
Wireless 5508 802.1x Part 2

With Stephen's help I was able to get most of my Wireless 802.1x setup configured properly. I'm not having a problem with the client authenticating using user/pass credentials. I have a Wireless XP Client (testing with), which connects to a LWAP, which connects to a WLC 5508, and then Cisco ACS for authentication. I put in my user credentials of tylerp (test account) with the correct password but nothing happens, it just keeps asking me to enter in credentials after a few seconds. I started Wireshark on my laptop and I can see the following.

Source          Destination        Protocol  Information
Cisco_1e:3a:8f  IntelCor_85:9e:46  EAP       Request, Identity [RFC3748]

It looks like it's asking the client for credentials but when I submit my credentials I don't see any response via Wireshark. I'm not sure why that is.

I have included several photos from my WLC/ACS configuration. Any help would be great!

1 ACCEPTED SOLUTION
Hall of Fame Super Silver

Re: Wireless 5508 802.1x Part 2

You need to use the rule based selection and not use NDG but the IP address of the AAA client.  Since the NDG doesn't really work the way you think it would, it will always hit your first policy.  I have had the same issue and specifying the IP address is the fix.

-Scott
*** Please rate helpful posts ***
77 REPLIES

Wireless 5508 802.1x Part 2

I'm also getting this error message on my WLC.

AAA Authentication Failure for UserName:tylerp User Type: WLAN USER

Sorry, I meant to add that in my previous post.

Wireless 5508 802.1x Part 2

Hi John,

Did you add the radius server to the WLC and the WLAN itself with the shared secret, and did you add the WLC to the radius server?

Also on the monitor screen of the WLC hit statistic and then radius ... post a pix of what you see there...

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________

Wireless 5508 802.1x Part 2

you can also run a debug client < mac address>

this will show you the interaction between the WLC and the AAA server.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


Wireless 5508 802.1x Part 2

Yeah I added the radius server to the WLC and the WLAN. I also included the shared secret. I'll post a pic when I try to authenticate via 802.1x George, you'll just have to give me a few minutes. Stephen, would the mac address be of the client or the WLC?

Wireless 5508 802.1x Part 2

yes, the mac address of the wireless NIC you are testing with

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered

Wireless 5508 802.1x Part 2

Also, what EAP are you using by chance ...

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________

Wireless 5508 802.1x Part 2

Well on the client I'm using PEAP. I'm really not sure how to see on the WLC.

Here is a picture of the monitor.

Wireless 5508 802.1x Part 2

(Cisco Controller) >debug client 001B77859E46

(Cisco Controller) >*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Sent Deauthenticate to mobile on BSSID b4:a4:e3:1e:3a:80 slot 1(caller 1x_auth_pae.c:2901)
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 6) in 10 seconds
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Disconnected state
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Not sending EAP-Failure for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Association received from mobile on AP b4:a4:e3:1e:3a:80
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying site-specific IPv6 override for station 00:1b:77:85:9e:46 - vapId 1, site 'Sadowski', interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Applying IPv6 Interface Policy for station 00:1b:77:85:9e:46 - vlan 245, interface id 12, interface 'demsecureinternal'
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Processing RSN IE type 48, length 22 for mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Received RSN IE with 0 PMKIDs from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Deleted mobile LWAPP rule on AP [b4:a4:e3:1e:3a:80]
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 Updated location for station old AP b4:a4:e3:1e:3a:80-1, new AP b4:a4:e3:1e:3a:80-0
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Initializing policy
*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Change state to AUTHCHECK (2) last state 8021X_REQD (3)

*Dec 16 16:53:48.890: 00:1b:77:85:9e:46 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:a4:e3:1e:3a:80 vapId 1 apVapId 1
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated

*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Stopping deletion of Mobile Station: (callerId: 48)
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 Sending Assoc Response to station on BSSID b4:a4:e3:1e:3a:80 (status 0) Vap Id 1 Slot 0
*Dec 16 16:53:48.891: 00:1b:77:85:9e:46 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated

*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Station 00:1b:77:85:9e:46 setting dot1x reauth timeout = 1800
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.893: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Received EAPOL START from mobile 00:1b:77:85:9e:46
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 16:53:48.896: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 2)
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state

There you go Stephen....

Wireless 5508 802.1x Part 2

Looks like your supplicant isn't responding

*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)

*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46

*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________

Wireless 5508 802.1x Part 2

Ok, so I keep seeing the 'Sending Identity request to mobile message'

So it looks like the pc isn't responding.  So a couple of questions.

1.) the username you are using, is it the one you logged into the machine with?

2.) can you test with credentials you are able to login to the machine with?

If you are using WZC, the native windows supplicant, it tends to send the username/password combo you used to login to the machine, even when you tell it not to.  With IntelProset, you are able to set the username that the supplicant sends to the AAA.

You may also want to take a look at my doc on the EAP timers.

https://supportforums.cisco.com/docs/DOC-12110

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

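As an added example (not from this thread, and not Cisco code), a small Python triage script that reads WLC "debug client" lines like the ones posted above and reports what Steve checked by eye: whether the supplicant ever answered the EAP-Request/Identity, whether the WLC got an Access-Challenge back from AAA, and which EAP types the client sent. The sample lines are excerpted from the thread's own debug output; the EAP type names and the verdict wording are my own assumptions, not WLC output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines excerpted from the "debug client" output in
# this thread, two separate attempts by the same client (00:1b:77:85:9e:46).
ATTEMPT_NO_SUPPLICANT = """\
*Dec 16 16:53:18.646: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 802.1x 'txWhen' Timer expired for station 00:1b:77:85:9e:46
*Dec 16 16:53:48.646: 00:1b:77:85:9e:46 Reached Max EAP-Identity Request retries (3) for STA 00:1b:77:85:9e:46
*Dec 16 16:53:48.647: 00:1b:77:85:9e:46 Sent Deauthenticate to mobile on BSSID b4:a4:e3:1e:3a:80 slot 1(caller 1x_auth_pae.c:2901)
"""

ATTEMPT_BACKEND = """\
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Username entry (tylerp) created for mobile
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Received Identity Response (count=1) from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 69, EAP Type 3)
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 70, EAP Type 25)
"""

# IANA EAP method type codes (assumed mapping, written here for readability).
# Type 3 is a Nak: the client declined the method the server offered first and
# proposed its own, which is why a server log can show a method the client
# never had configured before it settles on PEAP (25).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

LINE_RE = re.compile(r"^\*(?P<ts>\w{3} \d+ [\d:.]+): (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) (?P<msg>.*)$")
TYPE_RE = re.compile(r"EAP Type (\d+)")
USER_RE = re.compile(r"Username entry \((\S+)\) created")


@dataclass
class Dot1xSummary:
    mac: str = ""
    username: str = ""
    identity_requests: int = 0
    identity_responses: int = 0
    access_challenges: int = 0
    eap_methods: list = field(default_factory=list)
    verdict: str = ""


def summarize(debug_text: str) -> Dot1xSummary:
    """Walk the debug lines for one client and classify where 802.1x stalled."""
    s = Dot1xSummary()
    hit_max_retries = False
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip prompt echoes and non-debug lines
        s.mac = m.group("mac")
        msg = m.group("msg")
        if "Sending EAP-Request/Identity" in msg:
            s.identity_requests += 1
        elif "Received Identity Response" in msg:
            s.identity_responses += 1
        elif "Processing Access-Challenge" in msg:
            s.access_challenges += 1
        elif "Reached Max EAP-Identity Request retries" in msg:
            hit_max_retries = True
        if (u := USER_RE.search(msg)):
            s.username = u.group(1)
        if (t := TYPE_RE.search(msg)):
            code = int(t.group(1))
            s.eap_methods.append(EAP_TYPES.get(code, f"type {code}"))
    # Verdicts are heuristics (assumption), ordered from the client outward.
    if hit_max_retries or (s.identity_requests and not s.identity_responses):
        s.verdict = "supplicant not responding: check the client supplicant settings"
    elif s.identity_responses and not s.access_challenges:
        s.verdict = "identity reached WLC but nothing came back from AAA: check RADIUS reachability and shared secret"
    elif s.access_challenges:
        s.verdict = "backend authentication in progress: the outcome is decided on the AAA server, check its logs"
    else:
        s.verdict = "no 802.1x activity found"
    return s
```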

Wireless 5508 802.1x Part 2

Thanks for all the help guys. I'm using the default wireless client for XP Stephen. I noticed in the Wireshark logs, Stephen, that I sent the name of the user I logged on to as the user/pass credentials. It only did that though when I left the settings as default, which take the login/pass that you logged on with as credentials; when I choose to let the user provide the information, that's when I stopped seeing EAP-Response messages in my Wireshark log. I'll give it a try with the IntelProset.

Wireless 5508 802.1x Part 2

AAA Authentication Failure for UserName:tylerp User Type: WLAN USER

I'm still getting the following error message even if I use the Intel Pro Wireless configuration utility.

Here is the updated debug from the WLC

-----------------------------------------------------------

isco Controller) >*Dec 16 16:54:18.847: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 3)
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 Adding mobile on LWAPP AP 08:1f:f3:e1:bb:40(0)
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 23) in 5 seconds
*Dec 16 21:02:20.050: 00:1b:77:85:9e:46 apfProcessProbeReq (apf_80211.c:4722) Changing state for mobile 00:1b:77:85:9e:46 on AP 08:1f:f3:e1:bb:40 from Idle to Probe

*Dec 16 21:02:20.053: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.077: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.077: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.081: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.105: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.108: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.133: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.134: 00:1b:77:85:9e:46 Scheduling deletion of Mobile Station:  (callerId: 24) in 5 seconds
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Association received from mobile on AP b4:a4:e3:1e:3a:80
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Applying site-specific IPv6 override for station 00:1b:77:85:9e:46 - vapId 1, site 'Sadowski', interface 'demsecureinternal'
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Applying IPv6 Interface Policy for station 00:1b:77:85:9e:46 - vlan 245, interface id 12, interface 'demsecureinternal'
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Processing RSN IE type 48, length 22 for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Received RSN IE with 0 PMKIDs from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [08:1f:f3:e1:bb:40]
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Updated location for station old AP 08:1f:f3:e1:bb:40-0, new AP b4:a4:e3:1e:3a:80-1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Initializing policy
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)

*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 AUTHCHECK (2) Change state to 8021X_REQD (3) last state 8021X_REQD (3)

*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 0.0.0.0 8021X_REQD (3) Plumbed mobile LWAPP rule on AP b4:a4:e3:1e:3a:80 vapId 1 apVapId 1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 apfPemAddUser2 (apf_policy.c:213) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Probe to Associated

*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Stopping deletion of Mobile Station: (callerId: 48)
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 Sending Assoc Response to station on BSSID b4:a4:e3:1e:3a:80 (status 0) Vap Id 1 Slot 1
*Dec 16 21:02:20.164: 00:1b:77:85:9e:46 apfProcessAssocReq (apf_80211.c:4389) Changing state for mobile 00:1b:77:85:9e:46 on AP b4:a4:e3:1e:3a:80 from Associated to Associated

*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 Station 00:1b:77:85:9e:46 setting dot1x reauth timeout = 1800
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Connecting state
*Dec 16 21:02:20.166: 00:1b:77:85:9e:46 Sending EAP-Request/Identity to mobile 00:1b:77:85:9e:46 (EAP Id 1)
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Username entry (tylerp) created for mobile
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Received Identity Response (count=1) from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 EAP State update from Connecting to Authenticating for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 dot1x - moving mobile 00:1b:77:85:9e:46 into Authenticating state
*Dec 16 21:02:22.041: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=69) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 WARNING: updated EAP-Identifer 1 ===> 69 for STA 00:1b:77:85:9e:46
*Dec 16 21:02:22.043: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 69)
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 69, EAP Type 3)
*Dec 16 21:02:22.044: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=70) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.045: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 70)
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 70, EAP Type 25)
*Dec 16 21:02:22.196: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=71) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.198: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 71)
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 71, EAP Type 25)
*Dec 16 21:02:22.200: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=72) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.203: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 72)
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 72, EAP Type 25)
*Dec 16 21:02:22.214: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=73) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.215: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP Id 73)
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Received EAPOL EAPPKT from mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Received EAP Response from mobile 00:1b:77:85:9e:46 (EAP Id 73, EAP Type 25)
*Dec 16 21:02:22.217: 00:1b:77:85:9e:46 Entering Backend Auth Response state for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Processing Access-Challenge for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Entering Backend Auth Req state (id=74) for mobile 00:1b:77:85:9e:46
*Dec 16 21:02:22.218: 00:1b:77:85:9e:46 Sending EAP Request from AAA to mobile 00:1b:77:85:9e:46 (EAP

Wireless 5508 802.1x Part 2

It looks like the 802.1x is at least progressing: "Entering Backend Auth Req state"

What does the AAA server say in the logs?

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered

Wireless 5508 802.1x Part 2

Yeah, I'm assuming that means it's getting the response from the supplicant and starting to then ask the radius server, which is Cisco ACS. Stephen, I have to go to work tomorrow for a little bit in the morning to take down some switches, I'm going to check out the ACS server while I'm in. Hopefully I can get you an answer tomorrow, if not Monday morning for sure. Thanks again for all the help, both of you.

Wireless 5508 802.1x Part 2

According to the logs I got the following error message

-------------------------------------------------------------------------------

Authentication Failure Code Lookup

Description -> Selected Identity Source is DenyAccess

Resolution Steps -> Select a different Identity Source

Authentication Method - PEAP (EAP-MSCHAPv2)

ACS Username - tylerp

Radius Username - tylerp

Hall of Fame Super Silver

Wireless 5508 802.1x Part 2

John,

I noticed under your ACS Wireless Internal Access Policy, you have multiple items checked.  You should only check MSCHAPv2 and PEAP.  Also, if you are using user group, how is the Access Policy for Default Network Access?

Can you post a screen shot of both the default network access and the wireless internal.  I would like to see all the tabs for both including your policy.  Also can you screen shot the failed attempt in the monitor Authentication Radius Today.

-Scott
*** Please rate helpful posts ***

Wireless 5508 802.1x Part 2

I will on Monday Scott. Thanks for the help.

Hall of Fame Super Silver

Wireless 5508 802.1x Part 2

No problem... what you can do on Monday is also test using local EAP on the WLC and see if that works.  At least that eliminates your client to the WLC, and then most likely it's something configured on your ACS.

-Scott
*** Please rate helpful posts ***

Re: Wireless 5508 802.1x Part 2

Looking at that error, look at the ACS config. If it's set to look at the database, make sure that user has the grant dial-in permission allowed in AD.

Sent from Cisco Technical Support iPad App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered

Hall of Fame Super Silver

Wireless 5508 802.1x Part 2

Your SecureWireless Access Service is disabled.  You need to create a new Service Selection Rule and point that to SecureWireless.  I would then use a rule based selection for your SecureWireless and choose your NDG or the NAS IP Address of your WLC, and use your Deminternal for your Identity Source.

-Scott
*** Please rate helpful posts ***

Wireless 5508 802.1x Part 2

Thanks Scott, I'll try that out in a little bit and see how it goes. The other thing is, now that I have changed a few things and enabled the SecureWireless Access Service, it's asking for a certificate while trying to connect.

Hall of Fame Super Silver

Re: Wireless 5508 802.1x Part 2

The client is asking? Or the client (iPhone, iPad) is asking to validate the certificate.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Re: Wireless 5508 802.1x Part 2

Just to clarify... It's a long thread:)

You are using wpa2/aes with PEAP MSChapv2 for authentication.

Did you install a 3rd party certificate or create a self signed certificate in ACS for 802.1x authentication?

The clients are configured for wpa2/aes PEAP.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Wireless 5508 802.1x Part 2

I did not install a 3rd party certificate, I have also not created a self signed certificate in ACS for 802.1x authentication. I do know where to do that and after researching how PEAP works, it seems as if it uses a certificate to secure authentication, is this correct?

Hall of Fame Super Silver

Re: Wireless 5508 802.1x Part 2

Yes that is correct. You need a server side certificate for PEAP.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Wireless 5508 802.1x Part 2

How do you get the client to trust the Cisco CA on the Cisco ACS itself. Considering I just created a self-signed certificate, I want the client to trust the CA on the Cisco ACS, do you have any idea how to do that? I've been trying to research just haven't found anything concrete yet.

Wireless 5508 802.1x Part 2

You would need to export the certificate from the ACS, then you could push the cert via a GPO.

To test though, you can uncheck the box in the supplicant that says "Validate Server Certificate" and see if you are able to gain access.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


Wireless 5508 802.1x Part 2

I'm not sure why it says EAP-TLS, I haven't configured TLS anywhere..
