Re: PEAP authentication with Windows 2003 unreliable

From: Mudit Goel [MSFT] (mgoel_at_online.microsoft.com)
Date: 04/23/04


Date: Fri, 23 Apr 2004 13:45:57 -0700

Hi Brian -

Are you using wireless authentication or wired?

The particular behavior that you are seeing is related to a bug which gets
exposed in certain cases. One such situation is when you have fast reconnect
enabled. The very first time a user tries to authenticate after a reboot,
since there is no state, fast reconnect fails. However it does not
automatically fall back to full authentication unless another authentication
is attempted. Probably in your case the AP does not try to reauthenticate
until a couple of minutes later.

This has been identified as a bug and there will be a fix for this bug in
xpsp2 and server sp1.

I am not really sure as to what mitigation technique I can suggest - as that
depends on your AP and patches on the client. For instance, in your case,
this bug was probably exposed by a wireless patch installed on top of xpsp1.

Thanks,
Mudit

-- 
__________________________________________________________
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________________________________
"Brian" <anonymous@discussions.microsoft.com> wrote in message
news:15D6CCF2-57D0-4FB3-AE6B-1075658BD193@microsoft.com...
> Hello,
>
> I am running a Windows 2003 DC with CA and IAS installed. I have
> configured autoenrollment through group policies and everything seems to be
> configured properly. I have 2 test PCs (Windows XP SP1) and a number of
> test users all with Allow Remote Access on the Dial in Tab.
>
> The problem is that very frequently authentication isn't successful. It is
> with no particular user or computer and eventually after the user logs on
> and authentication is unsuccessful the user successfully authenticates after
> a couple of minutes. I do notice this error in the rastls log.
>
> "[3224] 16:43:39:937: Error getting cookie for a reconnected session. Failing auth"
>
> Thanks for any help.
>
> - Brian
>
>
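
Added example, not part of the original thread and not Microsoft code: a Python scan of rastls trace text for the cookie error quoted above, reporting how long each failure sat before the next trace line appeared, as a rough measure of the reauthentication delay described in the reply. The line layout is inferred from the single quoted line; the sample log and the reading of the next trace line as the next authentication attempt are assumptions.

```python
import re
from datetime import timedelta

# Layout inferred from the single trace line quoted in the post:
#   [3224] 16:43:39:937: Error getting cookie for a reconnected session. Failing auth
LINE_RE = re.compile(r"^\[(\d+)\] (\d{2}):(\d{2}):(\d{2}):(\d{3}): (.*)$")
COOKIE_FAILURE = "Error getting cookie for a reconnected session"

# Constructed sample: only the cookie-error text comes from the post.
SAMPLE_LOG = """\
[3224] 16:43:39:937: Error getting cookie for a reconnected session.
Failing auth
[3224] 16:45:51:120: (constructed placeholder for the next trace line)
[3180] 23:59:30:000: Error getting cookie for a reconnected session. Failing auth
[3180] 00:01:10:500: (constructed placeholder for the next trace line)
"""

def parse(log_text):
    """Parse trace lines; a line without the [tid] time prefix continues the previous message."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            tid, h, mi, s, ms, msg = m.groups()
            t = timedelta(hours=int(h), minutes=int(mi), seconds=int(s), milliseconds=int(ms))
            entries.append([int(tid), t, msg])
        elif line and entries:
            entries[-1][2] += " " + line
    return entries

def cookie_failures(log_text):
    """List each fast-reconnect cookie failure with the seconds elapsed until
    the next trace line (assumption: that line is the next auth attempt)."""
    entries = parse(log_text)
    report = []
    for i, (tid, t, msg) in enumerate(entries):
        if COOKIE_FAILURE not in msg:
            continue
        gap = None  # stays None when the failure is the last line in the log
        if i + 1 < len(entries):
            delta = entries[i + 1][1] - t
            if delta < timedelta(0):  # timestamps carry no date; midnight wrap
                delta += timedelta(days=1)
            gap = delta.total_seconds()
        report.append({"thread": tid, "message": msg, "retry_gap_s": gap})
    return report

if __name__ == "__main__": print(cookie_failures(SAMPLE_LOG))
```

Gaps of a couple of minutes that recur after each reboot match the pattern described in the reply; the trace timestamps carry no date, so gaps longer than a day cannot be measured this way.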

