VPN with ISA 2004 Radius/IAS PEAP problem
- From: "b---burnett@xxxxxxxxxxxxxxxx" <bburnett@xxxxxxxxx>
- Date: 30 Dec 2005 22:48:18 -0800
I've set up a standalone ISA 2004 SP1 server. I also have a standalone
IAS server and Certificate Services server. All are running Windows
2003 SP1 with the latest hotfixes. I've configured ISA to authenticate via
RADIUS to IAS. IAS is in standalone mode and uses the local machine
SAM to authenticate username and password.
When I attempt to VPN using the Windows XP SP2 VPN client I get:
Access was denied because the username and/or password was invalid on
the domain.
I've created both the server and client certificates using MS RSA
SChannel provider, and verified that the client has a private key and
trusts my standalone CA.
Can anyone figure out what I've missed?
On the server I see two event log messages:
User xxx was denied access.
Fully-Qualified-User-Name = server\xxx
NAS-IP-Address = 127.0.0.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 192.168.0.100
Client-Friendly-Name = server
Client-IP-Address = 10.0.0.1
NAS-Port-Type = Virtual
NAS-Port = 6
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = VPN Access
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.
The second server event log message:
The user xxx has connected and failed to authenticate on port VPN5-4.
The line has been disconnected.
I turned tracing on and this is my resulting IASSAM.LOG:
[248] 12-31 00:35:04:562: Creating EAP session
[248] 12-31 00:35:04:562: NT-SAM Names handler received request with
user identity xxx.
[248] 12-31 00:35:04:562: Prepending default domain.
[248] 12-31 00:35:04:562: NameMapper::prependDefaultDomain
[248] 12-31 00:35:04:562: SAM-Account-Name is "domain\xxx".
[248] 12-31 00:35:04:562: NT-SAM Authentication handler received
request for domain\xxx.
[248] 12-31 00:35:04:562: Validating Windows account domain\xxx.
[248] 12-31 00:35:04:562: Using downlevel APIs to validate account.
[248] 12-31 00:35:04:562: Using cached SAM connection to local account
domain.
[248] 12-31 00:35:04:562: Successfully validated windows account.
[248] 12-31 00:35:04:562: NT-SAM User Authorization handler received
request for domain\xxx.
[248] 12-31 00:35:04:562: Using NT5 local user parameters.
[248] 12-31 00:35:04:562: Using cached SAM connection to local account
domain.
[248] 12-31 00:35:04:562: Inserting attribute msNPAllowDialin.
[248] 12-31 00:35:04:562: Successfully retrieved per-user attributes.
[248] 12-31 00:35:04:562: Allowed EAP type: 25
[248] 12-31 00:35:04:562: Setting max. packet length to 1396.
[248] 12-31 00:35:04:562: Processing output from EAP DLL.
[248] 12-31 00:35:04:562: EAPACTION_Send
[248] 12-31 00:35:04:562: Inserting outbound EAP-Message of length 6.
[248] 12-31 00:35:04:562: Issuing Access-Challenge.
[248] 12-31 00:35:04:562: Invoking AuthorizationDLLs
[248] 12-31 00:35:04:562: Invoking extension vpnplgin.dll
[248] 12-31 00:35:04:562: RadiusExtensionProcess2 returned 0
[248] 12-31 00:35:04:562: Saving the response
[792] 12-31 00:35:04:578: Successfully retrieved existing session
[792] 12-31 00:35:04:578: EAP NAK; proposed type = 13
[792] 12-31 00:35:04:578: EAP negotiation failed; no types remaining.
[792] 12-31 00:35:04:578: Injecting the profile
[792] 12-31 00:35:04:578: EAP negotiation failed. Rejecting user.
[792] 12-31 00:35:04:578: Invoking AuthorizationDLLs
[792] 12-31 00:35:04:578: Invoking extension vpnplgin.dll
[792] 12-31 00:35:04:578: RadiusExtensionProcess2 returned 0
[792] 12-31 00:35:04:578: Saving the response
My RASCTL.log:
[248] 00:35:04:562: EapPeapBegin
[248] 00:35:04:562: PeapReadUserData
[248] 00:35:04:562:
[248] 00:35:04:562: EapTlsBegin(domain\xxx)
[248] 00:35:04:562: SetupMachineChangeNotification
[248] 00:35:04:562: State change to Initial
[248] 00:35:04:562: EapTlsBegin: Detected PEAP authentication
[248] 00:35:04:562: MaxTLSMessageLength is now 16384
[248] 00:35:04:562: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[248] 00:35:04:562: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[248] 00:35:04:562: The root cert will not be checked for revocation
[248] 00:35:04:562: The cert will be checked for revocation
[248] 00:35:04:562: EapPeapBegin done
[248] 00:35:04:562: EapPeapMakeMessage
[248] 00:35:04:562: EapPeapSMakeMessage
[248] 00:35:04:562: PEAP:PEAP_STATE_INITIAL
[248] 00:35:04:562: EapTlsSMakeMessage
[248] 00:35:04:562: EapTlsReset
[248] 00:35:04:562: State change to Initial
[248] 00:35:04:562: GetCredentials
[248] 00:35:04:562: Flag is Server and Store is local Machine
[248] 00:35:04:562: GetCachedCredentials Flags = 0x4061
[248] 00:35:04:562: GetCachedCredentials: Using Cached Credentials
[248] 00:35:04:562: GetCachedCredentials: Hash of the cert in the cache
is
<hidden>
[248] 00:35:04:562: BuildPacket
[248] 00:35:04:562: << Sending Request (Code: 1) packet: Id: 5, Length:
6, Type: 13, TLS blob length: 0. Flags: S
[248] 00:35:04:562: State change to SentStart
[248] 00:35:04:562: EapPeapSMakeMessage done
[248] 00:35:04:562: EapPeapMakeMessage done
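One way to pull the EAP negotiation out of an IASSAM.LOG trace like the one above: the script below is an added example, not part of the original post or of IAS itself. It reads the "Allowed EAP type" and "EAP NAK; proposed type" lines, maps the numbers to their IANA-assigned method names, and reports when the client asks for a method the IAS policy does not offer. The regexes assume the line format shown in the post; the sample lines are trimmed from that trace.

```python
"""Spot an EAP type negotiation mismatch in a Windows IAS (IASSAM.LOG) trace."""
import re
from dataclasses import dataclass, field

# IANA-assigned EAP method type numbers that commonly appear in IAS traces.
EAP_TYPE_NAMES = {4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

ALLOWED_RE = re.compile(r"Allowed EAP type:\s*(\d+)")
NAK_RE = re.compile(r"EAP NAK; proposed type\s*=\s*(\d+)")
REJECT_RE = re.compile(r"EAP negotiation failed\. Rejecting user\.")


def name(t):
    return EAP_TYPE_NAMES.get(t, f"type {t}")


@dataclass
class EapNegotiation:
    allowed: list = field(default_factory=list)   # types the IAS policy offers
    proposed: list = field(default_factory=list)  # types the client NAKs back with
    rejected: bool = False                        # did IAS reject the user outright?

    def mismatch(self):
        """Client-proposed types the policy does not allow (empty list == no mismatch)."""
        return [t for t in self.proposed if t not in self.allowed]

    def explain(self):
        bad = self.mismatch()
        if not bad:
            return "no EAP type mismatch found"
        return "client asked for %s but policy only allows %s" % (
            ", ".join(name(t) for t in bad), ", ".join(name(t) for t in self.allowed))


def parse_iassam(text):
    """Walk the trace line by line and collect the offered/proposed EAP types."""
    neg = EapNegotiation()
    for line in text.splitlines():
        if m := ALLOWED_RE.search(line):
            neg.allowed.append(int(m.group(1)))
        elif m := NAK_RE.search(line):
            neg.proposed.append(int(m.group(1)))
        elif REJECT_RE.search(line):
            neg.rejected = True
    return neg


# Constructed sample: the relevant lines from the IASSAM.LOG quoted in the post.
SAMPLE_LOG = """\
[248] 12-31 00:35:04:562: Allowed EAP type: 25
[248] 12-31 00:35:04:562: Issuing Access-Challenge.
[792] 12-31 00:35:04:578: EAP NAK; proposed type = 13
[792] 12-31 00:35:04:578: EAP negotiation failed; no types remaining.
[792] 12-31 00:35:04:578: EAP negotiation failed. Rejecting user.
"""

if __name__ == "__main__":
    print(parse_iassam(SAMPLE_LOG).explain())
```

On the trace above this prints that the client asked for EAP-TLS while the policy only allows PEAP, which is the condition behind Reason-Code 22 in the first event log message.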