EAP-PEAP, CCKM & WPA2 AES

Hi Guys,
Can someone advise on the pros/cons implementing both WPA2 (AES) and CCKM to a single WLAN running 802.1x (EAP-PEAP)?
There appears to multiple conflicting docs about it.
Cheers,
Nick

Hi Nick,
1. WPA2 (AES) and CCKM do NOT work together properly as most of the experts say like this. (but I have this scenario and still i did not herad any issue from employees)
2. Most of the clients don't support WPA2 with CCKM combined because they have overlapping roaming mechanism(this is the reason provides by expert).
3. WPA with cckm works perfectly (as cisco recommanded)
Regards
Dont forget to rate helpful posts

Similar Messages

  • WPA2 EAP-PEAP error, may be Windows Server 2008 or...

    I've studied posts like /t5/Connectivity/Not-able-to-connect-to-company-WLAN-WPA2-AES-PEAP-with-E71/m-p/420301/highlight/tru... , updated firmware, no joy. On E71, get
    WLAN: EAP-PEAP authentication failed
    In the event log of the domain controller+NPS server, get:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/19/2010 10:24:18 AM
    Event ID:      6274
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: Actinium.s********.com
    Description: Network Policy Server discarded the request for a user. Contact the Network Policy Server administrator for more information.
    User:
         Security ID: S****\****
         Account Name: d***@*****.com
         Account Domain: S*******
         Fully Qualified Account Name: S******\*****
    Client Machine:
         Security ID: NULL SID
         Account Name: -
         Fully Qualified Account Name: -
         OS-Version: -
         Called Station Identifier: 000B8651*****
         Calling Station Identifier: 0021FE3****
    NAS:
         NAS IPv4 Address: 10.0.1.253
         NAS IPv6 Address: - NAS Identifier: 10.0.1.253
         NAS Port-Type: Wireless - IEEE 802.11
         NAS Port: 1
    RADIUS Client:
         Client Friendly Name: OAW-4308
         Client IP Address: 10.0.1.253
    Authentication Details:
         Connection Request Policy Name: Secure Wireless Connections
         Network Policy Name: Secure Wireless Connections
         Authentication Provider: Windows Authentication Server: Actinium.s********.com
         Authentication Type: EAP
         EAP Type: -
         Account Session Identifier: -
         Reason Code: 1
         Reason: An internal error occurred. Check the system event log for additional information.
    I get a different "Reason" when I deliberately use the wrong certificate, so that part is probably OK. Tried many combinations of sAMAccountName, userPrincipalName, etc. in user and realm fields. I saw a perhaps related issue with somebody using a maemo device that stopped working when they upgraded to Windows Server 2008 on the back end. No problem with iPhones, Blackberry Storms, laptops.
    Help...

    In the SCVMM world a 'template' is composed of the following: a VHD with an OS that has been generalized (sysprep), virtual hardware profile (settings), and an OS profile.
    The OS profile is required to have a product key.  A MAC activation key at the minimum.  But the key is required.
    If you deploy a VM from a VHD, the same customization assumptions are not at play.  Which is why it succeeds.  (there is no template in this case, there is also no requirement that the OS in the VHD be sysprep'd).
    SCVMM has rules.  And lots of things don't make sense until you begin to understand them and play within them. (I am not saying that the SCVMM rules are a good thing, just saying they exist)
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

  • How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...

    I am trying to connect to the company network, but it always shows "PEAP authentication failed".
    There are only instructions for iPhone and PC.
    security : WPA2-Enterprise
    authority certificate : None
    Security Type : PEAP
    Inner Link Security : EAP-MSCHAPv2
    additionally MAC address filtering.
    The access point I set is as follows:
    network status: public
    wLAN network mode: infrastructure
    security: WPA/WPA2
    WPA2 only mode: off
    EAP plug-in setting: EAP-PEAP enable only
    personal certificate: not defined
    authority certificate: not defined
    user name: user-defined   BLANK
    realm in use: user-defined   BLANK
    allow PEAPv0
    MSCHAPv2
    user name: username
    password: mypassword
    We have domain, but there are no command about domain in iPhone guide. 
    Is there anything wrong of my setting?

    WPA2-Enterprise is not supported on your device.
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • E61i, Acces point config with WPA2, EAP-PEAP and ...

    How can you activate the AES encryption on a Nokia E61i.
    I'm running the 1.0633.62.05 firmware.
    In documentation I've found there is mentioned I need to disable the TKIP encryption but this option is not available
     Select “WLAN security sett.”
    • In “WPA mode” choose EAP
    ● In “TKIP encryption” choose Not allowed (thus enabling AES encryption)
     Disable everything except EAP-PEAP
     Highlight EAP-PEAP
    • Choose “EAP plug-in settings”le
    They mention firmware above 2.xxx but this one is not available
    Any hints ?

    Hey all, It seems I have the same problem!!! I don't know whats the problem. I asked the guys in IT support in my school about this problem and they told me that the phone has to support PEAP-Enterprise in order to be able to connect.. I don't know what does that mean but if anyone guys can help here, it will be soooo respected!! I am using the new firmware ,by the way. TKIP is not exist in the connection settings anywhere!!! and the message is exactly "Unable to Connect. WPA authentication failed" .... help help pleaseeeeeeeeeeeeeeeee

  • Does 7921 support WPA2+AES+PKC?

    Does Cisco IP Phone 7921G support WPA2+AES+PKC? I know it supports WPA2+AES, but documentation is not clear if it supports PKC.
    Or do I _have to_ use WPA+TKIP+CCKM to support fast secure roaming in CUWN environment?
    VoWLAN design guide 4.1 recommends using WPA+TKIP+CCKM. Is that because the phone doesn't support PKC? Is that going to change?

    Ok first off the 7921G and 7925G are WPA/WPA2 certified.
    7921G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA5040
    7925G
    http://certifications.wi-fi.org/pdf_certificate.php?cid=WFA6945
    The 7921G is not officially WPA/WPA2 Enterprise certified as we didn't support certicate based authentication at the time (PEAP and EAP-TLS), but do now and the 7925G code is the same as the 7921G, just a slightly different hardware.
    As for the 792xG Deployment Guides, I am the one that wrote those docs. :)
    There is a statement there in regards to WPA2+CCKM on page 10.
    Also WPA2(TKIP) is not a common or recommended configuration. If wanting to use WPA2 key-management it is also advised to use AES.
    But the 792xG does support all those methods, but only supports fast roaming (CCKM) with WPA(TKIP) at the moment.
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/6_0/english/deployment/guide/7921dply.pdf
    Cisco Centralized Key Management (CCKM)
    When using 802.1x type authentication, you should implement CCKM for authentication. 802.1x can introduce delay during
    roaming due to its requirement for full re-authentication. CCKM centralizes the key management and reduces the number of
    key exchanges. Also, WPA introduces additional transient keys and can lengthen roaming time.
    TKIP encryption is recommended when using CCKM for fast roaming as CCKM does not support AES currently.

  • WLC 5508 Web Auth and EAP / PEAP

       Morning all, I'm looking for some clarification.
    Current setup:
    I work in a school, a few years age I installed a 4400 WLC and several APs as a proof of concept exercise to see whether wireless technology would be of benefit to teaching and learning. It was deemed to be so.
    This summer I installed 2 x 5508 WLCs and increased AP coverage to 50 - copied over the configs from the old controller - all works fine.
    Currently only the staff can access the WLANs with the exception of a public WLAN in the canteen area.
    Because there are a limited number of devices, WPA2 in conjunction with MAC filtering was used. However the school wants to open the wireless network to all of the students - potentially this means up to 1000 devices that will no doubt change on a regular basis so MAC filtering is out.
    In line with child protection policies I need an 'auditable' trail when students access wireless resources.
    Planned setup:
    I have setup a test WLAN that uses Web Auth - the WLC is configured to pass authentication requests  ( through an ASA ) onto a RADIUS server which is tied into AD. I have a CA setup as well as a NAP server.
    There is no layer 2 security set on the test WLAN and layer 3 is just web authentication. From any mobile device I can authenticate against AD and gain access to the Internet.
    Clarification:
    With no layer 2 security the WLAN is exposed so I need to introduce some form of end to end encryption - so I am looking at deploying EAP / PEAP.
    Would the introduction of EAP / PEAP keep the network as secure as if I was using WPA2 ?
    Many thanks.

    If you are web authentication you cannot use dot1x as L2 security , so EAP is not an option.
    But you can use preshared security , like WPA2 AES with web auth to insure that the traffic is encrypted.
    or you can define a wlan profile with dot1x security on l2 and nothing on l3 , by doing so you would definetely hit the utmost security poossible.
    Check the following link which contain couple of EAP config examples:
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/tech_configuration_examples_list.html
    Please make sure to rate correct answers

  • E63: WLAN; EAP (PEAP) settings.

    I am a student at UCT. They use a WLAN, with a WPA security mode. The EAP settings i have tried are not working and neither I nor the computer guy could figure it out.
    The WLAN settings I have set are as follows:
    WPA/WPA2 is EAP.
    WPA2 only mode is OFF.
    The EAP plug-in settings are:
    All types of EAPs are disabled apart from the EAP-PEAP.
    those settings are then as follows.
    Personal certificate is NOT DEFINED.
    Authority certificate is Thawte Premium.
    user name in use is USER DEFINED.
    User name is my user name.
    Realm in Use is USER DEFINED.
    Realm is the relevant realm.
    Allow PEAPv0 is yes.
    Allow PEAPv1 is yes.
    Allow PEAPv2 is no. 
    The EAPs: the only one which is active is the EAP-MSCHAPv2.
    Those settings are my user name 
    Prompt password YES
    My password is entered.
    The in terms of Ciphers I have 5 which are selected. I don't know what they do so I have not played with them too much.
    The enabled ones are:
     RSA, 3DES, SHA
    DHE-RSA,3DES, SHA
    DHE-DSS,3DES,SHA
    RSA, AES, SHA
    DHE-RSA, AES, SHA
     I have also tried connecting leaving all else the same but activating all ciphers and then again with no ciphers active.
    The problems i experience are either a endless cycle where i have to enter my user name and password or it simply says 'no gateway reply'.
    Assistance in this would be greatly appreciated as this is one of the primary functions I bought this phone for. 
    Thanks H 

    Are you sure you are using the right certificates and why dont you allow PEAPv2? You might need a personal certificate. Switch off the automatic settings in the advanced settings of your WLAN, scroll down to Power saving and disable to avoid "no gateway".
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • 802.1X EAP-PEAP Authentication issue

    Hi Experts,
    I am experiencing an issue where the authentication process for two of my Wireless networks prompts the user to enter their credentials at least two times before letting them onto the network.
    The networks in question  are set up identically, here is an overview:
    Layer 2 security is WPA & WPA2
    WPA - TKIP
    WPA2 - AES
    Auth Key Management is 802.1X
    Radius Servers are microsoft Windows 2008 Network Policy Service (Used to be IAS) - All users are in Active Directory and IAS policy allows access absed on AD group.
    This has all worked fine previously and still works fine if you enter the username/password combo at least twice on the initial profile setup. (For info, once the wireless profile is setup, you do not get prompted for credentials again, so this issue is ony during intial setup)
    We have recently added another WLAN that uses web auth, pointing to a RADIUS server to. In order to get this going, we changed the "Web Radius Authentication" setting to "CHAP" from "PAP" under the Controller . General config.
    This is the only change I can think of that could possibly be relevant.
    Would anyone be able to shed any light on why I would be prompted to authenticate twice? Affected clients are Windows 7 and Mac OSX at the mo.
    Debugs as follows:
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 apfProcessProbeReq (apf_80211.c:4598) Changing state for mobile 00:23:12:08:25:28 on AP 00:13:5f:fb:0f:40 from Idle to Probe
    *Oct 11 16:12:10.237: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.238: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.247: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:10.388: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.076: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.077: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.086: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.228: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.229: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:11.239: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.296: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.305: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.306: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.317: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.448: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.449: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.458: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.459: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.600: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:14.610: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.715: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.725: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.868: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:16.878: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:17.031: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.927: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.934: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:19.938: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.080: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.090: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.233: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:20.243: 00:23:12:08:25:28 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 apfMsExpireCallback (apf_ms.c:417) Expiring Mobile!
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [00:13:5f:fb:0f:40]
    *Oct 11 16:12:24.941: 00:23:12:08:25:28 Deleting mobile on AP 00:13:5f:fb:0f:40(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Adding mobile on LWAPP AP 00:11:5c:14:6d:d0(0)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Reassociation received from mobile on AP 00:11:5c:14:6d:d0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (8): 139 150 24 36 48 72 96 108 0 0 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 STA - rates (10): 139 150 24 36 48 72 96 108 12 18 0 0 0 0 0 0
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Processing RSN IE type 48, length 20 for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 Received RSN IE with 0 PMKIDs from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Initializing policy
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)
    *Oct 11 16:12:25.219: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfPemAddUser2 (apf_policy.c:208) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Idle to Associated
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Stopping deletion of Mobile Station: (callerId: 48)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 Sending Assoc Response to station on BSSID 00:11:5c:14:6d:d0 (status 0)
    *Oct 11 16:12:25.220: 00:23:12:08:25:28 apfProcessAssocReq (apf_80211.c:4310) Changing state for mobile 00:23:12:08:25:28 on AP 00:11:5c:14:6d:d0 from Associated to Associated
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Disable re-auth, use PMK lifetime.
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Connecting state
    *Oct 11 16:12:25.223: 00:23:12:08:25:28 Sending EAP-Request/Identity to mobile 00:23:12:08:25:28 (EAP Id 1)
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Received Identity Response (count=1) from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 EAP State update from Connecting to Authenticating for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticating state
    *Oct 11 16:12:25.243: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.250: 00:23:12:08:25:28 Entering Backend Auth Req state (id=2) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.251: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 2)
    *Oct 11 16:12:25.260: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 2, EAP Type 25)
    *Oct 11 16:12:25.262: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Entering Backend Auth Req state (id=3) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.265: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 3)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 3, EAP Type 25)
    *Oct 11 16:12:25.269: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.270: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Entering Backend Auth Req state (id=4) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.271: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 4)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 4, EAP Type 25)
    *Oct 11 16:12:25.274: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Entering Backend Auth Req state (id=5) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.275: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 5)
    *Oct 11 16:12:25.285: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 5, EAP Type 25)
    *Oct 11 16:12:25.286: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Entering Backend Auth Req state (id=6) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.292: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 6)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 6, EAP Type 25)
    *Oct 11 16:12:25.318: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Entering Backend Auth Req state (id=7) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.320: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 7)
    *Oct 11 16:12:25.321: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 7, EAP Type 25)
    *Oct 11 16:12:25.323: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Entering Backend Auth Req state (id=8) for mobile 00:23:12:08:25:28
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 8, EAP Type 25)
    *Oct 11 16:13:01.094: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Entering Backend Auth Req state (id=9) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.098: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 9)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 9, EAP Type 25)
    *Oct 11 16:13:01.102: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Processing Access-Challenge for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Entering Backend Auth Req state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.106: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Received EAP Response from mobile 00:23:12:08:25:28 (EAP Id 10, EAP Type 25)
    *Oct 11 16:13:01.108: 00:23:12:08:25:28 Entering Backend Auth Response state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Processing Access-Accept for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Setting re-auth timeout to 7200 seconds, got from WLAN config.
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Station 00:23:12:08:25:28 setting dot1x reauth timeout = 7200
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Creating a PKC PMKID Cache entry for station 00:23:12:08:25:28 (RSN 2)
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Adding BSSID 00:11:5c:14:6d:d3 to PMKID cache for station 00:23:12:08:25:28
    *Oct 11 16:13:01.113: New PMKID: (16)
    *Oct 11 16:13:01.113:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.113: 00:23:12:08:25:28 Disabling re-auth since PMK lifetime can take care of same.
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 PMK sent to mobility group
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAP-Success to mobile 00:23:12:08:25:28 (EAP Id 10)
    *Oct 11 16:13:01.116: Including PMKID in M1  (16)
    *Oct 11 16:13:01.116:      [0000] 15 9e 3d 61 e3 94 bb 82 2b 6f 7e 05 74 49 81 52
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Starting key exchange to mobile 00:23:12:08:25:28, data packets will be dropped
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Entering Backend Auth Success state (id=10) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 Received Auth Success while in Authenticating state for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.116: 00:23:12:08:25:28 dot1x - moving mobile 00:23:12:08:25:28 into Authenticated state
    *Oct 11 16:13:01.996: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    *Oct 11 16:13:01.997: 00:23:12:08:25:28 Retransmit 1 of EAPOL-Key M1 (length 121) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Received EAPOL-key in PTK_START state (message 2) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.999: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.000: 00:23:12:08:25:28 Sending EAPOL-Key Message to mobile 00:23:12:08:25:28
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.02
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-Key from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.002: 00:23:12:08:25:28 0.0.0.0 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:11:5c:14:6d:d0 vapId 4 apVapId 4
    *Oct 11 16:13:02.004: 00:23:12:08:25:28 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *Oct 11 16:13:02.006: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4391, Adding TMP rule
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo F
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:02.007: 00:23:12:08:25:28 Stopping retransmission timer for mobile 00:23:12:08:25:28
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:02.010: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:02.283: 00:23:12:08:25:28 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4072, Adding TMP rule
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Replacing Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumb
    *Oct 11 16:13:03.906: 00:23:12:08:25:28 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *Oct 11 16:13:03.909: 00:23:12:08:25:28 Sent an XID frame
    *Oct 11 16:13:04.879: 00:23:12:08:25:28 DHCP received op BOOTREQUEST (1) (len 308, port 29, encap 0xec03)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selecting relay 1 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP selected relay 1 - 172.19.0.50 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.880: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selecting relay 2 - control block settings:
                dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
                dhcpGateway: 0.0.0.0, dhcpRelay: 172.23.24.2  VLAN: 110
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP selected relay 2 - 172.19.0.51 (local address 172.23.24.2, gateway 172.23.24.1, VLAN 110, port 29)
    *Oct 11 16:13:04.881: 00:23:12:08:25:28 DHCP transmitting DHCP REQUEST (3)
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 4, flags: 0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 172.23.24.2
    *Oct 11 16:13:04.883: 00:23:12:08:25:28 DHCP   requested ip: 172.23.26.53
    *Oct 11 16:13:04.885: 00:23:12:08:25:28 DHCP sending REQUEST to 172.23.24.1 (len 350, port 29, vlan 110)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 DHCP setting server from ACK (server 172.19.0.50, yiaddr 172.23.26.53)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
    *Oct 11 16:13:04.890: 00:23:12:08:25:28 172.23.26.53 RUN (20) Reached PLUMBFASTPATH: from line 4856
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 00:11:5c:14:6d:d0, slot 0, interface = 29, QOS = 0
      ACL Id = 255, Jumbo Frames = N
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 172.23.26.53 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 Assigning Address 172.23.26.53 to mobile
    *Oct 11 16:13:04.891: 00:23:12:08:25:28 DHCP sending REPLY to STA (len 430, port 29, vlan 0)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP transmitting DHCP ACK (5)
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   xid: 0x53839a5f (1401133663), secs: 0, flags: 0
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   chaddr: 00:23:12:08:25:28
    *Oct 11 16:13:04.892: 00:23:12:08:25:28 DHCP   ciaddr: 0.0.0.0,  yiaddr: 172.23.26.53
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *Oct 11 16:13:04.894: 00:23:12:08:25:28 DHCP   server id: 1.1.1.1  rcvd server id: 172.19.0.50
    *Oct 11 16:13:04.898: 00:23:12:08:25:28 172.23.26.53 Added NPU entry of type 1, dtlFlags 0x0
    *Oct 11 16:13:04.900: 00:23:12:08:25:28 Sending a gratuitous ARP for 172.23.26.53, VLAN Id 110
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP received op BOOTREPLY (2) (len 327, port 29, encap 0xec00)
    *Oct 11 16:13:04.907: 00:23:12:08:25:28 DHCP dropping ACK from 172.19.0.51 (yiaddr: 172.23.26.53)
    At this point, the client is connected and everything is working.

    Hi,
    It looks like some issue on the client side...
    Thelogs presented here are not related with the Web Auth WLAN and it has no impact on the behavior you are seeing.
    Looking at the logs:
    *Oct 11 16:12:25.326: 00:23:12:08:25:28 Sending EAP Request from AAA to mobile 00:23:12:08:25:28 (EAP Id 8)
    At this point, the username and password dialog pops up again.
    If credentials are not entered, the following timeout message pops up....
    *Oct 11 16:12:53.973: 00:23:12:08:25:28 802.1x 'timeoutEvt' Timer expired for station 00:23:12:08:25:28
    If the credentials are re-entered the it continues:
    *Oct 11 16:12:53.975: 00:23:12:08:25:28 Retransmit 1 of EAP-Request (length 79) for mobile 00:23:12:08:25:28
    *Oct 11 16:13:01.093: 00:23:12:08:25:28 Received EAPOL EAPPKT from mobile 00:23:12:08:25:28
    ===================
    This logs show exactly what you describe...
    The AAA sends an EAP request asking for the credentials.
    The login pops up and the EAP timeout starts decrementing.
    If the user does not enter credentials, it will expire and another EAP Request is sent.
    If you let the EAP timeout it is expected that you enter credentials twice, if by the time you press enter, the timeout has already expired.
    As you say, if you have a profile configured, this should not happen and the authentication should be smooth.
    HTH,
    Tiago

  • WPA2\AES and PSK

    We have a situation that we need to implement WPA2, AES with PSK on our WLC. If I put a complex passphrase of 63 ASCI characters, how safe is my wireless network? After reading multiple forums, it seems that is quite safe, even if this setup is design for a home or medium office.
    Your feedback is very much appreciated.
    Thank you.

    As far as the security algorithm itself is concerned, a very long, random PSK is extremely secure.
    However, there are human factor issues that come into play: that long PSK has to be written down somewhere and that location must be kept secure; the number of people who have access to the key must be limited and all of them must carefully maintain the security of the key; if the key is compromised you must manually change the keys on all clients; etc.
    Another issue is that with a PSK you have no way to map a given wireless connection to any individual user, as you would with 802.1X. So if an EAP account is compromised you at least know who to yell at, whereas if your key is compromised you have no clue.
    Nobody's going to crack a 63-character passphrase using over-the-air tools. But they won't bother. They'll just find a way to get into your helpdesk office and take a picture of the whiteboard where it's written down.

  • WPA2-AES with Certifiacte authentication in WLC

    Hello,
    I have currently setup with 1200 series AP's as a Stand alone, the authentication is done via radius  with Certiface Installed in Client Domain Laptops (WPA2 + AES). The certificate is installed on the domain laptops and when I connect wireless it shows up as WPA2 (Peap). As we migrating to WLAN Controller we unable to authenticate the client with WPA2 AES. In controller if we enable PSK ( Preshared key) its works fine. with 802.1x the authentication not happening and I am getting the error as RADIUS is not responding. But we dont have a control with RADIUS which is in Remote Site. Can some one guide me in RADIUS what needs to check, and with IOS AP its works fine.
    Thanks in Advance

    You will need to have access to your RADIUS server to set up your controller to support PEAp, its not as simple as upgrading the aps and adding a controller as the controller will need adding as a client to the RADIUS server as a client and depending on your remote access policies adding into the RAS policy. You will need to liaise with the RADIUS support team

  • EAP-PEAP setting on Nokia E6 crashes!

    I just updated my Nokia E6 to Symbian Belle. When I try to edit the EAP-PEAP settings for my corporate WPA2 secured network, the settings simply crashes and returns to the home screen.

    Hi Eelke,
    I've had the same problem as you for two days now, but finaly solved it ...
    The important thing is to NOT use the Option -> Edit (just craches ... must be a bug)
    Instead tap on the EAP-PEAP option. Also when disabeling/enabeling I pressed the screen and held finger there and an option menu will appear (or if not enabled it will enable the option).
    Hope this works for you as well. I just created an account to be able to post this for you :-), since the post came up on a google search I did.
    Surfin' Swede

  • WLC-4404. WPA2 - AES (L2) - Microsoft IAS- unable to authenticate

    Hi am upgrading from EAP - TLS with WEP to WPA2 - AES with smartcard / machine certificates. AAA server is Microsoft IAS. New SSID and config for WPA2 looks straightforward.
    Created new policy for this SSID on IAS, again looks straightforward. Unable to authenticate, debug on WLC looks as though not all server to client transactions are taking place , no EAPOL messages etc.
    Any ideas?

    This mostly occurs due to incompatibility on the client side. Try these steps in order to fix this issue:
    Check if the client is Wi-Fi certified for WPA2 and check the configuration of the client for WPA2.
    Check the data sheet in order to see if the client Utility supports WPA2. Install any patch released by the vendor to support WPA2. If you use Windows Utility, make sure that you have installed the WPA2 patch from Microsoft in order to support WPA2.
    Upgrade the client's Driver and Firmware.
    Turn off Aironet extensions on the WLAN.

  • EAP-PEAP on N80 ?

    Hi,
    Are there ANYBODY, who has this working on N80 latest fw ?
    I simply can not get this to work.
    Its the same as with LEAP: I get user auth ok, but doesnt receive any IP, and static IP on phone doesnt work eighter.
    I would like to hear if you personally have EAPPEAP/MSCHAPv2 running on N80's ?
    And if yes, what settings you run ?

    I have a new N80 (firmware version 4.0623.0.42 RM-92,
    not IE edition) and have successfully used it with
    EAP-PEAP and EAP-MSCHAPv2 on our University network.
    I have the following settings:
    Connection Name: Whatever you like
    Data Bearer: Wireless LAN
    WLAN netw. name: your network ssid
    Network Status: public
    WLAN network mode: Infrastructure
    WLAN security mode: WPA/WPA2
    WLAN security settings =>
    WPA mode: EAP
    TKIP encryption: allowed
    EAP plug-in settings =>
    EAP-PEAP selected and first. All others disabled.
    EAP-PEAP configure =>
    User Certificate: not defined
    CA Certificate: Thawte Premium Server CA
    User Name in Use: from Certificate
    User Name: empty
    Realm in Use: from Certificate
    Realm: Empty
    Allow PEAPv0: yes
    Allow PEAPv1: yes
    Allow PEAPv2: yes
    EAP-types: =>
    EAP-MSCHAPv2 selected and first. All others disabled.
    EAP-MSCHAPv2 configure: =>
    User Name: Your user name
    Prompt Password: Your choice
    Password: Your password
    Ciphers:
    RSA,3DES,SHA selected and first. All other selected.
    I have also successfully used WEP shared key with
    MAC filtering on my home network.
    home network

  • N8 - It can't connect on EAP-PEAP network! Help!

    I went to IT department of my University hoping they could give me the right certificate and the right configurations, they did so, then I installed that but I still can't connect! I have searched around the other topics, and the solution was basically on getting the right certificate and changing some configs. Any suggestions?
    Here are my configs:
    Wi-Fi Security Mode: 802.1x
    WPA/WPA2: EAP
    EAP Plugin settings: Just EAP-PEAP enabled, others are disabled.
    Personal Certificate: Not Defined
    Authority Certificate: Unoesc (http://www.unoesc.edu.br/funoesc.crt)
    Username in use: 164334
    Real in Use: User Defined
    Realm: unoesc
    TLS privacy: off
    Allow PEAPv0: Yes
    Allow PEAPv1: No
    Allow PEAPv2: No

    I forgot to mention that only EAP-MSCHAPv2 is enabled, with my username that is "164334" and my password.

  • Big problem with Nokia E60 and EAP-PEAP connection

    At our University we have Wlan now.
    The Lan based on the standart 802.11 b/g with 54 Mbit/s
    The Authentifikation based on the standart 802.1x (Peap) with the connection WPA/TKIP.
    My Firmware:
    V3.0633.09.04
    20-11-06
    RM-49
    Nokia E60
    My Configuration:
    Connection Name: FH-Hof
    Data Bearer:Wireless LAN
    WLAN netw.Name: FHHof
    Network status: Hidden
    WLAN netw.mode: Infrastructure
    WLAN security Mode: WPA/WPA2
    WLAN security settings:
    WPA mode: EAP
    TKIP-Security: allowed
    EAP plugin settings:EAP-PEAP
    User Cert: not defined
    CA Cert: CA-FH-Hof
    username in use: User configured
    username: aschmidt
    real in use: user configured
    realm: FH-Hof
    Allow PEAPv0: yes
    Yes for v1 and v2
    EAP: EAP-mschapv2
    Username: aschmidt
    prompt password: Yes
    password: entered my password
    Extended Settings:
    IPv4-Settings: No Changes
    IPv6-Settings: No Changes
    Proxserver-Address: proxy.fh-hof.de
    Prxy-Port-Number: 3128
    If I started to try the connection I have to enter my Username and my password. After that the handy asked me about my username and password again after a time.
    Now it takes circa one minute and the connection failed.
    The Error-Message ist: No Connection! WPA authentification failed.
    My´account is not blocked.
    Have I to enter any Ciphers?
    Thanks for every help and sorry for my bad English!
    EDIT: Removed non english linkMessage Edited by sailer_one on 27-Apr-200710:07 AM
    Message Edited by sailer_one on 27-Apr-200710:07 AM
    Message Edited by sailer_one on 27-Apr-200710:12 AM
    Message Edited by ajak on 27-Apr-2007 10:21 AM

    also try change "WLAN security Mode" from WPA to 802.1x
    I think Nokia referrs to WPA as WPA-PSK, but when you say TKIP then it also could be 802.1x as TKIP is the encryption used.
    So infact your wireless domain might be a 802.1x/EAP-PEAP/MS-CHAPv2 network.Message Edited by mbil on 30-Apr-200702:58 PM

Maybe you are looking for

  • How do I use a static reference to keep a VI in memory but then call it in parallel?

    Hello all, I have a MainVI and I want to call from it a SubVI in parallel so that I can have both windows open and responsive at the same time.  The SubVI may be closed and reopened any number of times, but only one in existance at a time.  I know ho

  • Itunes will not launch after fresh install and repeated re-installs

    I've been browsing around the forums here and the support system hoping for an answer to this question. On Monday my hard drive died and I had to buy a new one. I reinstalled windows and itunes among other things. I have a brand new Video Ipod as wel

  • Email signatures not displaying in received emails.

    I can't see the signatures in the emails which I received from other people (not my own signatures in emails I sent out). All my emails are viewed in HTML format. I have no problem when I send an emails with my signature. I still sees it when I recei

  • Sort in Pivot View

    We have created dashboard in OBIEE 11 G. In that dashboard there are reports with Pivot view. When we are trying to sort on columns like quantity and amount it is not getting sorted properly. Can somebody help on this. Thanks in advance.

  • Issuing a Credit memo - G/L account is missing

    Why the error message coming up when you issue a credit memo.  It says the G/L account is missing.  what could be the problem? Thanks SV Reddy