PEAP authentication failed

Hello,


Thank you for the excellent Ultimate wireless security guide but I've no success with it ;-)

To run tests, I'm using a new Aironet 1242 and a Cisco PCI wireless card.

I usually use and configure Cisco devices and I know the Win2k3 domain environment.

In the debugs on the access point, I see "station authentication failed". What I also find strange is the fact that nothing appears in the event viewer of the Win2k3 server (I'm sure of the communication between the AP and the server, of course).

Any idea?

Thank you,

Alain
  • kjell.braten

    Hi, I am rolling out a solution with exactly the same unit (1242G) and am experiencing the same problem: "station authentication failed". And nothing shows in the log files for IAS or any other place on the 2003 server. If you found a solution, please point me in the right direction here; I am banging my head into the wall....

    Kjell

    JZaveri

    Hi,
    With reference to your posting regarding the authentication failure on the 1242AG, I was just wondering if you had any luck with it, because I'm facing exactly the same problem and have had no luck in finding a solution. Any tips would be highly appreciated.

    Thanks,

    Juzar

    Leo

    I need more than just "authentication failed" from you. What is your setup like? DHCP? Any other routers in between the wireless and the RADIUS server? If so, make sure the correct ports are open for authentication and accounting. Or is it a direct connection to the server?
    Are you broadcasting the SSID? Are you using a certificate? If so, is it installed on the client computers? There are many reasons for authentication errors.

    JZaveri

    Thank you for your response.
    Intentions are to use a CA certificate for PEAP authentication. Following is what I have done so far:
    1) Installed Microsoft CA
    2) Created root/server certificates
    3) Ensured that the certificates are replicated to my servers (Domain Controllers)
    4) Installed IAS on my DCs
    5) Configured a profile to use PEAP as the authentication.
    6) Added the Cisco AP in IAS to act as a Radius Client.
    7) Configured the "Radius Server" on my Cisco 1241 Access point (set up shared secret, etc.)
    8) Ensured that the certificates are deployed to the workstations.

    The above configuration has been done to establish wireless connectivity for a wireless client.

    Additionally:
    1) SSID is not broadcast
    2) There are no routers between the AP and the Radius Server.
    3) DHCP is used for the client PCs

    Thank you once again for your time and assistance.

    Juzar Zaveri

    Leo

    Believe it or not, my setup would not work either until I broadcast the SSID on the AP. I don't really care about broadcasting the SSID because it does not pose a security risk. And if you hide it, it can still be sniffed out by software, so it does not matter. That might just do it.
    Good luck. By the way, did you configure a WiFi policy for your environment? Not that it's mandatory, but it makes it easy to deploy to clients on the domain. Make sure Windows is managing the WiFi on the computer and not third-party software.
    Don't overlook the obvious: make sure the Wireless Zero Config service is turned on.

    Good luck.
    Leo

    Leo

    Hi,
    I also read the guide several times now. I used to only use WEP, so I wanted to look for a better way to secure my APs with minimal user interaction required. Needless to say, I can't get this PEAP to work. Maybe you can give me some suggestions, because I don't even get any attempts logged in the Cisco AP event viewer. I'm pretty sure the problem lies in the AP config because the server side was pretty easy to set up. I don't feel like there is anything happening between the AP and the Windows 2k3 RADIUS server. Do you know if I have to open any ports on the Windows firewall?

    Thanks,
    Leo
    any suggestions would be appreciated.

    robo_dev

    And I bet you can do the same in the newer hardware. It takes a bit of time to configure, but on the screen where you set up logging, you can allocate memory to do packet capture, then do a total sniffer-like packet capture in the AP.

    This is invaluable when troubleshooting authentication problems. I used it years ago to show an (arrogant) server admin that the FTP problem was HIS server being misconfigured, not my WLAN APs.

    dmmchowdary

    Hi, I have the same problem. I think it's the Win2k3. I used WPA authentication. Followed the guide but no luck. Does anyone have an answer?
    Cheers,
    Maddy

    seanferd

    ?

    Edit: Maybe you could bug George Ou over at ZDNet about this. Who knows?

    Leo

    Your Windows 2K3 RADIUS server's system event log should show the error if the wireless router is set up correctly.
    I would disable any firewall just to help determine the real cause.
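
Added example, not part of any post in this thread: a small probe for the symptom several posters describe, where the AP reports "station authentication failed" but the IAS server logs nothing. It builds the RADIUS Access-Request an AP would relay at the start of PEAP (EAP-Response/Identity plus Message-Authenticator), sends it to the server, and classifies the answer. The ports 1812 and 1645 are the standard and legacy RADIUS authentication ports, not values from the thread; the identity and NAS address are constructed samples.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 3, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_probe(secret, identity, nas_ip, ident=1, authenticator=None):
    """Access-Request carrying an EAP-Response/Identity, as an AP would relay it."""
    authenticator = authenticator or os.urandom(16)
    eap = struct.pack("!BBHB", 2, ident, 5 + len(identity), 1) + identity
    attrs = (attr(USER_NAME, identity) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(EAP_MESSAGE, eap) + attr(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    # RFC 3579: HMAC-MD5 over the whole packet with the attribute value zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def check_reply(reply, request, secret):
    """Classify a reply after verifying its Response Authenticator (RFC 2865)."""
    if len(reply) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        return "malformed"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-authenticator: shared secret differs on the two sides"
    return {ACCESS_CHALLENGE: "challenge: server accepted the client and started EAP",
            ACCESS_REJECT: "reject: server reachable, request refused by policy",
            }.get(code, "unexpected code %d" % code)

def probe(server, secret, identity=b"probe-user", nas_ip="192.0.2.10",
          ports=(1812, 1645), timeout=3.0):
    """Send one probe per port; identity and nas_ip are constructed sample values."""
    results = {}
    for port in ports:
        request = build_probe(secret, identity, nas_ip)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.sendto(request, (server, port))
                results[port] = check_reply(sock.recvfrom(4096)[0], request, secret)
            except socket.timeout:
                # RADIUS servers silently drop requests they do not trust.
                results[port] = "no reply: filtered, unknown client IP, or bad secret"
            except OSError as exc:
                results[port] = "send/receive error: %s" % exc
    return results
```

Call `probe()` with the server address and the shared secret as bytes, from a host whose IP is registered as a RADIUS client on the server. A "challenge" or "reject" result shows the RADIUS path and shared secret are working, so the fault lies on the AP or client side.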
