Radius Server - WLAN authentication sometimes fail


waldo6@yahoo.com

2006-09-20, 1:28 pm

I have a problem that I have been struggling with for many days now. I have
set up a wireless network in our office. The configuration looks like this:

* 1 Cisco Aironet 1242 access point
WPA/TKIP
Authenticating with a RADIUS server (IAS) on the same subnet

* 1 Windows Server 2003 R2, Domain Controller and running IAS
Access policy set up using the wizard for wireless access to all within
a specific group
Enabled authentication for MS-CHAP v2 and EAP method PEAP
Selected a valid SSL-wildcard-cert for the server under PEAP-settings
and added EAP-MSCHAP v2 as "EAP Type"
All encryption methods accepted except "No encryption"

* 1 Windows XP SP2 that is not a member of the domain. Wireless configuration,
WPA, TKIP, PEAP and unchecked "use windows default logon"

I set up a connection using Windows Wireless configuration and it works,
I get a pop-up bubble asking for credentials and I can log in. Then I try
to add another user to AD and add it to the group "Wireless users" but he
cannot connect. The IAS log says:

User DOMAIN\johndoe was denied access.
Fully-Qualified-User-Name = DOMAIN.local/MyOu/John Doe
NAS-IP-Address = 192.168.128.210
NAS-Identifier = br01
Called-Station-Identifier = 0014.1b60.8740
Calling-Station-Identifier = 0013.cea3.072f
Client-Friendly-Name = br01
Client-IP-Address = 192.168.128.210
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 516
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless intranet access
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name
or incorrect password was used.

This user can log in to a computer in the domain so there's nothing wrong
with his account. He cannot connect using the wireless connection on my computer,
which worked before with my user, and he cannot connect on another computer.
And a very annoying thing is that I cannot use my normal user to connect
once I have tried to connect with the newly created user account.

And while I'm working on this mess I have a colleague that can connect and
another that cannot connect.

It feels like the problem lies on the IAS side because my PC can connect
with one user but not the other one. All requests go to the IAS server and
get either accepted or rejected. All "invalid" rejections seem to have
the same Reason as above, which is not true. The username exists and the
password is correct.

Any help would be very much appreciated.

/Linus


FenderAxe

2006-09-21, 7:29 pm

waldo6@yahoo.com wrote in
news:a9f8649163318c8aad3516bf76a@news.microsoft.com:

> I have a problem that I have been struggling with for many days now. I
> have set up a wireless network in our office. The configuration looks
> like this:
>
> * 1 Cisco Aironet 1242 access point
> WPA/TKIP
> Authenticating with a RADIUS server (IAS) on the same subnet
>
> * 1 Windows Server 2003 R2, Domain Controller and running IAS
> Access policy set up using the wizard for wireless access to all
> within
> a specific group
> Enabled authentication for MS-CHAP v2 and EAP method PEAP
> Selected a valid SSL-wildcard-cert for the server under
> PEAP-settings
> and added EAP-MSCHAP v2 as "EAP Type"
> All encryption methods accepted except "No encryption"
>
> * 1 Windows XP SP2 that is not a member of the domain. Wireless
> configuration, WPA, TKIP, PEAP and unchecked "use windows default
> logon"
>
> I set up a connection using Windows Wireless configuration and it
> works, I get a pop-up bubble asking for credentials and I can log in.
> Then I try to add another user to AD and add it to the group "Wireless
> users" but he cannot connect. The IAS log says:
>
> User DOMAIN\johndoe was denied access.
> Fully-Qualified-User-Name = DOMAIN.local/MyOu/John Doe
> NAS-IP-Address = 192.168.128.210
> NAS-Identifier = br01
> Called-Station-Identifier = 0014.1b60.8740
> Calling-Station-Identifier = 0013.cea3.072f
> Client-Friendly-Name = br01
> Client-IP-Address = 192.168.128.210
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 516
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Wireless intranet access
> Authentication-Type = PEAP
> EAP-Type = <undetermined>
> Reason-Code = 16
> Reason = Authentication was not successful because an unknown user
> name
> or incorrect password was used.
>
> This user can log in to a computer in the domain so there's nothing
> wrong with his account. He cannot connect using the wireless
> connection on my computer, which worked before with my user, and he
> cannot connect on another computer. And a very annoying thing is that
> I cannot use my normal user to connect once I have tried to connect
> with the newly created user account.
>
> And while I'm working on this mess I have a colleague that can connect
> and another that cannot connect.
>
> It feels like the problem lies on the IAS side because my PC can
> connect with one user but not the other one. All requests go to the
> IAS server and get either accepted or rejected. All "invalid"
> rejections seem to have the same Reason as above, which is not true.
> The username exists and the password is correct.
>
> Any help would be very much appreciated.
>
> /Linus
>
>


The CA cert has to be on the laptop in the Local computer and Current User
cert store -- TRCA folder. Plug the laptops into the wire to get the CA
cert first, then use them wireless. You probably don't have the CA cert on
the laptops so when clients try to authenticate the IAS server with the IAS
server cert they can't.

Try that and report back, k?


Linus

2006-09-22, 7:26 am

Thanks for your reply,

It seems like it is working now. But what I did was to disable server authentication
in the client settings.

My IAS server has two certificates installed, one wildcard certificate from
a trusted root and one from our internal CA. The PEAP settings on the IAS
server were set to use the wildcard certificate and my laptop had both installed
as trusted root CAs.

What I did now was to uncheck "Validate server certificate" on my laptop
and now it seems to work both with my own account and a newly created domain
account.

Any thoughts on this?

/Linus

> waldo6@yahoo.com wrote in
> news:a9f8649163318c8aad3516bf76a@news.microsoft.com:
> The CA cert has to be on the laptop in the Local computer and Current
> User cert store -- TRCA folder. Plug the laptops into the wire to get
> the CA cert first, then use them wireless. You probably don't have the
> CA cert on the laptops so when clients try to authenticate the IAS
> server with the IAS server cert they can't.
>
> Try that and report back, k?
>



FenderAxe

2006-09-26, 1:21 pm

Linus <linus@rotselleri.com> wrote in
news:a9f8649172fa8c8ac504290954c@news.microsoft.com:

> Thanks for you reply,
>
> It seems like it is working now. But what I did was to disable server
> authentication in the client settings.
>
> My IAS server has two certificates installed, one wildcard certificate
> from a trusted root and one from our internal CA. The PEAP settings on
> the IAS server were set to use the wildcard certificate and my laptop
> had both installed as trusted root CAs.
>
> What I did now was to uncheck "Validate server certificate" on my
> laptop and now it seems to work both with my own account and a newly
> created domain account.
>
> Any thoughts on this?
>
> /Linus
>


Hi again --

Thanks for the add'l info.

Disabling server auth is a big security hole, so since you have gone to all
this trouble to set it all up this is one last step that is worthwhile, I
think, getting server auth to work.

I don't know what a wildcard cert is.

But the server cert from your CA -- look up in the Help the minimum server
cert settings and make sure the IAS server cert matches those. Network
access authentication is the topic, it's in IAS help.

The settings are pretty specific, like "Subject name can't be blank" or
something like that. Can't recall right now but it's in the IAS help file.

If clients won't trust the IAS server it's one of two things that I know of
-- the CA cert is not in the TRCA store or the server cert is misconfigured
somehow.

FA
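The advice above amounts to: keep "Validate server certificate" on, name the RADIUS server, and pin the CA, rather than turning validation off. As an added example (not code from anyone in this thread), this small Python script audits a Windows WLAN profile export for exactly those PEAP settings; the two profiles are constructed samples shaped after the PEAP section of `netsh wlan export profile` output, the server name and CA thumbprint are placeholders, and the parser matches on local element names so namespace details are ignored.

```python
# Audit a Windows WLAN profile export for the PEAP server-validation settings
# discussed above. Matches on local element names so namespaces don't matter.
import xml.etree.ElementTree as ET

# Constructed samples shaped after the PEAP section of `netsh wlan export profile`
# output; the server name and CA thumbprint are placeholders, not real values.
WEAK_PROFILE = """<WLANProfile><name>office-wlan</name><MSM><security><OneX>
<EAPConfig><EapHostConfig><EapMethod><Type>25</Type></EapMethod><Config>
<Eap><Type>25</Type><EapType>
  <ServerValidation><ServerNames></ServerNames></ServerValidation>
  <PeapExtensions><PerformServerValidation>false</PerformServerValidation>
  </PeapExtensions>
</EapType></Eap></Config></EapHostConfig></EAPConfig>
</OneX></security></MSM></WLANProfile>"""

HARDENED_PROFILE = """<WLANProfile><name>office-wlan</name><MSM><security><OneX>
<EAPConfig><EapHostConfig><EapMethod><Type>25</Type></EapMethod><Config>
<Eap><Type>25</Type><EapType>
  <ServerValidation>
    <ServerNames>ias01.example.local</ServerNames>
    <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
  </ServerValidation>
  <PeapExtensions><PerformServerValidation>true</PerformServerValidation>
  </PeapExtensions>
</EapType></Eap></Config></EapHostConfig></EAPConfig>
</OneX></security></MSM></WLANProfile>"""

def _first(root, name):
    """First element whose namespace-stripped tag equals name, else None."""
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def _text(root, name, default=""):
    el = _first(root, name)
    return (el.text or "").strip() if el is not None else default

def audit_peap_profile(xml_text):
    """Return findings that would let the client accept an untrusted RADIUS server."""
    root = ET.fromstring(xml_text)
    if _text(root, "Type") != "25":          # EAP method type 25 = PEAP
        return ["not a PEAP profile"]
    findings = []
    # A missing PerformServerValidation element is treated as validation on (assumption).
    if _text(root, "PerformServerValidation", "true").lower() != "true":
        findings.append("server certificate validation disabled")
    if not _text(root, "ServerNames"):
        findings.append("no RADIUS server name restriction")
    if _first(root, "TrustedRootCA") is None:
        findings.append("no trusted root CA pinned; any CA in the trusted store is accepted")
    return findings

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_profile(xml) or ["ok"])
```

Run it against `netsh wlan export profile name="..." folder=.` output to see whether a client profile has drifted back to the unvalidated state described in the thread.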

Copyright 2003 - 2008 webservertalk.com