I'm using Cisco ACS and Windows 2K Domain to authenticate Windows XP users connecting to a 1200AP with two SSIDs. I can get PEAP to authenticate only when using the Cisco PEAP supplicant installed (the Microsoft-provided supplicant just does not work), and only when both the "Authenticate as Computer when Computer information is Available" and "Validate Server Certificate" boxes are NOT selected using the WinXP wireless config. This is contradictory to the Cisco-provided instructions I used:
http://www.cisco.com/warp/public/480/acs-peap.pdf
I am not using Cisco ACU or ACM. Environment details:
WinXP clients w/ SP2-driver dated
AP1200 IOS ver 12.2(15)XR2 - Using (2) SSIDs, one fully open, no encryption. The other using PEAP and WPA/TKIP Mandatory
ACS version 3.2(2)
Win2K domain with a Win2K cert server
A bit more background on the certificates. We are not using Domain Integrated or Enterprise certs in our environment and have just a Stand Alone Root CA. The clients obtain their certs manually through the web interface and this works just fine.
A few questions I have are:
1. Why can't I authenticate using just the Windows supplicant?
2. What is the purpose of the "Authenticate as Computer when Computer Information Available" and "Validate Server Certificate" options?
3. Can PEAP work with OSX 10.3?
4. Lastly, I understood the process of PEAP to only utilize server side certs (those installed on ACS). Why are the clients required to install the certs?