02-13-2009 12:08 PM - edited 03-10-2019 04:20 PM
I'm trying to set up a RADIUS server and PEAP on a CISCO ARI-AP1242AG-A-K9 and I am getting an Authentication failed message in the event log.
First I see RADIUS Server 10.209.128.61:1645,1646 is not responding.
Then I see RADIUS Server 10.209.128.61:1645,1646 has returned.
Then I get the "Station <MAC address> authentication failed" message.
The association tab shows the client state as "association processing".
The clients are a Silex MX-560 and a Windows XP SP2 HP laptop with an Intel PRO/Wireless 3945ABG internal network card.
I've been able to get the Silex to work using LEAP, but no luck at all on either with PEAP.
Can anyone help me?
Thanks!
02-13-2009 01:34 PM
Local PEAP authentication is not planned because it would require the management of certificates.
You require an External Radius Server to set up PEAP on your Aironet.
02-13-2009 02:51 PM
I was afraid you would say that...
Is it even possible to run PEAP without a certificate only using a username and password?
02-13-2009 03:33 PM
PEAP makes it possible to authenticate wireless users without requiring them to have USER-Certificates, but we still require a ROOT Certificate.
Here are some more specific details about PEAP:
..."the Protected Extensible Authentication Protocol (PEAP) Version 2, which provides an encrypted and authenticated tunnel based on transport layer security (TLS) that encapsulates EAP authentication mechanisms. PEAPv2 uses TLS to protect against rogue authenticators, protect against various attacks on the confidentiality and integrity of the inner EAP method exchange and provide EAP peer identity privacy."
"As part of the TLS negotiation, the server presents a certificate to the peer. The peer SHOULD verify the validity of the EAP server certificate, and SHOULD also examine the EAP server name presented in the certificate, in order to determine whether the EAP server can be trusted."
http://tools.ietf.org/id/draft-josefsson-pppext-eap-tls-eap-10.txt
• PEAP uses server-side Public-Key Infrastructure (PKI)-based digital certification authentication.
• PEAP uses TLS to encrypt all user-sensitive authentication information.
http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp998638