cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1882
Views
0
Helpful
0
Comments
TCC_2
Level 10
Level 10

 

 

Introduction

PEAP-GTC does not work with external token server over WLC

Core Issue

Funk Odyssey and Cisco ADU PEAP-GTC clients successfully authenticate with an Airespace controller running 3.0 or 3.1 software if using a static password, but not when authenticating through a one-time password to a token server.

Resolution

This problem is documented in Cisco bug ID CSCsb64519.

Funk Odyssey and Cisco ADU PEAP-GTC clients are seen successfully
to authenticate with an Airespace controller running 3.0 or 3.1 software
if using a static password, but not when authenticating via a one-time
password to a token server.

The resolution of this issue will be done via an implementation of four
new CLI configuration options under "config advanced eap":

identity-request-timeout Configures EAP-Identity-Request Timeout in seconds.
identity-request-retries Configures EAP-Identity-Request Max Retries.
request-timeout Configures EAP-Request Timeout in seconds.
request-retries Configures EAP-Request Max Retries.

The default values for these options are as shown below. These values
were chosen to retain as default the controller's current behavior:

(Cisco Controller) >show advanced eap

EAP-Identity-Request Timeout (seconds)........... 1
EAP-Identity-Request Max Retries................. 20
EAP-Request Timeout (seconds).................... 1
EAP-Request Max Retries.......................... 2
Known Fixed Releases: 
3.2(78.0)
3.1(105.)

To resolve the issue, upgrade the controller to the latest version. The upgrade can be done through the GUI or the CLI, as shown:

transfer download serverip
transfer download filename
transfer download datatype code
transfer download path /
transfer download start

To download the latest controller code, refer  to Software Center (Downloads) Wireless Software.

More Information

Cisco Aironet Client Utility Installation and Configuration

Cisco Aironet Client Utility (ACU) software version 5.05 or later includes Cisco PEAP (EAP-GTC) supplicant functionality within the client software. When using ACU version 5.0x for PEAP, you must manually upgrade the client adapter drivers and firmware. For the required driver and software versions, refer to the "Prerequisites" section.

Note All bundled Cisco client adapter software (InstallWizard version 1.0 and later) automatically upgrade the driver and firmware upon installation.

Note The PEAP supplicant option must be selected from the InstallWizard upon initial installation.
When you are using non-Cisco EAP supplicants with PEAP authentication, such as Microsoft 802.1X EAP-MSCHAP v2 in Windows XP Service Pack 1, only the appropriate client driver and software must be installed, because the authentication is handled by the EAP supplicant software incorporated into the operating system. The ACU can still be installed and used for diagnostics, statistics, or both, but the client adapter must be configured using the Microsoft (or other) utility.

All versions of the ACU after version 5.05 includes support for several EAP types including LEAP, EAP-TLS, and types that operate over EAP-TLS, such as EAP-TTLS and PEAP. Refer to the Cisco Aironet Client Utility Release Notes for additional information.

Problem Type

No connectivity

Products

WLAN adapters (wireless card) / ACU (Aironet Client Utility)

Wireless LAN Controllers

Security Options

LEAP / RADIUS

PEAP

Topology

LWAPP network

SW Features

Lightweight Access Point Protocol (LWAPP)

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: