PEAP.

Similar Messages

• Having a problem with PEAP and Cisco 2960 Switch

  Hi All,
      I am attempting to use PEAP with a LDAP backend on FreeRadius witht he MS Supplicant.  I have it all working, in debug on the Radius server I see it sending all the information, the tunnel, medium etc. but with PEAP the Cisco switch is not changing VLANS.  If I install the Cisco or Juniper client it works just fine if I use eap-mschapv2 but peap-mschapv2 does not switch the port to the right vlan.  Is there something extra on the switch I need to do to allows PEAP or is there something on the FreeRadius? 
      The only difference between the PEAP and EAP versions that I can tell is that the PEAP authenticates ands the information is sent once(according to the debug on the Radius server) where as with the EAP the connection information is sent several times, that is I will see the Tunnell and medium info sent more then once in the Radius log for just one login.
  Any ideas?

  Thought I mentioned the client in the first post, I am using the 3 different types of clients with a goal of getting the MS client to work.  I am using the Juniper Odyssey client, Cisco CSSC client and the MS built-in client.  I mentioned the EAP-MSChanpV2 because I tested that login so I could compare the Radius output with that of PEAP-MSChapV2.  I did not release logs from the Radius server because it seems to be centered with something on the switch changing Vlans but if you want output I can give that..
  CSSC Client pops out:
  14:25:08.453  Network Connection requested from user  context.
  14:25:08.468  Connection authentication started using the logged in  user's credentials.
  14:25:08.468  Port state transition to  AC_PORT_STATE_CONNECTING(AC_PORT_STATUS_STARTED)
  14:25:08.796  Port state  transition to  AC_PORT_STATE_UNAUTHENTICATED(AC_PORT_STATUS_8021x_FORCED_UNAUTH)
  14:25:09.828   Port state transition to  AC_PORT_STATE_AUTHENTICATING(AC_PORT_STATUS_8021x_ACQUIRED)
  14:25:09.843   Identity has been requested from the network.
  14:25:09.875  Identity has been  sent to the network.
  14:25:09.890  Authentication started using method type  EAP-PEAP, level 0
  14:25:09.890  The server has requested using authentication  type: EAP-PEAP
  14:25:09.890  The client has requested using authentication  type:  EAP-PEAP
  14:25:09.968  Profile does not require server  validation.
  14:25:10.031  Identity has been requested from the  network.
  14:25:10.031  Identity has been sent to the  network.
  14:25:10.046  Authentication started using method type  EAP-MSCHAP-V2, level 1
  14:25:10.046  The server has requested using  authentication type: EAP-MSCHAP-V2
  14:25:10.046  The client has requested  using authentication type:  EAP-MSCHAP-V2
  14:25:10.078  Port state transition  to AC_PORT_STATE_AUTHENTICATED(AC_PORT_STATUS_EAP_SUCCESS)
  14:25:10.078  The  authentication process has succeeded.
  *************************Raidus Ouptut for PEAP:**************************
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.7 seconds.
  Waking up in 0.7 seconds.
  Waking up in 0.1 seconds.
  Waking up in 3.7 seconds.
  Waking up in 0.1 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for anonymous
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  rlm_ldap: object not found or got ambiguous search result
  [ldap] search failed
  rlm_ldap: ldap_release_conn: Release Id: 0
  [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
  Waking up in 0.9 seconds.
  Waking up in 0.9 seconds.
  Waking up in 0.9 seconds.
  Waking up in 0.8 seconds.
  Waking up in 0.8 seconds.
  Waking up in 0.8 seconds.
  [ldap] performing user authorization for RadiusUser
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.8 seconds.
  [ldap] performing user authorization for RadiusUser
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.8 seconds.
  [ldap] performing user authorization for RadiusUser
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user RadiusUser authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.8 seconds.
  Waking up in 0.7 seconds.
  Waking up in 3.7 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  Ready to process requests.
  **************************Radius ouput for EAP******************************
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.7 seconds.
  Waking up in 0.7 seconds.
  Waking up in 0.1 seconds.
  Waking up in 3.7 seconds.
  Waking up in 0.1 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  Ready to process requests.
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  [ldap] performing user authorization for Radiususer
  rlm_ldap: ldap_get_conn: Checking Id: 0
  rlm_ldap: ldap_get_conn: Got Id: 0
  [ldap] Added the eDirectory password Whatever in check items as Cleartext-Password
  [ldap] No default NMAS login sequence
  [ldap] looking for check items in directory...
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 == "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 == IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 == VLAN
  [ldap] looking for reply items in directory...
  rlm_ldap: radiusServiceType -> Service-Type = Authenticate-Only
  rlm_ldap: radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "SomeVlan"
  rlm_ldap: radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802
  rlm_ldap: radiusTunnelType -> Tunnel-Type:0 = VLAN
  [ldap] user Radiususer authorized to use remote access
  rlm_ldap: ldap_release_conn: Release Id: 0
  Waking up in 0.9 seconds.
  Waking up in 3.9 seconds.
  Ready to process requests.
  Hope that Helps.

• PEAP works with Windows zero but not with CSSC

  I got PEAP to work using the windows zero config but I cannot get PEAP to work when usin CSSC on the same laptop.
  When using CSSC I get asked for the password and authentication fails.  ACS is reporting PEAP authentication failed due to unknown CA certificate during SSL handshake.
  Any suggestions?
  Seth

  Look at this ....
  Server Validation
  –The Personal stores are not used for server validation.
  –When the configuration specifies validateChainWithAnyCaFromOs, the certificate must be installed in the Local Computer\Trusted Root store.
  –Any Root CA certificate included in the configuration is ignored and the configuration is translated to validateChainWithAnyCaFromOs. The Root CA certification must be installed by some other means.
  –The certificate store is limited to Local Computer during machine authentication and user authentications when the connection is attempted before Windows logon.
  http://www.cisco.com/en/US/docs/wireless/wlan_adapter/secure_client/5.1.1/administration/guide/C2_SetupSSC.html

• WPA PEAP No working under 10.4.8 and Macbook Pro C2D

  After the Core 2 Duo upgrade I finally decided to buy a Macbook Pro to use at work.
  Everything working fine so far (Love the MBP) except that at work we are using a Radius Server to authenticate with PEAP under WPA for wireless.
  I created the 802.1x connection and after giving it the Network name and UID and pwd (SID is not broad casted) it sees the network and connects OK (after accepting the certificate) but I do not get an IP from the DHCP.
  I looked at the forum discussions and apparently this has been an issue before o certain Intel machines but was fixed on 10.4.6 or so, well apparently is brocken again.
  Called Apple Support but they did not know how to resolve.
  Anyone else having the problem?

  If anyone is interested the problem of instability resurfaced despite doing an archive and instal to reinstal 10.4.8 and then go through the upgrade process from there to instal the updates to bring it back to 10.4.10. Even after that the instability got to the stage that I only had to sneeze and it would crash.
  Ultimately I resorted to backing up all my data onto a 120Gb USB HD, erased the HD drive and started from the beginning again with the discs that came with the MBP. As you can imagine that was a long process and took me from about 4pm in the afternoon to 1am in the morning. Eyes were hanging out of my head after that effort.
  So far I have not had any further problems.
  I really don't know now to what extent that Safari 3 Beta was the cause of all my instability problems but the crash logs seemed to point to it. Some people are reporting no problems with Safari 3 whatsoever so that begs the question if there was a conflict with some 3rd party application I was running or something got corrupted that could not be repaired for whatever the reason.
  After the rebuild I was thinking that re-establishing my iPhoto and iTunes library would be a slow nightmarish process by having to import each photo group or each iTunes album one at a time. I chose to gamble on copying the entire directory for iPhoto and the entire directory for iTunes across from my USB HD. Well I needn't have worried because it worked perfectly. I also had copied out some user/library/.... folders and gambled on copying them back after rebuild in the hope of restoring various setups etc and that worked too. Things like Application Support files, Mail files, selected Preferences, Safari bookmarks and history and Widgets. That sort of approach worked on my well used Windows XP box so thought it would work on the MBP. Worst case is that I would have had to start all over again if I messed it up.

• Can't create a WPA2-Enterprise wireless connection; missing Microsoft: PEAP

  OS: Windows 7 64-bit Enterprise
  Hardware: Lenovo T410S w/Intel 5300 ABGN Wireless
  If I try to build the wireless connection manually and choose WPA2-Enterprise, then click next, I get 'An unexpected error occurred.' and no options to configure; just close.
  I then tried to create a Preshared Key WPA2 connection. This worked fine. When I go to edit the connection, I have the ability to select the WPA2-Enterprise options, however in the list of Network Authentication methods (under Security Tab), I don't have
  the Microsoft: PEAP or SmartCard options. I only have Cisco: LEAP,PEAP,EAP-FAST and Intel: EAP-SIM,EAP-TTLS,EAP-AKA (6 entries).
  It's my theory that because the Microsoft options are missing, the wizard gets the unexpected error. I'm wondering how I get the MS ones back.

  Hi,
  Thanks for posting in Microsoft TechNet forums.
  Do you have Symantec installed? It is said the issue could be due to conflict with Symantec Endpoint Protection. Please uninstall\reinstall Symantec
  if it is there.
  Best Regards
  Magon Liu
  TechNet Subscriber Support
  in forum. If you have any feedback on our support, please contact
  [email protected]
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

• ISE 1.2 - MAR cache with PEAP vs EAP Chaining

  Does EAP chaining with EAP-FAST v2 and NAM 3.1 present the machine certificate for authentication during each connection to wireless?  It's not still tied to the windows log in event as with PEAP?
  I found this article, but would like to see if anyone has experience working with EAP chaining in ISE.
  https://tswireless.wordpress.com/2012/09/22/cisco-ise-machine-authentication-cache/

  Yes if you set up NAM for EAP-Chaining - Machine and User, and then select EAP-TLS w/cert, nam will send both when a user logs in. When the machine is booting only the machine identity will be sent (because we don't know the users identity before they have attempted to log in).

• ISE 1.2, Patch 7: "NAK requesting to use PEAP instead"

  We're experiencing seemingly random occurrences of users failing authentication because they're trying PEAP vs EAP. Does anyone know if it is possible to force the Windows supplicant to use EAP only?
  For what it's worth, the user can fail authentication for hours and I can either allow open authentication on the port for a bit, or the user can leave for the day and come back tomorrow and authentication will succeed. I'm not sure if it's an ISE problem or a supplicant problem, but I'm leaning towards supplicant.
  Personas:
  Administration
  Role:
  PRIMARY(A)
  System Time:
  Apr 24 2014 08:26:58 AM America/New_York
  FIPS Mode:
  Disabled
  Version:
  1.2.0.899
  Patch Information:
  7,1,3
  11001
  Received RADIUS Access-Request
  11017
  RADIUS created a new session
  15049
  Evaluating Policy Group
  15008
  Evaluating Service Selection Policy
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule
  11507
  Extracted EAP-Response/Identity
  12500
  Prepared EAP-Request proposing EAP-TLS with challenge
  12625
  Valid EAP-Key-Name attribute received
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12301
  Extracted EAP-Response/NAK requesting to use PEAP instead
  12300
  Prepared EAP-Request proposing PEAP with challenge
  12625
  Valid EAP-Key-Name attribute received
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12302
  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
  12318
  Successfully negotiated PEAP version 0
  12800
  Extracted first TLS record; TLS handshake started
  12805
  Extracted TLS ClientHello message
  12806
  Prepared TLS ServerHello message
  12807
  Prepared TLS Certificate message
  12810
  Prepared TLS ServerDone message
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12318
  Successfully negotiated PEAP version 0
  12812
  Extracted TLS ClientKeyExchange message
  12804
  Extracted TLS Finished message
  12801
  Prepared TLS ChangeCipherSpec message
  12802
  Prepared TLS Finished message
  12816
  TLS handshake succeeded
  12310
  PEAP full handshake finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  12313
  PEAP inner method started
  11521
  Prepared EAP-Request/Identity for inner EAP method
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11522
  Extracted EAP-Response/Identity for inner EAP method
  11806
  Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11808
  Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
  15041
  Evaluating Identity Policy
  15006
  Matched Default Rule
  15013
  Selected Identity Source - *****
  24431
  Authenticating machine against Active Directory
  24470
  Machine authentication against Active Directory is successful
  22037
  Authentication Passed
  11824
  EAP-MSCHAP authentication attempt passed
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  11810
  Extracted EAP-Response for inner method containing MSCHAP challenge-response
  11814
  Inner EAP-MSCHAP authentication succeeded
  11519
  Prepared EAP-Success for inner EAP method
  12314
  PEAP inner method finished successfully
  12305
  Prepared EAP-Request with another PEAP challenge
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12304
  Extracted EAP-Response containing PEAP challenge-response
  15036
  Evaluating Authorization Policy
  24433
  Looking up machine in Active Directory - host/*****
  24435
  Machine Groups retrieval from Active Directory succeeded
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15048
  Queried PIP
  15004
  Matched rule - Default
  15016
  Selected Authorization Profile - DenyAccess
  15039
  Rejected per authorization profile
  12306
  PEAP authentication succeeded
  11503
  Prepared EAP-Success
  11003
  Returned RADIUS Access-Reject 

  salodh,
  Thank you for your response. Below is the authorization policy it should hit. The trouble is the workstation wants to use PEAP for some reason but we don't want PEAP because we're certificate-based. I understand what you're saying, and it's because I didn't word my question correctly. 
  12500
  Prepared EAP-Request proposing EAP-TLS with challenge
  12625
  Valid EAP-Key-Name attribute received
  11006
  Returned RADIUS Access-Challenge
  11001
  Received RADIUS Access-Request
  11018
  RADIUS is re-using an existing session
  12301
  Extracted EAP-Response/NAK requesting to use PEAP instead 
  If the NAK would not request PEAP, it would continue on to the following Authorization Policy (and succeed):
  Name
  Wired-******-PC
   Conditions
  Radius:Service-Type EQUALS Framed
  AND
  Radius:NAS-Port-Type EQUALS Ethernet
  AND
  *******:ExternalGroups EQUALS **********/Users/Domain Computers
  AND
  Network Access:EapAuthentication EQUALS EAP-TLS
  Again, this PEAP request only happens occasionally. This same workstation will work at other days/times. If I could figure out why some workstations randomly request PEAP (or find a way to force EAP only) I think that would take care of it.
  Thanks again, sir.
  Andrew

• Windows client intermittent connection to PEAP WIFI backed off to ISE 1.2 wildcard cert

  I am setting up a topology whwere for the first time I am deplying ISE with a wildcard certificate.  This is on ISE 1.2 patch 6, WLC's running 7.6 and Windows 7 clients in AD.  The ISE policy is just to match on machine auth.
  The setting up of the wildcard cert went ok as guided by the CCO ISE 1.2 deployment/cfg guide.
  When it came to testing the client auth as always I start off with the PEAP settings of Validate server certificate off, just to confirm the WLC and ISE are playing ball.  They were, the auth passed.
  I then tick the Validate server certificate, make sure the CA (Windows AD) is in the Trusted Root Certification Authorities.  Retest and the client passes.
  If I then disconnect the wifi and reconnect, either manually or by doing a reboot, the next authenticaiton fails, but nothing has changed.  ISE reports that my Windows client rejected the server certificate.  Which is odd as it just accepted it.
  If I untick the validate the client passes, if i tick it again it will authenticate fine, once.  The next connection it will fail again with the client rejecting ISE.
  Anyone got any ideas?

  I have had a similar issue consistently with 1.2 on both pathc 5 and 6 (not sure about earlier one). Basically what I am seeing is the client rejecting the Server cert when validate is unticked. Most of the time the client connects just fine a few seconds later but some clients need a reboot to fix it. As a rule I put this down to client issue but not 100% sure some times.

• 802.1x EAP-PEAP over Ethernet need help !!!

  I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
  troubleshooting this, I am not sure what else to do.  Need help.  Here
  is the scenario:
  - Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
  - Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
  with IP address of 129.174.2.7.  This device is connected to the same switch above.
  Firewall is OFF on the server, allow ALL,
  - Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
  Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
  on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
  as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
  the port is activate to be "hot".
  - Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
  and that everything is looking fine,
  I have verified that the switch can communicate fine with the radius server.
  - Configuration on the switch for 802.1x:
  aaa new-model
  aaa authentication dot1x default group radius
  radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
  interface FastEthernet0/39
    description windows 2003 Supplicant
    switchport access vlan 401
    switchport mode access
    dot1x port-control auto
    no spanning-tree portfast (does not matter if this is enable or disable)
  lab-sw-1#
  .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
  .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
  .May 20 07:52:47.338: EAPOL pak dump Tx
  .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
  .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
  .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
  lab-sw-1#
  lab-sw-1#sh dot1x interface f0/39
  Dot1x Info for FastEthernet0/39
  PAE                       = AUTHENTICATOR
  PortControl               = AUTO
  ControlDirection          = Both
  HostMode                  = SINGLE_HOST
  Violation Mode            = PROTECT
  ReAuthentication          = Disabled
  QuietPeriod               = 60
  ServerTimeout             = 30
  SuppTimeout               = 30
  ReAuthPeriod              = 3600 (Locally configured)
  ReAuthMax                 = 2
  MaxReq                    = 2
  TxPeriod                  = 30
  RateLimitPeriod           = 0
  lab-sw-1#
  I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
  help me how to make this work.
  Many thanks in advance,

  #1:  dot1x system-auth-control is already in the switch configuration
  #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
  The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

• 5760 WLC & ISE 1.2 PEAP Issues

  I have the following setup:
  WLC 5508 (7.4.100)
  WLC 5760 (03.03.02)   (I'm replacing the 5508 with the 5760)
  ISE 1.2
  Im currently running 802.1x PEAP with external AD authentication, on the 5508 and everything is working 100%.
  As soon as I switch the users over to the 5760 I get the following errors on the ISE:
  Event
  5440 Endpoint abandoned EAP session and started new
  Failure Reason
  5440 Endpoint abandoned EAP session and started new
  Resolution
  Verify known NAD or supplicant issues and published bugs. Verify NAD and supplicant configuration.
  Root cause
  Endpoint started new authentication while previous is still in progress. Most probable that supplicant on that endpoint stopped conducting the previous authentication and started the new one. Closing the previous authentication.
  I took the config of a working 5760, why would this one give the above errors ?
  Jaco

  Hello!
  Turn on debugs on your 5760 to track authentication activities. Most probably you'll spot the issue from them. If not - post them here, so we'll have a look as well.
  Thanks, Irina

• Has anyone included an AUP Page as part of a PEAP Auth process on ISE?

  I was wondering if somebody has ever tried to include UAP in a PEAP wireless connection using ISE. I am still doing tests and trying to make it work. Any general ideas are well-received.
  thanks

  Hi Jan,
  Thanks for answering. In fact, I could see the AUP displayed after the AUTH succeeded on IPAD 2/4 (I have not tested the rest of the devices I have - Samsung tab/Blackberry/Iphone/Win7).
  I created an AUTHZ policy which pointed to an AUTHZ Profile after the successful AUTH. It is something like you mentioned, doing CWA after dot1x validation but only applies for user identity. I am still trying to make it work the part on which I accept the AUP and click OK because it is redirecting me to the default ISE Guest Portal and falling in a loop (similar to the one mentioned on the CWA configuration).
  If you have any other ideas is welcomed.

• PEAP EAP-MSCHAP v2

  Hi!
  Does anyone know if the router wrt320n or any other linksys router (wireless or wired) support 802.1x authentification, particularly PEAP EAP-MSCHAP v2? I'm connected to a network that provides access to the internet via ethernet cable and 802.1x authentification. I'd like now to connect several devices to the network through a router, but I'm not sure if the wrt320n can log on to the network, because of the 802.1x authentification.
  Thanks!

  No. They don't support 802.1X authentication (neither supplicant nor authenticator). The WRT and all Linksys branded routers are consumer routers. 802.1X authentication is a business feature which you may find in Cisco Small Business or better devices.

• PEAP MSCHAP restriccion to block connections from Iphone

  Good day my name is Ivan
  I have a problem about my wireless network.
  I have a Cisco WLC 5508 in which I have configured two SSID's. An SSID is working on my corporate network users, which uses 802.1X PEAP MSCHAP v2 session to authenticate user and computer in the wireless network.
  Computers are validated as part of the domain objects
  Everything works great but when I use a mobile device like an iPhone, iPad, or other similar, the iPhone asks me to write the domain user account (username and password) and below asks me inherit ACS certificate v5 .4 (Security server). I give a click to accept the certificate and admission to corporative wireless network.
  That is a security hole, since from the IPhone any person who knows the credentials of a corporate user, may enter the corporate network by the SSID set.
  What I can do in the ACS v5.4 for the IPhone not automatically inherit the user certificate. Any restrictions or configuration to support PEAP MSCHP V2 in Cisco ACS?.
  My ACS v5.4 is integrated to Active Directory with Machine authentication.
  My other solution is to use EAP TLS. But I would like to exhaust all MSCHAPV2 PEAP.
  I understand that PEAP user certificate valid only, not machine.
  Can you help with some advice?
  Thank you.

  Hi Scott, thanks for your answer
  Is there any special settings in policies, because I already I have configured two policies, one for authentication and authorization of users and one for computers.
  I have enabled MAR (Machine Access Restriction)
  Maybe I need to add some policy or characteristic of politics
  Maybe some condition especially as
  Compund condition: service type: match framed, nasport IEEE 802.1X wireless type?
  Thank you.

• Cannot connect to wlan eap-peap athentication fail...

  Hi all
  I have A nokia N97 which I tried to connect to my work WLAN but I get  eap-peap athentication failed. We do user a certificate which I have installed on the phone but it does not connect. It does not even promt for user name or password. I can connect to my home wireless which just ask for a security key which i enter and it works please please help.
  Please help

  I got it working please read my How to
  /t5/Connectivity/How-to-connect-to-wlan-with-n97-u​sing-ca-certificate/td-p/659372

• How to connect to AP with WPA2, EAP-PEAP, MSCHAPv2...

  I am trying to connect to the company network, but it always shows "PEAP authentication failed".
  There are only instructions for iPhone and PC.
  security : WPA2-Enterprise
  authority certificate : None
  Security Type : PEAP
  Inner Link Security : EAP-MSCHAPv2
  additionally MAC address filtering.
  The access point I set is as follows:
  network status: public
  wLAN network mode: infrastructure
  security: WPA/WPA2
  WPA2 only mode: off
  EAP plug-in setting: EAP-PEAP enable only
  personal certificate: not defined
  authority certificate: not defined
  user name: user-defined   BLANK
  realm in use: user-defined   BLANK
  allow PEAPv0
  MSCHAPv2
  user name: username
  password: mypassword
  We have domain, but there are no command about domain in iPhone guide. 
  Is there anything wrong of my setting?

  WPA2-Enterprise is not supported on your device.
  ‡Thank you for hitting the Blue/Green Star button‡
  N8-00 RM 596 V:111.030.0609; E71-1(05) RM 346 V: 500.21.009

• Enterprise Wireless using WPA, TKIP, PEAP

  I received my wireless protocols from my work. However, it doesn't look like iPhone will be able to connect. Here are the instructions for connecting a Windows computer to the network. Is there a way to configure the iPhone to do the same?
  1. Manually Add Network
  2. Choose WPA network authentication
  3. Choose TKIP data encryption
  4. Choose PEAP, EAP type
  5. Do not automatically log in
  6. Have a login page come up with user name, password and domain options available.
  Thanks.

  Can't be done at this time...iphone will not connect to a domain.
  My work just setup a access point that gives free wifi internet access only. No network resources are available only internet access. Maybe an option for your work as well.