Re: PEAP/Cisco ACS keeps reauthenticating

lnorrie · ‎11-12-2004

Hi,

I have the follwing setup: Cisco ACS using extrnal NT Servers as databases to map NT groups to Cisco Secure Groups. The ACS is currently authenticating with all but one group maping fine. The problem I have is with our Cisco 1100 Series Access points. Now when using LEAP I see users picking up a DHCP address and authenticating fine using their NT user accounts. However we are looking to use PEAP (due to not all users...some third party not having the Aironet ACU). Now when I go to use PEAP the Wireless LAN cards makes their association with the access point fine, then the standard static password entry pops up. After user credentails have been entered the ACU monitor notifies me of a successful authentication (which I can see on our ACS) however the WLAN client does not Pick up a DHCP address and after 5 seconds the Static password prompts me to reauthenticate(ACU reads that is is starting authentication again). I was wondering if there is a blindingly obvious reason why I can get this setup to work with LEAP but not PEAP. Sorry if the info is very thin I've just started working in this new environment.

Cheers,

dixho · ‎11-12-2004

What kind of PEAP do you use? (PEAP-GTC or PEAP MS-CHAP v2).

I wonder if you can go to the ACS and find out the fail attempts log. There are just too many reason why it does not work. I need more information to narrow down the root cause.

lnorrie · ‎11-15-2004

Hi using PEAP MS-CHAP v2

Now this is the interseting thing the ACS shows that I have passed authentication but as mentoned the enter static password screen reapeears again every four seconds and I don't pick up an address by DHCP.

See log below:

12/11/2004 15:42:08 Authen OK MFLNET\zrossbr Staff Wireless 0011.2093.b929 415 10.1.120.8 ..

12/11/2004 15:42:05 Authen OK MFLNET\zrossbr Staff Wireless 0011.2093.b929 414 10.1.120.8 ..

12/11/2004 15:42:01 Authen OK MFLNET\zrossbr Staff Wireless 0011.2093.b929 413 10.1.120.8

Cheers.