802.1x EAP-PEAP - Radius Question

We're going to be deploying a wireless solution to a customer at some point shortly. So far we have a WLC 2500 Series,
1140 LAPs, and a 2960-S switch. We're going to have Windows 7, iPhone, iPAD devices, and I was going to implement
802.1x EAP-PEAP. I'm going to need a RADIUS server, but I was just wondering is there a cheaper solution than just
getting a Cisco ACS to run a simple RADIUS server which is all I need.
Also, when the Supplicant sends its NAI in a EAP-ResponseIdentity message, what exactly is this username
and how does it differ from the username you provide after the secure TLS tunnel has been configured.                  

Hey John,
Yes, in fact its all about feeling comfortable. So here is a video showing LOCAL PEAP on a WLC.
http://www.youtube.com/watch?v=YIxG4OEfwtY
The 2000 is becuase there is a database limit this includes MACS, LOCAL ACCOUNTS and AP MACs for AP policy. The mac is 2048 .. Here I blogged about this ..
http://www.my80211.com/cisco-wlc-cli-commands/2009/12/27/configure-local-mac-authentication-on-cisco-wlcs.html
So yes it sounds right and you should be good.
Hope this makes you feel a little bit better with your direction. If this helps can you mark the question as answered ?
Thanks John!
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Similar Messages

  • 802.1x EAP-PEAP over Ethernet need help !!!

    I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
    troubleshooting this, I am not sure what else to do.  Need help.  Here
    is the scenario:
    - Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
    - Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
    with IP address of 129.174.2.7.  This device is connected to the same switch above.
    Firewall is OFF on the server, allow ALL,
    - Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
    Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
    on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
    as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
    the port is activate to be "hot".
    - Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
    and that everything is looking fine,
    I have verified that the switch can communicate fine with the radius server.
    - Configuration on the switch for 802.1x:
    aaa new-model
    aaa authentication dot1x default group radius
    radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
    interface FastEthernet0/39
      description windows 2003 Supplicant
      switchport access vlan 401
      switchport mode access
      dot1x port-control auto
      no spanning-tree portfast (does not matter if this is enable or disable)
    lab-sw-1#
    .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
    .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
    .May 20 07:52:47.338: EAPOL pak dump Tx
    .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
    .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
    .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
    lab-sw-1#
    lab-sw-1#sh dot1x interface f0/39
    Dot1x Info for FastEthernet0/39
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    Violation Mode            = PROTECT
    ReAuthentication          = Disabled
    QuietPeriod               = 60
    ServerTimeout             = 30
    SuppTimeout               = 30
    ReAuthPeriod              = 3600 (Locally configured)
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RateLimitPeriod           = 0
    lab-sw-1#
    I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
    help me how to make this work.
    Many thanks in advance,

    #1:  dot1x system-auth-control is already in the switch configuration
    #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
    The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine...  We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
    autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
    Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
    even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
    Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
    in the username password Setting.
    Is it possible edit or change the way the client PC is sett up to prevent this?
    Is there any way make a policy setting? or is there other solutions?
    I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
    Thanks

    Hi,
    As I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
    Microsoft: Smart Card or other certificate, click
    Configure, click
    OK, and then click
    Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
    Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Smart Card or other certificate, click the
    Move Up button to position a smart card or other certificate at the top of the list, click
    OK, and then click
    Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
    version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Secured password (EPA-MSCHAP v2), click the
    Move Up button to position the secured password authentication type at the top of the list, click
    OK, and then click
    Next.
    Regards,
    Sabrina
    TechNet Subscriber Support
    in forum.
    If you have any feedback on our support, please contact
    [email protected]
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    This can be beneficial to other community members reading the thread.

  • Android ASUS tab into 802.1X EAP/PEAP wireless network

    Hi Guys,
                    I have been fighting with this for awhile now, i decided to call the exeprt.  At work with have a 802.1x EAP wirless network. PCs and Blackberies work fine once they grab their cert. However,  things aren't that esay with the Android tablets. I have been testing with  an ASUS, i have both cert(CA, and user) into the /etc/security folder of the tablet. But tablet still unable to authenticate, i don't even receive any logs in the Radius SERVER.
    Any tricks or ideas will be very appreciate.
    Thanks,
    GV

    Jean,
    When you say your using PEAP, that means you only need a certificate on the radius server and not the client device.  What radius server are you using and are you setup for PEAP or EAP-TLS?

  • Wireless WPA2-Enterprise + 802.1x (EAP-PEAP/MSCHAPv2) config

    Hello,
    We're in the process of moving all of our wireless from WPA-PSK to WPA2-Enterprise with 802.1x EAP-MSCHAPv2 (PEAP). All workstations are Windows 7 with the 2SP3 IR2 client. What we'd like is for the 802.1x SSO functionality to work so users do not have to sign in computer only first and then use the novell login after connecting. I've followed the documentation for enabling 802.1x that Novell provides with no success. I'm hoping someone has done this or can point me in the direction of documentation that can use to better understand what configuration is needed to make this work.

    Originally Posted by djaquays
    I haven't had a chance to play with this yet on IR8, but I'd be curious of your steps to get this working.
    I'm not sure why FreeRadius would make any difference vs ClearPass.. they both speak RADIUS.
    This is the only documentation I can find from Novell: https://www.novell.com/documentation...a/b8jn9w6.html
    It's a couple of years since I did this so my memory is a bit vague... :(
    Did you install the peap plugin on the workstation, if I remeber correctly this was needed?
    http://support.arubanetworks.com/TOO...4/Default.aspx
    Thomas

  • Nokia E51 with 802.1x / EAP-PEAP & EAP-MSCHAPv2 pr...

    Hello,
    I'm trying to connect my phone to a Wireless AP (Cisco AP1130) using 802.1x, EPA-PEAP & EAP-MSCHAPv2 authentication.
    The RADIUS SERVER is M$ IAS.
    Authentication is working with a laptop, but it is not with my phone
    The only difference during the authentication process on the AP is that during Phase 1 my laptop is sending REALM\Username while my phone is sending Username@REALM.
    Does somebody know what should I change in my phone's configuration to make it work ?
    Thanks,
    Ceux qui aiment marcher en rangs sur une musique :
    ce ne peut être que par erreur qu'ils ont reçu un cerveau,
    une moelle épinière leur suffirait amplement. -- Albert Einstein

    Hi,
    Sorry for the late answer since I was "out of the office" for a while
    So here is the process to get the certificate.
    Log in to you IAS Server.
    Open the IAS Service Application.
    Go to "Remote Access Policies".
    Choose the policy that apply to "Wireless Connection"
    Click "Edit Profile" button.
    Choose "Authentication" Tab.
    Click "EAP Methods"
    Choose "Protected EAP (PEAP)" Entry & click "Edit" Button.
    The Next Window will show you the Certificate Issuer Name & Expiration Date.
    Then, click "Start" Button.
    Choose "Run".
    Type "mmc" in the "Run" box.
    Click "File" & Choose "Add/Remove Snap-In".
    Click "Add" Button.
    Choose "Certificates" entry, click "Add" Button & Choose "My User Account" in the "Certificates Snap-In" Window & click Finnish.
    Click "Close" & "OK" Button.
    Expand the "Certificates - Current User" Entry" & "Intermediate Certification Authorities" & Select "Certificate".
    The left window will show you a list of certificate. One of them should have the same name as the one in the "Certificate Issuer" Entry of the IAS Service Application.
    "Right click" on the certificate, choose "All Tasks", the "Export".
    In the new window, click "Next" Button.
    Choose "DER Encoded Binary X.509 (.cer) entry & click "Next" Button.
    Choose a suitable location.
    Click "Next" Button & "Finnish" Button.
    Certificate is now exported.
    You have to install it on your Phone now.
    The most simple way is to copy the certicate on a Web Server and access it with your phone.
    Hope that Help, if you did not already succeed.
    Ceux qui aiment marcher en rangs sur une musique :
    ce ne peut être que par erreur qu'ils ont reçu un cerveau,
    une moelle épinière leur suffirait amplement. -- Albert Einstein

  • 802.1X EAP-PEAP Authentication issue

    Hi Experts,
    I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
    The networks in question  are set up identically, here is an overview:
    Layer 2 security is WPA & WPA2
    WPA - TKIP
    WPA2 - AES
    Auth Key Management is 802.1X
    Radius Servers are microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access absed on AD group.
    This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is setup, you do not get prompted for credentials again, so this issue is ony during intial setup)
    We have recently added another WLAN that uses web auth, pointing to a RADIUS server to. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
    This is the only change I can think of that could possibly be relevant.
    Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
    Debugs as follows:
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
    *Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
    *Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
    *Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
    *Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
    *Oct 11 16:13:01.113: New PMKID: (16)
    *Oct 11 16:13:01.113:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.116: Including PMKID in M1  (16)
    *Oct 11 16:13:01.116:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
    *Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    *Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2  VLAN: 110
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo Frames = N
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 0, flags: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.23.26.53
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   server id: 1.1.1.1  rcvd server id: 172.19.0.50
    *Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
    *Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
    At this point, the client is connected and everything is working.

    Hi,
    It looks like some issue on the client side...
    Thelogs presented here are not related with the Web Auth WLAN and it has no impact on the behavior you are seeing.
    Looking at the logs:
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    ===================
    This logs show exactly what you describe...
    The AAA sends an EAP request asking for the credentials.
    The login pops up and the EAP timeout starts decrementing.
    If the user does not enter credentials, it will expire and another EAP Request is sent.
    If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
    As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
    HTH,
    Tiago

  • 802.1X EAP-PEAP with Apple devices

    We have deployed a variety of wireless networks using Cisco WLC (2504, 5508 and Virtual WLCs) with (1550e, 1260, 2602 access points) and we have been unable to get apple device to successfully authenticate to corporate SSID's that use 802.1X against a Microsoft IAS server. We have spent numerous hours building different profiles with OS-X Server and other profile configuration utilities with no luck.
    Apple devices authenticate just fine to corporate SSIDs if we use autonomous access points using 802.1x against the same Microsoft Radius server but continue to fail when we attempt the same through any of the WLC options referenced above.
    Can anyone shed some light into this issue? It seems that radius request only show up on the IAS logs when something is entered in the "outer identity field"
    Thanks in advance.
    Ivan Chacon

    Complete these steps to troubleshoot the configurations:
    1.    Use the debug lwapp events enable command in order to check if the AP registers with the WLC.
    2.    Check if the RADIUS server receives and validates the authentication request from the wireless client. Check the NAS-IP- Address, date and time in order to verify if the WLC was able to reach the Radius server.
    Check the Passed Authentications and Failed Attempts reports on the Radius server in order to accomplish this.
    3.    You can also use these debug commands in order to troubleshoot AAA authentication:
    •    debug aaa all enable—Configures the debug of all AAA messages.
    •    debug dot1x packet enable—Enables the debug of all dot1x packets.
    Here is a sample output from the debug 802.1x aaa enable command:
    (Cisco Controller) >debug dot1x aaa enable
    4.    Monitor the logs on the WLC in order to check if the RADIUS server receives the user credentials. Click Monitor in order to check the logs from the WLC GUI. From the left-hand side menu, click Statistics and click Radius server from the list of options.
    This is very important because in some cases, the RADIUS server never receives the user credentials if the RADIUS server configuration on the WLC is incorrect.
    This is how the logs appear on the WLC if the RADIUS parameters are configured incorrectly:
    You can use a combination of the show wlan summary command in order to recognize which of your WLANs employ RADIUS server authentication. Then you can view the show client summary command in order to see which MAC addresses (clients) are successfully authenticated on RADIUS WLANs. You can also correlate this with your Raduis attempts or failed attempts logs.
    •    Verify on the controller that RADIUS server is in active state, and not on standby or disabled.
    •    Use the ping command in order to check if the Radius server is reachable from the WLC.
    •    Check if the RADIUS server is selected from the drop down menu of the WLAN (SSID).

  • EAP-PEAP, CCKM & WPA2 AES

    Hi Guys,
    Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
    There appears to multiple conflicting docs about it.
    Cheers,
    Nick

    Hi Nick,
    1. WPA2 (AES) and CCKM do NOT work together properly as most of the experts say like this. (but I have this scenario and still i did not herad any issue from employees)
    2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanism(this is the reason provides by expert).
    3. WPA with cckm works perfectly (as cisco recommanded)
    Regards
    Dont forget to rate helpful posts

  • Big problem with Nokia E60 and EAP-PEAP connection

    At our University we have Wlan now.
    The Lan based on the standart 802.11 b/g with 54 Mbit/s
    The Authentifikation based on the standart 802.1x (Peap) with the connection WPA/TKIP.
    My Firmware:
    V3.0633.09.04
    20-11-06
    RM-49
    Nokia E60
    My Configuration:
    Connection Name: FH-Hof
    Data Bearer:Wireless LAN
    WLAN netw.Name: FHHof
    Network status: Hidden
    WLAN netw.mode: Infrastructure
    WLAN security Mode: WPA/WPA2
    WLAN security settings:
    WPA mode: EAP
    TKIP-Security: allowed
    EAP plugin settings:EAP-PEAP
    User Cert: not defined
    CA Cert: CA-FH-Hof
    username in use: User configured
    username: aschmidt
    real in use: user configured
    realm: FH-Hof
    Allow PEAPv0: yes
    Yes for v1 and v2
    EAP: EAP-mschapv2
    Username: aschmidt
    prompt password: Yes
    password: entered my password
    Extended Settings:
    IPv4-Settings: No Changes
    IPv6-Settings: No Changes
    Proxserver-Address: proxy.fh-hof.de
    Prxy-Port-Number: 3128
    If I started to try the connection I have to enter my Username and my password. After that the handy asked me about my username and password again after a time.
    Now it takes circa one minute and the connection failed.
    The Error-Message ist: No Connection! WPA authentification failed.
    My´account is not blocked.
    Have I to enter any Ciphers?
    Thanks for every help and sorry for my bad English!
    EDIT: Removed non english linkMessage Edited by sailer_one on 27-Apr-200710:07 AM
    Message Edited by sailer_one on 27-Apr-200710:07 AM
    Message Edited by sailer_one on 27-Apr-200710:12 AM
    Message Edited by ajak on 27-Apr-2007 10:21 AM

    also try change "WLAN security Mode" from WPA to 802.1x
    I think Nokia referrs to WPA as WPA-PSK, but when you say TKIP then it also could be 802.1x as TKIP is the encryption used.
    So infact your wireless domain might be a 802.1x/EAP-PEAP/MS-CHAPv2 network.Message Edited by mbil on 30-Apr-200702:58 PM

  • 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication

    I am a network administrator at seven schools, and a few of these schools are now using 802.1x EAP-PEAPv0 (MSCHAPV2) with computer authentication  only, for wireless security. 
    We are a mixture of 2008 and 2003 (Windows Domain) servers running IAS or NPS for RADIUS.  
    I push out the wireless client’s setting via group policy, and the clients are using WZC. 
    Every now and then, a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. 
    To fix this I have to hard wire the computer and do a gpupdate, even though the computer already had the updates applied previously, and is still part of the domain. 
    Many of our classrooms lack network drops, so wireless is the best for us. 
    Except for this one downfall, it is working great. Any help is appreciated.

    Hi Ryan,
    Thanks for posting here.
    Could you discuss the situation that you mentioned “a client will be unable to authenticate/validate during the authentication phase. 
    Some clients this will never happen to and a few it will happen repeatedly. ”
      in detail ? Can you verify if there is any error or warring that relate with this authentication issue recorded in event log on client and radius server ?
    Only certain computers are facing this issue or all?
    What’s OS running on these client computers?
    According the situation right now , I’d like to share some suggections with you:
    1. An 802.1x client may fail to connect to an Radius server if the Trusted Root CA certificate that issued the Radius server certificate is not installed on
    the client computer. Either verify that the trusted root authority is installed on the client computer or disable certificate validation on the client. To disable certificate validation, access the properties of the connection, and on the Authentication tab,
    click Properties. Click to clear the Validate server certificate check box. EAP-TLS requires the installation of a computer certificate on each RADIUS server and a computer or user certificate, or smart card on all clients. PEAP-MS-CHAPv2 requires the installation
    of a computer certificate on each RADIUS server and the root CA certificates of the issuing CAs of the RADIUS server certificate on each of the client computers.
    2. Verify that Radius is configured for the logging of rejected authentication attempts to the event log. Try the connection again, and then check the system
    event log for an IAS event for the failed connection attempt. Use the information in the log to determine the reason the connection attempt was either rejected or discarded. Logging options are configured on the General tab of the Radius server Properties
    dialog.
    3. Any rejected or discarded connection attempt recorded should identify the Connection Request Policy used. A RADIUS request message is processed only if the
    settings of the incoming RADIUS request message match at least one of the connection request policies. Examine the conditions of the policy identified to see where the request fails.
    4. Determine from the IAS system event log entries whether the authentication failure is for computer auth, user auth, or both. By default, Windows performs
    an 802.1x authentication with computer credentials before displaying the Windows logon screen. Another authentication with user credentials is performed after the user has logged on, and if this fails the machine will be disconnected from the network. Similarly,
    if computer authentication fails but user auth is successful, symptoms will include failure to process login scripts or apply group policies and machine password expiration will not be updated since the user will only be able to logon with cached credentials.
    If you use a smart card for authentication, you can only perform user authentication because smart card usage requires manual entry of a personal identification number (PIN). There is no way to provide the PIN to unlock the smart card certificate during computer
    authentication.
    5. Examine the wireless trace logs captured and search for keywords error, failed, failure, or rejected. This should give an indication as to what point in the
    authentication process the failure occurs.
    Meanwhile, I ‘d like suggest you may start troubleshooting with following the guides below and see if it will help:
    Windows Server 2003 Wireless Troubleshooting
    http://technet.microsoft.com/en-us/library/cc773359(WS.10).aspx
    Troubleshooting Windows Vista 802.11 Wireless Connections
    http://technet.microsoft.com/en-us/library/cc766215(WS.10).aspx
    Thanks.
    Tiger Li
    TechNet Subscriber Support in forum
    If you have any feedback on our support, please contact
    [email protected]
    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Random computers running Windows XP have this problem.  It does not happen to all of them at once. 
    It is very random.  A computer that has been connecting to the secure network for weeks will all of a sudden not be able to connect. The message is “attempting to authenticate” and it never makes the connection. 
    I checked if logging is turned on and I can see successful events from computers that are working. 
    I can also see failed events from computers that are not ours that tried to connect to our wireless. 
    However for the computers that are having this problem there are no logged events. 
    It is as if they don’t even communicate with the server. 
    Other clients on the same AP are working fine.  I rebooted the IAS service, and RADIUS clients, but this did not help. 
    I also checked all the settings and they are correct, using PEAP, and validating the server certificate is disabled. 
    I did notice that the firewall is also turned on through group policy when the domain is not available.
       Do you think the firewall is blocking the communication? 
    I added an exception to port 1812 UDP and this did not make a difference.

  • WPA2 EAP-PEAP error, may be Windows Server 2008 or...

    I've studied posts like /t5/Connectivity/Not-able-to-connect-to-company-WLAN-WPA2-AES-PEAP-with-E71/m-p/420301/highlight/tru... , updated firmware, no joy. On E71, get
    WLAN: EAP-PEAP authentication failed
    In the event log of the domain controller+NPS server, get:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/19/2010 10:24:18 AM
    Event ID:      6274
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: Actinium.s********.com
    Description: Network Policy Server discarded the request for a user. Contact the Network Policy Server administrator for more information.
    User:
         Security ID: S****\****
         Account Name: d***@*****.com
         Account Domain: S*******
         Fully Qualified Account Name: S******\*****
    Client Machine:
         Security ID: NULL SID
         Account Name: -
         Fully Qualified Account Name: -
         OS-Version: -
         Called Station Identifier: 000B8651*****
         Calling Station Identifier: 0021FE3****
    NAS:
         NAS IPv4 Address: 10.0.1.253
         NAS IPv6 Address: - NAS Identifier: 10.0.1.253
         NAS Port-Type: Wireless - IEEE 802.11
         NAS Port: 1
    RADIUS Client:
         Client Friendly Name: OAW-4308
         Client IP Address: 10.0.1.253
    Authentication Details:
         Connection Request Policy Name: Secure Wireless Connections
         Network Policy Name: Secure Wireless Connections
         Authentication Provider: Windows Authentication Server: Actinium.s********.com
         Authentication Type: EAP
         EAP Type: -
         Account Session Identifier: -
         Reason Code: 1
         Reason: An internal error occurred. Check the system event log for additional information.
    I get a different "Reason" when I deliberately use the wrong certificate, so that part is probably OK. Tried many combinations of sAMAccountName, userPrincipalName, etc. in user and realm fields. I saw a perhaps related issue with somebody using a maemo device that stopped working when they upgraded to Windows Server 2008 on the back end. No problem with iPhones, Blackberry Storms, laptops.
    Help...

    In the SCVMM world a 'template' is composed of the following: a VHD with an OS that has been generalized (sysprep), virtual hardware profile (settings), and an OS profile.
    The OS profile is required to have a product key.  A MAC activation key at the minimum.  But the key is required.
    If you deploy a VM from a VHD, the same customization assumptions are not at play.  Which is why it succeeds.  (there is no template in this case, there is also no requirement that the OS in the VHD be sysprep'd).
    SCVMM has rules.  And lots of things don't make sense until you begin to understand them and play within them. (I am not saying that the SCVMM rules are a good thing, just saying they exist)
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

  • 802.1x/EAP clarification and implementation

    Dear SIr,
    To setup LEAP authentication using ACS, the client needs a supplicant such as the ACU to run LEAP independent of OS.
    Cisco AP will be the carrier of the EAP message between the client and the Radius server sitting between the client and the server. I know from the fact that Cisco AP support LEAP, PEAP, EAP-TLS, EAP-MD5 and EAP-SIM. From my understanding, those types of EAP mentioned earlier can be relay to the Radius server(ACS), am I right?
    Does it mean that these messages are transparent from the AP point of view? If I replace the Cisco AP with other third party access point that they claim support 802.1x/EAP but they never specify the type of EAP protocol, can I still run LEAP with a third party AP though my client is Cisco and the Radius server is CSACS?
    What type of OS or supplicant support EPA-MD5? I know that Windows XP and 2000 support 802.1x driver, what about their EAP protocol supported on XP and 2000?
    Thanks.
    Delon

    I think the following document will clear most of your doubts,
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008019fea2.shtml

  • Cisco ISE: 802.1x [EAP-TLS] + List of Applicable Hot-Fixes

    Dear Folks,
    Kindly suggest the list of all possible Hot-Fixes required for the Cisco ISE EAP-TLS solution... We have applied 9 HotFixes so far. But, still the connectivity is intermittent. Is there any list for all applicable Hot-Fixes?
    OS = Win 7 SP1 (32/64 Bit) and Win 8
    Thanks,
    Regards,
    Mubasher Sultan

    Hi Mubasher
    KB2481614:      If you’re configuring your 802.1x settings via Group Policy you’ll see      sometimes EAP-PEAP request from clients in your radius server log during      booting even if you’ll set EAP-TLS. This error happened in our case with      1/3 of the boots with some models. The error is caused by a timing problem      during startup. Sometimes the 802.1x is faster and sometimes the Group      Policy is, and if the 802.1x is faster than the default configuration is      taken, which is PEAP. Which lead to a EAP-NAK by the radius server.
    KB980295:      If an initial 802.1x authentication is passed, but a re-authentication      fails, Windows 7 will ignore all later 802.1x requests. This hotfix should      also fix a problem with computers waking up from sleep or hibernation –      but we’ve disabled these features so I can’t comment on them.
    KB976373:      This hotfix is called “A computer that is connected to an IEEE      802.1x-authenticated network via another 802.1x enabled device does not      connect to the correct network”. I can’t comment on this, as we’ve not      deployed 802.1x for our VoIP phones at this point.I would guess it is the      same for Windows 7 too. The linked article tells you to install the patch      and set some registry key to lower the value.
    KB2769121:      A short time ago I found this one: “802.1X authentication fails on a      Windows 7-based or Windows 2008 R2-based computer that has multiple      certificates”. At time of writing I’m not sure if it helps for something      in my setup. According to the symptoms list of the hotfix, it does not,      but maybe it helps for something else, as the one before does.
    KB2736878:      An other error during booting – this time it happens if the read process      starts before the network adapter is initialized. Really seems that they      wanted to get faster boot times, no matter the costs.
    KB2494172:      This hotfix fixes a problem if you’ve installed a valid and invalid      certificate for 802.1x authentication. The workaround is just deleting the      invalid certificate. I’m not sure at this point if it affects also wired      authentication.
    KB976210:This      problem occurs only during automated build processes and if you use an EAP      method which needs user interaction – as I don’t do that I can’t comment      on this hotfix.
    For more information please go through this link:
    http://robert.penz.name/555/list-of-ieee-802-1x-hotfixes-for-windows-7/
    Best Regards:
    Muhammad Munir

  • EAP-PEAP and EAP-TLS on same switched network

    Hello,
    I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
    The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
    I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
    Thanks,
    Guy

    You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
    Good Luck,
    --Jean Paul

Maybe you are looking for