PEAP authentication failed for wireless users
06-02-2014 02:46 AM - edited 03-10-2019 09:45 PM
Dears
Hello
I'm receiving this error when I'm trying to authenticate wireless users using PEAP MSCHAPv2. Can anyone please support me?
Thanks
Labels: AAA

06-02-2014 03:24 AM
Please check the old conversation on the same issue
supportforums.cisco.com/discussion/11428016/ssid-authentication-acs-5
06-02-2014 06:30 AM
Dear Mohanak
Hi
I can see we have different issues; that gentleman has a different issue, I guess. Let me explain in detail. I'm doing only simple authentication, as follows:
1- I have added all devices by using an IP range with subnet mask, using TACACS and RADIUS. I couldn't add the particular WLC IP addresses with RADIUS only, because ACS doesn't accept overlapping.
2- I configured one user and selected the simple Network Access Authorization profile "Permit all".
3- I configured the Access Service RADIUS.
I got this error and I didn't understand what the root cause is.
06-02-2014 06:32 AM
Please note my WLC is Aruba.
06-02-2014 09:27 AM
Well, that is the problem: you need to replace Aruba with Cisco :)
Can you click on the magnifying glass under the details column and post the screen shot from the new window with all of the details on the failure?
06-02-2014 10:00 AM
It is the customer's choice. Please find the attached file.
06-02-2014 10:07 AM
I was joking about that :)
A couple more questions:
1. Can you post a screen shot of the "Service Selection Rules"?
2. Post a screen shot of the "Identity" under "Wireless-Users".
3. Confirm that the wireless users are not hitting the "Device-Admin" rule that you have listed above
4. If you can post all of the details of the failed authentication. You are getting "access-reject" for some reason so you are not hitting the rule that you are trying to hit.
06-02-2014 10:50 AM
Dear Neno :) Thanks for your support.
You are absolutely right: I'm not hitting the access rule, even though I configured it to match the wireless user group. I notice the device admins are not hitting the rule, but since I enabled RADIUS for device management as well, I can see many logs from them as failed also as RADIUS.
06-02-2014 10:55 AM
This is for the user as well.
06-02-2014 11:11 AM
It is probably a good idea to keep Device Management under TACACS+ and wireless access under RADIUS. From the "acs-access-service01.jpg" screenshot we can see that your wireless rule is getting zero hits, which again indicates that your wireless clients are hitting the default rule, which is probably "deny access". The ACS rules look OK from the screen shots, so the issue could be on the wireless side.
Can you:
1. Provide better/full capture from "acs-issue1_0.jpg" ? I need to see all steps and details
2. Confirm the wireless settings. More specifically that Radius/802.1x is configured
06-02-2014 11:30 AM
Dear Neno
The customer has sent me this in Aruba:
aaa authentication dot1x "dot1xProfile"
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
aaa authentication-server radius "SERVER"
   host x.x.x.x
   key xxxx
   nas-ip x.x.x.x
aaa server-group "RADIUS-GROUP"
   auth-server "SERVER"
aaa profile "KSAU-JED-AAA-Profile"
   authentication-dot1x "dot1xProfile"
   dot1x-server-group "RADIUS-GROUP"
wlan virtual-ap "SSID-NAME"
   aaa-profile "KSAU-JED-AAA-Profile"
   ssid-profile "SSID-NAME"
   vlan <VLAN ID>
06-02-2014 02:26 PM
Everything looks good (with my limited knowledge of Aruba). Unfortunately, I won't be much help here without getting my hands on the network :(
Perhaps someone else can come and chime in.
06-03-2014 02:13 AM
Dears
FYI, I solved the issue today. Basically, the issue was that Cisco ACS doesn't have the Aruba controllers' dictionary by default. For a vendor-specific dictionary, you need to download it from the vendor site and write down the values into the ACS dictionary fields.
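The resolution in the post above concerns RADIUS vendor-specific attributes (attribute 26, RFC 2865). As an added example, not from the thread and not Cisco or Aruba code, this decoder shows how the same attribute bytes look to a server with and without a vendor dictionary loaded. The vendor ID 14823 and the two attribute numbers are assumptions taken from the publicly distributed Aruba dictionary and should be checked against the vendor's file; the sample packet is constructed.

```python
import struct

ARUBA = 14823  # assumed: Aruba's IANA enterprise number, verify against the vendor file
STANDARD = {1: "User-Name", 4: "NAS-IP-Address", 26: "Vendor-Specific"}  # RFC 2865
ARUBA_DICT = {ARUBA: {1: "Aruba-User-Role", 5: "Aruba-Essid-Name"}}  # assumed entries

def _tlvs(buf):
    """Yield (type, value) from a run of 1-byte type / 1-byte length TLVs."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, buf[pos + 2:pos + alen]
        pos += alen

def decode(attrs, vendor_dicts):
    """Decode RADIUS attributes; VSAs are named only if the vendor is loaded."""
    out = []
    for atype, value in _tlvs(attrs):
        if atype != 26:
            out.append((STANDARD.get(atype, f"Attr-{atype}"), value))
            continue
        if len(value) < 4:
            raise ValueError("Vendor-Specific shorter than Vendor-Id")
        (vendor,) = struct.unpack("!I", value[:4])
        names = vendor_dicts.get(vendor)
        if names is None:
            # No dictionary: the payload stays opaque, so a rule cannot name it.
            out.append((f"Unknown-VSA-{vendor}", value[4:]))
            continue
        for vtype, vval in _tlvs(value[4:]):
            out.append((names.get(vtype, f"Vendor-{vendor}-Attr-{vtype}"), vval))
    return out

def tlv(t, v):
    """Build one type/length/value attribute."""
    return bytes([t, len(v) + 2]) + v

# Constructed sample: attribute section of an Access-Request (not from the thread).
SAMPLE = (tlv(1, b"alice") + tlv(4, bytes([192, 0, 2, 10]))
          + tlv(26, struct.pack("!I", ARUBA) + tlv(5, b"SSID-NAME")))

if __name__ == "__main__":
    print(decode(SAMPLE, {}))          # VSA left undecoded
    print(decode(SAMPLE, ARUBA_DICT))  # VSA decoded by name
```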
06-03-2014 02:25 AM
06-03-2014 12:56 PM
Thanks Neno. By the way, how do I mark this thread as answered? Sorry, I'm not so familiar with these tools :)
