03-30-2008 04:06 PM - edited 07-03-2021 03:37 PM
I've set up my 1130ag like the Cisco walkthrough for WPA2 support. When I try to connect with my Thinkpad R60 with XP SP2 (with WPA2 hotfix) or my Acer with Vista, it just keeps popping up the credentials prompt. If I switch to WPA2-PSK, they both work fine.
All the event log shows is the machine failed authent. Anybody have any thoughts?
03-30-2008 08:48 PM
What type of encryption are you trying to do? 802.1x or Pre-shared?
03-31-2008 08:22 PM
LEAP via the built-in RADIUS server.
04-05-2008 06:36 PM
Sounds like your RADIUS server isn't matching on the right attributes. Look in your RADIUS server detail log to understand why it is denying the login.
04-05-2008 08:00 PM
Not knowing how you set this up, have you looked at this doc: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml
04-05-2008 10:57 PM
Using the internal RADIUS server, it works fine with the Intel ProSet software. When I use the XP utility, it just keeps prompting and the "Unknown Usernames" and "Invalid Packet from NAS" counters go up. I've tried with a Vista laptop and get the same thing. The username success/fail counters don't increment except for the successes with the Intel utility.
I've set fast reconnect, unchecked verify server and user computer/user info to login. It looks like Microsoft doesn't play nice with WPA2 Enterprise.
04-06-2008 04:44 AM
Been a while since I used an autonomous AP for local EAP authentication... but I don't remember it accepting PEAP auths... M$ WZC won't do LEAP or EAP-FAST, right? Think you may have an EAP-type mismatch...
04-06-2008 06:01 AM
That is correct... MS WZC doesn't support LEAP or EAP-FAST, nor PEAP-GTC. When you say you can use the Intel PROset, what is your configuration there?
04-07-2008 03:38 PM
The Intel client is set to Enterprise Security, network auth is wpa2-ent, data encryption is aes-ccmp, authent type is leap, and my username/password.
Is there any way to get Windows XP/Vista to natively work with WPA2-Enterprise on a Cisco AP? Or is a supplicant like Intel's required?
04-09-2008 06:09 PM
A supplicant is required. The only way you can have Windows XP/Vista work with WPA2-Enterprise is to configure PEAP or use EAP-TLS. Instead of setting the auth to LEAP, you would set it to PEAP or EAP-TLS. A RADIUS server is required and a server-side cert for PEAP. If using EAP-TLS, a server- and client-side cert is required.
04-09-2008 08:22 PM
What a PITA! I was hoping Microsoft would get their "better security" right for a change :) Guess I'll set up that RADIUS server I was hoping to avoid. Thanks for all the help guys!