02-06-2008 01:41 PM - edited 07-03-2021 03:20 PM
OK, here's the issue:
Customer site - 1130 series LWAPP APs, WLC 4400 series with 4.2 release, WCS with 4.2 release.
ACS SE 4.0 and a second ACS SE with 4.1
Windows XP clients using WZC, all settings for connecting to WLAN are set, and everything works fine as long as the user has logged onto the lappie previously using a wired connection.
Machine authentication not working. i.e. a user can't logon until they've previously logged on.
Nothing shows on ACS failed or passed attempts. All settings for PEAP machine authentication are setup as per Cisco docs on the ACS. Client end ok.
Tried a GPO to push MS 802.1x settings for EAPOL and Supplicant info to machines, but still no machine logon.
ACS using a self signed cert, option to validate server cert on XP wzc unchecked.
Can't see wood for trees now, bits of kit will start to leave the building via the window before much longer....
Please tell me we don't need to install certs on clients - thought PEAP was server side only? Surely?
Help, someone, help...
02-08-2008 01:57 PM
You cannot use WZC. You will have to use Cisco Secure Service client; this works on every wireless card, or the client with the wireless card you have if they support this. I know Broadcom cards support this if you have one. I would suggest using Cisco Sec Service client.
02-08-2008 05:28 PM
Matt,
What NIC and driver version? Has the system been joined to the machine domain via a wired connection?
It seems strange to me that WZC would not work. Are you using a driver-only install - no other card-specific supplicant running? Can they authenticate using regular PEAP MSCHAP - no machine auth?
02-09-2008 03:18 AM
This does work with Microsoft's EAP Supplicant as I have tested it in the lab and deployed it on a customer site. It was a while ago though....
I referred to this document on MS's site:
http://www.microsoft.com/technet/network/wifi/ed80211.mspx
Plus probably the same document you were using from CCO.
I also installed the two Microsoft Wireless updates for XP SP2 computers, however I am not 100% sure these were essential. The default supplicant behaviour worked OK as the APs send EAP frames to the associated wireless clients, which kick-starts the supplicant on the PC. I think the Wireless Profile needed to be on the PC (SSID & its settings); however, this can be pushed via GPO, but if the machine has never been on the network (wired/wireless) you can get into a chicken-and-egg situation.
You don't need to use the Cisco supplicant.
HTH
Andy
02-11-2008 01:33 AM
Cheers for all the replies.
I also installed hotfix x 2 for XP SP2 wireless / supplicant, it fixed an issue with fast roaming, where the client would drop a few pings, and either prompt for re-auth or show the credentials again.
However, the big fix - the customer had "inadvertently" installed MS IAS on the DC that was hosting the remote agent for ACS.
Uninstalled IAS and happy days, everything works.
So in summary - WZC, PEAP, fast-reconnect, ACS SE all works.
Thought my marbles had been displaced, but all sane again now....
Thanks again for taking time to reply, much appreciated.