E61i, Acces point config with WPA2, EAP-PEAP and ...

Similar Messages

• How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...

  I am trying to connect to the company network, but it always shows "PEAP authentication failed".
  There are only instructions for iPhone and PC.
  security : WPA2-Enterprise
  authority certificate : None
  Security Type : PEAP
  Inner Link Security : EAP-MSCHAPv2
  additionally MAC address filtering.
  The access point I set is as follows:
  network status: public
  wLAN network mode: infrastructure
  security: WPA/WPA2
  WPA2 only mode: off
  EAP plug-in setting: EAP-PEAP enable only
  personal certificate: not defined
  authority certificate: not defined
  user name: user-defined   BLANK
  realm in use: user-defined   BLANK
  allow PEAPv0
  MSCHAPv2
  user name: username
  password: mypassword
  We have domain, but there are no command about domain in iPhone guide. 
  Is there anything wrong of my setting?

  WPA2-Enterprise is not supported on your device.
  ‡Thank you for hitting the Blue/Green Star button‡
  N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

• EAP-PEAP and EAP-TLS on same switched network

  Hello,
  I'd like to enable both EAP-PEAP and EAP-TLS on the same network to support 802.1x authentication. The reasons are because of historical things i.e. 'older' devices use PEAP and newer devices  use TLS. Over time all will be using TLS, but for now both will the there.
  The AAA server is a Cisco ASC (4.2 or 5.1 - don't know yet)
  I've not tested this or so, but I don't think this will be an issue....because from a switch point of view, it is just passing EAP traffic to teh Radius and so the required services need to be made available on the Radius server...is that a correct assumption?
  Thanks,
  Guy

  You are right Guy, the switch just as act as an termediary device. It just passes EAPOL packet between the ACS server and client, and waits till the ACS server authenticate the client(internal DB, or external DB= AD, LDAP). You just need to enable EAP/TLS, MS-CHAP and MS-CHAPv2 for PEAP in the ACS server. Last make sure that your certificates at both side are valid and sign by the CA.
  Good Luck,
  --Jean Paul

• WPA2 EAP-PEAP error, may be Windows Server 2008 or...

  I've studied posts like /t5/Connectivity/Not-able-to-connect-to-company-WLAN-WPA2-AES-PEAP-with-E71/m-p/420301/highlight/tru... , updated firmware, no joy. On E71, get
  WLAN: EAP-PEAP authentication failed
  In the event log of the domain controller+NPS server, get:
  Log Name:      Security
  Source:        Microsoft-Windows-Security-Auditing
  Date:          5/19/2010 10:24:18 AM
  Event ID:      6274
  Task Category: Network Policy Server
  Level: Information
  Keywords: Audit Failure
  User: N/A
  Computer: Actinium.s********.com
  Description: Network Policy Server discarded the request for a user. Contact the Network Policy Server administrator for more information.
  User:
       Security ID: S****\****
       Account Name: d***@*****.com
       Account Domain: S*******
       Fully Qualified Account Name: S******\*****
  Client Machine:
       Security ID: NULL SID
       Account Name: -
       Fully Qualified Account Name: -
       OS-Version: -
       Called Station Identifier: 000B8651*****
       Calling Station Identifier: 0021FE3****
  NAS:
       NAS IPv4 Address: 10.0.1.253
       NAS IPv6 Address: - NAS Identifier: 10.0.1.253
       NAS Port-Type: Wireless - IEEE 802.11
       NAS Port: 1
  RADIUS Client:
       Client Friendly Name: OAW-4308
       Client IP Address: 10.0.1.253
  Authentication Details:
       Connection Request Policy Name: Secure Wireless Connections
       Network Policy Name: Secure Wireless Connections
       Authentication Provider: Windows Authentication Server: Actinium.s********.com
       Authentication Type: EAP
       EAP Type: -
       Account Session Identifier: -
       Reason Code: 1
       Reason: An internal error occurred. Check the system event log for additional information.
  I get a different "Reason" when I deliberately use the wrong certificate, so that part is probably OK. Tried many combinations of sAMAccountName, userPrincipalName, etc. in user and realm fields. I saw a perhaps related issue with somebody using a maemo device that stopped working when they upgraded to Windows Server 2008 on the back end. No problem with iPhones, Blackberry Storms, laptops.
  Help...

  In the SCVMM world a 'template' is composed of the following: a VHD with an OS that has been generalized (sysprep), virtual hardware profile (settings), and an OS profile.
  The OS profile is required to have a product key.  A MAC activation key at the minimum.  But the key is required.
  If you deploy a VM from a VHD, the same customization assumptions are not at play.  Which is why it succeeds.  (there is no template in this case, there is also no requirement that the OS in the VHD be sysprep'd).
  SCVMM has rules.  And lots of things don't make sense until you begin to understand them and play within them. (I am not saying that the SCVMM rules are a good thing, just saying they exist)
  Brian Ehlert
  http://ITProctology.blogspot.com
  Learn. Apply. Repeat.

• WPA2-Enterprise + EAP (PEAP) and 802.1x to authenticate to RADIUS server NPS

  I need to connect my iPhone and my iPad to the corporate wireless network using WPA2-Enterprise and 802.1x to authenticate against a RADIUS server with my corporate user. What is the procedure to configure the clients? Certificates is not necessary on the client. Radius server is a NPS of Microsoft and the WLC is a 5508 of Cisco.
  thanks !!!

  WPA and WPA2 are all actually interim protocols that are used until the standardization of IEEE 802.11i standard. Wi-fi appliance decided that ratification and standardization of 802.11i standards will take more time. So, they came up with WPA.
  Now, WPA2 is advanced version of WPA. WPA2 uses AES as encryption algorithm. Whereas, WPA use TKIP as encryption mode which in turn uses RC4 encryption algorithm.
  WPA and WPA2 are actually are of 2 types respectively.
  WPA/WPA2-PSK - This is mainly for small offices. This uses Pre-Shared Key for authentication.
  WPA/WPA2 -Enterprise - This uses a RADIUS Server for authentication. This is an extension to 802.1x authentication. But this uses stronger encryption scheme(WPA uses RC4 and WPA2 uses AES).
  Any authentication mechanism that involves a separation authentication server for authentication like ACS server is called 802.1x authentication.
  EAP stands for Extensible Authentication Protocol. It refers to the type or method of 802.1x Authentication by the RADIUS/Tacacs server. A RADIUS server can authenticate a wireless client with various EAP methods.
  LEAP is one type of EAP. It uses username and password for authenticating wireless clients. LEAP is cisco proprietory.
  There are also EAP types which uses other user credentials like Certificates, SIM etc for authentcation.
  The following document might clarify your doubts.
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_q_and_a_item09186a00805e8297.shtml

• Certificate renewal with WPA2-Enterprise PEAP MS-CHAPv2

  Hello
  We have a wireless network which is secured with WPA2-Enterprise with PEAP and MS-CHAPv2. The Radius servers (Windows Server 2008r2 with the Radius Feature installed) currently use a public signed certificate. This is about to expire soon and will need to be renewed.
  The clients are non-managed and from all variety (OS, wifi-software, ...).
  The Wifi is 4400 controller based and managed with the new Prime Infrastructure 1.3.
  What is the best way to do the renewal with as little disturbance for the client as possible? The less manual interaction for the end user the better.
  Thanks
  Patrick                 

  Hello Patrick,
  As per your query i can suggest you the following steps-
  Since the root CA is the most critical CA in the hierarchy, you may prefer to have a strategy here that reduces the need to renew the root certificate often.
  The first consideration is choosing the key length of the root's public key and private key pair during setup of the root authority. By using a long key length, which is generally more secure against brute force attack than a shorter key length, you increase the length of time that the CA can use the same private key and have reasonable confidence that it has not been compromised. The second consideration is establishing the validity period of the root certificate itself. In general, you will want to create a root certificate that has a shorter validity period than the estimated lifetime of the key.
  For more information you can refer to the link-
  http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
  Hope this will help you.

• Cisco ISE - eap-peap and eap-tls

  Hi,
  Does anybody have an example of an ISE authentication policy where authentication requests coming from a WLC can be handled by TLS and PEAP?
  I dont seem to get that working, I do however make the ISE application crash with my config which is not the idea.
  If peap use this identity source, if tls use 'this certificate authentication profile'.
  Thx

  OK,
  so I have just fired up my lab and I actually created an Identity Sequence which contained my AD & my certificate profile.
  The authentication policy was allowing EAP-TLS & EAP-PEAP.
  I then created 2 authorization rules, 1 for users and 1 for machines permitting access based on windows AD group.
  What i found out was that the Windows 802.1x supplicant can only support 1 method of authentication, so if you want this to work properly, you need a different supplicant. I think Cisco do a more advanced one, not sure. You can then specifically choose that for machine auth you use EAP-TLS and for User Auth you use EAP-PEAP.
  In my setup. Machine auth ONLY happens when the user logs off the machine and it is sitting at Ctrl+alt+del so that it can still talk to the network and get all relevant updates etc. I found that not only did the machine authenticate using EAP-PEAP, it also authenticated using TLS... I think that is because of the wireless settings I had. I chose EAP-PEAP for wireless settings
  When the user then logs in, the user account authenticates using EAP-PEAP. I dont think you can authenticate both the logged on user and the machine at the same time. Not with the native windows supplicant anyway. Windows either sends authentication request for the user or the machine but not both.
  Hope that helps.
  Mario

• Acces point compatible with ipod touch 3G

  I want to tell me what model and brand of Access Point is compatible with my iPod Touch 3G as some internet access point does not provide wifi to my ipod, although it appears online does not grab the signal.
  Thank you.

  Well, dont know, if they have updated the description, or i just wasnt paying attention (probably the second), but i think this afternoon this app said that: https://itunes.apple.com/hu/app/temple-hydration-food-fitness/id661535754?mt=8
  Anyway, now it just says iPod Touch, which in this case probably means 4th and 5th gen.
  I think ive seen it in other apps describtion as well, and will post link next time, but now i just feel stupid
  Thanks for the fast reply!

• Worked fine with WPA2, now WPA and cannot connect

  Hi,
  I had to change the security settings on my router to accommodate another device on my network and now I cannot get my Airport Express to join the network. I've used an ethernet to plug my Macbook into the the AE, changed the security settings, click apply, and still nothing.
  If it matters, my router is a Linksys WRT54GS which it was working fine with before changing the security type.
  Please advise.
  Thank you,
  Jacob

  This indicates that the AirPort Express is not correctly joining the wireless network because the security settings are not compatible. I'm not sure what else to suggest at this point as there are only two available settings that you can use with the Express for WPA...."WPA/WPA2 Personal" and "WPA2 Personal".
  Perhaps there are some additional settings on the Linksys to try? I'm afraid that you may need to return the Linksys to WPA2 to get the green light on the Express.

• EAP-TLS and EAP-PEAP Clients

  Hi guys
  I have installed a dot.1x solution for a customer using ISE. The ip phones have certificate from CUCM server. In the ISE a wired-dot.1x with eqp-tls enabled policy is configured so that when ip phones or PC connect to network they get authenticated using EAP -TLS. I have required certificates imported on pc's and ISE server. That part works absolutely fine.
  Now I have been asked to configure EAP-PEAP for video end points which doesn't support EAP -TLS.
  The endpoints are configured with a username and password. The credentials are created in ISE server.
  I create a second policy for wired dot.1x with EAP - PEAP enabled
  The problem I am hitting is that if the PCM and phone policy is on top. The phone and pc gets authenticated. But video endpoint doesn't. I get authentication error messages saying certificate expected but received credentials.
  When I move the video end point authentication rule above the pc and phones. The video end points get authenticated successfully. But PC and phone authentication breaks. The error message I receive is saying usrname and password expected but received a certificated based authentication.
  Has anyone seen this type of scenario ? Any idea how to make EAP -PEAP and EAP TLS authentication work together ?
  Thanks in advance.
  Sent from Cisco Technical Support iPad App

  Hi,
  There are two ways you can tackle this with ISE, I will start with the easiest one and then the other one to cover your options.
  You need to create an identity store sequence. This allows you to mix both certificate based and password based authentications, keep in mind that you can only map one Certificate authentication Profile in when using identity store sequences. More informations about configuring this is provided below:
  http://www.cisco.com/en/US/docs/security/ise/1.1/user_guide/ise_man_id_stores.html#wp1117203
  The next option would be to use the authentication policy configuration to map the patterns of the username (if common with your video endpoints), to forward their requests to the internal identity store. You can use regex to make this work and you can check for the radius username attribute.
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• EAP-PEAP on N80 ?

  Hi,
  Are there ANYBODY, who has this working on N80 latest fw ?
  I simply can not get this to work.
  Its the same as with LEAP: I get user auth ok, but doesnt receive any IP, and static IP on phone doesnt work eighter.
  I would like to hear if you personally have EAPPEAP/MSCHAPv2 running on N80's ?
  And if yes, what settings you run ?

  I have a new N80 (firmware version 4.0623.0.42 RM-92,
  not IE edition) and have successfully used it with
  EAP-PEAP and EAP-MSCHAPv2 on our University network.
  I have the following settings:
  Connection Name: Whatever you like
  Data Bearer: Wireless LAN
  WLAN netw. name: your network ssid
  Network Status: public
  WLAN network mode: Infrastructure
  WLAN security mode: WPA/WPA2
  WLAN security settings =>
  WPA mode: EAP
  TKIP encryption: allowed
  EAP plug-in settings =>
  EAP-PEAP selected and first. All others disabled.
  EAP-PEAP configure =>
  User Certificate: not defined
  CA Certificate: Thawte Premium Server CA
  User Name in Use: from Certificate
  User Name: empty
  Realm in Use: from Certificate
  Realm: Empty
  Allow PEAPv0: yes
  Allow PEAPv1: yes
  Allow PEAPv2: yes
  EAP-types: =>
  EAP-MSCHAPv2 selected and first. All others disabled.
  EAP-MSCHAPv2 configure: =>
  User Name: Your user name
  Prompt Password: Your choice
  Password: Your password
  Ciphers:
  RSA,3DES,SHA selected and first. All other selected.
  I have also successfully used WEP shared key with
  MAC filtering on my home network.
  home network

• 802.1x EAP-PEAP over Ethernet need help !!!

  I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
  troubleshooting this, I am not sure what else to do.  Need help.  Here
  is the scenario:
  - Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
  - Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
  with IP address of 129.174.2.7.  This device is connected to the same switch above.
  Firewall is OFF on the server, allow ALL,
  - Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
  Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
  on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
  as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
  the port is activate to be "hot".
  - Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
  and that everything is looking fine,
  I have verified that the switch can communicate fine with the radius server.
  - Configuration on the switch for 802.1x:
  aaa new-model
  aaa authentication dot1x default group radius
  radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
  interface FastEthernet0/39
    description windows 2003 Supplicant
    switchport access vlan 401
    switchport mode access
    dot1x port-control auto
    no spanning-tree portfast (does not matter if this is enable or disable)
  lab-sw-1#
  .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
  .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
  .May 20 07:52:47.338: EAPOL pak dump Tx
  .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
  .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
  .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
  lab-sw-1#
  lab-sw-1#sh dot1x interface f0/39
  Dot1x Info for FastEthernet0/39
  PAE                       = AUTHENTICATOR
  PortControl               = AUTO
  ControlDirection          = Both
  HostMode                  = SINGLE_HOST
  Violation Mode            = PROTECT
  ReAuthentication          = Disabled
  QuietPeriod               = 60
  ServerTimeout             = 30
  SuppTimeout               = 30
  ReAuthPeriod              = 3600 (Locally configured)
  ReAuthMax                 = 2
  MaxReq                    = 2
  TxPeriod                  = 30
  RateLimitPeriod           = 0
  lab-sw-1#
  I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
  help me how to make this work.
  Many thanks in advance,

  #1:  dot1x system-auth-control is already in the switch configuration
  #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
  The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

• WPA2-EAP and WPA2-PSK supported Access Points

  Dear Team,
  I have been looking to find the Cisco Access Points that support both:
  WPA2-EAP: Encryption: AES, Authentication: IEEE 802.1X
  WPA2-PSK: Encryption: AES, Authentication: PSK (Pre Shared Key) with more than 21 Characters, combined with MAC address filtering.
  I am confused about this and need help, please advise.
  Regards,
  Farhan

  Sure.  Go HERE.  Click on the APs you want and go to their individual Data Sheets.  Use Ctrl+F and enter "WPA2" (or whatever features you want).

• EAP-PEAP, CCKM & WPA2 AES

  Hi Guys,
  Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
  There appears to multiple conflicting docs about it.
  Cheers,
  Nick

  Hi Nick,
  1. WPA2 (AES) and CCKM do NOT work together properly as most of the experts say like this. (but I have this scenario and still i did not herad any issue from employees)
  2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanism(this is the reason provides by expert).
  3. WPA with cckm works perfectly (as cisco recommanded)
  Regards
  Dont forget to rate helpful posts

• Big problem with Nokia E60 and EAP-PEAP connection

  At our University we have Wlan now.
  The Lan based on the standart 802.11 b/g with 54 Mbit/s
  The Authentifikation based on the standart 802.1x (Peap) with the connection WPA/TKIP.
  My Firmware:
  V3.0633.09.04
  20-11-06
  RM-49
  Nokia E60
  My Configuration:
  Connection Name: FH-Hof
  Data Bearer:Wireless LAN
  WLAN netw.Name: FHHof
  Network status: Hidden
  WLAN netw.mode: Infrastructure
  WLAN security Mode: WPA/WPA2
  WLAN security settings:
  WPA mode: EAP
  TKIP-Security: allowed
  EAP plugin settings:EAP-PEAP
  User Cert: not defined
  CA Cert: CA-FH-Hof
  username in use: User configured
  username: aschmidt
  real in use: user configured
  realm: FH-Hof
  Allow PEAPv0: yes
  Yes for v1 and v2
  EAP: EAP-mschapv2
  Username: aschmidt
  prompt password: Yes
  password: entered my password
  Extended Settings:
  IPv4-Settings: No Changes
  IPv6-Settings: No Changes
  Proxserver-Address: proxy.fh-hof.de
  Prxy-Port-Number: 3128
  If I started to try the connection I have to enter my Username and my password. After that the handy asked me about my username and password again after a time.
  Now it takes circa one minute and the connection failed.
  The Error-Message ist: No Connection! WPA authentification failed.
  My´account is not blocked.
  Have I to enter any Ciphers?
  Thanks for every help and sorry for my bad English!
  EDIT: Removed non english linkMessage Edited by sailer_one on 27-Apr-200710:07 AM
  Message Edited by sailer_one on 27-Apr-200710:07 AM
  Message Edited by sailer_one on 27-Apr-200710:12 AM
  Message Edited by ajak on 27-Apr-2007 10:21 AM

  also try change "WLAN security Mode" from WPA to 802.1x
  I think Nokia referrs to WPA as WPA-PSK, but when you say TKIP then it also could be 802.1x as TKIP is the encryption used.
  So infact your wireless domain might be a 802.1x/EAP-PEAP/MS-CHAPv2 network.Message Edited by mbil on 30-Apr-200702:58 PM