
PEAP failure

srosenthal

I have a 4404 controller with a Microsoft IAS server running radius. I can connect to the WLAN when I have no encryption. When I turn on WPA2 with AES and try to connect it fails. I ran the debug dot1x events enable and here is the output. There is one line that states AAA Error no Server.

Mon Jul 7 18:29:58 2008: 00:13:02:14:c7:b3 Sending EAP-Request/Identity to mobile 00:13:02:14:c7:b3 (EAP Id 1)

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received EAPOL EAPPKT from mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received Identity Response (count=1) from mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Processing AAA Error 'No Server' (-7) for mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Processing RSN IE type 48, length 22 for mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Received RSN IE with 0 PMKIDs from mobile 00:13:02:14:c7:b3

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Station 00:13:02:14:c7:b3 setting dot1x reauth timeout = 0

Mon Jul 7 18:29:59 2008: 00:13:02:14:c7:b3 Stopping reauth timeout for 00:13:02:14:c7:b3

I can ping the server from the 4404, have re-entered the shared secret several times. I even deleted and re-added the radius information with no luck.

Does anyone have any ideas?

Seth


rseiler

Send a 'show wlan summary' and a 'show wlan ' for the ssid that you are having this issue with.

Take a look at the event viewer on the IAS box to see if it is even receiving anything from the WLC. Also, did you have the IAS set to Radius Standard when you created the Radius Client?

-Scott
*** Please rate helpful posts ***

Here are outputs

show>wlan summary

Number of WLANs.................................. 2

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
-------  -------------------------------------  --------  --------------------
1        EOC / EOC                              Enabled   management
2        Guest / EOCGuest                       Enabled   guest

Here is the output from the show wlan 1 command:

(Cisco Controller) show>wlan 1

WLAN Identifier.................................. 1

Profile Name..................................... EOC

Network Name (SSID).............................. EOC

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. Infinity

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Enabled

Quality of Service............................... Silver (best effort)

WMM.............................................. Allowed

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

--More-- or (q)uit

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

Authentication................................ 172.23.4.4 1812

Local EAP Authentication......................... Disabled

Security

802.11 Authentication:........................ Open System

Static WEP Keys............................... Disabled

802.1X........................................ Disabled

Wi-Fi Protected Access (WPA/WPA2)............. Enabled

WPA (SSN IE)............................... Disabled

WPA2 (RSN IE).............................. Enabled

TKIP Cipher............................. Disabled

AES Cipher.............................. Enabled

Auth Key Management

802.1x.................................. Enabled

PSK..................................... Disabled

--More-- or (q)uit

CCKM.................................... Disabled

CKIP ......................................... Disabled

IP Security................................... Disabled

IP Security Passthru.......................... Disabled

Web Based Authentication...................... Disabled

Web-Passthrough............................... Disabled

Conditional Web Redirect...................... Disabled

Splash-Page Web Redirect...................... Disabled

Auto Anchor................................... Disabled

Cranite Passthru.............................. Disabled

Fortress Passthru............................. Disabled

H-REAP Local Switching........................ Disabled

Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)

Client MFP.................................... Optional

Tkip MIC Countermeasure Hold-down Timer....... 60

Mobility Anchor List

WLAN ID IP Address Status

------- --------------- ------

This WLAN looks like it is set up correctly for 802.1x and WPA2/AES. What errors do you see in the IAS server event viewer?

-Scott
*** Please rate helpful posts ***

Nothing is showing up in the event viewer. Can anyone direct me to a guide on setting up IAS 2003 to work with the WLC?

Thanx

This is the guide we used for configuring IAS.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en

You should at least see the WLC hitting the IAS server in the IAS server logs. Are you looking in the IAS logs or just the system event viewer?
