MS PEAP supplicant easier than ACU

cguedes
Level 1

In a lab environment, I have a Windows XP SP2 machine using the MS PEAP supplicant, a 350 NIC with Aironet client 802.11a-b-Wizard v14, an ACS V3.3 and an AP1100 with IOS release 122-15.XR2, all working fine together.

I haven't had this configuration working using the Cisco PEAP supplicant, even using the newest ACU version 6.4.05. Naturally, I took care to uncheck "Use Windows to configure my wireless network settings" on the Windows XP Wireless Networks tab.

I read that PEAP on ACU corresponds to checking Host Based EAP (802.1x) and Dynamic WEP on the Network Security tab. That is what I did.

Debug shows the following messages:

Nov 13 19:47:41.010: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start

Nov 13 19:47:41.010: dot11_auth_dot1x_send_id_req_to_client: sending identity request for 000e.84c4.ed17

Nov 13 19:47:41.010: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds

Nov 13 19:48:11.010: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 000e.84c4.ed17

Nov 13 19:48:11.010: dot11_auth_dot1x_send_client_fail: Authentication failed for 000e.84c4.ed17

Nov 13 19:48:11.010: %DOT11-7-AUTH_FAILED: Station 000e.84c4.ed17 Authentication failed

Could anyone give me a hand?

Thanks,

Carlos

4 Replies

dixho
Level 6

It looks like something is wrong with the wireless adapter. After the AP receives an EAPOL start, the AP sends an identity request to the wireless client. However, the wireless client does not respond to the identity request.

One of the most common issues is that you need to enter a user name in XP, but you fail to do so in 30 seconds.

OK, I need to enter a username, but unlike the LEAP configuration, ACU didn't give us a chance to enter a username/password/domain on the Network Security tab beforehand. So, I guess ACU should rely on machine credentials or open a screen asking for the identity at the appropriate time, like a successful Windows XP PEAP supplicant does, but that doesn't occur. That is the point: there is no way to enter a username.

Do you agree with me that the ACU PEAP configuration is set up by checking the "Host Based EAP (802.1x)" button and the "Dynamic WEP" button on the Network Security tab?

If so, why doesn't a login window show up?

Following are the two cases: the debug messages of the MS supplicant and the ACU supplicant.

*** Here the MS supplicant:

Nov 14 13:59:04.948: dot11_auth_send_msg: sending data to requestor status 1

Nov 14 13:59:04.948: dot11_auth_send_msg: Sending EAPOL to requestor

Nov 14 13:59:04.949: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds

*** At that time I entered username/password/domain in the login window

.Nov 14 13:59:11.325: dot11_auth_parse_client_pak: Received EAPOL packet from 000e.84c4.ed17

.Nov 14 13:59:11.325: EAPOL pak dump rx

.Nov 14 13:59:11.325: EAPOL Version: 0x1 type: 0x0 length: 0x001A

.Nov 14 13:59:11.325: EAP code: 0x2 id: 0x2 length: 0x001A type: 0x1

00E00EF0: 0100001A 0202001A 014D494E 48414341 .........MINHACA

00E00F00: 53415C62 65746F77 696E646F 7773 SA\betowindows

.Nov 14 13:59:11.326: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 000e.84c4.ed17

.Nov 14 13:59:11.326: dot11_auth_dot1x_send_response_to_server: Sending client 000e.84c4.ed17 data to server

***

*** Here the ACU supplicant debug:

***

Nov 14 14:09:10.849: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 000e.84c4.ed17

Nov 14 14:09:10.849: dot11_auth_dot1x_send_client_fail: Authentication failed for 000e.84c4.ed17

Nov 14 14:09:10.849: dot11_auth_send_msg: sending data to requestor status 0

Nov 14 14:09:10.849: dot11_auth_send_msg: client FAILED to authenticate 000e.84c4.ed17, node_type 64 for application 0x1

Nov 14 14:09:10.849: dot11_auth_delete_client_entry: 000e.84c4.ed17 is deleted for application 0x1

Nov 14 14:09:10.850: %DOT11-7-AUTH_FAILED: Station 000e.84c4.ed17 Authentication failed

Nov 14 14:09:11.010: dot11_auth_add_client_entry: Create new client 000e.84c4.ed17 for application 0x1

Nov 14 14:09:11.010: dot11_auth_initialize_client: 000e.84c4.ed17 is added to the client list for application 0x1

Nov 14 14:09:11.010: dot11_auth_add_client_entry: req->auth_type 4

Nov 14 14:09:11.010: dot11_auth_add_client_entry: auth_methods_inprocess: 2

Nov 14 14:09:11.010: dot11_auth_add_client_entry: eap list name: eap_methods

Nov 14 14:09:11.010: dot11_run_auth_methods: Start auth method EAP or LEAP

Nov 14 14:09:11.010: dot11_auth_dot1x_start: in the dot11_auth_dot1x_start

Nov 14 14:09:11.010: dot11_auth_dot1x_send_id_req_to_client: sending identity request for 000e.84c4.ed17

Nov 14 14:09:11.011: EAPOL pak dump tx

Nov 14 14:09:11.011: EAPOL Version: 0x1 type: 0x0 length: 0x0005

Nov 14 14:09:11.011: EAP code: 0x1 id: 0x1 length: 0x0005 type: 0x1

00E00B50: 01000005 01010005 01 .........

Nov 14 14:09:11.011: dot11_auth_send_msg: sending data to requestor status 1

Nov 14 14:09:11.011: dot11_auth_send_msg: Sending EAPOL to requestor

Nov 14 14:09:11.012: dot11_auth_dot1x_send_id_req_to_client: Started timer client_timeout 30 seconds

Nov 14 14:09:41.010: dot11_auth_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 000e.84c4.ed17

Nov 14 14:09:41.010: dot11_auth_dot1x_send_client_fail: Authentication failed for 000e.84c4.ed17

Thanks,

Carlos
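
An added example (not part of the thread and not Cisco tooling): a short Python script that decodes the two EAPOL hex dumps quoted in the debug output above and reports stations whose identity requests only ever timed out. The hex words and log lines are copied from the posts; the function names are hypothetical.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eapol(hex_words):
    """Decode one EAPOL EAP-Packet frame from the hex words of a debug dump."""
    raw = bytes.fromhex("".join(hex_words.split()))
    if len(raw) < 8:
        raise ValueError("too short for EAPOL and EAP headers")
    version, pkt_type, body_len = struct.unpack("!BBH", raw[:4])
    code, ident, eap_len = struct.unpack("!BBH", raw[4:8])
    if pkt_type != 0 or eap_len != body_len or len(raw) < 4 + eap_len:
        raise ValueError("not a well-formed EAP-Packet frame")
    has_type = code in (1, 2) and eap_len > 4   # only Request/Response carry a type
    eap_type = raw[8] if has_type else None     # 1 = Identity
    data = raw[9:4 + eap_len] if has_type else b""
    return {"version": version, "code": EAP_CODES.get(code, code), "id": ident,
            "type": eap_type,
            "data": data.decode("ascii", "replace")}

ACTION = re.compile(r"Executing Action\(CLIENT_WAIT,(\w+)\) for "
                    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")

def client_wait_events(log_text):
    """Return (station, event) for every CLIENT_WAIT state-machine action."""
    return [(m.group(2), m.group(1)) for m in ACTION.finditer(log_text)]

def silent_stations(log_text):
    """Stations whose identity requests only timed out (supplicant never replied)."""
    seen = {}
    for station, event in client_wait_events(log_text):
        seen.setdefault(station, set()).add(event)
    return sorted(s for s, events in seen.items() if events == {"TIMEOUT"})

# Hex words and log lines below are copied from the debug output in the thread.
ID_REQUEST = "01000005 01010005 01"
ID_RESPONSE = "0100001A 0202001A 014D494E 48414341 53415C62 65746F77 696E646F 7773"
MS_LOG = (".Nov 14 13:59:11.326: dot11_auth_dot1x_run_rfsm: "
          "Executing Action(CLIENT_WAIT,CLIENT_REPLY) for 000e.84c4.ed17\n")
ACU_LOG = ("Nov 14 14:09:10.849: dot11_auth_dot1x_run_rfsm: "
           "Executing Action(CLIENT_WAIT,TIMEOUT) for 000e.84c4.ed17\n"
           "Nov 14 14:09:41.010: dot11_auth_dot1x_run_rfsm: "
           "Executing Action(CLIENT_WAIT,TIMEOUT) for 000e.84c4.ed17\n")

if __name__ == "__main__":
    for dump in (ID_REQUEST, ID_RESPONSE):
        print(decode_eapol(dump))
    print(silent_stations(MS_LOG), silent_stations(ACU_LOG))
```

The decoded response shows the outer identity MINHACASA\betowindows exactly as the AP debug prints it: the EAP-Response/Identity is sent before the PEAP tunnel is established, so it appears in cleartext in captures and debugs like these.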

I got the ACU PEAP supplicant to work. It was through a workaround, in my opinion.

The way to accomplish that was to check the box "Use Windows to configure my network settings" on Windows XP Wireless Network Connection at the same time as checking the box "Use Selected Profile" on ACU.

An important detail in this scheme is that it doesn't matter which SSID is added on Wireless Network Connection. Indeed, we can add a dummy SSID just to set up the authentication method ("Enable IEEE 802.1x authentication for this network" and "Protected EAP (PEAP)") and choose a Certification Authority.

My conclusion is to forget ACU for PEAP supplicant purposes and use the MS XP PEAP supplicant, because this one is more intuitive, precise and coherent than ACU.

I would like to hear from you what you think about it.

Thanks,

Carlos

etmarcof
Level 3

Hi Carlos,

I'm glad that you solved your problem.

I'm trying to set up PEAP with the MS supplicant on XP SP2, an AP 1100 with IOS 12.2(15)JA, ACS 3.2.3, and an Intel PRO 2200BG NIC that is CCXv2.

I want machine and user authentication.

I'm having problems with the changing of VLAN IP addresses as the user logs in and logs off.

Have you experienced this kind of problem?

Thanks

BR
