PEAP re-authentication problems
Archived thread: Radius Server, October 2004
Michiel 2004-10-05, 5:57 pm

Hi,
I've implemented the "Securing Wireless LANs with PEAP and Passwords"
solution from MS with a Cisco AP1200 in a test environment but I'm
having some problems with re-authentication. Both the AP1200 and CB20A
wireless adapter use the latest drivers and firmware. Client is an XP
SP2 machine.
The laptop first authenticates as it should, but if it needs to
re-authenticate it cannot get back on the network. To get back on I
need to reboot the laptop.
On the IAS server I see these events in the event log:
Machine authentication:
User host/WIFILT.WIFISEC.LOCAL was granted access.
Fully-Qualified-User-Name = WIFISEC\WIFILT$
NAS-IP-Address = 10.60.59.111
NAS-Identifier = ap
Client-Friendly-Name = AP
Client-IP-Address = 10.60.59.111
Calling-Station-Identifier = 000d.edb5.926f
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 8
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Allow Wireless LAN Access
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
User authentication:
User WIFISEC\Administrator was granted access.
Fully-Qualified-User-Name = WIFISEC\Administrator
NAS-IP-Address = 10.60.59.111
NAS-Identifier = ap
Client-Friendly-Name = AP
Client-IP-Address = 10.60.59.111
Calling-Station-Identifier = 000d.edb5.926f
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 8
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Allow Wireless LAN Access
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
When I try to re-authenticate I get one user error:
User host/WIFILT.WIFISEC.LOCAL was denied access.
Fully-Qualified-User-Name = WIFISEC\Administrator
NAS-IP-Address = 10.60.59.111
NAS-Identifier = ap
Called-Station-Identifier = 000c.8573.197e
Calling-Station-Identifier = 000d.edb5.926f
Client-Friendly-Name = AP
Client-IP-Address = 10.60.59.111
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 10
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Allow Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the
Extensible Authentication Protocol (EAP) Type cannot be processed by
the server.
And after that multiple machine authentication errors:
User host/WIFILT.WIFISEC.LOCAL was denied access.
Fully-Qualified-User-Name = WIFISEC\WIFILT$
NAS-IP-Address = 10.60.59.111
NAS-Identifier = ap
Called-Station-Identifier = 000c.8573.197e
Calling-Station-Identifier = 000d.edb5.926f
Client-Friendly-Name = AP
Client-IP-Address = 10.60.59.111
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 11
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Allow Wireless LAN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the
Extensible Authentication Protocol (EAP) Type cannot be processed by
the server.
What am I doing wrong???
Kind Regards, Michiel
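A detection-side reading of the events above, as an added example that is not part of the original thread: a small Python parser that splits IAS text events into records and tags the failure pattern shown here (Authentication-Type EAP with EAP-Type <undetermined>, Reason-Code 22, and an outer identity of host/... that resolves to a non-computer account). The sample input is constructed from two of the events quoted in the post; the tag names are my own.

```python
import re
# Constructed sample: the first success and the first failure quoted above, cut to the fields read below.
SAMPLE_EVENTS = """\
User host/WIFILT.WIFISEC.LOCAL was granted access.
Fully-Qualified-User-Name = WIFISEC\\WIFILT$
Calling-Station-Identifier = 000d.edb5.926f
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
User host/WIFILT.WIFISEC.LOCAL was denied access.
Fully-Qualified-User-Name = WIFISEC\\Administrator
Calling-Station-Identifier = 000d.edb5.926f
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
"""
HEADER = re.compile(r"^User (?P<identity>\S+) was (?P<result>granted|denied) access\.$")

def parse_ias_events(text):
    """One dict per 'User ... access.' block; 'Key = Value' lines become keys."""
    events = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            events.append({"identity": m["identity"], "result": m["result"]})
        elif events and " = " in line:
            key, _, value = line.partition(" = ")
            events[-1][key] = value
    return events

def findings(event):
    """Anomaly tags for one event (my own names); an empty list means clean."""
    tags = []
    if event.get("Authentication-Type") == "EAP" and event.get("EAP-Type") == "<undetermined>":
        tags.append("eap-type-undetermined")  # no EAP method was negotiated
    if event.get("Reason-Code") == "22":
        tags.append("reason-22")  # 'EAP Type cannot be processed by the server'
    fqun = event.get("Fully-Qualified-User-Name", "")
    if event["identity"].startswith("host/") and not fqun.endswith("$"):
        tags.append("machine-identity-resolved-to-user-account")
    return tags

def triage(text):
    """Per client MAC: (number of denials, sorted distinct tags across its events)."""
    report = {}
    for ev in parse_ias_events(text):
        entry = report.setdefault(ev.get("Calling-Station-Identifier", "?"), [0, set()])
        entry[0] += ev["result"] == "denied"
        entry[1].update(findings(ev))
    return {mac: (n, sorted(tags)) for mac, (n, tags) in report.items()}
```

Run over a full IAS text export, `triage` groups the findings by client MAC so a station that keeps failing re-authentication stands out from one-off denials.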

James McIllece [MS] 2004-10-05, 5:57 pm

michielboterenbrood@hotmail.com (Michiel) wrote in
news:3818ca7d.0410050546.626cc1df@posting.google.com:
Hi Michiel --
Make sure that "Enable Fast Reconnect" is checked in IAS remote access
policies on the authentication tab (you need to drill down into certificate
properties to find this setting.) Verify that the IAS server has a valid
certificate selected also. Your server cert must meet the minimum server
cert requirements in the Help topic "Network access authentication and
certificates" in Windows Server 2003 IAS or VPN Help, or on the web at
http://www.microsoft.com/resources/.../2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_VPN_und15.asp.
A more comprehensive resource against which you can verify all of your
settings is the whitepaper "Enterprise Deployment of Secure 802.11 Networks
Using Microsoft Windows" at
http://www.microsoft.com/windowsser...s/default.mspx.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.

Michiel 2004-10-06, 2:51 am

Hi James,
Thanks for your response,
In another thread you replied to I sort of found the same problem:
http://groups.google.com/groups?hl=...internet.radius
Could this be the same problem?
The problem is the EAP type I think, the successful attempts have
this EAP Type:
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
And the failed attempts this one:
Authentication-Type = EAP
EAP-Type = <undetermined>
How do I tell winXP and/or the AP to always use the PEAP
authentication type???
Regards, Michiel
"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message news:<Xns957970709DDA2jamesmcionlinemicros@207.46.248.16>...

James McIllece [MS] 2004-10-07, 5:49 pm

michielboterenbrood@hotmail.com (Michiel) wrote in
news:3818ca7d.0410060013.459e0d05@posting.google.com:
You should be able to configure the AP to require EAP, but I don't know if
you can specify PEAP on an AP, I guess it depends on the AP.
But for IAS it is easy to require PEAP -- just make sure that on the
profile of the remote access policy the Authentication tab has NO
authentication methods selected (none of the check boxes should be
checked).
Then click on the EAP Methods button to verify your configuration of PEAP.
That's all there is to it.
As for the related post, I am not sure if it's related. :-) I guess it is
possible if you are using a cisco NAS.
--
James McIllece, Microsoft

Michiel 2004-10-11, 2:47 am

Hi James,
I think the AP is configured correctly (according to Cisco docs). How
do I configure IAS to accept the failed EAP authentication attempts??
Regards, Michiel
"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message news:<Xns957B7322984ADjamesmcionlinemicros@207.46.248.16>...

James McIllece [MS] 2004-10-15, 9:25 pm

michielboterenbrood@hotmail.com (Michiel) wrote in
news:3818ca7d.0410110006.708f0401@posting.google.com:
There are two things that will help here:
rastls.log (peap logs) and raschap.log (mschapv2 logs).
You can generate them by typing the following at a command line:
NETSH RAS SET TRACING RASTLS ENABLE
NETSH RAS SET TRACING RASCHAP ENABLE
The logs will be generated in %WINDIR%\tracing
That will really help in tracking this down.
You can post the logs in this newsgroup or you can email them to
wsdocs@nospam-online.microsoft.com and I will get them (remove the nospam
segment of the address, of course).
--
James McIllece, Microsoft