08-03-2005 11:35 PM - edited 07-04-2021 11:00 AM
Hi,
My wireless infrastructure is currently still based on LEAP and WEP, therefore I am in the process of migrating towards PEAP and WPA.
During the testing in the lab I have encountered some problems with the client side when I use the Intel Centrino PROSet utility.
This is my setup:
Cisco 350 & 1231G AP with IOS version c350-k9w7-mx.122-15.JA and c1200-k9w7-mx.122-15.JA
Cisco ACS server 3.3(1) Build 16
Dell D600 with Intel Centrino 2200BG and PROSet version 9.0.2
Windows XP laptop running SP1
Windows XP laptop running SP2
I have generated a Self-Signed certificate on the ACS and imported the CA on my XP laptop so that it appears amongst the other CAs and configured the ACS to support MS-CHAP-V2 and GTC PEAP.
If I configure the wireless adapter via the XP client I have no problems with PEAP MS-CHAP-V2 with SP1 (some problems with stability with SP2) but when I create a profile using PEAP I associate to the AP but get the following error message on the ACS: EAP-TLS or PEAP authentication failed during SSL handshake.
When I use the XP client I am able to authenticate, therefore I think it is safe to say that the certificate created by the ACS is working.
I have tried to search on the Net for any issues related to PEAP with the Intel PROSet but I have had no luck. Do you have any tips on how to get it working?
Thank you
Ciao
Cristiano
08-04-2005 02:56 AM
What a coincidence! I have recently been testing exactly the same thing, and I think I'm getting the same (if not a very similar) issue to you! As it happens, I've just logged a TAC case to try and work out what's going on. In summary the issue is that Intel ProSet adapters (in my case I've tried 2100 and 2200) running the latest Intel utilities for both, don't seem to like establishing the tunnel when running PEAP (in my case without machine auth). They will run under the ProSet utility using EAP-FAST or LEAP (which don't look at the cert). I know this isn't Cisco's problem (being an Intel card), but I did ask Intel about this and they were a bit useless. I advised that I remembered there is a way under ACS to run a fairly big debug that tells you what phase of the tunnel establishment is failing, but I can't remember exactly how you run it up! I've logged the TAC case to find out how you run the debug. I'll let you know if I get any constructive feedback. In my case, it would be nice to get the Intel software working as it does interrupt the XP GINAs quite well (or at least seems to from what I could test), which means you can run without machine auth and get all domain logging on stuff working 100% (i.e. things such as domain driven password changes will still work as will first time machine logins (no cached profiles)).
IF ANYBODY ELSE HAS GOT THESE INTEL CARDS RUNNING PEAP TO ACS 3.3 SUCCESSFULLY, ANY TIPS WOULD BE GRATEFULLY RECEIVED!
08-04-2005 03:22 AM
We have the Intel Proset working with Cisco ACS v3.3.3 and PEAP. I had to use the Intel Proset Utility; it wouldn't work with the XP Zero Wireless Configuration. I am using v9.0.2.0 of the Proset utility on Windows XP SP2. I guess for us the key was to use the utility and not the XP configuration.
Let me know if you need more details and I can post my config.
08-04-2005 04:07 AM
Hi, as I mentioned in opening this issue, I also use the Intel PROSet utility tool, but without success, meanwhile when I enable XP Zero Wireless Config it works!! Have you generated the certificate via the tool on the ACS or have you purchased it via a CA authority?
It would be great if you could post your configs so that I can compare them with my setup.
What IOS are you running?
Thanks
Cristiano
09-30-2005 02:58 AM
Hi,
It's a long time since I last posted on this but I've had a lot on, but I got around to some more testing. With the Pro-Set software, I finally got it working, and doing two main things made a difference. For some reason (can't imagine why), it didn't like my Cisco CB21AG adapter being inserted at the same time. In addition, after creating the profiles, it seems to work better after rebooting. I'd suggest anyone having difficulties look for any apps running on the same machine that might interfere. I've attached the profile for the adapter that worked for me.
HOWEVER, and here is the BIG HOWEVER. The Intel software's main drawback seems to be that it needs to use a static username and password for most EAP types. This means that if you ever force your users to change their passwords, you can't do it dynamically on the Pro-Set software (not that I can find), and that sucks. Therefore I have ditched the Intel software entirely in favour of other options!
08-19-2005 05:32 AM
Normally when I have problems with cards I remove all the utilities and use only the Windows driver and that seems to work fine. The Windows driver must belong to the Windows compatibility list. Some time ago I had some trouble with the 2200BG which I solved by removing the Intel utility.