cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10131
Views
0
Helpful
16
Replies

Windows XP & 7 fail authentication to ACS 5.3

Greetings

Here is the scenario

previously using freeradius and no issues existed with windows clients connecting to the wireless.

The SSID has wpa/wpa2, 802.1x authentication

Installed ACS 5.3

configured Store for LDAP - we don't use AD so don't recommend it

allowing PEAP-GTC as PEAP-MSCHAP2 is unsupported

uploaded a valid sign Certificate for our organization to be used for EAP

all MAC clients work and most mobile devices, user receives the cert and click accept and then they are prompted for Username and Password

However all  windows clients XPSP2, XPSP3, Windows 7 fail to connect

first error was

Windows was unable to find a certificate on local machine to use to validate network.

I would expect that the acs would provide the cert like the MAC devices at this point, that doesn't seem to be the case.

I exported the cert from acs and imported into the XPSP3 machine and placed it into Trusted Root CA

I tried almost every store listed as well.

After the import

The error is unable to connect to network.

ACS reports

While trying to negotiate a TLS handshake with the client, ACS received  an unexpected TLS alert message. This might be due to the supplicant not  trusting the ACS server certificate for some reason. ACS treated the  unexpected message as a sign that the client rejected the tunnel  establishment.

It also lists the username as the organization in the Cert and PEAP(null)

for the windows client I have

auth as WPA2

Data Encryption as AES

on the Authentication tab

EAP type > Protected EAP

authenticate as computer unchecked

authenticate as guest unchecked

under EAP properties button

Validate server cert - checked

Trusted Root CA - the organizations cert - checked

do not prompt user - unchecked

select auth method - smart card or other cert - selected - since mschapv2 is not supported for the ldap store

clicked configure

use a certificate on this computer - checked

use simple cert selection - checked

Validate server cert - checked

Trusted Root CA - checked the org cert

use different user - unchecked

enable fast reconnect - unchecked

What I would like to see

The user selects the ssid > is prompted to accept cert from acs > accepts > user is prompted for their ldap login creds > user is authenticated

Any insight would be greatly appreciated

15004  Matched rule

15012  Selected Access Service - RBLDAP Network Access

11507  Extracted EAP-Response/Identity

12300  Prepared EAP-Request proposing PEAP with challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12302  Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated

12318  Successfully negotiated PEAP version 0

12800  Extracted first TLS record; TLS handshake started.

12805  Extracted TLS ClientHello message.

12806  Prepared TLS ServerHello message.

12807  Prepared TLS Certificate message.

12810  Prepared TLS ServerDone message.

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12318  Successfully negotiated PEAP version 0

12812  Extracted TLS ClientKeyExchange message.

12804  Extracted TLS Finished message.

12801  Prepared TLS ChangeCipherSpec message.

12802  Prepared TLS Finished message.

12816  TLS handshake succeeded.

12310  PEAP full handshake finished successfully

12305  Prepared EAP-Request with another PEAP challenge

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12304  Extracted EAP-Response containing PEAP challenge-response

12511  Unexpectedly received TLS alert message; treating as a rejection by the client

11504  Prepared EAP-Failure

11003  Returned RADIUS Access-Reject

16 Replies 16

Greetings

Just a follow up.

I am still working out the CA solution

but in the mean time:

So it was recommended that I give the cisco secure mobility client a go.

So I installed NAM and local policy editor on win xp sp3

I created a profile for the wireless network using PEAP-GTC

not many examples around so I tried to figure it out.

Got the profile installed because after reboot it auto selects the correct SSID and attempts to login.

I have restricted the cisco anyconnect to PEAP EAP-GTC and It tells the ACS it wants to use MSCHAPV2

Have I misconfigured the profile? am I missing something?

The issue now is authentication fails

error

12750 Failed to negotiate EAP for inner method because EAP-MSCHAP not allowed under PEAP configuration in Access Service.

The supplicant of the client sent an EAP-Response/NAK packet rejecting  the EAP-based protocol previously proposed for the inner method, and  requesting to use EAP-MSCHAP instead. However, EAP-MSCHAP is not allowed  under PEAP configuration in the Allowed Protocols section of the  relevant Access Service.

Ok got it working with the anyconnect and NAM.

had to NAM the profile configuration.xml and place it in the NAM profile folder and install the NAM from scratch.

this info helped

https://supportforums.cisco.com/docs/DOC-23117