Installing ACS Certificates for EAP-TLS Does not work

kfarrington
Level 3

Hi all,

I have two problems.

I generated an ACS CSR and sent this to my Windows people and they issued my ACS with a certificate. Cool.

I go to download it onto the ACS and I have to put a "Private key file" in?

What is this file, and where do I get it from? Is it that long string of characters that the CSR generated, that I sent to the Windows boys?

Also, I did manage to just put any old rubbish in there, and I was surprised it accepted it.

Restarted the IS service and tried to enable EAP-TLS on the "global authentication setup" page, only to get the message:

Failed to initialize PEAP or EAP-TLS authentication protocol because CA certificate is not installed. Install the CA certificate using "ACS Certification Authority Setup" page

Now I am a little confused: is this because I have set up the ACS incorrectly, because of my misunderstanding of what this private key file is and how it relates to whatever?

Many thx indeed,

Ken

2 Accepted Solutions

ben.gordon
Level 1

I am having the same problem. It seems that when the Windows guys generate a cert it has to be exportable, which will give you the private key file also. I have tried the following document without any success. It may work for you though: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_example09186a008020a45c.shtml

I have also tried having ACS generate a self-signed certificate, which works. But on the client you have to uncheck the box that says validate the server certificate, because the ACS is not a trusted certificate server. Right now I am trying to figure out how to have AD publish the ACS as a trusted cert server so Windows knows to trust the cert from ACS. Through all of this I have found that you can set it up several ways; the hard part is finding a way that works for you.

Have you guys looked at this doc? This will work even though it is for PEAP. With EAP-TLS, you will do the same except request the certificate from the client.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a0080545a29.shtml

Just make a note of this when you request a cert; it is in the above doc.

Note: Microsoft has changed the Web Server template with the release of the Windows 2003 Enterprise CA so that keys are no longer exportable and the option is greyed out. There are no other certificate templates supplied with certificate services that are for server authentication and give the ability to mark keys as exportable that are available in the drop-down. Therefore, you need to create a new template that does so.

Here is a doc for ACS and EAP-TLS:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0ea.shtml#acs-1

-Scott
*** Please rate helpful posts ***
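Ken's "private key file" question and the exportable-key point in the accepted answers both come down to one thing: whichever side generated the key pair holds the private key, and the CSR carries only the public half. The following is an added example, not code from the thread, from Cisco or from Microsoft; it uses the third-party Python cryptography package, and the host names and the in-memory stand-in CA are constructed for the demo. It walks the flow (key and CSR made locally, CSR signed by the CA, certificate returned) and then performs the check that ACS evidently does not (Ken found it accepted "any old rubbish" as the key file): confirming that the issued certificate really belongs to the private key before the pair is installed. A mismatched pair cannot complete a TLS handshake, so this check is worth running before touching the appliance.

```python
"""Added example, not code from the thread or from Cisco: the CSR/private-key
relationship, plus the pre-install check that the issued certificate matches
the key file.  Uses the third-party 'cryptography' package; names and the
in-memory stand-in CA are constructed for the demo."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_key_and_csr(common_name):
    """What the 'Generate CSR' step does: the key pair is created here and the
    private half never leaves; the CSR carries only the public key and the
    subject, self-signed with the private key to prove possession."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    csr = x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())
    return key, csr


def issue_from_csr(csr, ca_key, ca_name, days=365):
    """Stand-in for the Windows CA: it only ever sees the CSR, so the certificate
    it returns is bound to whichever private key produced that CSR."""
    if not csr.is_signature_valid:
        raise ValueError("CSR proof-of-possession signature is invalid")
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=days))
        # server-authentication usage, as a Web Server style template would give
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def cert_matches_key(cert_pem, key_pem):
    """The pre-install check: the certificate's public key must be the public
    half of the key file, otherwise the TLS handshake can never complete."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)

    def spki(pub):
        return pub.public_bytes(serialization.Encoding.PEM,
                                serialization.PublicFormat.SubjectPublicKeyInfo)

    return spki(cert.public_key()) == spki(key.public_key())


def key_to_pem(key):
    """Unencrypted PKCS#8 PEM, the usual shape of a 'private key file'."""
    return key.private_bytes(serialization.Encoding.PEM,
                             serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption())


def demo():
    """Run the whole flow in memory: the right key passes, a stray key fails."""
    acs_key, csr = make_key_and_csr("acs.example.test")       # generated on the ACS
    ca_key, _ = make_key_and_csr("Example Issuing CA")         # only the CA key is needed
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Issuing CA")])
    cert_pem = issue_from_csr(csr, ca_key, ca_name).public_bytes(serialization.Encoding.PEM)
    stray_key, _ = make_key_and_csr("some-other-box")          # "any old rubbish"
    return {
        "right_key": cert_matches_key(cert_pem, key_to_pem(acs_key)),
        "stray_key": cert_matches_key(cert_pem, key_to_pem(stray_key)),
    }


if __name__ == "__main__":
    print(demo())  # expect {'right_key': True, 'stray_key': False}
```

The other path in the thread (the Windows CA generating the key through web enrollment) is the case where the key never existed on the appliance, which is why the template must mark keys exportable: the private key then has to be exported from the Windows box and fed to ACS as the key file, and the same comparison applies.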

16 Replies


Many thx guys,

So with a clear head this morning and thx for the links, I have extracted exactly what I need to do and will re-attempt.

Will update all soon, and here is the ACS "Appliance" extracted info.

Thx to all, as always, what a group of people we have here!!!

Thx

Ken

Doc looks good. Let us know if you get it to work or not.

-Scott
*** Please rate helpful posts ***

Hi, Fella and Ben,

Excellent stuff. Took the PEAP stuff and took out the appliance-only details and it all worked.

It's all about not double clicking on the private key stuff when installing the cert, and a couple of other little funnies as described in the red notes.

Many thx to all of you :)

Now just have to get it all working and client authenticated to the ACS. One thing at a time :))

Kind regards,

Ken

Well that is good news. Yeah.... one thing at a time.

-Scott
*** Please rate helpful posts ***

Thx mate, now just investigating why the Windows laptop shows the message

"Windows was unable to find a certificate to log you on to the network"

On a packet capture, I see the WLC send an EAP identity request packet (many times) but no EAP identity response packet from the client.

Gotta be a cert issue on the laptop, and me and the Windows boys are working on this bit.

Then, once this is done, I'm assuming that the client/ACS via the WLC will attempt to form an SSL/TLS tunnel and hand off the CN/SAN/binary comparison to the ACS for authentication.

This is good fun, and feels like a blog of the progress :)

I will keep updated and thx for the help.

Cheers

Ken

So, as I mentioned earlier, the laptop is receiving an EAP-Identity-Request from the WLC but is not generating an EAP-Identity-Response packet.

So looks odds on that the laptop is not doing sommat it should. It's gotta be certs, right?

So looking at the Windows XP debugs for EAPOL, we get the following (please look at the last line):

[1424] 15:49:07:437: ElEapMakeMessage entered
[1424] 15:49:07:437: ElParseIdentityString: DisplayString =
[1424] 15:49:07:437: ElParseIdentityString: LocalIdString = networkid=TestWLAN,nasid=MY-WLC,portid=29
[1424] 15:49:07:437: ElParseIdentityString: LocalIdString Length = 44
[1424] 15:49:07:437: ElParseIdentityString: NetworkID Size = 7
[1424] 15:49:07:437: Got NetworkId = TestWLAN
[1424] 15:49:07:437: Got NASId = MY-WLC
[1424] 15:49:07:437: ElParseIdentityString: For PortId, length = 2
[1424] 15:49:07:437: Got PortId = 29
[1424] 15:49:07:437: ElParseIdentityString: End of String reached
[1424] 15:49:07:437: ElParseIdentityString: Out of while loop
[1424] 15:49:07:437: ElParseIdentityString: Out of while loop: NO ERROR
[1424] 15:49:07:437: ElParseIdentityString: Calling NLARegister_802_1X with params {network windows id xxx.xx.xx.} and networkid=TestWLAN,nasid=MY-WLC,portid=29
[1424] 15:49:07:437: NLARegister_802_1X: Entered
[1424] 15:49:07:437: NLARegister_802_1X: g_hNLA_LPC_Port != NULL
[1424] 15:49:07:437: NLARegister_802_1X: Completed with status = 0
[1424] 15:49:07:437: ElParseIdentityString: Returned after calling NLARegister_802_1X
[1424] 15:49:07:437: ElGetIdentity: Userlogged, Prev !Machine auth
[1424] 15:49:07:437: ElGetIdentity: Userlogged,
[1424] 15:49:07:437: ElGetUserIdentity entered
[1424] 15:49:07:437: ElGetEapUserInfo: Error in RegOpenKeyEx for base key, 2
[1424] 15:49:07:437: ElGetCustomAuthData: SSIDLen=<6>, EapTypeId=<13>, Offset=<52/106>, dwAuthData=<42>
[1424] 15:49:07:437: ElGetCustomAuthData: SSIDLen=<6>, EapTypeId=<13>, Offset=<52/106>, dwAuthData=<42>
[1424] 15:49:07:437: ElGetUserIdentityOptimized: Error in calling GetIdentity = 798
[1424] 15:49:07:437: Identity: Couldnt find a certificate

So, we have loaded the certs into the following places

Certificates - Current User

- Personal

- Intermediate CAs

- Trusted root CAs

Did it in all variations, even putting all certs in all directories, but alas, nowt coming out :(

Any ideas chums? Arsenal are playing soon, so better go and drink beer and watch the gunners :)

PS, look at the attached MS docs. I will go thru these, but it is excellent information on the MS diags.

http://technet.microsoft.com/en-us/library/bb457018.aspx

Many thx

Ken
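The trace above ends with GetIdentity returning 798 and "Couldnt find a certificate", which is the cause of the symptom seen on the WLC capture: an XP supplicant that finds no usable certificate never builds an EAP-Identity-Response, so no RADIUS packet ever reaches ACS. As an added example that is not part of the thread (nor Microsoft's or Cisco's tooling), here is a small Python parser that pulls the identity string, the EAP type and each error code out of such a trace and turns them into a verdict. The sample lines are quoted from Ken's post; the code mappings (RAS error 798 "no certificate usable with this EAP", Win32 error 2 ERROR_FILE_NOT_FOUND, EAP type 13 = EAP-TLS) are standard Windows and IANA numbering, and the check list in the verdict is the standard Windows EAP-TLS requirement for a user certificate.

```python
"""Added example (not from the thread): pull the decision points out of a
Windows XP EAPOL debug trace so the 'no EAP-Identity-Response' symptom can be
tied to its cause.  Sample lines are quoted from Ken's trace in the thread."""
import re

SAMPLE_TRACE = """\
[1424] 15:49:07:437: ElParseIdentityString: LocalIdString = networkid=TestWLAN,nasid=MY-WLC,portid=29
[1424] 15:49:07:437: NLARegister_802_1X: Completed with status = 0
[1424] 15:49:07:437: ElGetIdentity: Userlogged, Prev !Machine auth
[1424] 15:49:07:437: ElGetEapUserInfo: Error in RegOpenKeyEx for base key, 2
[1424] 15:49:07:437: ElGetCustomAuthData: SSIDLen=<6>, EapTypeId=<13>, Offset=<52/106>, dwAuthData=<42>
[1424] 15:49:07:437: ElGetUserIdentityOptimized: Error in calling GetIdentity = 798
[1424] 15:49:07:437: Identity: Couldnt find a certificate
"""

# "[pid] HH:MM:SS:mmm: message"
LINE_RE = re.compile(r"^\[(?P<pid>\d+)\] (?P<time>\d\d:\d\d:\d\d:\d{3}): (?P<msg>.*)$")
# Both error shapes seen in the trace: "... for base key, 2" and "... GetIdentity = 798"
ERROR_RE = re.compile(r"^(?P<func>\w+): Error in (?P<what>.*?)[,=] ?(?P<code>\d+)$")

# IANA EAP method type numbers
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Meaning of the numeric codes in the trace (RAS / Win32 error numbers)
ERROR_TEXT = {
    798: "no certificate usable with this EAP method (RAS error 798)",
    2: "ERROR_FILE_NOT_FOUND: no stored per-user EAP settings (usually harmless)",
}


def parse_line(line):
    """Split one trace line into (pid, timestamp, message); None if it is not a trace line."""
    m = LINE_RE.match(line.rstrip())
    return (int(m["pid"]), m["time"], m["msg"]) if m else None


def analyse(trace):
    """Walk the trace and report what the supplicant decided and why."""
    result = {"eap_type": None, "eap_type_name": None, "network": {},
              "errors": [], "cert_missing": False, "verdict": ""}
    for line in trace.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        _, _, msg = parsed
        m = re.search(r"LocalIdString = (\S+)", msg)
        if m:  # 'networkid=TestWLAN,nasid=MY-WLC,portid=29' -> dict
            result["network"] = dict(kv.split("=", 1) for kv in m[1].split(","))
        m = re.search(r"EapTypeId=<(\d+)>", msg)
        if m:
            result["eap_type"] = int(m[1])
            result["eap_type_name"] = EAP_TYPES.get(int(m[1]), "unknown")
        m = ERROR_RE.match(msg)
        if m:
            code = int(m["code"])
            result["errors"].append({"func": m["func"], "during": m["what"].strip(),
                                     "code": code, "text": ERROR_TEXT.get(code, "unmapped")})
        if "find a certificate" in msg:
            result["cert_missing"] = True

    if result["cert_missing"] or any(e["code"] == 798 for e in result["errors"]):
        result["verdict"] = (
            f"{result['eap_type_name']} identity lookup failed before any frame was built: "
            "the supplicant has no usable client certificate, so it sends no "
            "EAP-Identity-Response and the authenticator never contacts the RADIUS server. "
            "Check Current User\\Personal for a certificate that has its private key "
            "present, carries the Client Authentication EKU and chains to a trusted CA.")
    else:
        result["verdict"] = "no certificate problem seen in this trace"
    return result


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

Feed it a longer capture of the same trace (the repeated identity-request cycles Ken saw on the WLC) and the errors list shows whether every attempt dies at the same GetIdentity call, which separates a client certificate problem from anything on the ACS side; extend ERROR_TEXT as other codes turn up.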

How are you configuring the client for peap?

http://articles.techrepublic.com.com/5100-10878_11-6148574.html

-Scott
*** Please rate helpful posts ***

Hi Fella and all :)

Arsenal drew 1-1 BTW :(

We are running Windows XP SP (version "who knows"). Will find out. This Windows stuff is all a bit confusing :)

So,

We have the following only currently (for phase one of the testing)

Wifi LT ------ LWAP ------ WLC ------- ACS (appliance) ------- Remote Agent ------ AD DC

At the moment, we are just using the internal DB on the ACS rather than using the remote AD DB, to keep things simple. Get that working first and then progress onto the AD auth bit.

We are using EAP-TLS and on the ACS all three comparison types are enabled and all certs are loaded.

The WLC sends the EAP-Identity packet to the wifi LT but the wifi LT does not send a response, so not even a packet gets to the ACS.

Please see Phase 2 for where we are stopping.

(I hope this doc helps people)

Let me know if you can be of further assistance.

Kind regards,

Ken

Did you install a cert on the laptop?

-Scott
*** Please rate helpful posts ***