12-02-2003 03:00 PM - edited 03-10-2019 07:35 AM
I have an AP1200 with 12.0(2) T1 image. It is configured to authenticate using EAP. The client used is Cisco ACU version 6.2 on Windows 2000. The RADIUS server used is Cisco ACS 3.2, configured to use Active Directory as the external database. LEAP is working fine in this configuration. However, PEAP is not working.
The Root Certificate is installed in both ACS server and the client. A server certificate is also installed in ACS server. When the client is configured to use PEAP using username and password, the following message pops up on the client machine.
"PEAP failed initialization, status = -16 error code = -2146885628. Please make sure that PEAP is installed correctly and Trusted Root Certificate Authority certificate is installed correctly."
The debug messages seen in the AP are as follows:
"RADIUS: Sending EAP-Request/Identity(id=29) packet to client WLCLIENT
00b517b0: 01 00 00 34 01 1d * ..4..*
00b517c0: 00 34 01 00 6e 65 74 77 6f 72 6b 69 64 3d 63 6f *.4..networkid=co*
00b517d0: 72 6c 69 61 6e 74 2c 6e 61 73 69 64 3d 63 6f 72 *rliant,nasid=cor*
00b517e0: 6c 69 61 6e 74 31 32 30 30 2c 70 6f 72 74 69 64 *liant1200,portid*
00b517f0: 3d 30 *=0..............*
EAP: Received EAP-Response/Identity(id=29) packet from client WLCLIENT
00b4b1a0: 01 00 * .*
00b4b1b0: 00 16 02 1d 00 16 01 50 45 41 50 2d 30 30 30 42 *.......PEAP-000B*
00b4b1c0: 42 45 35 33 35 39 43 43 *BE5359CC........*
EAP: Forwarding packet to RADIUS server
0088d550: 01 59 00 d4 a4 c0 6a d1 * Y....j.*
0088d560: 54 e6 52 be fd 80 42 68 e1 f1 24 7e 01 13 50 45 *T.R...Bh..$~..PE*
0088d570: 41 50 2d 30 30 30 42 42 45 35 33 35 39 43 43 1a *AP-000BBE5359CC.*
0088d580: 15 00 00 00 09 01 0f 73 73 69 64 3d 63 6f 72 6c *.......ssid=corl*
0088d590: 69 61 6e 74 04 06 0a 01 01 82 1e 0e 30 30 30 62 *iant........000b*
0088d5a0: 66 64 36 33 61 65 36 34 1f 0e 30 30 30 62 62 65 *fd63ae64..000bbe*
0088d5b0: 35 33 35 39 63 63 20 0e 63 6f 72 6c 69 61 6e 74 *5359cc .corliant*
0088d5c0: 31 32 30 30 05 06 00 00 00 25 0c 06 00 00 05 78 *1200.....%.....x*
0088d5d0: 18 26 43 49 53 43 4f 2d 45 41 50 2d 43 48 41 4c *.&CISCO-EAP-CHAL*
0088d5e0: 4c 45 4e 47 45 3d 30 2e 66 66 66 66 66 66 66 66 *LENGE=0.ffffffff*
0088d5f0: 2e 31 36 62 2e 31 3d 06 00 00 00 13 06 06 00 00 *.16b.1=.........*
0088d600: 00 08 4f 18 02 1d 00 16 01 50 45 41 50 2d 30 30 *..O......PEAP-00*
0088d610: 30 42 42 45 35 33 35 39 43 43 50 12 49 08 3d be *0BBE5359CCP.I.=.*
0088d620: c1 6e c2 f2 e3 8a 1d 73 c8 22 23 a5 *.n.....s."#.....*
RADIUS: Received packet for client WLCLIENT
0088ed30: 0b 59 00 49 78 ca d5 c9 * Y.Ix...*
0088ed40: 0b a7 90 5e 43 10 5f a8 26 d9 5d eb 4f 23 01 0e *...^C._.&.].O#..*
0088ed50: 00 21 11 01 00 08 75 86 dc 13 20 7b cc 21 50 45 *.!....u... {.!PE*
0088ed60: 41 50 2d 30 30 30 42 42 45 35 33 35 39 43 43 50 *AP-000BBE5359CCP*
0088ed70: 12 76 88 bc 9a 3f 9a 5e 60 b9 c5 ca e1 bf 7a 2e *.v...?.^`.....z.*
0088ed80: 7c *|...............*
RADIUS: Received Challenge Request
RADIUS: Sending EAP-Request/EAP-LEAP(id=14) packet to client WLCLIENT
00b517b0: 01 00 00 21 01 0e * ..!..*
00b517c0: 00 21 11 01 00 08 75 86 dc 13 20 7b cc 21 50 45 *.!....u... {.!PE*
00b517d0: 41 50 2d 30 30 30 42 42 45 35 33 35 39 43 43 *AP-000BBE5359CC.*
EAP: Received EAP-Response/Nak(id=14) packet from client WLCLIENT
00b599b0: 01 00 00 06 02 0e 00 06 03 19 * .........*
EAP: Forwarding packet to RADIUS server
0088d550: 01 5a 00 9e 4a 8f 5c f8 * Z..J.\.*
0088d560: 1b 10 92 f1 d9 2a 52 9b 24 e6 31 39 01 13 50 45 *.....*R.$.19..PE*
0088d570: 41 50 2d 30 30 30 42 42 45 35 33 35 39 43 43 1a *AP-000BBE5359CC.*
0088d580: 15 00 00 00 09 01 0f 73 73 69 64 3d 63 6f 72 6c *.......ssid=corl*
0088d590: 69 61 6e 74 04 06 0a 01 01 82 1e 0e 30 30 30 62 *iant........000b*
0088d5a0: 66 64 36 33 61 65 36 34 1f 0e 30 30 30 62 62 65 *fd63ae64..000bbe*
0088d5b0: 35 33 35 39 63 63 20 0e 63 6f 72 6c 69 61 6e 74 *5359cc .corliant*
0088d5c0: 31 32 30 30 05 06 00 00 00 25 0c 06 00 00 05 78 *1200.....%.....x*
0088d5d0: 3d 06 00 00 00 13 06 06 00 00 00 08 4f 08 02 0e *=...........O...*
0088d5e0: 00 06 03 19 50 12 78 85 71 f8 23 2a 78 be 42 4a *....P.x.q.#*x.BJ*
0088d5f0: 8d 26 8b c7 17 1e *.&..............*
RADIUS: Received packet for client WLCLIENT
0088ed30: 0b 5a 00 54 7e 67 d4 84 * Z.T~g..*
0088ed40: 90 50 11 35 16 4f b2 2d 67 98 ef e3 4f 08 01 7e *.P.5.O.-g...O..~*
0088ed50: 00 06 19 21 18 26 43 49 53 43 4f 2d 45 41 50 2d *...!.&CISCO-EAP-*
0088ed60: 43 48 41 4c 4c 45 4e 47 45 3d 30 2e 66 66 66 66 *CHALLENGE=0.ffff*
0088ed70: 66 66 66 66 2e 31 36 65 2e 31 50 12 88 9e 7f f5 *ffff.16e.1P.....*
0088ed80: 26 5b 60 bd f5 c5 f2 49 84 8d 3c 2e *&[`....I..<.....*
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Sending EAP-Request/EAP-PEAP(id=126) packet to client WLCLIENT
00b517b0: 01 00 00 06 01 7e * ....~*
00b517c0: 00 06 19 21 "
Does anyone have a clue as to what is happening here? Any help would be welcome.
Regards
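The EAPOL frames in the trace above that follow the identity request can be decoded field by field. The sketch below does that; it is an added example, not part of the original posts. The frame bytes are copied from the hex column of the trace, and the function names are illustrative.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 17: "LEAP", 25: "PEAP"}

# EAPOL frames copied from the AP debug trace above (hex column only).
FRAMES = [
    "01 00 00 16 02 1d 00 16 01 50 45 41 50 2d 30 30 30 42 42 45 35 33 35 39 43 43",
    "01 00 00 21 01 0e 00 21 11 01 00 08 75 86 dc 13 20 7b cc 21"
    " 50 45 41 50 2d 30 30 30 42 42 45 35 33 35 39 43 43",
    "01 00 00 06 02 0e 00 06 03 19",
    "01 00 00 06 01 7e 00 06 19 21",
]

def decode(hexstr):
    raw = bytes.fromhex(hexstr)
    # 802.1X header: version, packet type (0 = EAP-Packet), body length
    _ver, ptype, blen = struct.unpack("!BBH", raw[:4])
    if ptype != 0 or blen != len(raw) - 4:
        raise ValueError("not a complete EAPOL EAP-Packet frame")
    # EAP header: code, identifier, length (covers the EAP header itself)
    code, ident, elen = struct.unpack("!BBH", raw[4:8])
    if elen != blen or elen < 5:
        raise ValueError("EAP length mismatch")
    etype, data = raw[8], raw[9:4 + elen]
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "type": EAP_TYPES.get(etype, etype)}
    if etype == 1:                       # Identity: the name the client sent
        out["identity"] = data.decode("ascii", "replace")
    elif etype == 3:                     # Nak: methods the client wants instead
        out["wants"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype == 17:                    # LEAP: version, unused, len, challenge, name
        n = data[2]
        out["challenge"] = data[3:3 + n].hex()
        out["user"] = data[3 + n:].decode("ascii", "replace")
    elif etype == 25:                    # PEAP: flags byte, S bit and version
        out["start"] = bool(data[0] & 0x20)
        out["peap_version"] = data[0] & 0x07
    return out

def summarize():
    return [decode(f) for f in FRAMES]

if __name__ == "__main__":
    for pkt in summarize():
        print(pkt)
```

Decoded, the trace shows the server first offering LEAP (type 17), the client answering with a Nak that asks for type 25 (PEAP), and the server then sending a PEAP Start with version 1, which is where the trace ends.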
12-08-2003 11:07 AM
Check the following details, one of which could be the reason:
1. Certificate corruption
2. No root CA certificate installed on client and "Validate Server Certificate" is enabled on client.
Also, if ACS is installed on a member server, you want to make sure that a local user on the member server has the proper rights and permissions.
12-08-2003 04:27 PM
I did reinstall the Certificate many times, but it is working only with native Windows XP SP1 client and not with Windows 2000 or Cisco ACU.
The ACS permissions were checked and found to be in order.