cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4668
Views
5
Helpful
15
Replies

PEAP authentication failed for wireless users

Wailess84
Level 1
Level 1

Dears

Hello

 

i'm receiving this error when i'm trying to authenticate wireless users using PEAP MSCHAPv2. can anyone please support me.

 

thanks 

15 Replies 15

mohanak
Cisco Employee
Cisco Employee

Please check the old conversation on the same issue

 

supportforums.cisco.com/discussion/11428016/ssid-authentication-acs-5

Dear Mohanak

hi

i can see we have different issues, that gentleman has different issue i guess. let me explain you in details, that i'm doing only simple authentication.. as following :

1- i have added all devices by using IP range with subnet mask using tacacs and radius.. i couldn't add particular WLC ip addresses with Radius only because ACS doesn't accept overlapping.

2- i configure one user and select simple Network access Authorization profile "Permit all". 

3- i configure Access service Radius 

 

i got this error which i didn't understand what is root cause. 

 

please note my WLC is Aruba 

Well that is the problem you need to replace Arube with Cisco :) 

Can you click on the magnifying glass under the details column and post the screen shot from the new window with all of the details on the failure?

Thank you for rating helpful posts!

it is customer choice.. please find attached file

I was joking about that :)

Couple of more questions:

1. Can you post a screen shot of the "Service Selection Rules"

2. Post screen shot of the "Identity" under "Wireless-Users"

3. Confirm that the wireless users are not hitting the "Device-Admin" rule that you have listed above

4. If you can post all of the details of the failed authentication. You are getting "access-reject" for some reason so you are not hitting the rule that you are trying to hit. 

Thank you for rating helpful posts!

Dear Neno :) thanks for your support..

you are absolutely right.. i'm not hitting the access rule. even though i configured it to match wireless user group.. i notice the Devices admins are not hitting the rule but since i enabled Radius for device management as well, i can see many logs from them as failed also as radius. 

 

this is for user as well

It is probably a good idea to keep Device Management under TACACS+ and wireless access under Radius. From "acs-access-service01.jpg" screenshot we can see that your wireless rule is getting zero hits. Which again indicates that your wireless clients are hitting the default rule which is probably "deny access" The ACS rules look OK from the screen shots so the issue could be on the wireless side. 

Can you:

1. Provide better/full capture from "acs-issue1_0.jpg" ? I need to see all steps and details

2. Confirm the wireless settings. More specifically that Radius/802.1x is configured 

Thank you for rating helpful posts!

Dear Neno

the customer has sent me this in aruba

aaa authentication dot1x "dot1xProfile"     
   termination eap-type eap-peap                                                                                                                                                                                                                                             
   termination inner-eap-type eap-mschapv2       

aaa authentication-server radius "SERVER"
   host x.x.x.x
   key xxxx
   nas-ip x.x.x.x

aaa server-group "RADIUS-GROUP"
  auth-server “SERVER”
  
aaa profile "KSAU-JED-AAA-Profile"
   authentication-dot1x "dot1xProfile"
   dot1x-server-group "RADIUS-GROUP"


      
wlan virtual-ap "SSID-NAME"
   aaa-profile "KSAU-JED-AAA-Profile"
   ssid-profile "SSID-NAME"
   vlan <VLAN ID>
   

Everything looks good (with my limited knowledge of Aruba). Unfortunately, I won't be much help here without getting my hands on the network :(

Perhaps someone else can come and chime in.

Thank you for rating helpful posts!

Dears 

FYI.. i have solved the issue today.. basically the issue was that Cisco ACS doesn't have Aruba controllers dictionary by default. for specific-vendor dictionary, you need to download from vendor site and write down the values to ACS dictionary fields. 

Oh good catch! I am so used to working with Cisco gear that I did not even think about it. :) Thank you for sharing the solution! (+5) from me. You should probably mark the thread as "answered/resolved too :)
Thank you for rating helpful posts!

thanks Neno .. by the way how to mark this thread is answered? sorry i'm not so familiar with these tools :)