IAS PEAP/MSCHAPv2 with Cisco 1200 Access Point - Help!
Posted on 2007-11-26
I am trying to migrate from WEP to WPA and have set up a test environment where I am trying to use WPA/PEAP/MSCHAPv2 encryption/authentication using the following:
- Cisco 1200 Access Points
- Windows 2003 IAS
- Windows XP SP2 Clients
Setup is as follows:
- Cisco 1200 Access Point
  - Encryption : ciphers + tkip
  - Authentication : open+EAP
  - Key Management : wpa
  - RADIUS Server : IP configured with key
- IAS on Windows 2003
  - Policy Conditions: Domain Users, Domain Computers (No specific conditions for authentication type)
  - Authentication Tab: EAP -> Protected EAP
  - Encryption Tab: MPPE 128 bit
  - Advanced : Service-Type RADIUS Standard Framed
- Windows XP SP2
At the moment I am using the Dell config to try and connect to my SSID. I have tried all sorts of encryption and authentication schemes:
- WPA/Auto and PEAP/MSCHAPv2
- WPA/Auto and TTLS/MSCHAPv2
- WPA/Auto and TLS/MSCHAPv2
- 802.1x and PEAP/MSCHAPv2

Authentication requests are reaching the IAS server, and when using WPA/Auto and TTLS/MSCHAPv2 I get the following error in the SYSTEM log:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
User NAME1 was denied access.
Fully-Qualified-User-Name = domain.com/UK/Users/Name1
NAS-IP-Address = 10.2.2.1
NAS-Identifier = <not present>
Client-Friendly-Name = 1200-Test
Client-IP-Address = 10.1.1.2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 646
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = jllwireless-dubai
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I have turned on both IAS and RRAS tracing, and the following excerpts seem useful:
 11-26 16:37:19:534: Successfully validated windows account.
 11-26 16:37:19:534: Allowed EAP type: 25
 11-26 16:37:19:924: EAP NAK; proposed type = 21
 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
 11-26 16:37:19:924: Injecting the profile
 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.
My IAS server has a VeriSign-purchased WLAN SSL certificate and the IAS server has been registered within AD.
If anyone can help me with the setup I would appreciate it.
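
The trace excerpt in the post, run through a small parser (an added example, not part of the original post): it maps the numeric EAP types to method names from the IANA EAP registry and checks whether the type the client proposed in its NAK is one the server allows. The function names are hypothetical, and the parser assumes the excerpt covers a single authentication attempt.

```python
import re

# EAP method numbers from the IANA EAP registry (only the ones relevant here).
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

ALLOWED_RE = re.compile(r"Allowed EAP type:\s*(\d+)")
NAK_RE = re.compile(r"EAP NAK; proposed type\s*=\s*(\d+)")

# Trace lines copied from the post above.
SAMPLE_TRACE = """\
 11-26 16:37:19:534: Successfully validated windows account.
 11-26 16:37:19:534: Allowed EAP type: 25
 11-26 16:37:19:924: EAP NAK; proposed type = 21
 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
 11-26 16:37:19:924: Injecting the profile
 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.
"""

def eap_name(num):
    """Render an EAP type number as 'NAME (number)'."""
    return f"{EAP_TYPES.get(num, 'unknown')} ({num})"

def analyze_trace(text):
    """Collect the EAP types the server policy allows and the types the
    client proposed in its NAK, and report whether they overlap.
    Assumes the text covers one authentication attempt."""
    allowed, proposed, failed = [], [], False
    for line in text.splitlines():
        m = ALLOWED_RE.search(line)
        if m:
            allowed.append(int(m.group(1)))
        m = NAK_RE.search(line)
        if m:
            proposed.append(int(m.group(1)))
        if "EAP negotiation failed" in line:
            failed = True
    common = sorted(set(allowed) & set(proposed))
    return {"allowed": allowed, "proposed": proposed,
            "common": common, "failed": failed}

def summarize(result):
    """One-line diagnosis of the negotiation."""
    a = ", ".join(eap_name(n) for n in result["allowed"]) or "none seen"
    p = ", ".join(eap_name(n) for n in result["proposed"]) or "none seen"
    verdict = "common type available" if result["common"] else "no common EAP type"
    return f"server allows {a}; client proposed {p}; {verdict}"

if __name__ == "__main__":
    print(summarize(analyze_trace(SAMPLE_TRACE)))
```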