We have successfully configured a group of 1200 series access points to use PEAP. I have installed a public Thawte certificate on ACS and configured group policy in Active Directory to issue certificates and set wireless settings. All of this works great with XP. I am now trying a Dell Axim running Windows Mobile. This handheld uses the Odyssey client and has all the required PEAP settings. This device works fine if configured with LEAP. I am getting an error on ACS: "EAP-TLS or PEAP authentication failed during SSL handshake". Since this handheld and OS is not a domain member, how does the machine authentication take place? I have tried creating AD accounts that match the device name, I have tried creating local ACS users that match the device name, and nothing seems to matter. I am also not clear how the handheld knows how to deal with the certificate from ACS. I purposely purchased and installed a certificate from a well known CA so that the trusted roots would be in the handheld and we would not need to deal with importing root certificates from our internal CA. Also I should say we are running ACS version 3.3 and the latest 1200AP firmware.
Any help appreciated.
Not sure if this option is present on the pocketpc version, but have you tried to tell odyssey not to check the server certificate?
I have tried checking and unchecking the "validate certificate" box and neither works. I have read in a couple of places that this should be on, so that is why I tried it.
It should be on if you want to be sure you are authenticating to the right server, but for that you have to import the server certificate into your vault; if you didn't, that option should be unchecked.
When you are referring to the certificate being in my vault or needing to load it, are you referring to the root certificate or the certificate that is installed on the ACS server? I tried to export this cert from the server but I get an error trying to install it. I am confused because I am using PEAP and not EAP-TLS. I thought that no client side certs were required. Can you explain how this might be different on the PPC?
There is nothing different: if you check this option you need to import the server (not the root) certificate in order for the client to validate it. Exactly the same applies to a standard PC.
If you can't, or simply don't want to, import the server certificate, all you have to do is uncheck the option; that way you don't need any certificate on the client.
Based on my experience, you cannot do device authentication with Windows Mobile. You need to create a username and password in ACS and do user authentication on the device.
For your SSL handshake error, it can be that your Windows Mobile has not enough processing power to do the SSL. What key size do you use for your certificate?
Have you also added the root certificate to the trusted root certificate list?
I am mapping the usernames to a group in Active Directory and that works fine for all XP workstations just not for the PPC.
The length of the RSA key shows as 1024 bits. Also we are using a Thawte certificate from public CA that already is a known root in the PPC. Do I need to do anything different with this? Also is there any way in XP or the PPC to tell when a server side cert is used?
Just export your PEAP cert and install it on your WM5.0. It should work. Login as domain/user name. Hope this short note helps.
Well, an update on this issue. I am not able to get the PPC to connect with WPA and TKIP. It either gets an SSL handshake error or fails machine authentication. The only way I can get this to work is to add a local account in ACS and supply the ACS username and password to get it to authenticate.
I realize that the PPC or Windows Mobile device cannot be a domain member, therefore mapping to a machine name in Active Directory would be a challenge. Is there any way to get these devices to access a domain username and password? I have tried creating a dummy domain account for the machine name but it does not seem to matter. I have also tried creating a dummy machine account in ACS but that does not work either. Does anybody have PPC or Windows Mobile devices authenticating using ACS and Active Directory? Any help appreciated.
If it works with an ACS local username and password, it should work with an AD username and password too. You have to configure AD as an external database in the ACS and do group mappings.
An AD user account should then be able to authenticate with its PPC by using its AD username and password.
There is a good doc on CCO explaining this in details.
We are running ACS 3.3 and do use it mapping to AD for VPN users and also XP clients. The issue is that since PPC or Windows Mobile devices are not domain members, it seems to fail the machine level authentication when passing your domain credentials. This is with the cert manually installed on the client or not. I have read that the PPC or Mobile devices do not do machine authentication. The issue is that on ACS you tell it whether machine authentication is required, and this is a global setting. I have tried creating a dummy AD computer account for the device but it does not seem to matter. It almost seems like the device name is not getting passed, or that ACS or AD does not like what is being sent.
Why do you want to do machine authentication?
Cf. my previous post: use user authentication and a valid AD username and password to get access to the WLAN with the PPC.
We currently use LEAP and are migrating to PEAP. It seems like the machine authentication adds another level of security. It works fine on XP Pro. If I could bypass machine auth for the PPC devices only, I would. I am just confused, as some people have said that they have PPC working with PEAP but then also say that it does not use machine auth. I assumed that this meant it just bypassed the machine auth and used the user/AD auth. Not sure that if you are requiring machine auth in ACS it will work for PPC devices.
Indeed, it's better to do machine authentication, but as this is not supported on PPC, you don't have a choice.
Do you use machine access restriction (MAR) on the ACS? If not, you can just do user authentication and not machine authentication.
PEAP works in both cases.
I can confirm that PEAP auth with a Windows Mobile 5 PDA using the Odyssey client does work, but only with user authentication. As previous posters have pointed out, you can't create a machine account in the domain for a WM5 device. I've got this setup working both with purchased SSL certs and ACS self-generated ones (purchased are better!). Always make sure the key length is 1024 bit; if you select 2048 bit it won't work.
So to close this issue, you are saying that if you have Machine Authentication required in ACS, you will not be able to have PPC 2003 or Windows Mobile 5.0 devices authenticate using PEAP with their Active Directory user account? So the only way around this is to disable the requirement within ACS for machine authentication, or to have a local user account in ACS for the authenticating user of the PPC device? Correct? If that is the case, then are there any thoughts on the risk of not requiring machine auth? I hate to give that up.
If you don't want to disable MAR, another option could be to use a different SSID for the PPC and for the Windows stations.
On the PPC SSID, you just do user authentication. On the Windows stations SSID, you just do machine authentication (user authentication is done by Windows). To prevent a Windows station from using the SSID of the PPC, you can configure SSID restriction (http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml).
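One way to check that the two-SSID split described above is actually being honoured, as an added example that is not from the original thread: a small audit over constructed ACS-style authentication records, keyed on the RADIUS Called-Station-Id (AP MAC:SSID) attribute, flagging a machine identity on the PPC SSID or any authentication on an SSID the policy does not know. The SSID names, the policy table and the three-column log layout are assumptions; ACS 3.3's real export has more columns.

```python
import re
from collections import namedtuple

# Constructed per-SSID policy for the split described in the post above.
SSID_POLICY = {
    "CORP-WS": {"machine", "user"},   # XP: machine auth at boot, user auth at logon
    "CORP-PPC": {"user"},             # Windows Mobile: user auth only, no machine identity
}

# Constructed log lines: result, EAP identity, Called-Station-Id.
# Cisco APs send Called-Station-Id as <AP MAC>:<SSID>, which is what the SSID
# restriction in ACS keys on.
SAMPLE_LOG = """\
Passed,host/ws-0123.example.local,00-0A-0B-0C-0D-0E:CORP-WS
Passed,EXAMPLE\\jdoe,00-0A-0B-0C-0D-0E:CORP-WS
Passed,EXAMPLE\\jdoe,00-0A-0B-0C-0D-0E:CORP-PPC
Failed,host/ws-0456.example.local,00-0A-0B-0C-0D-0F:CORP-PPC
Passed,EXAMPLE\\asmith,00-0A-0B-0C-0D-0F:GUEST
"""

Event = namedtuple("Event", "result identity ssid kind")
CALLED_STATION = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}:(?P<ssid>.+)$")


def identity_kind(identity):
    """XP PEAP machine authentication presents 'host/<fqdn>'; anything else is a user."""
    return "machine" if identity.lower().startswith("host/") else "user"


def parse_line(line):
    result, identity, called = line.split(",", 2)
    m = CALLED_STATION.match(called.strip())
    ssid = m.group("ssid") if m else ""
    return Event(result, identity, ssid, identity_kind(identity))


def audit(log_text):
    """Return (event, reason) pairs for authentications that contradict the SSID policy."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        allowed = SSID_POLICY.get(ev.ssid)
        if allowed is None:
            findings.append((ev, "unknown SSID"))
        elif ev.kind not in allowed:
            findings.append((ev, f"{ev.kind} identity not allowed on {ev.ssid}"))
    return findings


if __name__ == "__main__":
    for ev, why in audit(SAMPLE_LOG):
        print(f"{ev.result:6} {ev.identity:32} {ev.ssid:10} {why}")
```

A workstation showing up with a host/ identity on the PPC SSID is exactly the case the SSID restriction is meant to stop, so the audit is a cheap way to confirm the restriction is in place before relaxing machine authentication for the handhelds.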