Advice on configuring 802.1X authentication

Our organization has a basic WLAN (3 Aironet 350s). Some users have 350 NICs, but the majority have integrated third-party NICs embedded into their laptops. We also have a Cisco ACS server to which I want all the clients to authenticate. The Cisco NICs do this with no problem; however, I cannot get the third-party NICs to authenticate with the server. The clients all use the Windows XP wireless support feature.

I have created the users on the ACS server using their MAC address as the user name and password and also set the AP up according to Cisco's documentation.

The XP wireless support software is set up to authenticate using PEAP. Please help!

The configuration of 802.1X authentication is not as simple as some people would like to think, and there are many different implementations.

For the purposes of this answer I'm going to assume you have Windows XP on EVERY client and you are using PEAP on each laptop.

A good thing to know about PEAP is that there are two different implementations of PEAP:

  1. PEAP w/ CHAP – Used by Cisco and requires the Cisco ACU and CiscoSecure ACS.
  2. PEAP w/ MS-CHAP v2 – Used by Microsoft and incompatible with Cisco's ACU.

Also good things to know:

  • For ALL 802.1X implementations (PEAP, LEAP, EAP-TLS, etc.) you need a card that supports 128-bit WEP.
  • Not all 128-bit WEP implementations are compatible with each other (please see my earlier postings explaining WEP), thus you may find that some cards simply will NOT work with some access points when you try to use 128-bit WEP OR any type of 802.1X user authentication.

Now, given that you're using cards of all different types, you need to check that each card is compatible with the Cisco Access Points – try using a 128-bit WEP key for testing here.

After you've done that and they all work, you need to make sure that you have CiscoSecure ACS version 3.2. Only the recent release (3.2) supports the Microsoft version of PEAP. Any PEAP support prior to ACS 3.2 will be for Cisco PEAP only and will require Cisco cards with the Cisco ACU (version 6.0 or above) installed onto the laptops.

Hopefully this has sent you in the right direction.
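
One way to check which EAP method each side is proposing when a client fails to authenticate, added here as an example and not part of the original question or answer: the code parses EAPOL payloads taken from a capture and reports when a client rejects the offered method with a Nak. The function names and the sample frames are constructed for illustration; the inner PEAP method (the two variants listed in the answer) is negotiated inside the TLS tunnel and is not visible at this layer.

```python
import struct

# EAP type numbers from the IANA EAP registry for the methods named in the answer.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_eapol(frame: bytes) -> dict:
    """Parse one EAPOL payload (the bytes that follow EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != 0:  # 0 = EAP-Packet; Start/Logoff/Key frames carry no EAP method
        return {"eapol_type": ptype, "eap": None}
    body = frame[4:4 + body_len]  # slicing also drops Ethernet padding
    if len(body) < max(body_len, 4):
        raise ValueError("truncated EAP packet")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if not 4 <= eap_len <= len(body):
        raise ValueError("bad EAP length field")
    info = {"eapol_type": 0, "code": EAP_CODES.get(code, str(code)),
            "id": ident, "method": None, "wanted": []}
    if code in (1, 2) and eap_len >= 5:  # only Request/Response carry a type byte
        mtype = body[4]
        info["method"] = EAP_TYPES.get(mtype, f"type {mtype}")
        if code == 2 and mtype == 3:  # Nak data lists the methods the client accepts
            info["wanted"] = [EAP_TYPES.get(t, f"type {t}") for t in body[5:eap_len]]
    return info

def find_mismatch(frames):
    """Return (offered, wanted) for the first Request answered with a Nak, else None."""
    offered = {}
    for raw in frames:
        p = parse_eapol(raw)
        if p.get("code") == "Request":
            offered[p["id"]] = p["method"]
        elif p.get("code") == "Response" and p["method"] == "Nak":
            return offered.get(p["id"]), p["wanted"]
    return None

def _eapol(code, ident, data=b""):  # helper that builds the constructed frames below
    eap = struct.pack("!BBH", code, ident, 4 + len(data)) + data
    return struct.pack("!BBH", 1, 0, len(eap)) + eap

# Constructed sample exchange (not a real capture): server offers LEAP, client wants PEAP.
SAMPLE = [
    _eapol(1, 1, b"\x01"),                           # Request/Identity
    _eapol(2, 1, b"\x01user"),                       # Response/Identity
    _eapol(1, 2, b"\x11\x01\x00\x08" + bytes(8)),    # Request/LEAP, zeroed challenge
    _eapol(2, 2, b"\x03\x19"),                       # Response/Nak, desired type 25
]
```

A result of `None` means no outer-method Nak was seen, so the failure lies elsewhere, for example inside the PEAP tunnel or in the WEP compatibility the answer describes.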

