Refer to the exhibit. An engineer deployed a Cisco WLC using local EAP. Users who are configured for EAP-PEAP cannot connect to the network. Based on the local EAP debug on the controller provided, why is the client unable to connect?
A.
The client is failing to accept certificate.
B.
The Cisco WLC is configured for the incorrect date.
C.
The Cisco WLC local EAP profile is misconfigured.
User is configured for PEAP authentication. WLC starts EAP-FAST context (Line 3). -> EAP Profile on the WLC needs to be corrected to use PEAP. So C should be correct.
A. The client is failing to accept the certificate.
Explanation:
EAP-PEAP Authentication:
EAP-PEAP (Protected Extensible Authentication Protocol) relies on a server certificate to establish a secure TLS tunnel for authentication. If the client cannot validate or accept the server certificate, the authentication process will fail.
Debug Output Analysis:
The debug output shows the EAP-FAST process, but it does not indicate any issues with the EAP profile configuration or user credentials.
The absence of errors related to invalid credentials or misconfiguration suggests that the issue lies with the certificate exchange between the client and the server.
Common Causes for Certificate Issues:
The server certificate may be self-signed or issued by an untrusted Certificate Authority (CA), causing the client to reject it.
The client may not have the necessary root CA certificate installed to validate the server certificate.
The server certificate may be expired or have an incorrect Common Name (CN) or Subject Alternative Name (SAN).
Why the Other Options Are Incorrect:
B. The Cisco WLC is configured for the incorrect date:
While an incorrect date on the WLC could cause certificate validation issues, this scenario is less common and would typically affect all clients, not just those using EAP-PEAP.
C. The Cisco WLC local EAP profile is misconfigured:
The debug output does not indicate any misconfiguration in the EAP profile. If the profile were misconfigured, the debug logs would likely show errors related to the EAP method or parameters.
D. The user is using invalid credentials:
The debug output does not show any authentication failures related to invalid credentials. If the credentials were incorrect, the logs would indicate a failure during the authentication phase.
I say answer provided is correct, A
The local Eap policy can include Eap-Fast and PEAP, but the debug output is barking about the ciphersuite. Using Local EAP the certificate has to be on the controller and the client. The controller offers its options, but the client has to accept one. See Cisco doc:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215026-local-eap-authentication-on-catalyst-980.html#toc-hId--396697388
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
HOT2012
Highly Voted 2 years, 9 months agoCaradum
Highly Voted 2 years, 1 month agorrahim
Most Recent 1 week agorrahim
1 week agoGumpy1
3 months, 3 weeks agoahmedshahas
8 months, 4 weeks agoahmedshahas
8 months, 4 weeks ago