PEAP XPsp1 AP1200 ACS3.1

I can't get this combo working. Any assistance would be great.
ACS 3.1 with certs installed and PEAP / EAP-TLS enabled.
XP laptop with 350 PCMCIA card with newest firmware.
User database is Active Directory (RADIUS works for IOS and PIX okay)
AP1200 with 12.01T1 software.
AP configured for Accept Auth Type = Shared and Network EAP
Require EAP = Shared
What am I missing? Wireless works when all security is removed.
Thanks,
Patrick

Here is a complete debug of a failed client. It looks like it's a problem with ACS but I can't find anything. Any thoughts?
2 days, 20:12:01 (Info): Station 0009b74aa66b Authenticated
Dot1x entry (SLA\RIcenhour,0009b74aa66b) is being deleted(Current Count=1)
2 days, 20:12:01 (Info): Station 0009b74aa66b Associated
Dot1X Authentication Entry (0009b74aa66b) is created (Current Count=2)
RADIUS: Sending EAP-Request/Identity(id=1) packet to client 0009b74aa66b
EAP: Received EAPOL-Start from client 0009b74aa66b
RADIUS: Sending EAP-Request/Identity(id=2) packet to client 0009b74aa66b
EAP: Received EAP-Response/Identity(id=2) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Sending EAP-Request/EAP-LEAP(id=9) packet to client 0009b74aa66b
EAP: Received EAP-Response/Nak(id=9) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Sending EAP-Request/EAP-PEAP(id=18) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=18) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Sending EAP-code=37/type=101(id=50) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=19) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 251
RADIUS: Sending EAP-code=82/type=69(id=86) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=20) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Appending EAP attribute value of length 76
RADIUS: Sending EAP-code=0/type=44(id=232) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=21) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
2 days, 20:12:17 (Warning): No EAP-Authentication response for Station 0009b74aa66b from server 10.1.40.50
Could not get a secondary Server Serving 802.1x function.
2 days, 20:12:17 (Info): Deauthenticating 0009b74aa66b, reason "Previous Authentication No Longer Valid"
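
The debug above can be summarized mechanically. The following is an added example, not part of the original post or of any Cisco tool: it parses an excerpt of the posted AP lines and reports which EAP methods were offered and refused, how many bytes of EAP-Message the AP reassembled per server reply, which sent packets were logged with a code outside the RFC 3748 range, and where the exchange stopped. The function and field names are this example's own.

```python
import re

# Excerpt of the access point debug posted above (bookkeeping lines omitted).
AP_DEBUG = """\
2 days, 20:12:01 (Info): Station 0009b74aa66b Associated
RADIUS: Sending EAP-Request/Identity(id=2) packet to client 0009b74aa66b
EAP: Received EAP-Response/Identity(id=2) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received Challenge Request
RADIUS: Sending EAP-Request/EAP-LEAP(id=9) packet to client 0009b74aa66b
EAP: Received EAP-Response/Nak(id=9) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received Challenge Request
RADIUS: Sending EAP-Request/EAP-PEAP(id=18) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=18) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received Challenge Request
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Sending EAP-code=37/type=101(id=50) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=19) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received Challenge Request
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 251
RADIUS: Sending EAP-code=82/type=69(id=86) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=20) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received Challenge Request
RADIUS: Appending EAP attribute value of length 76
RADIUS: Sending EAP-code=0/type=44(id=232) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=21) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
2 days, 20:12:17 (Warning): No EAP-Authentication response for Station 0009b74aa66b from server 10.1.40.50
"""

VALID_EAP_CODES = {1, 2, 3, 4}  # RFC 3748: Request, Response, Success, Failure

SENT = re.compile(r"RADIUS: Sending EAP-(?:Request/(?P<method>[\w-]+)"
                  r"|code=(?P<code>\d+)/type=(?P<type>\d+))\(id=(?P<id>\d+)\)")
RECV = re.compile(r"EAP: Received EAP-Response/(?P<method>[\w-]+)\(id=(?P<id>\d+)\)")
FRAG = re.compile(r"RADIUS: Appending EAP attribute value of length (?P<n>\d+)")
TIMEOUT = re.compile(r"No EAP-Authentication response for Station (?P<sta>\w+) "
                     r"from server (?P<srv>[\d.]+)")


def analyze(log):
    """Walk the AP debug line by line and summarize the EAP exchange."""
    offered, refused, payloads, odd_headers = [], [], [], []
    pending_bytes = 0        # EAP-Message pieces collected for the next send
    last_sent = None         # (method, id) of the last packet sent to the client
    last_recv = None         # (method, id) of the last response from the client
    awaiting_server = False  # True between a forward and the server's reply
    stall = None

    for line in log.splitlines():
        if m := FRAG.search(line):
            pending_bytes += int(m["n"])
        elif m := SENT.search(line):
            last_sent = (m["method"], int(m["id"]))
            if m["method"] and m["method"] != "Identity":
                offered.append(m["method"])
            elif m["code"] and int(m["code"]) not in VALID_EAP_CODES:
                odd_headers.append((int(m["code"]), int(m["type"]), int(m["id"])))
            if pending_bytes:  # this send carried a reassembled server message
                payloads.append(pending_bytes)
                pending_bytes = 0
        elif m := RECV.search(line):
            last_recv = (m["method"], int(m["id"]))
            # A Nak answering the request with the same id refuses that method.
            if m["method"] == "Nak" and last_sent and last_sent[0] \
                    and last_sent[1] == last_recv[1]:
                refused.append(last_sent[0])
        elif "Forwarding packet to RADIUS server" in line:
            awaiting_server = True
        elif "RADIUS: Received" in line:
            awaiting_server = False
        elif m := TIMEOUT.search(line):
            stall = {"station": m["sta"], "server": m["srv"],
                     "request_unanswered": awaiting_server,
                     "last_client_response": last_recv}

    return {"offered": offered, "refused": refused,
            "server_payload_bytes": payloads,
            "odd_headers": odd_headers, "stall": stall}


if __name__ == "__main__":
    for key, value in analyze(AP_DEBUG).items():
        print(f"{key}: {value}")
```
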

Similar Messages

  • PEAP failed with ACS3.3

    Hi Sir,
    I would like to find out whether anyone is facing any problem when implementing PEAP using XP clients with ACS 3.3 integrated with Microsoft AD to manage the user database.
    I have used ACS to generate a self certificate, copied the .cer file and installed it on the client so that it is a Trusted Root CA inside the XP client.
    Certain clients can be authenticated when the Validate Server Certificate checkbox is checked. For other clients I need to uncheck the Validate Server Certificate checkbox, then they are authenticated. All are XP clients. There is inconsistency in the configuration. What can I do next? Can anyone share any solution with me?
    Thank you.
    Delon

    We also had a problem with authenticating XP Clients using PEAP. Turns out there is a Windows Hotfix that solved the problem. Hopefully this will help.
    http://support.microsoft.com/?kbid=885453

  • MS Peap,XP SP1,Non Cisco Card, ACS 3.2,Ap1200

    Hi,
    I am trying to set up MS PEAP with the required hardware. I have read through the document ID:43486. In this, the software they used to test the AP1200 was 12.01T.
    My query is that I am running 12.2(13)JA3, the latest and greatest, on the AP1200. Will it work for PEAP, or can I only set up PEAP with 12.01T?
    Can you please recommend any documentation? I have been trying to get it working for a month.
    Hardware:
    ACS 3.2
    Linksys Wireless Card
    Xp Sp1
    Regards
    Khaleefa Mahmood

    Yes, 13JA3 works with PEAP just fine.

  • 4402 PEAP w/ACS3.3 using Novell NDS.

    I am trying to configure WPA2 with 802.1x authentication through ACS 3.3. Having issue with using PEAP authentication through ACS 3.3 configured for Novell NDS as External Database. Client is stuck "Verifying credentials". Controller sends authentication requests to ACS, but it is not getting any response back from ACS. ACS is on the same subnet, no firewalls of any kind in between. Under Failed Authentication on ACS nothing gets logged if I have PEAP enabled under Global Authentication Setup (EAP-MSCHAPv2). If I uncheck PEAP options under Global Authentication, then ACS will log under Failed Attempts error message saying that "EAP type not configured. Check Global Authentication Setup". Correct IP address of ACS and secret key is entered in Wireless Controller. I have also tried using port 1645 and 1812 with the same result.
    Any ideas would be appreciated. Thanks.

    If you are authenticating against Novell eDirectory/NDS, you should use EAP-GTC. Also, when you create your database configuration, be sure to enter all contexts (separated by commas) in which your user accounts reside.

  • Authentication PEAP issue (I believe!).

    I'm using PEAP, AP1200, ACS 3.2, WXP SP2 and Microsoft AD to authenticate machine and user. The authentication process supplies the WEP key to the client.
    When I'm using a Cisco 350 client adapter all works fine. When I'm using another adapter, the AP log shows a continuous association/deasso.
    Any ideas?
    Thanks.
    Andrea.

    Are you using the client software for the wireless or Windows? One or the other must be disabled.
    Start/settings/ control panel/Administrative tools/ Services/ Windows Zero configuration/disable...

  • Problems w/config AP1200 - WPA Enterprise/Local RADIUS Server

    I have been attempting to reconfigure an AP1200 in our lab environment from using static WEP keys to WPA/TKIP. I can make the solution work with WPA-PSK, but not enterprise. I believe I have everything configured correctly but cannot "validate identity" on the client. Below are the details of my configuration.
    SSID: labssid (Open authentication with EAP)
    Cipher: TKIP
    Key management: Mandatory (WPA)
    I have a Cisco ACS server but am attempting to get this running initially using the local RADIUS server on the Access Point. I have a user defined locally called "test" with a password of "test".
    I am using an IBM ThinkPad T43 with the built-in wireless (Intel PRO/Wireless 2915ABG NIC) for testing. I have "Use Windows to configure my wireless network settings" checked, so I am using the inherent Windows configuration screens. However, I have also attempted to use the IBM NIC configuration utility and receive the same failures. I have the client device configured as follows:
    1. Network authentication: WPA
    2. Data encryption: TKIP
    3. Authentication: Protected EAP (PEAP) (only option other than smartcard, cert.)
    3a. (PROPERTIES) - AuthMethod: Secured Password (EAP-MSCHAP v2)
    4. Authenticate as computer when computer information is avail (UNCHECKED)
    5. Authenticate as guest when user or computer is unavailable (UNCHECKED)
    When I attempt to provide my test/test credentials the Access Point logs the following:
    Station 0016.6f77.9ccd Authentication failed
    When I look at the Local RADIUS server stats, for each authentication failure the following stat is recorded:
    "Unknown EAP Type"
    If I try to authenticate 5 times, there will be 5 Unknown EAP Type stats logged.
    What am I missing?

    I didn't realize the local RADIUS couldn't do PEAP. That makes sense now, as in testing I decided to point the AP at my ACS server and was able to authenticate. I'm having an issue authenticating at times because it seems the AP loses its connection TO the ACS server. The Access Point logs the following:
    1. Station 0016.6f77.9ccd Authentication failed
    2. RADIUS server 192.168.102.82:1645,1646 has returned.
    3. RADIUS server 192.168.102.82:1645,1646 is not responding.
    The "not responding" and "returned" logs are recorded at the exact same time period. In my most recent case, it was "Aug 31 18:19:36.981". Both have that time stamp. It's as if the AP loses some heartbeat to the RADIUS server and doesn't check to see if it's alive until a certain interval. When I'm not able to authenticate, if I log into the ACS and manually "restart" the services through the GUI, I authenticate right away. I'm thinking this is an ACS issue, not an AP issue, but am wondering if anyone else has ever noticed this behavior.

  • Secure ap1200 with ACS

    Hi,
    We have Cisco ACS 3.3 (RADIUS) and an Aironet 1200.
    We'd like to authenticate users via the RADIUS server.
    What configuration is needed on the AP and on the user's PC?
    Is there something else we need apart from the ACS and the NIC's driver?

    Hi, first thing: what kind of authentication do you want to deploy? Your Cisco ACS supports the following:
    LEAP
    EAP-FAST
    PEAP
    TLS
    etc...
    Now, if you want to use EAP-FAST, you can visit this website for more detailed instructions.
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_configuration_guide09186a008046dc81.html
    Hope this will help you.
    Good luck

  • PEAP/IAS - 350 Card driver problems

    Hi,
    When I update the drivers for the Cisco 350 wireless card IAS fails user authentication.
    We are using:
    Win2003(IAS) - PEAP MSCHAPv2
    Cisco AP 1200 - 12.2(13)JA1
    WinXPSP1
    Driver version 7.50.01 works OK
    Driver version 8.5.24.0 FAILS
    We have tried updating firmware and have installed MS patches on XP: KB826942, KB822725
    Any ideas?

    I found the problem:
    Disable "Enable Fast Reconnect" - problem with XPSP1
    Microsoft will fix in SP2
    In IAS configuration select Vendor as Cisco not "RADIUS Standard".

  • Yet another PEAP question...non-Cisco cards...

    So, we are about to embark on building a wireless network infrastructure using 1220 AP's. So far all wireless clients use Cisco cards and Win2k.
    People are interested in all sorts of wireless devices now, some including built in wireless nics or no pci or pcmcia card slots.
    We have ACS 3.1.1. Can we use PEAP in our situation with a client using say a Compaq tablet PC with an integrated NIC? Or, how about a desktop PC running Win2k using something other than a Cisco card? If so, what are the required pieces? PEAP supplicants? etc?
    Thanks!

    Hi ,
    In short, the answer is:
    a) If ACS supports eap-chap (which Microsoft supports), you can use a non-Cisco card with the Microsoft supplicant and it will work fine. I believe ACS 3.2 will support it; I am not sure about ACS 3.1.1.
    b) You can buy a 3rd-party supplicant like Meeting House etc. and can use a non-Cisco card.
    http://www.cisco.com/warp/public/779/smbiz/wireless/wlan_security.shtml
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps458/prod_bulletin09186a0080100194.html
    http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_qanda_item09186a008010018c.shtml
    PEAP is a hybrid process (combination of LEAP and EAP-TLS).
    To download the server-side certificate on ACS you can use the EAP-TLS doc.
    Depending on the AP, use either of the following docs:
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350scg/ap350ch8.htm
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/i1224ja/i1224icg/ivicgaut.htm
    You have to be careful while selecting the client supplicant; you can choose the Cisco PEAP supplicant or the Microsoft PEAP supplicant.
    You can have the Microsoft PEAP supplicant or the Cisco PEAP supplicant.
    If you have the Windows 2000 OS, then if you load Service Pack 3, the Microsoft PEAP supplicant is installed. On top of this, if you install ACU 5.05, the Microsoft supplicant will be overwritten by the Cisco supplicant.
    In the case of XP, if you install Service Pack 1, it will install the Microsoft PEAP supplicant; if you install ACU 5.05, it will be overwritten by the Cisco PEAP supplicant.
    The Microsoft PEAP supplicant sends eap-Chap in the EAP tunnel and Cisco supports EAP-GTC in the EAP tunnel.
    With a non-Cisco card it depends on which RADIUS server and database you are running.
    At present ACS 3.1 supports EAP-GTC, so it will not interoperate with the Microsoft supplicant. In a later release ACS will have support for EAP-Chap so that you can use a 3rd-party card with the Microsoft supplicant and ACS 3.2.
    http://www.cisco.com/warp/public/779/smbiz/wireless/wlan_security.shtml
    http://www.cisco.com/en/US/products/hw/wireless
    Nilesh

  • Another peap question ...

    Who is really using PEAP right now? =) And does it really work perfectly?
    I have been playing around with PEAP for about 2 months and I got it working 2 times.
    Now I have to implement it at a customer site. Yeah =)
    I now have ACS 3.2 and an AP1100, and I got it to work against AD one time on ONE laptop (2k SP3) with a Cisco card. I also have another laptop with Orinoco and XP, and there it doesn't work.
    The one notebook which worked went into standby mode; then I woke it up and had to re-enter the username and password. Doesn't work!! Disabling the card and activating the card doesn't work.
    Yesterday I tested it with an AP350 (VxWorks) and an AP1200 upgraded from VxWorks to IOS; doesn't work (same config as the 1100)?!?!?
    I can't find any REALLY useful documentation on how to configure PEAP RIGHT!! On the Cisco site there is a document on how to configure an AP1100, and there are screenshots of an AP350 =) The newest IOS also has some new features (WPA and so on), and I don't know which to activate and which not.
    I'm really a bit frustrated.
    Has anybody got PEAP really working with: AP1100, ACS 3.2 (not really out now, but I got it for tests (MSCHAPv2); I have also tested it with 3.1 and got it running ONCE!) and laptops with 2k and XP?
    Hope somebody could help me =)
    Regards, Bernhard

    PEAP will work absolutely fine on the AP 1100 with ACS 3.2. But I have come across scenarios in which there are issues when using the 3.2 Beta version.
    I think the following is the document you are referring to (the screenshot is for the 350 AP):
    http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/peapr_tr.htm
    Even though the screenshot is for the AP350, this is applicable to the AP 1100 also. The same procedure can be followed.

  • Having a problem with PEAP and Cisco 2960 Switch

    Hi All,
        I am attempting to use PEAP with an LDAP backend on FreeRadius with the MS Supplicant.  I have it all working; in debug on the Radius server I see it sending all the information, the tunnel, medium etc., but with PEAP the Cisco switch is not changing VLANs.  If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2, but peap-mschapv2 does not switch the port to the right VLAN.  Is there something extra on the switch I need to do to allow PEAP, or is there something on the FreeRadius?
        The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates and the information is sent once (according to the debug on the Radius server), whereas with the EAP the connection information is sent several times; that is, I will see the Tunnel and medium info sent more than once in the Radius log for just one login.
    Any ideas?

    Thought I mentioned the client in the first post; I am using 3 different types of clients with a goal of getting the MS client to work.  I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client.  I mentioned the EAP-MSChapV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2.  I did not release logs from the Radius server because it seems to be centered on something on the switch changing VLANs, but if you want output I can give that.
    CSSC Client pops out:
    14:25:08.453  Network Connection requested from user  context.
    14:25:08.468  Connection authentication started using the logged in  user's credentials.
    14:25:08.468  Port state transition to  AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
    14:25:08.796  Port state  transition to  AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
    14:25:09.828   Port state transition to  AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
    14:25:09.843   Identity has been requested from the network.
    14:25:09.875  Identity has been  sent to the network.
    14:25:09.890  Authentication started using method type  EAP-PEAP, level 0
    14:25:09.890  The server has requested using authentication  type: EAP-PEAP
    14:25:09.890  The client has requested using authentication  type:  EAP-PEAP
    14:25:09.968  Profile does not require server  validation.
    14:25:10.031  Identity has been requested from the  network.
    14:25:10.031  Identity has been sent to the  network.
    14:25:10.046  Authentication started using method type  EAP-MSCHAP-V2, level 1
    14:25:10.046  The server has requested using  authentication type: EAP-MSCHAP-V2
    14:25:10.046  The client has requested  using authentication type:  EAP-MSCHAP-V2
    14:25:10.078  Port state transition  to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
    14:25:10.078  The  authentication process has succeeded.
    *************************Radius Output for PEAP:**************************
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.7 seconds.
    Waking up in 0.7 seconds.
    Waking up in 0.1 seconds.
    Waking up in 3.7 seconds.
    Waking up in 0.1 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for anonymous
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: object not found or got ambiguous search result
    [ldap] search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Waking up in 0.9 seconds.
    Waking up in 0.8 seconds.
    Waking up in 0.8 seconds.
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    [ldap] performing user authorization for RadiusUser
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user RadiusUser authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.8 seconds.
    Waking up in 0.7 seconds.
    Waking up in 3.7 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    **************************Radius output for EAP******************************
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.7 seconds.
    Waking up in 0.7 seconds.
    Waking up in 0.1 seconds.
    Waking up in 3.7 seconds.
    Waking up in 0.1 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    Ready to process requests.
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    [ldap] performing user authorization for Radiususer
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
    [ldap] No default NMAS login sequence
    [ldap] looking for check items in directory...
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
    [ldap] looking for reply items in directory...
    rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
    rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
    rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
    rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
    [ldap] user Radiususer authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    Waking up in 0.9 seconds.
    Waking up in 3.9 seconds.
    Ready to process requests.
    Hope that Helps.

  • PEAP works with Windows zero but not with CSSC

    I got PEAP to work using the Windows zero config but I cannot get PEAP to work when using CSSC on the same laptop.
    When using CSSC I get asked for the password and authentication fails.  ACS is reporting PEAP authentication failed due to unknown CA certificate during SSL handshake.
    Any suggestions?
    Seth

    Look at this ....
    Server Validation
    –The Personal stores are not used for server validation.
    –When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be installed in the Local Computer\Trusted Root store.
    –Any Root CA certificate included in the configuration is ignored and the configuration is translated to validateChainWithAnyCaFromOs. The Root CA certification must be installed by some other means.
    –The certificate store is limited to Local Computer during machine authentication and user authentications when the connection is attempted before Windows logon.
    http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1.1/administration/guide/C2_SetupSSC.html

  • WPA PEAP No working under 10.4.8 and Macbook Pro C2D

    After the Core 2 Duo upgrade I finally decided to buy a Macbook Pro to use at work.
    Everything working fine so far (Love the MBP) except that at work we are using a Radius Server to authenticate with PEAP under WPA for wireless.
    I created the 802.1x connection and after giving it the network name and UID and pwd (SID is not broadcast) it sees the network and connects OK (after accepting the certificate), but I do not get an IP from the DHCP.
    I looked at the forum discussions and apparently this has been an issue before on certain Intel machines but was fixed in 10.4.6 or so; well, apparently it is broken again.
    Called Apple Support but they did not know how to resolve.
    Anyone else having the problem?

    If anyone is interested the problem of instability resurfaced despite doing an archive and instal to reinstal 10.4.8 and then go through the upgrade process from there to instal the updates to bring it back to 10.4.10. Even after that the instability got to the stage that I only had to sneeze and it would crash.
    Ultimately I resorted to backing up all my data onto a 120Gb USB HD, erased the HD drive and started from the beginning again with the discs that came with the MBP. As you can imagine that was a long process and took me from about 4pm in the afternoon to 1am in the morning. Eyes were hanging out of my head after that effort.
    So far I have not had any further problems.
    I really don't know now to what extent that Safari 3 Beta was the cause of all my instability problems but the crash logs seemed to point to it. Some people are reporting no problems with Safari 3 whatsoever so that begs the question if there was a conflict with some 3rd party application I was running or something got corrupted that could not be repaired for whatever the reason.
    After the rebuild I was thinking that re-establishing my iPhoto and iTunes library would be a slow nightmarish process by having to import each photo group or each iTunes album one at a time. I chose to gamble on copying the entire directory for iPhoto and the entire directory for iTunes across from my USB HD. Well I needn't have worried because it worked perfectly. I also had copied out some user/library/.... folders and gambled on copying them back after rebuild in the hope of restoring various setups etc and that worked too. Things like Application Support files, Mail files, selected Preferences, Safari bookmarks and history and Widgets. That sort of approach worked on my well used Windows XP box so thought it would work on the MBP. Worst case is that I would have had to start all over again if I messed it up.

  • Can't create a WPA2-Enterprise wireless connection; missing Microsoft: PEAP

    OS: Windows 7 64-bit Enterprise
    Hardware: Lenovo T410S w/Intel 5300 ABGN Wireless
    If I try to build the wireless connection manually and choose WPA2-Enterprise, then click next, I get 'An unexpected error occurred.' and no options to configure; just close.
    I then tried to create a Preshared Key WPA2 connection. This worked fine. When I go to edit the connection, I have the ability to select the WPA2-Enterprise options, however in the list of Network Authentication methods (under Security Tab), I don't have the Microsoft: PEAP or SmartCard options. I only have Cisco: LEAP,PEAP,EAP-FAST and Intel: EAP-SIM,EAP-TTLS,EAP-AKA (6 entries).
    It's my theory that because the Microsoft options are missing, the wizard gets the unexpected error. I'm wondering how I get the MS ones back.

    Hi,
    Thanks for posting in Microsoft TechNet forums.
    Do you have Symantec installed? It is said the issue could be due to conflict with Symantec Endpoint Protection. Please uninstall\reinstall Symantec if it is there.
    Best Regards
    Magon Liu
    TechNet Subscriber Support

  • ISE 1.2 - MAR cache with PEAP vs EAP Chaining

    Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless?  It's not still tied to the windows log in event as with PEAP?
    I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
    https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/

    Yes if you set up NAM for EAP-Chaining - Machine and User, and then select EAP-TLS w/cert, nam will send both when a user logs in. When the machine is booting only the machine identity will be sent (because we don't know the users identity before they have attempted to log in).
