802.11X PEAP/EAP-GTC wireless problems

I have a WPA2 wireless network that uses PEAP/EAP-GTC to authenticate. The token in this case is an RSA key, where the credentials expire after 60 seconds. I have two problems.
First. The Macbook continuously wants to use keychain to provide cached credentials anytime it reauthenticates me. I can click Deny and it will prompt me with the login window, and this login window has a checkbox for 'Only use password once', which I check. But it still wants to use cached credentials each time. Is this fixable? I have tried deleting the entry in the keychain but it always gets recreated when I authenticate on the WLAN in question.
Second has to do with sleep mode. If the laptop goes to sleep, it will not prompt me to reauthenticate unless I turn off the airport adapter and turn it back on, or reboot. This is a bigger problem.
Any ideas?

Any ideas here? The problem is getting worse. I have to fiddle with airport settings for 15 minutes sometimes to get authenticated. XP/Vista clients on the same network get on the first time, every time.

Similar Messages

  • How to configure PEAP/EAP-GTC on Mac OS X v10.7 Lion

    I want to connect my MacBook Pro to our company WLAN using PEAP/EAP-GTC, but I don't know how to configure it. Can anybody do me a favour? Thanks in advance.

    bdc9898 wrote:
    I am trying to open a jar file that I could open on Snow Leopard but I cannot open it on Lion because there is no Jar Launcher, what should I do?
    Presumably what you think you mean by "JAR Launcher" is a Java runtime.
    Open a terminal.
    Type "java -version"
    If you get an answer, what is that answer?  If you get asked for permission to install Java, do so.

  • 802.1x PEAPV1 (EAP-GTC) not working on Ipad/Iphone

    I am currently working on deploying 802.1x at a remote location for a University. We use Cisco WCS to query a LDAP server. Apparently the iPhones and iPads are unable to connect using 802.1x PEAP. We have both PEAPv0(EAP-MSCHAPv2) and PEAPv1(EAP-GTC) turned on but our LDAP server only supports EAP-GTC. Does anyone know which PEAP version the iPad/iPhone supports? I have included output from the iPhone Configuration Utility while I tried to connect.
    Fri Sep  2 10:54:50 ********** eapolclient[150] <Notice>: peap_verify_server: server certificate not trusted, status 3 0
    Fri Sep  2 10:54:50 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:] event: 3
    Fri Sep  2 10:54:50 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
    Fri Sep  2 10:54:55 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:] event: 1
    Fri Sep  2 10:54:55 ********** Preferences[141] <Warning>: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: EAPOL failure
    THANK YOU!!!

    I am having the same issue.
    Whenever I try to connect my iPhone to a WPA2-Enterprise network, it by default connects through the MSCHAPv2 auth protocol, whereas my LDAP supports only the GTC auth protocol.
    But there is no option to change the encryption type when configuring a WiFi.
    Requesting you to please update on how to connect to the WiFi.
    Thanks in Advance.

  • 802.1x Profile - PEAP/EAP-MSCHAPv2

    I'm trying to connect my new retina Macbook Pro to our enterprise network, and am having trouble with the 802.1x profile. Looking at the settings on my Windows PC, I need to use PEAP/EAP-MSCHAPv2, but OSX Lion seems to default to PEAP/EAP-GTC. With these settings, I'm able to connect to the network but cannot access any network resources.
    I'm using the iPhone Configuration Utility to generate the 802.1x profile package. As far as I can tell, I am unable to change the inner authentication method with this application. Anyone out there have any suggestions on how I can resolve this?

    The prompt is specified when you create the profile on the machine. You can either have the user get prompted for login, save a username and password, or use the cached credentials. You need to look at the errors in RADIUS and in the WLC. One will have enough info to say what went wrong during the authentication process.

  • [SOLVED] Wireless 802.1x PEAP Windows 7 and Windows 2012 NPS and CA

    Hello,
    We are in the process of migrating our RADIUS (Windows 2003 R2) and Certificate (Windows 2003 R2) servers to 2012 (R2). This went fine, no problems. After that we have changed our Wireless controller, a Cisco 5508. We have changed our certificate from a 1024-bit to a 2048-bit certificate.
    We tested the other certificate functions and that went fine too.
    But we experience a problem with wireless 802.1x in combination with Windows 7 machines. We have Windows 8 and 8.1 machines that do not experience this problem and wireless 802.1x?
    We recreated the wireless policy but also no success.
    We have seen this problem before, with a customer who had a Windows 2008 R2 certificate server and Windows XP machines with wireless 802.1x. Exactly the same problem. After decommissioning the Windows 2008 R2 certificate server and changing it to a Windows 2003 R2 certificate server, there were no problems any more.
    It looks like older versions of Windows do not work with newer certificate servers?
    Are we missing something? Can someone confirm this?
    We already looked at these forum posts, but with no success:
    http://social.technet.microsoft.com/Forums/windows/en-US/796d447f-518c-4ccb-81ff-921ee561d742/win2k8r2-peapnps-with-cisco-wireless-controller-problem?forum=winserverNIS
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/76644dcc-911d-451e-b7f1-39269db43ac7/nps-event-6273-reason-code-16
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/d543fe75-0cf9-49e7-bbfa-dd0df219cfe5/the-radius-request-did-not-match-any-configured-connection-request-policy-crp
    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID: domainname\NB80W7$
        Account Name: host/NB80W7.domainname.local
        Account Domain: domainname
        Fully Qualified Account Name: domainname\NB80W7$
    Client Machine:
        Security ID: NULL SID
        Account Name:
        Fully Qualified Account Name: -
        OS-Version:
        Called Station Identifier: 08-d0-9f-ec-96-60:domain
        Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
        NAS IPv4 Address: 192.168.2.6
        NAS IPv6 Address:
        NAS Identifier: WLC5500
        NAS Port-Type: Wireless - IEEE 802.11
        NAS Port: 1
    RADIUS Client:
        Client Friendly Name: WLC5500
        Client IP Address: 192.168.2.6
    Authentication Details:
        Connection Request Policy Name: WLC5500
        Network Policy Name:
        Authentication Provider: Windows
        Authentication Server: DC01.domainname.local
        Authentication Type: EAP
        EAP Type:
        Account Session Identifier:
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 48
        Reason: The connection request did not match any configured network policy.

    Network Policy Server denied access to a user.
    Contact the Network Policy Server administrator for more information.
    User:
        Security ID: domainname\Username
        Account Name: domainname\Username
        Account Domain: domainname
        Fully Qualified Account Name: domainname.local/ICT Specialisten/Username
    Client Machine:
        Security ID: NULL SID
        Account Name:
        Fully Qualified Account Name: -
        OS-Version:
        Called Station Identifier: 08-d0-9f-ec-96-60:domain
        Calling Station Identifier: a0-88-b4-35-2e-08
    NAS:
        NAS IPv4 Address: 192.168.2.6
        NAS IPv6 Address:
        NAS Identifier: WLC5500
        NAS Port-Type: Wireless - IEEE 802.11
        NAS Port: 1
    RADIUS Client:
        Client Friendly Name: WLC5500
        Client IP Address: 192.168.2.6
    Authentication Details:
        Connection Request Policy Name: WLC5500
        Network Policy Name: WLC5500
        Authentication Provider: Windows
        Authentication Server: DC01.domainname.local
        Authentication Type: PEAP
        EAP Type:
        Account Session Identifier:
        Logging Results: Accounting information was written to the local log file.
        Reason Code: 16
        Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

    Hi,
    Please confirm the Win7 clients have renewed the certificate and deleted the old certificate. And confirm you are not using the default server certificate template.
    More information:
    Renew a Certificate
    http://technet.microsoft.com/en-us/library/cc730605.aspx
    NPS Server Certificate: Configure the Template and Autoenrollment
    http://msdn.microsoft.com/en-us/library/cc754198.aspx
    Hope this helps.
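The two denied-access events quoted in the question above can be compared field by field once they are parsed. The following is an added example, not code from any poster in this thread: it reads NPS event text in either layout (label and value on one line, or value on the following line), and reports which identity failed, under which network policy, and with which of the two reason codes shown in the post. The function names and the machine-account heuristic are assumptions made for the illustration.

```python
import re

# Constructed sample: abridged from the two NPS events quoted in the post above,
# in the scraped layout (label and value on separate lines, empty values absent).
SAMPLE = r"""Network Policy Server denied access to a user.
User:
Account Name:
host/NB80W7.domainname.local
Client Machine:
Account Name:
Called Station Identifier:
08-d0-9f-ec-96-60:domain
Calling Station Identifier:
a0-88-b4-35-2e-08
Authentication Details:
Network Policy Name:
Authentication Type:
EAP
Reason Code:
48
Network Policy Server denied access to a user.
User:
Account Name:
domainname\Username
Client Machine:
Calling Station Identifier:
a0-88-b4-35-2e-08
Authentication Details:
Network Policy Name:
WLC5500
Authentication Type:
PEAP
Reason Code:
16"""

HEADER = "Network Policy Server denied access to a user."
SECTIONS = {"User", "Client Machine", "NAS", "RADIUS Client", "Authentication Details"}
# "Label:" or "Label: value". A colon with no space after it (the SSID suffix of
# a Called Station Identifier) is data, not a label.
LINE = re.compile(r"^([A-Za-z][A-Za-z0-9 \-]*):(?:\s+(.*))?$")
MEANING = {"16": "credentials mismatch", "48": "no network policy matched"}  # codes in the post

def parse_events(text):
    """Return one {"Section/Label": value} dict per denied-access event."""
    events, section, pending = [], "", None
    for raw in text.splitlines():
        line = raw.strip()
        if line == HEADER:
            events.append({})
            section, pending = "", None
        elif not line or not events:
            continue
        elif m := LINE.match(line):
            label, value = m.group(1), m.group(2) or ""
            if label in SECTIONS and not value:
                section, pending = label, None
            else:
                key = f"{section}/{label}"
                events[-1][key] = value
                pending = None if value else key   # value may follow on next line
        elif pending:
            events[-1][pending] = line
            pending = None
    return events

def triage(event):
    """Who failed, under which policy, and why. host/ or trailing $ = machine (heuristic)."""
    acct = event.get("User/Account Name", "")
    det = "Authentication Details/"
    return {
        "station": event.get("Client Machine/Calling Station Identifier", ""),
        "identity": "machine" if acct.startswith("host/") or acct.endswith("$") else "user",
        "policy": event.get(det + "Network Policy Name") or None,
        "auth_type": event.get(det + "Authentication Type", ""),
        "reason": MEANING.get(event.get(det + "Reason Code", ""), "other"),
    }

if __name__ == "__main__":
    print([triage(e) for e in parse_events(SAMPLE)])
```

On the sample, the same station appears twice: once as a machine identity with no network policy matched, and once as a user identity that matched policy WLC5500 and then failed on credentials.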

  • IPAD 802.1x EAP-GTC not working

    I am trying to connect to wifi enterprise 802.1x   rsa 802.11agn (WPA2,AESCCMP,PEAPv1(EAP-GTC)). 
    Our setup
    Trapeze_AP-M522 -> Trapeze_MX200R (7.3.4.4.0) -> Cisco ACS (5.1) -> RSA
    It's working with windows pc and android (phone, tablet)  . When we use EAP-MSCHAPv2 it's working BUT I need 2 factors. 
    We traced the handshake in the Cisco ACS: the iPad first tries MSCHAPv2, then sends another packet not recognised as GTC, and then fails.
    Any help and/or a sample ICU .mobileconfig would be very appreciated.
    In ICU we select WPA/Enterprise ,  protocol PEAP,  Authentication  Ask for a password with each connection.
    Thanks

    I'm having the same issue. Have you been able to resolve it?

  • Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

    Hello,
    I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EAP-PEAP & EAP-MSCHAPv2 authentication.
    The RADIUS SERVER is M$ IAS.
    Authentication is working with a laptop, but it is not with my phone
    The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
    Does somebody know what should I change in my phone's configuration to make it work ?
    Thanks,
    Those who enjoy marching in ranks to music:
    it can only be by mistake that they received a brain,
    a spinal cord would amply suffice for them. -- Albert Einstein

    Hi,
    Sorry for the late answer since I was "out of the office" for a while
    So here is the process to get the certificate.
    Log in to your IAS Server.
    Open the IAS Service Application.
    Go to "Remote Access Policies".
    Choose the policy that apply to "Wireless Connection"
    Click "Edit Profile" button.
    Choose "Authentication" Tab.
    Click "EAP Methods"
    Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
    The Next Window will show you the Certificate Issuer Name & Expiration Date.
    Then, click "Start" Button.
    Choose "Run".
    Type "mmc" in the "Run" box.
    Click "File" & Choose "Add/Remove Snap-In".
    Click "Add" Button.
    Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finish.
    Click "Close" & "OK" Button.
    Expand the "Certificates - Current User" Entry & "Intermediate Certification Authorities" & Select "Certificate".
    The left window will show you a list of certificates. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
    "Right click" on the certificate, choose "All Tasks", then "Export".
    In the new window, click "Next" Button.
    Choose "DER Encoded Binary X.509 (.cer)" entry & click "Next" Button.
    Choose a suitable location.
    Click "Next" Button & "Finish" Button.
    Certificate is now exported.
    You have to install it on your Phone now.
    The simplest way is to copy the certificate to a Web Server and access it with your phone.
    Hope that helps, if you did not already succeed.

  • ACS 5.5 MAB Notebook do Host-Lookup then also send PEAP (EAP-MSCHAPv2) requests

    Hello Community,
    I have a problem: one Notebook in our environment authenticates successfully with Host-Lookup (MAC address) and gets the right VLAN, but then also permanently sends PEAP (EAP-MSCHAPv2) requests with a different Username (the Username is not a MAC address). It is the Computername of Windows.
    What is the Problem here ?
    Thanks

    Hello Sebastian. A few questions:
    - How is the supplicant configured on the Windows machines?
    - Is 802.1x enabled on the supplicant?
    - If possible please attach screenshots of the supplicant's configuration
    - Is this for wireless, wired or both?
    - Can you post screenshots of the ACS log page for those events along with a screenshot of the "detailed screen" for one of those events
    Thank you for rating helpful posts!

  • Computer Authentication /host/machine name using EAP on AP Problem

    Hi All,
    I have a wireless access point model 1242 with ACS server. The ACS server is integrated with the Windows domain. The user authentication is working OK but I would like to have a computer authentication setup. I am using PEAP with MS-CHAPv2 on the client machine, and on the access point I am using open authentication with EAP. ACS has its own certificate and the client has the root certificate. I can see the ACS server pulls the /host/machine name from AD but I am getting the message (EAP-TLS or PEAP authentication failed during SSL handshake) on the ACS server for computer authentication. What could be the problem? User authentication is working OK....
    Does computer authentication require EAP-TLS? I don't have a client certificate in my setup.
    I would be grateful for any suggestion / help.

    You did not mention whether your clients are running Windows or Mac OS (or some mixture of OS's)?  If you are running in a pure Windows environment, it is very easy to enable PEAP machine authentication.  It sounds like you have properly enabled machine authentication on the client side (since you are seeing host/machine auth attempts in the ACS log), but have you enabled machine authentication on the ACS server?
    Which version of ACS are you running (hopefully 4.2).
    Read up on this:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354014
    ACS supports EAP-TLS, PEAP (EAP-MS-CHAPv2), and PEAP (EAP-TLS) for machine authentication. You can enable each separately on the Windows User Database Configuration page, which allows a mix of computers that authenticate with EAP-TLS or PEAP (EAP-MS-CHAPv2). Microsoft operating systems that perform machine authentication might limit the user authentication protocol to the same protocol that is used for machine authentication. For more information about Microsoft operating systems and machine authentication, see Microsoft Windows and Machine Authentication.
    Windows User Database Support
    ACS supports the use of Windows external user databases for:
    • User Authentication: For information about the types of authentication that ACS supports with Windows Security Accounts Manager (SAM) database or a Windows Active Directory database, see Authentication Protocol-Database Compatibility, page 1-8.
    • Machine Authentication: ACS supports machine authentication with EAP-TLS and PEAP (EAP-MS-CHAPv2). For more information, see EAP and Windows Authentication.
    • Group Mapping for Unknown Users: ACS supports group mapping for unknown users by requesting group membership information from Windows user databases. For more information about group mapping for users authenticated with a Windows user database, see Group Mapping by Group Set Membership, page 16-3.
    • Password-Aging: ACS supports password aging for users who are authenticated by a Windows user database. For more information, see User-Changeable Passwords with Windows User Databases.
    • Dial-in Permissions: ACS supports use of dial-in permissions from Windows user databases. For more information, see Preparing Users for Authenticating with Windows.
    • Callback Settings: ACS supports use of callback settings from Windows user databases. For information about configuring ACS to use Windows callback settings, see Setting the User Callback Option, page 6-6.

  • PEAP EAP-MSCHAP v2

    Hi!
    Does anyone know if the router wrt320n or any other Linksys router (wireless or wired) supports 802.1x authentication, particularly PEAP EAP-MSCHAP v2? I'm connected to a network that provides access to the internet via ethernet cable and 802.1x authentication. I'd like now to connect several devices to the network through a router, but I'm not sure if the wrt320n can log on to the network, because of the 802.1x authentication.
    Thanks!

    No. They don't support 802.1X authentication (neither supplicant nor authenticator). The WRT and all Linksys branded routers are consumer routers. 802.1X authentication is a business feature which you may find in Cisco Small Business or better devices.

  • 802.11x with 2008 R2 NPS

    Here's what I'm using for attempt at 802.11x:
    -2008 R2 NPS
    -AIR-AP1142N-A-K9
    -Lenovo T510 Laptop
    Here is what I followed:
    1. http://techblog.mirabito.net.au/?p=87&cpage=1#comment-26452
    2. http://blog.laurence.id.au/2010/03/running-peap-with-cisco-aeronet-1231g.html
    Here is my config on the AP, radius related:
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone EST -4
    dot11 syslog
    dot11 ssid IPC02-AP
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa version 2
       guest-mode
    encryption mode ciphers aes-ccm tkip
    interface BVI1
    ip address 192.168.1.7 255.255.255.0
    no ip route-cache
    ip radius source-interface BVI1
    radius-server local
      nas 192.168.1.38 key 7 *
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 192.168.1.38 auth-port 1645 acct-port 1646 key 7 *
    Here is my part of my debug:
    RADIUS(000000C0): Received from id 1645/151
    RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    Client 0026.c750.**** failed: by EAP authentication server
    dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
    dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
    dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
    DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed
    RADIUS(000000C0): Received from id 1645/151
    RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
    dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
    dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
    Client 0026.c750.**** failed: by EAP authentication server
    dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 0026.c750.****
    dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 0026.c750.****
    dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
    dot11_auth_dot1x_send_client_fail: Authentication failed for 0026.c750.****
    DOT11-7-AUTH_FAILED: Station 0026.c750.**** Authentication failed
    I get a "connection failed" on my laptop.  I don't see any logs/events relating to a failure of credentials on my 2008 server.
    Any ideas?

    I have not gotten any other feedback and I have not been able to identify anything on TechNet about it. It will happen with any role that requires more than 27 of the Cisco-AV-Pair settings. It is working fine for stuff like the Lobby administrator logins, that require less than 5 access rules to be passed from the NPS, but that just goes to show that it is working as long as I do not hit the 27 "line-item" limit.

  • Windows Update KB3023607 Wireless Problems

    Since the release of the microsoft update 3023607 our clients cannot connect to our wireless.  I did some research and see this update is affecting cisco VPN, but I cannot find any information about wireless connectivity.  
    Our environment consists of Alcatel hardware running WPA2 Enterprise Authentication through RADIUS TLS. Has anyone else had any problems since the updates?
    We can easily hide this update and then it solves the problem, but it seems Microsoft is not pulling this update and doing that for thousands of clients really is not feasible.

    We're seeing the same issues with wireless on Windows 8.1 clients. Cisco Wireless controllers, WPA2-Enterprise, AES, PEAP, EAP-MSCHAP v2, Radius. When KB3023607 was released, we had to rollback the update on Windows 8.1 workstations to get users working on wireless and AnyConnect. They fixed the issues with AnyConnect with the March 10, 2015 updates but the wireless issue still persists and now I don't see KB3023607 installed on my workstation to remove so I'm still trying to figure out which update is breaking it now. The workstation reports "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 42." 42 is a bad cert error but our clients are set to ignore certificates. Any help on this would be GREATLY appreciated.

  • PEAP EAP-MSCHAP and Novell(NDS)

    We have several 350/1220/1131 ap's and would like to implement a 802.1x solution. We have a ACS 4.0 and are running Novell(NDS) as userdatabase.
    As far as I have understood, PEAP MSCHAP only support Microsoft databases, and only EAP-GTC can be used with NDS/LDAP databases.
    Is this correct ?
    Johann Folkestad

    PEAP uses TLS to encrypt any subsequent CHAP exchanges. Yes, MSCHAP uses a hashing algorithm. But it runs within a server-side cert TLS tunnel for server-side authentication and encryption.
    peter

  • PEAP, EAP-TLS & EAP-MD5

    Hi
    Just want to know is there any known problems or issues having PEAP, EAP-TLS & EAP-MD5 enabled on ACS Radius servers for wireless authentication?

    Hello,
    There are no problems except you have to have a CA server for certificates for both ACS and wireless users.
    Regards,
    Belal

  • 802.11x tab greyed out/inaccessible

    So I'm trying to configure access to a network using TTLS, however when I click on the 802.11x tab, it's inaccessible! Nothing happens when I click it, and it becomes greyed out after I click it. I'm worried that I might have to reinstall Leopard, maybe the wireless stack is messed up or something. I've tried Googling this, haven't found a solution yet. I remember at one point it had been working, but it's suddenly become completely unreachable.

    Reinstalling the 10.5.6 combo update doesn't take too long to do, is way way faster than an entire reinstall, and might fix this problem.
