Cisco Support Community
Community Member

WPA2 enterprise, cannot authenticate with ACS

Hi, I am setting up WPA2 enterprise for wireless users with PEAP authentication, but cannot get the authentication server to authenticate them, and the failure reason is the generic "EAP-TLS or PEAP authentication failed during SSL handshake".

The AP I am using is a 1240AG running 12.3(8)JA, and the Radius server is ACS 4.0. I don't have any problem getting dot1x with PEAP authentication working for wired access, and I have an almost identical client-side configuration for wired and wireless users.

From ACS's point of view, it should not be aware of any difference between wired and wireless users, but the ACS log shows otherwise:

1) The AP is connected to a Cat4k switch. I suppose the AP should be the authenticator for wireless users, but the ACS "failed attempts" log for the attempted wireless user shows that the NAS IP is the Cat4k instead of the AP. Why?

2) I am using the same laptop for both wireless and wired testing. The ACS "failed attempts" log shows that for the wired user it correctly interpreted the cached domain\login name, but for the failed wireless user the user-name field is totally different, yet debug on the AP clearly shows that the correct domain\login has been received by the AP.

The debug output from the AP is attached; I hope the experts here can quickly identify the problem.

Community Member

Re: WPA2 enterprise, cannot authenticate with ACS

Got it working by adding the radius server configuration under the GUI-generated configuration:

aaa group server radius your-AAA-group-name
 server your-radius-server#1-IPaddress auth-port 1645 acct-port 1646
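As an added illustration (not the poster's configuration), this is what the surrounding autonomous-AP RADIUS/EAP configuration looks like once the server is listed inside the AAA group as the fix above describes. The address 10.0.0.5, the names rad_eap, eap_methods and corp-wpa2, the BVI1 source interface and the shared secret are assumed placeholders, and the commands follow the autonomous IOS syntax of that era.

```cisco
! Added example, not from the original post. 10.0.0.5, rad_eap, eap_methods,
! corp-wpa2, BVI1 and <SHARED-SECRET> are assumed placeholders.
aaa new-model
!
! The fix from the post: the RADIUS server must be a member of the AAA
! server group, otherwise the group has nowhere to forward the EAP exchange.
aaa group server radius rad_eap
 server 10.0.0.5 auth-port 1645 acct-port 1646
!
! Bind the EAP login method list to that group.
aaa authentication login eap_methods group rad_eap
!
! Server definition with the shared secret that ACS has for this AP
! (a mismatched secret also surfaces as a failed attempt in ACS).
radius-server host 10.0.0.5 auth-port 1645 acct-port 1646 key <SHARED-SECRET>
!
! Source RADIUS requests from the BVI so the NAS-IP-Address that ACS logs
! is the AP itself rather than some other address.
ip radius source-interface BVI1
!
! WPA2-Enterprise SSID: open authentication with EAP, WPA version 2 key management.
dot11 ssid corp-wpa2
 authentication open eap eap_methods
 authentication key-management wpa version 2
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid corp-wpa2
```

After applying this, a failed or passed attempt in the ACS log should show the AP's BVI address as the NAS IP, and debug radius authentication on the AP shows the Access-Requests leaving toward 10.0.0.5.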
