
EAP and RADIUS continuous re-authentication

andy-gerace
Level 1

I have an environment with three (3) Aironet 1200 APs, Cisco 7920 wireless phones (about 12 of them) and about 100 notebooks (IBM T30s, T40s and T42s). I have ACS 3.2 with RADIUS set up to allow EAP authentication. The phones only support LEAP, most of the notebooks support LEAP, some of the notebooks only support PEAP. The majority of the phones will authenticate when powered on and stay authenticated for the day - until that cycle is repeated. There are a couple of phones (all phones are in the same physical area) that will show re-authentication all day long. If I look at the ACS Passed Authentication logs, there will be 60 or so authentications from the phones.

The computers seem to do the same thing with the PEAP authentication. The wireless cards are Intel Pro 2100 wireless cards and according to Intel, I have all of the latest drivers/firmware, etc. I have one machine with a Cisco wireless card and it works with PEAP for as long as I have it connected. The others just drop and pick up the connection over and over again.

AP info:

System Software Version: IOS (tm) C1200 Software (C1200-K9W7-M)

Product/Model Number: AIR-AP1230B-A-K9

System Software Filename: c1200-k9w7-tar.122-13.JA3

System Software Version: 12.2(13)JA3

Bootloader Version: 12.2(8)JA

Just to eliminate some of the obvious - I have turned off 2 of the 3 APs in the building to make sure it wasn't some sort of interference from the other APs and the connections still dropped and re-authenticated. Any ideas??? Thanks.

10 Replies

thomas.chen
Level 6

The document Configuring Aironet with CiscoSecure NT has more information on configuring EAP, PEAP for Aironet with ACS.

http://www.cisco.com/en/US/products/hw/wireless/ps458/products_white_paper09186a00800b3d27.shtml

I have seen that document. I have it set up, and it does work...most of the time. It's just that - for example on the Intel Pro wireless, with LEAP the ACS reports show that I have authenticated 8 times in the past 15 minutes. Every time it authenticates, the connection is dropped. So if a user is downloading a large file and the computer re-authenticates, the download is stopped.

Any other ideas?

I also have the problem of constant "Re-key" and "Authen OK" for my wireless clients. It does not happen to all of the clients. I have my key rotation and session-timeout set for a specified time and still the clients are re-keyed and re-authenticated every 2 or 3 minutes.

I'm using AP 1200 with G radios, Cisco G clients configured for LEAP and MAC authentication with ACS 3.3.

What's really bad is that the clients are located in surgery suites so it's critical that service is not interrupted.

Any ideas?????

I was able to get the PCs to authenticate only one time and stay authenticated with the new version of code: 12.3(4)JA.

The problem now is that the "local" certificate that I had set up doesn't seem to be working. I am wanting to use a CA that is on a Windows 2003 server, but the documents that I have about Cert setup are all written for 2000 server. It appears to be a bit different. Can anybody point me in the right direction for certificate setup for Server 2003? Thanks.

I couldn't get my Windows 2003 certs to work either. I just let the ACS issue its own cert and it's worked fine ever since.

Can you share your solution on how to fix the PCs' authentication? I have the same problem as yours.

This guideline is for CA on 2003, not sure if it is the one you are looking for.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/3739848a-6a56-4984-a403-8e2f16314eb8.mspx

Thanks

To solve the problem:

I installed the latest version of software for the access points. This seemed to solve the disconnect problem. I had wanted to use a "Root CA" for the PEAP cert, but could not get that to work on the Server 2003 that is our root CA. The server that runs ACS is a Windows 2000 box, so I just set up a local cert on the 2000 box for PEAP. It has been working fine ever since. I have even upgraded all APs to 802.11g and didn't experience any problems. The version of code that I am using on the APs is:

System Software Filename: c1200-k9w7-tar.123-4.JA

System Software Version: 12.3(4)JA

Bootloader Version: 12.2(8)JA

I hope that helps. Oh - another thing is that I updated all of the drivers for the wireless NICs, but I am not sure if that has anything to do with it or not. It could very well just be coincidental...

Oh - another thing - I DISABLED "Fast Reconnect" on ACS - that seemed to take care of the phone bit.

For the phones I also updated to the latest firmware - CMTERM_7920.4.0-01-09

Thanks for the reply. What wireless card version do you use? I am using Intel Pro/wireless 2200BG ver 9.0.1.9. How do you turn off Fast Reconnect on ACS?

Thanks Andy

Wireless cards are Intel Pro/Wireless 2100. I don't know the version off the top of my head, and I have a different computer now.

To disable PEAP fast reconnect on ACS:

System Configuration -> Global Authentication Setup -> Then under PEAP there is a checkbox to "Enable Fast Reconnect" - I have that UN-checked.

Also, on the APs I have heard that "Aironet Extensions" should be disabled. Mine were that way all along, but apparently others have said that to be the root of their problems.

On AP: Network Interfaces -> your wireless radio -> then about 3/4 of the way down is Aironet Extensions - I have mine set to disabled.

I hope this helps! I know that I was so frustrated when it wouldn't work I was ready to stick with WEP alone and call it good...
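
Added example (not part of any post in this thread): one way to pick out the clients that are re-authenticating abnormally often, using the "8 times in the past 15 minutes" figure from the thread as the default threshold. The CSV column names and the sample rows are constructed for illustration and are assumptions, not a verified ACS Passed Authentications export format.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample rows. The column layout is an assumption for this example,
# not a verified ACS export format; adjust the field names to your CSV.
SAMPLE_LOG = """Date,Time,User-Name,Caller-ID,NAS-IP-Address
03/01/2005,08:00:05,phone01,0011.2233.4401,192.0.2.10
03/01/2005,08:01:10,laptop07,0011.2233.5507,192.0.2.10
03/01/2005,08:02:01,phone01,0011.2233.4401,192.0.2.10
03/01/2005,08:03:58,phone01,0011.2233.4401,192.0.2.10
03/01/2005,08:06:02,phone01,0011.2233.4401,192.0.2.10
03/01/2005,08:08:00,phone01,0011.2233.4401,192.0.2.10
03/01/2005,08:10:03,phone01,0011.2233.4401,192.0.2.10
03/01/2005,08:12:01,phone01,0011.2233.4401,192.0.2.10
03/01/2005,08:14:00,phone01,0011.2233.4401,192.0.2.10
03/01/2005,12:30:00,laptop07,0011.2233.5507,192.0.2.10
"""


def find_reauth_bursts(csv_text, window=timedelta(minutes=15), threshold=8):
    """Return {client MAC: peak passed-auth count inside any `window`}
    for every client whose peak reaches `threshold`."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(f"{row['Date']} {row['Time']}", "%m/%d/%Y %H:%M:%S")
        # Key on the client MAC (Caller-ID) so shared usernames do not merge devices.
        events[row["Caller-ID"].strip().lower()].append(ts)

    flagged = {}
    for client, stamps in events.items():
        stamps.sort()
        recent = deque()  # timestamps inside the current sliding window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for mac, peak in find_reauth_bursts(SAMPLE_LOG).items():
        print(f"{mac}: {peak} passed authentications within 15 minutes")
```

Running it before and after a change such as an AP firmware upgrade or disabling PEAP Fast Reconnect shows whether the same clients still appear in the flagged set.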