario 1
  interface GigabitEthernet3/0/42
  switchport mode access
  authentication port-control auto
  dot1x pae authenticator
  dot1x timeout quiet-period 5
  dot1x timeout tx-period 5
  spanning-tree portfast
  Test Workstation behavior
  802.1X (Corporate) = VLAN 1
  802.1X (Quarantine)= VLAN 20
  Non-802.1X (Guest) = UnAouthorized
  Conclusion
  802.1x authentication is working without the guest VLAN feature
  Scenario 2
  interface GigabitEthernet3/0/42
  switchport mode access
  authentication event no-response action authorize vlan 30
  authentication port-control auto
  dot1x pae authenticator
  dot1x timeout quiet-period 5
  dot1x timeout tx-period 5
  spanning-tree portfast
  Test Workstation behavior
  802.1X (Corporate) = VLAN 30 GuestVlan
  802.1X (Quarantine)= VLAN 30 GuestVlan
  Non-802.1X = VLAN 30 GuestVlan
  Conclusion
  802.1X doesn't work after enabling Guest VLAN feature (no-response)
  Some important notes...
  1) IOS version = c3750-ipbase-mz.122-50.SE.bin the only IOS which supports 10gig modules...
  so i can not test with any other IOS
  2) We had older 3750 100Mpbs switches with same config (we copied the config from old switch to new Switch) and the only command which got change automatically due to IOS change is....
  dot1x guest-vlan 30 (Old IOS syntax) = authentication event no-response action authorize vlan 30 (New IOS syntax)
  so even if you put old command syntax it will get change to new one...
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750e_3560e/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1176660
  Guys please help me.........

  Just to update you here.......after running some debugs on Swicth i found that....(Scenario-2)
  When we connect 8021X enabled PCs (Coporate users) and Boot them...they initially behave like Non-8021X client while booting and during that time switch puts them in guest vlan but when workstation comes to a state (login prompt)where they start communicating like 8021X client.....switch just fails to put them in appropriate VLANs.. may be due to some time out issues.........I feel like i am very close to get the solution but just wondering which timers need to change or may be i am wrong if there is something else need to be put in...........any way i just shared my things with you....
  Same Workstations are working fine with old swicthes without any problem...it is windows XP SP3

• Migration to 802.1x authentication

  Hi all,
  I have a very large wired-only Ethernet network which I would like to migrate to 802.1x for stronger authentication of end users. The problem I have is that there are long chains of legacy switches which do not support 802.1x (the topology of the network is a complete tree of switches). As far as I know, 802.1x is port based.
  So here is the issue:
  - the replacement of all switches will take a very long time, but I would like to have all end users authenticated asap
  - switches supporting .1x will initially only be located at the roots of the tree. There will still be legacy switches not supporting .1x between end users and newer switches.
  - authentication of users on a port of a new switch will be shared between several end users.
  Do you know if it possible to enable authentication of all users but having only enabled 802.1x in some more central locations first?
  Cheers,

  IEEE 802.1x Authentication
  These are the IEEE 802.1x authentication configuration guidelines:
  ?When IEEE 802.1x authentication is enabled, ports are authenticated before any other Layer 2 or Layer 3 features are enabled.
  ?If you try to change the mode of an IEEE 802.1x-enabled port (for example, from access to trunk), an error message appears, and the port mode is not changed.
  ?If the VLAN to which an IEEE 802.1x-enabled port is assigned changes, this change is transparent and does not affect the switch. For example, this change occurs if a port is assigned to a RADIUS server-assigned VLAN and is then assigned to a different VLAN after re-authentication.
  If the VLAN to which an IEEE 802.1x port is assigned to shut down, disabled, or removed, the port becomes unauthorized. For example, the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed.
  Try these links:
  http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1025090
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml

• OS X keeps asking for System keychain password in order to do 802.1X authentication

  In order to join a corporate WLAN that uses WPA2 with 802.1X / EAP-TLS, I added the company's root certificate to the System keychain and set the trust level to always trust this certificate. I then added the client certificate that was issued for my computer. I set the trust level to always trust this certificate as well. Finally, I added the WLAN network, choosing Security: WPA2 Enterprise, Mode: EAP-TLS, Identity: the newly added client certificate, and username: the domain name of my computer. This setup works - I can connect to the WLAN network.
  My problem is that the system always asks me for the System keychain password before the WLAN connection can be established. This seems to be during the 802.1X authentication phase. What do I need to change so that this is not required? Or how can I at least find out which System keychain item it is that cannot be accessed without the password?
  Im using a MacBook Pro with OS X 10.10.1, but I also had the problem back on 10.9.
  If I remember correctly it started whenI received a new client certificate in the summer. But I am not able to say what I might have done differently with the old certificate so that the password was not required back then.

  i'm having the same problem at home. i had problems with my keychain before, because i deleted the system keychain. i recently learned how to replace it, which worked. however, my computer is not remembering the password to my home wireless connection. even when i put the computer to sleep and wake it, it becomes disconnected and never automatically re-connects. i have to again select my network and then re-enter the password, every time. how do i fix this ?
  +