
missing machine authentication - peap acs

lunestadr
Level 1

Hi,

my setup is:

Cisco ACS 4.0 Release 4.0(1) Build 27 (with thawte certificate)

WLC 4402 ver 4.0.179.8

Aironet 1131 LWAPP

Dell laptop with Windows XP SP2 with PEAP auth (using Windows control of the WLAN card)

I am experiencing a problem with missing machine authentication even though I have enabled this in ACS (Enable PEAP machine authentication). The regkey on the PCs is the Windows standard (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)

http://support.microsoft.com/kb/309448/en-us

I get these messages in the WLC log:

AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201

AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed

Can anyone point me in the right direction?

Is it a Windows client problem or a WLC/ACS problem?

regards rolf

7 Replies

scottmac
Level 10

Did you set up ACS for "Aironet" style RADIUS?

There's an option under "Network Config" | "AAA Clients" for what kind of RADIUS interface to present, you want "Cisco Aironet"

Check it out and let us know.

Scott

Hi,

I did have Cisco Airespace, not Cisco Aironet, defined as the AAA client in ACS for the WLC. I have now changed to Cisco Aironet and will check. What is the Airespace setting supposed to be used for, if not the WLC?

Found this as a reference:

EAP Authentication with WLAN Controllers (WLC) Configuration Example:

"Define the controller as an AAA client on the ACS server. Click Network Configuration from the ACS GUI.

When the Network Configuration page appears define the name of the WLC, IP address, shared secret and authentication method (RADIUS Cisco Aironet or RADIUS Cisco IOS/PIX). Refer to the documentation from the manufacturer for other non-ACS authentication servers."

regards rolf

Hi,

I still have a problem with machine authentication, which stops working after 3-4 days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the Win2003 server running Cisco ACS. I did put an error in my first post; it's not the WLC log that reports this:

AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201

AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed

It is the CSAuth log on the ACS. Has anybody seen this error message, and does anyone know what it refers to?

My problem now is that machine authentication works OK for some days, then stops, and then the listed error messages start coming in the CSAuth log.

regards rolf
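One way to find when this failure starts in a saved CSAuth log, as an added example that is not part of the original thread or of any Cisco tool. The line layout is inferred from the two log lines quoted above, and the sample lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Failure signature copied from the CSAuth lines quoted in the thread.
SIGNATURE = "MachineSPNToSAM: __DsCrackNames failed"

# Assumed layout, inferred from the quoted lines:
#   AUTH dd/mm/yyyy hh:mm:ss <level> <4 digits> <4 digits> <message>
# The thread does not say what the two numeric fields mean; they are skipped.
LINE_RE = re.compile(
    r"^AUTH (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>[A-Z]) \d{4} \d{4} (?P<msg>.*)$"
)

def machine_auth_failures(lines):
    """Return (first_seen, per_day_counts) for the signature in CSAuth lines."""
    first_seen, per_day = None, Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:            # blank, wrapped or truncated line: ignore
            continue
        if m["level"] != "E" or SIGNATURE not in m["msg"]:
            continue
        ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S")
        if first_seen is None or ts < first_seen:
            first_seen = ts
        per_day[ts.date().isoformat()] += 1
    return first_seen, dict(per_day)

# Constructed sample (timestamps invented; messages follow the thread's lines).
SAMPLE = [
    "AUTH 25/09/2006 23:10:02 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201",
    "AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed",
    "AUTH 26/09/2006 07:52:40 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed",
    "External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed",
    "AUTH 27/09/2006 06:30:00 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed",
]

if __name__ == "__main__":
    first, counts = machine_auth_failures(SAMPLE)
    print("first failure:", first)
    for day, n in sorted(counts.items()):
        print(day, n)
```

The first-seen timestamp can be compared with domain controller reboot times to check the correlation reported later in the thread.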

MICHAEL KIOK
Level 1

Hi Rolf,

I encountered the same problem as you - machine authentication with PEAP stops working after some days or also weeks.

Did you find a solution to this problem in the meantime? Or how do you deal with this problem?

Please let me know!

Thank you!

Michael

Is your ACS server a member server in the AD? Did your AD domain controller reboot recently? In ACS 4.0, I found that once the DC rebooted, exactly this happened with machine authentication. I have to reboot the ACS and the problem is fixed. I opened a case with TAC and I was told it is a bug and will be fixed in ACS 4.1. I haven't upgraded ACS to 4.1.

Zhenning

Hi,

It is a documented bug that can be fixed with a bugfix. If you ask Cisco TAC you will get a new ntlib.dll.

regards rolf

http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd52574&Submit=Search

Installation instructions for CSCsd52574_Global_Catalog_NTlib.dll are:

stop service CSAuth

save a backup of \bin\ntlib.dll

copy CSCsd52574_Global_Catalog_NTlib.dll to \bin\ntlib.dll

start service CSAuth

zhenningx
Level 4

Has anyone tried with 4.1? Did 4.1 fix this bug?
