AP - 1231 G
AUTHENTICATION SERVER - IAS (POINTED THE AP TO THE IAS)
AUTHENTICATION METHOD - Open Authentication with EAP
CLIENT - AIRONET a/b/g
3Com OfficeConnect 11g
My PEAP (MSCHAPv2) is not working via the WinXP utility, nor on the ADU. With WinXP, it really is not working: the username and password prompt keeps appearing, but when I try to enter the correct credentials it just goes back to a blank username and password login dialog. With the ADU, it works, but it keeps on disassociating.
Does WinXP PEAP (MSCHAPv2), NOT THE ADU, work?
Is there additional configuration I have to do, or patches I have to install?
I didn't use certificates; do I have to when using MSCHAPv2?
Are certificates easier to install and more secure than just MSCHAPv2?
Is Open Authentication meant for multi-vendor clients (EAP) and Network EAP meant for Cisco only, particularly LEAP?
Will WDS make it easier to configure and implement security for clients?
The same setup works perfectly with LEAP, and I had not one problem with it; it works the way it says in the Cisco documents. But I have multi-vendor clients, and with this it went from easy to extremely complicated... Please help, any input is greatly appreciated. Thanks
I'm guessing, but I believe you'd have to be using the AP's local RADIUS server for LEAP to work - MS IAS doesn't support LEAP.
You don't need certificates on the client for PEAP, only on the server providing the IAS service.
I've tried PEAP with Zero Wireless Config (the MS software), and it worked OK (Win2003 server running IAS). I've also used the same setup with EAP-TLS, but that would require certs on all of the clients.
Certificates are "more secure," in that only legitimate clients should have valid certs. They are also more administration intensive ... you can push the cert out with a Group Policy ... which makes things marginally easier (depending on how well you know MS administration).
WDS won't make administration or implementation any easier - WDS primarily is used to make roaming quicker and "seamless" - so the clients can roam (especially 802.11 phones) without the re-authentication delays (which would cause the phones to drop the call).
I configured my PEAP and EAP-TLS according to instructions in a Windows 2003 Administrator's Handbook ... if I can find the book I'll re-post with the ISBN. I'm pretty sure Cisco has a configuration guide online; Microsoft also has one (search for "Configure Cisco IAS" (no quotes) on the MS site).
Thanks, ScottMac! That clears away some of the cobwebs and I hope the sun will come out tomorrow for me. :) Crystal clear, particularly with certificates and WDS, but I am still confused with PEAP as to why it is not working, considering I did exactly what I read in Cisco documents and some Microsoft articles. I probably missed some minor but very important configuration detail.
I will try to look for the "Configure Cisco IAS" (no quotes, of course).
You are correct about my LEAP configuration: I did just use the local (AP) RADIUS server. But I have tried it as well via ACS v3.3, and no problem with LEAP on that as well.
Another question, ScottMac: with LEAP, after powering ON my notebook (configured with LEAP, of course), before cached and non-cached users log on to the domain or even just the local computer, LEAP is doing all the association and authentication, and is able to get an IP address (considering it is a DHCP network). I have learned that PEAP doesn't do this (well, at least with my configuration), but is there a way for PEAP to do all the AAA before a user can log in? For users already cached on the local notebook there is no problem, but for non-cached users there seem to be problems with my PEAP configuration. I hope you can help me pinpoint my mistakes...
In the Cisco ADU configuration screens for PEAP (and probably some others) there should be a box for "machine authentication" .... so it verifies your pc/laptop initially instead of the username.
Check it out / try it and see if it works for you.
Hello, ScottMac. Finally I got it working. PEAP is now working with non-cached users. I can get AAA even before logging in. So cool after all I've been through. Whew! That is... :)
Thanks for your help. Forum rules!!!
Oliver, what registry settings are you referring to?
Also, when you say AAA authentication before login, what does that mean? Does that mean machine authentication, and if so, does the ACS have a database locally, or is the ACS referencing Active Directory by computer name? Thanks for clearing that up for me.
Check these settings:
Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode -- REG_DWORD
    0: Disable IEEE 802.1X operation.
    1: Inhibit transmission of EAPOL-Start and EAPOL-Logoff packets under all scenarios.
    2: Include learning to determine when to initiate the transmission of EAPOL packets.
    3: Compliant with IEEE 802.1X Specification.
Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode -- REG_DWORD
    0: Machine authentication mode in Windows XP Client RTM. When a user logs in, if the connection has already been authenticated with machine credentials, the user's credentials are not used for authentication.
    1: Machine authentication with re-authentication functionality. Whenever a user logs in, 802.1X authentication is performed using the user's credentials.
    2: Machine authentication only. Whenever a user logs in, it has no effect on the connection. 802.1X authentication is performed using machine credentials only.
Machine Authentication needs AD, it is possible to do it with the local database! Machine Authentication (you will see entries like host\computer-name.domain.com) is based on Kerberos and is dynamically exchanged between the domain PC and AD at the first connection.
Hope this helps
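An added audit helper for the two registry values listed above (not code from the thread or from any vendor). It parses `reg query` output for the EAPOL key, decodes SupplicantMode and AuthMode using the meanings given in the post, and warns about settings that prevent the pre-logon machine authentication the thread is after; the HKLM hive and the sample output are assumptions.

```python
import re
import sys

# Value meanings as listed in the post above (Windows XP 802.1X supplicant).
SUPPLICANT_MODE = {
    0: "IEEE 802.1X disabled",
    1: "EAPOL-Start and EAPOL-Logoff never transmitted",
    2: "learning mode: client decides when to send EAPOL packets",
    3: "compliant with the IEEE 802.1X specification",
}
AUTH_MODE = {
    0: "machine authentication; user credentials not used if already authenticated",
    1: "machine authentication, then re-authentication with user credentials at logon",
    2: "machine authentication only; user logon has no effect on the connection",
}
# Assumed hive: the post gives the path below HKLM without naming it.
REG_KEY = r"HKLM\Software\Microsoft\EAPOL\Parameters\General\Global"

# One `reg query` output line, e.g. "    AuthMode    REG_DWORD    0x1"
_VALUE_RE = re.compile(r"^\s*(SupplicantMode|AuthMode)\s+REG_DWORD\s+(0x[0-9A-Fa-f]+|\d+)\s*$")


def parse_reg_query(text):
    """Extract the two DWORDs from `reg query` output; missing values stay absent."""
    found = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2), 0)  # base 0 accepts 0x.. and decimal
    return found


def assess(settings):
    """Return (description lines, warnings) for the pre-logon machine-auth use case."""
    sm, am = settings.get("SupplicantMode"), settings.get("AuthMode")
    notes = ["SupplicantMode=%s: %s" % (sm, SUPPLICANT_MODE.get(sm, "not set or unknown")),
             "AuthMode=%s: %s" % (am, AUTH_MODE.get(am, "not set or unknown"))]
    warnings = []
    if sm == 0:
        warnings.append("802.1X is disabled: no authentication before or after logon")
    elif sm == 1:
        warnings.append("client never sends EAPOL-Start, so it will not initiate authentication")
    elif sm not in SUPPLICANT_MODE:
        warnings.append("SupplicantMode missing or out of range (0-3)")
    if am not in AUTH_MODE:
        warnings.append("AuthMode missing or out of range (0-2); machine authentication unverified")
    elif am == 2:
        warnings.append("user credentials never used; per-user RADIUS authorization cannot apply")
    return notes, warnings


# Constructed sample of `reg query` output for offline use (not captured from a real host).
SAMPLE = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\EAPOL\\Parameters\\General\\Global\n" \
         "    SupplicantMode    REG_DWORD    0x3\n    AuthMode    REG_DWORD    0x1\n"

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()  # reg query <key> | python audit.py
    n, w = assess(parse_reg_query(text))
    print("\n".join(n + ["WARNING: " + x for x in w]))
```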