PEAP-MSCHAPV2 problems

Hi,
I have a problem with PEAP-MSCHAPV2 authentication in combination with Wireless Service Module en Cisco ACS 4.1(and later i tested with IAS).
When i use the Windows Supplicant i can get no connection with my wireless network, when i used the Intel Pro Client its works very good. The Windows supplicant asked very 5 seconds my usercredentinals and in the log files of the RADIUS is nothing to see.
Can somebody help me with this problem ?

Hi,
Apply this MS hotfix.
Regards,
~JG

Similar Messages

  • 802.1x EAP PEAP MSCHAPv2 on Windows 7 Client.

    I have problems autenticate a w7 client at our Enterprice WiFi network. XP, Apple clients and all SmartPhones works fine...  We use Radius assigned Vlans based on username and ream routed on our Meru Network to Navis radius as centralied point of
    autentication. Navis proxes client autenticatinon recuest to the customers Radiuses based on the realm.
    Windows 7 32 client use the radius CA (installed and ticked) and EAP PEAP MSCHAPv2 in the SSID settings. The customer radius is an Freeradius. In autentication logs we se that the client sends the Maschinename, eg. Machine-x200/username@realm
    even we in the client settings, under SSID Propirties, Security, MS Protected EAP(PEAP), Settings and EAP-MSCAPv2 Configuration, have removed tick on the default setting:
    Use Autom. Windows-username... AND under Security Advanced (back one step), in the 802.1X Settings, choose User autentication only! (not user and maschine, mascine only or guest) and we have saved corectly username@reame =(username here) and password...
    in the username password Setting.
    Is it possible edit or change the way the client PC is sett up to prevent this?
    Is there any way make a policy setting? or is there other solutions?
    I have teste te Cisco: PEAP option too, but stil noe autenticatoin from Radius
    Thanks

    Hi,
    As I know, this goal cannot be achieved.
    Reference:
    Use the 802.1X Wizard to Configure NPS Network Policies
    For authentication using Extensible Authentication Protocol – Transport Layer Security (EAP-TLS), select
    Microsoft: Smart Card or other certificate, click
    Configure, click
    OK, and then click
    Next.
    For authentication using Protected Extensible Authentication Protocol – Transport Layer Security (PEAP-TLS), select
    Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Smart Card or other certificate, click the
    Move Up button to position a smart card or other certificate at the top of the list, click
    OK, and then click
    Next.
    For secure password authentication using Protected Extensible Authentication Protocol – Microsoft Challenge Handshake Authentication Protocol
    version 2 (PEAP-MS-CHAP v2), select Microsoft: Protected EAP (PEAP). In
    Eap Types, click
    Add, click
    Secured password (EPA-MSCHAP v2), click the
    Move Up button to position the secured password authentication type at the top of the list, click
    OK, and then click
    Next.
    Regards,
    Sabrina
    TechNet Subscriber Support
    in forum.
    If you have any feedback on our support, please contact
    [email protected]
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question.
    This can be beneficial to other community members reading the thread.

  • Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

    Help!
    After installing Snow Leopard 10.6.1 on my 2.16 GHz Core Duo MacBook Pro running OS 10.5, I can no longer connect to the WPA2 Enterprise network at the University of Ottawa. I can still connect to other encrypted networks, such as my home WEP encrypted network. Before the installation I was able to connect to the WPA2 enterprise network.
    When attempting to connect, under network preferences I can see that my computer is Authenticated via PEAP(MSCHAPv2) and a timer showing my time connected is running. However under status, it says that I have a self assigned IP and that I cannot connect to the internet. As a result I cannot connect to the internet.
    I have included a picture that describes my problem exactly:
    Does anyone have this problem? Can anyone help me?
    Thanks!

    The thing you and many others forget is that these forums are for those with problems. Those for whom the installs works without fault do not visit here. They do not post. There are about 9,000 topics in the Installation and Using forums (the largest two) and even if every topic were an unique fault, this would mean a small fraction of the installed base.
    According to AppleInsider the Q1 sales of SL would be circa 5 million copies, and other reports indicate these numbers have been surpassed in the early months. So lets go for one months sales at only 1.5 million copies. 9,000 faults in 1.5 million copies is only a 0.6% rate and that's if every topic is a different fault (which it plainly isn't).
    So I'm afraid your argument is even less convincing - a few people report your fault, and even if only 1% of the installed base uses it, its still infinitesimal. IMO, the vast majority of problems arise from an initial Leopard installation that had enough variability of build to make enhancements problematical. I'd be the first to admit its not Apples finest hour, but its certainly not bad for the overwhelming majority.
    Perhaps you could apply to be an Apple tester, to help solve this issue ? Its better than standing on the sidelines complaining about everyone elses work for certain.
    Or log a fault request as it will get looked at I can assure you, but only if there is a tester who is actually able and willing to test that particular piece of functionality.

  • ISSUE: Wifi and Enterprise Networks - No PEAP-MSCHAPv2 & PEAP-GTC support.

    Since owning my HP Touchpad i have not been able to connect to my schools Wifi network making the unit a digital photo frame.
    The issues seems to be well documented across many forums with no aknowledgement from hp/webOS.
     A post from another forum
    Davegarbs Wrote:
    At least for me, importing the cert did nothing, as WiFi appears to be broken with both PEAP-GTC and PEAP-MSCHAPv2. I have had a bug report open with HP for 3 weeks now and haven't heard a single word. I even captured a ton of logs from the device that I thought would help get things taken care of.
    The only way I found to fix this is to use wpa_cli to reconfigure wpa_supplicant with the proper config for your network. This HAS to be done right as you log into the network in the WiFi app. Judging by the following link, this has been a problem for a long time:
    Advanced Wifi - WebOS Internals
    I'll be really surprised if HP gets back to me, but I'll update this thread if/when I hear from them. 
    So there seems to be a fix, but some users might find that a little bit difficult.
    Can HP/PALM/webOS/OBAMA/Astronaught please fix this issue?, it also seems to effect webOS phones.
    I can confirm both android and apple ipad/iphone/imac do not have this issue.
    I would like to be able to use my HP Touchpad to its full potential rather than just slide showing photos.
    Cheers
    Post relates to: HP TouchPad (WiFi)
    Post relates to: HP TouchPad (WiFi)

    I'm in the exact same boat at Texas A&M Health Science Center. I seriously wonder if this is part of the reason they dropped the line. They released a product that can't function in business/school environments.

  • Unable to move between PEAP (MSCHAPv2) to WPA2 Personal

    I just started to have a problem changing from my wireless network at work to my home network. At the office, I authenticate using PEAP (MSCHAPv2) and connect just fine. I put the computer to sleep, to go home and when my MBP tries to connect to my WPA2 Personal wireless at home, it times out. The only way to make the connection work is to reboot. It will then connect perfectly. For the record, I don't have the problem in the other direction, meaning that I can go from WPA2 Personal to PEAP seamlessly.
    Thanks for any help!
    Message was edited by: BocaBoy

    No great ideas here, but you could try removing wireless protection from home for a brief period of safe use; resetting the router; and then setting up WPA2 again.

  • E6 EAP-PEAP MSCHAPv2 authority certificate

    I am unable to connect to our company WLAN. I tried various username/domain/realm combinations for the EAP-PEAP MSCHAPv2 settings but it keeps giving message authentication failed. Our ocmpany does not have authority certificate and hence I select "not defined". I was told by our network admin that Nokia phones have this problem that they cannot connect without authority certificate.
    Is there any work around? I tried excporting an interim certificate of our company from my laptop but to no avail. Pls help.

    If there is actual workaround to get EAP-PEAP MSCHAPv2 to use with WLAN to use Eduroam, that would help me and many other people.
    Maybe Nokia has not build it to Nokia E6 phones.
    But if there would be an update for Belle OS to use this security authentication with WLAN that would help as well.
    greetings
    IT Support, helpdesk (not for Nokia).

  • Can we still use PEAP-MSCHAPV2 for authenticating to a WPA2-Enterprise network?

    L.S,
    For authenticating to a BYOD wireless network a lot of companies use WPA2-Enterprise connected to a Microsoft IAS/NPS server to authenticate against Active Directory. There seems to be a way to intercept this wireless traffic using a roque accesspoint using the same (company) SSID-name and tools like freeradius-WPE and cloudcracker.
    If the BYOD client doesn't check the certificate provided by the fake radius server, the MSCHAPv2-negotiation can be discovered and the hacker will get the username AND hashed password which can be lookup'd by rainbow tables sites like cloudcracker.
    Is there still a safe way to deploy AD-authentication to BYOD clients?
    Kind Regards,
    Arjen

    I have tested the WPA2-enterprise/PEAP-MSCHAPv2 exploit this week placing a laptop in my car on the company parking lot with a Kali image, using hostap and freeradius-wpe configured with the company SSID. It was very easy to find out the mschapv2 challenge/responses of a number of android/windows phones that there just walking past my car. Also iPhone has a bad WPA2-enterprise implementation (see: http://research.edm.uhasselt.be/~bbonne/docs/robyns14wpa2enterprise.pdf), so bye bye WPA2-enterprise/PEAP-MSCHAPv2.
    Wonder what other (large) companies are using for their BYOD wireless networks! EAP-TLS using certificate sounds like the only feasible option, however, we are afraid that the enrolment of certificates to the BYOD-clients will be a total disaster. I heard stories that some android phones lose their client certificate after a reboot :(

  • Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

    Hi,
    I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
    The WLCs are running 7.3 and ISE is 1.1.1
    I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
    They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
    The credentials will be created by the sponsor, using the sponsor portal on the ISE.
    Now to the questions:
    Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
    Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
    When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
    As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
    Thankyou very much :-)
    Best Regards,
    Niels J. Larsen

  • IBNS with two groups of XP Machines, one PEAP-MSCHAPv2 & one EAP-TLS

    Hello,
    I'm planning to implement a IBNS network. We have two groups of XP Machines. One group has machine certs and we're planning to check their certs using EAP-TLS. The second group of machines is managed by other departments, each having their own Active Directory, and configured with PEAP-MSCHAPv2. I'm not very familiar with this kind of setup, so hints are highly appreciated.
    1. Can I assume that, when properly configured, we can differentiate the authorizations per group (for exemple, at least two VLANs one for group 1 and another one for group 2 - I must at least seggregate the users per group and can't mix them in the same environment, since they belong two different departments).
    2. For the first group, no big issue. I can check against my central AD. For the users of the second group, since they can come from different departments, each having its own AD, can I differentiate them, by any means, to know which AD I'll have to query? Or do I have to query only one single AD? Is it required that all the users of group 2 belong to the same domain?
    Thanks in advance for your help.

    Hello,
    I'm planning to implement a IBNS network. We have two groups of XP Machines. One group has machine certs and we're planning to check their certs using EAP-TLS. The second group of machines is managed by other departments, each having their own Active Directory, and configured with PEAP-MSCHAPv2. I'm not very familiar with this kind of setup, so hints are highly appreciated.
    1. Can I assume that, when properly configured, we can differentiate the authorizations per group (for exemple, at least two VLANs one for group 1 and another one for group 2 - I must at least seggregate the users per group and can't mix them in the same environment, since they belong two different departments).
    2. For the first group, no big issue. I can check against my central AD. For the users of the second group, since they can come from different departments, each having its own AD, can I differentiate them, by any means, to know which AD I'll have to query? Or do I have to query only one single AD? Is it required that all the users of group 2 belong to the same domain?
    Thanks in advance for your help.

  • How to ACS 5.0.0.21 Expresss integrate with Active Directory Standar 2003 and authenticate PEAP MSCHAPV2

    Hi:
    My name is Ivan, I have a trouble
    I have a ACS 5.0.0.21 express, and i have to integrate with Active Directory (AD)  2003 Standar. I should authenticate the users of the Domain in the LAN with PEAP MSCHPAV2, using the follow:
    Cisco WLC 4402 + Cisco ACS 5.0.0.21 + Active Directory
    I need to know if i should to install a certificate in the ACS 5.0.0.21 or some agent remote install  in the AD.
    I put in the ACS a external database with the AD, and i already select the users on the domain in the ACS Express.
    Please could you tell me all the steps to autenticate the users on the Domain using the ACS Express and the Active Directory,
    I would like to know wich are the configuration that i have to do in my ACS express to authenticate using PEAP MSCHAPV2
    Regards
    Ivan

    See the below URL - multiple config guides on what you want to do:-
    http://www.cisco.com/en/US/products/ps6366/prod_configuration_examples_list.html
    HTH>

  • PEAP-MSCHAPv2 & MAC-AUTH with WEP on same AP

    Hi,
    is it possible to have PEAP-MSCHAPv2 authentication and MAC Authentication against Central Cisco ACS, on the same Access Point on different SSID's without conflicting with each other?
    Thanks
    Jorge

    The answer would depend upon the configuration done on the AP..
    a) if you have configured vlans on your AP then you can set SSID , map it to each vlan and accordingly configure encryption to each vlan
    b) if there are no vlan then too the two ssid would work but you then you have to have the same encryption on both the ssid.

  • Nokia N95 8G can't connect to EAP-PEAP MSCHAPv2 Ne...

    HELP HELP HELP!! I have a problem getting my Nokia N95 8G connect to my LSU wireless network,,, Here my network sittings, I tried many possible configurations but, unfortunately, I didn't make it!!!
    ESSID (Network Name): lsusecure
    Network Type: Infrastructure (or Access Point)
    TCP/IP: DHCP
    EAP Type: PEAP
    Network Authentication: WPA (WPA-enterprise)
    Data Encryption: TKIP
    Authentication Method/Protocol: MSCHAP-V2
    Inner EAP Type: EAP-MSCHAPv2
    servers name: acs-wlan.net.lsu.edu;acs-wlan.lsu.edu
    Certification Authorities: GTE CyberTrust Global Root
    username: whatever
    password: urwhatever
    for more settings if needed check this link:
    http://grok.lsu.edu/Article.aspx?articleId=1465
    another think might help, is the certificate for some linux machines, the file is attached(the file name is acs-wlan-cert-chain without extension)...
    I hope some of you can make this, I am really need it. Thanks to everybody will help
    Attachments:
    acs-wlan-cert-chain.txt ‏2 KB

    We have a similar setup at my university in the UK, and by extension many of the sites in the EDUROAM network. The local staff have been working hard at this for a couple of years, but as far as we can tell, Nokia's implimentation just will not work in this scenario under any circumstances. You're going to have to wait until Nokia properly supports this kind of authentication. Our own techs are going to start annoying Nokia about it as soon as they finish this year's wave of wi-fi installations.
    Help I'm trapped in a sig factory.

  • PEAP intermittent problem

    Hi,
    I am using PEAP with mschapv2 and authentication using ACS with AD.
    The client is winXP/SP2. I am using windows configuration to configure the wireless setup in XP.
    The client can connect to the network via wireless. But after i disconnect and try to connect again, connection will fail. I couldn't see any logs in the ACS.
    THe next day i try to connect again, it worked. After disconnect, it did not work again.
    Any one has encountered such problem b4?
    Thanks
    Eng Wee

    Can you give us some more detail?
    What sort of messages is the client displaying, and what do you mean by "fail" (no IP address? what?)
    What sort of messages are you seeing on the wireless controller or AP?
    If everything is working fine for other clients/users (ruling out the wireless network itself), the only time I have seen problems with WZC is due to older wireless card drivers and not applying the wireless client updates from Microsoft (http://support.microsoft.com/kb/917021). If you are using an Intel card, driver updates are a must.

  • How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...

    I am trying to connect to the company network, but it always shows "PEAP authentication failed".
    There are only instructions for iPhone and PC.
    security : WPA2-Enterprise
    authority certificate : None
    Security Type : PEAP
    Inner Link Security : EAP-MSCHAPv2
    additionally MAC address filtering.
    The access point I set is as follows:
    network status: public
    wLAN network mode: infrastructure
    security: WPA/WPA2
    WPA2 only mode: off
    EAP plug-in setting: EAP-PEAP enable only
    personal certificate: not defined
    authority certificate: not defined
    user name: user-defined   BLANK
    realm in use: user-defined   BLANK
    allow PEAPv0
    MSCHAPv2
    user name: username
    password: mypassword
    We have domain, but there are no command about domain in iPhone guide. 
    Is there anything wrong of my setting?

    WPA2-Enterprise is not supported on your device.
    ‡Thank you for hitting the Blue/Green Star button‡
    N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

  • Ipad 2 802.1X PEAP Authentication problem (With profile from IPCU)

    Hi!
    I'm in the processes of setting up a new wireless network for a costumer.
    A little info about the hardware:
    Cisco WLC 5508
    Cisco AP 2602i
    Cisco ISE - radius server
    ipads gen 4 (iOS 6)
    EAP-TLS (windows machines) and PEAP (Other stuff, ipads, andriod etc) as authentications methods
    The radius server is using a server certificate from thier own PKI infrastructure therefor i need to push the root certificate of their CA to the clients in order to verify the authentication server. For this I use the iphone/ipad configuration utility.
    I use the Use Per-connection password option
    User that are allowed to connect are placed in a specific group in there AD.
    The problem that I have is:
    When a user thats not allowed to connect tries to authenticate to the network the ipad says stop and thats the way it supposed to be.
    BUT after someone has faild to authenticate to the network and somebody else tries to connect the ipad only ask for a password and not a username.
    I cant seem to get rid of this popup and therefor the ipad cant connect.
    If I don't use the profile I can forget about the network and after that i can connect with a different user.
    But then i can't verify the server-certificate and use the option per-connection password!
    Please help!
    Has someone else seen this type of bug.
    //Simon

    Hi, I am new with 802.1x, and was hoping that someone would help with these queries:
    1. How is a certificate requested without being allowed on a network that is not authenticated with 802.1x. I had to first connect to an active network, retrieve a certificate with the proper username and password, and then physically connect to the port on the 2950 switch which was enabled to do 802.1x
    2. My config is as below:
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authenication login default group radius
    dot1x system-auth-control
    interface f0/1
    switchport mode access
    dot1x port-control auto
    end
    I able to login using the radius server, so radius is working (on ports other than f1/0). However when connecting to f1/0, the port on the 2950 remains blocked.
    3. The certificate is issued by the ca server, is viewable via Internet explorer,and is issued to the correct username which is on the active directory.
    I even tried using local authenication with 802.1x, this did not work
    4. If I have a certificate, will this automatically give me access to the 802.1x port?
    5. I have windows 2000, and authenication is set to 'Smart Card or other certificate.
    Am I missing anything?
    Any advise will be greatly appreciated
    Chris

Maybe you are looking for