PEAP ????

Unanswered Question
Mar 15th, 2007

I have the following scenario:

- a W2K3 server with IAS RADIUS server, CA server and AD server

- a WXP, the client

- and a Cisco 2950 (sh run output attached)

And I'm using PEAP with MSCHAPv2.

I have two questions to solve...

1) How do I make the user log on the first time? How does he get the certificate? Do I have to authorize the port on the switch and log on with the user so he gets the certificate on the machine?

After this, the authentication process works.

2) When a user logged on the client executes logoff, the connection on the switch isn't closed.

The EAP session continues until the switch executes the re-authentication.

So, when a user logs off from the RADIUS client, the port on the switch continues active, and if another user logs on the machine, the user will

I have this problem too.
scottmac Thu, 03/15/2007 - 17:37

With PEAP, the client does not get a certificate; the certificate is only on the server side.

EAP-TLS uses client-side certs (and server-side certs).

Until you can register your server/CA with the client, you'll probably need to uncheck the box in the client setup that says "Verify Server Certificate".

Good Luck


Antonio Brandao Fri, 03/16/2007 - 05:53


Ref: Question 1

I tried this... but it isn't working.

For the first logon, I have to turn off 802.1x on the switch port.

I think that the XP client can't build a certificate on the server the first time.



Antonio Brandao Fri, 03/16/2007 - 14:53

Ref: Question 1

It's working now.

I created an auth-fail VLAN and guest VLAN, and I also set this on the switch port.

And the AD server is on VLAN 10, so when the XP doesn't connect, or is starting the OS, the switch puts the port on VLAN 10 (guest and auth-fail VLANs); when the user tries to log on the first time... the machine finds the AD server and logs on to the AD server....

So I only have to set the timers... because the switch is very slow to authorize the ports...

And about question 2?

Anybody have any idea?
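The port setup Antonio describes (guest and auth-fail VLANs pointing at the AD server's VLAN, shorter timers, and periodic re-authentication to bound the stale session from question 2), written out as an added Cisco IOS example that is not from the thread or the attached sh run. The interface, VLAN numbers, RADIUS address and shared-secret placeholder are assumptions, and the exact dot1x keywords vary slightly between 2950 IOS releases.

```cisco
! Global 802.1X / RADIUS setup (RADIUS address and key are assumed placeholders)
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <RADIUS-SHARED-SECRET>
!
! Hypothetical access port for the XP client
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 dot1x port-control auto
 ! Hosts that never answer EAP (PC still booting) go to the guest VLAN;
 ! hosts that fail authentication go to the auth-fail VLAN.
 ! Both are VLAN 10 here, where the AD/IAS/CA server lives, so the first
 ! logon can reach the domain and the machine can obtain the server cert chain.
 dot1x guest-vlan 10
 dot1x auth-fail vlan 10
 dot1x auth-fail max-attempts 3
 ! Shorter EAP timers so the port is not "very slow to authorize"
 dot1x timeout tx-period 10
 dot1x timeout quiet-period 10
 ! Periodic re-authentication: does not close the port at user logoff
 ! (question 2), but it caps how long a stale authorized session survives.
 dot1x reauthentication
 dot1x timeout reauth-period 600
 spanning-tree portfast
```

Putting the guest/auth-fail VLAN on the same segment as the AD, IAS and CA server means every unauthenticated host can reach those servers, so a practitioner would confine that VLAN with an ACL to the ports and hosts the domain join actually needs.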

