Cisco AAA/Identity/Nac :: Testing Windows 8 Consumer Preview With ACS 5.2 PEAP Auth
Apr 29, 2012
We are deploying ACS 5.2 to replace our ACS 4.2 in production. I have two wireless networks setup as WPA2-Enterprise. One points at the ACS 4.2 and the other at the ACS 5.2. Both use the same SSL certificate with the same CN. Both authenticate Windows 7 clients. However, Windows 8 CP will only authenticate to the ACS 4.2 and not to ACS 5.2. The error it gives is:
11051 Radius packet contains invalid state attribute
It also shows no authentication method (most of the time).
Occasionally, I get a request that actually shows an authentication method of PEAP (EAP-MSCHAPv2) which is what it should be. On those requests, I get error:
24444 Active Directory operation has failed because of an unspecified error in the ACS.
Both ACs 4.2 and ACS 5.2 are pointed at the same Windows AD source.
View 3 Replies
ADVERTISEMENT
Sep 25, 2011
I am trying to setup PEAP authentication for wireless users but I got stuck at place where I have single ssid and users are store in different identity stores like some will be using their active directory and some are locally created users on ACS. I created separate service for wireless authentication and under that I am unable to create rule to differentiate them with identity stores. any idea how to achieve this.
I tried creating identity selection based on role but it does not work as for protocol like radius.peap,ms-chap ACS does not look for another identity store once user not find in an identity stores.
View 1 Replies
View Related
Apr 23, 2013
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
View 8 Replies
View Related
Apr 3, 2012
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
View 5 Replies
View Related
Sep 11, 2011
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
View 3 Replies
View Related
Jun 24, 2012
In ACS 5.3 radius authentication report I want to show the called-station-id attribute. (this was appearning on failed and passed auth in ACS 4.2). The value of called-station-id appears in the details. However, I want it to appear as a column with the report.
View 2 Replies
View Related
Aug 19, 2012
Cisco 5508 wireless controllerCisco ACS 5.1LDAP connection I have setup the wireless controller to do RADUIS authentication with the ACS 5.1 using LDAP. The setup is currently working, Brief info below on setup.
I setup the PC client to use WPA2-Enterprise AES and authentication method CISCO PEAP. When I connect to the SSID this will prompt for a username and password. I will enter in my AD details and the ACS with the LDAP connection will authenicate and on the network I go.
Now I want to add machine authentication with CERTIFICATES, each laptop and pc in our network has CA certificates installed.
way that I can add these certificates into the ACS 5.1 so I pretty much want to import them into the ACS. Once they are imported inside I want the ACS to check that the certificates are on the PC and then prompt for the AD username and password, and only once it meets these two conditions it allows the workstation onto the network.So it will be a two form authentication one with certificates and the other ldap.
View 18 Replies
View Related
Jun 11, 2012
I'm having trouble getting things working on a pair of ASA5510's using Cisco Secure ACS v5.1. We were previously using a much older version of ACS to these (and a lot of other) devices which worked OK for remote access for read/write use. Am in the process of migrating to the new ACS software and have got it working OK to everything (many Cisco switches and other IOS devices) except these ASA5510s.
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think its something to do with how I have the ACS user profile set up. I have configured the ACS5.1 device administration Shell Profile to have the maximum privilege level (15) and the command set I'm using has the box checked 'permit any command that is not in the table below'.
View 7 Replies
View Related
Feb 25, 2010
I have a Cisco WLC talking to a ACS 4400 version 5.1 which in turn talks to Active Directory.Ive been trying to get 802.1x for wireless clients going, I have a cert on the ACS from verisign on the box but when users try to sign in they get 12309 PEAP handshake failed in the ACS RADIUS log.The cert was exported and placed directly on the testing laptop and at one point it all worked. I stepped away from it for 2 weeks to get a new internal CA built on a windows box, now coming back to it with the intent of issuing new certs to the ACS from the internal CA and thought I would check it to make sure all was good, but its not.Google doesn’t return happy results for “12309 PEAP handshake failed”, I opened a TAC case on it and they took my cert to their lab. Haven’t heard back.
View 6 Replies
View Related
May 15, 2011
Im trying to configure a 7204 for radius login authentication, although the router is also configured with radius for VPN access. How can I configure it for both using 2 different raidus servers? the login via radius is working fine on another router, although that one is not doing VPN access so there's no conflict.
My config:
aaa group server radius RADIUS_AUTH server x.x.3.11 auth-port 1645 acct-port 1646
aaa authentication login networkaccess group radius local
[Code]....
For some reason, this does not work. I cannot access the router and authenticate via x.x.3.11 radius server. I think there's a conflict between the VPN and the login authentication but im unsure how to resolve this.
View 3 Replies
View Related
Apr 30, 2013
I am looking for the way how to disagle logging of one user. We are using one testing user for checking accesibility of ACS from large number of switches - this checking exhausting logs quite quickly. Is it possible to disable logging of such user?
View 2 Replies
View Related
Oct 20, 2012
We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server. We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations. I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....
I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert). I would also like to know if they used Microsoft’s CA server or Open SSL CA server or a third party CA server (Go Daddy, VeriSign etc.)Can you we ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?
View 8 Replies
View Related
Apr 15, 2012
I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3.The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only support one auth-mechanism per port!).The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:
Logged At:
April 16,2012 1:20:48.080 PM
RADIUS Status:
Authentication failed : 22056 Subject not found in the applicable identity store(s). NAS Failure:
Username:
002655886b3d MAC/IP Address:
00-26-55-88-6b-3d Network Device:
[code].....
The ACS is configured to use the Internal Hosts database, where the client computer is configured like this;MAC-address: 00-26-55-88-6B-3D
View 1 Replies
View Related
Oct 31, 2010
I replaced an ACS certificate that had been installed as follows:
1. Generate CSR file and private key file, then send CSR to GeoTrust (Key length: 2048 and Digest to sign with SHA1)
2. GeoTrust send me a certificate. Issued by "GeoTrust SSL CA".
3. Install the certificate on the ACS. Restart ACS service.
4. ACS Certification authority setup. Issued by "VeriSign Class 2 Public Primary Certification Authority - G3"
5. Edit certificate trust list and select "VeriSign Class 2 Public Primary Certification Authority - G3" as trusted.
6. Enable EAP-TLS, then restarted the ACS service. The problem is when i try to enable EAP i get the error msg:Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page.I searched on cisco and it said to disable the CSA, but in fact there is no CSA installed on this server.
OS: Win 2003 sp2Cisco ACS: Release 4.2(0) Build 124
View 4 Replies
View Related
Sep 28, 2011
Running ACS 5.1 appliance, and am seeing slow repsonse on TACACS authentications due to the ACS trying to reach overseas AD servers and failing. Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication? As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS. In my case, this would include the AD servers overseas that we do not want to use.
View 1 Replies
View Related
Apr 18, 2011
I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication
1) Server Certificate
2) CA certificate
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.
View 10 Replies
View Related
Mar 14, 2013
I'm currently having issues testing OCSP servers for certificate validation on ACS 5.4. Server team claims everything is fine on their side, but all attempts result in the following error:12562 OCSP server response is invalid
I've already tried to disable NONCE extension support and signature validation, which hasn't really had any effect. How to debug OCSP processing or look into the problem more precisely another way?
View 7 Replies
View Related
Jun 11, 2012
configure PEAP for wireless with Windows 2008. The doc we have only mentions Windows 2003. When we follw that document we get a faulure when we try to bind the certificate to we have generated to ACS 5.0 .
View 1 Replies
View Related
Feb 7, 2013
I am trying to configure a 1242 or 3502 WGB with PEAP. There is not ACS server involved as Windows RADIUS is used. I can get the WGB to work with OPEN Authentication but when I attempt to add in the authentication/security piece I get "no association." Below is my current config. The WLAN is set to use WPA/WPA2 802.1x + CCKM.
Current configuration : 1812 bytes
!
! Last configuration change at 00:56:39 CST Tue Mar 2 1993
version 15.2
[Code].....
View 1 Replies
View Related
Oct 12, 2011
I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.I found this link on Cisco's site: [URL]That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q
EZVPN_Remote(config-if)#dot1
[code]....
View 1 Replies
View Related
Jan 16, 2013
To enable the taskbar preview I have been told to open taskbar properties and I would find what to click to enable taskbar preview when I hover the mouse over icon.I have tried and cannot find the answer. During chat session w/ McAfee, CSR could not do it either.
View 2 Replies
View Related
Mar 10, 2012
E3200 firmware 1.0.03 build 9. HP 1012 attached to USB port of the router. On a PC with Win7, Print Preview hangs in all applications. Print... also hangs in all applications. Reboot, re-installation of print driver, change default printer do not fix.
View 2 Replies
View Related
Oct 4, 2012
Is there an easy way to detect NAT devices - specifically home wireless routers like those from NetGear or D-Link or Linksys - on my network? I've shut down the ones that are easy to find by looking at the hostnames on the DHCP server, walking around with my phone and capturing the MAC address of the AP then finding a matching MAC address one number higher or lower. But there are still more out there evading me and I need to shut them down.I've read about a method using SFlow/Netflow, but my old Cisco 3750 and 2950 switches don't support that. I've read about a plugin for a Linux based firewall, but I use a Cisco ASA.
View 10 Replies
View Related
Dec 24, 2011
So, using a standard off the shelf UNMANAGED gigabit switch (just a cheapie), I have a scenario that I need to know about before I go and buy a whole lot of equipment.Ok so let's start off and say it's a perfect world and the workstations connect at a full 100 Mb/s and the server connects at 1000 Mb/s.So I'm looking at having say, four or five workstations connected to the gigabit switch (at 100Mb/s) and also a gigabit connection from the switch to the server. In this scenario, taking into account everything I've said above, would each of the workstations get a full 100 Mb/s to the server, or would everything be limited to 100 Mb/s total? I could see potential for the server to only talk to one of the workstations at a time and only at 100 Mb/s, but hopefully all four could communicate to the server simultaneously.
View 3 Replies
View Related
Jan 18, 2011
I think it was three or so years ago that I first went shopping for a top-notch gigabit wireless router/switch for home. I wanted VPN tunneling or at least pass-through, gigabit switching on the 4 ports, wireless n (preferably dual band) and the works. I wanted it to be fast (using a high speed business- class connection at home serving content back to my office at work) and I wanted it to be reliable.
So, I got what seemed to be the cream of the crop at the time, a Linksys WRVS4400N. If you know anything about this model, you know what a disaster it turned out to be - garbage firmware, constant reboots, terrible support, none of the features worked.
I fiddled with it for over a year, including one warranty replacement, before giving up, throwing it in the trash (literally) and thinking, maybe I'll try a "gamer" unit... so I got a Dlink 4500 with the crappy OLED display. It was faster. Most of the advertised features work. But, it wasn't reliable - lots of software bugs, each new firmware would break something new, terrible support, and almost daily power cycling because it would freeze.
That's because the Netgear WNDR3700 had shown up and was going to be the cat's meow. It was fast, seemed to run cool versus the previous two, had a reasonably fast UI and was bonafide dual band. Looked great. But as before... I made the mistake of putting it on autopilot with firmware updates, and the factory firmware was replaced by a series of increasingly unstable builds. Now, several of the features I bought it for don't work, the 5GHz band is dying, support is terrible, recent FW seems to have broken VPN passthrough and yet again I go online and see a five star router now turning into a 2.5 star clunker.
Are gigabit consumer routers uniformly junk? They all launch with great expectations, then fall flat on their face within 12 months, their fall from grace bracketed by atrocious support on one side and terrible firmware developers on the other. I've tried three top models from three of the largest manufacturers over the last four years and have had the same experience each time. Meanwhile, I go back to my $40 WRT54G and it just works.
My question: if I'm looking for something fast, reliable and not prone to getting in my way, do I need to simply call it a day and go up a few rungs on the ladder? Maybe a Sonicwall TZ2xx unit? (I've installed these in field offices for years, they work great.) Or a used Cisco Aironet plus a switch? Photo printers occasionally aside, I've never had so many problems with "premium" consumer electronics products as I do with gigabit wireless routers....
View 3 Replies
View Related
May 7, 2011
I'm setting up a large rambler house with a large footprint, and the only broadband connections are at opposing points of the house. Right now, I'm using two Linksys WRT54GS routers running Tomato in a WDS setup. A router, positioned in the middle point of the house, acts as a wireless access point so that the computer on the far end of the house can pickup the wireless signal. (One WRT54GS on its own doesn't have the power to go all the way across the house.)
I would like simplify things with a single, hi-power, hi-speed router at one end of the house. I know I can get better speeds with Draft N routers, but I need more signal strength as well. Are there any products currently available that can perform much better than my WRT54GS routers right now?
I need to go about 125 feet, through a number of walls.
View 11 Replies
View Related
Apr 12, 2012
I see many errors in the ACS 5.1(or 5.3) :5411 EAP session timed out..Becasue I checked the "remember my username and password everytime login" in the wireless network properties, and I can succeed to login finally. but in the ACS will see many errors like ”5411 EAP session timed out“
(Cisco Controller) >debug client 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP-Request/Identity to mobile 58:1f:aa:8f:ea:44 (EAP Id 1)
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received Identity Response (count=1) from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 EAP State update from Connecting to Authenticating for mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Authenticating state
[code]....
View 2 Replies
View Related
Jul 24, 2011
I was able to successfully implement MS-PEAP authentication with 5508 WLAN controllers and Cisco ACS v4.2. However, when I integrated 4402 WLC with version code 7.0.116, it did not pass across any authentication requests. Did a debug aaa events enable and there was no output. Configured another SSSID with PSK to test that my controller was OK and aaa debug was working, and there were CLI messages when I associated an AP.
why the 4402 is not working as I have compared configs with the 5508 and there is no difference. The shared secret is configured on both ACS and Controller and CA is downloaded on the ACS.
View 5 Replies
View Related
Nov 12, 2012
I was pondering on getting a certificate fro ma public CA to maintain easier configuration for end users. There will be a multitude of devices on this wireless network configured with 802.1x PEAP. (iPhones, iPADs, Droids, and PC's of course).
If you were to get a certificate from a public CA, I'm assuming this would be just a regular server certificate from GoDaddy, or Verisgn?
View 2 Replies
View Related
Jan 23, 2012
I have 802.1x/peap authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy --->database configuration sub-menu. I discovered that I was still able to access the wireless network on my android phone with my domain logon. I later discovered that there is an option in Group policy to force Windows XP clients to perform computer authentication. Now the problem is that windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work. How to enforce machine authentication and stop unwanted devices without having to purchase a NAC server.
View 10 Replies
View Related
Jun 29, 2011
ACS 5.1 EAP-PEAP Machine Authentication,
I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.
My dilemma - Windows XP supplicant work fine and I can see the host/machine (Wireless device) authenticating followed by user credentials, but when I use the Intel Pro/set supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication?
Is this problem ACS related or down to the Intel supplicant.
View 3 Replies
View Related
Mar 18, 2013
I am running into an issue with disabling the web-auth secure web on an 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up...I could see the IE tab showed Web Auth Redirect though...Changed again the web-auth secure web to enable and rebooted the WLC fixed the issue.
View 4 Replies
View Related
Apr 2, 2013
A customer has RADIUS running on a Win Server 2008 R2 machine, has Autonomous 1140 APs and a mix of Windows 7 and XP Pro clients. Using PEAP as the authentication method the Win 7 clients can access the WLAN, but the Win XP clients cannot. The Win XP clients are at least SP2. I am doing some research before going to site on Friday and wanted to poll the community. I found an older post speaking to a MS Hotfix under KB#885453, but it referes to "third-party RADIUS servers," not MS servers URL.
View 14 Replies
View Related
