Using PEAP getting "Authentication Failed" in the Event Log

jnakken
Level 1

I'm trying to set up a RADIUS server and PEAP on a CISCO ARI-AP1242AG-A-K9 and I am getting an Authentication failed message in the event log.

First I see RADIUS Server 10.209.128.61:1645,1646 is not responding.

Then I see RADIUS Server 10.209.128.61:1645,1646 has returned.

Then I get the "Station <MAC address> authentication failed" message.

The association tab shows the client state as "association processing"

The clients are a Silex MX-560 and a Windows XP SP2 HP laptop with an Intel PRO/Wireless 3945ABG internal network card.

I've been able to get the Silex to work using LEAP, but no luck at all on either with PEAP.

Can anyone help me?

Thanks!

Accepted Solutions

PEAP makes it possible to authenticate wireless users without requiring them to have USER-Certificates, but we still require a ROOT Certificate.

Here are some more specific details about PEAP:

..."the Protected Extensible Authentication Protocol (PEAP) Version 2, which provides an encrypted and authenticated tunnel based on transport layer security (TLS) that encapsulates EAP authentication mechanisms. PEAPv2 uses TLS to protect against rogue authenticators, protect against various attacks on the confidentiality and integrity of the inner EAP method exchange and provide EAP peer identity privacy."

"As part of the TLS negotiation, the server presents a certificate to the peer. The peer SHOULD verify the validity of the EAP server certificate, and SHOULD also examine the EAP server name presented in the certificate, in order to determine whether the EAP server can be trusted."

http://tools.ietf.org/id/draft-josefsson-pppext-eap-tls-eap-10.txt

• PEAP uses server-side Public-Key Infrastructure (PKI)-based digital certification authentication.

• PEAP uses TLS to encrypt all user-sensitive authentication information.

http://www.cisco.com/en/US/docs/wireless/technology/peap/technical/reference/PEAP_D.html#wp998638

3 Replies

ansalaza
Level 1

Local PEAP authentication is not planned because it would require the management of certificates.

You require an External RADIUS Server to set up PEAP on your Aironet.

I was afraid you would say that...

Is it even possible to run PEAP without a certificate only using a username and password?
