• RELEVANCY SCORE 3.71

    DB:3.71:Peap Xpsp1 Ap1200 Acs3.1 k7






    I can't get this combo working. Any assistance would be great.

    ACS 3.1 with certs installed and PEAP / EAP-TLS enabled.

    XP laptop with 350 PCMCIA card with newest firmware.

    User database is Active Directory (RADIUS works for IOS and PIX okay)

    AP1200 with 12.01T1 software.

    AP configured for Accept Auth Type = Shared and Network EAP

    Require EAP = Shared

    What am I missing. Wireless works when all security is removed.

    Thanks,

    Patrick

    DB:3.71:Peap Xpsp1 Ap1200 Acs3.1 k7


    Patrick,

    I am far from an expert on the ACS sorry.

    Couple of things to look at.

    Can you ping the access point from the ACS server using 1500 byte packets? Make sure you can consistently ping it.

    You do have the AP configured as a NAS in the ACS? The NAS type is right?

    If these don't lead you to anything, I think it is getting to the point where you would be best served by a TAC case. Please raise the case on the ACS server and include both of the debugs.

  • RELEVANCY SCORE 3.59

    DB:3.59:Peap, Eap-Tls Eap-Md5 kd






    Hi

    Just want to know is there any known problems or issues having PEAP, EAP-TLS EAP-MD5 enabled on ACS Radius servers for wireless authentication?

    DB:3.59:Peap, Eap-Tls Eap-Md5 kd


    Hello,

    There are no problems, except that you have to have a CA server for certificates for both ACS and the wireless users.

    Regards,

    Belal

  • RELEVANCY SCORE 3.46

    DB:3.46:Password Change Via Ise For Switch Login 7a






    HI,

    I am having difficulty in setting up the ISE to allow a password change when a user logs onto a switch/router when their password has expired. Users don't get prompted to change the password when logging onto the switch with AD credentials.

    I have checked the configurations on ISE, i.e. change password is enabled on the AD connection, and under the default allowed access, under inner PEAP, I have checked to allow password changes.

    I have attached some screenshots of successful authentication and unsuccessful authentication from the same switch, with the error message too.

    Do I need to put in any extra lines on the switch for RADIUS authentication/management config?

    Currently all that I am doing is to log in to the switch via RADIUS using AD credentials.

    The RADIUS config is:

    aaa new-model
    aaa authentication login LOGIN-AUTH group RADIUS-GROUP local
    aaa authorization exec default group RADIUS-GROUP local
    aaa authorization console
    aaa authentication enable default group RADIUS-GROUP enable
    aaa accounting exec default start-stop group RADIUS-GROUP

    aaa group server radius RADIUS-GROUP
    server X.X.X.X auth-port 1812 acct-port 1813
    server X.X.X.X auth-port 1812 acct-port 1813

    radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX
    radius-server host X.X.X.X auth-port 1812 acct-port 1813 key XXXXXXXXXX

    line vty 0 4
    exec-timeout 15 0
    logging synchronous
    login authentication LOGIN-AUTH
    transport input all
    transport output all

    DB:3.46:Password Change Via Ise For Switch Login 7a


    No you can not change the login algorithm to peap on routers or switches.


  • RELEVANCY SCORE 3.41

    DB:3.41:Wlse Peap 3k



    Can anyone help me find documentation about configuring PEAP using RADIUS inside the WLSE?

    Thanks

    DB:3.41:Wlse Peap 3k


    Hi Gianluca,

    Here are some docs that may help you get started;

    Using the AAA Server

    From this doc;

    http://www.cisco.com/en/US/products/sw/cscowork/ps3915/products_user_guide_chapter09186a008052dbfd.html

    Configuring Cisco-PEAP Settings

    http://www.cisco.com/en/US/products/sw/cscowork/ps3915/products_user_guide_chapter09186a008052dbfd.html#wp1562360

    Configuring AAA Certificates on WLSE

    http://www.cisco.com/en/US/products/ps6379/products_configuration_guide_chapter09186a00805ac0e9.html

    Hope this helps!

    Rob

    Please remember to rate helpful posts.......

  • RELEVANCY SCORE 3.39

    DB:3.39:Client Behavior Connecting With Ldap p3



    Hi,

    I am working with a customer who implemented LDAP with AOS6.1.2.4, using Radius was not an option, I have them using the PEAP-GTC plugin found on the Aruba Support page. Client is using XP and Windows 7. I had them setup the client exactly as stated in the Aruba PEAP-GTC User Guide.

    When they try to connect, they get splashed with a box that asks them to "Terminate" or "Connect". If Connect is chosen, it goes into a continual loop. If Terminate is selected, they get a "Connecting to (name of network)" and an Enter Credentials box pops up, and when they try to enter credentials, it fails. I have had the user test connectivity with their credentials from within the Aruba Controller using the Diagnostic tool for testing usernames and passwords against an external server.

    What is the correct process for a client using the Aruba PEAP-GTC plugin? Is there a way to save credentials so they don't have to enter them every time in Windows?

    Thanks.

    DB:3.39:Client Behavior Connecting With Ldap p3

    syurick wrote:

    So, must I have a certificate on the LDAP server to run LDAP-S? Or can I just change the preferred connection method to LDAP-S on the controller and the port number and it should be good to go?

    This is a small deployment with limited number of users 10-15 using the internal SSID so rolling out to the entire company is not an issue at this time.

    Yes, you must have a certificate on the LDAP server: http://support.microsoft.com/kb/321051




    Colin Joseph, Aruba Customer Engineering

  • RELEVANCY SCORE 3.27

    DB:3.27:Wpa2 Security With Eap-Tls User Cert Auth c8



    I am investigating the use of EAP-TLS for authenticating clients through an MS NPS RADIUS server for a WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key management. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD Certificate Services. PEAP is working fine if we choose that auth method in our NPS RADIUS network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth. The 802.1x settings specify "User Authentication" and a user cert for the logged-in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer.

    When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and radius requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.

    It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth, the cert auth worked the first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.

    Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

    DB:3.27:Wpa2 Security With Eap-Tls User Cert Auth c8


    Well Well

    The WLC, or any AAA client, acts in pass-through mode after initially generating the EAP-Identity request, so it has nothing to do with the EAP type. The AAA client will behave the same no matter whether you use PEAP, EAP-TLS or LEAP.

    The error message that you have reported is clearly saying that your client doesn't have a certificate to submit against the back-end authentication server, and accordingly the process fails. If you are not seeing anything sent from the WLC to NPS, it makes sense, because when the WLC initially generates the EAP-Identity request your client fails to answer, and accordingly nothing is sent to the NPS server.

    In order to verify that, we need 'debug client <mac address of the client>' from the WLC while trying to connect, to make sure that is the case.

    Also make sure that your client has a certificate that is bound to a user account defined in your AD, in one way or another, to have it working.

    -----------------------------------------------------------------------

    Please make sure to rate correct answers

  • RELEVANCY SCORE 3.25

    DB:3.25:Cisco Wlc 5508 Controllers, Microsoft Nps With 802.1x And Peap fj



    We are using Cisco WLC 5508 controllers, NCS and Microsoft NPS for RADIUS. I know it's possible with PEAP to check if the user is a member of an AD group, but is it also possible to check if the user is using a domain machine? So an AND operation. I tried it with an NPS policy to check if the machine is a member of the AD group Domain Computers, but it is not working.

    DB:3.25:Cisco Wlc 5508 Controllers, Microsoft Nps With 802.1x And Peap fj


    If you need to validate that the PC is a member of the domain and you are using NPS you should do machine authentication for your windows PCs and use EAP-TLS. If you use PEAP you will run into problems when the PCs decide to change their passwords for the domain. You can do condition based policies, so you can have your first policy be EAP-TLS for domain PCs, then you can do PEAP for other things if necessary. Deploying certs to the workstations is pretty easy with windows PCs that are in the domain.

  • RELEVANCY SCORE 3.24

    DB:3.24:Machine Authentication With Mar And Acs - Revisited k1



    I'm wondering if anyone else has overcome the issue I'm about to describe.

    The scenario:

    We are happily using ACS 4.1 to authenticate wireless PEAP clients to an external Windows AD database.

    We do have machine authentication via PEAP enabled, but at this time we are not using Machine Access Restrictions as part of the external database authentication configuration.

    The clients (we care about) are using the native XP ZWC supplicant and are configured to "authenticate as machine when available".

    The passed authentications log does successfully show the machines authenticating.

    The challenge:

    We only want to permit users on our PEAP-protected WLAN if the machine they are using has an account in the domain (and they are a Windows XP box, the current standard corporate image).

    In a testing lab, we enable Machine Access Restrictions, with the access mapped to "No Access" if there is no machine auth, or if machine auth fails.  If a machine is shut down and boots fresh, or if the logged on user chooses to logoff while on that WLAN - we see the Windows box sends its machine authentication.  As I understand it - a windows XP box will only attempt to authenticate as a machine when a user logs off, or upon initial boot.

    In our environment (and I'm sure many others), if a user comes into the office and docks their laptop and is attached to the wired LAN and boots or logs on, the machine may be authenticating, but it is authenticating directly to the AD, as our wired LAN is not using 802.1x or ACS RADIUS.

    So the user may be logged on and working on the network, and then chooses to undock, which activates the wireless.

    The problem then: the machine does NOT attempt to authenticate as a machine and only processes the user credentials, which get passed on to ACS via the WLC, and when MAR is enabled with the No Access mapping for no machine auth, the user auth obviously fails.

    Has anyone seen / overcome this?

    Our goal is to enforce that only standard XP imaged machines get on the wireless PEAP network (where the configuration is maintained by GPO).

    DB:3.24:Machine Authentication With Mar And Acs - Revisited k1


    Did you ever get this resolved?

    I am working on the exact same authentication policy. I need machine authentication against AD for all of our users; wired, wireless and VPN/ASA.

  • RELEVANCY SCORE 3.23

    DB:3.23:Aaa Radius as



    Hi,

    I want to use AAA (RADIUS server) to do PEAP authentication. Can I use different RADIUS vendors, or do I need to use CSACS only?

    DB:3.23:Aaa Radius as


    You can use any Radius server, most of them(actually I guess all of them) support PEAP authentication.

    IAS, FunkSteel, CSACS etc....

  • RELEVANCY SCORE 3.19

    DB:3.19:Cannot Connect To Peap-Mschapv2 Wireless Network cx


    We have recently set up a new wireless network. We are using a Meru wireless controller. We are using Windows 2008 R2 NPS for our RADIUS 802.1x authentication. We have it set up for PEAP-MSCHAPv2. We couldn't get a connection with our AD CS certificate, so we purchased a cert through DigiCert. I installed the cert using IIS 7 on the same server as the NPS server. The NPS server sees the certificate and does not seem to have an issue with it. I am manually configuring my wireless security type as 802.1x and WEP as the encryption type. I am using PEAP as the network authentication method. In the PEAP Properties, I have Validate server certificate unchecked. I have Secured Password (EAP-MSCHAP v2) selected as the authentication method. Enable fast reconnect is enabled. It's also enabled on the server. In the Security tab's Advanced Settings, under 802.1x settings, I have specified User or computer authentication. When I try to connect, the Windows Security Network Authentication prompts for the credentials. I am typing in my credentials as domain\user and password. When I click OK, I almost immediately get a "Windows was unable to connect to wireless ssid". When I look on the NPS server, I am not even seeing an event for my logon attempt. However, if I do not configure any special settings for my wireless connection, I am prompted with an EAP/TLS prompt, and when I type in my credentials, those are being logged in the event log. The connection still fails of course. The dial-in properties for my account are set to Control access through NPS Network Policy as my Network Access Permission, Verify Caller-ID is not selected and there are no Callback options set. There are no static IP addresses or static routes applied. We have been working on this issue for 2 weeks now and cannot seem to find a resolution. Please help!

    DB:3.19:Cannot Connect To Peap-Mschapv2 Wireless Network cx

    I am new to certificates and NPS. I am a little confused. Do I need to change the Certificate Template for the certificate that we purchased from DigiCert? How do I do that? When I add the CA snap-in, I only see the snap-in for the certificate that was created with AD CS. I don't want to use this one.

    Also, I am not quite sure if I am having an issue with the certificate. Please see the following from the NPS log file. Does it look like it is passing the authentication process?

    DC,IAS,04/16/2012,12:20:50,1,domain\username,DC.local/Enterprise Admins/User,00-90-0B-23-67-85:DO-Faculty,64-27-37-2F-92-EC,,,,192.168.3.253,2049,0,192.168.3.253,DC-MERU,,,19,CONNECT 802.11g,,,5,Secure Wireless Connections,0,311 1 172.16.5.159 04/14/2012 11:11:57 36,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Secure Wireless Connections,1,,,,
    DC,IAS,04/16/2012,12:20:50,11,,DC.local/Enterprise Admins/User,,,,,,,,0,192.168.3.253,DC-MERU,,,,,,,5,Secure Wireless Connections,0,311 1 172.16.5.159 04/14/2012 11:11:57 36,30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Secure Wireless Connections,1,,,,

    It looks like the reason code 0 is stating that there was IAS_Success? Does that mean it passed authentication? But then we are getting an Access-Challenge (Code 11). I found this article on Access-Challenge:

    4.4. Access-Challenge

    Description

    If the RADIUS server desires to send the user a challenge
    requiring a response, then the RADIUS server MUST respond to the
    Access-Request by transmitting a packet with the Code field set to
    11 (Access-Challenge).

    The Attributes field MAY have one or more Reply-Message
    Attributes, and MAY have a single State Attribute, or none.
    Vendor-Specific, Idle-Timeout, Session-Timeout and Proxy-State
    attributes MAY also be included. No other Attributes defined in
    this document are permitted in an Access-Challenge.

    On receipt of an Access-Challenge, the Identifier field is matched
    with a pending Access-Request. Additionally, the Response
    Authenticator field MUST contain the correct response for the
    pending Access-Request. Invalid packets are silently discarded.

    If the NAS does not support challenge/response, it MUST treat an
    Access-Challenge as though it had received an Access-Reject
    instead.

    If the NAS supports challenge/response, receipt of a valid
    Access-Challenge indicates that a new Access-Request SHOULD be
    sent. The NAS MAY display the text message, if any, to the user,
    and then prompt the user for a response. It then sends its
    original Access-Request with a new request ID and Request
    Authenticator, with the User-Password Attribute replaced by the
    user's response (encrypted), and including the State Attribute
    from the Access-Challenge, if any. Only 0 or 1 instances of the
    State Attribute can be present in an Access-Request.

    A NAS which supports PAP MAY forward the Reply-Message to the
    dialing client and accept a PAP response which it can use as
    though the user had entered the response. If the NAS cannot do
    so, it MUST treat the Access-Challenge as though it had received
    an Access-Reject instead.

    Any ideas? It appears that it is treated like a rejection. Do you think it is because of the authentication or that the NAS is not configured for challenge/response?
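The two records quoted above are in the NPS/IAS database-compatible (ODBC) log format, and the question is what a reason code of 0 on the Access-Request followed by an Access-Challenge means. As an added example, not from the original thread or from Microsoft, the following Python parses lines in that format, groups them by the Class attribute (which NPS carries through one conversation) and reduces each conversation to an outcome. The column order is an assumption taken from Microsoft's documentation of that format, the packet codes are RFC 2865 values, and the sample lines are constructed to mirror the quoted layout rather than copied from the poster's log.

```python
import csv
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Leading columns of the NPS/IAS "database-compatible" (ODBC) log format, the layout
# the quoted lines follow. Assumed from Microsoft's documentation of that format;
# check the column reference for your NPS version before trusting positions.
COLUMNS = [
    "ComputerName", "ServiceName", "Record-Date", "Record-Time", "Packet-Type",
    "User-Name", "Fully-Qualified-Distinguished-Name", "Called-Station-ID",
    "Calling-Station-ID", "Callback-Number", "Framed-IP-Address", "NAS-Identifier",
    "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
    "Client-Friendly-Name", "Event-Timestamp", "Port-Limit", "NAS-Port-Type",
    "Connect-Info", "Framed-Protocol", "Service-Type", "Authentication-Type",
    "NP-Policy-Name", "Reason-Code", "Class",
]
# RADIUS packet codes (RFC 2865); 11 is the Access-Challenge asked about above.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}
# Two NPS reason codes used by the constructed sample; the full list is in the
# NPS event documentation.
REASON_CODES = {0: "IAS_SUCCESS (nothing has failed at this stage)",
                16: "credentials mismatch (unknown user name or wrong password)"}

@dataclass
class Record:
    packet_type: int
    user: str
    nas_ip: str
    policy: str
    reason: Optional[int]
    session: str   # the Class attribute, which NPS reuses to tie one conversation together

    @property
    def packet_name(self) -> str:
        return PACKET_TYPES.get(self.packet_type, f"code {self.packet_type}")

def parse_record(line: str) -> Record:
    fields = next(csv.reader([line]))
    if len(fields) < len(COLUMNS):
        raise ValueError(f"expected >= {len(COLUMNS)} columns, got {len(fields)}")
    row = dict(zip(COLUMNS, fields))
    return Record(packet_type=int(row["Packet-Type"]), user=row["User-Name"],
                  nas_ip=row["NAS-IP-Address"], policy=row["NP-Policy-Name"],
                  reason=int(row["Reason-Code"]) if row["Reason-Code"] else None,
                  session=row["Class"])

def parse_log(text: str) -> List[Record]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def by_session(records: List[Record]) -> Dict[str, List[Record]]:
    sessions: Dict[str, List[Record]] = {}
    for r in records:
        sessions.setdefault(r.session, []).append(r)
    return sessions

def verdict(records: List[Record]) -> Tuple[str, Optional[int]]:
    """Reduce one conversation to an outcome.

    An Access-Challenge is NPS asking for the next EAP round inside the PEAP tunnel;
    it is not a rejection, and reason 0 on it only says nothing has failed yet.
    Only Access-Accept or Access-Reject ends the conversation. A session whose last
    record is a challenge stalled on the NAS or supplicant side, which matches a
    client that reports "unable to connect" while the server logs nothing further.
    """
    for r in records:
        if r.packet_type == 2:
            return ("accepted", r.reason)
        if r.packet_type == 3:
            return ("rejected", r.reason)
    if records and records[-1].packet_type == 11:
        return ("stalled-after-challenge", None)
    return ("undecided", None)

def summarize(text: str) -> Dict[str, Tuple[str, Optional[int]]]:
    return {sid: verdict(recs) for sid, recs in by_session(parse_log(text)).items()}

# Constructed sample modelled on the quoted lines (not the poster's real log).
# Conversation 1: request, challenge, then silence. Conversation 2: request,
# challenge, reject with reason 16.
SAMPLE_LOG = """\
NPS1,IAS,04/16/2012,12:20:50,1,EXAMPLE\\alice,example.local/Users/alice,00-11-22-33-44-55:CorpWiFi,AA-BB-CC-DD-EE-01,,,,192.0.2.10,2049,0,192.0.2.10,WLC-1,,,19,CONNECT 802.11g,,,5,Secure Wireless Connections,0,311 1 192.0.2.5 04/16/2012 12:20:50 1
NPS1,IAS,04/16/2012,12:20:50,11,,example.local/Users/alice,,,,,,,,0,192.0.2.10,WLC-1,,,,,,,5,Secure Wireless Connections,0,311 1 192.0.2.5 04/16/2012 12:20:50 1
NPS1,IAS,04/16/2012,12:21:04,1,EXAMPLE\\bob,example.local/Users/bob,00-11-22-33-44-55:CorpWiFi,AA-BB-CC-DD-EE-02,,,,192.0.2.10,2050,0,192.0.2.10,WLC-1,,,19,CONNECT 802.11g,,,5,Secure Wireless Connections,0,311 1 192.0.2.5 04/16/2012 12:21:04 2
NPS1,IAS,04/16/2012,12:21:04,11,,example.local/Users/bob,,,,,,,,0,192.0.2.10,WLC-1,,,,,,,5,Secure Wireless Connections,0,311 1 192.0.2.5 04/16/2012 12:21:04 2
NPS1,IAS,04/16/2012,12:21:05,3,EXAMPLE\\bob,example.local/Users/bob,,,,,,,,0,192.0.2.10,WLC-1,,,,,,,5,Secure Wireless Connections,16,311 1 192.0.2.5 04/16/2012 12:21:04 2
"""

if __name__ == "__main__":
    for sid, (outcome, reason) in summarize(SAMPLE_LOG).items():
        print(f"{sid}: {outcome}", REASON_CODES.get(reason, reason) if reason is not None else "")
```

Run as a script it prints one line per conversation. The first constructed conversation ends on a challenge with neither accept nor reject, which is the pattern to look for when the client drops out before the EAP exchange completes; the second shows an explicit reject with its reason code, which is what a credential problem looks like in the same log.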

  • RELEVANCY SCORE 3.16

    DB:3.16:How To Set Enterprise Wpa2 With The Ap 1241 ( Peap-Ms-Chap V2 ) jk



    Hi friends

    I've already set up the wpa2 with the WLC and AP 1130, with the IAS Radius server according to this howto:

    http://cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

    It's working without any problems

    I'd like to do the same, but with the AP1241 (autonomous) without a WLC.

    I've tried to use this howto, but actually it doesn't work:

    http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml

    The main question is if it's possible, because I don't know if the AP supports PEAP-MS-CHAP.

    When I use it, the IAS server says that the account is granted, but the wireless connection on the client says:

    Validate certificate error, or Potential problem with supplicant

    Thanks for any hints

    pet

    DB:3.16:How To Set Enterprise Wpa2 With The Ap 1241 ( Peap-Ms-Chap V2 ) jk


    On the client, under the wireless profile for this ssid, uncheck "validate server certificate." This option forces the Windows client to check with a third-party certificate provider (EnTrust and others) for YOUR certificate that you've applied to the server. You don't want this to happen, so you unselect "validate server certificate" and you won't get that error any longer.

    HTH,

    John

    *Please rate all useful posts*

  • RELEVANCY SCORE 3.16

    DB:3.16:Allowing Peap - Mschapv2 Traffic Through Pix j3



    Hi friends,

    There is a PIX that segments the wireless network from the wired network and does routing between them as well.

    Now, I have created an open access list allowing access to everything.

    The Access point 10.81.65.2 (wireless network) talks to the Radius / AD server viz. 10.81.64.12 (PEAP MSCHAPv2) for AD authentication.

    Authentication fails in such a setup. But if I put the AP in the same segment as the RADIUS server, I am able to get authenticated successfully.

    The issue is only when NAS (Access point) and MS IAS Radius server are in separate subnets.

    Authentication works perfectly fine if they are in the same subnet.

    Access lists / Static statements are all given appropriately.

    Anyone with ideas on how to resolve this?

    Should I make the PIX also an AAA client to the RADIUS server?

    Thanks a lot

    Gautam


  • RELEVANCY SCORE 3.16

    DB:3.16:Wlse In Peap Env sx



    Will there be a problem for WLSE in a PEAP env? I saw on the web that it supports LEAP and RADIUS, no mention of PEAP.

    DB:3.16:Wlse In Peap Env sx


    I have not tried it myself, but the WLSE documentation says it can set the field Authentication Type, and one of the options there is Network EAP and the authentication server. If you look in the AP documentation you will see that to set PEAP, that is the field that needs to be enabled:

    Step 9 Select EAP Authentication under the server. The EAP Authentication checkbox designates the server as an authenticator for any EAP type, including LEAP, PEAP, EAP-TLS, EAP-SIM, and EAP-MD5.

    Then it looks like you should be fine.

    Sources

    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cwparent/cw_1105/wlse/1_3/user_gd/config.htm#xtocid9

    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm#1036420

  • RELEVANCY SCORE 3.11

    DB:3.11:Can Anyone Tell Me How Peap Works And How To Set Up On My 1242 Ap jp



    Hi all

    Firstly, can anyone explain briefly how PEAP works? Can I use local usernames from the AP, and also a RADIUS server linked to my Active Directory?

    Also, when using PEAP etc., do I not need to type in the PSK for WPA etc.? Does the PEAP function effectively do this?

    Also, what are the basics for setting it up on my 1242 AP?

    thanks

    Carl

    DB:3.11:Can Anyone Tell Me How Peap Works And How To Set Up On My 1242 Ap jp


    Hello Carl,

    PEAP just like LEAP, EAP-FAST, EAP-TLS is one of the 802.1x/EAP authentication methods used in WPA Enterprise. You can also use 802.1x/EAP without WPA. This is different from WPA-PSK. WPA-PSK doesn't use 802.1x authentication methods. In WPA-PSK you simply enter the same passphrase on client and AP. This passphrase is used to calculate the actual encryption keys used by TKIP or AES-CCMP encryption methods.

    With WPA enterprise, you must have an authentication server (RADIUS). AP doesn't actually care which 802.1x authentication method you are using. AP ("authenticator") simply converts Client's 802.1x messages to RADIUS messages and forwards them to the authentication server (Cisco ACS, Microsoft IAS, etc), and then converts RADIUS messages from the authentication server back to 802.1x messages and forwards them to the client ("supplicant").

    You can either use your RADIUS server, or you can also configure Local RADIUS (local usernames) on the AP. You can't use both at the same time, but you can fail over from your RADIUS server to the Local RADIUS, if you wish. When using a RADIUS server, the AP doesn't care which 802.1x/EAP method you use; there's no EAP configuration on the AP (only EAP timeout settings and such). It's up to the supplicant to tell the authentication server which EAP method it wants to use, and it's up to the authentication server to support that EAP method. When using Local RADIUS on the AP, the AP must understand the 802.1X/EAP method that the supplicant wants to use. The Cisco Local RADIUS service supports only LEAP, EAP-FAST and EAP-TLS, but not PEAP, therefore you won't be able to use PEAP with the local RADIUS server in your case; you must use an external server (Cisco ACS or Microsoft IAS).

    If you had Wireless LAN controller with lightweight APs, then you could set up WLC with Local RADIUS authentication and PEAP. WLC supports local RADIUS with LEAP, EAP-FAST, EAP-TLS *and* PEAP.

    Here's the basic configuration for an autonomous IOS AP if you are planning to use an external Authentication server that supports PEAP (as well as LEAP, EAP-FAST, and EAP-TLS):

    aaa group server radius rad_eap
    server auth-port 1645 acct-port 1646
    !
    aaa authentication login eap_methods group rad_eap
    !
    dot11 ssid PUBLIC
    authentication open eap eap_methods
    authentication network-eap eap_methods
    guest-mode
    !
    interface Dot11Radio0
    encryption mode wep mandatory
    ssid PUBLIC
    !
    radius-server host auth-port 1645 acct-port 1646 key RADIUS_KEY

    The above configuration is pure 802.1x without WPA (WPA key management involves supplicant and AP only, not the Auth server). Here's a WPA-Enterprise example:

    aaa group server radius rad_eap
    server auth-port 1645 acct-port 1646
    !
    aaa authentication login eap_methods group rad_eap
    !
    dot11 ssid PUBLIC
    authentication open eap eap_methods
    authentication network-eap eap_methods
    authentication key-management wpa
    guest-mode
    !
    interface Dot11Radio0
    encryption mode ciphers tkip (or aes-ccm)
    ssid PUBLIC
    !
    radius-server host auth-port 1645 acct-port 1646 key RADIUS_KEY

    Regards,

    Roman
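Roman's point above, that the AP only relays EAP inside RADIUS and leaves the choice of EAP method to the supplicant and the authentication server, is easiest to see in the packets themselves. The following Python is an added example, not part of Roman's post or of Cisco's software: it builds the Access-Request an authenticator sends with the supplicant's EAP-Response/Identity inside EAP-Message plus a Message-Authenticator (RFC 3579), the Access-Challenge the server returns carrying a PEAP start, and the checks the NAS applies to that reply (Response Authenticator per RFC 2865, Message-Authenticator per RFC 3579). Those checks are the verification behind the "invalid packets are silently discarded" sentence quoted from RFC 2865 in the NPS thread earlier on this page. The user name "carl", the identifier values and the shared secret RADIUS_KEY (reused from the sample config as a placeholder) are assumptions.

```python
import hashlib
import hmac
import os
import struct

# Codes from RFC 2865 (RADIUS), RFC 3579 (EAP-Message 79, Message-Authenticator 80)
# and RFC 3748 (EAP). NAS-Port-Type 19 is Wireless-IEEE 802.11.
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_NAS_PORT_TYPE, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 61, 79, 80
NAS_PORT_TYPE_WIRELESS = 19
EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 2, 1, 25

def eap_packet(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """EAP header (code, id, length) + type octet + type data."""
    return struct.pack("!BBH", code, ident, 5 + len(data)) + bytes([eap_type]) + data

def encode_attrs(attrs: list) -> bytes:
    out = b""
    for atype, value in attrs:
        assert len(value) <= 253, "value too long for one attribute TLV"
        out += bytes([atype, 2 + len(value)]) + value
    return out

def parse_attrs(blob: bytes) -> list:
    attrs, i = [], 0
    while i < len(blob):
        alen = blob[i + 1] if i + 1 < len(blob) else 0
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + alen]))
        i += alen
    return attrs

def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def message_authenticator(code, ident, request_auth, attrs: list, secret) -> bytes:
    """HMAC-MD5 over the packet with Message-Authenticator zeroed (RFC 3579 3.2);
    replies are keyed over the *request's* authenticator, so that is always passed."""
    zeroed = [(t, bytes(16) if t == ATTR_MSG_AUTH else v) for t, v in attrs]
    pkt = radius_packet(code, ident, request_auth, encode_attrs(zeroed))
    return hmac.new(secret, pkt, hashlib.md5).digest()

def response_authenticator(code, ident, request_auth, attrs: bytes, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def nas_access_request(ident, request_auth, username: bytes, eap: bytes, secret) -> bytes:
    """Authenticator side: the EAP payload from the EAPOL frame goes into EAP-Message
    untouched; the AP only adds its own attributes and seals the packet."""
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS)),
             (ATTR_EAP_MESSAGE, eap), (ATTR_MSG_AUTH, bytes(16))]
    attrs[-1] = (ATTR_MSG_AUTH, message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    return radius_packet(ACCESS_REQUEST, ident, request_auth, encode_attrs(attrs))

def server_access_challenge(ident, request_auth, eap: bytes, secret) -> bytes:
    """Server side: the next EAP round (here a PEAP start) rides back in an
    Access-Challenge. The server, not the AP, decided the EAP method."""
    attrs = [(ATTR_EAP_MESSAGE, eap), (ATTR_MSG_AUTH, bytes(16))]
    attrs[-1] = (ATTR_MSG_AUTH, message_authenticator(ACCESS_CHALLENGE, ident, request_auth, attrs, secret))
    blob = encode_attrs(attrs)
    auth = response_authenticator(ACCESS_CHALLENGE, ident, request_auth, blob, secret)
    return radius_packet(ACCESS_CHALLENGE, ident, auth, blob)

def nas_verify_response(packet: bytes, ident, request_auth, secret) -> bool:
    """NAS checks on a reply: ID matches the pending request, Response Authenticator
    is right, Message-Authenticator is present and valid; anything else is discarded."""
    code, pid, length = struct.unpack("!BBH", packet[:4]) if len(packet) >= 4 else (0, -1, 0)
    if pid != ident or length != len(packet) or length < 20:
        return False
    attrs = packet[20:]
    if not hmac.compare_digest(packet[4:20], response_authenticator(code, pid, request_auth, attrs, secret)):
        return False
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return False
    macs = [v for t, v in parsed if t == ATTR_MSG_AUTH]
    return len(macs) == 1 and hmac.compare_digest(
        macs[0], message_authenticator(code, pid, request_auth, parsed, secret))

def eap_type_in(packet: bytes) -> int:
    """Reassemble EAP-Message fragments; the type octet is for the supplicant, not the NAS."""
    eap = b"".join(v for t, v in parse_attrs(packet[20:]) if t == ATTR_EAP_MESSAGE)
    return eap[4]

def exchange(secret: bytes = b"RADIUS_KEY") -> dict:
    """First round trip of a PEAP logon relayed by the AP (the key is a placeholder)."""
    ident, request_auth = 7, os.urandom(16)      # NAS picks the ID and a random authenticator
    identity = eap_packet(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, b"carl")
    req = nas_access_request(ident, request_auth, b"carl", identity, secret)
    peap_start = eap_packet(EAP_REQUEST, 2, EAP_TYPE_PEAP, b"\x20")  # PEAP flags octet: S bit
    resp = server_access_challenge(ident, request_auth, peap_start, secret)
    return {"request_code": req[0], "response_code": resp[0],
            "verified": nas_verify_response(resp, ident, request_auth, secret),
            "wrong_secret_rejected": not nas_verify_response(resp, ident, request_auth, b"wrong"),
            "eap_type_to_client": eap_type_in(resp)}
```

`exchange()` returns the codes of both packets, whether the NAS accepts the challenge, that the same challenge fails against a wrong shared secret, and the EAP type (25, PEAP) the supplicant will see. Nothing in the NAS-side functions reads that type octet, which is Roman's point: the AP's only job is to wrap, unwrap and verify, so an EAP method failing with one server and working with another is a supplicant or server matter, not an AP one.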

  • RELEVANCY SCORE 3.10

    DB:3.10:Eap-Sim Initiated By Sony Xperia Mobile, Not Reaching Access Point 9x


    Hi Friends,

    EAP-SIM initiated by a Sony Xperia mobile is not reaching the access point, or the AP is not forwarding the EAP-SIM message to the FreeRADIUS server. I am facing a problem in EAP-SIM evaluation with FreeRADIUS. Please find the points below and help me out.

    1. Using a Sony Xperia as the user end, a Dlink dir615 or Linksys wrt120n as the access point, and FreeRADIUS as the authentication server.
    2. FreeRADIUS tested with the eap-sim option with the help of the eap-sim06 test client provided with FreeRADIUS; it is working fine.
    3. If I configure PEAP on FreeRADIUS with the Dlink as AP and the Xperia as UE, it is working fine.
    4. If I configure EAP-SIM on FreeRADIUS and select the SIM option on the Xperia, I am not getting an Access-Request on FreeRADIUS.

    Does the AP support only some EAP methods, like PEAP, TLS and TTLS, but not SIM and AKA? If the AP does not support SIM, can we still do something to get an Access-Request? Because the specs say old APs should also work. Please suggest a solution.


  • RELEVANCY SCORE 3.10

    DB:3.10:Eap Over Wireless And Nap Problems cm


    Hello,
    I have the following problem with NAP. I am trying to connect Windows Vista to a wireless network and validate its health using NAP. My PEAP request is successfully forwarded to Longhorn server running NAP server, but the client does not connect.
    On Longhorn I set up :
    - radius client to accept requests from authenticator.
    - Connection request policy specifying NAS port type == Wireless-IEEE 802.11
    - 3 network policies as described in step-by-step guides: Compliant-full access, noncompliant-restricted, downlevel-full-access
    - system health validator to check if firewall is enabled.
    I also have windows 2003 server working as domain controller. There is IAS running there with installed RADIUS.
    Now, when I try to connect Vista, I see that EAP request is forwarded to Longhorn server.
    If I setup Connection Request Policy to forward authentication request to RADIUS running on Windows 2003, I can connect my client, but I do not see that NAP was used. In the System log I see that Proxy-Policy-Name used was the one configured for Connection request policy. However, policy name is specified as undetermined. I guess I should see something like Compliant/noncompliant, right?
    If I set up the Connection Request Policy to process authentication locally, the connection process fails. Proxy-Policy-Name is the one I defined for the Connection Request policy, Policy Name is Undetermined. The log also says that the Access-Request was discarded, Reason code is 1 with description: Internal error Occurred.
    Questions:
    - Can I use NAP on Longhorn and forward request to RADIUS on Windows 2003?
    - If I want to process authentication requests locally on Longhorn, do I need to setup user account there? I cannot find IAS.
     
    Thanks,
    Paker
     

    DB:3.10:Eap Over Wireless And Nap Problems cm

    If you want to have NAP with EAP; then you have to override authentication in CRP and add PEAP as authentication method. You have to configure PEAP to enable quarantine checks. You have to do these configurations in the authenticating NPS server (not the one that is proxy-ing your request).
    I have already posted a reply to the other thread for internal error reporting in the event log. Please turn on NPS tracing as per the other thread and send iassam.log and iasnap.log. 
    To answer your specific questions:
    - Can I use NAP on Longhorn and forward request to RADIUS on Windows 2003?
    No -- Health evaluation can only be done on NPS server on Longhorn. While you can proxy your request to win2k3 for authentication; you have to terminate your PEAP session on a LH box for NAP.
    - If I want to process authentication requests locally on Longhorn, do I need to setup user account there? I cannot find IAS.
    Not sure if I understand what you mean by local authentication. NPS can authenticate users in AD if it can communicate to the DC of the AD. Or it could authenticate local users in the NPS box.
    Thanks,
    Shankar

  • RELEVANCY SCORE 3.10

    DB:3.10:Aironet 1200+Wet54+Peap? 1j



    I am trying to get a Linksys WET54GS5 bridge connected to an Aironet 1200 using PEAP.

    PEAP authentication to the Aironet 1200 works fine from a Windows XP wireless client setup to use PEAP. We are using Windows IAS for RADIUS authentication on the backend.

    I bought the WET54 specifically because it claimed to support WPA RADIUS authentication and EAP. I have loaded the certificate from our Windows certificate server into the WET54, set it up to use TKIP, and used a username and password that definitely has access to connect to the Aironet 1200. If I enable EAP -or- MAC authentication for the particular ssid on the 1200, the WET54 will associate and stay linked, but no traffic is permitted because WEP-Encryption is set to mandatory, which I gather is a requirement when you associate an ssid to a VLAN. So really the "or" part is not really true or at least it doesn't mean what I think it should (i.e., that a WPA RADIUS-connected client OR a permitted MAC-associated client can connect and send/receive traffic).

    Has anyone gotten a WET54 working in this configuration or will I have to convince my boss to buy Cisco wireless bridges instead?


  • RELEVANCY SCORE 3.05

    DB:3.05:Having A Problem With Peap And Cisco 2960 Switch ac



    Hi All,

        I am attempting to use PEAP with an LDAP backend on FreeRADIUS with the MS supplicant.  I have it all working; in debug on the RADIUS server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs.  If I install the Cisco or Juniper client it works just fine if I use EAP-MSCHAPv2, but PEAP-MSCHAPv2 does not switch the port to the right VLAN.  Is there something extra on the switch I need to do to allow PEAP, or is there something on the FreeRADIUS side?

        The only difference between the PEAP and EAP versions that I can tell is that with PEAP the information is sent once after authentication (according to the debug on the RADIUS server), whereas with EAP the connection information is sent several times, that is, I will see the Tunnel and Medium info sent more than once in the RADIUS log for just one login.

    Any ideas?

    DB:3.05:Having A Problem With Peap And Cisco 2960 Switch ac


    Just updating like I mentioned in the previous post, the setting I changed was the "use_tunneled_reply = yes".  This fixed the issue mentioned above.

    Thanks

  • RELEVANCY SCORE 3.05

    DB:3.05:Is Possible Configure Cisco Ssl Vpn Works With Nap Radius Client? k3


    Hello,
    We are planning to set up an ASA SSL (Microsoft CA) VPN through NPS using NAP. Is there a way to configure the RADIUS/NAP server to allow PEAP/EAP
    and the NAP client to go through when using the ASA SSL VPN?
    Thanks,
    Mike

    MCSE

    DB:3.05:Is Possible Configure Cisco Ssl Vpn Works With Nap Radius Client? k3


    Hi Mike,

    Thanks for posting here.

    You might consider specifying an IP address range for the ASA VPN clients and setting a connection exception in NAP:

    Design an Exception Management Strategy

    http://technet.microsoft.com/en-us/library/dd125358(WS.10).aspx

    Thanks.

    Tiger Li

  • RELEVANCY SCORE 3.04

    DB:3.04:Peap With Eap-Fast zp



    Hi,

    Is it possible to configure a Lightweight Access Point LAP1242AG as an 802.1x supplicant using a Microsoft NPS RADIUS server that does not use the EAP-FAST authentication method? Can I use PEAP in NPS RADIUS?

    DB:3.04:Peap With Eap-Fast zp


    You can only use EAP-FAST with anonymous provisioning.

    The reason why you can't use PEAP is that with PEAP you must have a certificate on the AAA server that is trusted by the supplicant (the AP in our case), but the AP has no certificate authority trust list to know whether the server certificate is trusted or not. Hence, all methods that use a certificate on the server cannot be used (PEAP, EAP-TLS, EAP-TTLS).

    One more reason is that the AP as a supplicant is configured with the EAP method = EAP-FAST. It is hard-coded and cannot be changed; there are no parameters to modify either, except the username and the password that you have to provide.

    You can only use EAP-FAST with anonymous PAC provisioning. You can't even use manual provisioning, simply because there is no mechanism to put the PAC manually on the AP.

    HTH

    Amjad

  • RELEVANCY SCORE 3.03

    DB:3.03:Proxy Distribution Table Issue With Peap Auth And Vpn Concentrator As Nas 7d



    I'm using ACS for Windows Server Release 3.2(3) Build 11, performing APs' management admin through TACACS+, LEAP authentication to WDS through RADIUS (Aironet), PEAP for wireless clients through RADIUS (Aironet) and IPSec on the VPN Concentrator through RADIUS (VPN 3000 Concentrator).

    After I've created an entry on the Proxy Distribution Table for @xxx pointing to the ACS server (stripping this suffix) and a default entry for the external Radiator, I've registered the following:

    - Everything works fine except PEAP and VPN clients without authentication.

    With PEAP, the user appears with the realm, so it seems the strip is not working for PEAP.

    For VPN users, the ACS entry is registered as a passed authentication, but the VPN Concentrator gives the following error:

    "8 03/11/2005 13:15:48.130 SEV=3 AUTH/5 RPT=496 1.1.1.1

    Authentication rejected: Reason = Unspecified

    handle = 428, server = 10.10.10.10, user = ACL, domain = not specified"

    Can this behavior be caused by a bug in this release?

    Grateful for any support

    Thanks

    Nuno Santos


    DB:3.03:Proxy Distribution Table Issue With Peap Auth And Vpn Concentrator As Nas 7d


    You can debug the error using the VPN Client GUI Error Lookup Tool.

    http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_tech_note09186a00801f253d.shtml

  • RELEVANCY SCORE 3.03

    DB:3.03:Cisco Ise And Wlc Timeout Best Practices a9



    I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.

    I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.

    Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

     

    DB:3.03:Cisco Ise And Wlc Timeout Best Practices a9


    Refer to the link for the configuration: http://www.cisco.com/c/en/us/support/docs/wireless/5700-series-wireless-lan-controllers/117717-config-wlc-00.html

  • RELEVANCY SCORE 3.03

    DB:3.03:Session Authentication Issue 9p


    I have set up a 2008 AD / RADIUS server to authenticate wireless clients; it all works great using PEAP and certificates. I followed a couple of MS methods which enabled me to get this working. A user selects the wireless SSID, a notice bubble comes up to log in, they log in using their domain username and password, and then hey presto they are accessing the network. The issue is when they log out of their desktop and then log back in: the wireless reconnects them using their previous session credentials. I want to make them log in for each new wireless session. How do I go about adding a policy to enforce that new wireless sessions have to be authenticated by username and password? I thought about using idle timeout but this is not the right way to do it.
    Thanks for any help or suggestions
    Mick

    DB:3.03:Session Authentication Issue 9p

    Hi Mick,

    Windows 7 uses the WLAN AutoConfig service to auto-connect to wireless networks. You could set up wireless network policies (802.11) in a GPO, add your infrastructure wireless SSID to the available network list and, on the Security tab, uncheck "Cache user information for subsequent connections to this network".

    Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-MS-CHAP v2 Authentication
    http://technet.microsoft.com/en-us/library/dd759176.aspx

    Regards, Rick Tan

  • RELEVANCY SCORE 3.01

    DB:3.01:Nps Radius - Use Anonymous Identities 8a


    Hello,
    I would like to ask you if it is possible to use Anonymous Identities when using NPS as RADIUS server for authenticating WiFi users. Anonymous Identities are described at
    http://www.interlinknetworks.com/app_notes/eap-peap.htm and are part of EAP-PEAP that we use for authentication.

    We need this function to work to join Eduroam network (http://eduroam.org).

    Thank you!

    Best wishes,
    Marko

    DB:3.01:Nps Radius - Use Anonymous Identities 8a

    Hello,
    Yes, according to Microsoft that is configurable. To configure your clients so that they will not send their identity in plain text before the client has authenticated the RADIUS server, select Enable Identity Privacy, and then in Anonymous Identity, type a name or value, or leave the field empty.
    Below you will find a step by step guide to configuring Anonymous Identity:
    http://technet.microsoft.com/en-us/library/dd759219.aspx

    I know it's a late answer but hope it helps.

  • RELEVANCY SCORE 3.01

    DB:3.01:Wlse Express Radius Server Not Working With Spectralink Phone 87



    I have a WLSE Express that I am using as a RADIUS server for my Spectralink IP phones. I also have WDS and FSR set up and running. The problem is that the WLSE will not authenticate the phones. The RADIUS server log shows the phone coming in and getting challenged, but it never accepts it. It looks like the RADIUS server is trying to use Cisco-PEAP when it should be using LEAP. Any ideas?

    DB:3.01:Wlse Express Radius Server Not Working With Spectralink Phone 87


    That's another question. I don't know if it's possible to turn off the other EAP types.

  • RELEVANCY SCORE 3.01

    DB:3.01:Radius/Peap Not Working When Nat Is Enabled? fs


    (Moving this thread to the right forum - my mistake for posting in the wrong place!)

    Setup: Airport Extreme firmware 5.6, Windows Admin Utility 5.2
    Airport's WAN port connected to an internal network with Windows 2003 IAS RADIUS server; Airport's LAN port disconnected.

    Windows XP client (using Microsoft zero-configuration client)

    client and server set up to use PEAP authentication

    If I set up the Airport in bridge mode (uncheck the "Distribute IP Addresses" box in the Network setup tab), the client can authenticate correctly and can obtain an IP address from a DHCP server on my internal network.

    If I check the "Distribute IP Addresses" box, select "Share a single address with DHCP NAT" and the 192.168.1.1/24 address range, the client can no longer authenticate. I haven't changed anything else on either the Airport or the RADIUS server.

    Network traces taken on the wired (WAN) and wireless side of the Airport show that the first few exchanges of the EAP handshake go through fine, but the server's reply to the client's "TLS Hello" message are being blocked by the Airport. Up to that point, I don't see any significant difference between the exchanges with NAT enabled or disabled; it's just that the Airport passes the server's message to the client correctly when NAT is off and blocks it when NAT is on.


  • RELEVANCY SCORE 3.01

    DB:3.01:Connectivity Issues When Using Wpa2 Enterprise ds



    hello everyone,

    I'm using 3 1140 APs with local authentication using a local RADIUS server (FlexConnect mode).

    The RADIUS server I'm using is MS 2008 R2.

    Authentication is working great on all devices, PCs and mobiles.

    The authentication method is PEAP, WPA2 AES Enterprise.

    After 3 or 4 hours devices lose connectivity to the web.

    The device seems to be still connected to the AP, but there is no ping to the host from the local LAN and no ARP learned on the local router.

    Only a manual disconnect on the device and reconnecting brings connectivity up again.

    In one case only resetting the APs helped.

    DB:3.01:Connectivity Issues When Using Wpa2 Enterprise ds


    Well the AP crashes internally:)  So if you search the forums, search for "1142 v7.4", you will find others that had to reboot the AP to fix it almost once a day.

    Thanks, Scott

  • RELEVANCY SCORE 2.98

    DB:2.98:Peap Eap-Mschapv2 Authentication Problems k8



    Hi! I'm trying to configure the ADU client (Cisco client version 2.6) to use PEAP EAP-MSCHAPv2 on Windows 2000 SP4 and XP SP2 operating systems.

    My problem occurs when I configure an option on ADU so that PEAP authentication occurs before the Novell Client for Windows authentication.

    After the Novell login process finishes, I always receive an error message telling me that the Novell server was not reached. Although I see in my RADIUS server's log (ACS v3.3) that PEAP authentication always completes successfully, Novell authentication never does.

    Has anybody already faced this kind of problem?

    DB:2.98:Peap Eap-Mschapv2 Authentication Problems k8


    Thank you for your attention!!!

    I didn't manage to find a tip in these documents that helps me solve the problem.

    Anyway, Thank you very much!!!

  • RELEVANCY SCORE 2.98

    DB:2.98:Ap 1200 Local Authentication Peap 9a



    Can I use an AP 1200 with a configured local RADIUS server as the authenticator for Windows XP clients using the PEAP authentication method?

    DB:2.98:Ap 1200 Local Authentication Peap 9a


    Unfortunately the answer is no because the PEAP method is based on a certificate authentication that you install on the Server and on the client, so since you cannot install the certificate on the AP it would not work.

  • RELEVANCY SCORE 2.98

    DB:2.98:Wireless Policy Loses Settings fc



    What we have is this:

    Self SSL certificate made on server 03 pushed out by a GPO to clients.
    Radius server with shared secret with Meru APs.
    PEAP-WPA Mschapv2 security authentication all sent via GPO.

    What happens is, most of the time they work fine, then all of a sudden a few laptops will stop connecting when booted up and they need a policy refresh on the wired network to log in. It's almost as if a GPO stops working for some reason.
    Cannot find any pattern in the PC event viewer and nothing in the RADIUS logs.
    Any help appreciated!


  • RELEVANCY SCORE 2.98

    DB:2.98:Session Key And Broadcast Key 9m



    Hi,

    I have WLAN working on PEAP.

    I need to understand the working of the Broadcast key and Unicast Key.

    It's mentioned in many docs that during PEAP negotiation,

    1. RADIUS server and client derive the unicast key.

    2. RADIUS server delivers the unicast WEP key to the access point.

    3. Access point delivers the broadcast WEP key, encrypted with the unicast WEP key, to the client.

    4. Client and AP activate the WEP keys and use the broadcast and unicast WEP keys for transmission.

    Questions

    1. The question is how does RADIUS server deliver Unicast WEP Key to client?

    2. How does the Client and RADIUS server exchange the Unicast WEP Keys?

    3. What role does the broadcast Key do?

    Is it that the AP and client talk to each other using the broadcast WEP key, and the client session with RADIUS uses the unicast WEP key?

    Any Inputs/ Links/ Doc.

    Thanks and Regards,

    FG

    DB:2.98:Session Key And Broadcast Key 9m


    Thank you.

    That did clarify most of the stuff.

    I am unable to reach the link, could you mail it me fijo_george@yahoo.com

    Thanks a lot!!!

    Regards,

    FG

  • RELEVANCY SCORE 2.97

    DB:2.97:Peap Certificate When Using Radius Proxy 99


    Hi,
    I need to use PEAP in the wireless environment. I am using Win2012 R2 for Radius proxy server and Radius servers.

    When I configure PEAP at first Radius server, I get the following message:

    I need to know where to import the certificate for PEAP in a RADIUS Proxy environment:

    Only At Radius Proxy Server?
    Or
    Only At all of the Radius servers? If yes, Does the same certificate need to be imported at all of the radius servers? or I need to obtain different certificates for every Radius server?

    Or
    At Radius Proxy server and Radius servers?

    Thanks in advance!

    DB:2.97:Peap Certificate When Using Radius Proxy 99

    SSL server refers to the required purpose of the certificate, called Extended Key Usage. This is to be defined in the certificate template at the Enterprise CA. You could for example copy the existing template Webserver (this is for SSL server - Server Authentication) and then add the EKU for Client Authentication at the Certificate Templates Extensions tab, under Application Policies.

    As a template copied from Webserver it is already configured for submitting the Subject Name in the request - which is required when you request a certificate for a server in the other forest (as cross-forest enrollment would not work out of the box without some additional solutions that are probably overkill).

    As for how to create the request at the NPS, this article lists all the options. If you haven't done this before the Certificates MMC is probably the easiest way. Or you could add the Web Server role to the NPS machine and use IIS' wizard to create a key and request.

  • RELEVANCY SCORE 2.97

    DB:2.97:Aaa Protocol To Use For Communications With The Wlc 9a



    Dear,

    Can you give me more information about the AAA protocol to use for communication between the Radius (ACS 4.2) and the WLC (7.0.98.0)?

    We use PEAP, MSCHAPv2 as authentication method via the wired network. Therefore I must use the same authentication method 'over the air'

    According to the Cisco Wireless LAN Controller Configuration Guide (7.0), chapter 6 "Configuring Security Solutions", section "Configuring RADIUS on the ACS", "RADIUS (Cisco Aironet)" has to be selected from the Authenticate Using list.

    However, when I look at the User Guide for Cisco Secure Access Control Server 4.2, "Configuring AAA Clients", "AAA Client Configuration Options", there is a note: If all authentication requests from a particular Cisco Aironet Access Point are PEAP or EAP-TLS requests, use RADIUS (IETF) instead of RADIUS (Cisco Aironet). ACS cannot support PEAP authentication by using the RADIUS (Cisco Aironet) protocol.

    My questions are:

    What AAA protocol should I use for communication between the ACS and the WLC when using MSCHAPv2 as the authentication method?

    What is the difference between RADIUS (Cisco Airespace) and RADIUS (Cisco Aironet)? Is RADIUS (Cisco Aironet) for LEAP or EAP-TLS only?

    Thank you.

    DB:2.97:Aaa Protocol To Use For Communications With The Wlc 9a


    Correct.

    Let me paste the part of the ACS 4 config guide talking about this :

    RADIUS (Cisco Aironet)—RADIUS using Cisco Aironet VSAs. Select this option if the network device is a Cisco Aironet Access Point used by users who authenticate with the Lightweight and Efficient Application Protocol (LEAP) or the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) protocol, provided that these protocols are enabled on the Global Authentication Setup page in the System Configuration section.

    When an authentication request from a RADIUS (Cisco Aironet) AAA client arrives, ACS first attempts authentication by using LEAP; if this fails, ACS fails over to EAP-TLS. If LEAP is not enabled on the Global Authentication Setup page, ACS immediately attempts EAP-TLS authentication. If neither LEAP nor EAP-TLS is enabled on the Global Authentication Setup, any authentication attempt received from a Cisco Aironet RADIUS client fails. For more information about enabling LEAP or EAP-TLS, see Global Authentication Setup, page 9-21.

    Using this option enables ACS to send the wireless network device a different session-timeout value for user sessions than ACS sends to wired end-user clients.

    Users accessing the network through a Cisco Aironet network device can only be authenticated against the:

    –ACS internal database

    –Windows user database

    –ODBC user database

    –MCIS database

  • RELEVANCY SCORE 2.96

    DB:2.96:Peap Hardware Acs Appliance 38



    Hi, I have a client wanting to upgrade to PEAP. They have configured a CA and certificate and want to use the ACS for the RADIUS part. Does anybody have any experience of getting the certificate onto an ACS appliance and how to get the MSCHAP portion working with Windows? I can see lots of info on using ACS on a Windows platform but very little on the hardware ACS.

    DB:2.96:Peap Hardware Acs Appliance 38


    Rob,

    Many thanks for your kind words, glad it was of some use. : )

  • RELEVANCY SCORE 2.95

    DB:2.95:Problem Authenticating Wireless Users With Peap 19



    Good afternoon,

     

    I am currently trying to authenticate wireless users using PEAP and an external RADIUS server. The problem is when I try to authenticate I get this error:

     

    AAA/AUTHEN/PPP : Pick method list 'Permanent Local'

    DOT11-7-AUTH_FAILED : Station ... Authentication failed

     

    It shouldn't use local authentication, but the aaa server I configured.

     

    I looked on the internet but didn't find a working solution.

    Does anyone know why it is not working?

     

    Here is my running configuration:

     

    Current configuration : 4276 bytes
    !
    ! Last configuration change at 00:45:40 UTC Mon Mar 1 1993
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    ! NVRAM config last updated at 16:38:23 UTC Thu Jul 24 2014
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname ap
    !
    !
    logging rate-limit console 9
    enable secret 5 $1$QVC3$dIVAarlXOo52rN3ceZm1k0
    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 192.168.2.2 auth-port 1812 acct-port 1813
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    !
    !
    !
    !
    !
    aaa session-id common
    no ip routing
    no ip cef
    !
    !
    !
    dot11 syslog
    !
    dot11 ssid test
       authentication open eap eap_list
       authentication key-management wpa version 2
       guest-mode
    !
    !
    eap profile peap
     method peap
    !
    crypto pki token default removal timeout 0
    !
    ...
    !
    !
    bridge irb
    !
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode ciphers aes-ccm
     !
     ssid test
     !
     antenna gain 0
     stbc
     beamform ofdm
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio1
     no ip address
     no ip route-cache
     shutdown
     antenna gain 0
     no dfs band block
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    !
    interface GigabitEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     dot1x pae authenticator
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    !
    interface BVI1
     ip address 192.168.3.10 255.255.255.0
     no ip route-cache
    !
    ip default-gateway IP
    ip forward-protocol nd
    ip http server
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.2.2 auth-port 1812 acct-port 1813 key 7 140441081E501F0B7D
    radius-server vsa send accounting
    !
    bridge 1 route ip
    !
    !
    !
    line con 0
    line vty 0 4
     transport input all
    !
    end

     

     

     

    Thank you
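    One thing to check first when an AP falls back to local authentication is whether every method list an SSID names is actually defined: in the posted configuration the SSID references `eap_list`, while the only RADIUS-backed login list defined is `eap_methods`. The following Python check is an added example (not from the thread or from Cisco) that parses an IOS autonomous-AP configuration and reports SSIDs whose EAP method list is never defined, plus login lists that send to a server group that does not exist; its embedded input is an excerpt of the configuration above.

```python
"""Consistency check for AAA method-list references in a Cisco IOS
autonomous-AP configuration (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Excerpt of the running configuration posted above, reduced to the AAA and
# SSID lines the check looks at. It is the input to the check, unchanged,
# not a corrected configuration.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa group server radius rad_eap
 server 192.168.2.2 auth-port 1812 acct-port 1813
!
aaa group server radius rad_acct
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
dot11 ssid test
   authentication open eap eap_list
   authentication key-management wpa version 2
   guest-mode
!
eap profile peap
 method peap
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid test
!
"""

_GROUP_DEF = re.compile(r"^aaa group server (?:radius|tacacs\+) (\S+)\s*$")
_LOGIN_DEF = re.compile(r"^aaa authentication login (\S+)\s+(.+?)\s*$")
_SSID_HDR = re.compile(r"^dot11 ssid (\S+)\s*$")
_EAP_REF = re.compile(r"^\s+authentication (?:open eap|network-eap) (\S+)\s*$")
_BUILTIN_GROUPS = {"radius", "tacacs+"}  # IOS built-in "all servers" groups


def server_groups(config: str) -> List[str]:
    """Names of every `aaa group server radius|tacacs+` block, in order."""
    return [m.group(1) for line in config.splitlines()
            if (m := _GROUP_DEF.match(line))]


def login_method_lists(config: str) -> Dict[str, List[str]]:
    """Map each `aaa authentication login <name>` list to its method tokens."""
    lists: Dict[str, List[str]] = {}
    for line in config.splitlines():
        if m := _LOGIN_DEF.match(line):
            lists[m.group(1)] = m.group(2).split()
    return lists


def ssid_eap_lists(config: str) -> Dict[str, str]:
    """Map each `dot11 ssid` block to the EAP method list it references.

    Sub-commands of an SSID are indented; the block ends at the first line
    that starts in column 0 (normally the `!` separator).
    """
    refs: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        if m := _SSID_HDR.match(line):
            current = m.group(1)
        elif line and not line[0].isspace():
            current = None
        elif current and (m := _EAP_REF.match(line)):
            refs[current] = m.group(1)
    return refs


def audit(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Report dangling references.

    `ssid_lists`: (ssid, list) where the SSID names a login list that is
    never defined. `server_groups`: (list, group) where a login list sends
    to a server group that is never defined.
    """
    groups = set(server_groups(config)) | _BUILTIN_GROUPS
    lists = login_method_lists(config)
    bad_ssids = [(ssid, name) for ssid, name in ssid_eap_lists(config).items()
                 if name not in lists]
    bad_groups = [(name, methods[i + 1])
                  for name, methods in lists.items()
                  for i, tok in enumerate(methods[:-1])
                  if tok == "group" and methods[i + 1] not in groups]
    return {"ssid_lists": bad_ssids, "server_groups": bad_groups}


if __name__ == "__main__":
    for kind, problems in audit(SAMPLE_CONFIG).items():
        for ref, missing in problems:
            print(f"{kind}: {ref!r} references undefined {missing!r}")
```

    Run against the excerpt it reports the single dangling SSID reference; renaming the reference to the defined list makes the report empty.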

    DB:2.95:Problem Authenticating Wireless Users With Peap 19


    It happens to all of us :) Glad I was able to help!

  • RELEVANCY SCORE 2.95

    DB:2.95:Eap-Peap Authentication Failed With Funk Radius Server. 3x



    Hi.

    Does anyone know the meaning of the following error message on the Funk RADIUS server:

    EAP-PEAP authentication failed - client issued alert 'client closed the session before handshake was completed'

    We use PEAP to authenticate Windows XP clients with a Funk RADIUS server, and the client is always disconnected and requested to input the username and password again. When this happens, the above error message always appears in the log of the RADIUS server.

    Thanks.

    DB:2.95:Eap-Peap Authentication Failed With Funk Radius Server. 3x


    There are two phases in PEAP. The first phase sets up a TLS tunnel, so that the authentication server (i.e. RADIUS server) can authenticate the supplicant in a secured tunnel. Please go to the following URL for the PEAP phases:

    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39068

    If you use a Cisco AP, you can enable the following debugs:

    1. debug radius authentication

    2. debug dot11 aaa authenticator process

    3. debug dot11 aaa authenticator state

    4. debug dot11 aaa authenticator rxdata

    5. debug dot11 aaa authenticator txdata

    If you use IOS version 12.2(13)JA4 or earlier, please replace #2-5 by debug dot11 aaa all

    Please be aware that the above debugs consume a lot of CPU resources on the AP. I suggest you run the debugs when there is only one wireless client trying to associate. Please go to the following URL about the debugs:

    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008024aa4f.shtml

  • RELEVANCY SCORE 2.95

    DB:2.95:Wap 4410n Issues With Win 2003 Ias Radius Server 8k



    I am using a WAP4410N with a Windows 2003 Enterprise IAS RADIUS server.  There are 4 APs connected in auto frequency. It is configured and working with the RADIUS server for all network users. Including roaming users, it is working fine.

    Our problem is, the user connection goes into "validating identity" in between. When we disable and enable the wireless connection it connects again.

    We are using the latest firmware 2.0.3.3. Security Type is WPA-Enterprise, Encryption type is AES, Authentication method is PEAP.

    Please help!!!

    DB:2.95:Wap 4410n Issues With Win 2003 Ias Radius Server 8k


    Maybe you should check what the IAS is saying at the same time? Are there any authentication failures? Any successful attempts?

    Nicolas

  • RELEVANCY SCORE 2.94

    DB:2.94:The Connection Attempt Did Not Match Any Network Policy c3


    I get this error, "The connection attempt did not match any network policy", when a client tries to authenticate via RADIUS. There's one custom network policy which defines the authentication type (PEAP) in Network Policies. There's only the default policy in Connection Request Policies. When I change the default or add a new policy in Connection Request Policies which enables PEAP, I get an internal error in Event Viewer.

    DB:2.94:The Connection Attempt Did Not Match Any Network Policy c3

    OK, we eliminated "The connection attempt did not match any network policy", but a new error occurred: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server." There's no value in EAP type in the error message. In the policy as well as in the client we use "Secured password (EAP-MSCHAP v2)". The client runs Windows XP Professional SP3.

  • RELEVANCY SCORE 2.94

    DB:2.94:Hp Wireless Msm 720 Wireless Ap Wlc Cannot Authentication With Radius m8


    Hi guy
    I am having problems setting up RADIUS authentication for wireless clients. Our wireless is using WPA2 Enterprise security to allow access to any users that have a domain account. We have set up NPS on the domain controller and are trying to use PEAP-MSCHAPv2 as the auth method. The RADIUS server is registered in Active Directory and is able to validate users, but the process fails at the certificate stage.
    I have enabled tracing on the server and the logs from various files are below. We have tried many different combinations of authentication methods and the error is always the same.
    Currently the policy conditions are as follows;
    NAS Port Type - Wireless - IEEE 802.11
    Allowed EAP Types - PEAP
    Authentication Types - PEAP
    Any help/support you can provide would be greatly appreciated!
    Regards
    BR

    DB:2.94:Hp Wireless Msm 720 Wireless Ap Wlc Cannot Authentication With Radius m8

    Seems like a Certification Authority related issue. Do you have a certificate server?
    You can find a lot of related information regarding deploying authenticated wireless on TechNet. See:
    802.1X Authenticated Wireless Deployment Guide
    http://technet.microsoft.com/en-us/library/dd283093(v=ws.10).aspx
    Successful mutual PEAP-MS-CHAP v2 authentication has two main parts:
    1. The client authenticates the NPS server. During this phase of mutual authentication, the NPS server sends its server certificate to the client computer so that the client can verify the NPS server's identity with the certificate. To successfully authenticate the NPS server, the client computer must trust the CA that issued the NPS server certificate. The client trusts this CA when the CA's certificate is present in the Trusted Root Certification Authorities certificate store on the client computer.

    If you deploy your own private CA, the CA certificate is automatically installed in the Trusted Root Certification Authorities certificate store for the Current User and for the Local Computer when Group Policy is refreshed on the domain member client computer. If you decide to deploy server certificates from a public CA, make sure that the public CA certificate is already in the Trusted Root Certification Authorities certificate store.

    2. The NPS server authenticates the user. After the client successfully authenticates the NPS server, the client sends the user's password-based credentials to the NPS server, which verifies the user's credentials against the user accounts database in Active Directory Domain Services (AD DS).

  • RELEVANCY SCORE 2.93

    DB:2.93:Problems Using Peap With Ias 8k


    I am trying to authenticate PEAP clients (W2K) for Cisco 1200 access points using IAS on Windows 2003. When the initial RADIUS request packet is sent to the IAS it includes the following information:

    RADIUS: ----- RADIUS HEADER -----
    RADIUS:
    RADIUS: Code = 1 (Access-Request)
    RADIUS: Identifier = 0
    RADIUS: Length = 173
    RADIUS: Authenticator = 30F51BA0C55ABDC0E7028131C927E056
    RADIUS:
    RADIUS: Attributes follow
    RADIUS: Attribute Type = 1
    RADIUS: Attribute Length = 19
    RADIUS: User-Name = "PEAP-0009B7F1111F"
    RADIUS:
    RADIUS: Attribute Type = 26 (Vendor Specific)
    RADIUS: Attribute Length = 25
    RADIUS: Vendor ID = 9 (Cisco)
    RADIUS: Attribute = 1 (minimum links)
    RADIUS: Vendor Length = 19
    RADIUS: Vendor Data = 737369643D496E7465726E65744F4E4C5904
    RADIUS:
    RADIUS: Attribute Type = 6
    RADIUS: Attribute Length = 139

    The RADIUS response that is sent back from the IAS looks like this:

    RADIUS: ----- RADIUS HEADER -----
    RADIUS:
    RADIUS: Code = 3 (Access-Reject)
    RADIUS: Identifier = 0
    RADIUS: Length = 20
    RADIUS: Authenticator = FAE99D0AFF61F66129DF6153B1AEED13
    RADIUS:
    RADIUS: No attributes
    RADIUS:

    The event written to the event log by the IAS for the above request is as follows:

    User PEAP-0009B7F1111F was denied access.
    Fully-Qualified-User-Name = BOUNCER\PEAP-0009B7F1111F
    NAS-IP-Address = 139.127.8.251
    NAS-Identifier = HOMEAP2
    Called-Station-Identifer = 0009b7d1fe47
    Calling-Station-Identifier = 0009b7f1111f
    Client-friendly-Name = HOMEAP2
    Client-IP-Address = 139.127.8.251
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 38
    Proxy-Policy-Name = Use Windows authentication for all users.
    Authentication-Provider = Windows
    Authentication-Server = undetermined
    Policy-Name = undetermined
    Authentication-Type = EAP
    EAP-Type = undetermined
    Reason-Code = 8
    Reason = The specified user does not exist.

    Based on the above event message, it appears that the IAS is looking for user BOUNCER\PEAP-0009B7F1111F in the local user database. This doesn't seem to make sense since in the first phase of PEAP, the IAS should return an identity request message to the access point and then establish a TLS tunnel directly to the authenticating wireless client. Once the tunnel has been established, then the client should deliver the actual username/password combination to the IAS for authentication. Does anyone know how to fix this problem?

    DB:2.93:Problems Using Peap With Ias 8k


    I have the same problem. When I use MS PEAP, it works fine. After I install ACU and use Cisco PEAP, the user name changes to PEAP-XXXXXXXXX. Anyone know what's wrong?

  • RELEVANCY SCORE 2.93

    DB:2.93:How Can I Add Radius Authentication (802.1x) To My 877 Wireless Router? ds



    Hi, I have a working Cisco 877W. It's working in VPN mode as a site-to-site connection to my HQ, and I have turned the wireless on and configured an SSID with WPA-PSK/AES etc., and I can connect wirelessly to the router and over the VPN.

    Right, I have a Windows RADIUS server and wondered how I can authenticate the wireless users using RADIUS (EAP/PEAP)? Has anyone done this?

    Thanks

    DB:2.93:How Can I Add Radius Authentication (802.1x) To My 877 Wireless Router? ds


    Thanks, I will take a look, have you managed to get RADIUS Authentication to work on a wireless router?

  • RELEVANCY SCORE 2.92

    DB:2.92:Ip Address Assigment ak


    We've got a Wi-Fi network (WPA2) with a working NPS (PEAP) server. Users are authenticated on NPS. The user list is the AD list of users. When we have an authentication request to RADIUS, I have to grab the user name in order to generate an IP address according to the user name.

    How can I do that ?

    by the way, my DHCP server says: DHCP Server is unable to bind to UDP port number 67 as it is used by another application. This port must be made available to DHCP Server to start servicing the clients. - this is another help-needed problem.

    Please)

    DB:2.92:Ip Address Assigment ak

    Hi,
    DHCP and static IP addresses are different. The Active Directory object you are discussing is for assigning a static IP. You cannot assign a static IP with DHCP, although the DHCP server itself does have the ability to reserve a specific IP address. The address reservation is for a device (via MAC address) rather than a user.
    DHCP NAP allows you to evaluate computer identity and/or health (using NPS) and make decisions on whether to supply 1) a fully functional IP configuration, 2) a restricted access IP configuration, or 3) no IP address at all. You cannot evaluate user identity this way, and even if you could it would not be possible to assign a specific IP address dynamically.
    If you want to apply user-based policies, I recommend you look at 802.1X authentication. Otherwise, I think DHCP reservations are probably your best bet.
    I hope this helps,
    -Greg

  • RELEVANCY SCORE 2.92

    DB:2.92:Peap Works On Xp But Not On 2000 Sp4! j3



    I have set up PEAP-MSCHAPv2 to work on XP SP1 with Aironet 1220 (latest IOS upgrade from VxWorks), MS IAS (on 2000 Server SP4), Aironet 350 series cards and a variety of WLAN cards. To migrate from our current static WEP setting, I created 3 VLANs. VLAN 1 uses the static WEP key for current corporate users, VLAN 7 is the new secure corporate VLAN using PEAP, VLAN 9 is a consultants VLAN using PEAP. All three VLANs are working fine with XP SP1.

    When I deployed the new setting yesterday, I ran into a couple of 2000 SP4 desktops/laptops with 350 series cards. They connected fine to the legacy VLAN 1. But I have not been able to make them connect to VLAN 7 through PEAP.

    I installed the latest 350 client/firmware from CCO. Failed to connect through either the Cisco PEAP supplicant or the MS PEAP supplicant. The PC would never associate. Debug aaa authentication, aaa authorization, radius authentication would show nothing but "xxxx.xxxx.xxxx failed to authenticate". No attempts for any RADIUS calls.

    I double-checked all the client (ACU, authentication tab, trusted root CA, etc.) and AP settings. CCO documents always assume you use XP but they will mention somewhere in there that SP4 or SP3 with an 802.1x client should work.

    I think the problem is at the wireless client. Has anyone ever made the same configuration work on 2000 SP4? If yes, I'd love to hear about it!

    Thanks very much in advance!

    daniel

    DB:2.92:Peap Works On Xp But Not On 2000 Sp4! j3


    I am glad I could help. So my many hours are not all wasted!

    Although Mr. Ho of Cisco is trying to say we should blame Microsoft, the problem is still within the ACU setup. Microsoft is not going to tell you how to configure ACU.

    daniel

  • RELEVANCY SCORE 2.92

    DB:2.92:No Radius-Accept-Request Received On Radius Server zs



    Hi,

    I'm trying to access my network through 802.1X RADIUS authentication. My PC is connected to a 2950 switch with the following configuration:

    aaa new-model
    aaa authentication dot1x default group radius
    dot1x system-auth-control
    radius-server host 11.0.0.2 key Ralf

    On interface level (connection to PC):

    switchport mode access
    switchport access vlan 8
    dot1x port-control auto

    On interface level (connection to RADIUS server):

    switchport mode access
    switchport access vlan 8

    I enabled 802.1X authentication on my PC via the service 'Wired Autoconfig', and in the Authentication tab (one of the tabs of the interface configuration) I chose PEAP.

    Result:

    When I trace my PC interface with Wireshark, I see an EAPOL EAP-Request and an EAP-Response message. The next message in the flow should be a Radius-Accept-request message, but it seems that this message is never sent. However, when I open a 'debug radius' session on the switch, the logs indicate that the accept-request message is sent. Strange, because I see no message coming in on the RADIUS server interface.

    The RADIUS server has IP address 11.0.0.2 and my PC 11.0.0.3.

    Does anybody see a reason why the Radius-Accept-Request message is not received on my RADIUS server interface?

    Kind regards, Ralf.

    DB:2.92:No Radius-Accept-Request Received On Radius Server zs


    I found a solution to my problem. I administered an IP address for the VLAN interface on the switch:

    int vlan 8
    ip address 11.0.0.4 255.255.255.0

    Apparently the switch needs an IP address to send the Radius-accept-request from.

    Next step is to get a RADIUS server running and get the PC authenticated.

  • RELEVANCY SCORE 2.92

    DB:2.92:Peap Version 0 7x


    Dear All,
    I have Windows XP machines, and they are authenticated by AD/certificate, a Cisco wireless controller and ACS 5 (RADIUS server).
    I found that Microsoft is using PEAP version 0, and some other vendors (Cisco) are using PEAP version 1.

    I would like to allow only PEAP version 0 in the RADIUS server.

    My question is, what are the RADIUS attributes for PEAP version 0 (how to match it)?
    Below is the logs from the RADIUS server:
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    Evaluating Service Selection Policy
    15004 Matched rule
    15012 Selected Access Service - 802.1X
    11507 Extracted EAP-Response/Identity
    12300 Prepared EAP-Request proposing PEAP with challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

    12319 Successfully negotiated PEAP version 1
    12800 Extracted first TLS record; TLS handshake started.
    12805 Extracted TLS ClientHello message.
    12806 Prepared TLS ServerHello message.
    12807 Prepared TLS Certificate message.
    12810 Prepared TLS ServerDone message.
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    11018 RADIUS is re-using an existing session
    12304 Extracted EAP-Response containing PEAP challenge-response
    12305 Prepared EAP-Request with another PEAP challenge
    11006 Returned RADIUS Access-Challenge
    11001 Received RADIUS Access-Request
    Thanks in advance.
    Regards,
    MKD

    DB:2.92:Peap Version 0 7x

    Hi,
    As you mentioned, within Cisco products, PEAPv0 supports EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports EAP-GTC and EAP-SIM. However, Microsoft only supports PEAPv0 and doesn't support any version of EAP-SIM. For detailed information about Microsoft PEAPv0, please check the following RFC document.
    Microsoft's PEAP version 0 (Implementation in Windows XP SP1)
    http://tools.ietf.org/html/draft-kamath-pppext-peapv0-00
    For more specific logs generated by ACS 5, I would recommend contacting Cisco for further support. Your understanding is highly appreciated.
    Best Regards,
    Aiden Cao
    TechNet Community Support

  • RELEVANCY SCORE 2.91

    DB:2.91:Peap Help jd



    Trying to make PEAP work. Using FreeRADIUS, AP1200 IOS and WinXP clients. Can't get anything working.

    DB:2.91:Peap Help jd


    You can check out the following options:

    1. On client side enable LEAP.

    When you enable LEAP, Data Encryption changes to Dynamic WEP; set Access Point authentication to Open.

    2. On AP.

    Enable Accept Authentication Type to Network EAP. Also check out the Use of Data Encryption by Station to Full Encryption.

    Configure RADIUS IP address and port on AP.

    You need to configure the shared key also.

    TACACS+ uses port no. 1645.

    3. On RADIUS server configure AP IP address and shared key.

  • RELEVANCY SCORE 2.91

    DB:2.91:Local Radius / Leap Only pm



    With a Cisco 1120, does the local radius server only support LEAP? Any way to get support for PEAP?

    Thanks,

    DB:2.91:Local Radius / Leap Only pm


    The "Local Authentication Server" is currently LEAP only.

  • RELEVANCY SCORE 2.91

    DB:2.91:Ipaq Peap Problem ca



    I have an Aironet 1200 using PEAP and using Funk steelbelted radius server to authenticate users.

    It's working well with the PCs but I get problems when I try to connect with an iPAQ.

    It says it has been authenticated correctly, but I get no IP address from the AP.

    I have tried different PDAs but I still get the same problem.


  • RELEVANCY SCORE 2.90

    DB:2.90:Windows Xp Built-In 802.1x Supplicant Problem kx



    Hi, we are deploying PEAP for wireless access. We had no problem getting this working with the laptop vendor's supplied wireless management software (which includes an 802.1x supplicant), but when I switch to Wireless Zero Configuration and let Windows XP manage wireless, the laptop cannot associate with wireless SSIDs. The back-end RADIUS server (MS IAS) log shows that the user (with AD credentials) is successfully authenticated, but the Windows XP supplicant seems not to receive the authentication success response from the RADIUS server, and keeps retrying and finally gives up. Any idea what is going on with the Windows XP dot1x supplicant? The laptop is running XP SP3.

    DB:2.90:Windows Xp Built-In 802.1x Supplicant Problem kx


    We had this issue and found that going to the Microsoft site and downloading the latest Digital Certificate Root Store.

    The current Microsoft Windows root store may be downloaded at:

    http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

  • RELEVANCY SCORE 2.90

    DB:2.90:Peap With Vista, Lhs 6001, And Linksys Wrt54g j8


    I am able to use PEAP from my Vista client when I configure my Linksys WRT54G to use "WPA2 Enterprise". I am pointing the Access Point to my Radius (NPS) on Longhorn, with shared secret. When I enable a policy and enforce NAP, my logs don't show much. I have enabled NAP and the wired autoconfig on my Vista client. I have installed the Health Registration Authority on my LHS. Is the problem here that my Linksys device is not NAP aware? It doesn't look like the right info is getting forwarded to the LHS. Help!

    Thanks!
    Byron

    Log:
    Log Name: System
    Source: NPS
    Date: 1/20/2007 3:38:29 PM
    Event ID: 7
    Task Category: None
    Level: Information
    Keywords: Classic
    User: N/A
    Computer: homer.simpson.local
    Description:
    Machine not present was given full access.
    OS-Version = not present
    Fully-Qualified-Machine-Name = undetermined
    Fully-Qualified-User-Name = simpson.local/Thompson Household/Laura Thompson
    NAS-IP-Address = 192.168.5.2
    NAS-IPv6-Address = not present
    NAS-Identifier = 0016b621ea7e
    Called-Station-Identifier = 0016b621ea7e
    Calling-Station-Identifier = 00c0a8bd0bc1
    Account-Session-Identifier = not present
    Proxy-Policy-Name = Use Windows authentication for all users
    Policy-Name = Wireless PEAP with no NAP Enforcement
    Quarantine-Session-Identifier = undetermined
    Quarantine-System-Health-Result = undetermined
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="NPS" />
        <EventID Qualifiers="16384">7</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2007-01-20T21:38:29.000Z" />
        <EventRecordID>13350</EventRecordID>
        <Channel>System</Channel>
        <Computer>homer.simpson.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>%%2147483686</Data>
        <Data>%%2147483686</Data>
        <Data>%%2147483685</Data>
        <Data>simpson.local/Thompson Household/Laura Thompson</Data>
        <Data>192.168.5.2</Data>
        <Data>%%2147483686</Data>
        <Data>0016b621ea7e</Data>
        <Data>0016b621ea7e</Data>
        <Data>00c0a8bd0bc1</Data>
        <Data>%%2147483686</Data>
        <Data>Use Windows authentication for all users</Data>
        <Data>Wireless PEAP with no NAP Enforcement</Data>
        <Data>%%2147483685</Data>
        <Data>%%2147483685</Data>
        <Binary>00000000</Binary>
      </EventData>
    </Event>

    DB:2.90:Peap With Vista, Lhs 6001, And Linksys Wrt54g j8

    Your AP need not be 'NAP aware' - it does not need to understand the NAP messages in order to enforce quarantine.
    The 'NAP messages' (e.g. the SOH and SOH response) are communicated back to the client via the PEAP tunnel.
    The AP/switch need only support some form of network selection - most commonly, we've used VLAN assignment to enforce isolation upon clients. So on the 'full access' policy, you assign the client to one VLAN (via profile settings handed to the AP/switch), and on the 'restricted' policy, you assign the client to another VLAN that has limited access to the rest of the network.
    The AP you are using may or may not support VLAN assignments...
    -Chris
    Chris.Edson@online.microsoft.com *SDET, Network Access Protection* Remove the "online" to make the address valid.

  • RELEVANCY SCORE 2.90

    DB:2.90:Dot1x Authentication Using Radius 2003 And Cat 6513 7f



    Hi,

    I have installed a new Radius server on 2003 enterprise edition and configured my cat 6513(cat OS) as radius client.

    When I test my radius server using Xp client, I get authentication failure log message and the client is not able to log on to the domain.

    I am using PEAP-MSCHAP-V2 as the authentication method. dot1x has been configured on the switchport where the XP client is connected.

    I cannot understand where the things are going wrong.

    Pls help

    DB:2.90:Dot1x Authentication Using Radius 2003 And Cat 6513 7f


    Hi,

    There was a remote access policy that was configured as Ethernet. When I removed that policy, I was able to log on. Here's the IAS log, which defines NAS-Port-Type = "not present", which I am not able to understand.

    User ITLINFOSYS\sagar_shetty was granted access.
    Fully-Qualified-User-Name = ad.infosys.com/IND/BLR/KEC/Users/GEN/Sagar Ramanna Shetty
    NAS-IP-Address = XX.YY.ZZ.AA
    NAS-Identifier =
    Client-Friendly-Name = B19_20 Radius Client
    Client-IP-Address = AA.BB.CC.DD
    Calling-Station-Identifier =
    NAS-Port-Type =
    NAS-Port =
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server =
    Policy-Name = Connections to Microsoft Routing and Remote Access server
    Authentication-Type = PEAP
    EAP-Type = Secured password (EAP-MSCHAP v2)

    regards

  • RELEVANCY SCORE 2.90

    DB:2.90:Error When Using Cloudessa Radius Server / Peap j1



    Hi,

    I am trying to use the external hosted RADIUS server http://cloudessa.com but I am getting "Error Untrusted Certificate" on the laptop.

    Can Aruba work with external RADIUS servers? I am setting the algorithm to PEAP with MSCHAP2.

    Also which version of PEAP is good 1.0 or 1.1?

    Thank you,

    Kamatchi

  • RELEVANCY SCORE 2.90

    DB:2.90:Wireless Policy Loses Settings kk


    What we have set up is this:

    Self SSL certificate made on server 03 pushed out by a GPO to clients.
    Radius server with shared secret with Meru APs.
    PEAP-WPA Mschapv2 security authentication all sent via GPO.

    What happens is, most of the time they work fine, then all of a sudden a few laptops will stop connecting when booted up and they need a policy refresh to log in. It's almost as if a GPO stops working for some reason.
    Cannot find any pattern in pc event viewer or on the RADIUS logs.
    Any help appreciated!

    DB:2.90:Wireless Policy Loses Settings kk

    Hi dawgerr,

    Your Windows question is more complex than what is typically answered in the Microsoft Answers forums. It is better suited for the IT Pro audience on TechNet. Please post your question in the TechNet forum.
    Link you may refer to:
    http://social.technet.microsoft.com/Forums/en/itproxpsp/threads

    Regards:
    Samhrutha G S - Microsoft Support.

  • RELEVANCY SCORE 2.90

    DB:2.90:Nanostation M2 Radius Doesn't Work. kp


    I've set my NanoStation M2 in Access Point mode. I want it to connect to my RADIUS server 10.0.10.18 port 1812 to get EAP-PEAP user authentication. I've set RADIUS IP 10.0.10.18, RADIUS PORT 1812 and Secret to testing123, as configured in the radius files. (I tried this on another access point and it does work, but I want to use this NanoStation.) When I try to connect to the AP I haven't got any sign of the AP connecting to RADIUS in the radius debug console. The Windows 7 client does have the error "System Windows cannot connect to network". I don't even have info about "additional authentication settings". It looks like my NanoStation doesn't even try to connect to my RADIUS server. What's going on? How to get this working? I want to create a big WLAN network using UniFi devices. But if it doesn't work with RADIUS and RADIUS per-user VLAN assignment I'm gonna be sad.


  • RELEVANCY SCORE 2.90

    DB:2.90:Windows 7 And Radius Auth Not Working 8m



    I have recently configured my 2008 Server to act as a Radius Server for the Aruba 620 Controlled Wireless network we are using. I am able to connect to the wireless using our Active Directory Credentials without any problem using iOS devices and Apple OSX devices, however I am unable to get Windows 7 devices to connect.

    The w7 computer is a fresh install, on either a Windows native machine, or the bootcamp Partition of a Macbook Pro that was connecting in OSX. When I try to connect on windows, the machine asks for the credentials, and then processes for a few seconds and then reports that "Windows was unable to connect to Faculty (SSID)"

    I tried running a Windows hotfix that is related to certification errors in W7 but that did nothing to solve the problem. I feel bad constantly coming to THIS forum for help because a lot of my issues with the RADIUS server end up being problems with my Win2008 configuration; however, TechNet is just too slow to respond. So those with experience in WinServer RADIUS config, I appreciate any help you could offer.

    I lack an in-depth understanding useful for effective diagnosis of the problem, but this is what I know:

    -The Wireless Controller is able to successfully authenticate via its Auth Diag
    -Apple devices are able to authenticate, and automatically re-authenticate as they re-enter network coverage.
    -Windows 7 devices SEE the network
    -Windows 7 devices get the AUTH request; they ask for Username and Password as credentials
    -The NPS Event Viewer in Server 2008 does not show any event associated with a failed authentication.
    -If I type a wrong password in intentionally, the NPS server does not log it; it's as though the message is blocked well before.
    -The Win2008 server is functionally using the Microsoft PEAP authentication type, with MS-CHAPv2 and MS-CHAP enabled.
    -The wireless is accessible only to those in the "Faculty" user group, and again, this works on OSX/iOS, but the same credentials fail in W7

    This is the thread in the TechNet forum that may have some other useful information, but I think I covered most of the same ground here already.

    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/83ffd300-0f6c-411a-9231-3a0aa7c40250

    Thanks in advance for any help you are able to render.

    Dave

    DB:2.90:Windows 7 And Radius Auth Not Working 8m

    Hi, I'm having the exact same issue here. Did you solve this and does anyone have any more additional information? Thanks.

  • RELEVANCY SCORE 2.90

    DB:2.90:Finding Out Root Cause For Ise 802.1x Failure ? 7a


    I am trying to get a MacBook up on our internal Wifi.

    For that, I create an XML file using iPhone Configuration Utility. Pretty straightforward. You tell it what SSID, PEAP, certs to use, then I import that file into the MacBook.

    Bottom line is it never matches my ISE rules, so I get the default Deny.

    This is the first attempt to get a Mac on this network. Windows machines are set up and working fine on the internal Wifi.

    I confirmed with the AD administrator that this machine name is in their system. As you can see, it authenticates to AD.

    So it appears that 802.1x is failing. How do I find out *exactly* why? I cannot tell if it is a cert issue, or something else.

    Any suggestions on finding the root cause?

    Thanks!

    From ISE, for my Mac's MAC address:

    [snip]

    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12302 : Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
    12319 : Successfully negotiated PEAP version 1
    12800 : Extracted first TLS record; TLS handshake started
    12805 : Extracted TLS ClientHello message
    12806 : Prepared TLS ServerHello message
    12807 : Prepared TLS Certificate message
    12810 : Prepared TLS ServerDone message
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12319 : Successfully negotiated PEAP version 1
    12812 : Extracted TLS ClientKeyExchange message
    12804 : Extracted TLS Finished message
    12801 : Prepared TLS ChangeCipherSpec message
    12802 : Prepared TLS Finished message
    12816 : TLS handshake succeeded
    12310 : PEAP full handshake finished successfully
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    12313 : PEAP inner method started
    11521 : Prepared EAP-Request/Identity for inner EAP method
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    11522 : Extracted EAP-Response/Identity for inner EAP method
    11806 : Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    11808 : Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
    15041 : Evaluating Identity Policy
    15006 : Matched Default Rule
    15013 : Selected Identity Source - AD-myconame
    24430 : Authenticating user against Active Directory
    24402 : User authentication against Active Directory succeeded
    22037 : Authentication Passed
    11824 : EAP-MSCHAP authentication attempt passed
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    11810 : Extracted EAP-Response for inner method containing MSCHAP challenge-response
    11814 : Inner EAP-MSCHAP authentication succeeded
    11519 : Prepared EAP-Success for inner EAP method
    12314 : PEAP inner method finished successfully
    12305 : Prepared EAP-Request with another PEAP challenge
    11006 : Returned RADIUS Access-Challenge
    11001 : Received RADIUS Access-Request
    11018 : RADIUS is re-using an existing session
    12304 : Extracted EAP-Response containing PEAP challenge-response
    24423 : ISE has not been able to confirm previous successful machine authentication for user in Active Directory
    15036 : Evaluating Authorization Policy
    24432 : Looking up user in Active Directory - myfirstname.mylastname
    24416 : User's Groups retrieval from Active Directory succeeded
    15048 : Queried PIP
    15048 : Queried PIP
    15048 : Queried PIP
    15048 : Queried PIP
    15048 : Queried PIP
    15004 : Matched rule - Default
    15016 : Selected Authorization Profile - DenyAccess
    15039 : Rejected per authorization profile
    12306 : PEAP authentication succeeded
    11503 : Prepared EAP-Success
    11003 : Returned RADIUS Access-Reject

    DB:2.90:Finding Out Root Cause For Ise 802.1x Failure ? 7a


    Thanks for taking the time to come back and share the solution to the problem (+5 from me). Can you also share the bug ID that you were hitting?

    Also, you should mark the thread as "Answered" if your issue is resolved :)
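The step list quoted in this thread ends with a successful inner EAP-MSCHAPv2 exchange and an EAP-Success inside the tunnel, followed by an outer RADIUS Access-Reject. That pattern is an authorization-policy denial, not a credential failure, and it is easy to misread when the steps are pasted on one line. As an added example that is not code from the thread, the Python below parses an ISE step list (flattened or one per line) and reports that split. The sample is the tail of the log from the post; the 11002 code for Access-Accept and the reading of step 24423 as a machine-access-restriction miss are my assumptions, not something the post states.

```python
import re

# Step codes as they appear in the ISE step list quoted in the post. 11002 (Access-Accept)
# is not in that log and is assumed here from the same message series.
AUTH_OK = {"22037", "24402", "11814"}       # credentials verified by the identity store
MAR_UNCONFIRMED = {"24423"}                # no earlier machine authentication on record
AUTHZ_PROFILE = "15016"                    # "Selected Authorization Profile - <name>"
AUTHZ_REJECT = {"15039"}                   # rejected per authorization profile
FINAL = {"11002": "Access-Accept", "11003": "Access-Reject"}

# A step is "NNNNN : message" or "NNNNN  message"; the list is often pasted on one line,
# so the message runs until the next five-digit code (heuristic: a 5-digit number inside a
# message would split it).
STEP_RE = re.compile(r"(\d{5})\s*:?\s+(.*?)(?=\s+\d{5}\s*:?\s+|\Z)")


def parse_steps(text):
    """Return [(code, message), ...] from an ISE step list, flattened or one per line."""
    flat = " ".join(text.split())
    return [(m.group(1), m.group(2).strip()) for m in STEP_RE.finditer(flat)]


def diagnose(steps):
    """Separate 'who are you' (authentication) from 'what may you do' (authorization)."""
    codes = set(c for c, _ in steps)
    last = steps[-1][0] if steps else None
    profile = next((m.split(" - ", 1)[-1] for c, m in steps if c == AUTHZ_PROFILE), None)
    report = {
        "authentication_passed": bool(AUTH_OK & codes),
        "machine_auth_confirmed": not (MAR_UNCONFIRMED & codes),
        "authorization_profile": profile,
        "rejected_by_authorization": bool(AUTHZ_REJECT & codes),
        "radius_result": FINAL.get(last, "unknown"),
    }
    if report["authentication_passed"] and report["rejected_by_authorization"]:
        verdict = "credentials accepted; authorization policy selected %s" % profile
        if not report["machine_auth_confirmed"]:
            verdict += (" because no earlier machine authentication is recorded for this user"
                        " (machine access restriction), so only the Default rule matched")
    elif not report["authentication_passed"]:
        verdict = "authentication did not pass; start from the first failing step"
    else:
        verdict = "authenticated and authorized"
    report["verdict"] = verdict
    return report


# Tail of the step list from the post above (taken from the page, not constructed).
SAMPLE_STEPS = """
24430 : Authenticating user against Active Directory
24402 : User authentication against Active Directory succeeded
22037 : Authentication Passed
11824 : EAP-MSCHAP authentication attempt passed
11814 : Inner EAP-MSCHAP authentication succeeded
11519 : Prepared EAP-Success for inner EAP method
12314 : PEAP inner method finished successfully
24423 : ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15036 : Evaluating Authorization Policy
24416 : User's Groups retrieval from Active Directory succeeded
15048 : Queried PIP
15004 : Matched rule - Default
15016 : Selected Authorization Profile - DenyAccess
15039 : Rejected per authorization profile
12306 : PEAP authentication succeeded
11503 : Prepared EAP-Success
11003 : Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    for key, value in diagnose(parse_steps(SAMPLE_STEPS)).items():
        print("%-26s %s" % (key, value))
```

The verdict for the sample is the one the thread reached: the user's password was fine, the authorization rule that needed a prior machine authentication did not match, and the Default rule handed out DenyAccess. When the authentication steps themselves fail, the first failing step code is the thing to look up instead.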

  • RELEVANCY SCORE 2.90

    DB:2.90:Xp Clients Failing To Run Startup Scripts Because Wireless Radius Nps Server Connects After Login 1k


    Hi,

    Sorry sent from my phone so the body of text didn't attach.

    We have set up a RADIUS server using NPS and PEAP to connect our wireless laptops. Windows 7 machines connect fine but the XP clients often on logon do not run the startup scripts or set up the shares (throwing up a not available error). Often when it does this the wireless connection is down but reconnects shortly after.

    My question is how can we stop the wireless connection from dropping out so that the startup scripts etc. run without issue? Is there a way to ensure the laptop is connected when the user is not connected (sometimes when logging in we receive the 'domain not available' error but shortly after can log in as normal without reboot)?

    Our current setup is:
    Server 2008 running NPS server
    1 AP running RADIUS with WPA2 (TKIP and AES)
    The wireless settings are sent out via GPO in the wireless security settings

    XP GPO settings
    EAP type - PEAP
    Auth Mode - User Transmit (Seemed a bit flaky with user or computer)
    Authenticate as computer when info... checked
    XP seems to work best with the 'authenticate as guest' enabled.

    Any ideas,
    Thanks,
    Jon

    DB:2.90:Xp Clients Failing To Run Startup Scripts Because Wireless Radius Nps Server Connects After Login 1k

    Hi Andy,

    Sorry for the delayed response, we were trying a couple of other solutions. The address you posted sounds like the same problem but we've tried all of the solutions mentioned.

    Does anyone have a really clear tutorial for setting up wireless RADIUS on server 2008 for XP so that we can check our settings. It's frustrating how it works fine for Win 7 but is so temperamental on XP!

    Thanks in advance,
    Jon

  • RELEVANCY SCORE 2.89

    DB:2.89:Web Auth With , Intenal Web Page Of Wlc And Ise As Radius Server k8



    Hi All ,

    We have created a SSID as web auth with internal web page for login . In advanced tab we configured AAA server.  AD is integrated with ISE .

    When the user tries to connect, he gets the redirect URL. But during the authentication, we are getting an error in ISE as

    "ise has problems communicating with active directory  using its machine credentials "  and authentication getting failed .

    When we have the L2 security mechanism enabled with PEAP, ISE is able to read the AD and provide authentication.

    Only for L3 web auth it is not happening..

    Any clue on this ..???

    Thanks,

    Regards,

    Vijay.

    DB:2.89:Web Auth With , Intenal Web Page Of Wlc And Ise As Radius Server k8


    Machine credentials require a lookup on the computer OU and that has to be defined on the client side.

    Thanks, Scott

  • RELEVANCY SCORE 2.87

    DB:2.87:Aruba Instant Nps 2008 R2 Error jj



    Hi,

    I'm trying to set up RADIUS authentication with my Aruba Instant setup.

    I set up the clients on the NPS server (I've done this before).

    I have it set up the exact same as I did at another customer.

    Termination off, added a group for users and domain computers to be allowed in the policy,

    ignoring dial-in rule.

    However, when a client tries to connect they are prompted for credentials (they shouldn't be, because the computer account is allowed) and when they type them in it doesn't work.

    Error is attached.

    I have PEAP authentication type enabled.

    I noticed the authentication type is EAP in the error,

    when in my other organization the successful authentication type is PEAP.

    Attachments: eap error.png (12 KB)

    DB:2.87:Aruba Instant Nps 2008 R2 Error jj


    Did you issue a server certificate for your NPS server?




    Colin Joseph, Aruba Customer Engineering

  • RELEVANCY SCORE 2.87

    DB:2.87:Checkpoint Vpn + Ms-Peap = Bsod df



    We're just beginning to test wireless and wanted to use MS-PEAP as the authentication method. Unfortunately we found that when we enabled PEAP on the adapter (Centrino on IBM laptop w/ WinXP SP1) we got the dreaded Blue Screen of Death. It blue screens on boot too but you can go into safe mode and disable the Checkpoint VPN client (installed and running by default) and it will boot and work.

    Has anyone else seen this? Our security folks are going to Checkpoint but haven't been very speedy about it.

    Thanks

    -- Dave


  • RELEVANCY SCORE 2.87

    DB:2.87:Radius Issue 1j



    I am receiving tons of this messages:

    %DOT1X-4-INVALID_MSG_TYPE: authlib.c:86 Invalid message type 9 received from AAA

    i did debug my radius server (freeradius) and show nothing about "message type 9"

    Someone with the same issue?

    We have 60 Cisco LWAP APs, and PEAP authenticated clients via FreeRADIUS + Active Directory

    Everything working great but this message it is constant and flooding

    Thank you in advance

    DB:2.87:Radius Issue 1j


    Hmmm, I don't think it is a shared key; it has got to be something with the FreeRADIUS, it seems to be sending something else that might not be needed...

    Do a packet capture of the RADIUS packets, and compare it with RADIUS packets from an IAS.

  • RELEVANCY SCORE 2.87

    DB:2.87:Acs 3.3(1) Build 16 Problem - Csradius Service 7z



    We are in the process of setting up a wireless network using ACS 3.3(1) and Cisco 1200 Access Points. The access points have several SSIDs configured, each on its own VLAN. Two of the SSIDs are used by XP SP2 clients to log on to a Windows 2003 Active Directory Domain using RADIUS and PEAP Authentication. Another SSID is used for LEAP to provide network access to PDAs running Windows Mobile 2003/Windows Mobile 5. Unknown user policy is configured to use the external Windows Database.

    90% of the time everything is working perfectly, the XP Clients are connecting using PEAP machine authentication at boot up and user authentication after logon to the domain. The PDA’s also connect with no problem.

    However, every couple of hours we are finding that authentication stops working. The clients (XP and PDA) cannot associate with the access points and we have identified the CSRadius service as the problem. To get things going again we have to restart the CSRadius service (which at the point of failure is using 50% of the CPU cycles). We have enabled full logging and having monitored the logs over the last couple of weeks (especially the CSAuth and CSRadius logs) we can find no standout problems.

    Our current config consists of:

    ACS 3.3(1) Build 16 running on Windows Server 2003 (no SP or Patches installed)

    Cisco AP’s 1200 Series with firmware 12.3.8

    10 x XP SP2 Clients (Hotfix KB885453 installed) using Intel 2200BG/Atheros Wireless Adapters with PEAP on Windows Wireless Zero Config

    25 x Dell Axim X50/X51 PDA’s using LEAP on Funk Odyssey client

    PEAP Settings:

    ACS self-generated Certificate

    EAP-MSCHAPv2 Enabled

    EAP-GTC Disabled

    Fast Reconnect Disabled

    Machine Authentication Enabled – Aging time 12 hours, No Access for unsuccessful machine authentication

    Does anyone have any suggestions where we may be going wrong?

    DB:2.87:Acs 3.3(1) Build 16 Problem - Csradius Service 7z


    If you're getting exceptions in the Radius extension point handler you DEFINITELY need to contact the TAC.

    An exception is basically like a GPF (aka crash), only it's been caught and logged.

    These are serious and need to be escalated to ACS dev.

    Darran

  • RELEVANCY SCORE 2.87

    DB:2.87:Radius Configuration For 802.1x On Radiator ms



    Greetings:

    We are using Radiator 3.16 (http://www.open.com.au/radiator/) as our Radius server. Its working fine for VPN authentication.

    We're trying to use 802.1X on our wireless network. Does anyone have a Radiator config for using EAP-PEAP? We can't seem to figure the Radiator part out.

    Thanks.

    DB:2.87:Radius Configuration For 802.1x On Radiator ms


    The IEEE 802.1x standard defines a client-server-based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.Refer URL

    http://www.cisco.com/en/US/partner/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00805a64d7.html#wp1205506

  • RELEVANCY SCORE 2.86

    DB:2.86:Understanding Flexconnect - Local Vs Central Switching, And Wlc Failover Scenario ?? fj



    Hello Experts

    We have one WLC 5508 in Building1, a few 2700 Series APs in Building1, and one 1252AG in Building2. The LAN subnet is the same for both Buildings, connected via a dark fiber.

    My requirement is to have Central Switching in Building1 since the WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic; for both Buildings we already have one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)

     

    Questions:

    1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.

    2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?

    3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?

    4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?

     

    Thanks.

    DB:2.86:Understanding Flexconnect - Local Vs Central Switching, And Wlc Failover Scenario ?? fj


    Hi

    The LAN subnet is same for both Buildings connected via a dark fiber.

    If this is the case there is no need of FlexConnet, as you have enough bandwidth same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.

    Anyway if you want to do this here is the answer for your specific queries.

    1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.

    You can have both local switching and central switching available for a given SSID. Only FlexConnect mode APs will do local switching; all Local mode APs will do central switching, though both use the same SSID.

    2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?

    No, if it is a central switching SSID, when the WLC is not available clients won't be able to join this SSID. It does not fall back to Local switching.

    3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?

    This is applicable only to FlexConnect mode APs; it always does local switching if that is configured. If the WLC is not reachable the AP will go into "standalone mode" and still do local switching.

    4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?

    Yes, when this option is configured and the WLC is not reachable (but RADIUS is reachable), the AP will act as Authenticator and pass RADIUS messages to the Auth Server directly.

    This is a very good Ciscolive presentation you should see, as it describes lots of these features and which WLC codes introduced them.

    BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless

     

    HTH

    Rasika


  • RELEVANCY SCORE 2.86

    DB:2.86:Not Able To Connect To Peap-Mschapv2 7m


    I am not sure if this has been asked before. But anyway, here goes: Our Corporate Wireless is an EAP with PEAP-MSCHAPv2. The authentication is from a Windows Server 2008. This server presents the Server Cert which is signed by our Corporate CA. We have a GP which pushes the CA as Trusted CA to all our clients. We have a GP which also pushes the Server Cert as valid Cert to all the clients. Recently our Server Cert expired. We did not realize that it expired so did not Revoke the old Server Cert. We created another Cert, signed from our CA, and then started using that as our Server Cert for Radius Authentication. When clients are connecting to the Wireless, the only way we can make it work is to disable Validate server certificate, connect to wireless, then enable it again. This time it will pop up a window stating that additional information about the certificate is required. We click on Connect (the other button being Terminate) and we can connect. This works well until we restart the computer. When the computer is restarted, the wireless stops working and we get the message on our clients stating the wireless could not be authenticated. Putting the computer to Sleep or disconnecting and connecting to some other wireless network all works fine, as long as Validate server certificate has once been disabled and enabled. We have tried deleting the certificate and wireless profile from the client certificate store. But that does not help either.

    DB:2.86:Not Able To Connect To Peap-Mschapv2 7m

    There is no need to push the server cert to your client computers; only the cert of the CA must be in the trusted root. When a wireless client connects to the network, the NPS presents this cert to the client, which the wireless client will use to create the PEAP tunnel, and the wireless client must have access to the CRL/OCSP to verify the cert of the NPS.

    Johan Loos, CISSP, MCT, ISO 27001 and others

  • RELEVANCY SCORE 2.85

    DB:2.85:Ipad Wireless Connection 93


    Hi, I am using an iPad and trying to connect to the corporate Wireless network. The Corporate Radius server is configured for Certificate based authentication. I have installed the user cert in the iPad but when trying to connect it is saying wrong credentials. I have checked the logs of the RADIUS server and it is saying that a wrong authentication method was used. The same user cert is working in Laptops. The iPad is not added to any domain. I need to configure PEAP with Certificate authentication in the iPad. Please suggest.


  • RELEVANCY SCORE 2.85

    DB:2.85:802.1x Authentication Issues da



    I have a c2969-48PST-L switch running IOS Version 12.2(55) SE. The switch is configured for 802.1x authentication. The radius server is a Cisco ACS 5.2. We are using PEAP and allowing EAP-TLS and EAP-MS-CHAPv2. Windows 7 PCs (HP Elitebooks) are using the "windows" supplicant and are configured so that 802.1x authentication is enabled using Microsoft Protected EAP (PEAP); we are not validating any certificates and the authentication method is Secured password (EAP-MSCHAP v2). What is occurring every so often is that the PC will fail authentication (intermittently) and the ACS shows the reason as being 5411 EAP session timeout. This is a pretty generic message according to TAC.

    The interesting part to me is the Authentication Method showing on the ACS when the authentication fails is simply PEAP. However, when it does not fail the Authentication Method is shown as PEAP (EAP-MSCHAPv2). We have the Cisco TAC looking at the ACS and they are saying the issue is the client not responding to the request correctly from the switch.

    However, I am wondering if the version of IOS software on the switch may not be handling the communication to the ACS correctly.

    I have wireshark traces of a successful authentication and an unsuccessful one. There doesn't seem to be any difference from the client side at all.

    Can anyone shed any light on this?

    Thanks,

    Doug

    DB:2.85:802.1x Authentication Issues da


    I'm having the exact same issue. Were you able to get any answers from cisco TAC?

    Thanks

    A.Z.

  • RELEVANCY SCORE 2.85

    DB:2.85:Eap-Tls With Certificate, Nps And Client Not Connecting d8


    Hello,
    I am trying to put WPA-Enterprise security on my wireless network. In my environment, all the wireless users are Domain users and there will be no Mobile Phones. Now at first I started with PEAP Authentication and that worked for me. I was using Server 2008 Root CA, NPS as radius server and different clients including Windows 7, XP, 2003, 2008.
    When I enabled PEAP authentication, clients used to ask for domain username and password; once the username and password were entered, all the different clients were getting connected with my WPA-Enterprise wireless enabled.
    Then I used certificate-based authentication, that is EAP-TLS. So when I changed my Network Policies in NPS to accept EAP-TLS by selecting the Smart card or other certificate option for authentication, and made the respective changes on the client side, my wireless is no longer working with the new settings.
    I found that EAP-TLS requires a user certificate on the client side to authenticate the user and a computer certificate on the NPS server. The NPS server already has the computer certificate, and then I issued a user certificate and imported it to the client under Trusted Root Authority; it didn't work either.
    I have imported the certificate to the client but it is still showing the error "A certificate is required to connect to SSID, contact your network administrator".
    Can anybody tell me a simple way to authenticate wireless clients using certificates? I am ready to import the certificates to the clients manually.

    DB:2.85:Eap-Tls With Certificate, Nps And Client Not Connecting d8

    Hi Steven,
    Thanks, your last link worked and I have created the profile again. It's now working fine. I will test with a Windows XP client as well and then replicate the changes on the live environment.
    thanks once again

  • RELEVANCY SCORE 2.85

    DB:2.85:Certification With Ise sf



    Hi, all

    I have weird experience with certification with ISE.

    I was using ACS 5.1 with local certification, and I imported it to ISE 1.1.2.

    in WLC, SSID with ACS as radius server is working as well as ISE as radius server except few laptops.

    these laptops are able to use SSID with ACS as radius server but not SSID with ISE as radius server.

    we are using PEAP authentication..

    I don't know how much make it sense.... but I could not find the reason...

    can anybody help with that ?                  

    Thank you..

    DB:2.85:Certification With Ise sf


    Please review the below link which might be helpful:

    http://www.cisco.com/image/gif/paws/113476/wireless-byod-ise-00.pdf

    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_man_cert.pdf

    http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise10_client_prov.pdf

  • RELEVANCY SCORE 2.85

    DB:2.85:Multiple Eap Certificates In Acs 5.2 mp



    I want to use multiple cert (enterprise certs and verisign cert) for authentication in wireless.Users that have their computer in the domain should use EAP-TLS and PEAP (verisign) are for users in the domain but on non-domain computers.

    I can only enable one certificate in system adminstration-local server certificates- local certificates to use EAP.

    I have installed both enterprise and verisign cert in the CA store in User and Identy store and enbled the enterprise cert for EAP-TLS.

    The EAP-TLS connection works fine when the enterprise cert is enabled for EAP (in local certificates) but PEAP does not. If I enable EAP on the verisign cert in local certificates, the enterprise cert gets EAP disabled and that authentication stops working and PEAP starts working.

    Is the ACS5.2 only able to have one certificate enabled at the time for EAP?

    DB:2.85:Multiple Eap Certificates In Acs 5.2 mp


    Yes, exactly the guide i was referring to.

    In a distributed environment the ISE server that gets the RADIUS request from your switch/wireless controller will send its own EAP certificate to the client. You need a unique fqdn for each ISE server, otherwise you won't be able to join them together. The server's fqdn (hostname.domainname) should also be the CN in your cert request, and the first entry in your SAN attributes.

    So lets say you had two ISE servers :

    Server 1 :

    FQDN : gateway1.customer.publicdomain.com

    SAN DNS.1 : gateway1.customer.publicdomain.com

    SAN DNS.2 : internalname1.internaldom.local

    Server 2

    FQDN : gateway2.customer.publicdomain.com

    SAN DNS.1 : gateway2.customer.publicdomain.com

    SAN DNS.2 : internalname2.internaldom.local

    My own openssl template looks like this:

    [ req ]
    default_bits        = 2048
    default_keyfile     = newkey.pem
    distinguished_name  = req_distinguished_name
    req_extensions      = req_ext

    [ req_distinguished_name ]
    commonName             = Common Name (eg, YOUR name)
    commonName_max         = 100
    stateOrProvinceName    = State (ST=)
    localityName           = Locality (L=)
    organizationName       = Orgname (O=)
    organizationalUnitName = Orgname (OU=)
    countryName            = Country (C=)

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = gateway1.publicdomain.com
    DNS.2 = ise01.internaldom.local
    ......

    Also you could add names for the sponsor portal, and mydevices here in the alt_names section if you wish, this will allow you to use a simpler url for guest sponsors and device registration.

    With regards to licenses, i think you will get a different serial number if you reinstall ISE. So always keep a VM backup once you installed your licenses.

    Hope this clears it up for you

  • RELEVANCY SCORE 2.85

    DB:2.85:Client Intel Card Rejecting 802.1x Auth Or Config Issue? kk



    I'm trying to configure the controller to allow clients to connect via WPA/TKIP w/ 802.1x through Steel Belted Radius. I created a WLAN with WPA/TKIP and 802.1x and also added my external radius server on there. The radius server checks with an external LDAP server to verify user names and passwords. I have it set to use PEAP and MS-CHAP v2. I believe I configured my client correctly as well. When I try to authenticate on an Intel 1200 or 3945 it does not work.

    I checked the logs and the radius server is passing ldap auth success to the controller. The logs from the controller state:

    Jun 18 15:37:38 cont-01**** CONT-01: *Jun 18 15:37:58.545: %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

    I tried doing an open ssid and I can connect, i tried wpa/wpa2 psk and I can connect. I only have issues when using 802.1x. I need to find a way to have users connect to the wireless to authenticate through radius/ldap. I went through a lot of configs and cisco docs and can't figure out if I'm missing something. I opened a TAC case and they said it's a vendor card issue. Any help would be greatly appreciated.

    DB:2.85:Client Intel Card Rejecting 802.1x Auth Or Config Issue? kk


    I was able to authenticate via local eap (peap) through that wlan. I opened a case with Juniper and everything is set fine on my side and it sends the accept response to the controller but authentication on the controller does not happen. One thing I noticed on the radius server was once I had it authenticate through EAP only on the radius server authentication was instantly rejected by the controller. Usually it just times out. I don't know if this is an Intel issue like tac claims or what.

  • RELEVANCY SCORE 2.85

    DB:2.85:Captive Portal Uses Pap Instead Of Peap For Radius? 9z



    Hello -

    I am working on configuring a captive portal setup for our network.

    I find that when I assign the Radius servers as the authentication method for the captive portal authentication keeps failing. Looking at my Radius logs, I find this:

    ------------

    Authentication Details:
    Proxy Policy Name: Use Windows authentication for all users
    Network Policy Name: FacStaff Dot1x Wireless (Offices Net)
    Authentication Provider: Windows
    Authentication Server: sturgeon.evergreen.edu
    Authentication Type: PAP
    EAP Type: -
    Account Session Identifier: -
    Reason Code: 66
    Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.

    ------------

    However, I can log in just fine to the management web UI, using the exact same AAA profiles / servers. When I review the logs for my login on the management UI, it shows this:

    -----------

    Authentication Details:
    Proxy Policy Name: Use Windows authentication for all users
    Network Policy Name: FacStaff Dot1x Wireless (Offices Net)
    Authentication Provider: Windows
    Authentication Server: sturgeon.evergreen.edu
    Authentication Type: PEAP
    EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)
    Account Session Identifier: -

    -----------

    Is this by design? Or am I missing something? I understand that normally PEAP would be used to encapsulate the request and pass it through to the radius server, but if the Web UI is able to that, why can't the captive portal? Or perhaps the question is why *won't* the captive portal?

    DB:2.85:Captive Portal Uses Pap Instead Of Peap For Radius? 9z


    Thank you Colin.

    But, is the communication between wireless controller and Radius server in clear text?
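The follow-up question (is the controller-to-RADIUS leg clear text?) and the earlier FreeRADIUS thread's advice to compare packet captures both come down to what a RADIUS Access-Request actually protects. As an added example, not code from either thread, the Python below builds the kind of PAP request a captive portal sends to NPS, shows that the User-Password attribute is only MD5-obfuscated under the shared secret (RFC 2865 section 5.2), so anyone holding a capture and the secret recovers the password, and verifies the Message-Authenticator (RFC 3579 section 3.2) that any capture comparison should include. The shared secret, user name, password and request authenticator are constructed for the example.

```python
import hashlib
import hmac
import struct

# RADIUS constants (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(atype, value):
    """Type-Length-Value encoding; Length covers the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode(blob, secret, authenticator):
    """Anyone holding the shared secret and the packet can invert pap_encode."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")   # strips padding (and any real trailing NULs)


def build_access_request(ident, authenticator, secret, attrs):
    """Access-Request with the given attributes plus a Message-Authenticator (RFC 3579 3.2)."""
    body = b"".join(attr(t, v) for t, v in attrs) + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()   # computed over the zeroed value
    return header + body[:-16] + mac


def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 over the packet with the Message-Authenticator value zeroed."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = parse_attrs(packet[20:])
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    zeroed = packet[:20] + b"".join(
        attr(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, macs[0])


def recover_pap_password(packet, secret):
    """What a passive observer with the shared secret sees in a PAP Access-Request."""
    authenticator = packet[4:20]
    for t, v in parse_attrs(packet[20:]):
        if t == ATTR_USER_PASSWORD:
            return pap_decode(v, secret, authenticator)
    raise ValueError("no User-Password attribute")


# Constructed sample: a captive-portal style PAP request (not a real capture).
SECRET = b"testing123"
REQUEST_AUTHENTICATOR = bytes(range(16))      # a real NAS uses 16 random bytes
SAMPLE_REQUEST = build_access_request(
    7, REQUEST_AUTHENTICATOR, SECRET,
    [(ATTR_USER_NAME, b"alice"),
     (ATTR_USER_PASSWORD, pap_encode(b"hunter2", SECRET, REQUEST_AUTHENTICATOR))])

if __name__ == "__main__":
    print("Message-Authenticator valid:", verify_message_authenticator(SAMPLE_REQUEST, SECRET))
    print("password visible to secret holder:", recover_pap_password(SAMPLE_REQUEST, SECRET))
```

So the answer to the question is: not clear text, but only as strong as the shared secret and MD5, which is why RADIUS between a controller and its server belongs on a management network or inside IPsec, and why PEAP matters on the air side where no shared secret exists. When comparing captures from two RADIUS servers, a request whose Message-Authenticator fails this check (or is missing) is the first thing to flag.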

  • RELEVANCY SCORE 2.85

    DB:2.85:Radius Domain Controllers Certificate s1


    Hi All,
    I have configured 802.1x authentication for a university eduroam system, which is working fine. The service has 2 2008 R2 NPS radius servers at the front end, which then forward requests to NPS-enabled domain controllers configured in remote radius server groups. The 4 domain controllers each have a certificate installed with their name in the subject, and the company's DNS name in subject alternative name. The problem is the clients that download the certificate see the name of the domain controllers if they inspect the certificate. I want to advertise a service name like radius.contoso.com, instead of using the domain controllers' names, but I am unsure how to achieve this. We are authenticating using PEAP with EAP-MSCHAPV2.
    Any help would be much appreciated. I am a registered professional TechNet user.

    Regards, PowerShell90

    DB:2.85:Radius Domain Controllers Certificate s1

    Hi Annie,
    Thank you very much for all your help. The TechNet subscription is worth every penny.

    Regards, PowerShell90
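The three certificate threads above (the expired NPS certificate, the ISE openssl template with the FQDN as CN and first SAN, and this one about domain controller names showing in the certificate) all come down to the same decision the supplicant makes before it sends any credential into the PEAP tunnel: is the RADIUS server's certificate chained to a trusted CA, within its validity dates, and does one of its names match the server name the client was told to expect. As an added example, not code from any of those posts, the Python below makes that decision over constructed certificate summaries. The matching policy (SAN DNS entries first, subject CN only when there is no SAN) and the contoso.com names and dates are my assumptions; real supplicants differ in detail, and a real deployment would feed this from a parsed X.509 object.

```python
from datetime import datetime, timezone


def hostname_matches(pattern, host):
    """Exact DNS match, or one wildcard in the left-most label only ("*.contoso.com")."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def presented_names(cert):
    """Names the client compares with its configured server list: SAN DNS entries,
    falling back to the subject CN only when there is no SAN (assumed policy)."""
    sans = list(cert.get("san_dns", []))
    if sans:
        return sans
    return [cert["cn"]] if cert.get("cn") else []


def evaluate_server_cert(cert, expected_servers, trusted_issuers, now):
    """Return the reasons a PEAP/EAP-TLS supplicant would refuse this server certificate."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("issuer %s is not a trusted CA on the client" % cert["issuer"])
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity period (not_after %s)" % cert["not_after"].date())
    names = presented_names(cert)
    if not any(hostname_matches(n, s) for n in names for s in expected_servers):
        problems.append("none of %s matches the expected server names %s"
                        % (names, list(expected_servers)))
    eku = cert.get("eku")
    if eku is not None and "serverAuth" not in eku:
        problems.append("missing Server Authentication EKU")
    return problems


UTC = timezone.utc
TRUSTED_ISSUERS = {"CN=Contoso Root CA"}

# Constructed certificate summaries (the fields a parser would pull out of the real
# X.509 objects); the names and dates are made up for this example.
DC_CERT = {   # a domain controller's certificate with the service name added as a SAN
    "cn": "dc1.contoso.com",
    "san_dns": ["dc1.contoso.com", "radius.contoso.com"],
    "issuer": "CN=Contoso Root CA",
    "eku": ["serverAuth", "clientAuth"],
    "not_before": datetime(2013, 1, 1, tzinfo=UTC),
    "not_after": datetime(2015, 1, 1, tzinfo=UTC),
}
EXPIRED_NPS_CERT = {   # the situation in the expired-certificate thread
    "cn": "nps.contoso.com",
    "san_dns": ["nps.contoso.com"],
    "issuer": "CN=Contoso Root CA",
    "eku": ["serverAuth"],
    "not_before": datetime(2012, 1, 1, tzinfo=UTC),
    "not_after": datetime(2013, 12, 31, tzinfo=UTC),
}

if __name__ == "__main__":
    now = datetime(2014, 3, 1, tzinfo=UTC)
    for label, cert in (("DC cert", DC_CERT), ("expired NPS cert", EXPIRED_NPS_CERT)):
        print(label, evaluate_server_cert(cert, ["radius.contoso.com"], TRUSTED_ISSUERS, now) or "OK")
```

Under this policy the DC certificate is accepted by a client configured to expect radius.contoso.com, even though its subject names the domain controller, which is the shape of answer the question above is after; the expired certificate is refused for its dates alone, which is why "disable validate server certificate" made the earlier thread's clients connect and why that workaround throws away the only thing protecting the user's password from a rogue access point.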

  • RELEVANCY SCORE 2.84

    DB:2.84:Mac Peap Auth Problems f7



    Hi everybody, Has anybody had problems authenticating Mac PEAP clients ? We have sniffed the exchange over the air and see that the WiSm sends an access accept message to the client, but the subsequent EAPOL key exchange fails. We are using the "Radiator" radius package. Windows/Linux PEAP works fine.

    Thanx

    DB:2.84:Mac Peap Auth Problems f7


    This might be due to incompatibility between the client and the Radiator Radius server. You can try upgrading the Client software.

  • RELEVANCY SCORE 2.84

    DB:2.84:Cisco 1200 And Peap 98



    I'm setting up a WLAN using Cisco 1200 access points. I'm using Cisco ACS 3.3 for 802.1x Radius authentication and authenticating using Active Directory.

    I have a Cisco Aironet CB21AG client adapter working perfectly with LEAP and no authentication. I cannot get it to work with PEAP. I have followed the Cisco Secure ACS for Windows v3.2 With PEAP-MS-CHAPv2 Machine that is posted in the documentation page in the 1200 APs. I have the certificate installed on both the server and pc but I keep on getting the following error message in ACS.

    EAP-TLS or PEAP authentication failed during SSL handshake

    Any ideas?

    DB:2.84:Cisco 1200 And Peap 98


    This is a well known bug for CB21AG. The bug ID is CSCee06008. If you use XP, you can install driver only and use the Microsoft supplicant (i.e. Wireless Zero Configuration).

  • RELEVANCY SCORE 2.84

    DB:2.84:Eap-Tls And Ise 1.1 With Ad Certificates 8j



    Hello,

    I am trying to configure EAP-TLS authentication with AD certificates.

    All ISE servers are joined to AD

    I have the root certificate from the CA to Activie Directory installed on the ISE servers

    I created the certificate authentication profile using the root certificate

    I have PEAP\EAP-TLS enabled as my allowed protocol

    I am getting the following error for authentication:

    "11507  Extracted EAP-Response/Identity

    12500  Prepared EAP-Request proposing EAP-TLS with challenge

    11006  Returned RADIUS Access-Challenge

    11001  Received RADIUS Access-Request

    11018  RADIUS is re-using an existing session

    12301  Extracted EAP-Response/NAK requesting to use PEAP instead

    12300  Prepared EAP-Request proposing PEAP with challenge

    11006  Returned RADIUS Access-Challenge

    11001  Received RADIUS Access-Request

    11018  RADIUS is re-using an existing session

    12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

    12318  Successfully negotiated PEAP version 0

    12800  Extracted first TLS record; TLS handshake started

    12805  Extracted TLS ClientHello message

    12814  Prepared TLS Alert message

    12817  TLS handshake failed

    12309  PEAP handshake failed"

    I have self-signed certificates on the ISE servers – do they need to be signed by the same CA as the client?

    Any other issues I am missing?

    Thanks,
    Michael Wynston, Senior Solutions Architect, CCIE# 5449, E-Plus
    http://www.eplus.com

    DB:2.84:Eap-Tls And Ise 1.1 With Ad Certificates 8j


    Please review the below link which might be helpful :

    http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_60_byod_certificates.pdf

    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.pdf
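    The step log quoted in the question above can be read mechanically. The Python below is an added example, not code from the post, from Cisco or from ISE: it parses the five-digit ISE step codes, records which EAP method the server proposed, the client's NAK to PEAP, and at which TLS message the outer handshake stopped. The step text is a constructed copy of the lines in the question; the diagnosis rules are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed copy of the ISE step log quoted in the question above.
ISE_STEPS = """\
11507  Extracted EAP-Response/Identity
12500  Prepared EAP-Request proposing EAP-TLS with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12301  Extracted EAP-Response/NAK requesting to use PEAP instead
12300  Prepared EAP-Request proposing PEAP with challenge
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318  Successfully negotiated PEAP version 0
12800  Extracted first TLS record; TLS handshake started
12805  Extracted TLS ClientHello message
12814  Prepared TLS Alert message
12817  TLS handshake failed
12309  PEAP handshake failed
"""

# One ISE step: a five-digit code, whitespace, then the message text.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*$")


@dataclass
class EapTrace:
    steps: List[Tuple[str, str]] = field(default_factory=list)
    proposed: List[str] = field(default_factory=list)    # methods the server offered, in order
    naks: List[str] = field(default_factory=list)        # methods the client asked for instead
    negotiated: Optional[str] = None                     # method both sides settled on
    client_tls: List[str] = field(default_factory=list)  # TLS handshake messages received from the client
    server_alert: bool = False                           # server answered with a TLS alert
    tls_failed: bool = False
    final: Optional[str] = None                          # message of the last step


def parse_ise_steps(text: str) -> EapTrace:
    """Parse an ISE 'Steps' listing into an EapTrace."""
    t = EapTrace()
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if not m:
            continue
        code, msg = m.groups()
        t.steps.append((code, msg))
        if (p := re.search(r"proposing (\S+) with challenge", msg)):
            t.proposed.append(p.group(1))
        elif (n := re.search(r"NAK requesting to use (\S+) instead", msg)):
            t.naks.append(n.group(1))
        elif (a := re.search(r"accepting (\S+) as negotiated", msg)):
            t.negotiated = a.group(1)
        elif (c := re.search(r"Extracted TLS (\w+) message", msg)):
            t.client_tls.append(c.group(1))
        elif "Prepared TLS Alert" in msg:
            t.server_alert = True
        elif msg == "TLS handshake failed":
            t.tls_failed = True
        t.final = msg
    return t


def diagnose(t: EapTrace) -> str:
    """Say which phase of the exchange broke, using only what the trace shows."""
    if not t.steps:
        return "no ISE steps found"
    parts = []
    if t.naks and t.proposed:
        parts.append(f"client declined {t.proposed[0]} and asked for {t.naks[-1]}")
    if t.negotiated:
        parts.append(f"{t.negotiated} negotiated")
    if t.tls_failed:
        last = t.client_tls[-1] if t.client_tls else "no client TLS message"
        where = "at " + last
        if t.server_alert:
            where += " (server sent the alert)"
        # In TLS the server only asks for a client certificate after ClientHello
        # is accepted, so an alert here is about the outer tunnel, not the client cert.
        if t.client_tls == ["ClientHello"]:
            where += "; tunnel rejected before any client certificate was requested"
        parts.append("outer TLS handshake failed " + where)
    elif t.final:
        parts.append("last step: " + t.final)
    return "; ".join(parts)
```

    For the quoted log the diagnosis points at the server's answer to the ClientHello, so the ISE-side tunnel certificate and TLS settings are the first thing to check; the CA relationship the question asks about only comes into play once the outer tunnel is up.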

  • RELEVANCY SCORE 2.83

    DB:2.83:2008 R2 Radius Server With Certificate Authentication For Wireless Networks x3


    Hi
    I have built a Windows 2008 R2 NPS server. We have connected a RADIUS client (WIFI AP). I specified the authentication method on the Network Policy as Microsoft: PEAP with MS-CHAP-v2 and MS-CHAP. When a user logs onto a client PC their
    AD user certificate is auto-enrolled into the user's personal certificate store. So far so good.
    All Windows 7 users can connect without any problems to the WIFI network now. No XP clients can though.
    Win 7 clients have the option in the WLAN Advanced Settings Specify Authentication Mode: User or computer authentication enabled. This is why they can connect successfully.
    XP clients do not have this option though. I am unsure at the moment how I can get XP clients to connect using their AD user certificate
    Can anyone help?
    Many thanks in advance!

    DB:2.83:2008 R2 Radius Server With Certificate Authentication For Wireless Networks x3

    Hi,
    We have a two-tier CA in our organization.
    I installed the NAP service and added a Cisco router as a RADIUS client.
    How do I set things up so that domain machines and non-domain machines (including smart phones) can connect to the wireless network
    only if they have a computer certificate?
    I don't know how to set things up so that non-domain machines can connect to the network, or how to create certificates for these
    machines.
    What type of certificate do we need to use and how do we request it on the CA for non-domain machines...

    Please help.

  • RELEVANCY SCORE 2.83

    DB:2.83:Acs 4.2, Wireless Authentication Peap/Eap-Tls Certificates xa



    Hi All,

    I have a requirement on our wireless network to ONLY approve authentication from machines that are pre-approved. We have our wireless network setup and it's all working well using RADIUS to Microsoft AD servers on the ACS for end user/machine authentication.

    We've recently installed a new digital certificate and have enabled EAP-TLS for machine authentication - again all is working as expected with the certificate being downloaded/provided to the remote client as when connection occurs.

    What I want to do now is actually STOP the provision of the certificate so that I have to use a Microsoft Group Policy to install it onto the remote clients. In this way I'm thinking that I can then ONLY approve clients that have the correct certificate installed.

    Sounds simple, but can I find a way of doing it? - no ... (is what I'm trying to do even possible?)

    Any assistance greatly received ...

    Regards,

    Stu

    DB:2.83:Acs 4.2, Wireless Authentication Peap/Eap-Tls Certificates xa


    Hi,

    I'm having exactly the same problem, but backwards. I want to install the certificate automatically on my wireless clients. I'm running ACS 4.2 also and I have been running tests, but I have to install the generated certificate manually on each wireless client (300 laptops).

    So I would like to know which configuration you are using (in case it's possible, could you send me the running config that you actually have installed).

    Thank you very much.

  • RELEVANCY SCORE 2.83

    DB:2.83:Eap-Sim ss


    Hi Friends, EAP-SIM initiated by a Sony Xperia mobile is not reaching the Access Point, or the AP is not forwarding the EAP-SIM message to the Free RADIUS server. I am facing a problem in EAP-SIM evaluation with free radius. Please find the below points and help me out....
    1. Using Sony Xperia as User End. Dlink dir615 or linksys wrt120n for access point and free radius as authentication server.
    2. Free radius tested with eap-sim option with the help of the eap-sim06 test client provided with free radius, it's working fine.
    3. If I configure PEAP on free radius and Dlink as AP with Xperia as UE, it's working fine.
    4. If I configure EAP-SIM on free radius and if I select the SIM option on Xperia, I am not getting an access-request on free radius.
    Does the AP support partial EAP, like supporting PEAP, TLS, TTLS and leaving out SIM and AKA? If the AP does not support SIM, can we still do something to get an access request? Because the specs say old APs should also work! Please suggest me the solution.


  • RELEVANCY SCORE 2.83

    DB:2.83:Authenticating Wifi Phones Through Radius In Windows xx


    Hi, we have just installed RADIUS, and associated the certificate to it.
    Associated the RADIUS with Cisco.

    But when I authenticate my Android phone (using Wi-Fi),
    the information below is provided:
    EAP method: PEAP
    Phase 2 Authentication: MSCHAPV2
    CA Certificate: Unspecified
    User certificate: Unspecified
    Identity: Domain\ADUsername
    Password: ADUserPassword
    The authentication always fails. The CA Certificate does not show any certificate, even the one issued in the RADIUS server.
    My knowledge of CA and RADIUS is very novice. Any kind response is appreciated.


  • RELEVANCY SCORE 2.83

    DB:2.83:Acs 3.3.4 With Linux Client ja



    I've got some problems with a Linux wireless network connection. NetworkManager is installed on the Linux laptop. A PEAP profile is created.

    When the default Character String in ACS points to "Self" or its own IP address, the Linux client can authenticate and successfully log in to the wireless network.

    When the default "Character String" is set to an extended RADIUS server, the client cannot log in anymore. I created a new "Character String" that contains the @domain.local suffix. It is not working. Same problem for a Nokia (Symbian) cellphone.

    What can it be?


  • RELEVANCY SCORE 2.83

    DB:2.83:802.1x Supplicant On Wap4410n 11



    Hi Everyone.

    I want to set up 802.1x authentication on a Catalyst 2960 port where a WAP4410N Small Business Access Point is connected. All other clients (Windows 7 workstations) which are connected to that switch are successfully authenticated - PEAP is used as the authentication method. Microsoft NPS acts as the RADIUS.

    I created a login and password in the domain for that AP and configured it accordingly in the WAP4410N options.

    When I enabled dot1x on that port the authentication was rejected; I got the following info on the RADIUS:

    Authentication Details:
        Connection Request Policy Name: Use Windows authentication for all users
        Network Policy Name: 802.1x
        Authentication Provider: Windows
        Authentication Server: HOST1
        Authentication Type: EAP
        EAP Type: -
        Account Session Identifier: -
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 22
        Reason: The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

    Does anyone know what could be wrong? I enabled less secure authentication methods on the RADIUS but with no effect.

    Regards,

  • RELEVANCY SCORE 2.83

    DB:2.83:Peap Configuration With Ios Versus Vmworks xx



    --begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

    Hi

    I have a Cisco Aironet 350 Series Wireless LAN Adapter running Ver 8.3.10 firmware along with ACU 6.0. We have it working on PEAP to an AP 350 running vmWorks ver 12.01T. However, when we tried an AP 1100 Series running IOS we were unsuccessful. The AP1100 is configured as per the configuration guide.

    Any suggestions?

    Here is the AP 1100 config.

    aaa new-model
    !
    !
    aaa group server radius rad_eap
     server 10.12.1.135 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
     server 10.12.1.135 auth-port 1645 acct-port 1646
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    !
    ip subnet-zero
    !
    ip ssh time-out 120
    ip ssh authentication-retries 3
    dot11 holdoff-time 600
    !
    bridge irb
    !
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
     encryption mode wep mandatory
     !
     broadcast-key change 300
     !
     ssid tsunami
        authentication open eap eap_methods
        authentication network-eap eap_methods
        accounting acct_methods
        guest-mode
     !
     speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
     rts threshold 2312
     station-role root
     no cdp enable
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 10.12.0.246 255.255.252.0
     no ip route-cache
    !
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
    ip radius source-interface BVI1
    radius-server host 10.12.1.135 auth-port 1645 acct-port 1646 key 7 xxxxxxxxxxxxxxxxxxxxxxxxx
    radius-server retransmit 3
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip

    DB:2.83:Peap Configuration With Ios Versus Vmworks xx


    Change your config as follows:

     ssid tsunami
        authentication open eap eap_methods
        authentication network-eap eap_methods   <-- TAKE OUT
        accounting acct_methods
        guest-mode

    The following link is a good guide to setting up PEAP.

    http://www.missl.cs.umd.edu/Projects/wireless/8021x/
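    To check for the condition the reply points at across a whole AP config, here is an added Python example (not the poster's or Cisco's code): it parses the SSID blocks of an IOS access-point configuration, lists the authentication methods per SSID, flags SSIDs that offer both "open eap" and "network-eap", and emits the config with the network-eap line removed. The config text is a constructed excerpt of the one posted above; the parser also records the "vlan" sub-command, which that config does not use.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the AP 1100 config posted above (the key was already
# masked in the post).  Indentation was lost when the page was scraped.
AP1100_CONFIG = """\
aaa authentication login eap_methods group rad_eap
!
interface Dot11Radio0
no ip address
encryption key 1 size 128bit 7 xxxxxxxxxxxxxxxxxxxx transmit-key
encryption mode wep mandatory
!
broadcast-key change 300
!
ssid tsunami
authentication open eap eap_methods
authentication network-eap eap_methods
accounting acct_methods
guest-mode
!
station-role root
bridge-group 1
!
"""

# Matches both the per-interface "ssid NAME" and the global "dot11 ssid NAME" forms.
SSID_RE = re.compile(r"^(dot11 )?ssid (\S+)$")


@dataclass
class SsidAuth:
    name: str
    interface: Optional[str]                              # None for a global "dot11 ssid" block
    open_eap: List[str] = field(default_factory=list)     # method lists from "authentication open eap <list>"
    network_eap: List[str] = field(default_factory=list)  # method lists from "authentication network-eap <list>"
    vlan: Optional[int] = None
    guest_mode: bool = False


def parse_ssids(config: str) -> Dict[str, SsidAuth]:
    """Collect per-SSID authentication settings from an IOS AP config.

    Block membership is tracked by the "interface"/"ssid" keywords and the "!"
    separators IOS prints, not by indentation.  "!" closes the SSID sub-block
    but not the enclosing interface.
    """
    ssids: Dict[str, SsidAuth] = {}
    interface: Optional[str] = None
    cur: Optional[SsidAuth] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            cur = None
            continue
        if line.startswith("interface "):
            interface, cur = line.split(None, 1)[1], None
            continue
        m = SSID_RE.match(line)
        if m:
            name = m.group(2)
            cur = ssids.setdefault(name, SsidAuth(name, None if m.group(1) else interface))
            continue
        if cur is None:
            continue
        if line.startswith("authentication open eap "):
            cur.open_eap.append(line.split()[-1])
        elif line.startswith("authentication network-eap "):
            cur.network_eap.append(line.split()[-1])
        elif line.startswith("vlan "):
            cur.vlan = int(line.split()[1])
        elif line == "guest-mode":
            cur.guest_mode = True
    return ssids


def mixed_eap_ssids(ssids: Dict[str, SsidAuth]) -> List[str]:
    """SSIDs offering both open-with-EAP and Network-EAP (the case the reply says to fix)."""
    return sorted(n for n, s in ssids.items() if s.open_eap and s.network_eap)


def drop_network_eap(config: str, names: List[str]) -> str:
    """Return the config with "authentication network-eap" removed from the named SSIDs."""
    out: List[str] = []
    cur: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = SSID_RE.match(line)
        if line == "!" or line.startswith("interface "):
            cur = None
        elif m:
            cur = m.group(2)
        if cur in names and line.startswith("authentication network-eap "):
            continue  # the line the reply says to take out
        out.append(raw)
    return "\n".join(out) + "\n"
```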

  • RELEVANCY SCORE 2.82

    DB:2.82:Wireless Authentication Using Acs And Rsa az



    Hello,

    We have ACS authentication with RSA Token enabled for VPN users.

    We are also using the ACS for user authentication using TACACS. Both are working fine. I am trying to enable Wireless user authentication with ACS and RSA.

    I am using a CISCO AP 1142 in autonomous mode which is configured as a RADIUS client on ACS, and I am able to see the authentication attempt from the user when they connect to the WLAN.

    But the user authentication is failing with reason code 22056. I am using Windows 7 with 802.1x PEAP authentication.

    I have been through the support forums and I can see that there is EAP-GTC supplicant-for windows XP  for authentication. Can you let me know the configuration needed for this and if EAP-GTC supplicant is available for windows7.

    What are the other configuration options I can look into enabling wireless authentication using ACS and RSA Tokens.

    TIA

    DB:2.82:Wireless Authentication Using Acs And Rsa az


    Hi Ajai,

    Windows 7 should already include a Cisco plug-in for EAP-FAST and PEAP (EAP-GTC): http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp998638 However, please note that such a plug-in is supported by the vendor of the wireless card directly.

    So, to summarize, on Windows XP you might want to consider CSSC, and on Windows 7 you could look into the PEAP plugin. Supplicants do vary a lot between Windows XP and Windows 7, so I am afraid you might need to consider dependencies based on the OS.

    Regards,

    Fede

    --If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • RELEVANCY SCORE 2.82

    DB:2.82:Radius Server For Authentication Using Pap For Router..Want To Use Ms-Chapv2 cz



    I noticed that when our routers or switches use the RADIUS server for authentication, they are using PAP. I also noticed that when our WLC uses the RADIUS server for authentication, it uses PEAP with MS-CHAPv2.

    Can we change the routers so that all the authentication is done using something more secure than PAP? Perhaps PEAP with MS-CHAPv2 for everything?

    I tried to implement MS-CHAP on our server and I couldn't access any device with my Windows credentials, so I reverted back to PAP.

    The bad thing about PAP is that it transmits usernames and passwords in the clear, so I'd like to get away from it if possible. Please advise. If I need to add some kind of config on the router side to make sure it supports MS-CHAPv2..

    Thanks in advance

    DB:2.82:Radius Server For Authentication Using Pap For Router..Want To Use Ms-Chapv2 cz


    Sorry Tarjeet, I meant the RADIUS authentication, not the dot1x authentication.

    Searching, a cisco employee said there is no way to do that.

    check this:

    https://supportforums.cisco.com/thread/2126960

    In ASA you can enable the password-management command and it then uses CHAP. But for routers (or switches) I am not sure if there is any such command that does the same thing.

    I suggest you ask in the routers/switches forums because this is a device's behavior. They can give you more updated information if this feature is enabled or if it will be in the future.

    Regards,

    Amjad

    Rating useful replies is more useful than saying "Thank you"

  • RELEVANCY SCORE 2.82

    DB:2.82:Migration Acs To Ise: Ldap Question pz



    Hello,

    I'm planning migration from ACS 3.3 to a new machine, so I'm thinking about new Cisco ISE.

    I have the following question: ACS 3.3 acts as AAA RADIUS with an LDAP repository for a wireless deployment, using PEAP-GTC. Is it possible, with ISE, to use a different EAP method, such as PEAP-MSCHAPv2 or EAP-TTLS?

    In ACS 5.X I think only PEAP-GTC and EAP-TLS are supported when the identity repository is LDAP. Is it the same in Cisco ISE?

    Kind regards,

    Ignacio Siles.

    DB:2.82:Migration Acs To Ise: Ldap Question pz


    Just adding the link to the documentation about this:

    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_id_stores.html#wp1090065

    Cheers,

    Federico

  • RELEVANCY SCORE 2.81

    DB:2.81:Getting Unifi To Work With Radius On Windows Server 2008 R2 1x



    Hi

    I'm trying to get UniFi working with my Radius Windows 2008 Server for Active Directory Authentication

    I'll try to give as much detail as what I've done as I know this is a tricky thing to diagnose!

    The worst thing is that a year ago I had this working. I was going thru everything I did last time but I just can't get this to work

    1. Configure new server with Server 2008 R2
    2. Install UniFi as a service
    3. Configure networks, test networks with standard WPA2-PSK to make sure network, DHCP and connectivity are OK
    4. Created new network in UniFi for RADIUS, saved the secret and pointed it to the IP of the new server
    5. Install Certificate Authority role on the new server
    6. Do standard CA role configuration, 5 year validity of self-signed cert
    7. Created Active Directory group, added test user to the group for testing authentication
    8. Install NPS role
    9. Followed configuration wizard for "RADIUS server for 802.1x Wireless or Wired Connections"
    10. Add RADIUS clients - my UniFi APs
    11. Select EAP type - Microsoft Protected EAP (PEAP). Clicked on Configure, could see the certificate issued was the cert I created when adding the Certificate Authority
    12. Select my Active Directory group to apply the policy to.
    On the Client

    The client is a Windows 7 test PC that is not domain joined
    1. Open Network and Sharing Center, Add a new Network
    2. Network Name - the same as set up in UniFi, security type WPA2-Enterprise
    3. Click on Change Settings, click on the Security tab
    4. Beside Microsoft: Protected EAP (PEAP) click on Settings
    5. Uncheck "Validate server certificate", click on Configure and uncheck "Automatically use my Windows logon name and password"
    6. Go back to Advanced Settings. Click on Specify Authentication Mode, select 'User Authentication'. Type in credentials of the test user in the Active Directory group.
    7. Click OK to everything
    Attached is screen shot of the IAS Radius Server log and error message I get

    Any help really appreciated!

    DB:2.81:Getting Unifi To Work With Radius On Windows Server 2008 R2 1x


    Hi there, did you make any progress with your RADIUS configuration? I thought I had NPS all sorted but still have issues where Windows clients can't connect, and I don't really know why.

  • RELEVANCY SCORE 2.81

    DB:2.81:Cisco Ise And Peap Cert 8j



    Anyone know where you load the CA Certificate for PEAP if you use ISE as a RADIUS server?

    DB:2.81:Cisco Ise And Peap Cert 8j


    Hello Chris,

    For wireless configuration, You may download  Trustsec “Universal Wireless Configuration” from the following location: http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_11_universal_wlc_config.pdf

    For machine authentication, review chapter 5, "Managing External Identity Sources". Additionally, the ISE 1.1.x user guide is available at this location: http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_user_guide.html

  • RELEVANCY SCORE 2.80

    DB:2.80:When The Ciscosecure Acs For Windows Solution Engine 3.3 Is Used , Peap Ms-Chap Authentication Fails With The Nas Duplicated Authentication Attempt Log Message 87


    Core issue: The issue is due to the presence of Cisco bug ID CSCeg01533.
    When Protected Extensible Authentication Protocol (PEAP) Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication is used with two CiscoSecure ACS for Windows servers with one server acting as a proxy server that strips the realm, the authentication can fail. This issue is first seen with CiscoSecure ACS for Windows version 3.2.3.

    What is PEAP?

    Protected Extensible Authentication Protocol (PEAP) belongs to the family of Extensible Authentication Protocol (EAP) protocols. PEAP uses Transport Layer Security (TLS) in order to create an encrypted channel between an authenticating PEAP client and a PEAP authenticator, such as RADIUS server.

    PEAP does not specify an authentication method, but provides additional security for other EAP authentication protocols, such as EAP-MS-CHAP v2, that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for 802.1X wireless client computers, but is not supported for virtual private network (VPN) or other remote access clients.
    Resolution: The workaround for this issue is to not strip the realm and configure the end server accordingly. This bug is fixed in CiscoSecure ACS for Windows version 4.0(1.27).
    In order to download CiscoSecure ACS for Windows version 4.0(1.27), open a service request with Cisco Technical Support.


  • RELEVANCY SCORE 2.79

    DB:2.79:Nps 3rd Party Certificate With Peap f9



    I'm hoping to get some direction / help with the following issue:

    Goals
    1. Allow domain and non-domain devices to authenticate via NPS
    2. Use a 3rd party (not self-signed) certificate
    3. When joining the wireless network for the first time, DO NOT receive the "verify certificate" pop-up.

    Wireless Design
    1. Windows 2008 R2 server running NPS for RADIUS authentication
    2. 3rd party certificate from Network Solutions (CN=nps.mydomain.net; SAN=npsservername.mydomain.local)
    3. Using PEAP/MsCHAPv2 for authentication

    Current Issue

    I've been able to obtain my first two goals, but I'm continuing to get a pop-up requesting me to validate the certificate when I'm joining the wireless network for the first time. Once I accept the certificate, I never receive the pop-up again, but I need to get rid of the initial pop-up. All other items are working as expected. Can someone help me through this?

    DB:2.79:Nps 3rd Party Certificate With Peap f9


    I ran into the same issue when deploying 802.1x + NPS/PEAP.

    The issue is Microsoft's implementation of the wireless management client. It (by default) does not trust any Root CA. If you use a 3rd party wireless client such as Intel PROSet it does work and you can find a list of trusted Root CAs in the settings somewhere.

    The configuration also works for Macs. Only Microsoft Windows does not work out-of-the-box with PEAP, 802.1x wireless. Go figure, as they made the blasted thing.

    https://supportforums.cisco.com/thread/2053466

  • RELEVANCY SCORE 2.79

    DB:2.79:Radius Authentication. a9



    Hi

    we are getting a problem with WLC authentication (management users) with a Windows RADIUS server. The wireless user authentication is happening properly and they get authenticated, and IP address assignment is working properly.

    When we redirect the device authentication request (management users) to RADIUS, even though the admin user is defined in RADIUS, on telnet it gives the error saying no response from server. If the second option for authentication is given as local, even though the RADIUS server is reachable, authentication for the device is happening properly. The RADIUS server is Windows RADIUS. The WLC is a 2112 with version 5.2.157.0.....

    When the user is defined locally as well as in RADIUS, as mentioned in the doc, local authentication takes preference so the user gets authenticated; so I tried creating the user only in RADIUS without a local definition, but it is not successful and gives the error no response from server. RADIUS is reachable from the WLC and the RADIUS logs show the login attempt from the particular user.

    In WLC

    Radius server ip and shared secret defines properly.

    Management is enabled under RADIUS to ensure management users will be authenticated via RADIUS.

    In RADIUS

    wlc ip address has been defined as radius client

    shared secret is defined properly.

    user-password defined properly in radius database.

    service-type attribute defined as Administrator for the management users.

    DB:2.79:Radius Authentication. a9


    Link to the document is here: Configuring Radius Management with IAS

  • RELEVANCY SCORE 2.79

    DB:2.79:Peap-Mschapv2 Problems 37



    Hi,

    I have a problem with PEAP-MSCHAPV2 authentication in combination with the Wireless Services Module and Cisco ACS 4.1 (and later I tested with IAS).

    When I use the Windows supplicant I can get no connection to my wireless network; when I use the Intel Pro client it works very well. The Windows supplicant asks for my user credentials every 5 seconds and in the log files of the RADIUS there is nothing to see.

    Can somebody help me with this problem ?

  • RELEVANCY SCORE 2.79

    DB:2.79:Using Cisco Secure Acs Express With Wireless Ap 1c



    Hi Support,

    Unable to establish a Wi-Fi connection when the access point (Linksys WAP54G) is configured to authenticate through the ACS 5.0 Express appliance.

    1) ACS configuration

       Protocol - EAP - PEAP(EAP-MSCHAPv2)

       Auth DB - Active Dir

       Radius Response - Accept (Default - Accept without any Radius Attributes)

    2)  Linksys Setting

        Protocol - Radius

        Mode-    WPA-Enterprise

        Encryption - Tried both AES and TKIP

        Radius Port - 1812 /1645

    3) acsxp_server_trace.log - attached.

    Support on the same would be appreciated.

    Regards,

    $kumar


  • RELEVANCY SCORE 2.79

    DB:2.79:Getting Started With Peap And Tablet Pcs c1



    I've been trying to get PEAP working with the following devices:

    CiscoSecure ACS 3.1

    Compaq TC1000 Tablet PC with latest drivers for built in wireless card

    Cisco Aironet 1100 AP

    I believe everything is configured correctly on the AP - I have Open and Network EAP checked. No VLANs configured. The ACS box has the AP registered as a network device with the same key as entered on the AP itself, and with Radius (Cisco Aironet) selected.

    Unfortunately my clients associate but fail to obtain a DHCP address and pass traffic.

    The Tablet PC is configured for windows XP networking, using PEAP and dynamic wep keys (or the key is provided for me).

    Has anyone had experience with these devices? We have been successful in getting LEAP working with Cisco ACU on a full laptop. The Tablet PCs won't run the ACU software.

    Edit:

    Just found some past replies which have helped clear things up a little. Could someone tell me if my thinking below is correct please?

    ACS version 3.1 supports PEAP for Cisco wireless cards/clients only and does not support PEAP for 3rd party cards and the Microsoft supplicant.

    ACS version 3.2 supports PEAP for Cisco cards, but also supports PEAP with third party cards and the Microsoft supplicant.

    So in theory, upgrading to 3.2 would enable us to use Tablet PCs such as the TC1000 with our wireless APs and PEAP authentication.

    Regards,

    DB:2.79:Getting Started With Peap And Tablet Pcs c1


    The Tablet PC will require an update to its driver to support PEAP. I ended up using a third-party application, Aegis client, that supports LEAP.

    bernie

  • RELEVANCY SCORE 2.79

    DB:2.79:Peap Wont Work When Vlan Is Enabled 88



    I have some 1220Bs migrated to the latest 12.2 IOS in a W2K Active Directory. I used PEAP on them with MS IAS on a 2000 server. Now we have a need to allow visitors to connect to our wireless network. Since their machines are not members of our domain, I set up another SSID with PEAP to allow guest users in the AD to connect and configured their laptops to skip computer credentials and prompt for user credentials to authenticate through PEAP and RADIUS.

    All worked fine until I decided to VLAN the corporate users and guests to tighten up the security. I set the corporate SSID to use VLAN1 as the native VLAN (corporate traffic, RADIUS, mgmt traffic, BVI1, etc.) and the GUEST SSID to use VLAN9. Turned on the corresponding subinterfaces on Dot11Radio 0 and F0, and trunk port on the 3550 switch.

    Now I can telnet to the AP from the wired side and log in through RADIUS authentication. But my wireless client won't associate. Debug aaa authentication and debug aaa RADIUS protocol don't show any RADIUS activity caused by the wireless client. They only show activity when I log in from the wired side.

    If, under each SSID, I set authentication to just open with guest mode or no WEP key, the VLANs will work. Once I put "authentication open eap eap_methods" back on, No Association! No RADIUS activities! But everything works if I take VLAN out!

    Does that mean I have to configure VLANs as a RADIUS attribute on the IAS instead of on the AP?

    ---------------------------------------

    Here is my AP configuration WITH ONLY the corporate SSID:

    ...

    ip subnet-zero
    !
    aaa new-model
    !
    aaa group server radius IAS
     server 172.16.2.106 auth-port 1645 acct-port 1646
     server 172.16.2.102 auth-port 1645 acct-port 1646
    !
    aaa authentication login default group IAS local
    aaa authentication login eap_methods group IAS
    aaa authentication login mac_methods local
    aaa authorization exec default group IAS local
    aaa session-id common
    dot11 network-map
    !
    bridge irb
    !
    interface Dot11Radio0
     no ip address
     no ip route-cache
     !
     encryption mode wep mandatory
     !
     ssid CORPORATE
      vlan 1
      authentication open eap eap_methods
     !
     speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
     rts threshold 2312
     station-role root
     dot1x reauth-period server
     dot1x client-timeout 5
    !
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    !
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    !
    interface FastEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    !
    interface BVI1
     ip address 172.16.8.10 255.255.255.0
     no ip route-cache
    !
    ip default-gateway 172.16.8.1
    ip http server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
    ip radius source-interface BVI1
    logging 172.16.2.106
    access-list 1 permit 172.16.2.0 0.0.0.255
    snmp-server community XXXXX RO 1
    snmp-server enable traps tty
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 172.16.2.106 auth-port 1645 acct-port 1646 key 7 XXXXXX
    radius-server retransmit 2
    radius-server timeout 2
    radius-server key 7 XXXXX
    radius-server authorization permit missing Service-Type
    radius-server vsa send accounting
    bridge 1 route ip
    !
    line con 0
    line vty 0 4
     exec-timeout 0 0
     logging synchronous
    line vty 5 15

    DB:2.79:Peap Wont Work When Vlan Is Enabled 88


    Thanks for all the previous inputs and especially for pointing out that encryption is the problem. I happened to find it out just a couple of days ago. I didn't like the GUI. I had trouble using it to set up PEAP initially. Maybe I should use it more, because on the features it does support it won't miss those commands like I did.

    The majority of the client adapters are Cisco 350 series. Client OS varies from 2000 to XP. Therefore we did not turn on LEAP and TKIP.

    I was able to create 3 vlans -- one for the current, legacy static wep, one for the new PEAP-enabled corporate users, and one for the new PEAP-enabled, access-controlled guests/consultants. It seemed to work fine in the lab. I am going to migrate all the APs in a couple days and then take our time to reconfigure wireless clients.

    Thanks again to everyone who took the time to help me out on this issue!

    daniel
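    The gap behind this thread (an SSID bound to a VLAN with EAP authentication, but only the VLAN-less `encryption mode wep mandatory` line on the radio), as an added check written for this page. It is not the poster's material and not a Cisco tool: a small Python lint that parses the radio section of an IOS AP configuration and flags every EAP SSID whose VLAN has no matching `encryption vlan <id> mode ...` statement. The `BROKEN_CONFIG` sample is condensed from the configuration above (the GUEST SSID on VLAN 9 is constructed from the prose description); `FIXED_CONFIG` is my assumption about the shape of the fix, since the thread says encryption was the problem but does not show the corrected lines.

```python
import re

# Sample radio section, condensed from the configuration in the post above.
# The GUEST SSID (VLAN 9) is constructed from the poster's description.
# Only the VLAN-less 'encryption mode' line is present: that is the gap.
BROKEN_CONFIG = """\
interface Dot11Radio0
 encryption mode wep mandatory
 ssid CORPORATE
  vlan 1
  authentication open eap eap_methods
 ssid GUEST
  vlan 9
  authentication open eap eap_methods
"""

# Assumed corrected form (not shown in the thread): one
# 'encryption vlan <id> mode ...' line per VLAN carrying an EAP SSID.
FIXED_CONFIG = """\
interface Dot11Radio0
 encryption vlan 1 mode wep mandatory
 encryption vlan 9 mode wep mandatory
 ssid CORPORATE
  vlan 1
  authentication open eap eap_methods
 ssid GUEST
  vlan 9
  authentication open eap eap_methods
"""

SSID_RE = re.compile(r"^\s*ssid\s+(\S+)\s*$")
VLAN_RE = re.compile(r"^\s*vlan\s+(\d+)\s*$")
AUTH_EAP_RE = re.compile(r"^\s*authentication\s+open\s+eap\b")
ENC_VLAN_RE = re.compile(r"^\s*encryption\s+vlan\s+(\d+)\s+mode\s+(\S+)")
ENC_GLOBAL_RE = re.compile(r"^\s*encryption\s+mode\s+(\S+)")


def parse_radio(config):
    """Collect ssid -> {vlan, eap} bindings and the encryption statements."""
    ssids, enc_by_vlan, global_enc, current = {}, {}, None, None
    for line in config.splitlines():
        if (m := SSID_RE.match(line)):
            current = m.group(1)
            ssids[current] = {"vlan": None, "eap": False}
        elif (m := ENC_VLAN_RE.match(line)):
            enc_by_vlan[int(m.group(1))] = m.group(2)
        elif (m := ENC_GLOBAL_RE.match(line)):
            global_enc = m.group(1)
        elif current and (m := VLAN_RE.match(line)):
            ssids[current]["vlan"] = int(m.group(1))
        elif current and AUTH_EAP_RE.match(line):
            ssids[current]["eap"] = True
    return ssids, enc_by_vlan, global_enc


def find_missing_vlan_encryption(config):
    """Return [(ssid, vlan), ...] for EAP SSIDs whose VLAN has no encryption line."""
    ssids, enc_by_vlan, _ = parse_radio(config)
    return [
        (name, info["vlan"])
        for name, info in ssids.items()
        if info["eap"] and info["vlan"] is not None and info["vlan"] not in enc_by_vlan
    ]


def report(config):
    """One human-readable finding per affected SSID."""
    _, _, global_enc = parse_radio(config)
    lines = []
    for name, vlan in find_missing_vlan_encryption(config):
        note = f" (only a VLAN-less 'encryption mode {global_enc}' line is present)" if global_enc else ""
        lines.append(f"ssid {name}: no 'encryption vlan {vlan} mode ...' line{note}")
    return lines


if __name__ == "__main__":
    for finding in report(BROKEN_CONFIG):
        print(finding)
    print("fixed config findings:", report(FIXED_CONFIG))
```

    Run against a full `show running-config` dump and it only looks at the `ssid`, `vlan`, `authentication open eap` and `encryption` lines, so the rest of the configuration above passes through untouched.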

  • RELEVANCY SCORE 2.79

    DB:2.79:Peap Ms-Chap V2 W/Validate Server Certificate: Reason = The Supplied Message Is Incomplete. The Signature Was Not Verified. a3


    Hello, I am trying to run wired 802.1x port-based authentication with a Windows XP SP2 client using PEAP MS-CHAP v2 via a Longhorn RADIUS, but I am getting the error below. Any help? Thanks.

    Authentication-Type = PEAP
    EAP-Type = undetermined
    Account-Session-Identifier = not present
    Reason-Code = 262
    Reason = The supplied message is incomplete. The signature was not verified.

    Again, this only happens with Validate server certificate enabled. The server certificate has already been installed on the XP PC.

    DB:2.79:Peap Ms-Chap V2 W/Validate Server Certificate: Reason = The Supplied Message Is Incomplete. The Signature Was Not Verified. a3

    Having the same issue, and I have manually imported the cert into trusted root certs. Still a problem. What should I be looking for in the tracing logs?

  • RELEVANCY SCORE 2.79

    DB:2.79:More Peap Questions fx



    We are evaluating the best way to secure our wireless networks and have decided that PEAP looks like the best bet. I have a test setup using Secure ACS as the radius server, a 1200 AP w/ 12.2(11)JA IOS, and an XP laptop w/ an Aironet 350 card.

    I have been unable to get PEAP to work using the Cisco supplicant or the MS supplicant. LEAP works fine.

    There is a CA setup and the ACS server has the server cert installed.

    ACS is enabled for PEAP.

    Here is a debug of the unsuccessful PEAP authentication process if that will help.

    Jul 9 10:51:41: dot11_aaa_dot1x_start: in the dot11_aaa_dot1x_start
    Jul 9 10:51:41: dot11_dot1x_run_rfsm: Executing Action(INIT,EAP_START) for 000b.fde1.5ccd
    Jul 9 10:51:41: dot11_dot1x_send_id_req_to_client: sending identity request for 000b.fde1.5ccd
    Jul 9 10:51:41: dot11_dot1x_client_send_eapol: sending eapol to client 000b.fde1.5ccd
    Jul 9 10:51:43: dot11_dot1x_distribute_bkey: Updating Group Key: vlan=0, index=1, len=13
    Jul 9 10:51:43: dot11_dot1x_distribute_bkey: Multicast key distributed to 0 clients
    Jul 9 10:51:51: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 000b.fde1.5ccd
    Jul 9 10:51:51: dot11_dot1x_send_response_to_client: Respond not sent to client!
    Jul 9 10:51:51: dot11_dot1x_send_client_fail: Authentication failed for 000b.fde1.5ccd
    Jul 9 10:51:51.820 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
    Jul 9 10:51:53: dot11_dot1x_distribute_bkey: Updating Group Key: vlan=0, index=2, len=13
    Jul 9 10:51:53: dot11_dot1x_distribute_bkey: Multicast key distributed to 0 clients
    Jul 9 10:51:57: dot11_aaa_dot1x_start: in the dot11_aaa_dot1x_start
    Jul 9 10:51:57: dot11_dot1x_run_rfsm: Executing Action(INIT,EAP_START) for 000b.fde1.5ccd
    Jul 9 10:51:57: dot11_dot1x_send_id_req_to_client: sending identity request for 000b.fde1.5ccd
    Jul 9 10:51:57: dot11_dot1x_client_send_eapol: sending eapol to client 000b.fde1.5ccd
    Jul 9 10:52:07.245 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
    Jul 9 10:52:22.709 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
    Jul 9 10:52:38.134 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed

    Does anyone have any idea or guidance on how best to get PEAP working?

    Thanks......

    DB:2.79:More Peap Questions fx


    Thanks for the responses. I figured it out myself - it was a certificate trust issue.

  • RELEVANCY SCORE 2.78

    DB:2.78:Peap Not Working 1a



    Can anyone help? We are currently using Aironet 1200 APs and .11a/b/g cards for laptops, with ACS 3.2 and Microsoft Server 2003 (CA).

    We cannot get PEAP working, yet LEAP will. We have configured everything (certificates, AAA clients on ACS, etc.) but will not get an IP address or connect when using PEAP.

    Does this mean anything? See attached text file.

    Thanks in advance to any replies....

    DB:2.78:Peap Not Working 1a


    Check the Authentication Protocol-Database Compatibility :

    http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs32/user02/o.htm#wp624132

  • RELEVANCY SCORE 2.77

    DB:2.77:5508 + 3502i + Eap-Peap Using Rsa? xz



    Can I set up my RSA RADIUS server as the EAP authentication in an EAP-PEAP config?

    I ask because I saw some posts about it not working with RSA Authentication Manager 7 and the 5508.


  • RELEVANCY SCORE 2.77

    DB:2.77:802.1x With Ldap And Peap ? 83



    Hello

    In ACS 4.2 I configured a profile with NAF (switches which will be 802.1x enforcement points). Then in authentication I selected the LDAP database. In protocols I've enabled EAP-MSCHAPv2, PEAP and EAP-MD5. The problem is that during authentication ACS sees PEAP or EAP-MD5 and tries to "forward" that request to the LDAP database, which does not understand it. Is this the problem of the LDAP database? Could not ACS simply check username/password in LDAP and respond with the proper EAP protocol?

    Do you know any working solution with 802.1x + LDAP and microsoft PEAP ? (any links for howto?)

    Thanx

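    The question just above, and the "Authentication Protocol-Database Compatibility" pointer in the "Peap Not Working" thread earlier on this page, both come down to the same property, shown here as an added example written for this page (not ACS code and not the poster's): a challenge/response inner method such as EAP-MD5 (or EAP-MSCHAPv2, which needs the NT hash) can only be verified by a server that holds the user's secret, whereas a generic LDAP directory only lets the server test a cleartext password through a bind. The two backend classes, the capability probe and the user names are my own constructions; the EAP-MD5 response formula is the CHAP-style MD5(Identifier || secret || Challenge) from RFC 3748 section 5.4.

```python
import hashlib
import hmac
import os


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748 s5.4, CHAP-style): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ClearTextBackend:
    """Constructed stand-in for a database the RADIUS server can read secrets from
    (cleartext, or the NT hash for MS-CHAPv2). It can recompute the client's
    response itself, so challenge/response inner methods work."""

    def __init__(self, users):
        self._users = users

    def verify_password(self, user, password):
        return self._users.get(user) == password

    def verify_eap_md5(self, user, identifier, challenge, response):
        secret = self._users.get(user)
        if secret is None:
            return False
        expected = eap_md5_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


class BindOnlyLdapBackend:
    """Constructed stand-in for a generic LDAP directory used as an external
    database: the only operation it offers is 'bind with this cleartext
    password'. The secret never reaches the RADIUS server, so a response the
    server did not compute cannot be checked."""

    def __init__(self, users):
        self._users = users  # the directory's own (hashed) store, never exported

    def bind(self, user, password):
        return self._users.get(user) == password

    def verify_password(self, user, password):
        return self.bind(user, password)

    def verify_eap_md5(self, user, identifier, challenge, response):
        raise NotImplementedError("bind-only LDAP cannot verify a challenge/response EAP method")


def inner_methods_supported(backend):
    """Probe which PEAP inner methods a backend can serve."""
    caps = {"EAP-GTC/PAP-style (cleartext via bind)": hasattr(backend, "verify_password")}
    try:
        backend.verify_eap_md5("probe", 0, b"\x00" * 16, b"\x00" * 16)
        caps["EAP-MD5 (challenge/response)"] = True
    except NotImplementedError:
        caps["EAP-MD5 (challenge/response)"] = False
    return caps


def demo():
    """Run the same user through both backends with a fresh challenge."""
    challenge = os.urandom(16)
    ident = 7
    clear = ClearTextBackend({"alice": b"s3cret"})
    ldap = BindOnlyLdapBackend({"alice": b"s3cret"})
    # Supplicant side: the client derives the response from its own password.
    response = eap_md5_response(ident, b"s3cret", challenge)
    return {
        "cleartext_eap_md5": clear.verify_eap_md5("alice", ident, challenge, response),
        "cleartext_wrong_pw": clear.verify_eap_md5("alice", ident, challenge,
                                                   eap_md5_response(ident, b"wrong", challenge)),
        "ldap_bind": ldap.bind("alice", b"s3cret"),
        "ldap_caps": inner_methods_supported(ldap),
        "clear_caps": inner_methods_supported(clear),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    The practical reading is the one the compatibility table in the earlier thread gives: against a generic LDAP database, pick an inner method that carries a cleartext credential the server can bind with (PEAP with EAP-GTC) or one that needs no password at all (EAP-TLS), rather than EAP-MD5 or EAP-MSCHAPv2.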

  • RELEVANCY SCORE 2.77

    DB:2.77:Cisco 2504 With Radius Server Using Eap(Peap) 8j



    Hi Guys,

    Recently I've deployed wireless at my workplace. Everything is working perfectly fine. I have two WLANs: one for corporate users, which gives them domain access using a RADIUS server, and a second one for guests, for Internet only.

    I used PEAP for my corporate WLAN using WPA+WPA2 802.1x. I want to ask you guys to please tell me if it's correct and secure how I configured it.

    Also, under the corporate WLAN under the AAA Server tab there is an option for Local EAP Authentication. It's not enabled at the moment.

    Could you please confirm whether this needs to be checked or whether it's OK without this option? I have uploaded screenshots of my corporate WLAN.

    Please advise if you think it’s not secure enough.

    Thanks for your help

    Umar

    DB:2.77:Cisco 2504 With Radius Server Using Eap(Peap) 8j


    You do not need to enable that. That is only enabled if you're doing EAP off the WLC itself.

    Sent from Cisco Technical Support iPhone App

  • RELEVANCY SCORE 2.77

    DB:2.77:Eap-Tls Or Peap-Tls On Lion kf


    Hi, I have a WLAN infrastructure with authentication via PEAP-TLS; CA, RADIUS and LDAP are on Windows Server 2008 R2. All Windows machines work well, but I have a problem with an Apple computer, a MacBook Air with Lion 10.7. My question is whether Lion supports PEAP-TLS (PEAP Microsoft: Smart card or other certificate) or I should choose only Microsoft: Smart card or other certificate (this is EAP-TLS). On the Internet there is a lot of information but nothing works. Please, if anyone has a working configuration, give us a hint what I should set on the server and on Lion. Best regards, mhuba
