Cisco Support Community
New Member

PEAP ????

I have the following scenario:

- a W2K3 server with IAS RADIUS server, CA server and AD server

- a Windows XP machine, the client

- and a Cisco 2950 (sh run output attached)

And I'm using PEAP with MSCHAPv2.

I have two questions to solve...

1) How do I get the user logged on the first time? How does he get the certificate? Do I have to authorize the port on the switch and log on with the user so that he gets the certificate on the machine?

After this, the authentication process works.

2) When a user logged on to the client logs off, the connection on the switch isn't closed.

The EAP session continues until the switch executes the reauthentication.

So, when a user logs off from the RADIUS client, the port on the switch stays active, and if another user logs on to the machine, the user will


Re: PEAP ????

With PEAP, the client does not get a certificate; the certificate is only on the server side.

EAP-TLS uses client-side certs (and server-side certs).

Until you can register your server/CA with the client, you'll probably need to uncheck the box in the client setup that says "Verify Server Certificate."

Good Luck


New Member

Re: PEAP ????

OK ScottMac, I will try this!

New Member

Re: PEAP ????

Ref: Question 1

I tried this... but it isn't working.

For the first logon, I have to turn off 802.1X on the switch port.

I think that the XP client can't build a certificate on the server the first time.

New Member

Re: PEAP ????

Ref: Question 1

It's working now.

I created an auth-fail VLAN and a guest VLAN, and I also set these on the switch port.

The AD server is on VLAN 10, so when the XP machine is not connected, or is starting the OS, the switch puts the port on VLAN 10 (the guest and auth-fail VLANs); when the user tries to log on the first time, the machine finds the AD server and logs on to the AD server...

So I only have to set the timers, because the switch is very slow to authorize the ports...

And what about question 2?

Does anybody have any idea?
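
The port setup described in the last post, written out as an added example (not the poster's attached `sh run`, which is not on this page). The interface name and timer values are assumptions, and `dot1x auth-fail vlan` is only available on IOS releases that support the feature. Because VLAN 10 is reachable before any authentication succeeds, traffic in it should be limited to what a domain logon needs.

```cisco
! Added example; interface name and timer values are assumptions.
aaa new-model
aaa authentication dot1x default group radius
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 ! No supplicant answers (OS still booting): port is placed in the guest VLAN
 dot1x guest-vlan 10
 ! Supplicant answers but authentication fails: port is placed in the auth-fail VLAN
 dot1x auth-fail vlan 10
 ! Retransmit EAP-Request/Identity every 5 s instead of the 30 s default,
 ! so the fallback to VLAN 10 happens sooner
 dot1x timeout tx-period 5
 ! Periodic reauthentication; a shorter period narrows the window in which
 ! the port stays authorized after the user from question 2 has logged off
 dot1x reauthentication
 dot1x timeout reauth-period 300
```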