PEAP & ACS & machine authentication

Unanswered Question
Feb 6th, 2008

OK, here's the issue:

Customer site - 1130 series LWAPP AP's, WLC 4400 series with 4.2 release, WCS with 4.2 release.

ACS SE 4.0 and a second ACS SE with 4.1

Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.

Machine authentication not working, i.e. a user can't log on until they've previously logged on.

Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are set up as per Cisco docs on the ACS. Client end OK.

Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.

ACS using a self-signed cert, option to validate server cert on XP WZC unchecked.

Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....

Please tell me we don't need to install certs on clients - I thought PEAP was server-side only? Surely?

Help, someone, help...

mba-pd Fri, 02/08/2008 - 13:57

You cannot use WZC. You will have to use Cisco Secure Services Client; this works on every wireless card, or on the client with the wireless card you have, if they support it. I know Broadcom cards support this if you have one. I would suggest using Cisco Secure Services Client.

andrew.butterworth Sat, 02/09/2008 - 03:18

This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....

I referred to this document on MS's site:

Plus probably the same document you were using from CCO.

I also installed the two Microsoft wireless updates for XP SP2 computers, however I am not 100% sure these were essential. The default supplicant behaviour worked OK, as the APs send EAP frames to the associated wireless clients, which kick-starts the supplicant on the PC. I think the wireless profile needed to be on the PC (SSID and its settings); this can be pushed via GPO, but if the machine has never been on the network (wired/wireless) you can get into a chicken-and-egg situation.

You don't need to use the Cisco supplicant.



mattgraham Mon, 02/11/2008 - 01:33

Cheers for all the replies.

I also installed the two hotfixes for the XP SP2 wireless supplicant; they fixed an issue with fast roaming, where the client would drop a few pings and either prompt for re-auth or show the credentials dialog again.

However, the big fix - the customer had "inadvertently" installed MS IAS on the DC that was hosting the remote agent for ACS.

Uninstalled IAS and happy days, everything works.

So in summary - WZC, PEAP, fast-reconnect, ACS SE all works.

Thought my marbles had been displaced, but all sane again now....

Thanks again for taking time to reply, much appreciated.
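The fix in the last post was removing a second RADIUS server (MS IAS) from the domain controller. As an added, defender-side check that is not part of this thread, the Python script below parses the output of `netstat -ano -p udp` and `tasklist /svc` (both pasted in here as constructed samples; the PIDs are invented) and reports which process and service owns each RADIUS UDP port on a box, so an unexpected RADIUS listener can be spotted before the ACS configuration is blamed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of "netstat -ano -p udp" output from a Windows DC.
# PIDs are invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:1645           *:*                                    1456
  UDP    0.0.0.0:1646           *:*                                    1456
  UDP    0.0.0.0:1812           *:*                                    1456
  UDP    0.0.0.0:1813           *:*                                    1456
  UDP    0.0.0.0:123            *:*                                    980
"""

# Constructed sample of "tasklist /svc" output (image name, PID, hosted services).
SAMPLE_TASKLIST = """\
svchost.exe                 1456 IAS
svchost.exe                  980 W32Time
"""

# Legacy (1645/1646) and current (1812/1813) RADIUS auth/accounting ports.
RADIUS_PORTS = {1645, 1646, 1812, 1813}


def parse_udp_listeners(netstat_text: str) -> Dict[int, int]:
    """Return {local_port: pid} for every UDP socket in netstat -ano output."""
    listeners: Dict[int, int] = {}
    for line in netstat_text.splitlines():
        # UDP rows have no State column: Proto, Local, Foreign, PID.
        m = re.match(r"\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$", line)
        if m:
            listeners[int(m.group(1))] = int(m.group(2))
    return listeners


def parse_tasklist(tasklist_text: str) -> Dict[int, str]:
    """Return {pid: 'image (services)'} from tasklist /svc output."""
    owners: Dict[int, str] = {}
    for line in tasklist_text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)\s+(.+?)\s*$", line)
        if m:
            owners[int(m.group(2))] = f"{m.group(1)} ({m.group(3)})"
    return owners


def find_radius_owners(netstat_text: str, tasklist_text: str) -> List[Tuple[int, int, str]]:
    """List (port, pid, owner) for every RADIUS UDP port that has a listener."""
    listeners = parse_udp_listeners(netstat_text)
    owners = parse_tasklist(tasklist_text)
    return sorted((port, pid, owners.get(pid, "unknown"))
                  for port, pid in listeners.items() if port in RADIUS_PORTS)


if __name__ == "__main__":
    for port, pid, owner in find_radius_owners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"UDP {port} owned by PID {pid}: {owner}")
```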

