PEAP & ACS & machine authentication

OK, here's the issue:

Customer site - 1130 series LWAPP APs, WLC 4400 series with 4.2 release, WCS with 4.2 release.

ACS SE 4.0 and a second ACS SE with 4.1

Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.

Machine authentication not working, i.e. a user can't log on until they've previously logged on.

Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are set up as per Cisco docs on the ACS. Client end OK.

Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.

ACS using a self-signed cert, option to validate server cert on XP WZC unchecked.

Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....

Please tell me we don't need to install certs on clients - I thought PEAP was server side only? Surely?

Help, someone, help...

4 REPLIES
Re: PEAP & ACS & machine authentication

You cannot use WZC. You will have to use Cisco Secure Services Client; this works on every wireless card, or the client that came with the wireless card you have if it supports this. I know Broadcom cards support this if you have them. I would suggest using Cisco Secure Services Client.

Re: PEAP & ACS & machine authentication

Matt,

What NIC and driver version? Has the system been joined to the machine domain via a wired connection?

It seems strange to me that WZC would not work. Are you using a driver-only install - no other card-specific supplicant running? Can they authenticate using regular PEAP MSCHAP - no machine auth?

Re: PEAP & ACS & machine authentication

This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....

I referred to this document on MS's site:

http://www.microsoft.com/technet/network/wifi/ed80211.mspx

Plus probably the same document you were using from CCO.

I also installed the two Microsoft Wireless updates for XP SP2 computers; however, I am not 100% sure these were essential. The default supplicant behaviour worked OK, as the APs send EAP frames to the associated wireless clients, which kick-starts the supplicant on the PC. I think the wireless profile needed to be on the PC (SSID & its settings); this can be pushed via GPO, but if the machine has never been on the network (wired/wireless) you can get into a chicken-and-egg situation.

You don't need to use the Cisco supplicant.

HTH

Andy

Re: PEAP & ACS & machine authentication

Cheers for all the replies.

I also installed the two hotfixes for XP SP2 wireless / supplicant; they fixed an issue with fast roaming, where the client would drop a few pings and either prompt for re-auth or show the credentials dialog again.

However, the big fix - the customer had "inadvertently" installed MS IAS on the DC that was hosting the remote agent for ACS.

Uninstalled IAS and happy days, everything works.

So in summary - WZC, PEAP, fast-reconnect, ACS SE all work.

Thought my marbles had been displaced, but all sane again now....

Thanks again for taking time to reply, much appreciated.
