ACS authentication with WiSM

Oct 9th, 2008
Dear Friends,

I am presently deploying a campus network of 2 WiSMs with 280 1250 APs.

Authentication is carried out by means of an ACS appliance, 1113. I have generated a certificate and installed it on the appliance itself.

Now the problem is that when a client tries to authenticate, it gets stuck at 'Validating identity', but when I manually install the certificate from the ACS on the client machine, it works but disconnects after some time.

Any ideas / advice?

Thanks,

Sid

Scott Fella Thu, 10/09/2008 - 14:52
What errors are you seeing on the ACS? Here is a guide that shows how to set up PEAP:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml

aaron7181 Thu, 10/09/2008 - 20:52
Hi,

Thanks for the reply.

I get errors from the ACS appliance, something like 'EAP-TLS or PEAP authentication failed , incorrect handshake'

Regards,

SID

patoberli Thu, 10/09/2008 - 22:05
What OS are your clients running?

If Windows XP and WPA2, then you need to add the profile by hand and not by double-clicking on the SSID. Then you need to change several options in the settings dialog of this connection, and after that you are able to connect and authenticate.

aaron7181 Thu, 10/09/2008 - 22:38
Hi,

I have made the ACS 1113 self-signed certificate and installed it on the appliance itself.

After that, I downloaded the certificate and manually installed it on the client PC, which is joined to the domain where the users exist.

Also, I have checked PEAP and MS-CHAP v1 and MS-CHAP v2 on the ACS appliance.

As per the instructions from Cisco examples and technotes, I have adjusted the settings in the WZC, in which I can find the certificate which has been installed.

It takes time to install and gets connected, but after some time it automatically gets disconnected and displays in the WZC as 'attempt to authenticate'.

At the same time, when I checked the ACS logs under failed attempts, I see an error shown, something like

'Invalid SSL handshake ......'

Any clues/advice, please.

Sid

Scott Fella Fri, 10/10/2008 - 03:57
That error means the certificate is invalid. If you load a certificate on the client and on ACS you also have EAP-TLS enabled, then you are doing EAP-TLS authentication and not PEAP. Attach a screenshot of your ACS security settings page.

dewmancco Fri, 10/10/2008 - 10:36
If you are using a self-signed cert then you need to either install the cert on every client you want to use PEAP on - or un-check the 'Validate server certificate' checkbox on the Windows client. Also, I uncheck 'automatically use my windows domain logon and password'; this way I have to type in the username / password and I know it will be correct.
