11-24-2004 12:14 PM - edited 07-04-2021 10:11 AM
I currently have a working WPA-LEAP setup using a 350 client. The 1100 access point is running 12-2-15-xr2 firmware. Authentications work with ACS 3.3.1 from the local database or a Windows NT database. I have followed all the tips online for configuring PEAP on the radio, ACS and Cisco clients. I would like to use Dell TrueMobile 1400 equipped laptops with XP SP2 and the MS PEAP CHAPv2 supplicant. I enable debugging on the access point and it never shows a PEAP session even starting. A description of a working mixed client base MS-PEAP setup would be helpful.
11-26-2004 02:48 PM
What debugs do you enable? Can you post the debugs?
As far as I know, we only support one 802.1x type per SSID. I have tried to use the same SSID for different 802.1x types; it works for me, though.
11-29-2004 03:09 PM
I am using one dot1x type per SSID. LEAP and MS-PEAP both use open EAP and network EAP. My Cisco 350 client using a WPA LEAP setup authenticates fine through the ACS to an Active Directory user. I think this indicates that beyond the access point things are working correctly. PEAP and CHAP ver2 are enabled on the ACS and the timeout is set for 120 seconds. I am using 1645, and 46 for the RADIUS server. I use these debug commands:
debug radius authentication
debug dot11 aaa authenticator process
debug dot11 aaa authenticator state-machine
I see the 350 card debugs fine.
My Dell TrueMobile 1400 with the latest drivers, using the XP SP2 PEAP client, does not show up in the debug log. The access point GUI shows the client trying, but nothing in the debug logs.
The problem may be with the client not starting the dot1x process. I'm not sure what to try next. Should I just abandon the flaky MS-XPsp2 supplicant?
12-01-2004 06:38 PM
Please use a test AP to run the following debugs:
debug dot dot 0 trace print xmt rcv
Based on my experience, there are a couple of possibilities:
1. WPA is enabled on the AP, but not on the wireless client. Or WPA is enabled on the wireless client and not on the AP.
2. You only configure "authentication network-eap" under the SSID, but not "authentication open eap". Cisco wireless clients use "authentication network-eap" and non-Cisco clients use "authentication open eap."
I know that I am jumping to conclusions. Posting the debugs will tell us more.
12-07-2004 09:09 AM
Here are the debug posts you requested. I did disable WPA and have enabled mandatory WEP on this SSID. Open with WEP key provided automatic with dot1x MSCHAPv2 selected, and no machine authorization.
debug dot dot 0 trace print xmt rcv
debug radius authentication
debug dot11 aaa authenticator process
debug dot11 aaa authenticator state-machine
Log Buffer (4096 bytes):
B8D3675 r 1 25 130- B000 13A 000E83600690 00904B1BFE44 000E83600690 35F0 auth
algorithm 0
sequence 1
status 0
221 - 0 10 18 1 0
B96B69E t 1 - B000 2800 00904B1BFE44 000E83600690 000E83600690 7680 auth
algorithm 0
sequence 2
status 0
12-07-2004 02:04 PM
Please post the whole log. The above messages only tell me that the wireless client sends out an association request to the AP. The AP responds with an association response. As the status = 0, it means that there is no problem.
The wireless client should then send out an association request, and the AP should send out association response. Then, 802.1x authentication should start.