Re: Authenticate Computer account using PEAP MS-CHAPv2 on IAS 2k
- From: "Roly Dee" <RolyDee@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 15 Jun 2005 11:49:13 -0700
Hi James
Thanks for replying! I will answer your last question first.
PKI is done in-house, using a test root CA. IAS has a valid cert from the
CA, and clients have the root CA cert installed in the Local Computer Trusted
Root store. The PKI setup is validated by the fact that users are able to
authenticate using PEAP MS-CHAPv2 without any issue.
Regarding the Event Log, there are no entries regarding the machine
authentication. This confused me a bit, but after a bit of searching, I
enabled the IASSAM log and noticed that the IAS challenge seemed to go
unanswered at a certain point.
I have included a section of the log below (SP-TSG-L2941 is the machine
name; ADP-ES.CO.UK is our NT4 domain name). I have also included a snippet
after this which shows entries for a user account that completes EAP
authentication.
Have you got any pointers to find out what the attributes being 'inserted'
are? Are they RADIUS attributes?
Thanks again
[1380] 18:40:25:771: NT-SAM Names handler received request with user
identity host/SP-TSG-L2941.
[1380] 18:40:25:771: Stripped realm: ADP-ES.CO.UK\SP-TSG-L2941$
[1380] 18:40:25:771: Username is already an NT4 account name.
[1380] 18:40:25:771: SAM-Account-Name is "ADP-ES.CO.UK\SP-TSG-L2941$".
[1380] 18:40:25:771: NT-SAM Authentication handler received request for
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:25:771: No SAM credentials found. Checking account restrictions
and computing groups manually.
[1380] 18:40:25:771: DS not installed for domain ADP-ES.CO.UK.
[1380] 18:40:25:771: Using downlevel APIs to process account.
[1380] 18:40:25:771: Using cached SAM connection.
[1380] 18:40:25:781: Successfully processed account.
[1380] 18:40:25:781: NT-SAM EAP handler received request.
[1380] 18:40:25:781: No State attribute present. Creating new session.
[1380] 18:40:25:781: Successfully created new session for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:25:791: Setting max. packet length to 1396.
[1380] 18:40:25:791: Processing output from EAP DLL.
[1380] 18:40:25:791: Inserting outbound EAP-Message of length 6.
[1380] 18:40:25:791: Issuing Access-Challenge.
[1820] 18:40:25:921: NT-SAM EAP handler received request.
[1820] 18:40:25:921: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1820] 18:40:25:931: Processing output from EAP DLL.
[1820] 18:40:25:931: Inserting outbound EAP-Message of length 1396.
[1820] 18:40:25:931: Issuing Access-Challenge.
[1380] 18:40:25:931: NT-SAM EAP handler received request.
[1380] 18:40:25:931: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:25:941: Processing output from EAP DLL.
[1380] 18:40:25:941: Inserting outbound EAP-Message of length 1396.
[1380] 18:40:25:941: Issuing Access-Challenge.
[1820] 18:40:25:951: NT-SAM EAP handler received request.
[1820] 18:40:25:951: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1820] 18:40:25:951: Processing output from EAP DLL.
[1820] 18:40:25:951: Inserting outbound EAP-Message of length 1396.
[1820] 18:40:25:951: Issuing Access-Challenge.
[1380] 18:40:25:951: NT-SAM EAP handler received request.
[1380] 18:40:25:951: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:25:951: Processing output from EAP DLL.
[1380] 18:40:25:951: Inserting outbound EAP-Message of length 1396.
[1380] 18:40:25:951: Issuing Access-Challenge.
[1820] 18:40:25:961: NT-SAM EAP handler received request.
[1820] 18:40:25:961: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1820] 18:40:25:961: Processing output from EAP DLL.
[1820] 18:40:25:961: Inserting outbound EAP-Message of length 1396.
[1820] 18:40:25:961: Issuing Access-Challenge.
[1380] 18:40:25:971: NT-SAM EAP handler received request.
[1380] 18:40:25:971: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:25:971: Processing output from EAP DLL.
[1380] 18:40:25:971: Inserting outbound EAP-Message of length 1396.
[1380] 18:40:25:971: Issuing Access-Challenge.
[1820] 18:40:25:981: NT-SAM EAP handler received request.
[1820] 18:40:25:981: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1820] 18:40:25:981: Processing output from EAP DLL.
[1820] 18:40:25:981: Inserting outbound EAP-Message of length 1396.
[1820] 18:40:25:981: Issuing Access-Challenge.
[1380] 18:40:25:991: NT-SAM EAP handler received request.
[1380] 18:40:25:991: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:25:991: Processing output from EAP DLL.
[1380] 18:40:25:991: Inserting outbound EAP-Message of length 1051.
[1380] 18:40:25:991: Issuing Access-Challenge.
[1820] 18:40:26:001: NT-SAM EAP handler received request.
[1820] 18:40:26:001: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1820] 18:40:26:011: Processing output from EAP DLL.
[1820] 18:40:26:011: Inserting outbound EAP-Message of length 53.
[1820] 18:40:26:011: Issuing Access-Challenge.
[1380] 18:40:26:011: NT-SAM EAP handler received request.
[1380] 18:40:26:011: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:26:021: Processing output from EAP DLL.
[1380] 18:40:26:021: Inserting outbound EAP-Message of length 28.
[1380] 18:40:26:021: Issuing Access-Challenge.
[1820] 18:40:26:021: NT-SAM EAP handler received request.
[1820] 18:40:26:021: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1820] 18:40:26:031: Processing output from EAP DLL.
[1820] 18:40:26:031: Inserting outbound EAP-Message of length 56.
[1820] 18:40:26:031: Issuing Access-Challenge.
[1380] 18:40:26:031: NT-SAM EAP handler received request.
[1380] 18:40:26:031: Successfully retrieved session state for user
ADP-ES.CO.UK\SP-TSG-L2941$.
[1380] 18:40:26:041: Processing output from EAP DLL.
[1380] 18:40:26:041: Translating attributes returned by EAP DLL.
[1380] 18:40:26:041: Inserting attribute 1
[1380] 18:40:26:041: Inserting attribute 26
[1380] 18:40:26:041: Inserting attribute 26
[1380] 18:40:26:041: Inserting outbound EAP-Message of length 80.
[1380] 18:40:26:041: Issuing Access-Challenge.
No further response for machine authentication. For user authentication,
same entries in the log, followed by this:
[632] 18:55:21:413: NT-SAM EAP handler received request.
[632] 18:55:21:413: Successfully retrieved session state for user
ADP-ES.CO.UK\rs5189.
[632] 18:55:21:413: Processing output from EAP DLL.
[632] 18:55:21:413: Translating attributes returned by EAP DLL.
[632] 18:55:21:413: Inserting attribute 26
[632] 18:55:21:413: Inserting attribute 26
[632] 18:55:21:413: Inserting attribute 26
[632] 18:55:21:413: Inserting attribute 26
[632] 18:55:21:413: Inserting outbound EAP-Message of length 38.
[632] 18:55:21:413: Issuing Access-Challenge.
[632] 18:55:21:413: NT-SAM EAP handler received request.
[632] 18:55:21:413: Successfully retrieved session state for user
ADP-ES.CO.UK\rs5189.
[632] 18:55:21:413: Processing output from EAP DLL.
[632] 18:55:21:413: Inserting outbound EAP-Message of length 4.
[632] 18:55:21:413: Translating attributes returned by EAP DLL.
[632] 18:55:21:413: Inserting attribute 26
[632] 18:55:21:413: Inserting attribute 26
[632] 18:55:21:413: EAP authentication succeeded.
"James McIllece [MS]" wrote:
>
> Hi there --
>
> What kinds of IAS messages are being recorded in the event log?
>
> Also, do you have clients configured to validate the server certificate?
> Did you deploy a PKI or are you using a Verisign or other cert?
>
> Thanks for any additional info you can provide.
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
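An added example, not part of the original post or of IAS: a small Python parser for IASSAM trace lines in the format quoted above. It groups records by account and reports whether each EAP conversation ends in success or on an Access-Challenge with no further request. The sample lines and account names are constructed, and reading the logged attribute numbers as RADIUS attribute types (RFC 2865) is an assumption.

```python
import re

LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d\d\d): (.*)$")
USER = re.compile(r"session(?: state)? for user (\S+?)\.?$")
ATTR = re.compile(r"Inserting attribute (\d+)")
RADIUS_NAMES = {1: "User-Name", 26: "Vendor-Specific"}  # assumption: RADIUS types, RFC 2865
# Constructed sample in the quoted trace format, wrapped the way the mail wrapped it.
SAMPLE = r"""[1380] 18:40:26:031: Successfully retrieved session state for user
EXAMPLE\HOST01$.
[1380] 18:40:26:041: Inserting attribute 1
[1380] 18:40:26:041: Inserting attribute 26
[1380] 18:40:26:041: Issuing Access-Challenge.
[632] 18:55:21:413: Successfully retrieved session state for user
EXAMPLE\user01.
[632] 18:55:21:413: Inserting attribute 26
[632] 18:55:21:413: EAP authentication succeeded.
"""

def unwrap(text):
    """Re-join records that were wrapped onto a continuation line."""
    records = []
    for raw in filter(None, map(str.strip, text.splitlines())):
        if LINE.match(raw) or not records:
            records.append(raw)
        else:
            records[-1] += " " + raw
    return records

def summarize(text):
    """Per account: challenges issued, attributes inserted, how the trace ends."""
    current, sessions = {}, {}   # current: thread id -> account being handled
    for tid, stamp, msg in (m.groups() for m in map(LINE.match, unwrap(text)) if m):
        user = USER.search(msg)
        if user:
            current[tid] = user.group(1)
        s = sessions.setdefault(current.get(tid, "(unattributed)"),
                                {"challenges": 0, "attributes": [], "outcome": "in progress"})
        attr = ATTR.search(msg)
        if attr:
            s["attributes"].append(int(attr.group(1)))
        elif msg.startswith("Issuing Access-Challenge"):
            s["challenges"] += 1
            s["outcome"], s["at"] = "no reply to last Access-Challenge", stamp
        elif "EAP authentication succeeded" in msg:
            s["outcome"], s["at"] = "succeeded", stamp
    return sessions

if __name__ == "__main__":
    for account, s in summarize(SAMPLE).items():
        print(account, s["outcome"], [RADIUS_NAMES.get(n, n) for n in s["attributes"]])
```

An account whose outcome stays at the Access-Challenge state, with `at` holding the time of that last challenge, is the pattern the post describes for the machine account.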