Re: PEAP Authentication Fails



Hi, Erik:

It appeared to me that the supplicant decided to disconnect. From PEAP's
point of view, everything runs fine. This is what I found from the end of
the EAPOL log:
--------------------------------------------------------------------------------------------
[1268] 16:11:02: Information: LocalMac:[00-0B-FD-60-5D-06]
RemoteMac:[00-02-8A-21-12-C2] SSID:[airborne]
Message: [EAPOL State Transition: [AUTHENTICATING] to [AUTHENTICATING] ]
Details[EAP-Identity:[STARREN\etamminga]
State:[AUTHENTICATING]
Authentication type:[User]
Authentication mode:[1]
EAP-Type:[25]
Fail count:[0]
]
[2096] 16:11:03: Information: LocalMac:[00-0B-FD-60-5D-06]
RemoteMac:[00-00-00-00-00-00] SSID:[]
Message: [EAPOL State Transition: [LOGOFF] to [DISCONNECTED] ]
Details[EAP-Identity:[(null)]
State:[LOGOFF]
Authentication type:[Guest]
Authentication mode:[1]
EAP-Type:[25]
Fail count:[0]
]
[2236] 16:11:04: Information: LocalMac:[00-0B-FD-60-5D-06]
RemoteMac:[00-00-00-00-00-00] SSID:[]
Message: [EAPOL State Transition: [LOGOFF] to [DISCONNECTED] ]
Details[EAP-Identity:[(null)]
State:[LOGOFF]
Authentication type:[Guest]
Authentication mode:[1]
EAP-Type:[25]
Fail count:[0]
]
--------------------------------------------------------------------------------------------

And this is what I found from the end of rastls log:
--------------------------------------------------------------------------------------------
[1268] 16:11:02:248: TLS session fast reconnected
[1268] 16:11:02:248: PeapCheckCookie
[1268] 16:11:02:248: CreatePEAPTLVStatusMessage
[1268] 16:11:02:248: PeapEncryptTunnelData
[1268] 16:11:02:248: PeapEncryptTunnelData completed with status 0x0
[1268] 16:11:02:248: EapPeapCMakeMessage done
[1268] 16:11:02:248: EapPeapMakeMessage done
[2100] 16:11:02:638: EapPeapEnd
[2100] 16:11:02:638: EapTlsEnd
[2100] 16:11:02:638: EapTlsEnd(starren\etamminga)
[2100] 16:11:02:638: EapPeapEnd done
--------------------------------------------------------------------------------------------

You were trying to do a fast reconnect here.

First try to see if both server and client are configured to allow fast
reconnect. If this is the case, then I strongly suspect that there is
something wrong with the connection instead of PEAP authentication. Look at
the EAPOL log: it says "disconnected" and the remote MAC is all 0. And for
the RasTls log, after "TLS session fast reconnected", it expected a
success/failure packet but never received one. (Because if it did, the logs
would show it.) Instead, EapPeapEnd is called by the supplicant. I think it
is because the connection is disconnected so the supplicant called
EapPeapEnd.

Let me know if you need more help.

If you want to get more information from EAPOL log, you may want to ask this
newsgroup:
microsoft.public.windows.networking.wireless

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm.

Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
====================================
"msnews.microsoft.com" <kire@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eqnyxYvhFHA.2916@xxxxxxxxxxxxxxxxxxxxxxx
> Hi,
>
> We use a Cisco environment with Windows 2000 Clients (+ 802.1x
> supplicant).
> The supplicant authenticates to our ACS radius server which ACS accepts.
> We see that the client states to be "authenticated".
> Now, 1-3 seconds later, the client starts reauthentication which our ACS
> accepts again, but the client does not.
>
> I've enabled "netsh ras set tracing * en" on the client which resulted in
> the following output (see weblink)
>
> Can anybody tell me what's going on and why we've got these failures?
>
> Regards,
>
> Erik Tamminga
> etamminga@xxxxxxxxxxx
>
> See http://www.etamminga.nl/8021x for the netsh generated log files.
>
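
Added example, not part of the original thread or of any Microsoft tool: a short Python sketch of the correlation made in the reply above. It lines up a "TLS session fast reconnected" / EapPeapEnd pair in the rastls trace with an EAPOL transition to DISCONNECTED whose RemoteMac is all zeros. The function names and the 2-second window are assumptions, and the sample input is a subset of the lines from the two excerpts in the post.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: a subset of the lines from the two excerpts in the post.
RASTLS = """\
[1268] 16:11:02:248: TLS session fast reconnected
[1268] 16:11:02:248: PeapCheckCookie
[1268] 16:11:02:248: EapPeapMakeMessage done
[2100] 16:11:02:638: EapPeapEnd
[2100] 16:11:02:638: EapPeapEnd done
"""
EAPOL = """\
[1268] 16:11:02: Information: LocalMac:[00-0B-FD-60-5D-06]
RemoteMac:[00-02-8A-21-12-C2] SSID:[airborne]
Message: [EAPOL State Transition: [AUTHENTICATING] to [AUTHENTICATING] ]
[2096] 16:11:03: Information: LocalMac:[00-0B-FD-60-5D-06]
RemoteMac:[00-00-00-00-00-00] SSID:[]
Message: [EAPOL State Transition: [LOGOFF] to [DISCONNECTED] ]
"""

RASTLS_RE = re.compile(r"^\[\d+\] (\d\d:\d\d:\d\d):(\d{3}): (.*)$", re.M)
EAPOL_RE = re.compile(
    r"^\[\d+\] (\d\d:\d\d:\d\d): .*\n"
    r"RemoteMac:\[([0-9A-Fa-f-]+)\].*\n"
    r"Message: \[EAPOL State Transition: \[\w+\] to \[(\w+)\] \]", re.M)

def _t(hms, ms="000"):
    return datetime.strptime(f"{hms}.{ms}", "%H:%M:%S.%f")

def rastls_events(text):
    return [(_t(hms, ms), msg) for hms, ms, msg in RASTLS_RE.findall(text)]

def link_drops(text):
    """Times of EAPOL transitions to DISCONNECTED with an all-zero RemoteMac."""
    return [_t(hms) for hms, mac, new in EAPOL_RE.findall(text)
            if new == "DISCONNECTED" and set(mac) <= {"0", "-"}]

def abandoned_fast_reconnects(rastls, eapol, window=timedelta(seconds=2)):
    """Fast reconnects ended by EapPeapEnd with a link drop within `window`."""
    events, drops, findings = rastls_events(rastls), link_drops(eapol), []
    for i, (start, msg) in enumerate(events):
        ends = [j for j in range(i + 1, len(events)) if events[j][1] == "EapPeapEnd"]
        if msg != "TLS session fast reconnected" or not ends:
            continue
        end = events[ends[0]][0]
        between = [m for _, m in events[i + 1:ends[0]]]
        if any(abs(d - end) <= window for d in drops):
            findings.append({"reconnect": start, "ended": end, "between": between})
    return findings
```

Each finding lists the trace lines logged between the fast reconnect and EapPeapEnd, so the reader can confirm that no result was recorded before the session was torn down.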

