Introduction

This document contains a configuration example for setting up Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) Version 2 authentication in a Cisco Unified Wireless network, with the Microsoft Internet Authentication Service (IAS) as the RADIUS server.

Requirements

Prerequisites

It is assumed that the reader has a basic understanding of Windows 2003 installation and Cisco controller installation, because this document covers only the specific configurations that facilitate the tests.

Note: This document is intended to give readers an example of the configuration required on the MS server for PEAP-MS-CHAP authentication. The Microsoft server configuration presented in this document was tested in the lab and found to work as expected. If you have problems configuring your Microsoft server, contact Microsoft for help. The Cisco TAC does not support Microsoft Windows server configuration.

For information on initial installation and configuration of the Cisco 4400 Series Controllers, see the Quick Start Guide: Cisco 4400 Series Wireless LAN Controllers.

For Microsoft Windows 2003 installation and configuration guides, see Install Windows Server 2003 R2.

Before you begin, install Microsoft Windows Server 2003 with the SP1 operating system on each server in the test lab and update all service packs. Install the controllers and lightweight access points (LAPs), and ensure that the latest software updates are configured.

Components Used

The information in this document is based on the following software and hardware versions:

  • Cisco 4400 Series Controllers with firmware version 4.0

  • Cisco 1131 Lightweight Access Point (LAP)

  • Windows 2003 Enterprise Server (SP1) with the Internet Authentication Service (IAS), Certificate Authority (CA), DHCP and Domain Name System (DNS) services installed

  • Windows XP Professional with SP 2 (and updated Service Packs) and Cisco Aironet 802.11a / b / g Wireless Network Interface Card (NIC)

  • Aironet Desktop Utility Version 4.0

  • Cisco 3560 switch

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information about document conventions, see the Cisco Technical Tips Conventions.

PEAP overview

PEAP uses Transport Layer Security (TLS) to create an encrypted channel between an authenticating PEAP client, such as a wireless laptop, and a PEAP authenticator, such as Microsoft Internet Authentication Service (IAS) or another RADIUS server. PEAP does not specify an authentication method itself; it provides additional protection for other EAP authentication methods, for example EAP-MSCHAPv2, which run inside the encrypted TLS channel that PEAP provides. The PEAP authentication process consists of two main phases:

PEAP phase 1: TLS-encrypted channel

The wireless client associates with the access point. The IEEE 802.11 association uses open system or shared key authentication before a secure connection between the client and the access point (LAP) is established. Once the 802.11 association between the client and the access point is complete, the 802.1X/EAP exchange starts and a TLS session is negotiated between the wireless client and the IAS server; the LAP and the controller only relay the EAP messages. During this negotiation the IAS server presents its server certificate, which the client checks against the CA certificates in its trusted root store. The key material derived from the TLS handshake encrypts all subsequent communication of the second phase.

PEAP phase 2: EAP authenticated communication

The EAP communication, including the EAP negotiation, takes place inside the TLS channel that PEAP created in the first phase of the PEAP authentication process. The IAS server authenticates the wireless client with EAP-MS-CHAP v2. The LAP and the controller only forward messages between the wireless client and the RADIUS server; neither the WLC nor the LAP can decrypt these messages, because they are not the TLS endpoints.

Once PEAP phase 1 has established the TLS channel between the IAS server and the 802.1X wireless client, the RADIUS message sequence for a successful authentication attempt, in which the user supplies valid password-based credentials with PEAP-MS-CHAP v2, is:

  1. The IAS server sends an identity request message to the client: EAP-Request/Identity.

  2. The client responds with an identity response message: EAP-Response/Identity.

  3. The IAS server sends an MS-CHAP v2 challenge message: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Challenge).

  4. The client responds with an MS-CHAP v2 challenge and response: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Response). The response also carries the client's own peer challenge, which the server must answer in the next step, because MS-CHAP v2 is mutual.

  5. The IAS server sends back an MS-CHAP v2 success packet when the server has successfully authenticated the client: EAP-Request/EAP-Type=EAP-MS-CHAP-V2 (Success).

  6. The client responds with an MS-CHAP v2 success packet when the client has successfully authenticated the server: EAP-Response/EAP-Type=EAP-MS-CHAP-V2 (Success).

  7. The IAS server sends an EAP-TLV that indicates successful authentication.

  8. The client responds with an EAP-TLV status message.

  9. The server completes the authentication and sends an EAP-Success message in clear text. If VLANs are used for client isolation, the VLAN attributes are included in this message.

Configure

This document contains an example of the configuration of PEAP MS-CHAP v2.

Note: Use the Command Lookup Tool (registered customers only) for more information about the commands used in this section.

Network diagram

The following network setup is used in this document:

In this configuration, a Microsoft Windows 2003 server performs the following roles:

  • Domain controller for the domain Wireless.com

  • DHCP / DNS server

  • Certificate Authority (CA) server

  • Active Directory - to manage the user database

  • Internet Authentication Service (IAS) - Authentication of wireless users

As shown, this server is connected to the wired network via a Layer 2 switch.

The wireless LAN controller (WLC) and the registered LAP are also connected to the network via the layer 2 switch.

Wireless clients C1 and C2 use Wi-Fi Protected Access 2 (WPA2) - PEAP MSCHAP v2 authentication to connect to the wireless network.

The aim is to configure the Microsoft 2003 server, the wireless LAN controller and the Light Weight AP for the authentication of the wireless clients with PEAP MSCHAP v2 authentication.

The next section explains how to configure the devices for this configuration.

Configurations

This section describes the configuration required to set up PEAP MS-CHAP v2 authentication in this WLAN:

  • Configure the Microsoft Windows 2003 server

  • Configure the Wireless LAN Controller (WLC) and the Light Weight APs.

  • Configure the wireless clients

Start by configuring the Microsoft Windows 2003 server.

Configure the Microsoft Windows 2003 server

As described in the network diagram section, the Microsoft Windows 2003 server on the network performs these functions:

  • Domain controller - for the domain Wireless.com

  • DHCP / DNS server

  • Certificate Authority (CA) server

  • Internet Authentication Service (IAS) - Authentication of wireless users

  • Active Directory - to manage the user database

Configure the Microsoft Windows 2003 server for these services. Start by configuring the Microsoft Windows 2003 server as a domain controller.

Configure the Microsoft Windows 2003 server as a domain controller

To configure the Microsoft Windows 2003 server as a domain controller, do the following:

  1. Click Start, click Run, type dcpromo.exe, and click OK to start the Active Directory Installation Wizard.

  2. Click Next to run the Active Directory Installation Wizard.

  3. To create a new domain, select Domain controller for a new domain.

  4. Click Next to create a new forest of domain trees.

  5. If DNS is not installed on the system, the wizard offers options to configure DNS. Choose No, just install and configure DNS on this computer. Click Next.

  6. Enter the full DNS name for the new domain. This example uses Wireless.com. Click Next.

  7. Enter the NetBIOS name for the domain and click Next. This example uses WIRELESS.

  8. Select the database and log locations for the domain. Click Next.

  9. Choose a location for the Sysvol folder. Click Next.

  10. Select the default permissions for users and groups. Click Next.

  11. Set the Directory Services Restore Mode administrator password and click Next.

  12. Click Next to accept the domain options you set previously.

  13. Click Finish to close the Active Directory Installation Wizard.

  14. Restart the server for the changes to take effect.

With this step you have configured the Microsoft Windows 2003 server as a domain controller and created the new domain Wireless.com. Next, configure the DHCP services on the server.

Install and configure DHCP services on the Microsoft Windows 2003 server

The DHCP service on the Microsoft 2003 server provides IP addresses to the wireless clients. To install and configure DHCP services on this server, do the following:

  1. In the Control Panel, click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Select Networking Services and click Details.

  4. Select Dynamic Host Configuration Protocol (DHCP) and click OK.

  5. Click Next to install the DHCP service.

  6. Click Finish to complete the installation.

  7. To configure DHCP services, click Start > Programs > Administrative Tools and then the DHCP snap-in.

  8. Select the DHCP server, tsweb-lapt.wireless.com in this example.

  9. Click Action and then Authorize to authorize the DHCP service.

  10. In the console tree, right-click tsweb-lapt.wireless.com and click New Scope to define an IP address range for the wireless clients.

  11. On the Welcome page of the New Scope Wizard, click Next.

  12. On the Scope Name page, enter a name for the DHCP scope. This example uses DHCP Clients as the scope name. Click Next.

  13. On the IP Address Range page, enter the start and end addresses of the range and click Next.

  14. On the Add Exclusions page, specify any IP addresses that you want to reserve or exclude from the DHCP scope. Click Next.

  15. On the Lease Duration page, specify the lease duration and click Next.

  16. On the Configure DHCP Options page, select Yes, I want to configure these options now and click Next.

  17. If there is a default gateway router, enter its IP address on the Router (Default Gateway) page and click Next.

  18. On the Domain Name and DNS Servers page, enter the name of the domain configured previously, Wireless.com in this example, and the IP address of the server. Click Add.

  19. Click Next.

  20. On the WINS Servers page, click Next.

  21. On the Activate Scope page, select Yes, I want to activate this scope now and click Next.

  22. When you have completed the New Scope Wizard, click Finish.

  23. In the DHCP snap-in window, verify that the DHCP scope you created is active.

After DHCP / DNS is enabled on the server, configure the server as a CA (Enterprise Certificate Authority) server.

Install and configure Microsoft Windows 2003 server as a Certificate Authority (CA) server

PEAP with EAP-MS-CHAPv2 validates the RADIUS server by means of the certificate on the server. The server certificate must therefore be issued by a certification authority (CA) that the client computer trusts, that is, the CA certificate must already be present in the Trusted Root Certification Authorities folder of the client computer's certificate store. In this example, you configure the Microsoft Windows 2003 server as an enterprise CA that issues the certificate to the Internet Authentication Service (IAS). This trust relationship is the security anchor of PEAP: a client that does not validate the server certificate against this CA completes PEAP phase 1 with any RADIUS server that presents a certificate, including one behind a rogue access point that uses the same SSID, and then sends its MS-CHAPv2 response inside that attacker's TLS tunnel.

To install and configure Certificate Services on the server, do the following:

  1. In the Control Panel, click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Click Certificate Services.

  4. Click Yes at the warning message: After Certificate Services is installed, the computer cannot be renamed and the computer cannot join or be removed from a domain. Do you want to continue?

  5. Under CA Type, select Enterprise root CA and click Next.

  6. Enter a name for the CA. This example uses Wireless CA. Click Next.

  7. The directories for the certificate database and the certificate database log are created. Click Next.

  8. If IIS is running, it must be stopped before you continue. Click OK at the warning that IIS must be stopped; it restarts automatically after the CA is installed.

  9. Click Finish to complete the installation of Certificate Services.

Next, join the client computers to the domain; after that, install and configure the Internet Authentication Service on the Microsoft Windows 2003 server.

Connect clients to the domain

The next step is to connect the clients to the wired network and have them download the domain-specific information from the new domain, in other words, join the clients to the domain. To do this, do the following:

  1. Connect the clients to the wired network with a straight-through Ethernet cable.

  2. Start the client and log in with the client's local username and password.

  3. Click Start, click Run, type cmd, and click OK.

  4. At the command prompt, type ipconfig and press Enter to verify that DHCP works correctly and that the client has received an IP address from the DHCP server.

  5. To join the client to the domain, right-click My Computer and choose Properties.

  6. Click the Computer Name tab.

  7. Click Change.

  8. Click Domain, type wireless.com, and click OK.

  9. Enter the username Administrator and the password of the domain that the client joins. (This is the Administrator account in the Active Directory on the server.)

  10. Click OK.

  11. Click Yes to restart the computer.

  12. After the computer restarts, log in with this information: Username = Administrator; Password = <domain password>; Domain = Wireless.

  13. Right-click My Computer and click Properties.

  14. Click the Computer Name tab to verify that you are in the Wireless.com domain.

  15. The next step is to verify that the client has received the CA certificate (trust) from the server.

  16. Click Start, click Run, type mmc, and click OK.

  17. Click File and then Add/Remove Snap-in.

  18. Click Add.

  19. Choose Certificates and click Add.

  20. Choose Computer account and click Next.

  21. Click Finish to accept the default, Local computer.

  22. Click Close and then OK.

  23. Expand Certificates (Local Computer), expand Trusted Root Certification Authorities, and click Certificates. Look for Wireless CA in the list. This is the certificate the client uses later to validate the IAS server certificate; if it is missing, the PEAP profile with server validation enabled cannot connect.

  24. Repeat this procedure to add more clients to the domain.

Install the Internet Authentication Service on the Microsoft Windows 2003 server and request a certificate.

In this configuration, the Internet Authentication Service (IAS) is used as the RADIUS server that authenticates the wireless clients with PEAP.

Follow these steps to install and configure IAS on the server:

  1. In the Control Panel, click Add or Remove Programs.

  2. Click Add/Remove Windows Components.

  3. Select Networking Services and click Details.

  4. Select Internet Authentication Service, click OK, and click Next.

  5. Click Finish to complete the IAS installation.

  6. The next step is to install the computer certificate for the Internet Authentication Service (IAS).

  7. Click Start, click Run, type mmc, and click OK.

  8. On the File menu (the Console menu in older MMC versions), click Add/Remove Snap-in.

  9. Click Add to add a snap-in.

  10. Choose Certificates from the list of snap-ins and click Add.

  11. Choose Computer account and click Next.

  12. Choose Local computer and click Finish.

  13. Click Close and then OK.

  14. Expand Certificates (Local Computer), right-click the Personal folder, choose All Tasks, and then click Request New Certificate.

  15. In the Certificate Request Wizard, click Next.

  16. Choose the Domain Controller certificate template (if you request a computer certificate on a server other than the domain controller, choose the Computer certificate template) and click Next.

  17. Enter a name and a description for the certificate.

  18. Click Finish to complete the Certificate Request Wizard.

Configure the Internet Authentication Service for PEAP-MS-CHAP v2 authentication

After you have installed IAS and requested a certificate for it, configure IAS for authentication.

Proceed as follows:

  1. Click Start > Programs > Administrative Tools and click the Internet Authentication Service snap-in.

  2. Right-click Internet Authentication Service (IAS) and click Register Service in Active Directory.

  3. The Register Internet Authentication Service in Active Directory dialog box appears. Click OK. This allows IAS to authenticate users in the Active Directory.

  4. In the next dialog box, click OK.

  5. Add the wireless LAN controller as an AAA client on the MS IAS server.

  6. Right-click RADIUS Clients and choose New RADIUS Client.

  7. Enter a friendly name for the client (WLC in this case) and the IP address of the WLC. Click Next.

  8. On the next page, under Client-Vendor, select RADIUS Standard. Enter the shared secret and click Finish. The same shared secret is entered on the WLC later; it is the only thing that authenticates the RADIUS exchange between the WLC and IAS, so use a long random value rather than a dictionary word.

  9. The WLC is now added to IAS as an AAA client.

  10. Create a remote access policy for the clients.

  11. To do this, right-click Remote Access Policies and choose New Remote Access Policy.

  12. Enter a name for the remote access policy. This example uses the name PEAP. Click Next.

  13. Select the policy conditions according to your needs. In this example, select Wireless as the access method.

  14. On the next page, select User to apply this remote access policy to individual users (or select Group to apply it to a group of wireless users).

  15. Under Authentication Methods, select Protected EAP (PEAP) and click Configure.

  16. On the Protected EAP Properties page, select the appropriate certificate from the Certificate issued drop-down menu and click OK. This is the certificate that IAS presents to the clients in PEAP phase 1; it must be the one issued by Wireless CA, because that is the CA the clients are configured to trust.

  17. Review the details of the remote access policy and click Finish.

  18. The remote access policy is added to the list.

  19. Right-click the policy and click Properties. Under "If a connection request matches the specified conditions", select Grant remote access permission.

Adding users to the Active Directory

In this configuration, the user database is managed in the Active Directory.

To add users to the Active Directory database, do the following:

  1. In the Active Directory Users and Computers console tree, right-click Users, click New, and then click User.

  2. In the New Object - User dialog box, enter the name of the wireless user. This example uses WirelessUser in the First name field and WirelessUser in the User logon name field. Click Next.

  3. In the New Object - User dialog box, enter a password in the Password and Confirm password fields. Clear the User must change password at next logon check box and click Next.

  4. In the New Object - User dialog box, click Finish.

  5. Repeat steps 2 through 4 to create additional user accounts.

Allow wireless access to users

Proceed as follows:

  1. In the Active Directory Users and Computers console tree, click the Users folder. Right-click WirelessUser, click Properties, and then click the Dial-in tab.

  2. Select Allow access and click OK.

Configure the wireless LAN controller and the lightweight APs

Now configure the wireless devices for this setup. This includes the configuration of the wireless LAN controller, the lightweight APs and the wireless clients.

Configuring the WLC for RADIUS authentication via the MS IAS RADIUS server

First configure the WLC so that it uses MS IAS as the authentication server. The WLC must be configured to forward the user credentials to an external RADIUS server; the external RADIUS server then validates the user credentials and grants access to the wireless clients. To do this, add the MS IAS server as a RADIUS server on the Security > RADIUS Authentication page.

Proceed as follows:

  1. Choose Security and RADIUS Authentication in the controller GUI to display the RADIUS Authentication Servers page. Then click New to define a RADIUS server.

  2. Define the RADIUS server parameters on the RADIUS Authentication Servers > New page. These parameters include the IP address of the RADIUS server, the shared secret (the same value that was entered on IAS for the WLC RADIUS client), the port number and the server status. The Network User and Management check boxes determine whether RADIUS-based authentication applies to network users and to management users. This example uses MS IAS as the RADIUS server with the IP address 10.77.244.198.

  3. Click Apply.

  4. The MS IAS server is added to the WLC as a RADIUS server and can be used to authenticate wireless clients.
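To make the role of the shared secret concrete, the following Python script (an added example, not part of the Cisco document and not WLC or IAS code) builds the kind of RADIUS Access-Request the WLC sends to IAS at 10.77.244.198 when it relays the client's EAP-Response/Identity, and then performs the checks each side makes with the shared secret: IAS verifies the Message-Authenticator (HMAC-MD5 over the request, RFC 2869/RFC 3579), and the WLC verifies the Response Authenticator on the Access-Accept (RFC 2865). The secret cisco123, the WLC address 10.77.244.200 and the EAP identity are placeholders assumed for the example.

```python
import hashlib
import hmac
import os
import socket
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2869)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def attr(atype, value):
    """One RADIUS attribute: Type (1 byte), Length (2 + value length), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_identity_response(eap_id, identity):
    """EAP Response/Identity (RFC 3748): Code=2, Identifier, Length, Type=1, identity."""
    body = bytes([EAP_TYPE_IDENTITY]) + identity.encode()
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body


def build_access_request(secret, ident, user, nas_ip, eap, req_auth=None):
    """Access-Request as the WLC (NAS) sends it to IAS. The EAP packet is carried
    in EAP-Message attributes of at most 253 bytes each; Message-Authenticator is
    HMAC-MD5(secret) over the whole packet with its own 16 value bytes zeroed."""
    req_auth = req_auth if req_auth is not None else os.urandom(16)
    attrs = attr(USER_NAME, user.encode()) + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += b"".join(attr(EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(secret, pkt):
    """Server-side check (RFC 3579 section 3.2): an Access-Request that carries
    EAP-Message must carry a valid Message-Authenticator or it is discarded.
    Only the WLC-IAS shared secret makes this check pass."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        return False
    off = 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > len(pkt):
            return False  # malformed attribute
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:off + 2] + bytes(16) + pkt[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[off + 2:off + 18])
        off += alen
    return False  # no Message-Authenticator present at all


def extract_eap(pkt):
    """Reassemble the EAP packet from the EAP-Message fragments (RFC 3579 section 3.1)."""
    out, off = b"", 20
    while off + 2 <= len(pkt):
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2:
            break
        if atype == EAP_MESSAGE:
            out += pkt[off + 2:off + alen]
        off += alen
    return out


def build_response(secret, code, ident, req_auth, attrs):
    """Access-Accept/Challenge/Reject as IAS builds it. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    In the real exchange the Access-Accept also carries the MS-MPPE keys from which
    the WLC derives the PMK ("Creating a new PMK Cache Entry" in the debugs)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, req_auth, pkt):
    """NAS-side check: the reply is bound to our own Request Authenticator and the
    secret, so a forged Access-Accept from a spoofed server address is rejected."""
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    SECRET = b"cisco123"  # placeholder shared secret (assumed for the example)
    req_auth = os.urandom(16)
    eap = eap_identity_response(2, "WIRELESS\\WirelessUser")
    req = build_access_request(SECRET, 1, "WIRELESS\\WirelessUser", "10.77.244.200", eap, req_auth)
    print("IAS accepts request:", verify_message_authenticator(SECRET, req))
    print("Wrong secret:", verify_message_authenticator(b"wrong", req))
    accept = build_response(SECRET, ACCESS_ACCEPT, 1, req_auth, attr(USER_NAME, b"WirelessUser"))
    print("WLC accepts reply:", verify_response(SECRET, req_auth, accept))
```

Note that the secret is never sent on the wire; both checks are keyed hashes, which is why a mismatch between the secret entered on IAS and the one entered on the WLC shows up as silently dropped requests on the server and RADIUS timeouts on the controller rather than as an explicit reject.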

Configure WLAN for the clients

Configure the SSID (WLAN) to which the wireless clients connect. For this example, create the SSID and name it PEAP.

Define Layer 2 authentication as WPA2, so that the clients perform EAP-based authentication (PEAP-MSCHAPv2 in this case) and use AES as the encryption mechanism. Leave all other values at their defaults.

Note: This document binds the WLAN to the management interface. If your network has multiple VLANs, you can create a separate VLAN and bind it to the SSID. For more information on the configuration of VLANs on WLCs, see VLANs on Wireless LAN Controllers Configuration Example.

Proceed as follows to configure a WLAN on the WLC:

  1. In the controller GUI, click WLANs to display the WLANs page. This page lists the WLANs that are configured on the controller.

  2. Choose New to create a new WLAN. Enter the WLAN ID and the WLAN SSID for the WLAN and click Apply.

  3. As soon as you have created the new WLAN, the WLAN > Edit page for the new WLAN appears. On this page you define the various parameters for this WLAN, for example general policies, RADIUS servers, security policies and 802.1X parameters.

  4. Under General Policies, check Admin Status to enable the WLAN. If you want the access point to broadcast the SSID in its beacon frames, check Broadcast SSID.

  5. Under Layer 2 Security, select WPA1+WPA2. This enables WPA on the WLAN. Scroll down the page and select the WPA policy. This example uses WPA2 with AES encryption. Under RADIUS Servers, select the appropriate RADIUS server from the drop-down menu, 10.77.244.198 (the IP address of the MS IAS server) in this example. The other parameters can be changed according to the requirements of the WLAN.

  6. Click Apply.

Configure the wireless clients

Configure the wireless clients for PEAP-MS CHAPv2 authentication

This example describes how to configure the wireless client with the Cisco Aironet Desktop Utility (ADU). Before you configure the client adapter, make sure that it uses the latest version of the firmware and utility. For the latest firmware and utilities, see the Wireless Downloads page on Cisco.com.

To configure the Cisco Aironet 802.11a/b/g Wireless Client Adapter with the ADU, do the following:

  1. Open the Aironet Desktop Utility.

  2. Click Profile Management and then New to define a profile.

  3. On the General tab, enter the profile name and the SSID. This example uses the SSID configured on the WLC (PEAP).

  4. Click the Security tab. Choose WPA/WPA2/CCKM. Under WPA/WPA2/CCKM EAP Type, select PEAP [EAP-MSCHAPv2] and click Configure.

  5. Check Validate Server Certificate and, from the Trusted Root Certification Authorities drop-down menu, select Wireless CA. Do not skip this step: the server certificate check is what ties the TLS tunnel to your own IAS server. A client without it accepts the certificate of any RADIUS server, including one behind a rogue access point that advertises the same SSID, and then sends its MS-CHAPv2 response inside that tunnel.

  6. Click OK and activate the profile.

    Note: If you use Protected EAP-Microsoft Challenge Handshake Authentication Protocol Version 2 (PEAP-MSCHAPv2) with Microsoft XP SP2 and the wireless card is managed by Microsoft Wireless Zero Configuration (WZC), you must apply Microsoft hotfix KB885453. This avoids several authentication problems related to PEAP fast resume.

Review and troubleshooting

To verify that the configuration works as expected, activate the PEAP-MSCHAPv2 profile on wireless client C1.

As soon as the PEAP-MSCHAPv2 profile is activated in the ADU, the client performs open 802.11 authentication and then PEAP-MSCHAPv2 authentication. Here is an example of a successful PEAP-MSCHAPv2 authentication.

Use the debug commands to understand the sequence of events.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

These debug commands on the wireless LAN controller are useful:

  • debug dot1x events enable - Configures debugging of 802.1X events

  • debug aaa events enable - Configures debugging of AAA events

  • debug mac addr <mac> - Restricts the debug output to one client MAC address

  • debug dhcp message enable - Configures debugging of DHCP messages

Here are sample outputs of debug dot1x events enable and debug mac addr.

debug dot1x events enable:

Tue Dec 18 06:58:45 2007: 00:40:96:ac:e6:57 Received EAPOL START from mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:45 2007: 00:40:96:ac:e6:57 Sending EAP-Request/Identity to mobile 00:40:96:ac:e6:57 (EAP Id 2)
Tue Dec 18 06:58:45 2007: 00:40:96:ac:e6:57 Received Identity Response (count=2) from mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:51 2007: 00:40:96:ac:e6:57 Processing Access-Challenge for mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:51 2007: 00:40:96:ac:e6:57 Sending EAP Request from AAA to mobile 00:40:96:ac:e6:57 (EAP Id 3)
Tue Dec 18 06:58:51 2007: 00:40:96:ac:e6:57 Received EAP Response from mobile 00:40:96:ac:e6:57 (EAP Id 3, EAP Type 25)
Processing Access-Accept for mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Creating a new PMK Cache Entry for station 00:40:96:ac:e6:57 (RSN 0)
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Sending EAP-Success to mobile 00:40:96:ac:e6:57 (EAP Id 13)
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Sending default RC4 key to mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Sending key mapping RC4 key to mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Received Auth Success while in Authenticating state for mobile 00:40:96:ac:e6:57

debug mac addr:

Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Association received from mobile 00:40:96:ac:e6:57 on AP 00:0b:85:51:5a:e0
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 STA: 00:40:96:ac:e6:57 - rates (8): 12 18 24 36 48 72 96 108 0 0 0 0 0 0 0 0
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 10.77.244.218 RUN (20) Change state to START (0)
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 10.77.244.218 START (0) Initializing policy
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 10.77.244.218 START (0) Change state to AUTHCHECK (2)
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 10.77.244.218 AUTHCHECK (2) Change state to 8021X_REQD (3)
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 10.77.244.218 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 00:0b:85:51:5a:e0
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Changing state for mobile 00:40:96:ac:e6:57 on AP 00:0b:85:51:5a:e0 from Associated to Associated
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Stopping deletion of Mobile Station: 00:40:96:ac:e6:57 (callerId: 48)
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Sending Assoc Response to station 00:40:96:ac:e6:57 on BSSID 00:0b:85:51:5a:e0 (status 0)
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Changing state for mobile 00:40:96:ac:e6:57 on AP 00:0b:85:51:5a:e0 from Associated to Associated
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 10.77.244.218 Removed NPU entry.
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 dot1x - moving mobile 00:40:96:ac:e6:57 into Connecting state
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Sending EAP-Request/Identity to mobile 00:40:96:ac:e6:57 (EAP Id 1)
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Received EAPOL START from mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 EAP State update from Connecting to Authenticating for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 dot1x - moving mobile 00:40:96:ac:e6:57 into Authenticating state
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Entering Backend Auth Response state for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Processing Access-Challenge for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Entering Backend Auth Req state (id=3) for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Sending EAP Request from AAA to mobile 00:40:96:ac:e6:57 (EAP Id 3)
Wed Dec 19 02:31:49 2007: 00:40:96:ac:e6:57 Received EAP Response from mobile 00:40:96:ac:e6:57 (EAP Id 3, EAP Type 25)
Sending EAP Request from AAA to mobile 00:40:96:ac:e6:57 (EAP Id 11)
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Received EAP Response from mobile 00:40:96:ac:e6:57 (EAP Id 11, EAP Type 25)
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Entering Backend Auth Response state for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Processing Access-Accept for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Creating a new PMK Cache Entry for station 00:40:96:ac:e6:57 (RSN 0)
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Sending EAP-Success to mobile 00:40:96:ac:e6:57 (EAP Id 12)
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Sending default RC4 key to mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Sending key mapping RC4 key to mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4)
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:0b:85:51:5a:e0
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 L2AUTHCOMPLETE (4) Change state to RUN (20)
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 RUN (20) Reached PLUMBFASTPATH: from line 4041
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 RUN (20) Replacing Fast Path rule type = Airespace AP Client on AP 00:0b:85:51:5a:e0, slot 0, interface = 2 ACL Id = 255, Jumbo Frames = NO, 802.1P = 0, DSCP = 0, TokenID = 5006
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 RUN (20) Card = 0 (slot 0), InHandle = 0x00000000, OutHandle = 0x00000000, npuCryptoFlag = 0x0000
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 10.77.244.218 RUN (20) Reached RETURN: from line 4041
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Entering Backend Auth Success state (id=12) for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 Received Auth Success while in Authenticating state for mobile 00:40:96:ac:e6:57
Wed Dec 19 02:31:56 2007: 00:40:96:ac:e6:57 dot1x - moving mobile 00:40:96:ac:e6:57 into Authenticated state
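When the debug output covers more than one client or more than one attempt, reading it by hand is slow. The following Python script is an added example (not part of the Cisco document and not WLC code) that parses WLC debug lines of the form shown above and summarizes, per client MAC, the outcome of the 802.1X/PEAP attempt, the number of RADIUS Access-Challenge round trips, the EAP method type seen (25 = PEAP in the IANA EAP type registry) and the time from EAPOL START to EAP-Success or failure. The sample lines are constructed after the output above; the second and third client MACs, the Access-Reject and the EAP-Failure wording are assumed for the failing cases. A client that rejects the server certificate typically looks like the third client: the WLC relays the first Access-Challenge (the server certificate) and then sees no further EAP response.

```python
import re
from datetime import datetime

# One WLC debug line: "<weekday> <month> <day> <HH:MM:SS> <year>: <client mac> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)

# Message prefixes that mark the milestones of one 802.1X/PEAP attempt.
# The Access-Reject and EAP-Failure wording is assumed, not taken from the page.
MILESTONES = [
    ("eapol_start", "Received EAPOL START"),
    ("identity_request", "Sending EAP-Request/Identity"),
    ("access_challenge", "Processing Access-Challenge"),
    ("access_accept", "Processing Access-Accept"),
    ("access_reject", "Processing Access-Reject"),
    ("eap_success", "Sending EAP-Success"),
    ("eap_failure", "Sending EAP-Failure"),
    ("pmk_cached", "Creating a new PMK Cache Entry"),
]


def parse_line(line):
    """Return (timestamp, mac, message) or None for lines without the WLC prefix
    (elided output, banners, continuation fragments)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["mac"], m["msg"]


def summarize(lines):
    """Per client MAC: outcome, AAA round trips, EAP types seen, seconds from
    EAPOL START to the final EAP result, and whether a PMK was cached."""
    clients = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, msg = parsed
        c = clients.setdefault(mac, {"seen": {}, "challenges": 0, "eap_types": set()})
        for key, prefix in MILESTONES:
            if msg.startswith(prefix):
                c["seen"].setdefault(key, ts)  # keep the first occurrence
        if msg.startswith("Processing Access-Challenge"):
            c["challenges"] += 1
        found = re.search(r"EAP Type (\d+)", msg)
        if found:
            c["eap_types"].add(int(found.group(1)))

    summary = {}
    for mac, c in clients.items():
        seen = c["seen"]
        if "eap_success" in seen:
            outcome = "success"
        elif "access_reject" in seen or "eap_failure" in seen:
            outcome = "rejected"
        else:
            outcome = "incomplete"  # stalled: no final result from AAA for this client
        start = seen.get("eapol_start") or seen.get("identity_request")
        end = seen.get("eap_success") or seen.get("eap_failure") or seen.get("access_reject")
        summary[mac] = {
            "outcome": outcome,
            "aaa_round_trips": c["challenges"],
            "eap_types": sorted(c["eap_types"]),
            "seconds": (end - start).total_seconds() if start and end else None,
            "pmk_cached": "pmk_cached" in seen,
        }
    return summary


# Constructed sample modeled on the debug output above (not captured output).
SAMPLE = """\
Tue Dec 18 06:58:45 2007: 00:40:96:ac:e6:57 Received EAPOL START from mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:45 2007: 00:40:96:ac:e6:57 Sending EAP-Request/Identity to mobile 00:40:96:ac:e6:57 (EAP Id 2)
Tue Dec 18 06:58:45 2007: 00:40:96:ac:e6:57 Received Identity Response (count=2) from mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:51 2007: 00:40:96:ac:e6:57 Processing Access-Challenge for mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:51 2007: 00:40:96:ac:e6:57 Sending EAP Request from AAA to mobile 00:40:96:ac:e6:57 (EAP Id 3)
Tue Dec 18 06:58:51 2007: 00:40:96:ac:e6:57 Received EAP Response from mobile 00:40:96:ac:e6:57 (EAP Id 3, EAP Type 25)
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Processing Access-Accept for mobile 00:40:96:ac:e6:57
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Creating a new PMK Cache Entry for station 00:40:96:ac:e6:57 (RSN 0)
Tue Dec 18 06:58:52 2007: 00:40:96:ac:e6:57 Sending EAP-Success to mobile 00:40:96:ac:e6:57 (EAP Id 13)
Tue Dec 18 06:59:10 2007: 00:40:96:ac:e6:58 Received EAPOL START from mobile 00:40:96:ac:e6:58
Tue Dec 18 06:59:10 2007: 00:40:96:ac:e6:58 Sending EAP-Request/Identity to mobile 00:40:96:ac:e6:58 (EAP Id 1)
Tue Dec 18 06:59:11 2007: 00:40:96:ac:e6:58 Processing Access-Challenge for mobile 00:40:96:ac:e6:58
Tue Dec 18 06:59:11 2007: 00:40:96:ac:e6:58 Processing Access-Challenge for mobile 00:40:96:ac:e6:58
Tue Dec 18 06:59:13 2007: 00:40:96:ac:e6:58 Processing Access-Reject for mobile 00:40:96:ac:e6:58
Tue Dec 18 06:59:13 2007: 00:40:96:ac:e6:58 Sending EAP-Failure to mobile 00:40:96:ac:e6:58 (EAP Id 9)
Tue Dec 18 07:02:00 2007: 00:40:96:ac:e6:59 Received EAPOL START from mobile 00:40:96:ac:e6:59
Tue Dec 18 07:02:00 2007: 00:40:96:ac:e6:59 Sending EAP-Request/Identity to mobile 00:40:96:ac:e6:59 (EAP Id 1)
Tue Dec 18 07:02:01 2007: 00:40:96:ac:e6:59 Processing Access-Challenge for mobile 00:40:96:ac:e6:59
Tue Dec 18 07:02:01 2007: 00:40:96:ac:e6:59 Sending EAP Request from AAA to mobile 00:40:96:ac:e6:59 (EAP Id 2)
"""

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE.splitlines()).items():
        print(mac, info)
```

Run it against a saved debug capture with `summarize(open("wlc-debug.txt").readlines())`. A client whose outcome stays "incomplete" with exactly one Access-Challenge is the usual signature of a supplicant that refused the server certificate or was told to expect a different CA; a "rejected" outcome points at the credentials, the remote access policy or the dial-in permission on the user object instead.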

Note: When using the Microsoft supplicant to authenticate with a Cisco Secure ACS for PEAP authentication, the client may not authenticate successfully. Sometimes the first connection can be successfully authenticated, but subsequent authentication attempts with fast connections are unsuccessful. This is a known problem. The details of this issue and how to fix it can be found here.

Related information