Re: PEAP Authentication Fails
- From: "Wei Zheng [MSFT]" <weizheng@xxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 16 Jul 2005 01:52:46 -0700
What is your RADIUS server? Microsoft IAS? IAS server definitely has a
checkbox for fast reconnect. Please do check that.
However, I suspect that this is the issue, because if the IAS server doesn't
allow fast reconnect, it should fall back to a full authentication.
Your EAPOL log clearly shows that "disconnect", and when they disconnect, they
will call PEAP to end the session. The EAPOL and RASTLS logs confirm each
other regarding this. The disconnect may not be caused by a wireless
connectivity issue, though.
If you use an IAS server, you can post the server side RASTLS log, and please
also provide the event log (each PEAP authentication request should generate
an event log, unless for some reason it terminated before the event log is
generated, which is a rare case).
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm.
Please do not send e-mail directly to this alias.
This alias is for newsgroup purposes only.
====================================
"Erik Tamminga" <thisiskept@xxxxxxxxxxx> wrote in message
news:dbadsv$8fq$1@xxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi Wei,
>
> The laptop is positioned only 3-4 meters from the access point (Cisco
> Aironet 1100). We have a user at another location using another Aironet
> 1100 using the same config and radius server. So I doubt it's a wireless
> connectivity issue. I'll look into the fast-reconnect thing. To my
> understanding this is optional, to the supplicant to decide whether to use
> it or not. The supplicant is the standard Windows 2000-SP4/XP-SP2
> supplicant.
>
> I'll get back with more logs / details.
>
> Erik
>
> "Wei Zheng [MSFT]" <weizheng@xxxxxxxxxxxxxxxxxxxx> wrote in message
> news:uI6XtXZiFHA.576@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi, Erik:
>>
>> It appeared to me that the supplicant decided to disconnect. From PEAP's
>> point of view, everything runs fine. This is what I found from the end of
>> the EAPOL log:
>> --------------------------------------------------------------------------------------------
>> [1268] 16:11:02: Information: LocalMac:[00-0B-FD-60-5D-06]
>> RemoteMac:[00-02-8A-21-12-C2] SSID:[airborne]
>> Message: [EAPOL State Transition: [AUTHENTICATING] to [AUTHENTICATING] ]
>> Details[EAP-Identity:[STARREN\etamminga]
>> State:[AUTHENTICATING]
>> Authentication type:[User]
>> Authentication mode:[1]
>> EAP-Type:[25]
>> Fail count:[0]
>> ]
>> [2096] 16:11:03: Information: LocalMac:[00-0B-FD-60-5D-06]
>> RemoteMac:[00-00-00-00-00-00] SSID:[]
>> Message: [EAPOL State Transition: [LOGOFF] to [DISCONNECTED] ]
>> Details[EAP-Identity:[(null)]
>> State:[LOGOFF]
>> Authentication type:[Guest]
>> Authentication mode:[1]
>> EAP-Type:[25]
>> Fail count:[0]
>> ]
>> [2236] 16:11:04: Information: LocalMac:[00-0B-FD-60-5D-06]
>> RemoteMac:[00-00-00-00-00-00] SSID:[]
>> Message: [EAPOL State Transition: [LOGOFF] to [DISCONNECTED] ]
>> Details[EAP-Identity:[(null)]
>> State:[LOGOFF]
>> Authentication type:[Guest]
>> Authentication mode:[1]
>> EAP-Type:[25]
>> Fail count:[0]
>> ]
>> --------------------------------------------------------------------------------------------
>>
>> And this is what I found from the end of rastls log:
>> --------------------------------------------------------------------------------------------
>> [1268] 16:11:02:248: TLS session fast reconnected
>> [1268] 16:11:02:248: PeapCheckCookie
>> [1268] 16:11:02:248: CreatePEAPTLVStatusMessage
>> [1268] 16:11:02:248: PeapEncryptTunnelData
>> [1268] 16:11:02:248: PeapEncryptTunnelData completed with status 0x0
>> [1268] 16:11:02:248: EapPeapCMakeMessage done
>> [1268] 16:11:02:248: EapPeapMakeMessage done
>> [2100] 16:11:02:638: EapPeapEnd
>> [2100] 16:11:02:638: EapTlsEnd
>> [2100] 16:11:02:638: EapTlsEnd(starren\etamminga)
>> [2100] 16:11:02:638: EapPeapEnd done
>> --------------------------------------------------------------------------------------------
>>
>> You were trying to do a fast reconnect here.
>>
>> First try to see if both server and client are configured to allow fast
>> reconnect. If this is the case, then I strongly suspect that there is
>> something wrong with the connection instead of PEAP authentication. Look
>> at EAPOL log, it says "disconnected" and the remote mac is all 0. And for
>> RasTls log, after "TLS session fast reconnected", it expected a
>> success/failure packet but it never received. (Because if it does, the
>> logs will show it). Instead, EapPeapEnd is called by the supplicant. I
>> think it is because the connection is disconnected so the supplicant
>> called EapPeapEnd.
>>
>> Let me know if you need more help.
>>
>> If you want to get more information from EAPOL log, you may want to ask
>> this newsgroup:
>> microsoft.public.windows.networking.wireless
>>
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights. Use of included script samples are subject to the terms specified
>> at http://www.microsoft.com/info/cpyright.htm.
>>
>> Please do not send e-mail directly to this alias.
>> This alias is for newsgroup purposes only.
>> ====================================
>> "msnews.microsoft.com" <kire@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:eqnyxYvhFHA.2916@xxxxxxxxxxxxxxxxxxxxxxx
>>> Hi,
>>>
>>> We use a Cisco environment with Windows 2000 Clients (+ 802.1x
>>> supplicant).
>>> The supplicant authenticates to our ACS radius server which ACS accepts.
>>> We see that the client states to be "authenticated".
>>> Now, 1-3 seconds later, the client starts reauthentication which our ACS
>>> accepts again, but the client does not.
>>>
>>> I've enabled "netsh ras set tracing * en" on the client which resulted
>>> in
>>> the following output (see weblink)
>>>
>>> Can anybody tell me what's going on and why we've got these failures?
>>>
>>> Regards,
>>>
>>> Erik Tamminga
>>> etamminga@xxxxxxxxxxx
>>>
>>> See http://www.etamminga.nl/8021x for the netsh generated log files.
>>>
>>
>>
>
>
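
The cross-check between the RASTLS and EAPOL traces described in this thread can be scripted. The Python below is an added example, not part of the original posts or any Microsoft tool; the function name `diagnose`, the `window_ms` tolerance and the reading of "no RASTLS lines between the fast reconnect and EapPeapEnd" as "no result packet was processed" are assumptions, and the sample lines are excerpts of the logs quoted above.

```python
import re

# Excerpts of the logs quoted in this thread (records trimmed to the parsed fields).
RASTLS = """\
[1268] 16:11:02:248: TLS session fast reconnected
[1268] 16:11:02:248: EapPeapMakeMessage done
[2100] 16:11:02:638: EapPeapEnd
[2100] 16:11:02:638: EapPeapEnd done
"""
EAPOL = """\
[1268] 16:11:02: Information: LocalMac:[00-0B-FD-60-5D-06]
RemoteMac:[00-02-8A-21-12-C2] SSID:[airborne]
Message: [EAPOL State Transition: [AUTHENTICATING] to [AUTHENTICATING] ]
[2096] 16:11:03: Information: LocalMac:[00-0B-FD-60-5D-06]
RemoteMac:[00-00-00-00-00-00] SSID:[]
Message: [EAPOL State Transition: [LOGOFF] to [DISCONNECTED] ]
"""

RASTLS_RE = re.compile(r"^\[(\d+)\] (\d\d):(\d\d):(\d\d):(\d{3}): (.*)$", re.M)
EAPOL_RE = re.compile(
    r"^\[(\d+)\] (\d\d):(\d\d):(\d\d): Information:.*?RemoteMac:\[([0-9A-Fa-f-]+)\]"
    r".*?State Transition: \[(\w+)\] to \[(\w+)\]", re.M | re.S)

def ms(h, m, s, frac="0"):  # time of day in milliseconds
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(frac)

def diagnose(rastls_text, eapol_text, window_ms=2000):
    """Summarise what follows a PEAP fast reconnect, or None if there was none."""
    ev = [(ms(h, m, s, f), tid, msg.strip())
          for tid, h, m, s, f, msg in RASTLS_RE.findall(rastls_text)]
    i = next((k for k, e in enumerate(ev) if "fast reconnected" in e[2]), None)
    if i is None:
        return None
    t0, tid0, _ = ev[i]
    end = next((e for e in ev[i + 1:] if e[2].startswith("EapPeapEnd")), None)
    if end is None:
        return {"teardown": False}
    # RASTLS lines strictly between the reconnect burst and EapPeapEnd; zero means
    # nothing further was logged on the session before the supplicant ended it.
    between = sum(1 for t, _, _ in ev if t0 < t < end[0])
    # EAPOL transitions to DISCONNECTED with an all-zero RemoteMac near the teardown.
    # EAPOL stamps have one-second resolution, hence the symmetric window.
    drops = [(old, new) for tid, h, m, s, mac, old, new in EAPOL_RE.findall(eapol_text)
             if new == "DISCONNECTED" and set(mac) <= {"0", "-"}
             and abs(ms(h, m, s) - end[0]) <= window_ms]
    return {"teardown": True, "gap_ms": end[0] - t0, "lines_between": between,
            "other_thread": end[1] != tid0, "eapol_drops": drops}

print(diagnose(RASTLS, EAPOL))
```

A result with `lines_between` of 0 and a non-empty `eapol_drops` matches the pattern discussed in the thread: the session was ended from the supplicant side while the link went to DISCONNECTED, rather than PEAP itself reporting a failure.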