cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2174
Views
0
Helpful
8
Replies

ACS for 802.1x Authentication using RSA Tokens and Microsoft PEAP

magurwara
Level 1
Level 1

Has anyone been able to configure 802.1x authentication on Windows XP machines using RSA tokens using Cisco ACS as the RADIUS server?

I have come up with bunch of incompatibilities between the offered support e.g.

1. Microsoft PEAP does not support anything but smartcard/certificate or MSCHAP2.

2. Cisco support PEAP and inside it MSCHAP2 or EAP-GTC

We tried using RSA provided EAP client both the EAP security and EAP-OTP options within Microsoft PEAP but ACS rejects that as "EAP type not configured"

I know it works with third party EAP software like Juniper Odyssey client and the Cisco Aegis Client but we need to make it work with the native Windows XP EAP client.

8 Replies 8

darpotter
Level 5
Level 5

Hi

Microsoft PEAP is hard coded to use only MSCHAP hashes. SO nothing else will work with it.

If you want to do RSA you have to use EAP-GTC inside either Cisco PEAP or EAP-FAST... and of course then you need the supplicant as well.

Darran

jeroencraens
Level 1
Level 1

Hi,

We have tried to do the exact same setup as you and we also failed.

When we tried to authenticate the user with PEAP-MSCHAPv2 (WinXP native) ACS gives "external DB password invalid", and does not even try (!) to send the login to the RSA server. No traffic is seen between RSA and ACS.

MS-PEAP relies on hashing the password with MS-CHAPv2 encoding. This is not reversible. RSA, on the other hand, does not require hashing of the password due to the one time nature of it. So they (RSA) don't.

When we authenticate using e.g. a 3rd party Dell-client, we can successfully authenticate using either PEAP-GTC (Cisco peap), EAP-FAST and EAP-FAST-GTC.

A list with EAP protocols supported by the RSA is in attach.

Also below is the link which says the MS-PEAP is NOT supported with the RSA, please check the

table "EAP Authentication Protocol and User Database Compatibility "

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/o.htm#wp792699

What we are trying to do now in the project is leaving the AP authentication open and try to authenticate it using RADIUS through a firewall or Cisco router authentication proxy.

Thanks.

I wish we could have a consensus on what protocols to use for 802.1x as it will really help implementing this very much needed security solution.

I would be interested to know how you are doing with firewall/Router authentication proxy for wireless access.

What we are trying to do now is that the AP authentication is open, no WEP/WPA key. User must authenticate first with a SecurID token on the router's web page, access is restricted using access lists.

A router is set up as authentication proxy / firewall which sends the request to the RSA + RSA RADIUS server (or the ACS as RADIUS if you wish so), see for a config:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a00800942fd.shtml

(don't forget to add the router as an agent host on the RSA server)

But for the moment this is also failing. We get an "Authentication Failed !" on the client's popup window.

The RSA log monitor shows a successful login, and the cisco router/FW debugging doesn't show error messages and all seems to be ok, the last line we get is "Post authorization status = PASS_ADD" and that's about it, not a single error message, but still authentication fails.

Hi,

We have managed to get the setup working as mentioned with the authentication proxy (see link in previous message).

As the access is controlled with ACL's, you we were also required to config the ACS to push an updated ACL to the router/FW once the user is authenticated, so you can indicate which traffic is allowed and which isn't.

Hopefully this setup can also be used in your scenario so you have at least a way to authenticate guest users without the need to install anything on client side.

I have Cisco 3550 Layer 3 switches and I was wondering if this switch can work as an authentication proxy like the router in your case. It seems to support the auth-proxy commands like in the document you referenced but despite trying several configurations the switch does not intercept any traffic or prompt for user name and password.

There is little in the switch configuration guide for my IOS 12.2.(25)SEE regarding this feature so I have to rely on the referenced document as well as other docs but they all reference this configuration either on a router or Firewall. I wonder if Firewall IOS is required to enable this feature?

In a LAN environment if I need to enable this for a certain VLAN (guest vlan) I will have to do it on the Cisco 6509 core switch?

Afaik Firewall IOS is not needed.

We also tried it with a L3 switch and we didn't succeed.

The L3 switch was installed as DHCP server, we applied the access-list and auth proxy on the guest VLAN interface but it didn't work out: clients could not get an IP via DHCP, and we neither saw the loginscreen.

The router/firewall is now connected to the L3 switch on two ports, with different subnets. So now we route all guest VLAN traffic from the L3 switch to the router, then route back the "access-list processed" traffic to the L3-switch (in an other subnet), then traffic is sent where it needs to be.

So to make things easier you can maybe try first with a separate router (fw) and apply the access-list on the physical incoming interface and see if all goes ok.

(doublepost to be deleted)