New Member

bug?? wlc, acs, peap & machine auth and intel wireless proset

customer has a wireless solution consisting of an AIR-WLC4402-50-K9 with software, several AIR-LAP1131AG-E-K9 Access Points, Cisco ACS 4.0, Windows 2003 Active Directory and a Microsoft CA.

WLC & ACS are configured for PEAP(MS-CHAPv2) plus machine authentication on acs.

on wlan-clients (mostly centrino-notebooks) this security solution configured with windows configuration service works AND user (both!) must successfully authenticate themselves against acs to gain access.

but with intel wireless proset-software version 11.1 it's enough to successfully authenticate as host OR user (not both!). this looks like a bug and is a really heavy security hole.

any ideas?

New Member

Re: bug?? wlc, acs, peap & machine auth and intel wireless prose

Microsoft PEAP clients also initiate machine authentication whenever a user logs off. This prepares the network connection for the next user login. Microsoft PEAP clients may also initiate machine authentication when a user has selected to shut down or restart the computer rather than just logging off. Refer URL

New Member

Re: bug?? wlc, acs, peap & machine auth and intel wireless prose

ok...i think you don't understand my question. sorry, my english is not very good. :(

i have only a problem with the intel wlan-client ...not the ms-client! with the intel-client no user-authentication is required to gain access to the wlan. the log of acs is also very curious:

scenario: machine auth successful, user auth not successful (user not in ads-group)

intel client (the acs says "auth failed" but the client gains access):

03/04/2007,15:08:05,Authen failed,testuser,Default Group,(Default),External DB account restriction,,,%DOMAIN%\%USERNAME%,10.x.y.z,,%DOMAIN%\%USERNAME%,25,CISCO-PEAP,,WLC01,

here the same log-entry with the ms-client (acs says auth failed and the client gains NO access):

03/04/2007,15:14:00,Authen failed,testdomain\testuser,Default Group,(Default),External DB account restriction,,,testdomain\testuser,10.x.y.z,,,25,MS-PEAP,,WLC01,
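
Added example, not part of the thread and not Cisco code: a short Python triage script that parses the two ACS failed-attempt entries quoted above and reports where they differ (EAP type name and literal `%DOMAIN%\%USERNAME%` tokens). The column positions are an assumption inferred from those two lines only, and the function names are hypothetical.

```python
import csv
import io
import re
from collections import Counter

# The two "Authen failed" entries quoted in the post above, copied verbatim.
SAMPLE_LOG = r"""03/04/2007,15:08:05,Authen failed,testuser,Default Group,(Default),External DB account restriction,,,%DOMAIN%\%USERNAME%,10.x.y.z,,%DOMAIN%\%USERNAME%,25,CISCO-PEAP,,WLC01,
03/04/2007,15:14:00,Authen failed,testdomain\testuser,Default Group,(Default),External DB account restriction,,,testdomain\testuser,10.x.y.z,,,25,MS-PEAP,,WLC01,
"""

# Assumption: zero-based column positions read off the two lines above,
# not taken from ACS documentation. Adjust to the log's configured columns.
MSG, USER, REASON, EAP_NAME, DEVICE = 2, 3, 6, 14, 16

# A token such as %DOMAIN% or %USERNAME% that was logged literally.
PLACEHOLDER = re.compile(r"%[A-Za-z_]+%")


def parse_failed_attempts(text):
    """Return one dict per 'Authen failed' row in the CSV text."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= DEVICE or row[MSG] != "Authen failed":
            continue  # skip blank, short or non-failure rows
        entries.append({
            "when": f"{row[0]} {row[1]}",
            "user": row[USER],
            "reason": row[REASON],
            "eap": row[EAP_NAME],
            "device": row[DEVICE],
            # columns whose value still contains an unexpanded %TOKEN%
            "placeholders": [i for i, v in enumerate(row) if PLACEHOLDER.search(v)],
        })
    return entries


def unresolved_identities(entries):
    """Entries that carry literal %TOKEN% values instead of a resolved name."""
    return [e for e in entries if e["placeholders"]]


def failures_by_eap(entries):
    """Count failed attempts per EAP type name (e.g. CISCO-PEAP vs MS-PEAP)."""
    return Counter(e["eap"] for e in entries)


if __name__ == "__main__":
    parsed = parse_failed_attempts(SAMPLE_LOG)
    print(dict(failures_by_eap(parsed)))
    for e in unresolved_identities(parsed):
        print(e["when"], e["user"], e["eap"], e["device"], e["placeholders"])
```

A failed attempt listed here is only the ACS side of the event; whether the client stayed connected has to be checked separately on the controller (WLC01 in these entries).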