Search the Site

 

Top
Blog

My Social
Services
Meta
Powered by Squarespace

Entries in Cisco (4)

Tuesday
Mar012011

Cisco Secure ACS 5.x and Apple OSX Directory (LDAP)

DateTuesday, March 1, 2011 at 13:50

For testing and development purposes I run a Cisco Secure ACS 5.x in a virtual machine at home. In this environment I also run an Apple Directory Service. I'll be using this setup to test several 802.1x and RADIUS authentication schemes.

To get things going I needed to connect to the ACS to my LDAP Directory. The Apple Directory Service is a bit different from the regular LDAP implementations. They seem to add the 'apple' reference in a lot of attribute values. Thankfully the ACS has a very versatile configuration interface.

Apple references in attribute valuesNormally, the group definition would be 'group' instead of 'apple-group'. So the configuration of the ACS should reflect these variations to the standard.

Click to read more ...

AuthorWillem | Comment4 Comments |
tagged , , , in , , ,
Saturday
Jan292011

Weird 802.1x EAP-TLS Behavior with Windows XP SP3

DateSaturday, January 29, 2011 at 13:29

I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environment I get the strangest behavior in regards to the authentication process.

In this particular case I use a Microsoft 2008 Active Directory. Mandatory for distributing the wired network adapter settings in regards to 802.1x. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.

During the authentication process of the XP SP3 PC's I saw that the first authentication attempt was made with the PEAP mechanism. Since PEAP isn't allowed, the authentication mechanism failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence. This time using EAP-TLS, and the PC got access to the network.

Click to read more ...

AuthorWillem | Comment1 Comment |
tagged , , , , , , , in , ,
Thursday
Jan202011

802.1x: Machine Access Restriction 'Vulnerability'

DateThursday, January 20, 2011 at 21:45

Today we ran into a feature of the Machine Authentication Restrictions (MAR) option in the Cisco Secure ACS Radius server. It seems that when you're using the ACS for 802.1x authentication, you have the option of demanding that the authenticating users can only be authenticated when the computer is already authenticated. This way, you make sure that no user can access the network without a legitimate PC.

Click to read more ...

AuthorWillem | CommentPost a Comment |
tagged , , , , , , , in , ,
Tuesday
May202008

CiscoVPN Error 51 Annoyance

DateTuesday, May 20, 2008 at 14:28

The CiscoVPN client (v4.9.01.0100) for Apple OSX throws an error every once in a while. Mainly when I just rebooted, or when I was forced to quit some hanging application (which also occurs on Macs). The error is:

Error 51: Unable to communicate with the VPN subsystem

Somehow, the VPN software looses contact with the network adapter (wired AND wireless). After this there are two things you can do;

  1. Reboot
  2. or restart the Cisco VPN Service manually.

The first is kinda obvious (it's almost a MS Windows strategy :)). The second one is done via the Terminal (Finder -> Applications -> Utilities -> Terminal). Just type the following command (followed by your password);

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

The thing I don't understand is; Why hasn't Cisco incorporated this in the VPN client?

IF (Error 51 == TRUE)
DO CiscoVPN.restart

It seems that this 'bug' is present since the release of the Mac OSX version of the software.

AuthorWillem | CommentPost a Comment |
tagged , , in , , , ,