Re: Why IAS get stuck on authenticating PEAP (MS-CHAP2) clients

From: Sudhakar Pasupuleti [MSFT] (sudpas_at_online.microsoft.com)
Date: 02/16/05


Date: Tue, 15 Feb 2005 17:39:07 -0800

Velio Ivanov, is that all in the iassam.log? If so, that means the server
processed the request and sent a message for which it expects a response. It
could be that the packet somehow did not reach the client or the client decided
not to respond. To understand how PEAP processed the request, please paste
rastls.log and raschap.log from the server.

Also, please check rastls.log, raschap.log on the client side after enabling
tracing.

Thanks,
Sudhakar

"Velio Ivanov" <v.ivanov@cwn-berlin.com> wrote in message
news:OXcHRVCEFHA.2572@tk2msftngp13.phx.gbl...
> Hi there,
>
> We are trying to implement PEAP (MS-CHAP2) security authentication using IAS
> on Win 2003 (Enterprise Edition), Win XP clients and a Cisco 1200 Aironet.
>
> On Win 2003 we have DNS, AD, CA and IAS (RADIUS). We don't use
> DHCP because our clients have public, static IPs.
>
> When we try to connect to the network we are constantly stuck on the
> Authentication process. There is no log in the Win 2003 Event Log - neither
> success, nor failure.
>
> We have enabled RAS tracing to get more information, but it is still not
> clear what is wrong. It seems like IAS has authenticated the user and a
> session has been created, but at that point authentication gets stuck.
>
> Any help will be greatly appreciated!
>
> Here is some sequence from the iassam log file (blank lines between are for
> convenience):
>
> [3068] 02-11 10:55:20:109: NT-SAM Names handler received request with user
> identity adam.smith.
> [3068] 02-11 10:55:20:109: Prepending default domain.
> [3068] 02-11 10:55:20:109: NameMapper::prependDefaultDomain
> [3068] 02-11 10:55:20:109: SAM-Account-Name is "MyDomain\MyUser".
> [3068] 02-11 10:55:20:109: NT-SAM Authentication handler received request
> for MyDomain\MyUser.
> [3068] 02-11 10:55:20:109: Validating Windows account MyDomain\MyUser.
> [3068] 02-11 10:55:20:109: Sending LDAP search to MyComputer.MyDomain.com.
> [3068] 02-11 10:55:20:109: Successfully validated account.
> [3068] 02-11 10:55:20:109: NT-SAM EAP handler received request.
> [3068] 02-11 10:55:20:109: No State attribute present. Creating new
> session.
> [3068] 02-11 10:55:20:109: Allowed EAP type: 25
> [3068] 02-11 10:55:20:109: Successfully created new EAP session for user
> MyDomain\MyUser.
> [3068] 02-11 10:55:20:109: Setting max. packet length to 1396.
> [3068] 02-11 10:55:20:125: Processing output from EAP DLL.
> [3068] 02-11 10:55:20:125: Inserting outbound EAP-Message of length 6.
> [3068] 02-11 10:55:20:125: Issuing Access-Challenge.
>
> [396] 02-11 10:55:24:203: NT-SAM Names handler received request with user
> identity adam.smith.
> [396] 02-11 10:55:24:203: Prepending default domain.
> [396] 02-11 10:55:24:203: NameMapper::prependDefaultDomain
> [396] 02-11 10:55:24:203: SAM-Account-Name is "MyDomain\MyUser".
> [396] 02-11 10:55:24:203: NT-SAM Authentication handler received request
> for
> MyDomain\MyUser.
> [396] 02-11 10:55:24:203: Validating Windows account MyDomain\MyUser.
> [396] 02-11 10:55:24:203: Sending LDAP search to MyComputer.MyDomain.com.
> [396] 02-11 10:55:24:203: Successfully validated account.
> [396] 02-11 10:55:24:203: NT-SAM EAP handler received request.
> [396] 02-11 10:55:24:203: No State attribute present. Creating new
> session.
> [396] 02-11 10:55:24:203: Allowed EAP type: 25
> [396] 02-11 10:55:24:203: Successfully created new EAP session for user
> MyDomain\MyUser.
> [396] 02-11 10:55:24:203: Setting max. packet length to 1396.
> [396] 02-11 10:55:24:218: Processing output from EAP DLL.
> [396] 02-11 10:55:24:218: Inserting outbound EAP-Message of length 6.
> [396] 02-11 10:55:24:218: Issuing Access-Challenge.
>
> [3068] 02-11 10:55:28:359: NT-SAM Names handler received request with user
> identity adam.smith.
> [3068] 02-11 10:55:28:359: Prepending default domain.
> [3068] 02-11 10:55:28:359: NameMapper::prependDefaultDomain
> [3068] 02-11 10:55:28:359: SAM-Account-Name is "MyDomain\MyUser".
> [3068] 02-11 10:55:28:359: NT-SAM Authentication handler received request
> for MyDomain\MyUser.
> [3068] 02-11 10:55:28:359: Validating Windows account MyDomain\MyUser.
> [3068] 02-11 10:55:28:359: Sending LDAP search to MyComputer.MyDomain.com.
> [3068] 02-11 10:55:28:375: Successfully validated account.
> [3068] 02-11 10:55:28:375: NT-SAM EAP handler received request.
> [3068] 02-11 10:55:28:375: No State attribute present. Creating new
> session.
> [3068] 02-11 10:55:28:375: Allowed EAP type: 25
> [3068] 02-11 10:55:28:375: Successfully created new EAP session for user
> MyDomain\MyUser.
> [3068] 02-11 10:55:28:375: Setting max. packet length to 1396.
> [3068] 02-11 10:55:28:375: Processing output from EAP DLL.
> [3068] 02-11 10:55:28:375: Inserting outbound EAP-Message of length 6.
> [3068] 02-11 10:55:28:375: Issuing Access-Challenge.
>
>
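As an added example (not code from the thread or from Microsoft), here is a small Python checker for the pattern discussed above: it reads iassam.log-style lines and flags identities for which IAS issued an Access-Challenge and the next request arrived without a State attribute, so IAS created a fresh EAP session instead of continuing the conversation. The sample log and the `jane.doe` healthy case are constructed, modelled on the excerpt quoted above; the regexes assume the line layout shown there.

```python
import re

# Constructed sample, modelled on the iassam.log excerpt quoted in the thread (not the original file).
SAMPLE_LOG = """\
[3068] 02-11 10:55:20:109: NT-SAM Names handler received request with user identity adam.smith.
[3068] 02-11 10:55:20:109: No State attribute present. Creating new session.
[3068] 02-11 10:55:20:125: Issuing Access-Challenge.
[396] 02-11 10:55:24:203: NT-SAM Names handler received request with user identity adam.smith.
[396] 02-11 10:55:24:203: No State attribute present. Creating new session.
[396] 02-11 10:55:24:218: Issuing Access-Challenge.
[3068] 02-11 10:55:28:359: NT-SAM Names handler received request with user identity adam.smith.
[3068] 02-11 10:55:28:375: No State attribute present. Creating new session.
[3068] 02-11 10:55:28:375: Issuing Access-Challenge.
[3068] 02-11 10:56:01:000: NT-SAM Names handler received request with user identity jane.doe.
[3068] 02-11 10:56:01:000: No State attribute present. Creating new session.
[3068] 02-11 10:56:01:010: Issuing Access-Challenge.
[3068] 02-11 10:56:01:250: NT-SAM Names handler received request with user identity jane.doe.
[3068] 02-11 10:56:01:260: Issuing Access-Challenge.
"""

LINE_RE = re.compile(r"^\[(\d+)\] (\d\d)-(\d\d) (\d\d):(\d\d):(\d\d):(\d{3}): (.*)$")
IDENTITY_RE = re.compile(r"received request with user identity (.+?)\.?$")

def parse_line(line):
    """Return (thread_id, seconds, message) or None for lines that are not iassam.log records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    thread, _mon, day, hh, mm, ss, ms, msg = m.groups()
    return thread, int(day) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss) + int(ms) / 1000, msg

def find_stalled_conversations(text, window=10.0, min_restarts=2):
    """Identities whose EAP conversation keeps restarting: IAS issued Access-Challenge, and the
    next request within `window` seconds had no State attribute, so a fresh session was created."""
    by_thread, challenge_at, restarts = {}, {}, {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        thread, t, msg = rec
        ident = IDENTITY_RE.search(msg)
        if ident:                      # a new RADIUS request on this IAS worker thread
            by_thread[thread] = ident.group(1)
            continue
        user = by_thread.get(thread)   # identity the thread is currently processing
        if user and msg.startswith("No State attribute present"):
            last = challenge_at.get(user)
            if last is not None and t - last <= window:
                restarts[user] = restarts.get(user, 0) + 1
        elif user and msg.startswith("Issuing Access-Challenge"):
            challenge_at[user] = t
    return {u: n for u, n in restarts.items() if n >= min_restarts}
```

A non-empty result points at a client (or an access point in between) that never answers the challenge, which is where rastls.log and raschap.log on both sides come in.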