We're using a Cisco Wireless client adapter with the latest ACU version fully installed, and I configured my client for PEAP. I also configured the Windows XP network settings appropriately.
The RADIUS we are using is a Cisco ACS 3.2.1. We used a Microsoft certificate for the server that we issued ourselves.
Without configuring security, the client can associate with the AP, but when we enable PEAP and I open the ACU status screen, the client associates with the AP but cannot authenticate successfully. Status hangs on 'authenticating'. I don't see any traffic to the RADIUS server.
Many things could be wrong unfortunately, so I'll list a few that I've had to trudge through in the hopes they help:
1) You're using ports 1646/1645 for RADIUS. Those are the older ports. Newer servers use 1812 (I think 1813 for accounting, I'd have to verify). Ensure your server is listening on 1645 as you have defined or you won't get any authentication.
2) Turn on dot11 debugging. The nice thing about new IOS APs is they give you the ability to see if you're even hearing your client. I'm still learning to use this tool but I use "debug dot11 aaa dot1x all" to see who's talking and when. The output is of course cryptic, but it's nice to see the output.
3) Lastly, once you're talking to the RADIUS server, use its logs to determine the output error. I've found that with PEAP, depending on the client I use (I use a FUNK RADIUS server and FUNK Odyssey clients - thank you Cisco for ignoring CF form factor wireless cards for 4 years ;p), the inner authentication protocol version 1 or 2 is the complaint from the RADIUS server.
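To check point 1 above (is the RADIUS server actually listening on the port the AP is configured for?), here is an added example, not code from the thread or from Cisco: it builds a minimal RFC 2865 Access-Request and sends it to both the legacy port 1645 and the IANA port 1812. Any reply, even an Access-Reject for the made-up user, proves the server answers on that port; the server name, shared secret and user name are assumed values you supply.

```python
import hashlib
import os
import socket
import struct

# Legacy port first, IANA-assigned port second (RFC 2865 section 3).
RADIUS_PORTS = (1645, 1812)

def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the User-Password as RFC 2865 section 5.2 requires: pad to 16-byte
    blocks and XOR each block with MD5(secret + previous block), seeded with
    the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Code 1 (Access-Request) header + User-Name (1) + User-Password (2)."""
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user
    hidden = encrypt_password(password, secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + authenticator + attrs

def parse_response(data: bytes) -> str:
    """Name the RADIUS code of a reply; anything is proof the port is live."""
    if len(data) < 20 or struct.unpack("!H", data[2:4])[0] != len(data):
        return "malformed"
    return {2: "Access-Accept", 3: "Access-Reject",
            11: "Access-Challenge"}.get(data[0], f"code {data[0]}")

def probe(server: str, secret: bytes, ports=RADIUS_PORTS, timeout=2.0) -> dict:
    """Send one Access-Request per port and record what (if anything) answers."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for ident, port in enumerate(ports):
            req = build_access_request(ident, b"porttest", b"x", secret, os.urandom(16))
            sock.sendto(req, (server, port))          # assumed: server reachable over UDP
            try:
                results[port] = parse_response(sock.recvfrom(4096)[0])
            except socket.timeout:
                results[port] = "no reply"
    return results

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2].encode()))   # usage: probe.py <server> <secret>
```

"no reply" on both ports can also mean the server silently drops requests from a NAS it does not have defined (ACS does this for unknown AAA clients), so run it from the AP's management address or a host entered as an AAA client. A real PEAP exchange carries EAP-Message attributes rather than a User-Password; this probe only tests reachability of the port.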
I just opened a TAC case on this one. I have already installed the latest client, made sure PEAP is installed, had the latest WAP image, and set up network security on the ACU as per the documentation to select "host based EAP (802.1x)" and dynamic WEP, then turned on debug options on the WAP to see the communication between the client and the WAP:
debug radius authentication
debug dot11 aaa dot1x process
debug dot11 aaa dot1x state-machine
Guess what... there is no communication between the client and the WAP for authentication. You can see association and even get an IP address from DHCP, but...
The advice as per the TAC engineer is to put in a static WEP key for now and you should get the communication going. They have already noticed this on some calls and have not seen a bug case # assigned to it. They will be working on a fix in the next release. Once you do that you should see the RADIUS and 802.1x communication going on.
After doing this I can then concentrate on why I am not getting PEAP authenticated on our Funk Radius EE Server v4.7.
The other thing...remove the "authentication network-eap eap_methods" when you are doing PEAP. You enable that for LEAP so you have to create a different vlan for that.