Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 3.2 local user database w/ Windows XP PEAP working w/ Aironet 1200 PEAP

I have configured Aironet1200 to work on PEAP mode and windows xp client to authentication using PEAP ms-chapv2. And the Windows xp user has been added to the user database of ACS. Then I tried to connect the Windows XP computer to the wireless network but didn't be succeed. (Windows XP has prompted a dialog box for entering username, password and domain name). The ACS fail attempted logged the following two message:

NAS duplicated authentication attempt

External DB account Restriction

And then I tried to add an external user database mapping with Windows NT group, but the User still cannot connect to wireless.

Any idea? Or Where I can ask for the meaning of the error generated by ACS?



Re: ACS 3.2 local user database w/ Windows XP PEAP working w/ Ai


You can (or have you) try one of this:

1. When Windows prompt for username/password/domain, leave the domain empty. At this point, user auth. will use ACS internal DB, so domain is not required.

2. For this option, ACS need to generate self cert (*.cer). Install this cert in client PC as well.

'System Configuration - ACS Certificate Setup'.

Cert subjetc : cn=

Cert file: c:\your_cert.cer

Private key file: c:\privatekey.pvk

Private key password:

Retype private key password:

Key length:

Digest to sign with: SHA1

Install generated cert:

For 'System Configuration - Global Authentication Setup', follow the guide in this url:

3. If you use external database mapping, make sure your ACS already joint your domain. Otherwise, it won't work. But you need to resolve your client auth via local AAA first before enabling this option.

For 'NAS duplicate authentication attempt', I have seen this message, which refers to client authentication attempt via AP that talk to more than 1 AAA/ACS (not sure related to your case).

Quick check:

In your ACS, enable IETF Radius Attribute [006] login & [007] Login.



CreatePlease login to create content