07-09-2003 08:22 AM - edited 07-04-2021 08:50 AM
We are evaluating the best way to secure our wireless networks and have decided that PEAP looks like the best bet. I have a test setup using Secure ACS as the radius server, a 1200 AP w/ 12.2(11)JA IOS, and an XP laptop w/ an Aironet 350 card.
I have been unable to get PEAP to work using the Cisco supplicant or the MS supplicant. LEAP works fine.
There is a CA setup and the ACS server has the server cert installed.
ACS is enabled for PEAP.
Here is a debug of the unsuccessful PEAP authentication process if that will help.
Jul 9 10:51:41: dot11_aaa_dot1x_start: in the dot11_aaa_dot1x_start
Jul 9 10:51:41: dot11_dot1x_run_rfsm: Executing Action(INIT,EAP_START) for 000b.fde1.5ccd
Jul 9 10:51:41: dot11_dot1x_send_id_req_to_client: sending identity request for 000b.fde1.5ccd
Jul 9 10:51:41: dot11_dot1x_client_send_eapol: sending eapol to client 000b.fde1.5ccd
Jul 9 10:51:43: dot11_dot1x_distribute_bkey: Updating Group Key: vlan=0, index=1, len=13
Jul 9 10:51:43: dot11_dot1x_distribute_bkey: Multicast key distributed to 0 clients
Jul 9 10:51:51: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 000b.fde1.5ccd
Jul 9 10:51:51: dot11_dot1x_send_response_to_client: Respond not sent to client!
Jul 9 10:51:51: dot11_dot1x_send_client_fail: Authentication failed for 000b.fde1.5ccd
Jul 9 10:51:51.820 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
Jul 9 10:51:53: dot11_dot1x_distribute_bkey: Updating Group Key: vlan=0, index=2, len=13
Jul 9 10:51:53: dot11_dot1x_distribute_bkey: Multicast key distributed to 0 clients
Jul 9 10:51:57: dot11_aaa_dot1x_start: in the dot11_aaa_dot1x_start
Jul 9 10:51:57: dot11_dot1x_run_rfsm: Executing Action(INIT,EAP_START) for 000b.fde1.5ccd
Jul 9 10:51:57: dot11_dot1x_send_id_req_to_client: sending identity request for 000b.fde1.5ccd
Jul 9 10:51:57: dot11_dot1x_client_send_eapol: sending eapol to client 000b.fde1.5ccd
Jul 9 10:52:07.245 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
Jul 9 10:52:22.709 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
Jul 9 10:52:38.134 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
Does anyone have any idea or guidance on how best to get PEAP working?
Thanks......
07-14-2003 10:24 PM
Your client is NOT correctly configured for EAP as it is not answering the EAPOL identity request:
Jul 9 10:51:57: dot11_dot1x_send_id_req_to_client: sending identity request for 000b.fde1.5ccd
Jul 9 10:51:57: dot11_dot1x_client_send_eapol: sending eapol to client 000b.fde1.5ccd
Jul 9 10:52:07.245 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentication failed
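Added example (not part of the thread and not Cisco tooling): a Python sketch that automates the reading of the debug output made in the reply above, counting per station the identity requests that end in a TIMEOUT or AUTH_FAILED with no intervening client action. The `CLIENT_REPLY` event name and the station 0040.96aa.bbcc are constructed assumptions used to show a client that does answer.

```python
import re

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
STAMP = re.compile(r"^[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d")  # start of a record
ID_REQ = re.compile(r"sending identity request for\s*" + MAC)
ACTION = re.compile(r"Executing Action\((\w+),(\w+)\) for\s*" + MAC)
FAILED = re.compile(r"%DOT11-7-AUTH_FAILED: Station\s*" + MAC)

def unwrap(text):
    """Rejoin records that a terminal capture hard-wrapped at 80 columns."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation fragment of the previous record
    return records

def unanswered_identity_requests(text):
    """Per station: identity requests ending in TIMEOUT/AUTH_FAILED with no reply."""
    pending, hits = set(), {}
    for rec in unwrap(text):
        if m := ID_REQ.search(rec):
            pending.add(m.group(1))
        elif m := ACTION.search(rec):
            _, event, mac = m.groups()
            if event == "TIMEOUT" and mac in pending:
                hits[mac] = hits.get(mac, 0) + 1
            if event != "EAP_START":  # assumption: any other action ends the wait
                pending.discard(mac)
        elif (m := FAILED.search(rec)) and m.group(1) in pending:
            pending.discard(m.group(1))
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    return hits

# Lines from the question, wrapped at 80 columns, plus two constructed lines (0040.96aa.bbcc).
SAMPLE = """\
Jul 9 10:51:41: dot11_dot1x_send_id_req_to_client: sending identity request for
000b.fde1.5ccd
Jul 9 10:51:51: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for
000b.fde1.5ccd
Jul 9 10:51:57: dot11_dot1x_send_id_req_to_client: sending identity request for
000b.fde1.5ccd
Jul 9 10:52:07.245 EDT: %DOT11-7-AUTH_FAILED: Station 000b.fde1.5ccd Authentica
tion failed
Jul 9 10:53:00: dot11_dot1x_send_id_req_to_client: sending identity request for 0040.96aa.bbcc
Jul 9 10:53:01: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 0040.96aa.bbcc
"""
if __name__ == "__main__":
    print(unanswered_identity_requests(SAMPLE))
```

A non-zero count for a station means the access point never saw an EAP identity response from it, which points at the supplicant side rather than the RADIUS exchange.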
07-15-2003 11:40 AM
For the MS supplicant, under the PEAP properties page, have you tried to uncheck the 'Validate Server certificate' box?
07-16-2003 03:24 AM
Thanks for the responses. I figured it out myself - it was a certificate trust issue.