Blog - Everything within Reason

Entries in ACS (3)

Tuesday

Mar012011

Cisco Secure ACS 5.x and Apple OSX Directory (LDAP)

Tuesday, March 1, 2011 at 13:50

For testing and development purposes I run a Cisco Secure ACS 5.x in a virtual machine at home. In this environment I also run an Apple Directory Service. I'll be using this setup to test several 802.1x and RADIUS authentication schemes.

To get things going I needed to connect to the ACS to my LDAP Directory. The Apple Directory Service is a bit different from the regular LDAP implementations. They seem to add the 'apple' reference in a lot of attribute values. Thankfully the ACS has a very versatile configuration interface.

Apple references in attribute valuesNormally, the group definition would be 'group' instead of 'apple-group'. So the configuration of the ACS should reflect these variations to the standard.

Click to read more ...

Willem |

4 Comments |

tagged

ACS,

Cisco,

Directory Service,

LDAP in

Apple,

Security,

Software,

Tips'n Tricks

Saturday

Jan292011

Weird 802.1x EAP-TLS Behavior with Windows XP SP3

Saturday, January 29, 2011 at 13:29

I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environment I get the strangest behavior in regards to the authentication process.

In this particular case I use a Microsoft 2008 Active Directory. Mandatory for distributing the wired network adapter settings in regards to 802.1x. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.

During the authentication process of the XP SP3 PC's I saw that the first authentication attempt was made with the PEAP mechanism. Since PEAP isn't allowed, the authentication mechanism failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence. This time using EAP-TLS, and the PC got access to the network.

Click to read more ...

Willem |

1 Comment |

tagged

802.1x,

ACS,

Cisco,

Microsoft,

RADIUS,

XP,

dot1x,

service pack 3 in

Annoying,

Operating Systems,

Security

Thursday

Jan202011

802.1x: Machine Access Restriction 'Vulnerability'

Thursday, January 20, 2011 at 21:45

Today we ran into a feature of the Machine Authentication Restrictions (MAR) option in the Cisco Secure ACS Radius server. It seems that when you're using the ACS for 802.1x authentication, you have the option of demanding that the authenticating users can only be authenticated when the computer is already authenticated. This way, you make sure that no user can access the network without a legitimate PC.

Click to read more ...

Willem |