12-16-2011 08:04 AM - edited 07-03-2021 09:15 PM
With Stephen's help I was able to get most of my Wireless 802.1x setup configured properly. I'm not having a problem with the client authenticating using user/pass credentials. I have a Wireless XP Client (testing with), which connects to a LWAP, which connects to a WLC 5508, and then Cisco ACS for authentication. I put in my user credentials of tylerp (test account) with the correct password but nothing happens, it just keeps asking me to enter in credentials after a few seconds. I started Wireshark on my laptop and I can see the following.
Source: Cisco_1e:3a:8f | Destination: IntelCor_85:9e:46 | Protocol: EAP | Information: Request, Identity [RFC3748]
It looks like it's asking the client for credentials but when I submit my credentials I don't see any response via Wireshark. I'm not sure why that is.
I have included several photos from my WLC/ACS configuration. Any help would be great!
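The capture above shows only the authenticator's Request/Identity and no Response/Identity from the supplicant. The following is an added example, not code from the original thread or from Cisco: it encodes and parses RFC 3748 EAP packets and builds the Response/Identity the client is expected to send back (same Identifier, Type 1, identity string as Type-Data). The Identifier values and the identity "tylerp" are constructed sample data.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EAP codes and the Identity type from RFC 3748.
const (
	EAPRequest  = 1
	EAPResponse = 2
	EAPSuccess  = 3
	EAPFailure  = 4

	EAPTypeIdentity = 1
)

// EAPPacket is the RFC 3748 packet: Code, Identifier, Length, and for
// Request/Response a Type byte followed by Type-Data.
type EAPPacket struct {
	Code     uint8
	ID       uint8
	Type     uint8  // only present in Request/Response
	TypeData []byte // the identity string in Response/Identity
}

// Marshal encodes the packet; Length covers the whole packet including the header.
func (p EAPPacket) Marshal() []byte {
	if p.Code == EAPSuccess || p.Code == EAPFailure {
		return []byte{p.Code, p.ID, 0, 4}
	}
	b := make([]byte, 5+len(p.TypeData))
	b[0], b[1], b[4] = p.Code, p.ID, p.Type
	binary.BigEndian.PutUint16(b[2:4], uint16(len(b)))
	copy(b[5:], p.TypeData)
	return b
}

// ParseEAP decodes one packet and rejects a Length field that disagrees with the data.
func ParseEAP(b []byte) (EAPPacket, error) {
	if len(b) < 4 {
		return EAPPacket{}, errors.New("eap: shorter than the 4-byte header")
	}
	n := int(binary.BigEndian.Uint16(b[2:4]))
	if n < 4 || n > len(b) {
		return EAPPacket{}, fmt.Errorf("eap: length %d inconsistent with %d bytes", n, len(b))
	}
	p := EAPPacket{Code: b[0], ID: b[1]}
	switch p.Code {
	case EAPSuccess, EAPFailure:
		return p, nil
	case EAPRequest, EAPResponse:
		if n < 5 {
			return EAPPacket{}, errors.New("eap: request/response without Type byte")
		}
		p.Type, p.TypeData = b[4], append([]byte(nil), b[5:n]...)
		return p, nil
	}
	return EAPPacket{}, fmt.Errorf("eap: unknown code %d", p.Code)
}

// IdentityResponse builds the Response/Identity the supplicant owes the
// authenticator: it echoes the request's Identifier and carries the identity.
func IdentityResponse(req EAPPacket, identity string) (EAPPacket, error) {
	if req.Code != EAPRequest || req.Type != EAPTypeIdentity {
		return EAPPacket{}, errors.New("eap: not a Request/Identity")
	}
	return EAPPacket{Code: EAPResponse, ID: req.ID, Type: EAPTypeIdentity, TypeData: []byte(identity)}, nil
}

func main() {
	// Constructed sample: the Request/Identity from the capture, Identifier 1.
	req := EAPPacket{Code: EAPRequest, ID: 1, Type: EAPTypeIdentity}
	resp, _ := IdentityResponse(req, "tylerp")
	fmt.Printf("request  % x\nresponse % x\n", req.Marshal(), resp.Marshal())
}
```

If the supplicant never emits the second frame, the problem is on the client side of the EAP exchange (supplicant configuration, or the client refusing to proceed); if it does and nothing follows, look at the WLC-to-RADIUS leg, which is where this thread ends up.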
12-17-2011 07:21 AM
According to the logs I got the following error message
-------------------------------------------------------------------------------
Authentication Failure Code Lookup
Description -> Selected Identity Source is DenyAccess
Resolution Steps -> Select a different Identity Source
Authentication Method - PEAP (EAP-MSCHAPv2)
ACS Username - tylerp
Radius Username - tylerp
12-17-2011 08:05 AM
John,
I noticed under your ACS Wireless Internal Access Policy, you have multiple items checked. You should only check MSCHAPv2 and PEAP. Also, if you are using a user group, how is the Access Policy for Default Network Access?
Can you post a screen shot of both the default network access and the wireless internal. I would like to see all the tabs for both including your policy. Also can you screen shot the failed attempt in the monitor Authentication Radius Today.
12-17-2011 08:17 AM
I will on Monday Scott. Thanks for the help.
12-17-2011 08:20 AM
No problem... what you can do on Monday is also test using local EAP on the WLC and see if that works. At least that eliminates your client to the WLC, and then most likely it's something configured on your ACS.
12-17-2011 08:48 AM
Looking at that error, look at the ACS config. If it's set to look at the database, make sure that user has the grant dial-in permission allowed in AD.
Sent from Cisco Technical Support iPad App
12-19-2011 08:54 AM
12-19-2011 03:52 PM
Your SecureWireless Access Service is disabled. You need to create a new Service Selection Rule and point that to SecureWireless. I would then use a rule-based selection for your SecureWireless and choose your NDG or the NAS IP Address of your WLC and use your Deminternal for your Identity Source.
12-20-2011 05:03 AM
Thanks Scott, I'll try that out in a little bit and see how it goes. The other thing is, now that I have changed a few things and enabled the SecureWireless Access Service, it's asking for a certificate while trying to connect.
12-20-2011 05:06 AM
The client is asking? Or the client (iPhone, iPad) is asking to validate the certificate.
Thanks,
Scott Fella
Sent from my iPhone
12-20-2011 05:09 AM
Just to clarify... It's a long thread:)
You are using wpa2/aes with PEAP MSChapv2 for authentication.
Did you install a 3rd party certificate or create a self-signed certificate in ACS for 802.1x authentication?
The clients are configured for wpa2/aes PEAP.
Sent from Cisco Technical Support iPhone App
12-20-2011 06:02 AM
I did not install a 3rd party certificate, I have also not created a self signed certificate in ACS for 802.1x authentication. I do know where to do that and after researching how PEAP works, it seems as if it uses a certificate to secure authentication, is this correct?
12-20-2011 06:32 AM
Yes, that is correct. You need a server-side certificate for PEAP.
Thanks,
Scott Fella
Sent from my iPhone
12-20-2011 07:25 AM
How do you get the client to trust the Cisco CA on the Cisco ACS itself. Considering I just created a self-signed certificate, I want the client to trust the CA on the Cisco ACS, do you have any idea how to do that? I've been trying to research just haven't found anything concrete yet.
12-20-2011 07:30 AM
You would need to export the certificate from the ACS, then you could push the cert via a GPO.
To test though, you can uncheck the box in the supplicant that says "Validate Server Certificate" and see if you are able to gain access.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
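The two posts above describe the trust problem and its fix: PEAP needs a server certificate, the client's "Validate server certificate" check fails until the CA that issued it is in the client's trusted roots, and the fix is to export the CA certificate from ACS and distribute it (e.g. by GPO). The following is an added example, not code from the thread or from Cisco, modelling that in Go's standard library: a self-signed CA stands in for the CA on the ACS, it issues the EAP server certificate, and the supplicant check is run once against an empty trust store and once after importing the exported CA. Names such as "ACS Local CA" and "acs.example.local" are hypothetical. Unchecking "Validate Server Certificate" is equivalent to skipping SupplicantValidates altogether; it is fine for isolating the fault, but in production it lets any rogue access point terminate the PEAP tunnel and collect the MSCHAPv2 exchange, so re-enable it once the CA is trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA is a self-signed CA certificate plus its key (stand-in for the CA on the ACS).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewSelfSignedCA creates the CA certificate; the CN is a hypothetical name.
func NewSelfSignedCA(cn string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// IssueServerCert issues the certificate the EAP server presents in the PEAP TLS tunnel.
func IssueServerCert(ca *CA, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExportPEM is the "export the certificate from the ACS" step: only the CA
// certificate (never its key) is distributed to clients.
func ExportPEM(cert *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
}

// ImportTrustedRoot is the client side of that step (what the GPO push into
// Trusted Root Certification Authorities accomplishes).
func ImportTrustedRoot(pemBytes []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("no certificate found in PEM data")
	}
	return pool, nil
}

// SupplicantValidates is the "Validate server certificate" check: nil when the
// server certificate chains to a root in trusted, otherwise the verify error.
func SupplicantValidates(server *x509.Certificate, trusted *x509.CertPool) error {
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, err := NewSelfSignedCA("ACS Local CA")
	if err != nil {
		panic(err)
	}
	server, err := IssueServerCert(ca, "acs.example.local")
	if err != nil {
		panic(err)
	}
	// Client without the ACS CA: validation fails and the supplicant aborts the handshake.
	fmt.Println("without CA:", SupplicantValidates(server, x509.NewCertPool()))
	// Client that imported the exported CA certificate: validation succeeds (nil).
	pool, err := ImportTrustedRoot(ExportPEM(ca.Cert))
	if err != nil {
		panic(err)
	}
	fmt.Println("with CA:", SupplicantValidates(server, pool))
}
```

The first check returns an unknown-authority error, the second returns nil; that difference is exactly what the client sees before and after the CA is pushed out.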
12-20-2011 08:10 AM
I'm not sure why it says EAP-TLS, I haven't configured TLS anywhere..