Radius Server - IAS, PEAP-MSCHAPv2, Windows XP Wireless can't authenticate !







Laurent H.

2005-04-06, 7:53 am

Hello,

I'm having trouble making my wireless network work with IAS and
PEAP-MSCHAPv2.

I made all the setup needed:
Active Directory
IAS server with a correct certificate trusted by the workstations
Wireless AP that supports RADIUS (Linksys WAP54G)

My XP client tries to authenticate but stays at that step forever, and IAS
does not complain about anything (nothing in the event log or in the RADIUS log).

If I uncheck "use my logon credentials", it asks me for credentials:
- If I put in good credentials, it does the same (authenticating forever), with
no error in the IAS event log
- If I put in whatever, IAS says that the username is not good and Windows XP
asks me for new credentials after some time
- If I put in a good username and a bad password, IAS says that the password is bad
and XP asks me for a new one.

Do you know what my problem could be?

Regards,

Laurent


Thomas K

2005-04-06, 7:53 am

It seems like all components can talk. I think I've run into that problem
already.

You're sure XP trusts the CA that issued the server cert to IAS? That means
XP has the CA cert in its Trusted Root store.
Also, did you explicitly trust the CA in the WZCSVC UI?



"Laurent H." <laurent.news@kally.net> wrote in message
news:4253ce1a$0$12226$626a14ce@news.free.fr...
> Hello,
>
> I'm having trouble making my wireless network work with IAS and
> PEAP-MSCHAPv2.
>
> I made all the setup needed:
> Active Directory
> IAS server with a correct certificate trusted by the workstations
> Wireless AP that supports RADIUS (Linksys WAP54G)
>
> My XP client tries to authenticate but stays at that step forever, and IAS
> does not complain about anything (nothing in the event log or in the RADIUS
> log).
>
> If I uncheck "use my logon credentials", it asks me for credentials:
> - If I put in good credentials, it does the same (authenticating forever),
> with no error in the IAS event log
> - If I put in whatever, IAS says that the username is not good and Windows XP
> asks me for new credentials after some time
> - If I put in a good username and a bad password, IAS says that the password
> is bad and XP asks me for a new one.
>
> Do you know what my problem could be?
>
> Regards,
>
> Laurent
>
>



Laurent H.

2005-04-06, 7:53 am

"Thomas K" <thomas@kuborn.be> wrote in message news:
4253d30b$0$44092$5fc3050@dreader2.news.tiscali.nl...
> It seems like all components can talk. I think I've run into that problem
> already.
>
> You're sure XP trusts the CA that issue the server cert to IAS? That means
> XP has the CA cert in its Trusted Root store




Hello, thanks for your response.
The Root CA is automatically added by Active Directory to the Trusted Root
store. If I open the Root CA certificate, it is shown as valid and trusted.


> Also, did you explicitly trust the CA in the WZCSVC UI?
>


Sorry, what does WZCSVC UI mean?

Regards,

Laurent


Thomas K

2005-04-06, 7:53 am

When you right-click on a network connection & go into its properties you
have an Authentication tab.
Hit "Properties" again.
You'll see a section "Trusted Root Certification Authorities".
Try to enforce CA trust there & see if it helps.

Cheerio,

/T

"Laurent H." <laurent.news@kally.net> wrote in message
news:4253d541$0$12190$626a14ce@news.free.fr...
> "Thomas K" <thomas@kuborn.be> wrote in message news:
> 4253d30b$0$44092$5fc3050@dreader2.news.tiscali.nl...
>
>
>
> Hello, thanks for your response.
> The Root CA is automatically added by Active Directory to the Trusted Root
> store. If I open the Root CA certificate, it is shown as valid and trusted.
>
>
>
> Sorry, what does WZCSVC UI mean?
>
> Regards,
>
> Laurent
>
>



Laurent H.

2005-04-06, 5:57 pm


"Thomas K" <thomas@kuborn.be> wrote in message news:
4253dc1b$0$44098$5fc3050@dreader2.news.tiscali.nl...
> When you right-click on a network connection & go into its properties you
> have an Authentication tab.
> Hit "Properties" again.
> You'll see a section "Trusted Root Certification Authorities".
> Try to enforce CA trust there & see if it helps.
>
> Cheerio,
>
> /T


Unfortunately it does not.

Someone had the same problem: the problem was that his IAS was multihomed
like mine. But even with only one IP on the server, I still have the
problem.

So I definitely don't know what I can do to make it work. Very strange,
it seems that it is pretty simple... I activated tracing, and
everything seems good (success, done, ok, challenge ok etc).

I tried XP SP1 and XP SP2... Nothing...

Regards,
Laurent


Laurent H.

2005-04-07, 2:50 am


"Laurent H." <laurent.news@kally.net>

> Hello,
>
> I'm having trouble making my wireless network work with IAS and
> PEAP-MSCHAPv2.
>
> I made all the setup needed:
> Active Directory
> IAS server with a correct certificate trusted by the workstations
> Wireless AP that supports RADIUS (Linksys WAP54G)
>
> My XP client tries to authenticate but stays at that step forever, and IAS
> does not complain about anything (nothing in the event log or in the RADIUS
> log).
>
> If I uncheck "use my logon credentials", it asks me for credentials:
> - If I put in good credentials, it does the same (authenticating forever),
> with no error in the IAS event log
> - If I put in whatever, IAS says that the username is not good and Windows XP
> asks me for new credentials after some time
> - If I put in a good username and a bad password, IAS says that the password
> is bad and XP asks me for a new one.
>
> Do you know what my problem could be?
>
> Regards,
>
> Laurent
>


It seems my Linksys WAP54G has problems communicating with IAS for some
reason. I saw a lot of people say that it works, but they all use Windows 2003
IAS whereas I'm using W2K...

I tested 2 workstations (XP SP1 and XP SP2), I even tested the Intel PROSet
wireless client, and the result is the same: with a false user identity, the
connection is logged and rejected in IAS; with a correct identity, nothing
happens, the XP client passes the "Verifying identity" step but blocks on
"authenticating" forever...

How can I see the dialog between the NAS (Linksys) and IAS?

Regards,

Laurent


Thomas K

2005-04-07, 7:49 am

Set up a network sniffer (I recommend Ethereal) on IAS & capture UDP:1645 &
UDP:1812
http://www.ethereal.com/

Don't hesitate to post the capture file.

/T

> It seems my Linksys WAP54G has problems communicating with IAS for some
> reason. I saw a lot of people say that it works, but they all use Windows
> 2003 IAS whereas I'm using W2K...
>
> I tested 2 workstations (XP SP1 and XP SP2), I even tested the Intel PROSet
> wireless client, and the result is the same: with a false user identity, the
> connection is logged and rejected in IAS; with a correct identity, nothing
> happens, the XP client passes the "Verifying identity" step but blocks on
> "authenticating" forever...
>
> How can I see the dialog between the NAS (Linksys) and IAS?
>
> Regards,
>
> Laurent



Laurent H.

2005-04-07, 7:49 am


"Thomas K" <thomas@kuborn.be>
> Set up a network sniffer (I recommend Ethereal) on IAS & capture UDP:1645 &
> UDP:1812
> http://www.ethereal.com/
>
> Don't hesitate to post the capture file.
>
> /T


Thanks for the links.

Here is my capture file in Ethereal format.
It makes a loop with "RADIUS ACCESS REQUEST" (from the NAS) and "RADIUS
ACCESS CHALLENGE" (from IAS).
I don't know what to deduce from that...

Regards,

Laurent



Laurent H.

2005-04-07, 7:49 am


"Laurent H." <laurent.news@kally.net> wrote in message news:
4254fa86$1$12196$626a14ce@news.free.fr...
> Here is my capture file in Ethereal format.


Sorry:

File is at http://www.kally.net/capt.cap


Thomas K

2005-04-07, 7:49 am

You could also get a capture on the XP machine;
look for ether proto 0x888e (EAP).


"Laurent H." <laurent.news@kally.net> wrote in message
news:4254fb6d$0$12189$626a14ce@news.free.fr...
>
> "Laurent H." <laurent.news@kally.net> wrote in message news:
> 4254fa86$1$12196$626a14ce@news.free.fr...
>
> Sorry:
>
> File is at http://www.kally.net/capt.cap
>
>



Thomas K

2005-04-07, 7:49 am

The loop repeats every 30s, which matches a dot1x timer in the dot1x state
machine.
The authentication process seems to be broken after the
RADIUS/ACCESS/CHALLENGE message sent by IAS to the authenticator.
The authenticator is probably translating the RADIUS/ACCESS/CHALLENGE into
EAP/REQUEST.

A trace on the XP supplicant would help to see how XP is responding (if it
is at all... I doubt it is actually) to the EAP/REQUEST matching the last
RADIUS/ACCESS/CHALLENGE.

Cheers,

/T

"Laurent H." <laurent.news@kally.net> wrote in message
news:4254fb6d$0$12189$626a14ce@news.free.fr...
>
> "Laurent H." <laurent.news@kally.net> wrote in message news:
> 4254fa86$1$12196$626a14ce@news.free.fr...
>
> Sorry:
>
> File is at http://www.kally.net/capt.cap
>
>



Thomas K

2005-04-07, 7:49 am

You could, in the XP supplicant, disable "server certificate validation" &
see if that helps?

Cheers,

/T

"Thomas K" <thomas@kuborn.be> wrote in message
news:42550272$0$44074$5fc3050@dreader2.news.tiscali.nl...
> The loop repeats every 30s, which matches a dot1x timer in the dot1x state
> machine.
> The authentication process seems to be broken after the
> RADIUS/ACCESS/CHALLENGE message sent by IAS to the authenticator.
> The authenticator is probably translating the RADIUS/ACCESS/CHALLENGE into
> EAP/REQUEST.
>
> A trace on the XP supplicant would help to see how XP is responding (if it
> is at all... I doubt it is actually) to the EAP/REQUEST matching the last
> RADIUS/ACCESS/CHALLENGE.
>
> Cheers,
>
> /T
>
> "Laurent H." <laurent.news@kally.net> wrote in message
> news:4254fb6d$0$12189$626a14ce@news.free.fr...
>
>



Laurent H.

2005-04-07, 7:49 am


"Thomas K" <thomas@kuborn.be> wrote in message news:
4255035e$0$44080$5fc3050@dreader2.news.tiscali.nl...
> You could, in the XP supplicant, disable "server certificate validation" &
> see if that helps?
>
> Cheers,
>
> /T


No, that does not...
I tried Ethereal. It doesn't work on my XP SP2 machine. I will try on the XP SP1
machine.

Regards,

Laurent


Laurent H.

2005-04-07, 7:49 am


"Thomas K" <thomas@kuborn.be> wrote in message news:
4255017b$0$44097$5fc3050@dreader2.news.tiscali.nl...
> You could also get a capture on the XP machine
> look for ether proto 0x888e (EAP)
>
>


http://www.kally.net/captxpsp1.cap

Many thanks.


Laurent H.

2005-04-07, 7:49 am


"Thomas K" <thomas@kuborn.be> wrote in message news:
42550272$0$44074$5fc3050@dreader2.news.tiscali.nl...
> The loop repeats every 30s, which matches a dot1x timer in the dot1x state
> machine.
> The authentication process seems to be broken after the
> RADIUS/ACCESS/CHALLENGE message sent by IAS to the authenticator.
> The authenticator is probably translating the RADIUS/ACCESS/CHALLENGE into
> EAP/REQUEST.
>
> A trace on the XP supplicant would help to see how XP is responding (if it
> is at all... I doubt it is actually) to the EAP/REQUEST matching the last
> RADIUS/ACCESS/CHALLENGE.
>
> Cheers,
>
> /T


The trace also loops every 30 seconds...

Also, I see some packets sent by IAS with an "MS CHAP DOMAIN" of "\000LGL"
whereas my domain is LGLE. I find that strange...

Regards,


Thomas K

2005-04-07, 7:49 am

Weird...

RADIUS communication breaks after RADIUS/CHALLENGE.
EAP communication breaks after EAP/RESPONSE.

When IAS sends RADIUS/CHALLENGE, the AP should relay that as EAP/REQUEST to
the supplicant.
When the supplicant sends EAP/RESPONSE, the AP should relay that as RADIUS/REQUEST
to IAS.

There is a loop because the supplicant initiates reauthentication by sending
an EAPOL/Start packet 30 seconds after it has received no packet following the
last EAP/RESPONSE it sent...

I suspect something in the authenticator... that for some reason it is not
relaying the EAP/RESPONSE to IAS...
Anything you can see inside the authenticator?

/T


"Laurent H." <laurent.news@kally.net> wrote in message
news:42551c4a$0$12191$626a14ce@news.free.fr...
>
> "Thomas K" <thomas@kuborn.be> wrote in message news:
> 42550272$0$44074$5fc3050@dreader2.news.tiscali.nl...
>
> The trace also loops every 30 seconds...
>
> Also, I see some packets sent by IAS with an "MS CHAP DOMAIN" of "\000LGL"
> whereas my domain is LGLE. I find that strange...
>
> Regards,
>
>


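The relay behaviour Thomas describes (Access-Challenge out of IAS must come back as an Access-Request carrying the same State and the matching EAP-Response, otherwise the supplicant restarts with EAPOL-Start after 30 s) can be checked mechanically on a capture. The Python below is an added illustration, not code from the thread or from either poster: it parses the RADIUS/EAP framing from RFC 2865 and RFC 3579 and runs over a trace constructed inline to mimic the loop seen in the capture (packet authenticators are zeroed, State values are made up).

```python
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_STATE, ATTR_EAP_MESSAGE, EAP_IDENTITY, EAP_PEAP = 24, 79, 1, 25  # RFC 2865/3579 attrs, EAP types

def parse_radius(pkt: bytes) -> dict:
    """Parse a RADIUS header plus attributes; EAP-Message fragments are re-joined (RFC 3579)."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    eap, state, pos = b"", None, 20                      # attributes follow the 16-byte authenticator
    while pos + 2 <= length:
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed RADIUS attribute")
        if attr_type == ATTR_EAP_MESSAGE:
            eap += pkt[pos + 2:pos + attr_len]
        elif attr_type == ATTR_STATE:
            state = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    eap_code, eap_id = (eap[0], eap[1]) if len(eap) >= 4 else (None, None)
    eap_type = eap[4] if eap_code in (1, 2) and len(eap) > 4 else None  # only Request/Response carry a type
    return {"code": RADIUS_CODES.get(code, code), "state": state,
            "eap_code": eap_code, "eap_id": eap_id, "eap_type": eap_type}

def radius(code, ident, eap_code, eap_id, eap_type, state=b""):
    """Build a minimal RADIUS packet carrying one EAP message (constructed data, authenticator zeroed)."""
    eap = struct.pack("!BBHB", eap_code, eap_id, 5, eap_type)
    attrs = bytes([ATTR_EAP_MESSAGE, len(eap) + 2]) + eap
    if state:
        attrs += bytes([ATTR_STATE, len(state) + 2]) + state
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

def find_stalls(trace):
    """trace: list of (seconds, packet) on the NAS<->IAS leg. A challenge is stalled when the next packet
    is not an Access-Request with the same State and an EAP-Response bearing the challenge's EAP id."""
    stalls, identity_times = [], []
    for i, (t, pkt) in enumerate(trace):
        p = parse_radius(pkt)
        if p["code"] == "Access-Request" and p["eap_type"] == EAP_IDENTITY:
            identity_times.append(t)                    # each Identity response starts a new round
        if p["code"] != "Access-Challenge":
            continue
        nxt = parse_radius(trace[i + 1][1]) if i + 1 < len(trace) else None
        continued = (nxt is not None and nxt["code"] == "Access-Request" and nxt["state"] == p["state"]
                     and nxt["eap_code"] == 2 and nxt["eap_id"] == p["eap_id"])
        if not continued:
            stalls.append({"challenge_eap_id": p["eap_id"],
                           "restart_after_s": trace[i + 1][0] - t if nxt is not None else None})
    # second value: gaps between Identity rounds; a steady 30 s is the supplicant's EAPOL-Start restart
    return stalls, [b - a for a, b in zip(identity_times, identity_times[1:])]

# Constructed trace: in each round the second PEAP challenge is never answered; a fresh round follows 30 s later.
TRACE = [(0.00, radius(1, 1, 2, 0, EAP_IDENTITY)), (0.01, radius(11, 1, 1, 1, EAP_PEAP, b"s1")),
         (0.05, radius(1, 2, 2, 1, EAP_PEAP, b"s1")), (0.06, radius(11, 2, 1, 2, EAP_PEAP, b"s1")),
         (30.06, radius(1, 3, 2, 0, EAP_IDENTITY)), (30.07, radius(11, 3, 1, 1, EAP_PEAP, b"s2")),
         (30.11, radius(1, 4, 2, 1, EAP_PEAP, b"s2")), (30.12, radius(11, 4, 1, 2, EAP_PEAP, b"s2"))]
```

Feeding it the RADIUS packets from a real capture (UDP 1645/1812) shows which challenge the authenticator dropped; a stall reported on every round with a ~30 s restart period is exactly the symptom discussed here.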

Laurent H.

2005-04-07, 7:49 am

"Thomas K" <thomas@kuborn.be> wrote in message news:
425529a9$0$44067$5fc3050@dreader2.news.tiscali.nl...
> Weird...
>
> RADIUS communication breaks after RADIUS/CHALLENGE.
> EAP communication breaks after EAP/RESPONSE.
>
> When IAS sends RADIUS/CHALLENGE, the AP should relay that as EAP/REQUEST to
> the supplicant.
> When the supplicant sends EAP/RESPONSE, the AP should relay that as RADIUS/REQUEST
> to IAS.
>
> There is a loop because the supplicant initiates reauthentication by
> sending an EAPOL/Start packet 30 seconds after it has received no packet
> following the last EAP/RESPONSE it sent...
>
> I suspect something in the authenticator... that for some reason it is not
> relaying the EAP/RESPONSE to IAS...
> Anything you can see inside the authenticator?
>
> /T


Unfortunately no... It is the Linksys WAP54G. I saw lots of people using it
with Windows 2003 IAS. But no one with W2K IAS. And I found the same problem
there:
http://www.tech-archive.net/Archive...04-09/0082.html

I think I will try to install a Windows 2003 IAS. But the problem is: I
have no Windows 2003 up.

I'm angry at Linksys!

Laurent


Thomas K

2005-04-07, 6:05 pm

You could also try to do EAP-TLS instead of PEAP?

"Laurent H." <laurent.news@kally.net> wrote in message
news:42552c3d$0$12187$626a14ce@news.free.fr...
> "Thomas K" <thomas@kuborn.be> wrote in message news:
> 425529a9$0$44067$5fc3050@dreader2.news.tiscali.nl...
>
> Unfortunately no... It is the Linksys WAP54G. I saw lots of people using it
> with Windows 2003 IAS. But no one with W2K IAS. And I found the same
> problem there:
> http://www.tech-archive.net/Archive...04-09/0082.html
>
> I think I will try to install a Windows 2003 IAS. But the problem is: I
> have no Windows 2003 up.
>
> I'm angry at Linksys!
>
> Laurent
>



Laurent H.

2005-04-07, 6:05 pm


"Thomas K" <thomas@kuborn.be> wrote in message news:
42553f8f$0$44074$5fc3050@dreader2.news.tiscali.nl...
> You could also try to do EAP-TLS instead of PEAP?
>


Even if it works, that's really not the purpose...

Anyway, many thanks for your help. I opened a support ticket with Linksys
with all your information; they may help me...

Regards,

Laurent


Laurent H.

2005-04-13, 8:03 am

"Laurent H." <laurent.news@kally.net> wrote
> Hello,
>
> I'm having trouble making my wireless network work with IAS and
> PEAP-MSCHAPv2.
>
> I made all the setup needed:
> Active Directory
> IAS server with a correct certificate trusted by the workstations
> Wireless AP that supports RADIUS (Linksys WAP54G)
>
> My XP client tries to authenticate but stays at that step forever, and IAS
> does not complain about anything (nothing in the event log or in the RADIUS
> log).
>
> If I uncheck "use my logon credentials", it asks me for credentials:
> - If I put in good credentials, it does the same (authenticating forever),
> with no error in the IAS event log
> - If I put in whatever, IAS says that the username is not good and Windows XP
> asks me for new credentials after some time
> - If I put in a good username and a bad password, IAS says that the password
> is bad and XP asks me for a new one.
>
> Do you know what my problem could be?
>
> Regards,
>
> Laurent


Hello,

I successfully connected with a Windows 2003 IAS and a Linksys WAP54G with EU
firmware 2.08, using PEAP-MSCHAPv2.
Clients run Windows XP SP2 and SP1, with Windows wireless profiles or the Intel
PROSet Wireless management software.

The Linksys WAP54G and W2K IAS setup does not work (problem of EAP/CHAP
translation).

Linksys support is not able to solve this problem (no knowledge, silly
questions).

I found on the Internet that some D-Link users have the reverse problem: W2K
IAS works and W2003 IAS does not.

Thanks Thomas K. for the diagnostics.

Regards,

Laurent H.


ysreenu

2005-04-13, 11:41 am

Hi Thomas and Laurent,

I am using a Win2k IAS server.
I am also facing the same problem. What was the solution
or hint that you guys got? Please share with me.

I am unable to break this authentication problem. My station
waits indefinitely in the authentication process. But I did authenticate
with the same IAS server 1 month ago!


Regards,
ysreenu

quote:
Originally posted by Thomas K
You could also get a capture on the XP machine
look for ether proto 0x888e (EAP)


"Laurent H." <laurent.news@kally.net> wrote in message
news:4254fb6d$0$12189$626a14ce@news.free.fr...
>
> "Laurent H." <laurent.news@kally.net> wrote in message news:
> 4254fa86$1$12196$626a14ce@news.free.fr...
>
> Sorry:
>
> File is at http://www.kally.net/capt.cap
>
>


Copyright 2003 - 2008 webservertalk.com