
New Member

PEAP /MSCHAP V2

Hi All, I have PEAP with MSCHAPV2 set up. My Windows supplicant can authenticate to ACS with or without the Validate certificate tick enabled.

I read that certificates are optional with PEAP and mandatory in EAP-TLS.

Can someone please confirm the above?

Thanks in advance

Hall of Fame Super Red

Re: PEAP /MSCHAP V2

Hi Satish,

Here is a good doc that confirms this (Look at Chart#1);

RADIUS server certificate required:

Cisco LEAP - No

Cisco EAP-FAST - No

Microsoft PEAP/MS-CHAPv2 - Yes

Cisco PEAP (EAP-GTC) - Yes

Microsoft EAP-TLS - Yes

--------------------------------------

Client certificate required:

Cisco LEAP - No

Cisco EAP-FAST - No

Microsoft PEAP/MS-CHAPv2 - No

Cisco PEAP (EAP-GTC) - No

Microsoft EAP-TLS - Yes

---------------------------------------

From this good doc;

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_configuration_guide09186a008046dc81.html

Hope this helps!

Rob

Please remember to rate helpful posts.....

"May your heart always be joyful And may your song always be sung May you stay forever young " - Dylan
New Member

Re: PEAP /MSCHAP V2

This is not entirely correct. PEAP does require a certificate, but on the server side only. The clients do not require a cert. In EAP-TLS, however, the client does need to verify the server cert. You can GOOGLE your question or try Microsoft's TechNet. There is a good article on setting up PEAP from scratch with Win2k3 server, look on TechNet for it. Also, look at the chart found here:

http://www.oreillynet.com/pub/a/wireless/2002/10/17/peap.html -

you will come across the part where you create a server-side cert. You will then be taken through the client config that shows validation of the cert is not required.

Hope that helps.

Scott

New Member

Re: PEAP /MSCHAP V2

Hi Scott, I am with you. I installed a cert on our ACS and that bit is fine. What I don't get is, does the Windows supplicant need a cert installed on the client machine? Because the tick for validate certificate is of no use, as the clients can connect with or without it.

New Member

Re: PEAP /MSCHAP V2

Satish -

You are correct in that the certificate is not needed on the client. Just uncheck the "Validate Server..." part. As for it still not working without validating server, have you checked your RADIUS/IAS logs? Are you seeing any logged attempts? In addition, is your AP set up as a RADIUS client under IAS with correct shared secret? You also need to configure your SSID with the following:

Open with EAP

Network with No Addition

Encryption Mandatory WPA

Then, under the encryption manager, for Cipher select TKIP.

Be sure and also define a default EAP server, which is your RADIUS/IAS server. Make certain your shared secret keys are correct.

You can obtain the following document which walks you through a lot of this stuff on a Win2K3 Server at the following address:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en

Hope this helps.

Regards,

Scott
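
Added example, not part of the thread and not Cisco or Microsoft code: the "Validate server certificate" tick discussed above is stored in the Windows wireless profile, so an exported profile can be audited for it. The Python below assumes the element names of Microsoft's PEAP profile schemas (ServerValidation, TrustedRootCA, ServerNames, PerformServerValidation); the profile fragments, thumbprint and server name are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces of Microsoft's PEAP profile schemas (assumed by this example).
PEAP_V1 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
PEAP_V2 = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"

def make_profile(perform, root_ca, server_names):
    """Build a minimal PEAP <EapType> fragment (constructed data, not a full export)."""
    ca = f"<TrustedRootCA>{root_ca}</TrustedRootCA>" if root_ca else ""
    return (
        f'<EapType xmlns="{PEAP_V1}"><ServerValidation>'
        f"<ServerNames>{server_names}</ServerNames>{ca}</ServerValidation>"
        f'<PeapExtensions><PerformServerValidation xmlns="{PEAP_V2}">'
        f"{perform}</PerformServerValidation></PeapExtensions></EapType>"
    )

# Constructed samples: tick cleared, and tick set with a pinned CA and server name.
UNCHECKED = make_profile("false", "", "")
CHECKED = make_profile(
    "true", "aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd",
    "acs.example.com")

def audit_peap(xml_text):
    """Return findings for one profile; an empty list means the server is validated and pinned."""
    elems = {}
    for el in ET.fromstring(xml_text).iter():
        # Match on local element names so the check ignores namespace prefixes.
        elems.setdefault(el.tag.rsplit("}", 1)[-1], []).append((el.text or "").strip())
    if "ServerValidation" not in elems:
        return ["no PEAP ServerValidation block found"]
    findings = []
    # Assumption: a profile without the V2 extension has not switched validation off.
    if elems.get("PerformServerValidation", ["true"])[0].lower() != "true":
        findings.append("server certificate validation is switched off")
    if not any(elems.get("TrustedRootCA", [])):
        findings.append("no trusted root CA selected")
    if not any(elems.get("ServerNames", [])):
        findings.append("no RADIUS server name restriction")
    return findings

if __name__ == "__main__":
    for label, profile in (("unchecked", UNCHECKED), ("checked", CHECKED)):
        print(label, audit_peap(profile) or "ok")
```

A profile that reports all three findings will complete PEAP against any RADIUS server that presents a certificate, which is why the client in this thread connects either way.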
