michelbijnsdorp
Beginner

Does WLC 5508 (7.2) support PEAP to MS RADIUS?

Hi,

I'm running version 7.2.111.3 on my WLC 5508 and I'm trying to figure out how I can set PEAP towards my configured RADIUS servers.

On my Local EAP profile I can specify PEAP, but how is it configured by default when you just specify the RADIUS servers on the "WLANs > Edit Test > security > AAA servers" tab?

The MS RADIUS logs tell me that it is EAP and not PEAP, so the question is: does the WLC support Microsoft: Protected EAP?

Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 AAA EAP Packet created request = 0x1bd4647c.. !!!! -> should be AAA PEAP ???

*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.279: 24:77:03:07:75:28 Sending EAP Attribute (code=2, length=35, id=2) for mobile 24:77:03:07:75:28
*Dot1x_NW_MsgTask_0: Oct 10 11:02:27.280: 24:77:03:07:75:28 [BE-req] Radius  EAP/Local WLAN 3.

Thanks in advance,

Michel

6 REPLIES
pavelsh_ucs
Beginner

Just configure your RADIUS servers on the Security tab.

Then choose these RADIUS servers on WLANs > Edit Security - Level2.

That's it.

If you configure RADIUS servers in the GLOBAL config, make sure Network User is checked. Or, if you add the RADIUS server under the WLAN, Network User isn't needed in the global.

As for PEAP: yes, PEAP-MSCHAPv2 is supported, PEAP-GTC is not.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin


Mike, when external AAA is in use, don't worry about the EAP type config on the WLC; it is the wireless client and the AAA server that negotiate the requirements, based on the client request and the EAP security enabled/configured on the AAA server.

http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml

George, Network User needs to be there irrespective of whether the RADIUS server IP is added per WLAN or not.
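
Added example, not part of the original thread: the controller only relays EAP packets inside RADIUS, and the method (PEAP is EAP type 25 per the IANA registry) is a field inside each packet that the client and the RADIUS server negotiate. The Python below decodes that field over a constructed exchange; the `build` helper, the sample bytes and the identity string are assumptions made for illustration.

```python
import struct

# EAP codes and method types as assigned in RFC 3748 and the IANA EAP registry
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(packet: bytes) -> dict:
    """Decode the EAP header that a NAS relays in RADIUS EAP-Message attributes."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field does not match the data")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
            "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request/Response carry a Type octet
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        info["type"] = EAP_TYPES.get(packet[4], f"unknown({packet[4]})")
        info["data"] = packet[5:length]
    return info


def build(code: int, ident: int, eap_type: int, data: bytes = b"") -> bytes:
    """Helper (hypothetical, for the sample only): assemble one EAP packet."""
    return struct.pack("!BBHB", code, ident, 5 + len(data), eap_type) + data


def negotiated_method(packets):
    """Method the client actually answers in, skipping Identity and Nak."""
    for p in map(parse_eap, packets):
        if p["code"] == "Response" and p["type"] not in ("Identity", "Nak"):
            return p["type"]
    return None


# Constructed exchange, not captured traffic. The first packet reuses the
# code/length/id values from the log line in the question; its payload is made up.
SAMPLE = [
    build(2, 2, 1, b"host/laptop01.lab.example.test"),  # Response/Identity, length 35
    build(1, 3, 4, b"\x10" + bytes(16)),  # server proposes MD5-Challenge
    build(2, 3, 3, bytes([25])),          # client Nak: wants type 25 (PEAP)
    build(1, 4, 25, b"\x20"),             # server PEAP Start (S flag set)
    build(2, 4, 25, b"\x00"),             # client replies in PEAP (TLS data omitted)
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(parse_eap(pkt))
    print("negotiated:", negotiated_method(SAMPLE))
```
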

I tested this last week and it didn't need to be checked .. Still worked with it unchecked. In fact I opened a TAC case about local account as well, it was part of my testing ..

I agree I should be marked ..

Any ideas why it's not working like it should in our lab? Try it on your end ..

I'm going to test it again here ..


You're right, +5. Looks like it sort of gives more granular selection/priority: if we don't want to use any AAA from global when all the configured AAA on the WLAN have failed, then it will be useful.

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html

Step 16: Select the Network User check box to enable network user authentication (or accounting), or unselect it to disable this feature. The default value is selected. If you enable this feature, this entry is considered the RADIUS authentication (or accounting) server for network users. If you did not configure a RADIUS server entry on the WLAN, you must enable this option for network users.

Excellent .. Not losing my mind and thanks for checking ..

