Using PEAP getting "Authentication Failed" in the Event Log

Answered Question

I'm trying to set up a RADIUS server and PEAP on a CISCO ARI-AP1242AG-A-K9 and I am getting an "Authentication failed" message in the event log.

First I see RADIUS Server 10.209.128.61:1645,1646 is not responding.

Then I see RADIUS Server 10.209.128.61:1645,1646 has returned.

Then I get the "Station <MAC address> authentication failed" message.


The association tab shows the client state as "association processing"



The clients are a Silex MX-560 and a Windows XP SP2 HP laptop with an Intel PRO/Wireless 3945ABG internal network card.


I've been able to get the Silex to work using LEAP, but no luck at all on either with PEAP.


Can anyone help me?


Thanks!




Correct Answer by ansalaza about 8 years 2 months ago

PEAP makes it possible to authenticate wireless users without requiring them to have USER-Certificates, but we still require a ROOT Certificate.


Here are some more specific details about PEAP:

..."the Protected Extensible Authentication Protocol (PEAP) Version 2, which provides an encrypted and authenticated tunnel based on transport layer security (TLS) that encapsulates EAP authentication mechanisms. PEAPv2 uses TLS to protect against rogue authenticators, protect against various attacks on the confidentiality and integrity of the inner EAP method exchange and provide EAP peer identity privacy."

"As part of the TLS negotiation, the server presents a certificate to the peer. The peer SHOULD verify the validity of the EAP server certificate, and SHOULD also examine the EAP server name presented in the certificate, in order to determine whether the EAP server can be trusted."


http://tools.ietf.org/id/draft-josefsson-pppext-eap-tls-eap-10.txt


• PEAP uses server-side Public-Key Infrastructure (PKI)-based digital certificate authentication.

• PEAP uses TLS to encrypt all user-sensitive authentication information.


http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp998638
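As an added illustration of the server-certificate point made in the answer above (this is not from the original thread or from Cisco): two wpa_supplicant network blocks for PEAP with MSCHAPv2 as the inner method, one that skips server validation beside one that pins the RADIUS server's issuing CA and expected name. The SSID, credentials, CA file path and server name are assumed placeholders.

```conf
# Added example: wpa_supplicant.conf network blocks for PEAP/MSCHAPv2.
# The SSID, identity, password, CA path and server name are placeholders.

# Weak: no ca_cert, so the supplicant accepts whatever certificate the
# RADIUS server presents. That is the "rogue authenticator" case the
# quoted draft warns about: the TLS tunnel gives no assurance about who
# terminates it, and the inner MSCHAPv2 exchange is exposed to that party.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    phase2="auth=MSCHAPV2"
}

# Corrected: trust only the CA that issued the RADIUS server's certificate
# (the ROOT certificate the answer mentions) and require the certificate's
# name to match the expected server, i.e. "verify the validity of the EAP
# server certificate" and "examine the EAP server name".
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user"
    password="secret"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

Only the second block should be deployed; the first is shown to make the difference visible when reviewing a client configuration.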

ansalaza Fri, 02/13/2009 - 13:34
User Badges:
  • Cisco Employee,

Local PEAP authentication is not planned because it would require the management of certificates.


You require an External Radius Server to setup PEAP on your Aironet.

