ACS - PEAP authentication twice not working?

Discussion in 'Cisco' started by Bob, Feb 16, 2005.

  1. Bob

    Bob Guest

    Does anyone else have this problem? I use ACS 3.3 and have a Verisign
    certificate to authenticate PEAP sessions through my Aironet 1200's to
    Windows XP users. All users have no problems authenticating the
    *first* time Windows is booted up. Wireless works fine, authenticates
    via Radius to ACS, etc. However, the second time they need to
    authenticate, for instance - disabling the wireless adapter and
    re-enabling it - never works. The status gets stuck (in Windows) at
    saying "Attempting to Authenticate".

    Does anyone else have any problems with PEAP, Aironets and ACS?

    -Bob
     
    Bob, Feb 16, 2005
    #1

  2. On Tue, 15 Feb 2005 19:13:03 -0500, Bob <> wrote:

    ~ Does anyone else have this problem? I use ACS 3.3 and have a Verisign
    ~ certificate to authenticate PEAP sessions through my Aironet 1200's to
    ~ Windows XP users. All users have no problems authenticating the
    ~ *first* time Windows is booted up. Wireless works fine, authenticates
    ~ via Radius to ACS, etc. However, the second time they need to
    ~ authenticate, for instance - disabling the wireless adapter and
    ~ re-enabling it - never works. The status gets stuck (in Windows) at
    ~ saying "Attempting to Authenticate".
    ~
    ~ Does anyone else have any problems with PEAP, Aironets and ACS?
    ~
    ~ -Bob

    Is it the case that this problem afflicts XP users who are using
    SP2 but not XP users who are using earlier versions?

    If so, then this sounds like a known Windows bug. See Cisco
    DDTS CSCef50870, "PEAP reauthentication fails with XP SP2 supplicant,
    ACS" (which DDTS is junked as this is a bug in Microsoft not
    Cisco code) and Microsoft article 885453 which will point you
    to a hotfix that will resolve this problem.

    Aaron
     
    Aaron Leonard, Feb 17, 2005
    #2

  3. Bob

    Rob Guest

    It doesn't matter if it's SP1 or SP2, but I will look into that hotfix.

    I assume then, this does not happen to your XP clients at all?

    -Bob


    On Thu, 17 Feb 2005 08:46:17 -0800, Aaron Leonard <>
    wrote:

    >On Tue, 15 Feb 2005 19:13:03 -0500, Bob <> wrote:
    >
    >~ Does anyone else have this problem? I use ACS 3.3 and have a Verisign
    >~ certificate to authenticate PEAP sessions through my Aironet 1200's to
    >~ Windows XP users. All users have no problems authenticating the
    >~ *first* time Windows is booted up. Wireless works fine, authenticates
    >~ via Radius to ACS, etc. However, the second time they need to
    >~ authenticate, for instance - disabling the wireless adapter and
    >~ re-enabling it - never works. The status gets stuck (in Windows) at
    >~ saying "Attempting to Authenticate".
    >~
    >~ Does anyone else have any problems with PEAP, Aironets and ACS?
    >~
    >~ -Bob
    >
    >Is it the case that this problem afflicts XP users who are using
    >SP2 but not XP users who are using earlier versions?
    >
    >If so, then this sounds like a known Windows bug. See Cisco
    >DDTS CSCef50870, "PEAP reauthentication fails with XP SP2 supplicant,
    >ACS" (which DDTS is junked as this is a bug in Microsoft not
    >Cisco code) and Microsoft article 885453 which will point you
    >to a hotfix that will resolve this problem.
    >
    >Aaron
     
    Rob, Feb 17, 2005
    #3
  4. Bob

    kellasse Guest

    Bob,
    I am new to this forum, but I found your post because I am having
    this very same issue. Have you gotten your problem resolved? I am
    working with a CISCO TAC engineer now. He also found the same
    problem for me that was suggested by someone else on this post. I am
    only running clients with windows XP sp1 though.
    My email is , please send me an email.
    We run 1200 aps, IOS v12.2(15)XR2, windows xp on IBM t41's with built
    in mini pci wireless adapters from CISCO. We are also running CISCO
    ACS V3.3 for authentication.
    -karl
     
    kellasse, Feb 23, 2005
    #4
  5. Bob

    Uli Link Guest

    kellasse wrote:

    > My email is , please send me an email.
    > We run 1200 aps, IOS v12.2(15)XR2, windows xp on IBM t41's with built
    > in mini pci wireless adapters from CISCO. We are also running CISCO
    > ACS V3.3 for authentication.


    Is the Wireless Zero configuration service disabled and you're using ACU
    to configure the card?

    For Aironet cards I strongly recommend *against* the M$ supplicant.
    Atheros cards come with a Meetinghouse supplicant (even Cisco's
    CB21ag!!!), Funk Software's Odyssey works *much* better than M$ supplicant.

    When installing the Cisco ACU, you can create a profile or select "use
    another application".
    Cisco's PEAP is a slightly different flavour than M$' PEAP.
    Cisco's PEAP (as you're using ACS) needs that PEAP support from ACU is
    installed.

    When PEAP sets up the TLS tunnel before the credentials are sent, the
    supplicant *can* check the certificate of the RADIUS. The certificate
    chain has to be installed or this (recommended) check has to be disabled.

    HTH, never had a problem with PEAP since VxWorks 11.23T

    --
    Uli

    These opinions are mine. All found typos are yours.
     
    Uli Link, Feb 23, 2005
    #5
  6. Bob

    kellasse Guest

    Hello,
    We actually ran the CISCO ACU with Leap for 3 years. Pretty solid,
    except our end users across the US hate it. They love the wireless
    client with XP and as a wireless administrator I have to agree. The
    client actually shows you wireless networks and shows the user
    whether they need to have a WEP key or not. With the ACU, you
    obviously have to create profiles. (Plus the install and uninstall
    of the ACU/ADU is not SMS friendly).
    Thanks for the update. Nice to hear from others.
    To answer your other questions.
    1) yes, the wireless network service is started and checked (use
    windows to configure my wireless settings)
    2) we are using cisco 350 pc cards, mini pci cards, and now Intel
    centrino.
    The cisco 350 PC cards do not have this symptom.
    The built in mini pci cards (intel and cisco) do have this symptom.

    -karl
     
    kellasse, Feb 25, 2005
    #6
  7. Bob

    Bob Guest

    I found it is a known Microsoft bug in Windows XP. There is a post
    SP2 hotfix for it. KB885453.

    Thanks for your reply though.

    -Bob



    On Fri, 25 Feb 2005 02:07:44 -0600,
    -spam.invalid (kellasse) wrote:

    >Hello,
    > We actually ran the CISCO ACU with Leap for 3 years. Pretty solid,
    >except our end users across the US hate it. They love the wireless
    >client with XP and as a wireless administrator I have to agree. The
    >client actually shows you wireless networks and shows the user
    >whether they need to have a WEP key or not. With the ACU, you
    >obviously have to create profiles. (Plus the install and uninstall
    >of the ACU/ADU is not SMS friendly).
    > Thanks for the update. Nice to hear from others.
    > To answer your other questions.
    >1) yes, the wireless network service is started and checked (use
    >windows to configure my wireless settings)
    >2) we are using cisco 350 pc cards, mini pci cards, and now Intel
    >centrino.
    >The cisco 350 PC cards do not have this symptom.
    >The built in mini pci cards (intel and cisco) do have this symptom.
    >
    >-karl
     
    Bob, Feb 25, 2005
    #7
  8. Bob

    Rob Guest

    Yes, it's a Microsoft issue. See my post later (earlier?) in this
    thread. Windows XP SP2 with a hotfix solves it.

    I had the exact same issue as you. IBM T41's, 1200 Aironets,
    12.2(15)XR2 and ACS v3.3(2).

    -Bob



    On Wed, 23 Feb 2005 02:10:23 -0600,
    -spam.invalid (kellasse) wrote:

    >Bob,
    > I am new to this forum, but I found your post because I am having
    >this very same issue. Have you gotten your problem resolved. I am
    >working with a CISCO TAC engineer now. He also found the same
    >problem for me that was suggested by someone else on this post. I am
    >only running clients with windows XP sp1 though.
    > My email is , please send me an email.
    >We run 1200 aps, IOS v12.2(15)XR2, windows xp on IBM t41's with built
    >in mini pci wireless adapters from CISCO. We are also running CISCO
    >ACS V3.3 for authentication.
    >-karl
     
    Rob, Feb 27, 2005
    #8
  9. Bob

    kellasse Guest

    Bob,
    Thanks for the update. I found a test laptop, (t42) with a centrino
    card Mini pci and applied sp2 + the hotfix. It seemed to fix our
    problem. It still doesn't connect really fast, but much more
    consistent. I usually miss about 10-12 pings after I turn the radio
    back on (IBM Function+F5).
    Before it used to take up to 1 minute.

    -karl
     
    kellasse, Mar 5, 2005
    #9
  10. Bob

    Rob Guest

    Considering that most of my company's new laptops are going to be T41
    or T42's, I'm making the patch mandatory along with SP2 shortly. I'm
    tired of hearing about the "wireless network" being broken.

    I guess this is what happens when we live on the bleeding edge.

    Bob



    On Sat, 05 Mar 2005 02:06:36 -0600,
    -spam.invalid (kellasse) wrote:

    >Bob,
    > Thanks for the update. I found a test laptop, (t42) with a centrino
    >card Mini pci and applied sp2 + the hotfix. It seemed to fix our
    >problem. It still doesn't connect really fast, but much more
    >consistent. I usually miss about 10-12 pings after I turn the radio
    >back on (IBM Function+F5).
    >Before it used to take up to 1 minute.
    >
    >-karl
     
    Rob, Mar 5, 2005
    #10
  11. Bob

    kellasse Guest

    Hello,
    another followup question.
    We were having a weird problem with our CISCO APs with IBM T42 with
    Intel centrino cards. When we boot up, lots of times our laptops
    would hang and not get an IP address.
    We found a parameter on the CISCO access points that seems to fix
    our problem. It is a dot11 holdoff-time 1. When this is set to 60
    (which seems to be the default). The clients hang and hang and hang.
    CISCO TAC says this shouldn't affect anything if the client is acting
    normally, but when this value is high authentication just doesn't
    work. When we change this to 1 or 2 seconds, it works just fine.
    CISCO doesn't want to even look into the problem saying that this is
    a client issue. So we tried this with a G-linksys PC card. Same
    problem.
    So to make a long story short, we just changed all the APs so the
    value is 1 (second) and have not pushed the issue any further.
    This value doesn't seem to have any effect on a CISCO pc card or
    mini pc built in, but every other vendor's card doesn't work.
    -Karl
     
    kellasse, Aug 9, 2005
    #11