Cisco :: 1140 - Win XP Clients Not Authenticating Using PEAP
Apr 2, 2013
A customer has RADIUS running on a Win Server 2008 R2 machine, has Autonomous 1140 APs and a mix of Windows 7 and XP Pro clients. Using PEAP as the authentication method the Win 7 clients can access the WLAN, but the Win XP clients cannot. The Win XP clients are at least SP2. I am doing some research before going to site on Friday and wanted to poll the community. I found an older post speaking to a MS Hotfix under KB#885453, but it referes to "third-party RADIUS servers," not MS servers URL.
View 14 Replies
ADVERTISEMENT
Jan 25, 2012
I bought 2 Cisco 1140 series Access Points a couple of months ago. We would like to use PEAP to autheticate with Microsoft IAS Radius Server & Active directory. I cannot find a document which describes how to setup this type of configuration. The only document which is close is how to setup LEAP & with ACS: [URL] I initially followed the 'TechReplublic's Ultimate Guide to Enterprise Wireless LAN Security' which has all the steps to setup Radius server, client side configuration, Certificates and finally a handy excel script to generate a config for the AP. This did not work. [URL] I am now trying to configure the AP using the Web GUI. I can see the network on the client machine but when I try to connect it timesout.
View 1 Replies
View Related
Apr 17, 2012
So if I do a static ip address it works fine, but if I turn off static, the machine authenticates fine, but is not assigned to the access vlan, and it does not get an ip address.now when I use static I notice in the ISE live authentication logs, 11213 No response received from Network Access Device, for the switch even though its configured correctly.
View 5 Replies
View Related
Jun 24, 2007
Here at HQ we have a 4402 WLC. At our remote sites we have 1231G APs running in autonomous mode. I upgraded one of the APs -- IOS 12.4(3g)JA -- to run LWAPP. Per release notes I've read upgraded 1231's do not support REAP/HREAP mode, consequently, it's running in LOCAL mode.
The AP is managed by the WLC. I created a WLAN for the remote site and assigned it to the MGMT interface; the remote site subnet doesn't exist in HQ. The DHCP server for the remote site is presently at that site; AP and DHCP server reside at the same place.
Clients authenticate successfully to the remote site AP, however, they are not getting DHCP addresses assigned. Does the DHCP server for the remote site have to reside in HQ since the AP is running in local mode? If so, where is that specified, on the MGMT interface config?
View 4 Replies
View Related
May 27, 2013
i have 2 1260 Access points one is in root mode , one is wgb mode. Authentication is EAPFAST. There are 5 devices connected via WGB bridge to the rest of the network.
- If clients are sending some data , then WGB AP announces this client mac via IAPP to root AP and rest of the network sees them correctly
- If clients are "passive" , then after WBG AP announces them to root AP , they timeout after 6 minutes on root AP and obviously they are not pingable from the rest of the network. The only way to restore connectivity is to ping that device from WGB AP, then WGB AP announces via IAPP to root AP , then and only then they become visible from the rest of the network.
My question is related to this 6 minute timeout on root AP . Is it normal behaviour ?
View 5 Replies
View Related
Apr 18, 2011
I need this SSL certficate installation on my acs appliance 1120 for PEAP clients.I have exported SSL server certficate from my old acs 3.3 server which is under acscertstore folder issued by CA vendor . I need to reuse this same SSL certificate on my acs appliance .ACS appliance certficate setup requires following two certificate to be installed for PEAP clients authentication
1) Server Certificate
2) CA certificate
Server Certificate : For server certifcate , I have my old certificate which is exported from my old acs 3.3 server , when i tried to download my server certficate via ftp server on my acs appliance , its looking for private key & private key file .Private key & file is generated intially on CSR request when this server certificate is requested to CA vendor for my old acs 3.3 . I dont know the private key password . If i need private key & file , then i need to generate new CSR from my acs appliance and i need to submit this CSR output to my CA vendor to generate new SSL server certificate .which is something like new server certificate request .CA certficate : For CA certficate , when i open my existing SSL certificate under detials tab in CRL distribution point , i could see below URL . whn i open this URL it giving certificate revocation list . [1]CRL Distribution Point.
View 10 Replies
View Related
Feb 10, 2011
I have a WPA2/AES network with PEAP MsChapv2 authentication. I have 2 ACS servers for authentication. The problem I have is dropped clients. Both ACS servers are setup identical. The database replcation has been preformed.A series of 10 clients connects wirelessly and they are all successful. ACS server 1 is the primary and ACS server 2 is the backup. We verified that the 10 users authenticated to the primary ACS. My time out to reauth is 30 minutes on the WiSM. 10 minutes into the test we took down the Primary server. This should have had no impact on the clients. 5 minutes later the clients lost thier authentication and were dropped from the network. They were able to reconnect by shutting down thier wireless client and reconnecting. The authentications were seen on the Backup ACS server.on a test of falling back to the primary the same thing happened again to the clients.
View 2 Replies
View Related
Feb 18, 2013
We have cisco 5508 office extend in dmz running code 7.3.112. 1132 AP seems to register and authenticate fine but OEAP 600 series dont seem to authenticate. they seem to join the controller and download the SSID but just wont authenticate ? not even registering on the AAA server
View 9 Replies
View Related
Jul 12, 2012
how to Configure ACS 5.x so LMS 4 users can authenticate via TACACS+? I have ACS 5.x setup and authenticating to Active Directory. Have changed the LMS 4.x Authentication Module to TACACS+. Have gotten past the user / password problem by configuring a local user in LMS 4.x. Now, am hitting the Default rule in ACS and Shell Profile is deny access..
View 1 Replies
View Related
Feb 23, 2011
We are starting to roll out a few Win7 devices. Even on our Guest WLAN, they are taking longer to authenticate on the AP1231 than WinXP. The APs are controlled by a WLC, which connects to NAC?
View 3 Replies
View Related
Feb 3, 2013
Dell inspiron 1525 / Windows XP
Linksys/Cisco Router.
When trying to connect (wireless or wired), I can't get past the authenticating status. Have used this computer with same router for 3 years. If there was ever a problem, I would unplug/replug the router.I am currently connected through my neighbor's unsecured network.
View -1 Replies
View Related
Aug 22, 2011
I have a WAP4410n which I'd like to authenticate users against our corporate active directory. I would like to know how to achieve this - whether we require a dedicated RADIUS server, whether AD has a RADIUS engine which can be used, etc. Also, what would the pros / cons be of this setup versus using a WPA2 password?
View 2 Replies
View Related
Jun 6, 2011
I have deployed a Cisco wireless environment at one of our sites. The problem is that we are rolling out new motorola handhelds (MC75) are not authenticating with the ACS. I have copied the same config as it was with the exsisting wireless that was installed. Funny thing is we have another set of motorola handhelds (MC70) all use the same certificates and can authenticate without any issues.When i look at the ACS for logs I get the following error; EAP-TLS or PEAP authentication failed during SSL handshake.
View 6 Replies
View Related
Mar 15, 2012
My computers inability to connect to the internet. It is a 2006 Dell Inspiron 6000 with a 1370 WLAN card. I just moved into a new house and was able to connect to my roommates wireless connection with no problem. Then a couple weeks ago we both lost our ability to connect. When we disconnected the router and modum and then reconnected she was able to get on the internet again. I was unable to. A computer savvy friend came over and through some finagling was able to get my connection going again. I might try cleaning my computer up and putting stuff onto an external hard drive. Since then I have tried some different stuff I have seen on the internet, such as ipconfig to no avail, tried repairing the connections doesn't do anything.
View 11 Replies
View Related
May 5, 2011
I've got a problem with Cisco ACS 4.2 authenticating Cisco 4710 ACE appliance.
ACS4.2 has been configured to use both internal and external database. It's been working fine for a couple or years.
Recently we bought a Cisco 4710 ACE appliance. When I use ACS4.2 internal username and password to login the Cisco 4710 ACE appliance, I have no problem. I can also see the passed authentication log on ACS4.2. However, if I use AD username and password, I couldn't login in. The message is "Login incorrect". I checked the failed attempts log on the ACS4.2, there was no log regarding the failed attempt. My AD username and password works fine on all other cisco routers and switches.
I've posted my AAA configuration of the 4710 ACE below. ACE is running on the latest version A4(1.1).
tacacs-server key 7 "xxxxxxxxxxxxx"aaa group server tacacs+ tac_admin server xx.xx.xx.xx
aaa authentication login default group tac_admin local aaa authentication login console group tac_admin local aaa accounting default group tac_admin
View 2 Replies
View Related
May 22, 2013
I am having problems authenticating client computers onto the wireless network using a Cisco AP1252 via radius
Setup:
I have a Cisco AP1252 wireless Access Point connected to a Cisco ASA5510 on subnet X.X.5.Z The access point ip address is X.X.5.101
The ASA on another port is also connected to the wired network on a different subnet X.X.0.Z
On the wired network are two radius servers - Ubuntus servers running freeradius which are running fine and reliably authenticate wired users for ssh connections to the ASA and importantly to the AP1252 as well (The radius servers ip addresses are X.X.0.191 and X.X.0.192)
Problem:
When a wireless user tries to connect to the wireless network via the AP1252 after being disconnected form it for a while (or after waking from a long sleep) they are never authenticated. They just try over and over and never obtain an IP
Interestingly in such a case neither Ubuntu server shows any sign of receiving an authentication request from the AP - Both ubuntu servers are running in debug mode so they show any activity - there is none
Oddly:
If i try to authenticate a user wirelessly to the AP and leave it in the usual state of trying over and over (with no visible activity on the ubuntu servers) BUT then go to a wired machine and attempt to authenticate an ssh connection to the AP1252 using a terminal command ssh user1@X.X.5.101 THEN as soon as I hit enter on that request (and before I enter a password for the ssh connection) THE WAITING WIRELESS USER IS IMMEDIATELY AUTHENTICATED (and the ubuntu server shows the authentication activity for the wireless user
I really do not understand this and cannot use this method to facilitate wireless user authentication 
What might be causing this behavior - it seems like the AP sleeping and the wired ssh request wakes it up so that it sees the pending wireless user waiting and then acts on that completing the wireless user authentication request.
View 11 Replies
View Related
Oct 16, 2012
Web clients are receiving login failed messages and VPN clients are getting disconnected by host messages. I am able to ping the server from the ASA5510. Users authenticate in AD. I am not sure if the problem is on the server or the ASA.
View 1 Replies
View Related
Apr 28, 2011
I will set up a Dhcp server on the inside interface of my pix. I would like to have the DHCP Server authenticate to the Active Directory Server that is located on the DMZ.
Inside --pix--dmz
Inside interface
Win 2008 DHCP
DMZ interface
Active Directory Server
What would be the issues that I could run in to when I try to authenticate this server from the inside interface to the dmz? I see that Dhcprelay option is available on the PIX 6.3 I'm guessing this is the only command that I need to use: dhcprelay enable dmz
View 3 Replies
View Related
Feb 18, 2012
I put a password on my WRT54GC ver 2.0. After that i couldn't access internet. It keeps authenticating and never connects.
View 2 Replies
View Related
Jan 28, 2013
I am using ACS 5.3 What I am about is setting user authentication against existence of the user in specific AD group, not just being a member in any AD. What is happening now, users get authenticated as long as they exists in the AD, luckily they fail on authorization, as it is bound to specific AD group.
how can I bind the authentication aginst specific group in AD, not just using AD1 as the identity source.
View 1 Replies
View Related
Apr 12, 2012
I see many errors in the ACS 5.1(or 5.3) :5411 EAP session timed out..Becasue I checked the "remember my username and password everytime login" in the wireless network properties, and I can succeed to login finally. but in the ACS will see many errors like ”5411 EAP session timed out“
(Cisco Controller) >debug client 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Sending EAP-Request/Identity to mobile 58:1f:aa:8f:ea:44 (EAP Id 1)
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received EAPOL EAPPKT from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 Received Identity Response (count=1) from mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 EAP State update from Connecting to Authenticating for mobile 58:1f:aa:8f:ea:44
Fri Apr 13 16:09:36 2012: 58:1f:aa:8f:ea:44 dot1x - moving mobile 58:1f:aa:8f:ea:44 into Authenticating state
[code]....
View 2 Replies
View Related
Jul 24, 2011
I was able to successfully implement MS-PEAP authentication with 5508 WLAN controllers and Cisco ACS v4.2. However, when I integrated 4402 WLC with version code 7.0.116, it did not pass across any authentication requests. Did a debug aaa events enable and there was no output. Configured another SSSID with PSK to test that my controller was OK and aaa debug was working, and there were CLI messages when I associated an AP.
why the 4402 is not working as I have compared configs with the 5508 and there is no difference. The shared secret is configured on both ACS and Controller and CA is downloaded on the ACS.
View 5 Replies
View Related
Nov 12, 2012
I was pondering on getting a certificate fro ma public CA to maintain easier configuration for end users. There will be a multitude of devices on this wireless network configured with 802.1x PEAP. (iPhones, iPADs, Droids, and PC's of course).
If you were to get a certificate from a public CA, I'm assuming this would be just a regular server certificate from GoDaddy, or Verisgn?
View 2 Replies
View Related
Jan 23, 2012
I have 802.1x/peap authentication in my wireless network with ACS 4.2 as the authentication server. I enabled PEAP machine authentication under the Unknown user policy --->database configuration sub-menu. I discovered that I was still able to access the wireless network on my android phone with my domain logon. I later discovered that there is an option in Group policy to force Windows XP clients to perform computer authentication. Now the problem is that windows 7 clients do not have the EAPOL option in the registry, hence the group policy object may not work. How to enforce machine authentication and stop unwanted devices without having to purchase a NAC server.
View 10 Replies
View Related
Jun 29, 2011
ACS 5.1 EAP-PEAP Machine Authentication,
I have configured ACS 5.1 to check AD domain computer accounts then permit access, the next rule authenticates AD domain users and checks machine accounts with WAS MACHINE AUTHENTICATED "TRUE" permit.
My dilemma - Windows XP supplicant work fine and I can see the host/machine (Wireless device) authenticating followed by user credentials, but when I use the Intel Pro/set supplicant version 12.1 the same device fails authentication due to ACS not being able to verify a good previous machine authentication?
Is this problem ACS related or down to the Intel supplicant.
View 3 Replies
View Related
Jun 18, 2012
I have a ASA5505 and it has a vpn set up. The VPN user connects using the Cisco VPN client. They can connect fine (the get an ip address from the ASA), but they can't ping the asa or any clients on the network. Here is the running config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.2(4)
!
hostname ASA
domain-name default.domain.invalid
[code].....
what I need to add to get the vpn client to be able to ping the router and clients?
View 3 Replies
View Related
Nov 5, 2012
We currently have an ASA 5520 communicating with 10 ASA 5510's, all on static outside addresses. I was asked to add 5 additional 5510's on dynamic address. All worked well in testing until it was decided that some of the dynamic clients needed to talk to each other.
My testing shows packets just dying in the 5520.
View 1 Replies
View Related
Apr 23, 2013
how the certificates work when using PEAP on ACS 5.2.Currently we have clients which are Cisco wireless IP phones that are using the ACS server(s) for authentication to the wireless network. The phones are configured to use PEAP with server validation enabled. The phones have a Godaddy root certificate, and Godaddy intermediate certificates installed on them, (in addition they have all the certs that are on the phone by default). On the ACS server there is a certificate that is signed by Godaddy. This was creating doing the CSR process etc...
So from what I understand, because all the phones are set up to validate the server certificate, they require the public root certs and the intermediate certs that are installed on them, in order to validate the private cert that is on the ACS server. The private certificate (the one signed and issued by Godaddy), expires the middle of next year (2014) (a little ways off I know, but it is never too early be concerned about stuff). When we go to get a new private certificate for the ACS servers (or get a renewal) and when we install this new signed certificate onto the ACS servers…will all the clients still trust this new certificate, and everything will continue to work smoothly? Or will the clients all need to have new root certs installed, and new intermediate certificates installed? From what I can gather I think the first scenario should be the case, because the root certs and intermediate certs are there to trust certs that are signed by Godaddy, so as long as the new private certificate is signed by Godaddy everything should be okay.
View 8 Replies
View Related
Jun 11, 2012
configure PEAP for wireless with Windows 2008. The doc we have only mentions Windows 2003. When we follw that document we get a faulure when we try to bind the certificate to we have generated to ACS 5.0 .
View 1 Replies
View Related
Apr 3, 2012
I have been trying to figure out for days now how to get Windows XP/Windows 7 and Apple iPads to connect to a broadcasted SSID and authenticate with PEAP without getting prompted to verify a certificate that exists on ACS.
In Windows 7, I get a window that says the connection attempt could not be completed and get a warning that the certificate could not be validated. If I manually configure a wireless connection and specify PEAP to accept my trusted root certificate authority (in the default list), it doesn't prompt but having users do this is not acceptable and more work than to just verify when prompted. I have no control over the devices connecting so I can't push anything down using GPOs.
For the iPad, I get a similar message that the certificate authority can't be verified and you have to accept.
For the certs, I have tried GoDaddy and Starfield. How to get this working without getting prompted to verify/validate a certificate authority? If so, what cert are you using? I have the intermediate certs installed in ACS and Windows and iPads see them because as soon as I delete, the screen that pops up changes to my actual cert.
View 5 Replies
View Related
Sep 11, 2011
Any good guide for configuring PEAP with Machine Authentication to allow for domain login?This is a clean install on a new 5.2 install.We are moving from 4.X to 5.2 and i want to make sure i dont miss anything.
View 3 Replies
View Related
Aug 9, 2012
Is it possible to strip suffix on wireless client running PEAP (MS-CHAPv2). ACS version 5.3 (patch 5) - 5-3-0-40-5
Look like ACS 5.1 does not support this - see below link [URL]
View 12 Replies
View Related
Feb 1, 2011
I have 4 desktops cat5 to Dlink DIR 615 router. All work fine. Any wireless clients, laptop or netbooks, see the desktop computers for a while then disconnect somehow. All machines can see the Internet through the router at all times. The desktops disappear from the laptop/netbooks but the wireless machines can be seen from the desktop computers but clicking on them gets 'Access Denied' message after a wait.3 desktops = XP, 1 98SE. All laptop/netbooks = XP
View 2 Replies
View Related
