PEAP authentication for laptops
Hi All,
We have created an SSID with 802.1x authentication and WPA2 AES encryption (broadcast). When I try to access the SSID on my Android or Apple mobile, it directly asks for username and password, and it gets authenticated.
Whereas on a Windows 7 laptop, I need to create the SSID profile (and choose the security type and so on) to associate to it. Is there any way the client will be able to connect without any SSID profile configuration on the laptop?
Thanks ,
Regards,
Vijay.
Hello Vijay,
As per your query, I can suggest the following solution:
PEAP authenticates wireless LAN clients using only server-side digital certificates by creating an encrypted SSL/TLS tunnel between the client and the authentication server. The tunnel then protects the subsequent user authentication exchange.
Follow these steps:
1. Open Wi-Fi settings: from the Home screen, press the Menu button and then select 'Settings'.
2. Open Wireless & Networks: select 'Wireless & networks'.
3. Enable Wi-Fi: if 'Wi-Fi' is off, select 'Wi-Fi'.
4. Enter Wi-Fi settings: select 'Wi-Fi settings'.
5. Add the SSID manually: scroll to the bottom of the screen and select 'Add Wi-Fi network'; enter HC_Secure in the Name field.
6. Set Security: select the 'Security' drop-down menu and select '802.1x Enterprise'.
7. Authentication (Phase 2): select the 'Phase 2 authentication' drop-down menu and select 'MSCHAPV2'. Note: you may need to scroll down on the page to access the 'Phase 2 authentication' drop-down menu.
8. Enter your account: enter your HC Network ID in the 'Identity' field and the password in the 'Wireless password' field. Note: you must scroll down on the page to access these fields.
9. Save: select the 'Save' button.
Hope this helps you.
Similar Messages
-
PEAP authentication for domain & non-domain computers
Hello Everyone,
Some of our users have laptops that are not in the domain and are unable to connect to the wireless network. Although their computers aren't in the domain, the users do have an AD account and are currently a part of the security group attached to the Wireless NPS policy. The only remedy I have for this problem is to manually add the SSID to their computer which defeats the purpose of this wireless network. The ultimate goal is to allow the user to connect to the wireless network by entering their domain credentials and moving on.
We have a WLC 2504 running 7.4.110.0 with 15 1602i APs. The SSID is configured to pass 802.1x EAP authentication to NPS running on windows 2008 R2. With mobile phones and tablets, the authentication is successful without a hitch so I don't understand why a non-domain computer is unable to connect without manually entering the SSID. In the WLC log, I will see entries such as:
"AAA Authentication Failure for UserName:host/LastNameFirstInitial-LT.mydomain.Local User Type: WLAN USER".
By examining this log entry, to me it says the domain profile on the computer is being sent to the NPS for authentication instead of the username and password. We have a 3rd party SSL certificate installed on the NPS server.
Taking it one step further - We have a second SSID for guest users that is configured with the same setup except that the NPS is configured to accept authentication attempts from a single AD user called "mydomain\guest". We decided on this approach for the guest wireless network so that we can rotate the password automatically every week with a vbscript that manipulates the password via LDAP. Users with laptops in different domains are unable to connect to the guest wireless network and I'm starting to think the machine authentication is a problem.
Any suggestions would be greatly appreciated.
Thanks,
Ali.
Hi Ali,
That’s all part of the wonderful world of wireless on Windows.
When a connection to a WLAN is made on a Windows machine, by selecting it from the available Wireless Networks list (passive RF scan), and Windows has parsed the 802.11 AP beacon to contain the WPA2, 802.1X element, by default it will attempt to connect with known or active session credentials.
Typically it will be the Machine account (they all have them whether on a Domain or not) and then/or User. This order and preference may change depending on the version of Windows (Vista to Windows 8) and service pack level.
Regardless, the only thing you can count on for sure is that the first authentication attempt from a Windows client will not involve the user entering information. Once the first attempt fails, the Windows supplicant will prompt the user for login information via a notification in the system tray, which may or may not be noticed by the user. It may or may not stay for more than 5 seconds.
Windows XP and Vista were the worst for this. In Windows 7 and Windows 8 this process, recovery and user prompt mechanism is greatly improved but not infallible.
The only way to avoid this would be to manually configure the WLAN profile on the Windows machine as you are currently doing.
Mobile phones and tablets don't have this issue because of the software coding in their supplicants. Besides, the only "system" credentials on an iOS or Android phone are typically your Play Store and App Store accounts, and both vendors know those won't be accepted for network access by default anywhere.
There isn't an easy way to support non-domain Windows systems on a domain-integrated one.
You might want to try adding another SSID.
You could have a corporate SSID, Guest Portal and a third that is PSK + Guest Portal. On NPS you could filter on the RADIUS attribute Called-Station-Id (includes SSID) to allow all domain IDs access instead of just that WLAN.
Or you could look at swapping out NPS for a Cisco ISE VM/appliance; with the new Plus licenses the cost for onboarding devices is lower, and Windows XP and up are supported for supplicant configuration via ISE. -
Hi
I've created a local EAP profile for PEAP authentication and configured user accounts in the WLCs. When I tried to connect to the SSID via my iPhone, a certificate (local WiSM) popped up and I accepted it; then it failed with incorrect username/password. The same username/password works fine with a Windows Vista laptop. Any help?
Thanks
Maybe just show local-auth config, show wlan x, show local-auth statistics?
I am assuming you have only PEAP checked (and nothing else enabled like server cert etc.). iPhone, is it running the latest code?
Thanks..Salil -
Nokia Belle - EAP-PEAP authentication without Cert...
It's time for my half-yearly bickering about the still non-existent support for EAP-PEAP authentication without server certificates on Symbian phones.
Here is my last thread begging for help from Nokia when Anna was released.
/t5/Software-Updates/EAP-PEAP-Authentication-without-Certificate-Is-it-fixed-in/td-p/1072133
My question remains the same. Does the new Nokia Belle support EAP-PEAP authentication without the requirement that a server certificate be present?
I have been living a life of ridicule and have become an object of jokes and punchlines in the office when it comes to the phone that I carry. A lot of people now don't even know that there is a company called Nokia. And when I tell them about it they say "Are you the guy carrying the phone that does not connect to our corporate network?".
If you read that earlier thread you know that none of the exotic workarounds that some have been able to do work with my office, as our network administration has not installed any server certificate whatsoever on the access point.
I am fed up with hearing from Nokia techs that this is supposed to be the secure and right way of doing things. When every other device, every smartphone, tablet, laptop supports this way of connecting to an EAP-PEAP access point, why does Nokia have to keep this stance?
Nokia has kept everything open on the Nokia N8, it has everything that anyone can ask for in a smartphone, so why is Nokia so adamant on this small matter of not requiring a server certificate?
Now that the WP7 line of Lumia devices is on the market, can someone tell me if the problem exists on those phones too? I won't be surprised if this restriction is still there.
With Nokia going downhill so fast, it does not help with this kind of attitude towards diehard Nokia followers.
Can someone from Nokia tech say once and for all if I can ever expect this thing to be fixed?
ramanramany wrote:
What should be an appropriate title for this thread? There was an older thread for the same that I started six months back when Anna was released. So I was expecting something to happen with Belle.
If nothing happens I will probably start a new one when future updates to Symbian in Clara, Donna, Emma, Florina, Georgia, Hanna, Isabelle, Jenna, Kate, Linda, Marie, Nancy, Olivia, Patty, Quinn, Rita, Sabina, Terry, Uma, Vega, Wyome, Xandra, Yetta and Zoe are released.
I hope Symbian (Nokia) lasts that long, but the support of this comes in Belle.
I see no jokes yet... come on guys, isn't anyone subjected to jokes because of this?
At least give me some so I can feed more to the ones going around.
Well, I believe the example of EAP-TTLS + PAP authentication isn't 'without certificates'... it does use certificates, but EAP-TTLS + PAP just doesn't happen to be a supported authentication method with recent Symbian phones.
I'm not any sort of wireless authentication guru, but there's probably a better, more precise description of the authentication support (probably a few methods) that's currently missing in Symbian.
And a couple more details for some wireless authentication methods... I believe Windows users typically have to grab a third-party 'securew2' utility to support some of the more robust (read better, more secure) authentication methods for some networks.
I think one of the more valid arguments for EAP-TTLS + PAP in general, is that I believe it may be part of the 'Eduroam' standard, although MSCHAPv2 may also be substituted for PAP, IIRC... but again, I'm not a wireless authentication guru.
In any case, if well-known, widely-implemented (or soon to be implemented, for good reason) authentication methods aren't supported in Symbian, it just makes Symbian look a bit ridiculous and irrelevant.
Your previous thread was quite good, and it may make sense to keep bumping that thread for updates periodically. I noticed that someone mentioned an MSCHAPv2 scenario in that thread, but again... that's not actually helpful for resolving EAP-TTLS + PAP support, and I think that there's probably a concise way to describe the current 'missing authentication methods support' in Symbian.
It continues to baffle me how Nokia seems to have such a quiet, secretive presence on these forums, when I think it would make much more sense to publicly acknowledge relevant threads/discussions, and make a statement about planned fixes, updates, etc... rather than just have people wonder if/when Nokia is paying any attention to the discussions here. -
Machine authentication for ACS5.1
Hi, I met a problem with machine authentication. Following are the conditions:
1. WLC5508, version 6.0.196
2. ACS 5.1.0.44
3. WIN AD
4. PEAP-MSCHAPv2+machine authentication
The machine auth failed. I checked the log, and it says Machine not found in AD:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - WLAN Access Policy
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started.
12805 Extracted TLS ClientHello message.
12806 Prepared TLS ServerHello message.
12807 Prepared TLS Certificate message.
12810 Prepared TLS ServerDone message.
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message.
12804 Extracted TLS Finished message.
12801 Prepared TLS ChangeCipherSpec message.
12802 Prepared TLS Finished message.
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store -
24431 Authenticating machine against Active Directory
24437 Machine not found in Active Directory
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
11823 EAP-MSCHAP authentication attempt failed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
5411 EAP session timed out
However this machine account definitely is in the AD, what's wrong? Any idea? Thanks in advance!
From your screenshot, the client failed in the "Evaluating Group Mapping Policy"; after "12304 Extracted EAP-Response containing PEAP challenge-response", it says "client sent result TLV indicating failure".
For the normal process, this should be something like:
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
It seems your configuration of MSCHAP has some problem, so double check your PEAP-MSCHAPv2 configuration on both the client and the ACS. In ACS 5.1, it should look like:
In the client, it should look like:
BTW, what have you configured for group mapping? In your case, it seems you don't need it because in the Authorization policy you just used AD1:ExternalGroups instead of Identity Group.
If you can paste your configured AD parameters (General, Directory Groups, Directory Attributes), access policy (General, Allowed Protocol, Identity, Group Mapping, Authorization), and all the steps for the failed auth (including Evaluating Service Selection Policy, Evaluating Identity Policy, Evaluating Group Mapping Policy, Evaluating Authorization Policy), it can help to troubleshoot your problem. -
Hi,
I configured a Cisco AP 1200 IOS with PEAP.
Hereby the AP Config:
aaa new-model
aaa group server radius rad_eap
server 192.168.4.58 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 arp-cache optional
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 184 key 1 size 128bit 7 xxxx transmit-key
encryption vlan 184 mode wep mandatory mic key-hash
encryption key 1 size 128bit 7 xxxxx transmit-key
encryption mode wep mandatory
broadcast-key vlan 184 change 3600
ssid test
vlan 184
authentication open eap eap_methods
authentication network-eap eap_methods
world-mode
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
dot1x reauth-period 1800
dot1x client-timeout 1800
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.184
encapsulation dot1Q 184
no ip route-cache
bridge-group 184
bridge-group 184 subscriber-loop-control
bridge-group 184 block-unknown-source
no bridge-group 184 source-learning
no bridge-group 184 unicast-flooding
bridge-group 184 spanning-disabled
interface FastEthernet0
no ip address
ip accounting output-packets
no ip route-cache
speed 100
full-duplex
interface FastEthernet0.3
encapsulation dot1Q 3 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface FastEthernet0.184
encapsulation dot1Q 184
no ip route-cache
bridge-group 184
no bridge-group 184 source-learning
bridge-group 184 spanning-disabled
interface BVI1
ip address 192.168.4.98 255.255.254.0
ip accounting output-packets
no ip route-cache
ip default-gateway 192.168.4.3
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
radius-server local
radius-server host 192.168.4.58 auth-port 1645 acct-port xxxx key xxx
radius-server timeout 120
radius-server deadtime 1200
radius-server domain-stripping
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server vsa send accounting
bridge 1 protocol ieee
bridge 1 route ip
bridge 184 protocol ieee
We're using a Cisco Wireless client adaptor with the latest ACU version fully installed and configured my client for PEAP. I also configured the Windows XP network settings appropriately.
The RADIUS we are using is a Cisco ACS 3.2.1. We used a Microsoft certificate for the server that we issued ourselves.
Without configuring security, the client can associate with the AP, but when we enable PEAP and I open the ACU status screen, the client associates with the AP but cannot authenticate successfully. Status hangs on 'authenticating'. I don't see any traffic to the RADIUS server.
Who can help us?
Thanks in advance!
I just opened a TAC case on this one, whereby I have already installed the latest client, made sure PEAP is installed, have the latest WAP image, set up network security on the ACU as per the documentation to select "host based EAP (802.1x)" and dynamic WEP, then turned on debug options on the WAP to see the communication between the client and the WAP:
debug radius authentication
debug dot11 aaa dot1x process
debug dot11 aaa dot1x state-machine
Guess what... there is no communication between the client and the WAP for authentication. You can see association and even get an IP address from DHCP but...
The advice as per the TAC engineer is to put in a static WEP key for now and you should get the communication going. They have already noticed this on some calls and have not seen a bug case # assigned to it. They will be working on a fix for the next release. Once you do that you should see the RADIUS and 802.1x communication going on.
After doing this I can then concentrate on why I am not getting PEAP authenticated on our Funk RADIUS EE Server v4.7.
The other thing... remove the "authentication network-eap eap_methods" when you are doing PEAP. You enable that for LEAP, so you have to create a different VLAN for that.
I use 1812/1813 for the radius server.
:-) Ed -
Cisco ISE 1.3 using 802.1x Authentication for wireless clients
Hi,
I have stumbled into a strange issue trying to authenticate a user over wireless. I am using PEAP as the authentication protocol. I have configured my authentication and authorization policy but when I come to authenticate the authorization policy selected is the default which denies access.
I have used the 802.1x compound conditions for matching the machine authentication and then the user authentication
MACHINE AUTHENTICATION
match
framed
Wireless
AD group (machine)
USER AUTHENTICATION
match
framed
Wireless
AD group (USER)
was authenticated = true
Below are the steps taken to authenticate; any ideas would be great.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15006 Matched Default Rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24315 Single matching account found in domain
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
24432 Looking up user in Active Directory - xxx\zzz Support
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
24423 ISE has not been able to confirm previous successful machine authentication
Judging by that line and what your policy says, it appears that your authentication was rejected as your machine was not authenticated prior to this connection.
First thing to check is whether MAR has been enabled on the identity source. Second thing to check is whether your machine is set to send a certificate for authentication. There are other things you can look at but I'd do those two first.
Log off and on, or reboot, and then see if you at least get a failed machine auth on the Operations > Authentication page and we can go from there. -
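The ACS 5.1 log earlier on this page and the ISE 1.3 log in this thread use the same step-code format, and the two failures differ in where the exchange stops: in the first, inner EAP-MSCHAP fails because the machine account is not found; in the second, inner authentication passes but the authorization rule that depends on a prior machine authentication rejects the session. As an added example, not code from the thread or from Cisco, the Python below parses such a step list, reports how far PEAP got and which known failure code explains the result; classify_identity additionally tells a Windows machine credential (host/..., as in the WLC log quoted in the domain/non-domain thread) from a user login. The step-code meanings are taken from the lines quoted on this page, except 11002 (Access-Accept), which is assumed from ISE's standard code table; the two sample logs are constructed abbreviations of the quoted ones.

```python
import re

# Step codes as they appear in the ACS 5.x / ISE "Steps" view quoted on this page.
# Milestones record how far the PEAP exchange got; failure codes explain why it stopped.
MILESTONES = {
    "12816": "tls_handshake_ok",   # outer TLS tunnel established
    "11522": "inner_identity",     # inner EAP identity extracted
    "11814": "inner_auth_passed",  # inner EAP-MSCHAPv2 succeeded
    "12306": "peap_succeeded",
    "11503": "eap_success",        # EAP-Success prepared (not the same as Access-Accept)
}
FAILURES = {
    "24437": "machine account not found in AD: check the computer object, the join point "
             "and the identity store that the identity policy selected",
    "22056": "subject not found in the identity store(s): wrong store or identity source sequence",
    "11823": "inner EAP-MSCHAP failed: wrong credential type (machine vs user), wrong password, "
             "or MSCHAPv2 not allowed by the access service",
    "24423": "MAR: no earlier successful machine auth on record, so a rule requiring "
             "'was machine authenticated' cannot match",
    "15039": "rejected by the authorization profile that matched (here the Default rule)",
    "5411": "EAP session timed out: the supplicant stopped answering, typically after the user "
            "declined the server certificate or never saw the prompt",
    "5434": "several failed authentications of the same scenario",
}
# Final RADIUS outcome. 11002 is not on the page; it is assumed to be Access-Accept.
OUTCOMES = {"11002": "accept", "11003": "reject", "5411": "timeout"}

# Optional 4-5 digit step code, then the step text; lines without a code are kept as text.
LINE_RE = re.compile(r"^\s*(?:(?P<code>\d{4,5})\s+)?(?P<text>\S.*?)\s*$")


def classify_identity(username: str) -> str:
    """Tell a Windows machine credential (host/NAME.domain) from a user login."""
    return "machine" if username.lower().startswith("host/") else "user"


def analyze_steps(log_text: str) -> dict:
    """Summarise one ACS/ISE step log: how far PEAP got, why it stopped, and the RADIUS result."""
    reached, failures, result = [], [], "unknown"
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        code, text = m.group("code"), m.group("text")
        if code in MILESTONES:
            reached.append(MILESTONES[code])
        if code in FAILURES:
            failures.append((code, text))
        if code in OUTCOMES:
            result = OUTCOMES[code]
    if "inner_auth_passed" in reached:
        inner = "passed"
    elif any(code == "11823" for code, _ in failures):
        inner = "failed"
    else:
        inner = "not reached"
    return {
        "tls_ok": "tls_handshake_ok" in reached,
        "inner_auth": inner,
        "eap_success_sent": "eap_success" in reached,
        "result": result,
        "first_failure": failures[0] if failures else None,
        "hint": FAILURES[failures[0][0]] if failures else "no known failure code seen",
    }


# Constructed samples: abbreviated from the two step logs quoted on this page.
ACS_MACHINE_AUTH_FAIL = """\
11001 Received RADIUS Access-Request
12816 TLS handshake succeeded.
12310 PEAP full handshake finished successfully
11522 Extracted EAP-Response/Identity for inner EAP method
24431 Authenticating machine against Active Directory
24437 Machine not found in Active Directory
22056 Subject not found in the applicable identity store(s).
11823 EAP-MSCHAP authentication attempt failed
5411 EAP session timed out
"""

ISE_MAR_REJECT = """\
12816 TLS handshake succeeded
11522 Extracted EAP-Response/Identity for inner EAP method
24402 User authentication against Active Directory succeeded
11814 Inner EAP-MSCHAP authentication succeeded
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    for name, sample in (("ACS machine auth", ACS_MACHINE_AUTH_FAIL), ("ISE MAR", ISE_MAR_REJECT)):
        print(name, analyze_steps(sample))
    print(classify_identity("host/LastNameFirstInitial-LT.mydomain.Local"))
```

Run as a script it prints both diagnoses. The point worth noticing in the ISE case is that 11503 (EAP-Success prepared) and 11003 (Access-Reject) appear in the same session: authentication succeeded and authorization, not the credential, is what failed, which is why the reply above points at MAR rather than at the password.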
EAP-TLS or PEAP authentication failed during SSL handshake
Hi Pros,
I am a newbie in ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during an EAP-TLS implementation. My search shows that this kind of error message is already a certificate issue; however, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-installed the cert chain as well.
When I check my log in the failed attempts, here is what I found:
Failed Attempts columns: Date, Time, Message-Type, User-Name, Group-Name, Caller-ID, Network Access Profile Name, Authen-Failure-Code, Author-Failure-Code, Author-Data, NAS-Port, NAS-IP-Address, Filter Information, PEAP/EAP-FAST-Clear-Name, EAP Type, EAP Type Name, Reason, Access Device, Network Device Group (columns with no value omitted below)
Record 1:
Date: 06/23/2010, Time: 17:39:51, Message-Type: Authen failed
User-Name: 000e.9b6e.e834, Group-Name: Default Group, Caller-ID: 000e.9b6e.e834
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
NAS-Port: 1101, NAS-IP-Address: 10.111.22.24
EAP Type: 25, EAP Type Name: MS-PEAP
Access Device: wbr-1121-zozo-test, Network Device Group: Office Network
Record 2:
Date: 06/23/2010, Time: 17:39:50, Message-Type: Authen failed
User-Name: [email protected], Group-Name: Default Group, Caller-ID: 000e.9b6e.e834
Network Access Profile Name: (Default)
Authen-Failure-Code: EAP-TLS or PEAP authentication failed during SSL handshake
NAS-Port: 1098, NAS-IP-Address: 10.111.22.24
EAP Type: 25, EAP Type Name: MS-PEAP
Access Device: wbr-1121-zozo-test, Network Device Group: Office Network
[email protected] = my windows active directory name
1. Why under EAP Type does it show MS-PEAP, not EAP-TLS? I did configure EAP-TLS....
2. Why does it sometimes just show the MAC of the client as username?
3. Why does it put me in DEFAULT-GROUP even though I belong to a group well defined in the ACS?
Secondly, when I check the passed authentications, here is what I saw:
Passed Authentications columns: Date, Time, Message-Type, User-Name, Group-Name, Caller-ID, NAS-Port, NAS-IP-Address, Network Access Profile Name, Shared RAC, Downloadable ACL, System-Posture-Token, Application-Posture-Token, Reason, EAP Type, EAP Type Name, PEAP/EAP-FAST-Clear-Name, Access Device, Network Device Group (columns with no value omitted below)
Record 1:
Date: 06/23/2010, Time: 17:30:49, Message-Type: Authen OK
User-Name: groszozo, Group-Name: NOC Tier 2, Caller-ID: 10.11.10.105
NAS-Port: 1, NAS-IP-Address: 10.111.22.24, Network Access Profile Name: (Default)
Access Device: wbr-1121-zozo-test, Network Device Group: Office Network
Record 2:
Date: 06/23/2010, Time: 17:29:27, Message-Type: Authen OK
User-Name: groszozo, Group-Name: NOC Tier 2, Caller-ID: 10.11.10.105
NAS-Port: 1, NAS-IP-Address: 10.111.22.24, Network Access Profile Name: (Default)
Access Device: wbr-1121-zozo-test, Network Device Group: Office Network
In the output below, it says that the user is authenticated and it puts the user in the right group with the right username, but the user never really authenticates. Maybe for the first few seconds when I initiate the connection.
Before I forget, the supplicant is using WIN XP and 802.1x is enabled. I even unchecked 'verify the server', and on the ACS under External User Databases I did check ENABLE EAP-TLS machine authentication.
Thanks in advance for your help,
Crazy
---
Any ideas on this guys?? On my end, I've been reading some docs... Things started to make sense to me, but I still cannot authenticate, still the same errors. One more thing that catches my attention now is the time it takes to open a telnet session to a Cisco device which has the ACS as auth server.
My AD (Active Directory) and the ACS server are local, on the same subnet (server subnet). Ping to the ACS from my desktop, which is in a different subnet, takes only 1ms. To confirm that the issue is the ACS server, I decided to use another server in a remote location; the telnet connection is way faster than with the local ACS.
Let's brainstorm together to figure this out guys.
Thanks in advance,
----Paul -
EAP-TLS & ACS Appliance "EAP-TLS or PEAP authentication failed"
Hello - I have version 3.2 of the ACS appliance and I am trying to set up a successful test of EAP-TLS. I have a W2K server for a CA and I believe I have the certificate installed properly. However, I get the "EAP-TLS or PEAP authentication failed during SSL handshake" error message in my failed attempts log. The troubleshooting document tells me to look at the CSAuth.log file but I can't seem to find it on the ACS Appliance.
Does anyone have any ideas how to troubleshoot this problem with the appliance?
If the client's certificate on the ACS is invalid (which depends on the certificate's valid "from" and "to" dates, the server's date and time settings, and CA trust), then the server will reject it and authentication will fail. The ACS will log the failed authentication in the web interface under Reports and Activity > Failed Attempts > Failed Attempts XXX.csv with the Authentication Failure-Code similar to "EAP-TLS or PEAP authentication failed during SSL handshake." If the ACS rejects the client's certificate because the ACS does not trust the CA, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2003 15:47:43 E 0345 1696 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:unknown CA certificate)
If the ACS rejects the client's certificate because the certificate has expired, the expected error message in the CSAuth.log file is similar to the following.
AUTH 06/04/2005 15:02:08 E 0345 1692 EAP: ProcessResponse:
SSL handshake failed, status = 3 (SSL alert fatal:certificate expired)
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml -
EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake
Hi All ,
I am trying to test EAP-TLS authentication on ACS 4.2.1.15 running on an Appliance 1120. I have installed my server certificate along with the CA certificate on my appliance box, and I have enabled the EAP-TLS features under global authentication setup.
I have downloaded the client supplicant certificate file for my Windows XP machine.
When I try to authenticate, I am finding the following error message under failed attempts (EAP-TLS or PEAP authentication failed due to unknown CA certificate during SSL handshake) on my ACS appliance box.
Under certificate revocation list, I have forced my CA as the CRL in use. Attached are snapshots of all of it.
Suggest whether I need to enable all corresponding CA certificates under the certificate trust list. Kindly let me know where I am going wrong on this..
Hello,
I am NO expert on certificates but I have seen your error dozens of times from wireless clients on my Cisco ACS 4.2 Radius server.
Through trial and error I wrote up this procedure for our Helpdesk for installing certs in Windows XP and Windows 7. These steps haven't failed me yet and the Helpdesk doesn't bother me as much anymore so see if this helps you:
- Manually install the Global CA under BOTH Trusted Root Certification Authorities\Certificates AND Intermediate Certification Authorities\Certificates
- Manually install the Intermediate CA under JUST the Intermediate Certification Authorities\Certificates
- Delete the wireless network from the computer
- REBOOT!!
- Open the Microsoft Management Console, “mmc”.
- Go FILE\Add Remove SnapIn. Select Certificates ..
- If prompted, do it for "My User Account".
- Make sure the certificates are where you put them.
- If you see any of these exact certificates out of place in either Trusted Root Certification Authorities\Certificates or Intermediate Certification Authorities\Certificates, remove them.
- Redo wireless network setup again
I hope this helps you.
Mike -
EAP-TLS or PEAP authentication failed during SSL handshake to the ACS serve
We are running the LWAPP (2006 WLCs and 1242 APs) and using the ACS 4.0 for authentication. Our users are experiencing an issue where they are successfully authenticated the first time; however, as the number of them is increasing, they're starting to drop the connections and being prompted to re-authenticate. At this point, they are not able to authenticate again.
We're using PEAP for the authentication and Win XP SP2 clients as the supplicants. The error message that we are seeing on the ACS for that controller is "EAP-TLS or PEAP authentication failed during SSL handshake to the ACS server"...Not sure if this error msg is relevant since we have other WLC's that are working OK and still generating the same error msg on the ACS...
Thanks..
Here are some configs you can try:
config advanced eap identity-request-timeout 120
config advanced eap identity-request-retries 20
config advanced eap request-timeout 120
config advanced eap request-retries 20
save config -
EAP-TLS or PEAP authentication failed during SSL handshake error
I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
Thanks for the help
My experience suggests that the problem is the certificate.
I'm running ACS 3.3.
I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
Correctly following the instructions led to a successful connection and no more error message. -
ISE : Authentication for IKEv2
Just to check if anyone might be able to assist me regarind an issue that I am trying to work out a solution for.
My Requirements are: Multitenant deployment using ASR1K with IKEv2 vpn authenticated with ISE or ACS and user databases in most cases will be in Active Directory. And authentication has to be with User and Password.
EAP-MD5: does not work with LDAP integration with Active Directory; it does, however, work in RADIUS proxy mode, but the security level of password storage in AD has to be degraded a lot by allowing AD to store reversible passwords.
EAP-GTC: As far as I understand from everything I read, this might be the holy grail for U/P authentication for IKEv2. But in ISE and ACS, EAP-GTC is only supported as an inner method in PEAP and EAP-FAST. Will this change in the near future?
And is there possibly something else that I am missing which might be a solution to this design criteria?
The first method is local web authentication. In this case, the WLC redirects the HTTP traffic to an internal or external server where the user is prompted to authenticate. The WLC then fetches the credentials (sent back via an HTTP GET request in the case of an external server) and makes a RADIUS authentication. In the case of a guest user, an external server (such as Identity Services Engine (ISE) or NAC Guest Server (NGS)) is required as the portal provides features such as device registering and self-provisioning. The flow includes these steps:
Please follow below guide for step by step configuration:
http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml -
SCCM 2012 - 802.1x authentication for zero touch installation
Hi guys,
I'm setting up a demo environment for SCCM 2012. Our customer has the requirement to enforce 802.1x authentication (username & password without certificates) on the network. So I need an 802.1x integration into the WinPE image, so that clients can access the install VLAN instead of the guest VLAN during the zero touch Windows 7 OS install process.
What I did before:
- mount the SCCM modified WinPE image (boot.XXX99999.wim)
- integration of the KB972831 hotfix into the WinPE
- creation of a lan profile and eap profile file
- copy both files into the mounted image
- creation of new wim file
I've booted the boot wim via a usb stick to test the 802.1x integration with the following commands:
net start dot3svc
=> The Wired AutoConfig service was started successfully
netsh lan add profile filename="X:\8021x\Local Area Connection.xml " interface="Local Area Connection"
=> The profile was added successfully on the interface Local Area connection
netsh lan set eapuserdata filename=x:\8021x\Wired-WinPE-UserData-PEAP-MSChapv2.xml allusers=yes interface="Local Area Connection"
=> Error setting user data for interface Local Area Connection. The operation is not supported.
Actually I can't post web links here. If the files are needed I can send them per mail.
What can I do to solve this problem?
Thanks!
Regards
Bastian
Hi!
Did you have a look at this website: http://myitforum.com/cs2/blogs/lakey81/archive/2011/07/06/configuring-802-1x-network-authentication-for-winpe-3-0-and-configmgr-deployments.aspx
I've followed those steps and it worked as a charm, even for WinPE 4.0.
If you have questions let me know.
Cheers. -
I have some problems with PEAP authentication. Here is the debug of my AP:
Mar 13 09:50:39 10.15.1.14 2370: *Mar 1 19:24:18.889: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start
Mar 13 09:50:39 10.15.1.14 2371: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
Mar 13 09:50:39 10.15.1.14 2372: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Client 001a.73ff.a214 timer started for 30 seconds
Mar 13 09:51:03 10.15.1.14 2373: *Mar 1 19:24:43.549: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2374: *Mar 1 19:24:43.549: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,EAP_START) for 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2375: *Mar 1 19:24:43.549: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2376: *Mar 1 19:24:43.550: dot11_auth_dot1x_send_id_req_to_client: Client 001a.73ff.a214 timer started for 30 seconds
Mar 13 09:51:03 10.15.1.14 2377: *Mar 1 19:24:43.554: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2378: *Mar 1 19:24:43.554: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 001a.73ff.a214
Mar 13 09:51:04 10.15.1.14 2379: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Sending client 001a.73ff.a214 data to server
Mar 13 09:51:04 10.15.1.14 2380: *Mar 1 19:24:43.554: AAA/AUTHEN/PPP (00000159): Pick method list 'eap_methods'
Mar 13 09:51:04 10.15.1.14 2381: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Mar 13 09:51:25 10.15.1.14 2382: *Mar 1 19:25:05.371: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
Mar 13 09:51:25 10.15.1.14 2383: *Mar 1 19:25:05.371: dot11_auth_dot1x_parse_aaa_resp: found eap pak in server response
Mar 13 09:51:25 10.15.1.14 2384: *Mar 1 19:25:05.372: Client 001a.73ff.a214 failed: EAP reason 1
Mar 13 09:51:25 10.15.1.14 2385: *Mar 1 19:25:05.372: dot11_auth_dot1x_parse_aaa_resp: Failed client 001a.73ff.a214 with aaa_req_status_detail 1
Mar 13 09:51:25 10.15.1.14 2386: *Mar 1 19:25:05.372: dot11_auth_dot1x_run_rfsm: Executing Action(SERVER_WAIT,SERVER_FAIL) for 001a.73ff.a214
Mar 13 09:51:25 10.15.1.14 2387: *Mar 1 19:25:05.372: dot11_auth_dot1x_send_response_to_client: Forwarding server message to client 001a.73ff.a214
Mar 13 09:51:25 10.15.1.14 2388: *Mar 1 19:25:05.373: dot11_auth_dot1x_send_response_to_client: Started timer client_timeout 30 seconds
Mar 13 09:51:26 10.15.1.14 2389: *Mar 1 19:25:05.373: dot11_auth_dot1x_send_client_fail: Authentication failed for 001a.73ff.a214
Mar 13 09:51:26 10.15.1.14 2390: *Mar 1 19:25:05.373: %DOT11-7-AUTH_FAILED: Station 001a.73ff.a214 Authentication failed
Mar 13 09:51:27 10.15.1.14 2391: *Mar 1 19:25:06.611: AAA/BIND(0000015A): Bind i/f
In the IAS log I can find the requests and access is permitted.
What is the problem?
Thank you for your help!
Answering partially your second question: 'Authenticate as Computer when Computer Information Available' is required to enable machine authentication, and the same has to be enabled on the ACS server also.
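The AP debug in the post above is easier to read once the per-client timers and state-machine actions are pulled out programmatically. The following is an added example, not part of the thread and not Cisco code: it parses debug lines in the format quoted in the post, counts identity requests, measures how long the client took to answer against the 30-second client timer and how long the RADIUS server took against the 60-second server_timeout, and reports whether the server actually returned FAIL (with the EAP reason the AP logged) rather than the AP timing out. The sample lines are a trimmed copy of the post's debug; the field names in the report and the single-client assumption for MAC-less lines are this example's own.

```python
"""Reconstruct one client's 802.1X/EAP exchange from Cisco IOS AP dot11
authenticator debug output.  Added example, not code from the thread; the
line format is the one quoted in the post.  Standard library only."""
import re
from datetime import datetime

# "Mar 13 09:51:03 10.15.1.14 2373: *Mar 1 19:24:43.549: <message>"
# The first stamp is the syslog collector's; the AP's own stamp after '*'
# has millisecond resolution, so timings are taken from that one.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+\d+:\s+\*(\w{3}\s+\d+\s+[\d:.]+):\s+(.*)$")
MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b")
SECONDS_RE = re.compile(r"(\d+) seconds")


def parse_ts(stamp):
    """AP uptime stamp such as 'Mar 1 19:24:18.889' (no year; deltas only)."""
    return datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S.%f")


def secs(delta):
    return round(delta.total_seconds(), 3)


def parse_ap_debug(lines):
    """Return (timestamp, mac, message) tuples.  Lines without a MAC, e.g.
    'Received server response: FAIL', inherit the last client seen, which is
    an assumption that holds for a single-client capture like the post's."""
    events, last_mac = [], None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp, msg = m.groups()
        mm = MAC_RE.search(msg)
        if mm:
            last_mac = mm.group(1)
        events.append((parse_ts(stamp), last_mac, msg))
    return events


def diagnose(events, mac):
    """Summarise one client's exchange: identity requests sent, client and
    server response times versus their timers, and the server's verdict."""
    r = {"mac": mac, "identity_requests": 0, "client_timer_s": None,
         "client_reply_latency_s": None, "server_timeout_s": None,
         "server_latency_s": None, "server_reply": None, "eap_reason": None,
         "result": "no_server_reply_in_capture"}
    first_id_req = sent = None
    for ts, ev_mac, msg in events:
        if ev_mac != mac:
            continue
        if "Sending identity request" in msg:
            r["identity_requests"] += 1
            first_id_req = first_id_req or ts
        elif "timer started for" in msg:            # per-client EAPOL timer
            r["client_timer_s"] = int(SECONDS_RE.search(msg).group(1))
        elif "Received EAPOL packet" in msg and first_id_req and r["client_reply_latency_s"] is None:
            r["client_reply_latency_s"] = secs(ts - first_id_req)
        elif "data to server" in msg:               # RADIUS request sent
            sent = ts
        elif "Started timer server_timeout" in msg:
            r["server_timeout_s"] = int(SECONDS_RE.search(msg).group(1))
        elif "Received server response:" in msg:
            r["server_reply"] = msg.rsplit(":", 1)[1].strip()
            if sent:
                r["server_latency_s"] = secs(ts - sent)
        elif "EAP reason" in msg:
            r["eap_reason"] = int(re.search(r"EAP reason (\d+)", msg).group(1))
    if r["server_reply"] == "FAIL":
        r["result"] = "server_reject"
    elif r["server_reply"] == "PASS":
        r["result"] = "server_accept"
    return r


# Trimmed copy of the debug lines quoted in the post.
SAMPLE_AP_DEBUG = """\
Mar 13 09:50:39 10.15.1.14 2371: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
Mar 13 09:50:39 10.15.1.14 2372: *Mar 1 19:24:18.890: dot11_auth_dot1x_send_id_req_to_client: Client 001a.73ff.a214 timer started for 30 seconds
Mar 13 09:51:03 10.15.1.14 2373: *Mar 1 19:24:43.549: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2375: *Mar 1 19:24:43.549: dot11_auth_dot1x_send_id_req_to_client: Sending identity request to 001a.73ff.a214
Mar 13 09:51:03 10.15.1.14 2377: *Mar 1 19:24:43.554: dot11_auth_parse_client_pak: Received EAPOL packet from 001a.73ff.a214
Mar 13 09:51:04 10.15.1.14 2379: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Sending client 001a.73ff.a214 data to server
Mar 13 09:51:04 10.15.1.14 2381: *Mar 1 19:24:43.554: dot11_auth_dot1x_send_response_to_server: Started timer server_timeout 60 seconds
Mar 13 09:51:25 10.15.1.14 2382: *Mar 1 19:25:05.371: dot11_auth_dot1x_parse_aaa_resp: Received server response: FAIL
Mar 13 09:51:25 10.15.1.14 2384: *Mar 1 19:25:05.372: Client 001a.73ff.a214 failed: EAP reason 1
Mar 13 09:51:26 10.15.1.14 2390: *Mar 1 19:25:05.373: %DOT11-7-AUTH_FAILED: Station 001a.73ff.a214 Authentication failed
"""

if __name__ == "__main__":
    report = diagnose(parse_ap_debug(SAMPLE_AP_DEBUG.splitlines()), "001a.73ff.a214")
    for k, v in report.items():
        print(f"{k:>24}: {v}")
```

For this capture the report shows the server answered FAIL about 21.8 seconds after the AP forwarded the client's response, well inside the 60-second server timer, and the client answered the first identity request after about 24.7 seconds, inside its 30-second timer. So the AP saw a reject from the RADIUS side rather than a timeout, which is the fact to reconcile with the IAS log the poster says shows access permitted.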