WPA2 Enterprise Windows keeps prompting for credentials

Unanswered Question
Mar 30th, 2008

I've set up my 1130ag like the Cisco walkthrough for WPA2 support. When I try to connect with my Thinkpad R60 with XP SP2 (with WPA2 hotfix) or my Acer with Vista, it just keeps popping up the credentials prompt. If I switch to WPA2-PSK, they both work fine.

All the event log shows is the machine failed authent. Anybody have any thoughts?

Scott Fella Sun, 03/30/2008 - 20:48

What type of encryption are you trying to do? 802.1x or Pre-shared?

armonk_netdesk Sat, 04/05/2008 - 18:36

Sounds like your RADIUS server isn't matching on the right attributes. Look in your RADIUS server detail log to understand why it is denying the login.

michaelhess Sat, 04/05/2008 - 22:57

Using the internal RADIUS server, it works fine with the Intel ProSet software. When I use the XP utility, it just keeps prompting and the "Unknown Usernames" and "Invalid Packet from NAS" counters go up. I've tried with a Vista laptop and get the same thing. The username success/fail counters don't increment except for the successes with the Intel utility.

I've set fast reconnect, unchecked verify server and user computer/user info to login. It looks like Microsoft doesn't play nice with WPA2 Enterprise.

ED CARMODY Sun, 04/06/2008 - 04:44

been a while since I used an autonomous AP for local EAP authentication...but I don't remember it accepting PEAP auths...M$ WZC won't do LEAP or EAP-FAST, right? Think you may have an EAP-type mismatch...

Scott Fella Sun, 04/06/2008 - 06:01

That is correct.... MS WZC doesn't support LEAP or EAP-FAST nor PEAP-GTC. When you say you can use the Intel PROset, what is your configuration there?

michaelhess Mon, 04/07/2008 - 15:38

The Intel client is set to Enterprise Security, network auth is wpa2-ent, data encryption is aes-ccmp, authent type is leap, and my username/password.

Is there any way to get Windows XP/Vista to natively work with WPA2 ent on a Cisco AP? Or is a supplicant like Intel's required?

Scott Fella Wed, 04/09/2008 - 18:09

A supplicant is required. The only way you can have Windows XP/Vista to work with WPA2-Enterprise is to configure PEAP or use EAP-TLS. Instead of setting the auth to LEAP, you would set it to PEAP or EAP-TLS. A RADIUS server is required and a server side cert for PEAP. If using EAP-TLS, a server and client side cert is required.

michaelhess Wed, 04/09/2008 - 20:22

What a PITA! I was hoping Microsoft would get their "better security" right for a change :) Guess I'll set up that RADIUS server I was hoping to avoid. Thanks for all the help guys!
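
The EAP-type mismatch suggested in this thread shows up on the wire as an EAP Nak: the server proposes one method and the supplicant answers with the methods it will accept. The following is an added example, not code from any of the posters; it parses EAP packets and reports that disagreement. The function names are hypothetical and the sample frames are constructed, assuming a server offering LEAP and a client wanting PEAP or EAP-TLS.

```python
import struct

# EAP method numbers (IANA EAP registry), limited to the methods named in the thread.
EAP_TYPES = {1: "Identity", 3: "Nak", 6: "GTC", 13: "EAP-TLS",
             17: "LEAP", 25: "PEAP", 43: "EAP-FAST"}

def build_eap(code, ident, typ=None, data=b""):
    """Build an EAP packet: Code, Identifier, Length, then optional Type + data."""
    body = bytes([typ]) + data if typ is not None else b""
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_eap(frame):
    """Parse one EAP packet (RFC 3748 layout) and validate its length field."""
    if len(frame) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError("EAP length field does not match frame")
    has_type = code in (1, 2) and length >= 5   # only Request/Response carry a Type
    return {"code": code, "id": ident,
            "type": frame[4] if has_type else None,
            "data": frame[5:length] if has_type else b""}

def name(t):
    return EAP_TYPES.get(t, "type-%d" % t)

def find_method_mismatch(frames):
    """Return the offered/wanted methods if the supplicant NAKs the server's offer."""
    offered = None
    for raw in frames:
        p = parse_eap(raw)
        if p["code"] == 1 and p["type"] is not None and p["type"] > 3:
            offered = p["type"]                  # server proposes an auth method
        elif p["code"] == 2 and p["type"] == 3 and offered is not None:
            wanted = [name(t) for t in p["data"] if t != 0]  # 0 = no alternative
            return {"offered": name(offered), "wanted": wanted}
    return None

# Constructed sample exchange (not captured from the poster's network).
SAMPLE = [
    build_eap(1, 1, 1),                                  # Request/Identity
    build_eap(2, 1, 1, b"user"),                         # Response/Identity
    build_eap(1, 2, 17, b"\x01\x00\x08" + b"\xaa" * 8),  # Request/LEAP challenge
    build_eap(2, 2, 3, bytes([25, 13])),                 # Response/Nak: PEAP, EAP-TLS
    build_eap(4, 2),                                     # Failure
]

if __name__ == "__main__":
    print(find_method_mismatch(SAMPLE))
```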

