cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6161
Views
0
Helpful
10
Replies

WPA2 Enterprise Windows keeps prompting for credentials

michaelhess
Level 1
Level 1

I've setup my 1130ag like the cisco walkthrough for wpa2 support. When I try to connect with my Thinkpad R60 with XP SP2 (with wpa2 hotfix) or my Acer with Vista, it just keeps popping up the credentials prompt. If I switch to WPA2-PSK, they both work fine.

All the event log shows is the machine failed authent. Anybody have any thoughts?

10 Replies 10

Scott Fella
Hall of Fame
Hall of Fame

What type of encryption are you trying to do? 802.1x or Pre-shared?

-Scott
*** Please rate helpful posts ***

leap via the built in radius server.

Sounds like your RADIUS server isn't matching on the right attributes. Look in your RADIUS server detail log to understand why it is denying the login.

Not knowing how you set this up, have you looked at this doc: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c0912.shtml

-Scott
*** Please rate helpful posts ***

Using the internal RADIUS server, it works fine with the Intel ProSet software. When I use the XP utility, it just keeps prompting and the "Unknown Usernames" and "Invalid Packet from NAS" counters go up. I've tried with a vista laptop and get the same thing. The username success/fail counters don't incriment except for the success's with the Intel utility.

I've set fast reconnect, unchecked verify server and user computer/user info to login. It looks like Microsoft doesn't play nice with WPA2 Enterprise.

been a while since I used an autonomous AP for local EAP authentication...but I don't remember it accepting PEAP auths...M$ WZC won't do LEAP or EAP-FAST, right? Think you may have an EAP-type mismatch...

That is correct.... MS WZC doesn't support LEAP of EAP-FAST not PEAP-GTC. When you say you can use the Intel PROset, what is your configuration there.

-Scott
*** Please rate helpful posts ***

The Intel client is set to Enterprise Security, network auth is wpa2-ent, data encryption is aes-ccmp, authent type is leap, and my username/password.

Is there any way to get windows xp/vista to natively work with wpa2 ent on a cisco ap? Or is a suplicant like Intel's required?

A suplicant is required. The only way you can have Windows XP/Vista to work with WPA2-Enterprise is to configure PEAP or use EAP-TLS. Instead of setting the auth to LEAP, you would set it to PEAP or EAP-TLS. A radius server is required and a server side cert for PEAP. If using EAP-TLS, a server and client side cert is required.

-Scott
*** Please rate helpful posts ***

What a PITA! I was hoping Microsoft would get their "better security" right for a change :) Guess I'll setup that radius server I was hoping to avoid. Thanks for all the help guys!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: