Cisco Support Community
New Member

PEAP authentication failed for wireless users

Dears

Hello

I'm receiving this error when I'm trying to authenticate wireless users using PEAP MSCHAPv2. Can anyone please support me?

Thanks

15 REPLIES
Cisco Employee

Please check the old conversation on the same issue

 

supportforums.cisco.com/discussion/11428016/ssid-authentication-acs-5

New Member

Dear Mohanak

Hi

I can see we have different issues; that gentleman has a different issue, I guess. Let me explain in detail: I'm doing only simple authentication, as follows:

1- I have added all devices by using an IP range with subnet mask, using TACACS and RADIUS. I couldn't add particular WLC IP addresses with RADIUS only, because ACS doesn't accept overlapping.

2- I configured one user and selected the simple Network Access Authorization profile "Permit all".

3- I configured the Access Service Radius.

I got this error, and I didn't understand what the root cause is.

 

New Member

please note my WLC is Aruba 

Cisco Employee

Well that is the problem you need to replace Aruba with Cisco :)

Can you click on the magnifying glass under the details column and post the screen shot from the new window with all of the details on the failure?

Thank you for rating helpful posts!
New Member

it is customer choice.. please find attached file

Cisco Employee

I was joking about that :)

Couple of more questions:

1. Can you post a screen shot of the "Service Selection Rules"

2. Post screen shot of the "Identity" under "Wireless-Users"

3. Confirm that the wireless users are not hitting the "Device-Admin" rule that you have listed above

4. If you can post all of the details of the failed authentication. You are getting "access-reject" for some reason so you are not hitting the rule that you are trying to hit. 

Thank you for rating helpful posts!
New Member

Dear Neno :) thanks for your support..

You are absolutely right.. I'm not hitting the access rule, even though I configured it to match the wireless user group.. I notice the device admins are not hitting the rule, but since I enabled RADIUS for device management as well, I can see many logs from them as failed, also as RADIUS.

 

New Member

this is for user as well

Cisco Employee

It is probably a good idea to keep Device Management under TACACS+ and wireless access under Radius. From the "acs-access-service01.jpg" screenshot we can see that your wireless rule is getting zero hits, which again indicates that your wireless clients are hitting the default rule, which is probably "deny access". The ACS rules look OK from the screen shots, so the issue could be on the wireless side.

Can you:

1. Provide better/full capture from "acs-issue1_0.jpg" ? I need to see all steps and details

2. Confirm the wireless settings. More specifically that Radius/802.1x is configured 

Thank you for rating helpful posts!
New Member

Dear Neno

the customer has sent me this in aruba

aaa authentication dot1x "dot1xProfile"
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2

aaa authentication-server radius "SERVER"
   host x.x.x.x
   key xxxx
   nas-ip x.x.x.x

aaa server-group "RADIUS-GROUP"
   auth-server "SERVER"

aaa profile "KSAU-JED-AAA-Profile"
   authentication-dot1x "dot1xProfile"
   dot1x-server-group "RADIUS-GROUP"

wlan virtual-ap "SSID-NAME"
   aaa-profile "KSAU-JED-AAA-Profile"
   ssid-profile "SSID-NAME"
   vlan <VLAN ID>

Cisco Employee

Everything looks good (with my limited knowledge of Aruba). Unfortunately, I won't be much help here without getting my hands on the network :(

Perhaps someone else can come and chime in.

Thank you for rating helpful posts!
New Member

Dears

FYI.. I have solved the issue today.. Basically the issue was that Cisco ACS doesn't have the Aruba controllers dictionary by default. For a vendor-specific dictionary, you need to download it from the vendor site and write down the values into the ACS dictionary fields.
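
An added example, not part of the thread and not ACS or Aruba code: RADIUS carries vendor attributes inside attribute type 26 (Vendor-Specific, RFC 2865), keyed by the vendor's enterprise number, and a server can only name and match on them when that vendor's dictionary is loaded. The decoder below shows the same constructed request with and without an Aruba dictionary; the enterprise number 14823 and the two attribute IDs are assumptions to confirm against the vendor's dictionary file.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that wraps vendor attributes
ARUBA_PEN = 14823      # assumed enterprise number; confirm in the vendor dictionary

# Assumed dictionary entries (vendor type -> name); confirm against the vendor file.
ARUBA_DICT = {1: "Aruba-User-Role", 5: "Aruba-Essid-Name"}

def vsa(vendor_id, vtype, value):
    """Encode one Vendor-Specific attribute (RFC 2865 section 5.26)."""
    sub = bytes([vtype, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

def decode(attrs, dictionaries):
    """Walk RADIUS TLVs; VSAs get a name only if the vendor dictionary is loaded."""
    out, i = [], 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        value = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j + 2 <= len(value):
                vtype, vlen = value[j], value[j + 1]
                if vlen < 2 or j + vlen > len(value):
                    raise ValueError("bad sub-attribute length")
                name = dictionaries.get(vendor, {}).get(vtype)
                out.append((name or f"unknown-vsa-{vendor}-{vtype}",
                            value[j + 2:j + vlen]))
                j += vlen
        else:
            out.append((f"attr-{atype}", value))
        i += alen
    return out

# Constructed sample: User-Name (type 1) followed by one Aruba VSA.
SAMPLE = bytes([1, 7]) + b"alice" + vsa(ARUBA_PEN, 5, b"SSID-NAME")

if __name__ == "__main__":
    print("no dictionary:  ", decode(SAMPLE, {}))
    print("with dictionary:", decode(SAMPLE, {ARUBA_PEN: ARUBA_DICT}))
```
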

Cisco Employee

Oh good catch! I am so used to working with Cisco gear that I did not even think about it. :) Thank you for sharing the solution! (+5) from me. You should probably mark the thread as "answered/resolved" too :)
Thank you for rating helpful posts!
New Member

Thanks Neno .. by the way, how do I mark this thread as answered? Sorry, I'm not so familiar with these tools :)

Cisco Employee

No problem. Please take a look at:

https://supportforums.cisco.com/community/5781/support-community-help

Thank you for rating helpful posts!