Cisco Support Community
Community Member

Problems using PEAP with IAS

I am trying to authenticate PEAP clients (W2K) for Cisco 1200 access points using IAS on Windows 2003. When the initial RADIUS request packet is sent to the IAS it includes the following information:



RADIUS: Code = 1 (Access-Request)
RADIUS: Identifier = 0
RADIUS: Length = 173
RADIUS: Authenticator =

RADIUS: Attributes follow
RADIUS: Attribute Type = 1
RADIUS: Attribute Length = 19
RADIUS: User-Name = "PEAP-0009B7F1111F"

RADIUS: Attribute Type = 26 (Vendor Specific)
RADIUS: Attribute Length = 25
RADIUS: Vendor ID = 9 (Cisco)
RADIUS: Attribute = 1 (minimum links)
RADIUS: Vendor Length = 19
RADIUS: Vendor Data =

RADIUS: Attribute Type = 6
RADIUS: Attribute Length = 139

The RADIUS response that is sent back from the IAS looks like this:



RADIUS: Code = 3 (Access-Reject)
RADIUS: Identifier = 0
RADIUS: Length = 20
RADIUS: Authenticator =

RADIUS: No attributes


The event written to the event log by the IAS for the above request is as follows:

User PEAP-0009B7F1111F was denied access.
Fully-Qualified-User-Name = BOUNCER\PEAP-0009B7F1111F
NAS-IP-Address =
NAS-Identifier = HOMEAP2
Called-Station-Identifer = 0009b7d1fe47
Calling-Station-Identifier = 0009b7f1111f
Client-friendly-Name = HOMEAP2
Client-IP-Address =
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 38
Proxy-Policy-Name = Use Windows authentication for all
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.

Based on the above event message, it appears that the IAS is looking for user BOUNCER\PEAP-0009B7F1111F in the local user database. This doesn't seem to make sense since in the first phase of PEAP, the IAS should return an identity request message to the access point and then establish a TLS tunnel directly to the authenticating wireless client. Once the tunnel has been established, then the client should deliver the actual username/password combination to the IAS for authentication. Does anyone know how to fix this problem?
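
An added example, not part of the original post and not Cisco or Microsoft code: under RFC 3579 the access point copies the client's EAP-Response/Identity (the outer identity, sent before any TLS tunnel exists) into User-Name, so that string is what the RADIUS server first looks up. The Python below parses a constructed Access-Request and extracts both values for comparison; the zeroed authenticator, the EAP identifier and all function names are assumptions.

```python
import struct

USER_NAME, EAP_MESSAGE = 1, 79           # RADIUS attribute types
EAP_RESPONSE, EAP_IDENTITY = 2, 1        # EAP code / EAP type

def attr(atype, value):
    """Encode one RADIUS attribute (type, length, value)."""
    return bytes([atype, len(value) + 2]) + value

def parse_radius(pkt):
    """Return (code, identifier, {type: [values]}), rejecting bad lengths."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field does not fit the packet")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("attribute %d overruns the packet" % atype)
        attrs.setdefault(atype, []).append(pkt[off + 2:off + alen])
        off += alen
    return code, ident, attrs

def outer_identity(attrs):
    """Identity carried in EAP-Response/Identity, or None if not present."""
    eap = b"".join(attrs.get(EAP_MESSAGE, []))   # fragments are concatenated
    if len(eap) < 5:
        return None
    ecode, _eid, elen, etype = struct.unpack("!BBHB", eap[:5])
    if ecode != EAP_RESPONSE or etype != EAP_IDENTITY or not 5 <= elen <= len(eap):
        return None
    return eap[5:elen].decode("ascii", "replace")

def sample_request():
    """Constructed Access-Request: zeroed authenticator, identity from the post."""
    ident = b"PEAP-0009B7F1111F"
    eap = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(ident), EAP_IDENTITY) + ident
    body = attr(USER_NAME, ident) + attr(EAP_MESSAGE, eap)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    code, ident, attrs = parse_radius(sample_request())
    name = attrs[USER_NAME][0].decode("ascii")
    print("code", code, "User-Name", name, "outer identity", outer_identity(attrs))
```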



Re: Problems using PEAP with IAS

I thought Cisco does not support PEAP with IAS servers. Was I wrong in thinking so?

Community Member

Re: Problems using PEAP with IAS

It does indeed work. I have set up 2 shops using IAS and 340's, 350's, 1100's and 1200's. I used the ms-chap option. You create a server cert, configure the IAS server with the client (AP) and secret, and configure the AP to point to the IAS server. On the client side I had to authenticate the workstation in order to get login scripts and policies to work. One problem we ran into was Native versus mixed modes in AD. You do not need to switch to native, but in order for the machine to authenticate prior (meaning the machine is in the VPN group) you need to have the domain in Native mode, as you can't grant dial-in permission to the workstation. Once this is complete the machine logs in first, allowing it to obtain an IP and giving the user time to authenticate. Keep in mind if the user does not successfully authenticate, the connection is terminated whether the computer authenticates or not. If you have any questions send me an email at and I will be happy to help.

Community Member

Re: Problems using PEAP with IAS

Can you provide us with a copy of your AP config? Here is a good link to set up Client, AP, and IAS for PEAP, just so you can verify all settings.

Community Member

Re: Problems using PEAP with IAS

Not sure if you ever got your question answered, but in MS Active Directory you need to go to the Dial-in tab and set it to allow access. If you need to do HOST based authentication, you need to call MS for a patch that allows you to see a Dial-in tab for computer accounts in AD, then change it to allow access.


Community Member

Re: Problems using PEAP with IAS

It may be your NAS-Port-Type. The setting for this on the latest IOS based 1200 AP is set to 16, I believe. In addition to this, the Win 2003 IAS policy setup puts that NAS-Port-Type in automatically. You should remove this; that is coming right from Microsoft, it is known to cause problems. I have the exact setup you are using except I am using XP clients. Also don't forget to set the EAP Client Timeout to something like 40 or so; this made all the difference in the world for me. It is under advanced security EAP authentication.

Good luck (I am still having problems)


Community Member

Re: Problems using PEAP with IAS

I have the same problem. When I use MS PEAP, it works fine. After I install ACU and use Cisco PEAP, the user name changes to PEAP-XXXXXXXXX. Anyone know what's wrong?
