802.1X (PEAP) authentication issue

By robsimkins
Hi guys,

We're using PEAP for non-domain WLAN guests. This currently means they need to disable the "Validate Server Cert" option and their domain/machine name, username and PW are added to the local list on RADIUS.
"authenticate as computer when computer information is available" is unchecked.

On the RADIUS - PEAP config is for 480 min session and Fast Reconnect is enabled (also enabled on clients).

The users are dropping off and reassociating quite regularly but not at repetitive intervals - an auth failure log is generated by the RADIUS (ACS v4.0) "PEAP auth failed during SSL handshake", they then pass authentication a few seconds later.

2 questions:

1. Does anyone know what causes this behaviour to occur?

2. Does anyone know a method of debugging the 802.1X on the client side? (WZC is supplicant - AEGIS v3.7.4.0)

Thanks in advance,



All Answers


Similar issues occurring within AD based Radius setup on domain clients

by remy.boers In reply to 802.1X (PEAP) authenticat ...

Hi Rob,

I was on the lookout for a solution regarding our troubles with a recently implemented WLAN based on PEAP authentication using a Radius platform. We have implemented a Cisco based infrastructure using a WLAN controller and several APs.

We have set up a Windows 2003 member server (2000 Domain) with Radius, which is to authenticate users in the AD. This works, but after 40-80 minutes or so the clients start to re-authenticate, causing quite the traffic on the network. The Radius Log shows enormous growth during this traffic.

When using a normal WPA-PSK setup to that same WLAN, the clients seem to perform normally, so it's the Radius authentication that fails at an unknown point.

Since you have encountered similar problems with Radius-PEAP, I launched this reply to your topic.

Did you manage to solve it?
What was the solution you applied?




Similar issues occurring within AD based Radius setup on domain clients

by msales In reply to Similar issues occuring w ...

Run the following on the client machines:
netsh aaa set tracing * ena

This enables tracing on the local machine, which logs all the EAP and WZC tracing logs into the C:\windows\system32\tracing folder.


Can't authenticate to WLAN with Cert enabled

by colin.laurie In reply to Similar issues occuring w ...

Hi, I hope somebody can suggest some way to resolve our issue.

We have started to deploy WLAN with PEAP & passwords. We created a self-signed SSL cert on the IAS server and exported that cert to client machines.

Whenever we configure the WLAN settings on the client to use a certificate the authentication will fail. If I choose to turn off the certificate option then I can connect to the WLAN. This used to work OK but I can't figure out what went wrong.

Any ideas anyone?




What APs are you using?

by robo_dev In reply to 802.1X (PEAP) authenticat ...

If they are Cisco, you can enable some very detailed logging in the APs themselves, then you can watch the auth failures that way...

Do you have multiple RADIUS servers, or just one?

What are the clients doing from a power management standpoint and a DHCP standpoint?
Are the wifi adapters set to CAM mode?

If the users are going to sleep and/or getting new IP addresses, this may be an issue.....
