Cisco G 1231, MS-Chap v2, PEAP
Hello-
Does anyone have an example configuration for PEAP and MS-CHAP v2 on a Cisco 1231G? The RADIUS and certificate server is the Windows 2003 Active Directory DC at 10.0.0.2.
SSID - myTestWLAN
Any help or pointers would be greatly appreciated.
Thank you much in advance.
The following links will be useful:
I hope this helps.
Regards
Rohit
Tags: Cisco Wireless
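An autonomous-AP (IOS) configuration for the setup asked about above, added here as an example; it is not from the thread or from Cisco's documentation. PEAP with inner MS-CHAP v2 runs between the Windows supplicant and the IAS server on the DC; the AP only relays EAP over RADIUS, so its job is the SSID, WPA key management and the RADIUS server definition. The shared secret and the BVI1 address are placeholders (assumptions).

```cisco
! Added example (not from the thread): Cisco 1231G autonomous AP, PEAP/MSCHAPv2 pass-through
! Assumptions: AP management address on BVI1 (10.0.0.10), RADIUS = Windows 2003 IAS on the DC
! at 10.0.0.2, shared secret SHARED-SECRET-PLACEHOLDER (must match the IAS RADIUS client entry)
aaa new-model
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
!
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key SHARED-SECRET-PLACEHOLDER
ip radius source-interface BVI1
!
dot11 ssid myTestWLAN
 ! open authentication + EAP: the AP forwards the EAP exchange to RADIUS,
 ! IAS terminates the PEAP TLS tunnel and checks MSCHAPv2 against Active Directory
 authentication open eap eap_methods
 authentication key-management wpa
 guest-mode
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid myTestWLAN
 station-role root
!
interface BVI1
 ip address 10.0.0.10 255.255.255.0
```

The clients must trust the CA that issued the IAS server certificate; otherwise the supplicant rejects the PEAP tunnel before any password is sent.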
Similar Questions
-
ISE 1.3 authentication problem (error 12321 PEAP failed SSL/TLS handshake)
Hi all
I get this error when authenticating on the WiFi (on Cisco ISE 1.3):
12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
I have a cluster of two VMs. I also have a local certificate for both and QuoVadis.
If anyone has any advice, docs or anything else that might help, thank you.
Regards
Eric
Hi Eric, this error message indicates that the client attempting to authenticate does NOT trust the CA that signed the certificate on your ISE servers. Are you using a self-signed certificate, or do you have a certificate from a public CA such as VeriSign, GoDaddy, etc.?
Please rate useful posts!
-
Authentication PEAP with Cisco ACS 5.3 and Lotus Notes DB
Hello
I want to authenticate wireless clients against the usernames/passwords stored in a Lotus Notes database.
Network: PEAP SSID -> access point -> 4404 WLAN controller -> ACS 5.3 -> Notes DB
Is this possible?
I can connect to LDAP and query the attributes and groups, but when I try to authenticate a user I always get the error "object not found in the identity store".
The bind test succeeds (> 100 groups and > 100 subjects).
EAP-MSCHAPv2 is not supported with LDAP by ACS.
You can use EAP-GTC.
You should use a supplicant that supports PEAP (EAP-GTC),
such as ADU, Intel PROSet, CSSC, Cisco AnyConnect, ... you can google for a list of supplicants.
Open a new thread for the Apple issue.
------------------------------------------------------------------
Please mark the correct answers and mark this thread as answered
-
Does anyone know where to load the CA certificate for PEAP if you use ISE as the RADIUS server?
Hello George,
Refer to:
Adding a certificate authority certificate
http://www.Cisco.com/en/us/partner/docs/security/ISE/1.0.4/user_guide/ise10_man_cert.html#wp1053515
Step 1: Choose Administration > System > Certificates.
Step 2: In the Certificate Operations navigation pane on the left, click Certificate Authority Certificates.
The Certificate Authority Certificates page appears.
Step 3: Click Add.
I hope this helps.
Kind regards.
-
I use ACS 5.3.0.40.8 with TACACS+ for device AAA and RADIUS for the Cisco Wireless for user access to the AD environment. How can I implement 802.1X with the current RADIUS implementation without disrupting current users, or am I prevented because EAP-GTC is used with PEAP via RADIUS?
Sent from Cisco Technical Support iPad App
In general the EAP type is determined by the supplicant and the server, so if you have a wired client configured for EAP-TLS and a wireless client configured for PEAP-MSCHAPv2, you shouldn't have any problems as long as the RADIUS service handles both EAP types and the identity and authorization policies point to the same target and the same level of access.
See you soon
-------------------------------------------------------------------------------------------------------------------------
Please don't forget to rate correct answers
-
Hi all,
I have the following problem:
I converted a Cisco 1231 to lightweight (using the upgrade tool and
c1200-rcvk9w8-tar.124-21a.JA2.tar). It worked, but now the AP still can't join the WLC:
AP with MAC 00:11:22:33.44:55 (AIR-AP1231G-E-K9) is unknown.
*spamApTask0: Oct 02 18:26:44.598: 00:13:c4:e7:ad:c5 DTLS connection delete found for AP (172:16:22:11/19157)
*spamApTask0: Oct 02 18:26:44.598: 00:13:c4:e7:ad:c5 Disconnecting DTLS Capwap-Ctrl session 0x14f3b038 for AP (172:16:22:11/19157)
*spamApTask0: Oct 02 18:26:44.598: 00:13:c4:e7:ad:c5 CAPWAP State: Dtls teardown
*spamApTask0: Oct 02 18:26:44.598: 00:13:c4:e7:ad:c5 DTLS keys for Control Plane are deleted successfully for AP 172.16.22.11
*spamApTask0: Oct 02 18:26:44.599: 00:13:c4:e7:ad:c5 State machine handler: Failed to process msg type = 3 state = 0 from 172.16.22.11:19157
*spamApTask0: Oct 02 18:26:44.599: 00:13:c4:e7:ad:c5 Failed to parse CAPWAP packet from 172.16.22.11:19157
*spamApTask0: Oct 02 18:26:44.599: 00:13:c4:e7:ad:c5 DTLS connection closed event received server (172:16:22:5/5246) client (172:16:22:11/19157)
*spamApTask0: Oct 02 18:26:44.599: 00:13:c4:e7:ad:c5 Entry exists for AP (172:16:22:11/19157)
*spamApTask0: Oct 02 18:26:44.605: 00:13:c4:e7:ad:c5 No AP entry exist in temporary database for 172.16.22.11:19157
*spamApTask0: Oct 02 18:26:44.606: 00:13:c4:e7:ad:c5 Discarding non-ClientHello Handshake or encrypted DTLS packet from 172.16.22.11:19157 since DTLS session is not established
Any idea? Thanks in advance!
What code is your controller on? The 1200 is not supported after 7.0 code...
Older 1200 APs did not come with MICs. An SSC is created; are you sure that SSC is enabled on the WLC and that you have the SSC on the controller?
http://www.Cisco.com/en/us/products/ps6366/products_configuration_example09186a00806a426c.shtml
__________________________________________________________________________________________
"Satisfaction doesn't come from knowing the solution, it comes from knowing why." - Rosalind Franklin -
All,
My employer uses a local wireless network with Cisco PEAP authentication, and I sometimes use my Lenovo IdeaPad S10-2 in the office.
The XP driver had no problem with it; I used it for a while. Recently I upgraded the computer to Windows 7 32-bit and realized that the wireless LAN driver from the Lenovo website offers NO Cisco PEAP option -> FAIL.
After some research, I found the latest driver for the Broadcom chipset (4315?), which is version 5.100.249.2. This driver works fine now and I can connect to the WLAN again.
Questions: why is the driver on the Lenovo website so outdated? Why does neither Lenovo nor Broadcom offer this driver on its website? Is it really necessary to search the internet to find the latest driver?
Anyway, the problem is solved, but I thought I'd share this information. I don't think I'm the only person who connects to a WLAN using Cisco PEAP authentication.
Well, I guess that's how it is. At least it can now be found in the forum if someone is looking for it.
-
Renew the certificate in Cisco ACS for PEAP authentication
Hi, we installed on our wireless client laptops a certificate created by Cisco ACS to authenticate, but it is about to expire.
How can I renew the certificate without affecting users?
(1) Yes, we can generate a new cert but install the latter.
(2) install generated new cert on the client.
(3) install the new cert in ACS.
Good plan; it will probably work.
Kind regards
~ JG
Rate useful posts
-
Cisco ISE - EAP-PEAP and EAP-TLS
Hello
Does anyone have an example ISE policy where authentication requests from a WLC can be processed by both TLS and PEAP?
I can't seem to get that working; however, I do manage to crash the ISE application with my config, which is not the idea.
If PEAP, use this identity source; if TLS, use 'this certificate authentication profile'.
THX
You don't need to do it in the policy.
You can create an identity source sequence and have it contain a certificate authentication profile and the identity store:
Administration > Identity Management > Identity Source Sequences
You can then select and define the certificate authentication profile for certificate-based authentication and the list of stores for the authentication search.
-
PEAP / EAP-TLS problem with PORTEGE tablet running WinXP SP2 Tablet Edition
We have: Cisco AiroNet 350 with WPA-EAP, FreeRADIUS with EAP/TLS and PEAP, and a PORTEGE tablet PC with WinXP SP2.
This problem is described in http://wiki.freeradius.org/index.php/FAQ#PEAP_Doesn.27t_Work
Perhaps to solve this problem we need a fix (http://support.microsoft.com/kb/885453/en-us), but Microsoft support said to contact the laptop manufacturer.
Can someone help me with this problem?
Hmmm, I'm not an expert in this area, but it seems that the MS OS update is necessary (I hope).
The preinstalled Windows operating system is a plain OEM version and generally all updates should be possible. However, if the MS guys told you to contact the manufacturer of the laptop, you can contact the authorized Toshiba service partner in your country for details. But I searched a bit on the net and found this site useful:
http://SearchNetworking.TechTarget.com/originalContent/0,289142,sid7_gci945257,00.html
1. 802.1X is based on communication between your router and a RADIUS authentication server. If you use WEP, WPA or WPA2 with dynamic keys, the following 802.1X debugging tips may be useful:
a. re-enter the same RADIUS secret in your wireless router and the RADIUS server.
b. configure your RADIUS server to accept RADIUS requests from the IP address of your router.
c. use ping to check router-server reachability.
d. watch packet counts on the LAN to verify that RADIUS requests and answers are flowing.
e. use an analyzer like Ethereal on the Ethernet side to watch RADIUS success/failure messages.
f. for XP SP2, turn on Wzctrace.log by typing the command "netsh ras set tracing * enabled".
2. If RADIUS is flowing but access requests are rejected, you may have an 802.1X Extensible Authentication Protocol (EAP) incompatibility or credential problem. This setting depends on the EAP type. For example, if your RADIUS server requires EAP-TLS, then select 'Smart Card or other Certificate' in your wireless network adapter's properties / Authentication panel. If your RADIUS server requires PEAP, then select "Protected EAP" on the adapter. If your RADIUS server requires EAP-TTLS, then you will need a third-party wireless client like AEGIS or Odyssey.
Make sure that the specific EAP properties match between your adapter and the server, including the server's trusted root CA certificate, the server domain name (optional, but it must match when specified) and the client authentication method (EAP-MSCHAPv2, EAP-GTC). When you use PEAP, use the 'Configure' panel for MSCHAPv2 to prevent Windows from automatically re-using your logon credentials.
-
Cisco Secure ACS 5.3: allowing foreign-domain accounts on a local-domain ACS server
Hi all
My company has recently acquired another company
Each company has its own domain and controllers
The problem:
Executives of the absorbed company sometimes come to the main site for meetings using their own laptops,
configured for their own domains. This caused wireless authentication problems with Windows 7 machines.
The domain account, when connecting, forces sending the password, the domain username and the foreign domain.
The need:
We need to somehow add the foreign domain as an authentication source on the local ACS so that an authentication attempt with our wireless controllers is allowed. Please advise on how this could be achieved.
Hello Steve,
Concerning the behavior you experience: ACS not being able to authenticate users against the foreign domain is completely expected, and you will only be able to authenticate by entering the user name and domain name.
The only option for joining the ACS to a foreign domain is the LDAP configuration; that way you will be able to join the ACS directly to that domain. However, there are several limitations on the supported protocols when you use LDAP, as you can see from the following link, so you want to check whether it would be an option for you depending on the protocol you use (which I suppose is PEAP/MSCHAPv2, as you mentioned that users type in their credentials, so it would not work for you):
http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/cisco_secure_access_contro...
Excerpt from the link:
Table B-4: Non-EAP Authentication Protocol and User Database Compatibility

| Identity store               | PAP/ASCII | MSCHAPv1/MSCHAPv2 | CHAP |
| ACS                          | Yes       | Yes               | Yes  |
| Windows AD                   | Yes       | Yes               | No   |
| LDAP                         | Yes       | No                | No   |
| RSA identity store           | Yes       | No                | No   |
| Identity of DEPARTMENT store | Yes       | No                | No   |

Table B-5 specifies the EAP authentication protocol support.

Table B-5: EAP Authentication Protocol and User Database Compatibility (two column headings are missing from the excerpt; the row values are kept in their original order)

| Identity store               | EAP-MD5 | (heading missing) | (heading missing) | PEAP-EAP-MSCHAPv2 | EAP-FAST-MSCHAPv2 | PEAP-GTC | EAP-FAST-GTC |
| ACS                          | Yes     | Yes [3]           | Yes               | Yes               | Yes               | Yes      | Yes          |
| Windows AD                   | No      | Yes               | Yes               | Yes               | Yes               | Yes      | Yes          |
| LDAP                         | No      | Yes               | Yes               | No                | No                | Yes      | Yes          |
| RSA identity store           | No      | No                | No                | No                | No                | Yes      | Yes          |
| Identity of DEPARTMENT store | No      | No                | No                | No                | No                | Yes      | Yes          |
Note: Please mark it as answered as appropriate.
-
AD instead of LDAP for MS-CHAP on ACS 4.2
I intend to use LDAP with ACS for wireless encryption, but I discovered that LDAP does not work with MS-CHAP, so now I have to use AD, or is there a way to use LDAP? I'm not a server guy; how can I configure PEAP with MS-CHAP to use AD?
Thank you
Mike
Please see this link, which explains the integration of ACS with AD.
EAP authentication protocol and user database compatibility
http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/ACS32/User02/o.htm#wp623530
Kind regards
~ JG
Rate useful posts
-
Questions about unknown software on the new laptop (3 Cisco modules)
Hello, (HP Pavilion dv6-6c01ev Notebook PC - Windows 7 Home Premium 64-bit)
I just noticed 3 programs that were installed among all the programs that came from the factory,
and I don't know how necessary they are for my laptop.
Here are the 3 programs, all from the same company:
1) Cisco EAP-FAST Module
2) Cisco LEAP Module
3) Cisco PEAP Module
All I want to know is...
(A) Are these programs necessary for the functionality of my laptop?
(if I uninstall them, will I have problems?)
(B) With which device in my laptop are these programs linked?
Thank you very much for your help
Hello:
If you have an Atheros wireless network card in your laptop, these programs were installed by the Atheros wireless driver.
They are probably not necessary for standard wireless connections.
I actually had to uninstall them on a Dell ST tablet PC, because they didn't allow the tablet to connect to my home network.
No one will be able to tell you what impact they will have in your particular situation.
If you have an Atheros wireless adapter and you decide to uninstall these 3 applications, and something goes wrong, then simply reinstall the Atheros driver and these applications should be reinstalled.
-
iPhone and Secure Wireless - PEAP
We recently deployed a new wireless infrastructure using a 4404 WLC and 1131 access points. We have 2 WLANs: a secure one using RADIUS (Microsoft IAS on Win2K3) and PEAP, and a guest one using the WLC's web authentication.
We discovered that iPhones and iPod touches are able to connect to the secure WLAN with only their AD credentials. They are then prompted to accept the certificate and granted access to the secure WiFi.
Our domain machines require the certificate to be installed via Group Policy, so I'm not sure how the Apple devices are pulling down the cert.
Does anyone have any suggestions on how to block this behavior? We would like these devices to use only the web-auth guest access.
The solution has been added in the document mentioned below:
https://supportforums.Cisco.com/docs/doc-21756
This should help:
-
Cisco 877 - works only with apple devices
Hi all
I hope someone can help me with a problem I have with my 877 ADSL router.
A little history:
I installed it as my internet router, connected to a Linksys WRT54GL wireless access point.
My Windows and Linux devices/computers and cell phones all work fine on this configuration and connect without problems.
However, all my Apple devices, phones and iPads, don't fully work. I can get to Google and a handful of pages, but not the App Store or Facebook etc. (my daughter thinks it's the end of the world without FB and Instagram).
If I take out the Cisco and put in a Thomson router, everything works fine, so I guess it's something in the Cisco config.
Here is the config that I use on the router
Pointers would be most appreciated.
ddhrouter#sh run
Building configuration...

Current configuration : 2292 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ddhrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 mysecret
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CISCODHCP
 network 192.168.1.0 255.255.255.0
 dns-server 212.50.160.100 213.249.130.100 8.8.8.8
 default-router 192.168.1.1
!
!
ip name-server 212.50.160.100
ip name-server 213.249.130.100
ip name-server 8.8.8.8
!
!
username cisco privilege 15 password 0 mysecret
!
!
archive
 log config
  hidekeys
!
!
interface ATM0
 description * adsl interface *
 mtu 1452
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 1/50
  ubr 288
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description * local lan *
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface Dialer0
 no ip address
!
interface Dialer10
 description * adsl dialer interface *
 ip address negotiated
 ip mtu 1482
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname myusername
 ppp chap password 0 mypassword
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer10
!
no ip http server
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer10 overload
!
ip access-list extended TerminalAccess
 permit tcp host 192.168.1.0 any eq telnet
 permit tcp any any eq 22
 deny   tcp any any
ip access-list extended no_telnet
 deny   tcp any any eq telnet
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
 password password
 no modem enable
line aux 0
line vty 0 4
 access-class TerminalAccess in
 password password
 login
!
scheduler max-task-time 5000
end

ddhrouter#
All I am after is a standard configuration for my router: allow everything out, deny everything in.
Thanks in advance.
Dave
I don't see a reason why Apple devices in particular would have a problem, but I would add 'ip tcp adjust-mss 1442' on your Dialer10 interface to see if that helps. You're dealing with a low-MTU connection, and this will cause problems with packets that are marked do-not-fragment, such as HTTPS.