WDS & PEAP

Similar Messages

• WDS: Keys managment with PEAP

  Hi
  I have to install a WLAN in my company
  I have to make 4 Vlan (1 for the wired managment equipments and 3 SSID)
  I have 30 1231AP with 12.3 JA version, 4 2950-24XL and 4 PIX 506E (1/vlan)
  I have Windows XP SP2 stations, and I want to use the native PEAP option ( without vendors supplicants)
  Questions
  Does the WDS AP cache the user session key when using WPA/PEAP methods or does it cache keys only with CCKM methods?
  If it's not working with WPA/PEAP methods, does it usefull to implement WDS Infrastructure?
  Best regards
  Julien

  WDS caches the Master key as used in CCKM authentication for fast re-authentication for roaming clients. As a client roams to new AP, it will re-authenticate with WDS using this Master key & CCKM key authentication protocol.
  If clients are not CCKM-capable, the WDS merely passes a session key to the AP.

• PEAP support with WDS

  Hi,
  I understand that the WDS can provide fast roaming by caching the authenticated user credentials when using LEAP. But what if I use PEAP with certificates for both server and client authentication? I suppose the WDS won't be able to cache the certificates. Then, how doesn't it work? Or is PEAP supported by WDS? Thanks.

  WDS is a centralized method of security that can be used with any EAP method for the authentication of your clients. Refer
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml#backinfo

• EAP-TLS PEAP FAIL DURING SSH HANDSHAKE

  Hi Pros,
                 I am a newbie in the ACS 4.2 and EAP-TLS implementation, with that being said. I face an issue during a EAP-TLS implementation. My search shows that this kind of error message is already certificate issue;However, I have deleted and recreated the certificate in both ACS and the client with the same result. I have deleted and re-install the certchain as well.
  When I check my log in the failed attemps, there is what I found:
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  Network Access Profile Name
  Authen-Failure-Code
  Author-Failure-Code
  Author-Data
  NAS-Port
  NAS-IP-Address
  Filter Information
  PEAP/EAP-FAST-Clear-Name
  EAP Type
  EAP Type Name
  Reason
  Access Device
  Network Device Group
  06/23/2010
  17:39:51
  Authen failed
  000e.9b6e.e834
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1101
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Networ
  06/23/2010
  17:39:50
  Authen failed
  [email protected]
  Default Group
  000e.9b6e.e834
  (Default)
  EAP-TLS or PEAP authentication failed during SSL handshake
  1098
  10.111.22.24
  25
  MS-PEAP
  wbr-1121-zozo-test
  Office Network
  [email protected]
  = my windows active directory name
  1. Why under EAP-TYPE it shows MS-PEAP not EAP-TLS? I did configure EAP-TLS....
  2. Why sometimes it just shows the MAC of the client for username?
  3. Why  it puts me in DEFAULT-GROUP even though i belongs to a group well definy in the acs?
  2. Secondly, When I check in pass authentications... there is what i saw
  Date
  Time
  Message-Type
  User-Name
  Group-Name
  Caller-ID
  NAS-Port
  NAS-IP-Address
  Network Access Profile Name
  Shared RAC
  Downloadable ACL
  System-Posture-Token
  Application-Posture-Token
  Reason
  EAP Type
  EAP Type Name
  PEAP/EAP-FAST-Clear-Name
  Access Device
  Network Device Group
  06/23/2010
  17:30:49
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  06/23/2010
  17:29:27
  Authen OK
  groszozo
  NOC Tier 2
  10.11.10.105
  1
  10.111.22.24
  (Default)
  wbr-1121-zozo-test
  Office Network
  In the output below, it says that the user is authenticate and it puts the user in the right group with the right username, but the user never really authenticate. Maybe for the first few seconds when I initiate the connection.
  Before I forget, the suppliant is using WIN XP and 802.1x is enable. I even uncheck not verify the server and the ACS under External User Databases, I did  check ENABLE EAP-TLS machine authentication.
  Thanks in advance for your help,
  Crazy---

  I had this message recently. The first issue I found was that the username entered into the laptop was not correct (I had djohnson, need to have DJohnson)
  The second issue I had was that my AP's were not authenticating to my WDS access point. I had turned off LEAP on my ACS server by accident causing the WDS authentication to fail. Once I turned this back on, my AP's authenticated to my WDS device and my users authenticated to the AP's.
  Otherwise, the meaning of this is that the certs are not matching up correctly with the server either due to expiered certs, incorrect cert type on the users machine or incorrect information in the cert.
  Hope this helps.

• EAP-TLS or PEAP authentication failed during SSL handshake error

  I have 2 Windows 2003 ACS 3.2 servers. I am in the process of upgrading them to ACS 4.0. I am using them for WPA2/PEAP wireless authentication in a WDS environment. I recently upgraded one to ACS 4.0 and ever since that time some (not all) of my Windows XP clients have started to not be authenticated and logging the error "EAP-TLS or PEAP authentication failed during SSL handshake" on the ACS 4.0 server. During the upgrade (which was successful) I did change the Certificate since the current one was going to expire November 2007.
  The clients that do not authenticate on the ACS 4.0 server I can point to the ACS 3.2 server and they successfully authenticate there. I am able to resolve the issue by recreating the Windows XP PEAP profile for the wireless network and by getting a new client Cert. But, I have a couple of questions:
  Is the "EAP-TLS or PEAP authentication failed during SSL handshake" error due to the upgrade to ACS 4.0 or to the fact that I changed the Certificate, or both?
  Can this error ("EAP-TLS or PEAP authentication failed during SSL handshake") be resolved without me touching every Windows XP client (we have over 250+)?
  Thanks for the help

  My experience suggests that the problem is the certificate.
  I'm running ACS 3.3.
  I received the same error message when my clients copied the certificate to the wrong location, or otherwise did not correctly follow the provided instructions.
  Correctly following the instructions led to a successful connection and no more error message.

• Windows XP WPA2 PEAP authentication prompt

  We are using Windows XP clients with WPA2 enterprise PEAP machine and user authentication (using windows supplicant, with the PEAP patch installed). We are using ACS 4.0.1 servers for authentication in a WDS environment.
  The issue is sometimes we will see the laptop request authentication to the network once the user logs in. A yellow dialog box will appear in the lower right hand corner of the screen and request they reenter the username, password and domain. It does not happen often and most of the time this happens if for some reason the WLAN goes away, like a power outage, etc. But it does drive the users crazy and they drive me crazy about it.
  Has anyone experianced this issue and know of why it is doing it and how to make it go away?
  Thanks

  yes, authentication is succesful after that.
  I forgot to mention that the prompt says: "Click here to select a certificate or other credentials for conection to the network (SSID)"
  This may just be a normal function of the Windows XP supplicant I have just been wondering.
  Thanks for the responses.

• Are there any benifits to enabling WDS without WLSE?

  My clients will be using WPA with PEAP and 2 ACS 3.3 servers for authentication. Other than having an AP to be the focal point for authentication for a Wireless segment. Are there any benefits to using WDS without having WLSE?

  Yes, there are benefits from WDS:
  - list of client associations
  - list of access points in domain
  - fast secure roaming for LEAP (and EAP-FAST?)
  - local authentication (radius backup) for LEAP and EAP-FAST
  - radio management aggregation
  Only radio management needs WLSE to be useful.
  Local authentication is possible without WDS.
  WDS can be configured on an access point and also on an IOS router (like the 2811) from IOS 12.3(11)T with security feature sets.
  As an network administrator I would not do it without WDS. I does not cost extra or performance but it gives centralized information on the WDS device.
  Jens Neelsen

• AMD CPU with Vista cannot connect to WLAN using MS-PEAP with WEP-128

  We have a notebook "HP Pavilion tx1000 (AMD Turion64 CPU with Vista 32bits)". The notebook is using Broadcom 802.11a/b/g chipset, running AMD and Vista. It cannot associate to WLAN using MS-PEAP and WEP-128. Also, it cannot associate to PEAP and WPA2-AES.
  The AP's log shows:
  Oct 11 15:35:20 CCT: %DOT11-7-AUTH_FAILED: Station xxxx.xxx.xxxx Authentication failed
  The ACS's log shows:
  "EAP-TLS or PEAP authentication failed during SSL handshake"
  We do not validate the certificate in the wireless setup. Vista's WLAN AutoConfig is used to configure the wireless profile. We are running Autonomous AP with Switch-Based WDS (WLSM).
  We have no issue with Intel Centrino on the above authentication and encryption scheme.
  Have checked the CCX program, broadcom 802.11a/b/g chipset is supported only for windows 2000 and xp. There is no mentioning about support for vista. Could this be a compatibility issue?
  Please advise and thks

  Maybe look at this post: http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=WLAN%20Radio%20Standards&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddf9be9/5#selected_message

• Is WDS useful for non CCKM capable clients?

  Hi,
  I have been reading abut WDS recently and let's say you have a couple of 1140s and want to have users authenticating with MS IAS (using PEAP) and enable roaming for them.
  There aren't any funky IP Phones or other clients that would support CCKM. Just laptops from different vendors.
  What benefit can you get from running WDS? Does it support roaming in the way that when a user roams from one AP to another not all of PEAP auth packets go to the RADIUS server so it's quick? And with CCKM it would be super extra quick?
  Or, there's no benefit and setting up both APs with the same SSID and auth on non-overlapping channels would be enough?
  Thanks and regards,
  Miro

  What happens if you only have the same SSID and roam, the clients will reauthenticate with PEAP to the IAS. Count on 1 second gap every time you roam.
  This is actually totally ok for data clients usually (applications rarely notice when network is unreachable for less than a second).
  Having a WDS has the advantage that it's always the same AP doing the authentication towards IAS so that's less configuration on the IAS side.
  The biggest advantage is when used with CCKM indeed.
  If CCKM is not an option, you have to rely on WPA2 fast roaming. But on IOS APs, it only occurs when a client roams to an AP it was already associated to. It then reuses the same keys.
  Not as effective obviously

• Using WDS with Windows IAS

  We have an autonomous wireless network that is using WPA/TKIP, and authenticating back to a Windows 2003 IAS Server.
  We are going to be adding wireless to other offices, and are looking at implementing WDS. I have found documenation on Cisco's site regarding WDS, but none of the documents refer using WDS with IAS. Has anyone been able to implement this?

  What I don't understand is in the configuration process of WDS. When adding an access point to WDS, it mentions entering in a username and password. Do I set this username and password as a local account on the IAS server?
  http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37roamg.html#wp1052310
  I think I failed to mention this, but on the client side, the EAP type is PEAP that we are using. I also noticed that in order to enable 802.11N, I had to change the encryption type to WPA2/AES in order to enable the N speeds.

• Unable to WDS install Win 8.1 VM on Hyper-V 2012 R2

  Hi.
  We've recently gone from Server 2008 R2 (Data Center) to Windows 2012 R2 (Data Center) and we're now trying to install Windows 8.1 clients on our Hyper-V solution.
  When using the virtual machine creation wizard I create two test machines.
  One machine is a gen1 and one machine is gen2 both are set to install via network (MDT 2013) and both a given a 40GB disk and 4GB of ram. Both installations fail.
  "Windows setup could not configure windows to run on this computer's hardware".
  According to everything I've found on the web this could happen if you try and install Windows 7 - something to do with 4K disks I think. This shouldn't happen on Windows 8.x.
  I've seen a few posts where they explain the IDE controller being unable to handle 4K disks so that might explain something but in my case I also have a gen2 machine where disk is attached to a SCSI controller.
  As I understand it a server 2012 R2 with Hyper-V should be able to have a Windows 8.1 installed on a VHDX file on a SCSI controller.
  Can anyone help out here?
  Thank you!

  According to the web setup.exe /quiet /norestart should be valid parameters for the components.
  What I mean by Applicaton Install is that there's a part of a Deployment Share where you can choose to install applications. A Task which will run at a appropriate time, e.g. Office is installed into our base image at that time. I tried including the Integration
  Components before the Office install creating a base image with Office 2013 and the IC.
  I also tried to use the base image a create a task for VMs only where no driver what so ever gets installed - it simply installs the base image created and activates Windows and nothing more. That doesn't work either.
  The problem in a nutshell is this:
  I want to install via MDT/WDS. I don't care if it's a regular machine or a virtual one. Both should work.
  I've created several base images (Win7_x86, Win7_x64, Win8_x64 etc.) with Office included and everything has worked fine except when I try and install Windows 8 as a VM.
  I must say that I've tweaked around and tried a few things while trying to find the problem so I probably have to test some things again to make sure what I say goes but we've installed both Win7 & Win8 on regular machines without problems but I can't
  seem to install a Windows 8 machine via MDT/WDS for some reason as a VM - only on regular PCs.
  As tested above installing via ISO works fine and creating a new image didn't help either.
  The way I capture an OS is by simply write DoCapture=YES in my Deployment Share Rules section and boot into that Deployment Share (then I get a menu where I can choose to capture the machine and it simply installs the imported Windows ISO via a Standard
  Client Task Sequence (where it also installs Office - there's an Application Install section part of the Standard Client Task Sequence).
  So really really short; the image I try to install works fine on a regular PC but won't install on Hyper-V.

• Unable to get Airport Express to extend Time Capsule via WDS

  Hi all,
  I have a Time Capsule that's a couple years old, and recently decided to try to extend its network given that we recently did a lot of re-arranging things in our home.  I followed the instructions posted here for using version 5.5.2 of the Airport Utility but I'm not having any luck...  I've triple-checked that the SSID, security settings, etc. are identical between the two devices.  I set the Time Capsule as the main WDS device and entered the airport ID of the Airport Express into it, and set the Airport Express as the remote WDS device and put the airport ID of the Time Capsule there.  As far as I can tell I've got all the settings correct.
  What really confuses me is that I can get the two devices so that the Time Capsules status light is green but the Airport Extreme's status light is yellow.  The Time Capsule reports that WDS is functioning properly but the Airport Extreme is unable to connect to the WDS network.  I have the two devices only about 5 feet from each other so signal strength certainly shouldn't be an issue. 
  Any ideas what's going on?
  Thanks,
  -Bruce

  I would not use WDS unless your AEX is so old that is all it supports.  Much easier to configure the TC to allow the network to be extended under the Wireless tab.  Then configure the AEX's Wireless Mode to Extend Existing Network from the dropdown menu.

• The Difference between Extending a Wireless network and WDS?

  I have an Extreme (n) and an Express (n).
  I want to make sure the signal is strong upstairs and share a printer (connected to the express) and use AirTunes. I also may add an external drive to the Extreme.
  What's the difference between Extending a Wireless Network and using WDS? Will there be a speed difference?
  Message was edited by: J. Christopher Edwards

  I think you don't get it
  If I have another draft N router that operates at 2.4G and I have only n devices I can still use WDS and it will connect using draft n in the 2.4G band.
  If one g device connects to the network will go in mixed mode.
  The AEBS will still report 130 Mbps for your n clients and 54 for your g clients.
  If the other router is g only obviously you can't connect between the two router at n mode but still the AEBS will be in mixed mode and not in g. The Extreme will still report 130 Mbps for the connected n clients.
  I can tell you that because I have actually implemented it am not taking off the documentation.
  The same device if I try to use the "extend n network" does not even see the AEBS but will happily keep the n in the WDS mode and though the bandwidth is halved it is still more than g.
  In any case enough for this!

• WDS and Surface Pro 2

  I have a Windows Deployment Server and I am using Windows ADK to load essential drivers onto my boot/install images.
  I downloaded the latest Surface Pro 2 driver pack and used DISM to load drivers on to an offline boot image from a Windows 8.1 ISO. I then un-mount the image and load it onto my WDS server.
  My problem is the Surface Pro 2 won't pxe boot into my Windows Deployment Server. When I PXE boot, it displays media present and then waits for user input to start PXE over IPv4. I press enter but it times out and then prompts for IPv6 (no error given) when
  that times out it boots the machine into windows.
  I had been successfully imaging Surface Pro tablets from this deployment server using the same methods, but we recently got in the Surface Pro 2 and I haven't been able to get it working.
  I have the latest version of MDT installed but I'm not that familiar with it. When we first started deploying tablets I had attempted to create boot wims with MDT but I never got it working and decided just to use the WADK and DISM.
  Any ideas on what I could try next?

  I am running WDS on Windows server 2008 R2.
  I am using a Type Cover 2 from Microsoft.
  I am using the Microsoft Surface Ethernet Adapter. I loaded the drivers for the adapter into the boot image as well as the other drivers from the February driver pack.
  Thank you for your response.

• XP with AirPort Express and WDS ... works brilliant!!! Read how to ...

  I have worked out an interesting setup which uses max. power of AE with my 3Com Router, Dell and Denon AVR-4306.
  It took some hours of testing and finding the right configs, which was a pain in my brain. But now: YEEEHAAA!
  My home setup is:
  - AirPort Express 6.3
  - 3Com OfficeConnect Model 3CRWDR100B-72
  IMPORTANT: IT SUPPORTS WDS!!!
  - Dell Inspiron 9300 with WLAN
  - Epson Stylus Color 740
  - DENON AVR-4306 [Receiver with Ethernet connection]
  Till yesterday I used AE as a client which turns off the ethernet port. And I had a router without WDS support. AND: I had those audio drop outs which made no fun.
  The new configuration at the end is not such complicated.
  AE is connected by WDS to my router, by Toslink and ethernet cable to my receiver. A printer by USB of course.
  Now I am able to:
  - WLAN stream AAC by Dell with AirTunes through AE to my receiver
  - WLAN printing
  - WLAN config of my receiver and internet radio streaming
  - write that posting by WLAN and DSL ... STRIKE!
  AND THE BEST: NO AUDIO DROP OUTS ANYMORE!!!
  The configuration:
  I will not discribe the WLAN setup between my Dell and 3Com in all details because this should be a basic knowledge.
  First I configure router and Dell with WEP. I didn't test WPA with WDS yet. I set the router to my ISP settings to get connection to DSL. The router config by webbrowser is not complex. This is done by the shipped manual. DHCP turned on etc..
  Next step I will setup my DELL for WLAN connection to the router. My router eg. just uses WEP HEX. I can use a ASCII passphrase but this will be converted to HEX. What's now important: I had to use HEX also for DELL WLAN config and AE WITHOUT "$" before the key what's often discribed in the web. Otherwise AE config will give an error message and ASCII will prevent connection by WEP. I set my DELL to IP by DHCP. I use the same ISSD of the router and set WEP. The first setup was done by ethernet cable which is discribed in my manual. After all steps I turned off LAN and am able to connect to WLAN DSL.
  Now the important part:
  I configured the router after config and restart of AE again. The router MUST SUPPORT WDS!!! Otherwise my config will not work. In my 3Com config I turn on WDS and scan for AE when it is set up right. This will grab the right MAC address automatically. But it's also possible to set the AE MAC manually and then:
  I will do a AE reset by holding down the reset button till the yellow light flashes fast. This will set the AE to basic settings. After a while you will recognize the AE's factory name in your WLAN network list on your PC where you also see your router WLAN connection.
  Now drop the router connection by connecting to AE which is unprotected.
  Open the AirPort Admin Utility.
  Choose the factory AE name.
  Open the config.
  Change the password of your AE which is basic "public" to the SAME of your router.
  Choose „AirPort“ and set „Wireless Mode“ to „Create a Wireless Network“.
  Eg. I use for „Network Name“: „DELL9300“ which matches with the SSID of the router.
  Set „Channel“ to „1“ [it seems most robust here].
  Set „Wireless Security“ with WEP. In my case I have to use the router's HEX key.
  On page „Internet“ set „Connect using“ to „AirPort (WDS)“.
  The „MAC Address“ MUST be the MAC address of the WLAN router, BUT THE WLAN ADDRESS ... NOT LAN ADDRESS!!!
  [this was one trap and time killer because I just tried to use the printed MAC address on my routers label which is WRONG because there's a WLAN MAC ADDRESS I found by accident in my router's config overview]
  Activate „Also allow wireless client computers“.
  I use a static IP:
  IP 192.168.1.200
  Subnet 255.255.255.0
  Router 192.168.1.1
  DNS 192.168.1.1
  On page “Network” activate “Distribute IP addresses”.
  On page „WDS“ set to „remote base station“.
  Activate „Allow wireless client computers“.
  You will recognize here that the WLAN MAC address was copied automatically.
  On page "Music" activate AirTunes and define a name. In my case "DENON".
  Save the config to harddrive and then save it to AE.
  AE will restart automatically.
  NOW PRAY! If everything is done right you will reconnect your PC to the router [automatically because AE is dropped or try manually] and after a while the AE lamp shows "green".
  The full power of AE is unlocked and ... actually ... AirTunes still plays without drop outs. GREAT! This could also be router related or WDS works generally better than client mode.
  president

  The 802.11n AirPort Express Base Station (AXn) can be configured in a number of ways when the topic is around extending.
  If you just want to support wired clients, you can configure the AXn as a wireless Ethernet bridge. In this configuration, the AXn would "join" an existing wireless network and share that connection via its Ethernet port.
  The other option is to configure the AXn to extend another AirPort. In this configuration, the AXn would both extend the other AirPort's wireless range, but it would also have its Ethernet port enabled for wired clients.