01-24-2003 02:05 PM - edited 07-04-2021 08:28 AM
I can't get this combo working. Any assistance would be great.
ACS 3.1 with certs installed and PEAP / EAP-TLS enabled.
XP laptop with 350 PCMCIA card with newest firmware.
User database is Active Directory (RADIUS works for IOS and PIX okay)
AP1200 with 12.01T1 software.
AP configured for Accept Auth Type = Shared and Network EAP
Require EAP = Shared
What am I missing? Wireless works when all security is removed.
Thanks,
Patrick
01-24-2003 02:21 PM
If you run the eap diag 1 on the AP, it will quickly show whether it is the client card not sending the username/password or the server rejecting the request.
Here is how to run the diag:
If you find it is the server, the ACS docs have plenty of details on how to debug the server; if it is the client, then please double-check the config.
Most of the time it is the config on the ACS server.
The link on the diag shows a working log of the debug so you can see how far you make it through the process.
01-27-2003 12:14 PM
Here is a complete debug of a failed client. It looks like it's a problem with ACS but I can't find anything. Any thoughts?
2 days, 20:12:01 (Info): Station 0009b74aa66b Authenticated
Dot1x entry (SLA\RIcenhour,0009b74aa66b) is being deleted(Current Count=1)
2 days, 20:12:01 (Info): Station 0009b74aa66b Associated
Dot1X Authentication Entry (0009b74aa66b) is created (Current Count=2)
RADIUS: Sending EAP-Request/Identity(id=1) packet to client 0009b74aa66b
EAP: Received EAPOL-Start from client 0009b74aa66b
RADIUS: Sending EAP-Request/Identity(id=2) packet to client 0009b74aa66b
EAP: Received EAP-Response/Identity(id=2) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Sending EAP-Request/EAP-LEAP(id=9) packet to client 0009b74aa66b
EAP: Received EAP-Response/Nak(id=9) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Sending EAP-Request/EAP-PEAP(id=18) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=18) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Sending EAP-code=37/type=101(id=50) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=19) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 255
RADIUS: Appending EAP attribute value of length 251
RADIUS: Sending EAP-code=82/type=69(id=86) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=20) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Received Challenge Request
RADIUS: Server's state attribute was saved
RADIUS: Appending EAP attribute value of length 76
RADIUS: Sending EAP-code=0/type=44(id=232) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=21) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
2 days, 20:12:17 (Warning): No EAP-Authentication response for Station 0009b74aa66b from server 10.1.40.50
Could not get a secondary Server Serving 802.1x function.
2 days, 20:12:17 (Info): Deauthenticating 0009b74aa66b, reason "Previous Authentication No Longer Valid"
01-27-2003 12:58 PM
Yes it does appear to be a server problem.
Please debug the radius server to see why it is failing.
Also, on the client card, which version of ACU, NDIS and firmware do you have? I would try the latest bundle if you do not already have it.
01-27-2003 01:26 PM
How do I debug ACU? Is there a trace or debug function? The web logs don't say much. ACU - Failed Attempts log has "NAS duplicated authentication attempt" repeated many times.
I'm running ACU 5.05, driver ver 8.3.05, and firmware ver 5.02.10.
Another symptom is that the machine will BSOD upon insertion of the 350 adapter.
Thanks,
Patrick
01-27-2003 01:42 PM
Patrick
Have you seen this link?
http://www.cisco.com/warp/public/480/9.html
Please also see the documentation page; there is a chapter on logging and also one on troubleshooting, both of which will be useful here.
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs31/acsuser/index.htm
01-27-2003 02:01 PM
Thanks,
That's a great link on debugging.
Here is the result of an auth attempt.
Request from host 10.1.40.22:1812 code=1, id=13, length=184 on port 1039
[001] User-Name value: SLA\pbrown
[026] Vendor-Specific vsa id: 9
[001] cisco-av-pair value: ssid=SLA
[004] NAS-IP-Address value: 10.1.40.22
[030] Called-Station-Id value: 000b5fbcbf65
[031] Calling-Station-Id value: 0009b74aa66b
[032] NAS-Identifier value: AP1200-bcbf65
[005] NAS-Port value: 37
[012] Framed-MTU value: 1400
[024] State value: CISCO-EAP-CHALLENGE=0.ffffffff.ff.4
[061] NAS-Port-Type value: 19
[006] Service-Type value: 1
[079] EAP-Message value: ......
[080] Message-Authenticator value: 51 E9 45 4A E8 9B 25 7C 06 20 86 58 09 F6 19 47
ExtensionPoint: Initiating scan of configured extension points...
ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Aironet]
ExtensionPoint: [AironetEAP.DLL] Calling station attribute=0009b74aa66b
ExtensionPoint: [AironetEAP.DLL] NAS port attribute=37
ExtensionPoint: [AironetEAP.DLL] EAP attribute type=0 size=6
ExtensionPoint: [AironetEAP.DLL] EAP Attribute=02 93 00 06 19 00
ExtensionPoint: [AironetEAP.DLL] Requesting lock for mac 0009b74aa66b, LOCK COUNT=1
ExtensionPoint: [AironetEAP.DLL] Currently 4 clients in list
ExtensionPoint: [AironetEAP.DLL] Expired client mac=0009b74aa66b busy, will remove later
ExtensionPoint: [AironetEAP.DLL] Expired client mac=0009b74aa66b busy, will remove later
ExtensionPoint: [AironetEAP.DLL] Expired client mac=0009b74aa66b busy, will remove later
ExtensionPoint: [AironetEAP.DLL] Releasing lock for mac 0009b74aa66b, LOCK COUNT=0
ExtensionPoint: [AironetEAP.dll->AuthenticationExtension] returned [1 - ignored]
ExtensionPoint: Calling [AuthenticationExtension] for Supplier [Cisco Generic EAP]
ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]
ExtensionPoint: Start of Attribute Set
[079] EAP-Message value:
ExtensionPoint: End of Attribute Set
User:SLA\pbrown - Session no longer exists
Error -1047 authenticating SLA\pbrown - no NAS response sent
Any insight would be greatly appreciated.
Thanks
Patrick
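One way to read the two debugs in this thread side by side, as an added example that is not part of the thread and not a Cisco tool: a small Python triage script that walks the AP's eap diag output to see which EAP method the client accepted and whether the RADIUS server stopped answering, parses the ACS authentication debug (rejoining attribute values the console wrapped, like the State attribute above), and reports which side dropped the exchange. The function names, the regexes and the verdict rules are my own; the sample lines are constructed excerpts trimmed from the output quoted in the posts above, so the MAC, server address and error code are the thread's.

```python
import re

# Constructed excerpts, trimmed from the AP "eap diag" output and the ACS
# authentication debug quoted in this thread; the values are the thread's own.
AP_LOG = r"""
RADIUS: Sending EAP-Request/Identity(id=2) packet to client 0009b74aa66b
EAP: Received EAP-Response/Identity(id=2) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Sending EAP-Request/EAP-LEAP(id=9) packet to client 0009b74aa66b
EAP: Received EAP-Response/Nak(id=9) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
RADIUS: Sending EAP-Request/EAP-PEAP(id=18) packet to client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=18) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
RADIUS: Received packet for client 0009b74aa66b
EAP: Received EAP-Response/EAP-PEAP(id=21) packet from client 0009b74aa66b
EAP: Forwarding packet to RADIUS server
2 days, 20:12:17 (Warning): No EAP-Authentication response for Station 0009b74aa66b from server 10.1.40.50
"""

ACS_LOG = r"""
Request from host 10.1.40.22:1812 code=1, id=13, length=184 on port 1039
[001] User-Name value: SLA\pbrown
[031] Calling-Station-Id value: 0009b74aa66b
[024] State value: CISCO-EAP-CHALLENGE=0.ffff
ffff.ff.4
[079] EAP-Message value: ......
ExtensionPoint: [AironetEAP.dll->AuthenticationExtension] returned [1 - ignored]
ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [3 - reject]
User:SLA\pbrown - Session no longer exists
Error -1047 authenticating SLA\pbrown - no NAS response sent
"""

MAC = r"[0-9a-f]{12}"
AP_REQ = re.compile(rf"Sending EAP-Request/(?P<method>[\w-]+)\(id=\d+\) packet to client (?P<mac>{MAC})")
AP_RESP = re.compile(r"Received EAP-Response/(?P<method>[\w-]+)\(id=\d+\) packet from client")
AP_TIMEOUT = re.compile(rf"No EAP-Authentication response for Station {MAC} from server (?P<ip>[\d.]+)")
ACS_ATTR = re.compile(r"^\[\d{3}\] (?P<name>[\w-]+) value: ?(?P<val>.*)$")
ACS_EXT = re.compile(r"\[(?P<dll>[\w.]+)->AuthenticationExtension\] returned \[(?P<code>\d+) - (?P<verdict>\w+)\]")
ACS_ERR = re.compile(r"^Error (?P<code>-?\d+) authenticating (?P<user>\S+) - (?P<detail>.+)$")


def parse_ap_eap_log(text):
    # Which EAP method the client refused/accepted, and whether RADIUS stopped answering.
    s = {"station": None, "refused": [], "accepted": None, "forwarded": 0, "answered": 0, "server_timeout": None}
    last_offered = None
    for line in text.strip().splitlines():
        if m := AP_REQ.search(line):
            s["station"], last_offered = m["mac"], m["method"]
        elif m := AP_RESP.search(line):
            if m["method"] == "Nak":                        # client rejected the offered method
                s["refused"].append(last_offered)
            elif m["method"] != "Identity" and s["accepted"] is None:
                s["accepted"] = m["method"]                 # first method the client answered
        elif "Forwarding packet to RADIUS server" in line:
            s["forwarded"] += 1
        elif "Received packet for client" in line:
            s["answered"] += 1
        elif m := AP_TIMEOUT.search(line):
            s["server_timeout"] = m["ip"]
    return s


def parse_acs_auth_log(text):
    # RADIUS attributes, extension-point verdicts and the final error; a value the
    # console wrapped onto the next line is glued back onto its attribute.
    r = {"attributes": {}, "extensions": [], "session_gone": False, "error": None}
    last_attr = None
    for line in text.strip().splitlines():
        if m := ACS_ATTR.match(line):
            last_attr = m["name"]
            r["attributes"][last_attr] = m["val"].strip()
            continue
        if last_attr and not line.startswith(("[", "ExtensionPoint", "Request", "User:", "Error")):
            r["attributes"][last_attr] += line.strip()      # continuation of a wrapped value
            continue
        last_attr = None
        if m := ACS_EXT.search(line):
            r["extensions"].append((m["dll"], int(m["code"]), m["verdict"]))
        elif m := ACS_ERR.match(line):
            r["error"] = {"code": int(m["code"]), "user": m["user"], "detail": m["detail"]}
        elif "Session no longer exists" in line:
            r["session_gone"] = True
    return r


def triage(ap_text, acs_text):
    # Decide which side dropped the exchange and collect the supporting evidence.
    ap, acs = parse_ap_eap_log(ap_text), parse_acs_auth_log(acs_text)
    evidence = []
    if ap["station"] and ap["station"] == acs["attributes"].get("Calling-Station-Id"):
        evidence.append(f"both logs concern client {ap['station']}")
    if ap["accepted"]:
        evidence.append(f"client negotiated {ap['accepted']} after refusing {', '.join(ap['refused']) or 'nothing'}")
    if ap["server_timeout"]:
        evidence.append(f"{ap['forwarded'] - ap['answered']} forwarded EAP response(s) never answered by {ap['server_timeout']}")
    if acs["session_gone"] or (acs["error"] and "no NAS response sent" in acs["error"]["detail"]):
        evidence.append("ACS dropped the session and sent the AP no reply")
    verdict = "server" if ap["server_timeout"] else "client" if ap["accepted"] is None else "unknown"
    return {"verdict": verdict, "evidence": evidence}
```

Run against the two excerpts, `triage(AP_LOG, ACS_LOG)` returns the verdict "server" with four pieces of evidence: the same client MAC appears in both logs, the client refused LEAP and negotiated PEAP, the AP forwarded one PEAP response that 10.1.40.50 never answered, and the ACS side shows it had already discarded the session and deliberately sent nothing back. That matches the direction the replies in the thread take (the AP got the client through method negotiation, so the place to keep digging is the ACS side), and the same script can be pointed at a fresh capture to see whether a config change moved the failure point.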
01-28-2003 05:11 AM
Patrick,
I am far from an expert on the ACS sorry.
Couple of things to look at.
Can you ping the access point from the ACS server using 1500-byte packets? Make sure you can consistently ping it.
You do have the AP configured as a NAS in the ACS? The NAS type is right?
If these don't lead you to anything, I think it is getting to the point where you would be best served by a TAC case. Please raise the case on the ACS server and include both of the debugs.