Wireless 5508 802.1x Part 2

JohnTylerPearce
Level 7

With Stephen's help I was able to get most of my Wireless 802.1x setup configured properly. I'm not having a problem with the client authenticating using user/pass credentials. I have a Wireless XP Client (testing with), which connects to a LWAP, which connects to a WLC 5508, and then Cisco ACS for authentication. I put in my user credentials of tylerp (test account) with the correct password but nothing happens, it just keeps asking me to enter in credentials after a few seconds. I started Wireshark on my laptop and I can see the following.

Source: Cisco_1e:3a:8f
Destination: IntelCor_85:9e:46
Protocol: EAP
Information: Request, Identity [RFC3748]

It looks like it's asking the client for credentials but when I submit my credentials I don't see any response via Wireshark. I'm not sure why that is.

I have included several photos from my WLC/ACS configuration. Any help would be great!
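As an added illustration (not code from the thread or from Cisco), here is a small decoder for the EAP packets seen in the capture above: it parses the RFC 3748 header, names the method the authenticator proposes, and lists Request identifiers that never got a Response, which is the symptom described. The frames are constructed samples (EAP payload only, 802.11/EAPOL headers stripped); `tylerp` is the test account named in the post.

```python
import struct

# RFC 3748 Code and Type values that matter for a PEAP/MSCHAPv2 deployment.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def parse_eap(frame: bytes) -> dict:
    """Decode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(frame) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length < 4 or length > len(frame):
        raise ValueError(f"bad EAP length {length}")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):  # only Request/Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        t = frame[4]
        pkt["type"] = EAP_TYPES.get(t, f"unknown({t})")
        data = frame[5:length]
        if t == 1:
            # The outer identity travels in cleartext; only the inner
            # MSCHAPv2 exchange is protected by the PEAP TLS tunnel.
            pkt["identity"] = data.decode("utf-8", errors="replace")
        elif t == 3:
            pkt["nak_wants"] = [EAP_TYPES.get(b, f"unknown({b})") for b in data]
    return pkt


def unanswered_requests(frames) -> list:
    """Request Identifiers with no Response carrying the same Identifier."""
    pkts = [parse_eap(f) for f in frames]
    answered = {p["id"] for p in pkts if p["code"] == "Response"}
    return [p["id"] for p in pkts if p["code"] == "Request" and p["id"] not in answered]


# Constructed sample frames (not from the poster's capture).
REQ_IDENTITY = bytes([1, 1, 0, 5, 1])                 # what the WLC/AP sent
RESP_IDENTITY = bytes([2, 1, 0, 11, 1]) + b"tylerp"   # what the supplicant should answer
REQ_PEAP_START = bytes([1, 2, 0, 6, 25, 0x20])        # PEAP Start (S flag set)
EAP_FAILURE = bytes([4, 2, 0, 4])

if __name__ == "__main__":
    for f in (REQ_IDENTITY, RESP_IDENTITY, REQ_PEAP_START, EAP_FAILURE):
        print(parse_eap(f))
    print("stalled request ids:", unanswered_requests([REQ_IDENTITY]))
```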

77 Replies

According to the logs I got the following error message

-------------------------------------------------------------------------------

Authentication Failure Code Lookup

Description -> Selected Identity Source is DenyAccess

Resolution Steps -> Select a different Identity Source

Authentication Method - PEAP (EAP-MSCHAPv2)

ACS Username - tylerp

Radius Username - tylerp

John,

I noticed under your ACS Wireless Internal Access Policy, you have multiple items checked. You should only check MSCHAPv2 and PEAP. Also, if you are using user groups, how is the Access Policy for Default Network Access?

Can you post a screenshot of both the Default Network Access and the Wireless Internal? I would like to see all the tabs for both including your policy. Also can you screenshot the failed attempt in the monitor Authentication Radius Today?

-Scott
*** Please rate helpful posts ***

I will on Monday Scott. Thanks for the help.

No problem... what you can do on Monday is also test using local EAP on the WLC and see if that works. At least that eliminates your client to the WLC and then most likely it's something configured on your ACS.

-Scott
*** Please rate helpful posts ***

Stephen Rodriguez
Cisco Employee

Looking at that error, look at the ACS config. If it's set to look at the database, make sure that user has the grant dial-in permission allowed in AD.

Sent from Cisco Technical Support iPad App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Your SecureWireless Access Service is disabled. You need to create a new Service Selection Rule and point that to SecureWireless. I would then use a rule based selection for your SecureWireless and choose your NDG or the NAS IP Address of your WLC and use your Deminternal for your Identity Source.

-Scott
*** Please rate helpful posts ***

Thanks Scott, I'll try that out in a little bit and see how it goes. The other thing is, now that I have changed a few things and enabled the SecureWireless Access Service it's asking for a certificate while trying to connect.

The client is asking? Or the client (iPhone, iPad) is asking to validate the certificate.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Just to clarify... It's a long thread :)

You are using wpa2/aes with PEAP MSChapv2 for authentication.

Did you install a 3rd party certificate or create a self-signed certificate in ACS for 802.1x authentication?

The clients are configured for wpa2/aes PEAP.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I did not install a 3rd party certificate, I have also not created a self signed certificate in ACS for 802.1x authentication. I do know where to do that and after researching how PEAP works, it seems as if it uses a certificate to secure authentication, is this correct?

Yes that is correct. You need a server side certificate for PEAP.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

How do you get the client to trust the Cisco CA on the Cisco ACS itself? Considering I just created a self-signed certificate, I want the client to trust the CA on the Cisco ACS, do you have any idea how to do that? I've been trying to research, just haven't found anything concrete yet.

You would need to export the certificate from the ACS, then you could push the cert via a GPO.

To test though, you can uncheck the box in the supplicant that says "Validate Server Certificate" and see if you are able to gain access.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

I'm not sure why it says EAP-TLS, I haven't configured TLS anywhere..
