Yes, I am able to use PEAP with other wireless card. We are having problem with only the 3945 abg card, is it a compatibility issue or a driver issue?
Intel claims that the card will be compatible with Cisco's protocol. I have no problem with MAC authenthication through the ACS and a Guest account which does not require authenthication.
Yes, if you are using the Intel supplicant, you need to uncheck the box for "Disable EAP-FAST Enchancements" go to the next page, and you should have a "Roaming ID". In that box, put the name that ACS is expecting, then go back and re-uncheck the Enhancements box. Tell it ok, and try to connect.
can you give us a doc, that has some screen shots of the setup, of the supplicant?
I'm really a visual person.
You better check below link for the CCX v4 support list to determine your laptop is supporting CCX v4 or not.
Yes, The laptops that we have does support CCX v4. This is the link that shows some screenshot, and some suggestion for the fix....but it didnt do the work. http://support.intel.com/support/wireless/wlan/sb/cs-022331.htm
I have all the latest version of driver for the card.
>>>>>More feedback please>>>>>>
I suggest to work from the fresh that use the basic config, e.g. leap or eap-fast to test the compatibility first then try the peap.
It is hardly to say the problem is the AP or the laptop 3945ABG....
Thanks for everything everybody,,I think were going in circles here. The problem is not with the AP because all other wireless cards will authenthicate to the ACS and grabbing access through our AD. It is determine by Cisco TAC that this is a compatibility issues, which I knew was going to be the answer from TAC before I open up the case. If you guys are interested please see TAC case #603960185 (Laptops with Intel 3945abg wireless card will not authenthicate using PEAP). I'm surprise I we are the only ones that are reporting this problem since Intel 3945abg will be the major wireless card to be install in the next generation of PCs and Laptops being built. All comments and suggestions are still welcome.......thank you so much to all you guys that reply ....and to all the readers be ware........
Are you using the Intel client or letting Microsoft manage the connection? We've had better results with WPA1/2 and PEAP by uninstalling the Intel client and letting MS manage the connection. Although with the Intel 2915, I did not see the card sending CCX without the Intel client. In general we've had nothing but trouble out of the Intel cards. We have standardized on the Dell 1470/90 with the Broadcom chip. The roaming is better and does CCX4 with a driver only install using the MS wireless. I haven't tested the new 3945 series, but I believe the Cisco CB21 and the Dell/Broadcom 1470/90 are better choices.
Running XP-SP2 on the clients with the WPA2 patch and Fast reconnect patch. Running 188.8.131.52 on the WLC.
I prefer to use Microsoft, but with Intel's 3945 a setting has to be adjusted using the admin tools. Yes I also did use Microsoft to manage the Inel card. I also install Cisco CB21 in the PCMCIA slot and disable Inel card. But it didnt work right the the laptop. The connection keeps droping in and out. You are right about getting any other cards besides intel.....they suck big time with compatibility issues especially with cisco. I too never have problem with broacom/dell or cisco cb21. thanks for the reply .... at least i now know im not the only one out there
If you already tested CB21 but still not work and it is the problem only in this laptop. The final step is to use a clean MS windows w/o special tools, driver installed to test the hardware. If the problem still occur, I believe it is the compatiblity issue of the laptop.....
Today one of our staff came in with an IBM laptop with 3945abg card. IBM claims they have a fix for 802.1x + PEAP, of course that was a false claim also. I loaded their new supplement 4.12 to the laptop and try to connect. I got an authenthication fail.....now before you reply and say check your ACS or APs for the correct radius setting (i can authenthicate using other wireless besides 3945abg, we're beyond basic troubleshooting). Yes Jack , your right about the compatibility issues. I was just hoping that one of the vendor or Cisco could do something about it to push this issue forward and really test the darn card out before they claims compatibility issue. I open up a case with Cisco. Cisco gave up on me. To read more on the case please see prior thread for case #.......if any body out there that can get the Intel 3945abg card to work with 802.1x + PEAP authen using ms-chapv2 please. heeeeellllllpppppppp.
I am glad I found this thread. I have a fleet of IBM T60's all with the Intel 3945 card. We are attempting to use IBM Access Connections 4.12 as well. MS Hotfix for Peap authentication to 3rd party radius servers has been applied to laptops running WinXP SP2. We are using PEAP with MS CHAPv2 as well. WPA2 with AES. Backend consists of Aironet 1130AG's and Cisco ACS 3.3
I have discovered that I cannot connect with this card on the first attempt. However, if I have the laptop plugged into our network via an ethernet cable, and then attempt to make a wireless connection (yes, while the ethernet cable is plugged in), it will connect. I can then shut down the laptop and from that point on, I can make successful wireless connections with no problems.
Just like you, I am way past basic troubleshooting. I have tried using MS Wireless Config tool as well. No dice.
I have opened up a case with TAC and put them on notice. I get the same info you are getting. I have also spent a good deal of time with IBM today, and it was pretty positive. I have a case that has been elevagted to engineering to look at this further. It really stumped the guy I was working with, and agreed something was not quite right. Since the card is CCX v4 compatible, Intel should be able to modify the drivers so the OEM's can get them their customers.
Also, I have ordered another IBM Wireless A/B/G mini pci card that is offered by IBM for this laptop. It will be in tomorrow, I am going to remove the 3945 card, and install this card to do a validation that it will connect. After this, I will report back to IBM my findings. I suspect that this will wor (or at least I hope).
I will post back on this board my findings. If you find anything out on your end, please keep us posted.
Thanks, and I hope what I have shared helps somehow.
I too install Cisco's AIR-CB21AG-A-K9 card in the PCMCIA slot. The client authenticate but was not able to sustain the connection. It would drop every 5 to 10 minutes and ask for authentication. This is also with MS Hotfix for 802.1x. With this result, it also leads me to beleive that their may be a need for the software fix for the new 945 chipset in the new motherboard that comes with all this laptop. But if you can get better result with other cards please let me know. Thanks for the reply ....Now I know that im not the only one out there..
I have peap working with mschap-v2 using lenovo t60 laptops using the intel 3945 abg chipset. You have to use ibm access connections v4.11a. The ibm access connections changed the peap single sign-on in v4.12. I am using cisco 1242ag access points using 12.3.8-ja2 ios on the ap's. In version 4.12 of ibm access connections they are sending domain/login id which causes authentication problems on the radius server. We are using the free radius server on linux to authenticate our clients. We are trying to strip the domain from the login id so then we are able to authenticate the client with just the login id and password. The only way of i have gotten the client the to authenticate in v4.12 of access connections is fill in the userid and password with no domain.
Do you have a copy of 4.11a? I cannot find it on the IBM/Lenovo site, and they say they do not have it available now.
I would like to test with 4.11a and validate in my environment.
I would love to have a copy of the 4.11a supplement to test. I too cannot find that copy. There is no way that we can change our structure to not include domain. please send supplecant to email@example.com
The file size is a 11 megabytes and I only send a maximum size of 10 megabyte through our email server. Unless somebody has a ftp site i can upload it to.
I have created an ftp site for access. Send me an email address, and I can send you login info for upload.
Thank you for your help.
Intel just came out with a new release 10.5.1.57 version. I just finish testing it with Gateway's laptop. User authenthicate ok with Microsoft wireless connection but will not sustain connection. It will drop and reauthenthicate every 10-15 seconds. With Intel's supplecant the add profile was grayed out now we cant even add a user. I think intel's getting closer to solving the problem. If you guys have any new finding please post. I will test the new driver with an IBM T60 next and will post the result.
any update on your testing linhtasack? any update on your testing firstname.lastname@example.org? We are still trying to strip the domain from domain/username login id. No luck yet.
We finally got the domain stripped from domain/username login id. We can now authenticate using peap and mschap v2 with the windows username and password using v4.12 ibm access connections. This works with the ibm t60 with the intel 3945abg chipset.
I am still where I was at last week. Running AC 4.11a did not good.
Recap from last week...
I have discovered that I cannot connect with this card on the first attempt. However, if I have the laptop plugged into our network via an ethernet cable, and then attempt to make a wireless connection (yes, while the ethernet cable is plugged in), it will connect. I can then shut down the laptop and from that point on, I can make successful wireless connections with no problems
Have you tried adding your RADIUS server certificate as trusted manually before trying to connect to the wireless. It sounds to me that your domain Group Policy is taking care of that for you when you log with the wired connection.
I have been able to create a new user from wireless logon without validating the server certificate. When i try creating a new user with server certifacte validation i am not able to log on to the network. My radius server sees it as a bad certificate. With an existing user i am able to logon to the network with validating the server certifacte.
FIX FIX FIX
I know what is causing the client to not authenticate the users. It is due to roaming issue. The client drops in and out when trying to authenticate because the client tries to roam to other APs, You will see the connect and a drop. If you have multiple APs BROADCASTING the same SSID then the client will roam even though physical location is the same. I FIXED the ISSUE by TURNING OFF broacast on SSID that uses PEAP to prevent the client from roaming. I know this is a temperary fix but it will surfice until Intel gets a new driver out. Good luck to everybody.....and thank you so much to all of you that replies and listen.....
I've just posted in another thread about this, but I'm seeing a very similar issue (not exactly the same though).
The APs in this case are 1200 series IOS upgraded running 802.11b interfaces only. There are multiple SSIDs NONE of which are broadcasting.
We've got a few different client types. The Cisco CB21ABG cards are fine, as are the Intel 2200 and 7920 phones. It's only the 3945 that has a problem and it's running Intel's 10.5.1.68 driver which is the latest. I'm considering downgrading it to an older driver.
Basically, the adapter is just unreliable with its connection. It will connect, but over time it drops packets and lattency increases. If you reboot it, it works ok for a bit again. The 3945 is being configured through XP Zero, and doesn't have a problem when running WPA-PSK, only when WPA/TKIP/PEAP is used. Also, if you stick a CB21ABG (still under XP) in the same machine and disable the 3945, it's perfect.