09-19-2006 01:33 PM - edited 07-04-2021 01:06 PM
Hi,
My setup is:
Cisco ACS 4.0 Release 4.0(1) Build 27 (with Thawte certificate)
WLC 4402 ver 4.0.179.8
Aironet 1131 LWAPP
Dell laptop with Windows XP SP2 with PEAP auth (using Windows control of the WLAN card)
I experience a problem with missing machine authentication even though I have enabled this in ACS (Enable PEAP machine authentication). The regkey on the PCs is standard Windows (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global with no value set = 0)
http://support.microsoft.com/kb/309448/en-us
I get these messages in the WLC log:
AUTH 14/09/2006 08:48:58 E 0143 2688 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
AUTH 14/09/2006 08:48:58 E 0376 3852 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
Can anyone point me in the right direction?
Is it a Windows client problem or a WLC/ACS problem?
regards rolf
09-19-2006 06:33 PM
Did you set up ACS for "Aironet" style RADIUS?
There's an option under "Network Config" | "AAA Clients" for what kind of RADIUS interface to present; you want "Cisco Aironet".
Check it out and let us know.
Scott
09-19-2006 09:45 PM
Hi,
I did have Cisco Airespace - not Cisco Aironet - defined as AAA client in ACS for the WLC. I have now changed to Cisco Aironet and will check. What is the Airespace setting supposed to be used for if not the WLC?
Found this as a reference:
EAP Authentication with WLAN Controllers (WLC) Configuration Example:
"Define the controller as an AAA client on the ACS server. Click Network Configuration from the ACS GUI.
When the Network Configuration page appears define the name of the WLC, IP address, shared secret and authentication method (RADIUS Cisco Aironet or RADIUS Cisco IOS/PIX). Refer to the documentation from the manufacturer for other non-ACS authentication servers. "
regards rolf
09-26-2006 11:43 AM
Hi,
I still have a problem with machine authentication, which stops working after 3-4 days. I narrowed this down to the Cisco ACS, as the only way to resolve this is to reboot the Win2003 server running Cisco ACS. I did put an error in my first post; it's not the WLC log that reports this:
AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
It is the CSAuth log on the ACS. Has anybody seen this error message and knows what it refers to?
My problem now is that machine authentication works OK for some days, then stops, and then the listed error messages start coming in the CSAuth log.
regards rolf
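An added example, not part of any post in this thread and not Cisco code: a Python script that scans a CSAuth log for the `MachineSPNToSAM: __DsCrackNames failed` line quoted above and groups the hits into episodes, so the moment machine authentication stopped working can be pinned down. The line layout is inferred from the quoted lines; the sample log, the function names and the one-hour quiet gap are assumptions.

```python
import re
from datetime import datetime, timedelta

# Layout inferred from the CSAuth lines quoted in the thread. The two numeric
# fields after the severity letter are kept opaque: the thread does not explain them.
LINE_RE = re.compile(
    r"^AUTH (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<sev>[A-Z]) (?P<f1>\d{4}) (?P<f2>\d{4}) (?P<msg>.*)$"
)
SIGNATURE = "MachineSPNToSAM: __DsCrackNames failed"

def parse_line(line):
    """Return (timestamp, severity, message), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%Y %H:%M:%S")
    return ts, m["sev"], m["msg"]

def find_failure_episodes(lines, quiet_gap=timedelta(hours=1)):
    """Group signature hits into episodes; a hit later than quiet_gap after the
    previous one opens a new episode. Assumes the log is in chronological order."""
    episodes = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or SIGNATURE not in parsed[2]:
            continue
        ts = parsed[0]
        if episodes and ts - episodes[-1]["last"] <= quiet_gap:
            episodes[-1]["last"] = ts
            episodes[-1]["count"] += 1
        else:
            episodes.append({"first": ts, "last": ts, "count": 1})
    return episodes

# Constructed sample: the two 07:51:16 lines are copied from the post above,
# the remaining lines are made up for this example.
SAMPLE_LOG = """\
AUTH 22/09/2006 09:10:02 I 0143 0500 constructed filler line, not real ACS output
AUTH 26/09/2006 07:51:16 E 0143 0500 [PDE]: PdeAttributeSet::addAttribute: invalid attr type=201
AUTH 26/09/2006 07:51:16 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
AUTH 26/09/2006 07:53:40 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
AUTH 26/09/2006 12:30:00 E 0376 0132 External DB [NTAuthenDLL.dll]: MachineSPNToSAM: __DsCrackNames failed
""".splitlines()

if __name__ == "__main__":
    for ep in find_failure_episodes(SAMPLE_LOG):
        print(f"failures began {ep['first']}, last seen {ep['last']}, {ep['count']} hit(s)")
```

The start time of the first episode is the value to compare against other events on the ACS host and in the domain.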
12-19-2006 02:11 PM
Hi Rolf,
I encountered the same problem as you - machine authentication with PEAP stops working after some days or even weeks.
Did you find a solution to this problem in the meantime? Or how do you deal with this problem?
Please let me know!
Thank you!
Michael
12-20-2006 09:37 AM
Is your ACS server a member server in the AD? Did your AD domain controller reboot recently? In ACS 4.0, I found that once the DC rebooted, exactly the same happened with machine authentication. I have to reboot the ACS and the problem is fixed. I opened a case with TAC and I was told it is a bug and will be fixed in ACS 4.1. I haven't upgraded ACS to 4.1.
Zhenning
12-21-2006 01:16 AM
Hi,
It is a documented bug that can be fixed with a bugfix. If you ask Cisco TAC you will get a new ntlib.dll.
regards rolf
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsd52574&Submit=Search
Installation instructions for CSCsd52574_Global_Catalog_NTlib.dll are:
stop service CSAuth
save a backup of
copy CSCsd52574_Global_Catalog_NTlib.dll to
start service CSAuth
12-21-2006 06:34 AM
Anyone tried with 4.1? Did 4.1 fix this bug?