Re: 802.1x Authentication
- From: "nedasima" <nedasima@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 9 Aug 2005 08:46:34 -0700
I have some questions:
When I select "Smart Card or other Certificate" and click the "Configure"
button, the message "A Certificate could not be found that can be used
with this EAP" appears, so I think the IAS server does not have a certificate. How can I
get one? If I use a certificate, is it only for the supplicant and the IAS? What
happens with the switch?
If I cannot use MD5 because the w2k/xp supplicant does not support it, nor
PEAP and Smart Card or other Certificate because the IAS server does not have a
certificate, what EAP type must I select when I check "Using 802.1x" on the
supplicant (in the "Authentication" tab of "LAN Properties"), because when I
check it I have only three options: PEAP, MD5 and Other Certificate? How do I
configure MS-CHAPv2 on both the supplicant and the IAS? If the switch uses EAPOL,
is it correct not to use EAP on IAS?
Users are domain users.
I tested the format domain\user with the same result.
Thanks for your help.
Regards.
--
nedasima
"Wei Zheng [MSFT]" wrote:
> But on IAS server, you can configure it to use MD5. However, I don't think
> Microsoft 802.1x supplicant supports MD5, I would feel weird if you can use
> MD5, although MD5 is available for VPN client.
>
> So this means if you are using 802.1x, you can't use MD5.
>
> Your IAS server must have a certificate. To see whether you have one, please
> do the following: (assume you configure IAS to use EapTls for now)
>
> ias.msc --> double click "Remote Access Policies" on the left pane -->
> double click the policy that you want to configure in the right pane -->
> "Edit Profile" button --> "Authentication" tab --> "EAP methods"
> button -->select "Smart Card or other certificate" --> "Edit" button, you
> should see "Certificate issued to" text box, and your computer name should
> be in that text box.
>
> Without a certificate issued to your server, you can't do EapTls or PEAP.
> However, you will be able to use MSCHAP v2.
>
> Switch will send the identity request packet to 802.1x client, which will
> bring up the UI if needed (and if you choose to use EAP method, it is the
> EapMethod that decides whether to bring up the UI; however, it will still be the
> 802.1x client that brings up the UI).
>
> What is the user you are trying to authenticate? A domain user? Or a local
> user on the IAS server? Try using such format:
> xxxxx\yyyy, where xxxx is the domain or computer name (for local user), and
> yyyy is the user name.
>
> However, if you are really using "MD5", something is wrong. Microsoft 802.1x
> doesn't support MD5.
>
> Let me know if you need more help.
>
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm.
>
> Please do not send e-mail directly to this alias.
> This alias is for newsgroup purposes only.
> ====================================
> "nedasima" <nedasima@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:02EDF550-C78A-48A1-A9CE-34C366F050D8@xxxxxxxxxxxxxxxx
> > Another thing: When on the supplicant (w2k) and on IAS I selected EAP with
> > MD5-Challenge, I was prompted for my username and password, but I did not
> > connect, and the IAS log said "username unknown or password unknown".
> >
> > Who prompts me: switch, IAS or the 802.1x client on the supplicant?
> >
> > Regards.
> > --
> > nedasima
> >
> >
> > "Wei Zheng [MSFT]" wrote:
> >
> >> Hi,
> >> First, let me answer a question you asked in your first post: EAPOL can use
> >> PEAP for authentication. They are different things.
> >>
> >> Second, to answer your question in your last post, is your IAS server
> >> provisioned with certificate?
> >>
> >> Thx.
> >>
> >> --
> >> This posting is provided "AS IS" with no warranties, and confers no rights.
> >> Use of included script samples are subject to the terms specified at
> >> http://www.microsoft.com/info/cpyright.htm.
> >>
> >> Please do not send e-mail directly to this alias.
> >> This alias is for newsgroup purposes only.
> >> ====================================
> >> "nedasima" <nedasima@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:82C37BFD-5F27-4498-AE5C-A9C823A3B558@xxxxxxxxxxxxxxxx
> >> > Shared secret key is the same on both the switch and IAS; I typed it again,
> >> > but now the error message is: "Could not retrieve the Remote Access Server's
> >> > certificate to the following error: Cannot find object or property". On the
> >> > supplicant xpsp2 I use PEAP and on IAS I have checked EAP with PEAP and
> >> > MS-CHAP, MS-CHAPv2, CHAP and PAP-SPAP.
> >> >
> >> > Regards.
> >> >
> >> > --
> >> > nedasima
> >> >
> >> >
> >> > "Thomas K" wrote:
> >> >
> >> >> Hey,
> >> >>
> >> >> Double check the radius shared secret key on both the switch & IAS.
> >> >>
> >> >> Cheers,
> >> >>
> >> >> /T
> >> >>
> >> >> "nedasima" <nedasima@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:CA0D003B-1E4D-4405-AADC-AE23DC96956C@xxxxxxxxxxxxxxxx
> >> >> > Hi. I'm trying to set up 802.1x authentication. I have a Cisco Catalyst
> >> >> > 2950 series switch and I'm using IAS on Windows 2000 Server, but the
> >> >> > supplicant (XPSP2) cannot access the network, although the switch prompts
> >> >> > me for username and password. The log in IAS indicates "signature attribute
> >> >> > is not valid". I have a doubt: Is EAPOL (EAP over LAN) equal to PEAP, or
> >> >> > are they compatible? Because the Cisco documentation says this switch uses
> >> >> > EAPOL, and in the IAS of w2k only PEAP, MD5-Challenge and Smart Card and
> >> >> > other Certificate are available. Can anyone help me, please?
> >> >> >
> >> >> > Thanks and regards.
> >> >> > --
> >> >> > nedasima
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
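
Added example (not part of the thread): the "signature attribute" that IAS reports as invalid in the first post is the RADIUS Message-Authenticator (attribute 80), an HMAC-MD5 over the whole packet keyed with the shared secret, which is why re-checking the secret on the switch and on IAS was the first suggestion. The sketch below builds a constructed Access-Request and verifies it the way a RADIUS server would; the secrets, user name and packet contents are made up for illustration.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute; HMAC-MD5 keyed with the shared secret

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, user):
    """Constructed sample: Access-Request as a switch would relay an EAP identity."""
    eap = struct.pack("!BBHB", 2, 1, 5 + len(user), 1) + user  # EAP-Response/Identity
    attrs = attr(1, user) + attr(79, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    packet = bytearray(struct.pack("!BBH", 1, 7, 20 + len(attrs)) + os.urandom(16) + attrs)
    # Sign with the attribute value zeroed, then write the MAC into the last 16 bytes.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet, secret):
    """True/False for a present attribute, None if the packet carries none."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    buf, pos, received = bytearray(packet[:length]), 20, None
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = buf[pos], buf[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 16 bytes")
            received = bytes(buf[pos + 2:pos + 18])
            buf[pos + 2:pos + 18] = bytes(16)  # zero it before recomputing
        pos += attr_len
    if received is None:
        return None
    expected = hmac.new(secret, bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    pkt = build_access_request(b"secret-on-switch", b"EXAMPLE\\user")
    print(verify_message_authenticator(pkt, b"secret-on-switch"))
    print(verify_message_authenticator(pkt, b"secret-on-ias"))
```

A secret that differs by even one character between the two ends fails this check for every request, before any user credentials are evaluated.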