From: Roel B on 1 May 2006 09:15

Hi all,

I've been busy for several days now, trying to make PEAP work. I think I'm almost there, just the last step is not happening. I'm trying to make PEAP verification work with RSA SecurID to secure my wireless LAN.

According to RSA's manual I should get (and I do get) a pop-up message which appears above the Windows system tray: "Click here to select a certificate or other credentials for connection to the network MyWlan". When I click the message I should get a second pop-up saying: "Click here to process your logon information for the network MyWlan". Instead of that second pop-up, I get nothing.

When I debug my Aironet 1200 access point, I see the following happening when I click that first pop-up message:

May 1 12:59:06.839: RADIUS: User-Name [1] 19 "PEAP-000AB7BB4705"
May 1 12:59:06.839: RADIUS: Framed-MTU [12] 6 1400
May 1 12:59:06.839: RADIUS: Called-Station-Id [30] 16 "000d.edab.795e"
May 1 12:59:06.839: RADIUS: Calling-Station-Id [31] 16 "000a.b7bb.4705"
May 1 12:59:06.840: RADIUS: Service-Type [6] 6 Login [1]
May 1 12:59:06.840: RADIUS: Message-Authenticato[80] 18 *
May 1 12:59:06.840: RADIUS: EAP-Message [79] 24
May 1 12:59:06.840: RADIUS: 02 02 00 16 01 50 45 41 50 2D 30 30 30 41 42 37 [?????PEAP-000AB7]
May 1 12:59:06.841: RADIUS: 42 42 34 37 30 35 [BB4705]
May 1 12:59:06.841: RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]
May 1 12:59:06.841: RADIUS: NAS-Port [5] 6 3217
May 1 12:59:06.841: RADIUS: NAS-IP-Address [4] 6 10.13.33.6
May 1 12:59:11.888: RADIUS: no sg in radius-timers: ctx 0xC3EFC4 sg 0x0000

As you can see, somehow the system "makes up" my logon credentials, by choosing PEAP- + MAC address as a username. I can't seem to find a way to provide logon credentials by getting that second pop-up.

Has anybody ever experienced this problem or does anybody have any ideas?

Thanks in advance!
Roel
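Added example, not part of the original thread: a small EAP header parser (field layout per RFC 3748) run over the EAP-Message bytes from the debug output above. It shows that the frame is an EAP-Response/Identity carrying the string PEAP-000AB7BB4705; the function names are this example's own.

```python
import struct

# EAP codes and a few method type numbers (RFC 3748 / IANA EAP registry).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 6: "GTC",
             13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}

# EAP-Message payload copied from the two hex lines of the debug output.
DEBUG_HEX = ("02 02 00 16 01 50 45 41 50 2D 30 30 30 41 42 37 "
             "42 42 34 37 30 35")


def parse_eap(packet: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError(f"EAP length {length} does not fit {len(packet)} bytes")
    parsed = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident,
              "length": length, "type": None, "data": b""}
    if code in (1, 2):  # only Request/Response carry a Type field
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        parsed["type"] = EAP_TYPES.get(packet[4], f"unknown({packet[4]})")
        parsed["data"] = packet[5:length]
    return parsed


def summarize(packet: bytes) -> str:
    """One-line description suitable for comparing against AP or server logs."""
    p = parse_eap(packet)
    if p["type"] == "Identity":
        identity = p["data"].decode("ascii", "replace")
        return f'EAP-{p["code"]}/Identity id={p["id"]} identity={identity!r}'
    return f'EAP-{p["code"]} id={p["id"]} type={p["type"]} ({len(p["data"])} data bytes)'


if __name__ == "__main__":
    print(summarize(bytes.fromhex(DEBUG_HEX)))
```

The declared EAP length (0x0016 = 22) plus the 2-byte RADIUS attribute header matches the attribute length 24 shown in the debug line.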

From: Gary on 2 May 2006 15:02

Roel B wrote:

> I've been busy for several days now, trying to make PEAP work. I think I'm
> almost there, just the last step is not happening.
> I'm trying to make PEAP verification work with RSA SecurID to secure my
> wireless LAN.

Was PEAP authentication working prior to bringing SecurID in to the mix? Also, what Cisco gear are you using for APs, mgmt switch, etc.? I've set up Cisco/Airespace gear with PEAP and Microsoft IAS/RADIUS but my knowledge of other Cisco APs is limited.

-Gary

From: Aaron Leonard on 3 May 2006 20:27

On Tue, 02 May 2006 12:02:29 -0700, Gary <garyd(a)efn.org.spamsux> wrote:

~ Roel B wrote:
~
~ > I've been busy for several days now, trying to make PEAP work. I think I'm
~ > almost there, just the last step is not happening.
~ > I'm trying to make PEAP verification work with RSA SecurID to secure my
~ > wireless LAN.
~
~ Was PEAP authentication working prior to bringing SecurID in to the mix?
~ Also, what Cisco gear are you using for APs, mgmt switch, etc.? I've set
~ up Cisco/Airespace gear with PEAP and Microsoft IAS/RADIUS but my
~ knowledge of other Cisco APs is limited.
~
~ -Gary

Also: which PEAP supplicant are you using, and which PEAP flavor (PEAP-GTC or MS-PEAP)? As far as I know, MS-PEAP doesn't work with tokens.

Aaron

From: BG on 4 May 2006 08:08

There is not much config needed on the AP for PEAP. I would look at logs (or sniff) on your auth server rather than trying to troubleshoot on your AP.

-Barry

"Aaron Leonard" <Aaron(a)Cisco.COM> wrote in message news:0fii52tgs1dpb51qvm0vhqr5khb0665oou(a)4ax.com...

> On Tue, 02 May 2006 12:02:29 -0700, Gary <garyd(a)efn.org.spamsux> wrote:
>
> ~ Roel B wrote:
> ~
> ~ > I've been busy for several days now, trying to make PEAP work. I think I'm
> ~ > almost there, just the last step is not happening.
> ~ > I'm trying to make PEAP verification work with RSA SecurID to secure my
> ~ > wireless LAN.
> ~
> ~ Was PEAP authentication working prior to bringing SecurID in to the mix?
> ~ Also, what Cisco gear are you using for APs, mgmt switch, etc.? I've set
> ~ up Cisco/Airespace gear with PEAP and Microsoft IAS/RADIUS but my
> ~ knowledge of other Cisco APs is limited.
> ~
> ~ -Gary
>
> Also: which PEAP supplicant are you using, and which PEAP flavor (PEAP-GTC
> or MS-PEAP)? As far as I know, MS-PEAP doesn't work with tokens.
>
> Aaron

From: vin.mclellan on 5 May 2006 05:51

I'm not savvy enough about PEAP to plumb your problem, but -- looking ahead -- you might want to review RSA's PEAP-POTP protocol (Protected OTPs) which has some nice advantages: two-way authentication, key distribution, OTP authentication, and armor against even Active MitM attacks like the "Evil Twin" lure of a masquerading WiFi AP.

I don't recall what the IETF status of this RFC is, but RSA (for which I am a consultant) recently announced that EAP-POTP would be fully supported in its new 6.1 Authentication Manager and the appropriate RSA Authentication Agents.

You can check out EAP-POTP on the RSA Labs website: <http://www.rsasecurity.com/rsalabs/node.asp?id=2820>.

Hope this is helpful.

_Vin