Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1166
Views
0
Helpful
3
Replies

PEAP with 3504 and Microsoft NPS

drehstrom
Level 1
Level 1

‎08-12-2021 06:32 AM

Hi there,

I'm trying to set up an WLAN within our facility using 802.1x authentication using certificate based PEAP. Wireless Controller is a CISCO 3504, set to WPA2 with 802.1x. RADIUS is running by Microsoft NPS.

I configured clients, RADIUS, and WLC by miscellaneous manuals I found but it just doesn't work. In the NPS-log I see the request coming in a being processed by the RADIUS but failing because the request always comes with Authentication-Type 5 (EAP) instead of 11. So it seems the RADIUS is working correctly.

Now I'm all out of ideas where to look. I'm not even sure if it's a client or a WLC problem. I configured the client WLAN exactly as I did with the wired network (which is working great).

Any hint or help is appreciated...

0 Helpful
3 Replies 3

Scott Fella
Hall of Fame
Hall of Fame

‎08-12-2021 10:10 AM

Wired uses eap-tls typically as that is easier. If you are using PEAP, then maybe it’s your protocol configuration in radius that is the issue. PEAP you can use computer auth or user auth and you need to make sure you have that set. I would assume you have a different policy for wired and wireless. 

-Scott
*** Please rate helpful posts ***
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎08-12-2021 10:12 AM

Take a look at this guide:

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

-Scott
*** Please rate helpful posts ***
0 Helpful

drehstrom
Level 1
Level 1
In response to Scott Fella

‎08-13-2021 12:06 AM

Hi Scott,

thanks for helping me out here. I already found the guide you suggest and followed it most of the way.

I do use different policies for wired and wireless but RADIUS isn't using either. I'm pretty sure that's because the request is coming in as EAP not PEAP. So RADIUS is using the last policy which is usually the "BLOCK ALL OTHERS". Thats exactly what the IAS-log says. As long as the WLC isn't changing the request it has to be a client problem. But I'm not sure about that. There are so many configuration items not mentioned within the guides I found (I'm probably using a newer firmware) that I'm unsure everything is set right.

Bye
Stephan

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card