08-27-2012 07:31 PM - edited 03-10-2019 07:28 PM
Greetings,

Here is the scenario.

Previously we were using freeradius and no issues existed with Windows clients connecting to the wireless.
The SSID has WPA/WPA2, 802.1X authentication.
Installed ACS 5.3.
Configured the store for LDAP - we don't use AD, so don't recommend it.
Allowing PEAP-GTC, as PEAP-MSCHAPv2 is unsupported.
Uploaded a valid signed certificate for our organization to be used for EAP.
All Mac clients work, and most mobile devices: the user receives the cert, clicks accept and is then prompted for username and password.
However, all Windows clients (XP SP2, XP SP3, Windows 7) fail to connect.

The first error was:
Windows was unable to find a certificate on local machine to use to validate network.

I would expect that the ACS would provide the cert like it does for the Mac devices at this point, but that doesn't seem to be the case.
I exported the cert from ACS and imported it into the XP SP3 machine and placed it into Trusted Root CA.
I tried almost every store listed as well.

After the import the error is "Unable to connect to network".

ACS reports:
While trying to negotiate a TLS handshake with the client, ACS received an unexpected TLS alert message. This might be due to the supplicant not trusting the ACS server certificate for some reason. ACS treated the unexpected message as a sign that the client rejected the tunnel establishment.

It also lists the username as the organization in the cert, and PEAP(null).
For the Windows client I have:
Authentication as WPA2
Data encryption as AES
On the Authentication tab:
  EAP type > Protected EAP
  Authenticate as computer - unchecked
  Authenticate as guest - unchecked
Under the EAP Properties button:
  Validate server cert - checked
  Trusted Root CA - the organization's cert - checked
  Do not prompt user - unchecked
  Select auth method - Smart Card or other Certificate - selected, since MSCHAPv2 is not supported for the LDAP store
Clicked Configure:
  Use a certificate on this computer - checked
  Use simple cert selection - checked
  Validate server cert - checked
  Trusted Root CA - checked the org cert
  Use different user - unchecked
  Enable fast reconnect - unchecked

What I would like to see:
The user selects the SSID > is prompted to accept the cert from ACS > accepts > user is prompted for their LDAP login creds > user is authenticated.

Any insight would be greatly appreciated.
15004 Matched rule |
15012 Selected Access Service - RBLDAP Network Access |
11507 Extracted EAP-Response/Identity |
12300 Prepared EAP-Request proposing PEAP with challenge |
11006 Returned RADIUS Access-Challenge |
11001 Received RADIUS Access-Request |
11018 RADIUS is re-using an existing session |
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated |
12318 Successfully negotiated PEAP version 0 |
12800 Extracted first TLS record; TLS handshake started. |
12805 Extracted TLS ClientHello message. |
12806 Prepared TLS ServerHello message. |
12807 Prepared TLS Certificate message. |
12810 Prepared TLS ServerDone message. |
12305 Prepared EAP-Request with another PEAP challenge |
11006 Returned RADIUS Access-Challenge |
11001 Received RADIUS Access-Request |
11018 RADIUS is re-using an existing session |
12304 Extracted EAP-Response containing PEAP challenge-response |
12305 Prepared EAP-Request with another PEAP challenge |
11006 Returned RADIUS Access-Challenge |
11001 Received RADIUS Access-Request |
11018 RADIUS is re-using an existing session |
12304 Extracted EAP-Response containing PEAP challenge-response |
12318 Successfully negotiated PEAP version 0 |
12812 Extracted TLS ClientKeyExchange message. |
12804 Extracted TLS Finished message. |
12801 Prepared TLS ChangeCipherSpec message. |
12802 Prepared TLS Finished message. |
12816 TLS handshake succeeded. |
12310 PEAP full handshake finished successfully |
12305 Prepared EAP-Request with another PEAP challenge |
11006 Returned RADIUS Access-Challenge |
11001 Received RADIUS Access-Request |
11018 RADIUS is re-using an existing session |
12304 Extracted EAP-Response containing PEAP challenge-response |
12511 Unexpectedly received TLS alert message; treating as a rejection by the client |
11504 Prepared EAP-Failure |
11003 Returned RADIUS Access-Reject |
09-05-2012 11:18 PM
Greetings,

Just a follow-up.
I am still working out the CA solution, but in the meantime:

It was recommended that I give the Cisco Secure Mobility client a go.
So I installed NAM and the local policy editor on Win XP SP3.
I created a profile for the wireless network using PEAP-GTC; there are not many examples around, so I tried to figure it out.
Got the profile installed, because after reboot it auto-selects the correct SSID and attempts to log in.
I have restricted the Cisco AnyConnect to PEAP EAP-GTC and it tells the ACS it wants to use MSCHAPv2.
Have I misconfigured the profile? Am I missing something?

The issue now is that authentication fails with the error:
12750 Failed to negotiate EAP for inner method because EAP-MSCHAP not allowed under PEAP configuration in Access Service.
The supplicant of the client sent an EAP-Response/NAK packet rejecting the EAP-based protocol previously proposed for the inner method, and requesting to use EAP-MSCHAP instead. However, EAP-MSCHAP is not allowed under PEAP configuration in the Allowed Protocols section of the relevant Access Service.
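The two ACS step lists in this thread are worth reading in order rather than by their final message. In the first post, steps 12816 (TLS handshake succeeded) and 12310 (PEAP full handshake finished) are logged before the 12511 alert, so the outer tunnel was established and the supplicant had already accepted the server certificate; the alert came from the inner method, which on Windows with "Smart Card or other Certificate" selected is EAP-TLS and needs a client certificate the machine does not have. The 12750 step in the second post is an inner-method mismatch of a different kind: the supplicant NAKed the proposed inner EAP type and asked for one the access service does not allow. The following script is an added example, not code from the thread or from Cisco; it parses ACS step lines of the shape quoted above and reports in which phase a PEAP exchange failed. The step codes and messages are the ones quoted in the thread (11002, the Access-Accept counterpart of 11003, is the one code not shown on the page), the phase classification is my own heuristic, and the third sample log is constructed to show what a certificate rejection during the outer handshake looks like by contrast.

```python
"""Triage a Cisco ACS 5.x PEAP step log: did the exchange fail before, during
or after the outer TLS tunnel was built?  Added example, not from the thread."""
import re
from typing import Dict, List, Optional, Tuple

# Forum exports leave a trailing " |" table separator on each step; strip it.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.*?)\s*\|?\s*$")

OUTER_TLS_START = "12800"   # Extracted first TLS record; TLS handshake started
OUTER_TLS_OK = "12816"      # TLS handshake succeeded
ACCESS_ACCEPT = "11002"     # Returned RADIUS Access-Accept (not shown on the page)
ACCESS_REJECT = "11003"     # Returned RADIUS Access-Reject
FAILURE_CODES = {
    "12511": "supplicant sent an unexpected TLS alert",
    "12750": "inner EAP method requested by supplicant is not allowed",
}

# Sample 1: excerpt of the first post's step list (original order preserved).
ACS_STEPS_POST1 = """\
11507 Extracted EAP-Response/Identity |
12300 Prepared EAP-Request proposing PEAP with challenge |
12800 Extracted first TLS record; TLS handshake started. |
12805 Extracted TLS ClientHello message. |
12806 Prepared TLS ServerHello message. |
12807 Prepared TLS Certificate message. |
12810 Prepared TLS ServerDone message. |
12812 Extracted TLS ClientKeyExchange message. |
12804 Extracted TLS Finished message. |
12801 Prepared TLS ChangeCipherSpec message. |
12802 Prepared TLS Finished message. |
12816 TLS handshake succeeded. |
12310 PEAP full handshake finished successfully |
12304 Extracted EAP-Response containing PEAP challenge-response |
12511 Unexpectedly received TLS alert message; treating as a rejection by the client |
11504 Prepared EAP-Failure |
11003 Returned RADIUS Access-Reject |
"""

# Sample 2: the single step quoted in the second post.
ACS_STEPS_POST2 = """\
12750 Failed to negotiate EAP for inner method because EAP-MSCHAP not allowed under PEAP configuration in Access Service. |
"""

# Sample 3: CONSTRUCTED, not from the thread.  The alert arrives right after the
# server's Certificate/ServerDone, before any ClientKeyExchange, which is the
# shape a supplicant-side server-certificate rejection would have.
CONSTRUCTED_CERT_REJECT = """\
12800 Extracted first TLS record; TLS handshake started. |
12805 Extracted TLS ClientHello message. |
12806 Prepared TLS ServerHello message. |
12807 Prepared TLS Certificate message. |
12810 Prepared TLS ServerDone message. |
12511 Unexpectedly received TLS alert message; treating as a rejection by the client |
11504 Prepared EAP-Failure |
11003 Returned RADIUS Access-Reject |
"""

HINTS = {
    ("12511", "inner_method"): "Outer tunnel completed, so the server certificate was accepted; "
        "the alert came from the inner method. Check that the supplicant's inner EAP type "
        "matches one the access service allows and that the client holds the credential "
        "that type needs (a client certificate for EAP-TLS / 'Smart Card or other Certificate').",
    ("12511", "outer_tls_handshake"): "Alert during the outer handshake: the supplicant most "
        "likely rejected the server certificate (trust chain or name). Check the Trusted Root "
        "CA selection and the certificate chain presented by ACS.",
    ("12750", "inner_method"): "Supplicant NAKed the proposed inner method and asked for "
        "another; align the Allowed Protocols of the access service with the supplicant profile.",
}


def parse_steps(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) pairs in log order, ignoring non-step lines."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps


def triage(steps: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Classify the exchange by outcome and by the phase in which it failed."""
    codes = [c for c, _ in steps]
    result: Dict[str, Optional[str]] = {
        "outcome": "incomplete", "failure_code": None, "phase": None, "hint": None}
    if ACCESS_ACCEPT in codes:
        result["outcome"] = "accept"
        return result
    for idx, code in enumerate(codes):
        if code not in FAILURE_CODES:
            continue
        seen = set(codes[:idx])
        # 12750 is by its own wording an inner-method failure; 12511 is placed
        # by whether the outer handshake had already completed when it fired.
        if code == "12750" or OUTER_TLS_OK in seen:
            phase = "inner_method"
        elif OUTER_TLS_START in seen:
            phase = "outer_tls_handshake"
        else:
            phase = "before_outer_tls"
        result.update(outcome="reject", failure_code=code, phase=phase,
                      hint=HINTS.get((code, phase), FAILURE_CODES[code]))
        return result
    if ACCESS_REJECT in codes:
        result["outcome"] = "reject"
    return result


if __name__ == "__main__":
    for name, sample in [("post 1", ACS_STEPS_POST1), ("post 2", ACS_STEPS_POST2),
                         ("constructed", CONSTRUCTED_CERT_REJECT)]:
        r = triage(parse_steps(sample))
        print(f"{name}: {r['outcome']} at {r['phase']} ({r['failure_code']}): {r['hint']}")
```

Run it against a pasted step list from the ACS Monitoring and Reports view; the useful output is the phase, because "supplicant may not trust the server certificate" is only the right reading of 12511 when the alert precedes 12816.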
09-09-2012 07:41 PM
OK, got it working with AnyConnect and NAM.
I had to name the profile configuration.xml, place it in the NAM profile folder, and install NAM from scratch.
This info helped.