Different wireless clients, should go for LEAP, PEAP or EAP-TLS?
Hi ,
I have a mixture of wireless clients in this customer environment such as PDA, Cisco clients and third party PCMCIA cards.
Customer requires me to propose an EAP authentication method to authenticate them. WHat suits them?
I plan to have authentication done on application level. Could you recommend any?
Thanks.
Delon
Delon
It will more be a matter of what all the clients support, you normally set it up for the least supported client or have different VLANs with different security levels based on what you clients support
LEAP is only on Cisco or CCX certified cards
If you base OS is Windows XP and the client cards they have support EAP then EAP-TLS is a pretty good choice if they will support PEAP then that is even better again.
So to make this choice you really need to know exactly what client cards you have and what they support The AP will support all of them so the choice is based on the clients
Similar Messages
-
PEAP vs EAP-TLS Wireless Authentication Method
Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks,Hi,
I'm looking at implementing Certificate based authentication in my 10k+ user Cisco Wireless Network and currently deciding between PEAP and EAP-TLS.
I read the following post which was very useful, however I see the post was back in 2005 and would like to check if EAP-TLS is easier to deploy now with Windows Server certificate auto-enrollment https://supportforums.cisco.com/thread/2142396.
Is it possible to deploy EAP-TLS reasonably easily with certificate auto-enrollment? We also have iPads on the network and guess certificates will still need to be manually installed on these devices?
We will eventually get ISE and Mobile Iron for BYOD, however they are not in my network and can't use them to deploy certificates yet.
Thanks, -
No longer using Linksys router. Should I uninstall Cisco LEAP, PEAP, and EAP?
Should I uninstall the Cisco LEAP, PEAP, and EAP programs if I am no longer using a Linksys router? I am replacing with an Asus router.
thanks,
KGHi! It's best to uninstall them all if you are not going to use them for the sake of freeing some memory on your computer. Should you change your mind and get a new Linksys router one of these days, I am sure it will come with its own installation software anyway.
-
Possible to select self-signed certificate for client validation when connecting to VPN with EAP-TLS
In windows 8.2, I have a VPN connection configured with PPTP as the outer protocol and EAP : "Smart card or other certificate ..." as the inner protocol. Under properties, in the "When connecting" section I've selected "Use a certificate
on this computer" and un-checked "Use simple certificate selection".
My preference would be to use separate self-signed certificates for all clients rather than having a common root certificate that signed all of the individual client certificates. I've tried creating the self-signed certificate both with and without the
client authentication EKU specified, and I've added the certificate to the trusted root certificate authority store on the client. But when I attempt to connect to the VPN I can not get the self signed certificate to appear on the "Choose a certificate"
drop down.
Are self signed certificates supported for this use in EAP-TLS? If it makes a difference, I'm working with makecert (not working with a certificate server).
TIA,
-RickHi Rick,
Thank you for your patience.
According to your description, would you please let me know what command you were using to make a self-signed certificate by tool makecert? I would like to try to reproduce this issue. Also based on my experience, please let me
know if the certificate has private key associated and be present in the local machine store. Hence, please move the certificate from the trusted root certificate authority store to personal store.
Best regards,
Steven Song
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
EAP-PEAP and EAP-TLS on same switched network
Hello,
I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices use TLS. Over time all will be using TLS, but for now both will the there.
The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
Thanks,
GuyYou are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
Good Luck,
--Jean Paul -
Hi,
Does Cisco have any plan to support PEAP and EAP-TLS in the next release version of ACU?
Thank you.
Regards,
DelonAs far as I know, there is no such plan as of now.
-
Cisco ISE - eap-peap and eap-tls
Hi,
Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
If peap use this identity source, if tls use 'this certificate authentication profile'.
ThxOK,
so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
The authentication policy was allowing EAP-TLS & EAP-PEAP.
I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
Hope that helps.
Mario -
Wireless Client Hardware/Software requirements
We are building a new wireless network full of the 3500 series LWAP. Along with this new wireless network, my boss wants me to provide her with minimum hardware/software specifications for all new wireless clients purchased. I know the basic stuff such as 802.11n dual band, etc... I was wondering if anyone had a good list of detailed requirements that would provide me with a best case connection for my wireless clients on the new network that they would share with me.
Thanks for any Help
In a nut shell, i need to make sure the wireless clients we purcahse for our new network can take full advantage of our wireless network. i want to make sure i'm educated on more details besides the basic requirements of 802.11n dual band specification. There must be more detailed technical requiremetns i need to be aware of so I can be sure i don't end up with a bunch of flaky half working wireless clients.thanks for you help. I got the following infomration from sales team
at Cisco. They say it should be sufficient requirements of any proposed wireless clients:
o Provide options to control roaming between wireless access points.
o Dual-band support
o AES support
o 802.1x supplicant support
o CCX (Information can be found at the following link: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html) -
Windows Client cannot connect to wireless LAN through EAP-TLS
I have a Cisco Aironet Access point which cannot be authenticated by a remote RADIUS server to connect to wireless lan through EAP-TLS. These is the debug output from the AAA process.
*Mar 7 10:56:56.337: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:56:56.369: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:56.385: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:56.385: dot11_auth_parse_client_pak: id is not matching req-id:1re
sp-id:2, waiting for response
*Mar 7 10:56:56.401: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:56.717: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:56.717: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:56.785: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:57.097: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:57.097: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:57.101: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:57.393: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:57.393: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:57.397: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:57.673: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:57.673: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:57.677: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:57.953: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:57.953: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:57.957: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:58.317: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:58.317: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:58.321: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:58.685: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:58.685: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:58.685: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:56:58.993: dot11_auth_dot1x_parse_aaa_resp: Received server response:
GET_CHALLENGE_RESPONSE
*Mar 7 10:56:58.993: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server r
esponse
*Mar 7 10:56:59.041: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:57:01.077: Client 0811.9650.8cb0 failed: reached maximum retries
*Mar 7 10:57:08.997: %RADIUS-4-RADIUS_DEAD: RADIUS server 165.72.12.12:1812,181
3 is not responding.
*Mar 7 10:57:08.997: %RADIUS-4-RADIUS_ALIVE: RADIUS server 165.72.12.12:1812,18
13 is being marked alive.
*Mar 7 10:57:14.481: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:57:14.521: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:57:44.521: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authenticatio
n failed
*Mar 7 10:57:44.801: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:57:44.829: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:58:14.829: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authenticatio
n failed
*Mar 7 10:58:15.105: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:58:15.141: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:58:45.141: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authenticatio
n failed
*Mar 7 10:58:45.425: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:58:45.449: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:59:15.449: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authenticatio
n failed
*Mar 7 10:59:15.729: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:59:15.753: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:59:45.753: %DOT11-7-AUTH_FAILED: Station 0811.9650.8cb0 Authenticatio
n failed
*Mar 7 10:59:46.009: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:59:46.037: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:59:50.077: Client 0811.9650.8cb0 failed: reached maximum retries
*Mar 7 10:59:50.349: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:59:50.373: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 10:59:55.077: Client 0811.9650.8cb0 failed: reached maximum retries
*Mar 7 10:59:55.341: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 10:59:55.361: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 11:00:00.077: Client 0811.9650.8cb0 failed: reached maximum retries
*Mar 7 11:00:00.333: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 11:00:00.357: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 11:00:05.077: Client 0811.9650.8cb0 failed: reached maximum retries
*Mar 7 11:00:05.341: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
*Mar 7 11:00:05.365: dot11_auth_parse_client_pak: Received EAPOL packet from 08
11.9650.8cb0
*Mar 7 11:00:10.077: Client 0811.9650.8cb0 failed: reached maximum retriesKindly get verified the configuration and the compatibility if there is a mismatch. Please find the link below for more information on EAP-TLS functions in Access points and clients.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39110 -
Airtunes distortion with wireless clients
I have a wireless network that consists of an Apple Snow Airport Extreme and Apple TV. My MacPro is connected via Ethernet to the Airport Extreme. I regularly play music from my MacPro through my Apple TV with no issues.
But... anyone that comes by with their laptop and connects wirelessly to play music though my Apple TV has a serious problem. The audio is distorted and sounds awful, like it has too much gain and distorts with the last 8-12db of headroom.
Has anyone experienced this? I used to use an Airport Express to play music though my stereo and had the exact same issue. Without doing a lot of experimenting, this issue seems to be related to wireless clients using Airtunes but may be more pervasive.
Any other insight or experiments would be helpful.Just purchased a new Airport Extreme (gigabit) and still have the problem with:
*) Wireless client
*) Wireless music playback (AppleTV, Airport Express)
using Airtunes in iTunes.
This makes no sense that I am the only person having this issue. I have tried a different base station, different playback device, and different wireless client. This is a brand new configuration.
Things still work fine with my MacPro connected via ethernet to the Airport, streaming wirelessly to the AppleTV.
Anybody? -
Hi guys
I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
The endpoints are configured with a username and password. The credentials are created in ISE server.
I create a second policy for wired dot.1x with EAP - PEAP enabled
The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
Thanks in advance.
Sent from Cisco Technical Support iPad AppHi,
There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
Thanks,
Tarik Admani
*Please rate helpful posts* -
ACS Not installing renewed SSL Certificate for PEAP/EAP-TLS?
We recently renewed our SSL certificate through RapidSSL. While attempting to install the new certificate into ACS, I was given the prompt to showing the updated dates, confirmed and installed the new certificate, deleting the old. I restarted ACS, as required, but when trying to enable PEAP or EAP-TLS, I am getting the error "Failed to initialize PEAP or EAP-TLS authentication protocol because ACS certificate is not installed."
The worst part, is that I when I tried to reinstall the old certificate, I am now getting the same problem.
Any suggestions?Matt,
How did you perform the CSR.... did you use ACS or OpenSSL? Also, did you verify that the certificate is in the trusted personal folder on the server?
Scott -
EAP-TLS or PEAP authentication failed during SSL handshake
Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
When I check my log in the failed attemps, there is what I found:
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
06/23/2010
17:39:51
Authen failed
000e.9b6e.e834
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1101
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Networ
06/23/2010
17:39:50
Authen failed
[email protected]
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1098
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Network
[email protected] = my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
2. Secondly, When I check in pass authentications... there is what i saw
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
NAS-Port
NAS-IP-Address
Network Access Profile Name
Shared RAC
Downloadable ACL
System-Posture-Token
Application-Posture-Token
Reason
EAP Type
EAP Type Name
PEAP/EAP-FAST-Clear-Name
Access Device
Network Device Group
06/23/2010
17:30:49
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
06/23/2010
17:29:27
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy---Any ideas on this guys?? In my end, i've been reading some docs... Things started to make sens to me, but I still cannot authenticate, still the same errors. One more thing that catch my attention now is the time it takes to open a telnet session to cisco device which has the ACS for auth server.
My AD(Active Direct) and the ACS server are local same subnet(server subnet). Ping to the ACS from my desktop which is in different subnet is only take 1ms. To confirm that the issue is the ACS server, I decided to use another server in remote location, the telnet connection is way faster than the local ACS.
Let's brain storm together to figure out this guys.
Thanks in advance,
----Paul -
EAP-TLS PEAP FAIL DURING SSH HANDSHAKE
Hi Pros,
I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
When I check my log in the failed attemps, there is what I found:
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
Network Access Profile Name
Authen-Failure-Code
Author-Failure-Code
Author-Data
NAS-Port
NAS-IP-Address
Filter Information
PEAP/EAP-FAST-Clear-Name
EAP Type
EAP Type Name
Reason
Access Device
Network Device Group
06/23/2010
17:39:51
Authen failed
000e.9b6e.e834
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1101
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Networ
06/23/2010
17:39:50
Authen failed
[email protected]
Default Group
000e.9b6e.e834
(Default)
EAP-TLS or PEAP authentication failed during SSL handshake
1098
10.111.22.24
25
MS-PEAP
wbr-1121-zozo-test
Office Network
[email protected]
= my windows active directory name
1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
2. Why sometimes it just shows the MAC of the client for username?
3. Why it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
2. Secondly, When I check in pass authentications... there is what i saw
Date
Time
Message-Type
User-Name
Group-Name
Caller-ID
NAS-Port
NAS-IP-Address
Network Access Profile Name
Shared RAC
Downloadable ACL
System-Posture-Token
Application-Posture-Token
Reason
EAP Type
EAP Type Name
PEAP/EAP-FAST-Clear-Name
Access Device
Network Device Group
06/23/2010
17:30:49
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
06/23/2010
17:29:27
Authen OK
groszozo
NOC Tier 2
10.11.10.105
1
10.111.22.24
(Default)
wbr-1121-zozo-test
Office Network
In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy---I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
Hope this helps. -
EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve
We are running the LWAPP (2006 wlc's and 1242 AP's) and using the ACS 4.0 for authentication. Our users are
experiencing an issue, where they are successfully authenticated the first time, however as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not being able to authenticate again.
We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
Thanks..Here are some configs you can try:
config advanced eap identity-request-timeout 120
config advanced eap identity-request-retries 20
config advanced eap request-timeout 120
config advanced eap request-retries 20
save config
Maybe you are looking for
-
Printing a Special Message in ALV Report
Hi, I have a requirement to print a special message in an ALV report. Customer wants to see this single line message between Report Header and ALV grid. This is a dynamic message to be displayed based on the values in the ALV table. Please suggest me
-
Missing tracking information after restarting Color 1.5.1
Hi, when I do trackings for grades in the Secondary, all works fine. But when I close Color, and open the project with the trackings again, all trackings are lost and In and Out point of the tracking are on the same position (the tracking has a red f
-
I have an unlocked iphone (Australia) and am traveling to Korea. Am I able ot use global roaming there, or does anyone know if I can buy a prepaid SIM and put it in my iphone 4S? Thanks!
-
Pivot table with very large number of columns
Hello, here is the situation: One table that contains raw data; from this table I feed one with extract information (3 fields); I have to turn the content in a pivot table Ro --- Co --- Va A A 1 A B 1 A C 2 B A 11 Turned in A B C... A 1 1 2 B 11 null
-
Not sure what I am doing wrong but when I back to the info panel to take CS5 back to 64-bit mode because some plug ins had been updated but the check box was no longer visible. So I am in 32 bit mode and do not know how to get out. Any ideas what I