
Quick TIPS for Troubleshooting PEAP Authentication Failure with ACS 5.1



Introduction

This document provides some quick tips for troubleshooting wireless authentication with ACS.

Configuration


Go to ACS > Monitoring and Reports, and click Launch Monitoring & Report Viewer.


A separate ACS window will open. Click Dashboard.


In the My Favorite Reports section, click Authentications – RADIUS – Today.


A log will show all RADIUS authentications as either Pass or Fail. Within a logged entry, click on the magnifying glass icon in the Details column.


The RADIUS Authentication Detail provides detailed information about the logged attempts.


ACS Service Hit Count can provide an overview of attempts matching the rule(s) created in ACS. Go to ACS > Access Policies > Access Services, and click Service Selection Rules.


Quick TIPS for Troubleshooting PEAP Authentication Failures with ACS Server

When your client fails PEAP authentication with an ACS server, check whether the "NAS duplicated authentication attempt" error message appears in the Failed attempts option under the Report and Activity menu of the ACS.

You might receive this error message when Microsoft Windows XP SP2 is installed on the client machine and Windows XP SP2 authenticates against a third-party server other than a Microsoft IAS server. In particular, the Cisco RADIUS server (ACS) uses a different method to calculate the Extensible Authentication Protocol Type:Length:Value format (EAP-TLV) ID than the method Windows XP uses. Microsoft has identified this as a defect in the XP SP2 supplicant.

For a hotfix, contact Microsoft and refer to the article "PEAP authentication is not successful when you connect to a third-party RADIUS server". The underlying issue is that on the client side, with the Windows utility, the Fast Reconnect option is disabled for PEAP by default. However, this option is enabled by default on the server side (ACS). In order to resolve this issue, uncheck the Fast Reconnect option on the ACS server (under Global System Options). Alternatively, you can enable the Fast Reconnect option on the client side to resolve the issue.

Perform these steps in order to enable Fast Reconnect on a client that runs Windows XP, using the Windows utility:

  1. Go to Start > Settings > Control Panel.
  2. Double-click the Network Connections icon.
  3. Right-click the Wireless Network Connection icon, and then click Properties.
  4. Click the Wireless Networks tab.
  5. Choose the Use Windows to configure my wireless network settings option in order to enable Windows to configure the client adapter.
  6. If you have already configured an SSID, choose the SSID and click Properties. If not, click New in order to add a new WLAN.
  7. Enter the SSID under the Association tab. Make sure that Network Authentication is Open and Data Encryption is set to WEP.
  8. Click Authentication.
  9. Choose the Enable IEEE 802.1x authentication for this network option.
  10. Choose PEAP as the EAP Type, and click Properties.
  11. Choose the Enable Fast Reconnect option at the bottom of the page.

More Information on Microsoft Hotfix

PEAP authentication is not successful when you connect to a third-party RADIUS server

Version history: Revision 1 of 1. Last update: 10-31-2011 04:25 AM