12-24-2003 10:35 AM - edited 07-04-2021 09:14 AM
Hi,
I was curious if the PEAP users of the Cisco forum (MS or Cisco PEAP) could state their login process, the amount of time it takes to authenticate, and if the error logs below are normal.
I have set up both the MS and Cisco versions, and the Cisco one is still taking approx. 2 minutes to log in. The MS one is using the Ctrl-Alt-Del credentials and takes about 1 min. and 20 seconds to authenticate. Our LEAP test environment authenticates the quickest, at around 30 seconds, using Ctrl-Alt-Del credentials.
Patches applied to XP stations are:
826942 - Wireless Rollup Patch
822725 - Spec. Rqst to MS for Slow Wireless Auth.
815485 - WPA Patch
We are testing both the Cisco PEAP and MS PEAP version using WPA and TKIP on a Cisco AP350 running IOS 12.2(13)JA1.
When using the Cisco PEAP version, the AP log shows 6 entries per login (5 fails, 1 success):
Dec 24 18:15:17.348: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:21.310: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:24.684: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:28.086: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:31.455: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:44.979: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ITDISGNBO14 000a.b7bb.02fb Reassociated KEY_MGMT[WPA]
When using the MS PEAP version, the AP log shows 2 entries per login (1 fail, 1 success):
Dec 24 18:26:20.557: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:26:21.674: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ITDISGNBO14 000a.b7bb.02fb Reassociated KEY_MGMT[WPA]
Both versions are working (eventually) after the long logins. ACS doesn't show any failed authentications in the log. It is logging the successes just fine. The ACS is 3.2 w/ a server certificate installed and the clients set up to trust the CA.
Any feedback is appreciated.
Thanks,
12-26-2003 07:48 AM
Assuming you are using the Microsoft supplicant with PEAP+MSCHAPv2, the different phases of authentication are as follows:
1st Authentication ==> Wireless Open/Shared Key Authentication
(transparent to user - activated by the wireless supplicant automatically)
2nd Authentication ==> 802.1x PEAP "computer account" authentication
(transparent to user - activated by the wireless supplicant by enabling "authenticate when computer information [is available]")
3rd Authentication ==> "computer logon process" authentication to domain controller/Active Directory
(transparent to user - activated by Windows 2000 / XP)
4th Authentication ==> "user logon process" authentication to domain controller/Active Directory
(transparent to user - activated by Windows 2000 / XP)
5th Authentication ==> 802.1x PEAP "domain account" authentication
(transparent to user - activated by the wireless supplicant by enabling the supplicant for PEAP with "use my Windows username and password")
It seems like you are having problems with the 5th authentication. Did you try:
http://support.microsoft.com/default.aspx?scid=kb;en-us;829116
http://support.microsoft.com/default.aspx?scid=kb;en-us;823731
I am wondering whether the problem is with TCP/IP or 802.1x.
Regards
01-13-2004 01:51 AM
Well, as far as the ACS reporting failures, just make sure that you have turned on failed authentication logging.
For the PEAP login, I see similar issues with time of login at times with a client we have installed a similar scenario for. However, often it will authenticate and give me an IP address within moments. I take it that you are using XP with SP1 installed and the Cisco PEAP supplicant? This is the only way I was able to get it to work at all.
Hope you get this fixed.
Marc
01-13-2004 08:37 AM
I'm seeing the same problem as you, but I'm not seeing the same ratio of unsuccessful authentications as you. My clients eventually authenticate, but it does take a while...
I'm also not using the 822725 fix. How did you obtain this?
Edit: My AP happens to be an AP1200.
01-14-2004 08:54 AM
822725 can be obtained from MS by opening a case w/ them. I actually think it is included in the wireless rollup hotfix:
http://support.microsoft.com/?kbid=826942
I am having the same symptoms using AP1200s and 350s running 12.2(13)JA1.
Cisco TAC came back w/ this:
Cisco PEAP Debug:
AP requests the EAP identity:
*Mar 5 02:31:11.113: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
AP receives a response, but the username field is empty:
*Mar 5 02:31:23.906: RADIUS: User-Name [1] 2 ""
AP sends challenge to client:
*Mar 5 02:31:24.066: RADIUS: Received from id 21646/150 166.107.125.78:1812, Access-Challenge, len 1093
Client never responds; the authentication times out after 30 seconds.
*Mar 5 02:31:54.177: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
Authentication restarts, but again there is no response after 30 seconds.
*Mar 5 02:31:54.417: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:31:54.417: dot11_dot1x_client_send_eapol: sending eapol to client 0007.0eb8.d37e
*Mar 5 02:32:24.417: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
Authentication restarts over again with another timeout:
*Mar 5 02:32:30.679: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:32:30.679: dot11_dot1x_client_send_eapol: sending eapol to client 0007.0eb8.d37e
*Mar 5 02:33:00.678: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
It's been almost two minutes; finally we get a response with the correct identity.
*Mar 5 02:33:00.947: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:33:00.947: dot11_dot1x_client_send_eapol: sending eapol to client 0007.0eb8.d37e
*Mar 5 02:33:03.460: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0007.0eb8.d37e, type 0
****
*Mar 5 02:33:03.464: RADIUS: User-Name [1] 19 "PEAP-00070EB8D37E"
Authentication eventually passes within 15 to 20 seconds.
*Mar 5 02:33:13.898: dot11_dot1x_handshake_pass: Handshake pass for 0007.0eb8.d37e
A similar problem is observed in the Microsoft PEAP debugs, with several timeouts as well, which is a known issue with Microsoft Windows XP.
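The two kinds of evidence in this thread (the AP syslog `%DOT11-7-AUTH_FAILED` / `%DOT11-6-ASSOC` lines from the first post, and the `debug dot11 dot1x` identity-request/timeout sequence TAC provided above) can be turned into numbers instead of eyeballed. The script below is an added example written for this page, not code from any of the posters or from Cisco; it parses both formats and reports, per station, how many failures preceded each successful association, how many identity requests went unanswered, and how long the supplicant took to send a usable identity. Assumptions: the regexes are written only against the exact message forms quoted in this thread (not a general IOS syslog parser), IOS timestamps carry no year so `ASSUMED_YEAR` is fixed to make the arithmetic work, and the sample lines are copied from the posts above (the debug lines the forum ran together are split one per line, with the `send_eapol` bookkeeping lines left out).

```python
"""Reconstruct 802.1X/PEAP login timelines from Cisco IOS AP output (added example, not
from the thread): syslog %DOT11 lines and "debug dot11 dot1x" lines as quoted above."""
import re
from datetime import datetime

# Sample input copied from the posts in this thread (debug lines the forum ran
# together are split one per line; the send_eapol bookkeeping lines were dropped).
CISCO_PEAP_AP_LOG = """\
Dec 24 18:15:17.348: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:21.310: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:24.684: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:28.086: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:31.455: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:15:44.979: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ITDISGNBO14 000a.b7bb.02fb Reassociated KEY_MGMT[WPA]
""".splitlines()
MS_PEAP_AP_LOG = """\
Dec 24 18:26:20.557: %DOT11-7-AUTH_FAILED: Station 000a.b7bb.02fb Authentication failed
Dec 24 18:26:21.674: %DOT11-6-ASSOC: Interface Dot11Radio0, Station ITDISGNBO14 000a.b7bb.02fb Reassociated KEY_MGMT[WPA]
""".splitlines()
DOT1X_DEBUG = """\
*Mar 5 02:31:11.113: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:31:23.906: RADIUS: User-Name [1] 2 ""
*Mar 5 02:31:24.066: RADIUS: Received from id 21646/150 166.107.125.78:1812, Access-Challenge, len 1093
*Mar 5 02:31:54.177: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
*Mar 5 02:31:54.417: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:32:24.417: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
*Mar 5 02:32:30.679: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:33:00.678: dot11_dot1x_run_rfsm: Executing Action(CLIENT_WAIT,TIMEOUT) for 0007.0eb8.d37e
*Mar 5 02:33:00.947: dot11_dot1x_send_id_req_to_client: sending identity request for 0007.0eb8.d37e
*Mar 5 02:33:03.460: dot11_dot1x_parse_client_pak: Received EAPOL packet from 0007.0eb8.d37e, type 0
*Mar 5 02:33:03.464: RADIUS: User-Name [1] 19 "PEAP-00070EB8D37E"
*Mar 5 02:33:13.898: dot11_dot1x_handshake_pass: Handshake pass for 0007.0eb8.d37e
""".splitlines()

# Patterns written against the message forms quoted in the thread only (assumption).
TS_RE = re.compile(r"^\*?(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d\.\d{3}): (.*)$")
FAIL_RE = re.compile(r"%DOT11-7-AUTH_FAILED: Station ([0-9a-f.]+) Authentication failed")
ASSOC_RE = re.compile(r"%DOT11-6-ASSOC: .*Station \S+ ([0-9a-f.]+) Reassociated")
IDREQ_RE = re.compile(r"dot11_dot1x_send_id_req_to_client: sending identity request for ([0-9a-f.]+)")
TIMEOUT_RE = re.compile(r"dot11_dot1x_run_rfsm: Executing Action\(CLIENT_WAIT,TIMEOUT\) for ([0-9a-f.]+)")
USER_RE = re.compile(r'RADIUS: User-Name \[1\] \d+ "([^"]*)"')
PASS_RE = re.compile(r"dot11_dot1x_handshake_pass: Handshake pass for ([0-9a-f.]+)")
ASSUMED_YEAR = 2004  # IOS timestamps carry no year; assumed so datetime arithmetic works

def parse_ts(text):
    """'Dec 24 18:15:17.348' or 'Mar 5 02:31:11.113' -> datetime (year assumed)."""
    return datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S.%f")

def timestamped(lines):
    """Yield (datetime, message) for each line carrying an IOS timestamp; skip the rest."""
    for line in lines:
        m = TS_RE.match(line.strip())
        if m:
            yield parse_ts(m.group(1)), m.group(2)

def login_attempts(lines):
    """Per successful (re)association: AUTH_FAILED count for that station since its
    previous association, and seconds from the first failure to the association."""
    pending = {}  # station MAC -> (time of first failure, failure count)
    results = []
    for ts, msg in timestamped(lines):
        fail = FAIL_RE.search(msg)
        if fail:
            first, count = pending.get(fail.group(1), (ts, 0))
            pending[fail.group(1)] = (first, count + 1)
            continue
        assoc = ASSOC_RE.search(msg)
        if assoc:
            first, count = pending.pop(assoc.group(1), (ts, 0))
            results.append({"station": assoc.group(1), "failures": count,
                            "seconds": round((ts - first).total_seconds(), 3)})
    return results

def dot1x_timeline(lines):
    """Summarise one station's dot1x debug: identity requests sent, CLIENT_WAIT timeouts,
    empty User-Name replies, and seconds from the first identity request to a real
    identity and to the final handshake pass."""
    summary = {"station": None, "id_requests": 0, "timeouts": 0, "empty_identity": 0,
               "identity": None, "seconds_to_identity": None, "seconds_to_pass": None}
    start = None  # time of the first identity request
    for ts, msg in timestamped(lines):
        idreq, user = IDREQ_RE.search(msg), USER_RE.search(msg)
        if idreq:
            start = start or ts
            summary["station"] = idreq.group(1)
            summary["id_requests"] += 1
        elif TIMEOUT_RE.search(msg):
            summary["timeouts"] += 1
        elif user and user.group(1) == "":
            summary["empty_identity"] += 1
        elif user and summary["identity"] is None and start is not None:
            summary["identity"] = user.group(1)
            summary["seconds_to_identity"] = round((ts - start).total_seconds(), 3)
        elif PASS_RE.search(msg) and start is not None:
            summary["seconds_to_pass"] = round((ts - start).total_seconds(), 3)
    return summary

if __name__ == "__main__":
    for label, log in (("Cisco PEAP", CISCO_PEAP_AP_LOG), ("MS PEAP", MS_PEAP_AP_LOG)):
        for attempt in login_attempts(log):
            print(f"{label}: {attempt}")
    print(dot1x_timeline(DOT1X_DEBUG))
```

On the thread's own data this reports 5 failures over 27.6 s before the Cisco PEAP association and 1 failure over 1.1 s for MS PEAP, and in the TAC debug 4 identity requests, 3 CLIENT_WAIT timeouts and one empty User-Name before a real identity arrives 112 s after the first request (handshake pass at 123 s). Feeding a longer `show log` capture through `login_attempts` separates "slow but eventually succeeds" stations from ones that never associate, which is the distinction to make before deciding whether the AP, the supplicant or ACS is at fault.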