Cisco Support Community
Community Member

PEAP with ACS 3.1 for "Port Based Network Access Control"


I am trying to implement "Port Based Network Access Control" with PEAP (not with wireless):


XP Client (PEAP & Ca)

Catalyst 2948G Version 7.4.3 (incl. setup for 802.1x)

ACS 3.1 (with Server-Certificate & RADIUS IETF & External Database LDAP config)

The ACS is logging the Request with this fault:

Message-Type: "Bad request from NAS"

Authen-Failure-Code: "Invalid message authenticator in EAP request"

Maybe someone has knowledge of this message?



Community Member

Re: PEAP with ACS 3.1 for "Port Based Network Access Control"

I have been working on this as well. It turns out that Microsoft's implementation changed from when Cisco first set up the ACS 3.1, and now it will not work until ACS 3.2 comes out. There is not very much documentation on the Cisco website regarding these problems, but I ended up opening a case with TAC and found out I was doing everything right but the ACS and Microsoft were incompatible. From what I understand, you can wait for ACS 3.2 (around May) or get an advanced copy of Windows 2003 Server and run the Microsoft RADIUS server, and this should work. I have not tried the MS RADIUS server. I am waiting for ACS 3.2. If you want to do some testing, load the Cisco Aironet Client Utility on your client computer (I know you are not doing wireless). This will overwrite the MS parts of PEAP with the Cisco PEAP and will work with ACS 3.1. The only drawback is you will have a 2-step login. This solution does not hook into the MS login, so you have to log in twice.
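
The failure code quoted in the first post names the RADIUS Message-Authenticator attribute. As an added example (not part of either post and not Cisco ACS code), this Python block shows the standard check from RFC 2869 / RFC 3579 that a RADIUS server applies to an Access-Request carrying EAP: HMAC-MD5, keyed with the shared secret, over the whole packet with the attribute's value zeroed. The function names, the shared secret and the sample packet are constructed for illustration, and treating the ACS error as this check is an assumption.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # RADIUS attribute carrying the EAP packet
MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the whole packet (RFC 2869 / RFC 3579)


def _find_message_authenticator(packet: bytes) -> int:
    """Return the offset of the 16-byte Message-Authenticator value, or -1."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    pos = 20  # skip code, identifier, length, 16-byte authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                raise ValueError("Message-Authenticator must be 18 octets")
            return pos + 2
        pos += attr_len
    return -1


def check_access_request(packet: bytes, secret: bytes) -> str:
    """Classify an Access-Request as 'valid', 'invalid' or 'missing'."""
    offset = _find_message_authenticator(packet)
    if offset < 0:
        return "missing"
    length = struct.unpack("!H", packet[2:4])[0]
    received = packet[offset:offset + 16]
    # The sender computes the HMAC with the value field set to 16 zero octets.
    zeroed = packet[:offset] + bytes(16) + packet[offset + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return "valid" if hmac.compare_digest(received, expected) else "invalid"


def build_sample_request(secret: bytes) -> bytes:
    """Constructed sample: Access-Request with an EAP-Response/Identity."""
    eap = bytes([2, 1, 0, 10, 1]) + b"alice"  # code, id, length=10, type=Identity
    attrs = bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16))
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac
```

Running `check_access_request` over a captured Access-Request with the secret configured on each side shows whether the switch and the server agree on the key and on the packet contents.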
