RE: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2

Lora,

Another two things I would look at are the debugs from the WLC for AAA authentication and that you've loaded a trusted certificate on the ACS box. Then make sure the clients are set to validate to that certificate on the PEAP properties of the Authentication tab.

One more thing to check, assuming the SSID isn't in guest mode, SP3 added a really nifty checkbox (unchecked by default) under the Association tab, Connect even if this network is not broadcasting. Make sure that's checked as well.

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Alexei Monastyrnyi
Sent: Wednesday, July 22, 2009 6:11 AM
To: Lora Ganeva
Cc: ccielab_at_groupstudy.com
Subject: Re: 802.1x with ACS 5.0 and WLC PEAP/MSCHAPv2

Hey Lora.

I haven't seen ACS 5 live but from what you have told us, this shouldn't
be a version-specific issue.

I'd check the following:
- if there is a port mismatch on WLC vs ACS, i.e. 1645 vs 1812 or the
other way around.
- if you block those ports somewhere in between.
- if your WLC IP address is AAA client for ACS with correct shared secret.
- if your logging for failed attempts is configured correctly on ACS (it
is all right by default)

I'd also try to download some RADIUS authentication test tool, plenty of
them, just google for one.

HTH,
A.

Lora Ganeva wrote:
> Dear experts,
>
>
>
> I am facing problems with the following setup:
>
>
>
> Cisco WLC with light weight APs and the latest ACS 5.0.
>
> I am trying to put a successful PEAP session, but for some reason RADIUS
> requests are sent from the WLC towards the ACS, but there is no response
> from the Radius. One additional problem with troubleshooting is the fact
> that my ACS fails to log this communication. The ACS is trial and I
> cannot contact the TAC for support. Do you have any experience in
> scenarios like this?
>
> Clients are windows XP SP3 computers with all the Microsoft settings and
> hotfixes applied, incl. registry settings, etc.
>
>
>
> Any help will be appreciated,
>
>
>
> Thanks in advance,
>
> Lora
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Wed Jul 22 2009 - 07:04:01 ART