
PEAP Login Slow w/ Errors

meditz
Level 1

Hi,

I was curious if the PEAP users of the Cisco forum (MS or Cisco PEAP) could state their login process, the amount of time it takes to authenticate, and if the error logs below are normal.

I have set up both the MS and Cisco versions and the Cisco is still taking approx. 2 minutes to log in. The MS is using the Ctrl-Alt-Del credentials and takes about 1 min. and 20 seconds to authenticate. Our LEAP test environment authenticates the quickest at around 30 seconds using Ctrl-Alt-Del credentials.

Patches applied to XP stations are:

826942 - Wireless Rollup Patch

822725 - Spec. Rqst to MS for Slow Wireless Auth.

815485 - WPA Patch

We are testing both the Cisco PEAP and MS PEAP version using WPA and TKIP on a Cisco AP350 running IOS 12.2(13)JA1.

When using the Cisco PEAP version, the AP log shows 6 entries per login (5 fails, 1 success):

Dec 24 18:15:17.348: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed

Dec 24 18:15:21.310: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed

Dec 24 18:15:24.684: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed

Dec 24 18:15:28.086: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed

Dec 24 18:15:31.455: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed

Dec 24 18:15:44.979: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ITDISGNBO14 000a.b7bb.02fb Reassociated KEY_MGMT[WPA]

When using the MS PEAP version, the AP log shows 2 entries per login (1 fail, 1 success):

Dec 24 18:26:20.557: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed

Dec 24 18:26:21.674: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ITDISGNBO14 000a.b7bb.02fb Reassociated KEY_MGMT[WPA]

Both versions are working (eventually) after the long logins. ACS doesn't show any failed authentications in the log. It is logging the successes just fine. The ACS is 3.2 w/ a server certificate installed and the clients set up to trust the CA.

Any feedback is appreciated.

Thanks,


b.tay
Level 1

Assuming you are using the Microsoft supplicant with PEAP+MSCHAPv2, the different phases of authentication are as follows:

1st Authentication ==> Wireless Open/Shared Key Authentication

(transparent to user - activated by the wireless supplicant automatically)

2nd Authentication ==> 802.1x PEAP "computer account" authentication

(transparent to user - activated by wireless supplicant and enabling "authenticated when computer information")

3rd Authentication ==> "computer logon process" authentication to domain controller/active directory

(transparent to user - activated by Windows 2000 / XP)

4th Authentication ==> "user logon process" authentication to domain controller/active directory

(transparent to user - activated by Windows 2000 / XP)

5th Authentication ==> 802.1x PEAP "domain account" authentication

(transparent to user - activated by wireless supplicant and enabling wireless supplicant for PEAP, use my windows username and password)

Seems like you are having problems with the 5th authentication. Did you try:

http://support.microsoft.com/default.aspx?scid=kb;en-us;829116

http://support.microsoft.com/default.aspx?scid=kb;en-us;823731

I am wondering whether the problem is with TCP/IP or 802.1x.

Regards

marcbutler
Level 1

Well, as far as the ACS reporting failures, just make sure that you have turned on failed authentication logging.

For the PEAP login, I see similar issues with time of login at times with a client we have installed a similar scenario for. However, often it will authenticate and give me an IP address within moments. I take it that you are using XP with SP1 installed and the Cisco PEAP supplicant? This is the only way I was able to get it to work at all.

Hope you get this fixed.

Marc

mcvosi
Level 1

I'm seeing the same problem as you, but I'm not seeing the same ratio of unsuccessful authentications as you. My clients eventually authenticate, but it does take a while...

I'm also not using the 822725 fix. How did you obtain this?

Edit: My AP happens to be an AP1200.

822725 can be obtained from MS by opening a case w/ them. I actually think it is included in the wireless rollup hotfix:

http://support.microsoft.com/?kbid=826942

I am having the same symptoms using AP1200's and 350's running 12.2(13)JA1.

Cisco TAC came back w/ this:

Cisco PEAP Debug:

AP requested for EAP identity

*Mar 5 02:31:11.113: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e

AP receives a response but the username field is empty

*Mar 5 02:31:23.906: RADIUS: User-Name [1] 2 ""

AP sends challenge to client

*Mar 5 02:31:24.066: RADIUS: Received from id 21646/150 166.107.125.78:1812, Access-Challenge, len 1093

Client never responds, the authentication times out after 30 seconds.

*Mar 5 02:31:54.177: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e

Authentication restarts, but no response again after 30 seconds.

*Mar 5 02:31:54.417: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e

*Mar 5 02:31:54.417: dot11_dot1x_client_send_eapol: sending eapol to client 0007.0eb8.d37e

*Mar 5 02:32:24.417: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e

Authentication restarts over again with another timeout

*Mar 5 02:32:30.679: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e

*Mar 5 02:32:30.679: dot11_dot1x_client_send_eapol: sending eapol to client 0007.0eb8.d37e

*Mar 5 02:33:00.678: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e

It's been almost two minutes, finally we get a response with correct identity.

*Mar 5 02:33:00.947: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e

*Mar 5 02:33:00.947: dot11_dot1x_client_send_eapol: sending eapol to client 0007.0eb8.d37e

*Mar 5 02:33:03.460: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0007.0eb8.d37e, type 0

****

*Mar 5 02:33:03.464: RADIUS: User-Name [1] 19 "PEAP-00070EB8D37E"

Authentication eventually passes within 15 to 20 seconds.

*Mar 5 02:33:13.898: dot11_dot1x_handshake_pass: Handshake pass for 0007.0eb8.d37e

A similar problem is observed in the Microsoft PEAP debugs, with several timeouts as well, which is a known issue with Microsoft Windows XP.
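The timeline TAC walks through above can be measured mechanically when triaging slow 802.1X logins. The following Python sketch is an added example, not part of the original thread or any Cisco tool; it runs over lines copied from the debug excerpt above, and the function name `summarize` and the placeholder year are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the TAC debug excerpt quoted in the thread above.
DEBUG_LOG = '''\
*Mar 5 02:31:11.113: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:31:23.906: RADIUS: User-Name [1] 2 ""
*Mar 5 02:31:54.177: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
*Mar 5 02:31:54.417: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:32:24.417: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
*Mar 5 02:32:30.679: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:33:00.678: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
*Mar 5 02:33:00.947: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:33:03.464: RADIUS: User-Name [1] 19 "PEAP-00070EB8D37E"
*Mar 5 02:33:13.898: dot11_dot1x_handshake_pass: Handshake pass for 0007.0eb8.d37e
'''

LINE = re.compile(r'^\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): (.*)$')
MAC = re.compile(r'for ([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})')

def parse_ts(stamp):
    # IOS omits the year; 2000 is an arbitrary placeholder so deltas can be computed.
    return datetime.strptime('2000 ' + stamp, '%Y %b %d %H:%M:%S.%f')

def summarize(log_text):
    """Per-station identity requests, CLIENT_WAIT timeouts and seconds to handshake pass."""
    stations, empty_identities = {}, 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if 'User-Name' in msg and msg.endswith('""'):
            empty_identities += 1      # supplicant answered with an empty identity
            continue
        mac = MAC.search(msg)
        if not mac:
            continue
        s = stations.setdefault(mac.group(1), {
            'first': ts, 'id_requests': 0, 'timeouts': 0, 'seconds_to_pass': None})
        if 'send_id_req_to_client' in msg:
            s['id_requests'] += 1
        elif 'Action(CLIENT_WAIT,TIMEOUT)' in msg:
            s['timeouts'] += 1
        elif 'handshake_pass' in msg:
            s['seconds_to_pass'] = (ts - s['first']).total_seconds()
    return stations, empty_identities

if __name__ == '__main__':
    print(summarize(DEBUG_LOG))
```

A station with several timeouts and a large `seconds_to_pass` while the RADIUS server logs only successes matches the pattern in this thread: the delay is on the supplicant side of the exchange, not in the authentication server.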
