PEAP/MS-CHAPV2 Machine Authentication

Trying to get IAS on 2003 server to authenticate a machine via PEAP/MS-CHAPV2
and contacting Active Directory seems to be broken. Domain server is Windows
2000 mixed with a name of lucentradius.com and a pre-2000 name of LCP. Do I
need to manipulate user-name to get IAS to work? I've been banging my head for a
couple of days trying to get this to work. Supplicant is Windows XP, IAS is
on different machine than DC, user authentication works but appears to take
two AD requests. Any help would be appreciated.

Mike

I get the following in the Event Log:

Access request for user host/xp-dev-lap3.lucentradius.com was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 135.140.160.50
NAS-Identifier = cisco350
Called-Station-Identifier = 0008.2130.f4c1
Calling-Station-Identifier = 0007.eb31.766d
Client-Friendly-Name = cedar
Client-IP-Address = 135.140.160.15
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 291
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 4
Reason = The Active Directory global catalog cannot be accessed.

This is what I see in IASSAM.LOG (includes two machine failures and one
successful user auth):

[980] 05-22 14:23:30:647: DsCrackNames failed: The specified domain either
does not exist or could not be contacted.
[980] 05-22 14:23:30:647: Caught COM exception: The system cannot open the
file.
[2744] 05-22 14:23:39:790: Creating EAP session
[2744] 05-22 14:23:39:790: NT-SAM Names handler received request with user
identity host/xp-dev-lap3.lucentradius.com.
[2744] 05-22 14:23:39:800: DsCrackNames failed: The specified domain either
does not exist or could not be contacted.
[2744] 05-22 14:23:39:800: Caught COM exception: The system cannot open the
file.
[980] 05-22 14:23:49:795: Creating EAP session
[980] 05-22 14:23:49:795: NT-SAM Names handler received request with user
identity host/xp-dev-lap3.lucentradius.com.
[980] 05-22 14:23:49:805: DsCrackNames failed: The specified domain either
does not exist or could not be contacted.
[980] 05-22 14:23:49:805: Caught COM exception: The system cannot open the
file.
[2744] 05-22 14:24:00:481: Creating EAP session
[2744] 05-22 14:24:00:481: NT-SAM Names handler received request with user
identity authnt.
[2744] 05-22 14:24:00:481: Prepending default domain.
[2744] 05-22 14:24:00:481: NameMapper::prependDefaultDomain
[2744] 05-22 14:24:00:481: SAM-Account-Name is "LCP\authnt".
[2744] 05-22 14:24:00:481: NT-SAM Authentication handler received request
for LCP\authnt.
[2744] 05-22 14:24:00:481: Validating Windows account LCP\authnt.
[2744] 05-22 14:24:00:481: Sending LDAP search to sprague.lucentradius.com.
[2744] 05-22 14:24:00:481: LDAP ERROR in ldap_search_ext_sW. Code = 81
[2744] 05-22 14:24:00:481: Extended error string: (null)
[2744] 05-22 14:24:00:481: Retrying LDAP search.
[2744] 05-22 14:24:00:491: Opening LDAP connection to
sprague.lucentradius.com.
[2744] 05-22 14:24:00:491: The registry value DisableLdapEncryption does not
exist. Using default 0
[2744] 05-22 14:24:00:491: Trying to set LDAP encryption = 1
[2744] 05-22 14:24:00:721: LDAP connect succeeded.
[2744] 05-22 14:24:00:721: Sending LDAP search to sprague.lucentradius.com.
[2744] 05-22 14:24:00:731: Successfully validated windows account.
[2744] 05-22 14:24:00:731: NT-SAM User Authorization handler received
request for LCP\authnt.
[2744] 05-22 14:24:00:731: Using downlevel dial-in parameters.
[2744] 05-22 14:24:00:731: Sending LDAP search to sprague.lucentradius.com.
[2744] 05-22 14:24:00:731: Inserting attribute msNPAllowDialin.
[2744] 05-22 14:24:00:731: Successfully retrieved per-user attributes.
[2744] 05-22 14:24:00:731: Allowed EAP type: 25
[2744] 05-22 14:24:00:731: Setting max. packet length to 1396.
[2744] 05-22 14:24:00:731: Processing output from EAP DLL.
[2744] 05-22 14:24:00:731: EAPACTION_Send
[2744] 05-22 14:24:00:731: Inserting outbound EAP-Message of length 6.
[2744] 05-22 14:24:00:731: Issuing Access-Challenge.
[2744] 05-22 14:24:00:731: Saving the response
[980] 05-22 14:24:00:751: Successfully retrieved existing session
[980] 05-22 14:24:00:751: Injecting the profile
[980] 05-22 14:24:00:751: Processing output from EAP DLL.
[980] 05-22 14:24:00:751: EAPACTION_Send
[980] 05-22 14:24:00:751: Inserting outbound EAP-Message of length 1396.
[980] 05-22 14:24:00:751: Issuing Access-Challenge.
[980] 05-22 14:24:00:751: Saving the response
[2744] 05-22 14:24:00:821: Successfully retrieved existing session
[2744] 05-22 14:24:00:821: Injecting the profile
[2744] 05-22 14:24:00:821: Processing output from EAP DLL.
[2744] 05-22 14:24:00:821: EAPACTION_Send
[2744] 05-22 14:24:00:821: Inserting outbound EAP-Message of length 1396.
[2744] 05-22 14:24:00:821: Issuing Access-Challenge.
[2744] 05-22 14:24:00:821: Saving the response
[2744] 05-22 14:24:00:841: Successfully retrieved existing session
[2744] 05-22 14:24:00:841: Injecting the profile
[2744] 05-22 14:24:00:841: Processing output from EAP DLL.
[2744] 05-22 14:24:00:841: EAPACTION_Send
[2744] 05-22 14:24:00:841: Inserting outbound EAP-Message of length 1396.
[2744] 05-22 14:24:00:841: Issuing Access-Challenge.
[2744] 05-22 14:24:00:841: Saving the response
[2744] 05-22 14:24:00:861: Successfully retrieved existing session
[2744] 05-22 14:24:00:861: Injecting the profile
[2744] 05-22 14:24:00:861: Processing output from EAP DLL.
[2744] 05-22 14:24:00:861: EAPACTION_Send
[2744] 05-22 14:24:00:861: Inserting outbound EAP-Message of length 627.
[2744] 05-22 14:24:00:861: Issuing Access-Challenge.
[2744] 05-22 14:24:00:861: Saving the response
[2744] 05-22 14:24:00:882: Successfully retrieved existing session
[2744] 05-22 14:24:00:882: Injecting the profile
[2744] 05-22 14:24:00:892: Processing output from EAP DLL.
[2744] 05-22 14:24:00:892: EAPACTION_Send
[2744] 05-22 14:24:00:892: Inserting outbound EAP-Message of length 53.
[2744] 05-22 14:24:00:892: Issuing Access-Challenge.
[2744] 05-22 14:24:00:892: Saving the response
[980] 05-22 14:24:00:912: Successfully retrieved existing session
[980] 05-22 14:24:00:912: Injecting the profile
[980] 05-22 14:24:00:912: Processing output from EAP DLL.
[980] 05-22 14:24:00:912: EAPACTION_Send
[980] 05-22 14:24:00:912: Inserting outbound EAP-Message of length 28.
[980] 05-22 14:24:00:912: Issuing Access-Challenge.
[980] 05-22 14:24:00:912: Saving the response
[980] 05-22 14:24:00:922: Successfully retrieved existing session
[980] 05-22 14:24:00:922: Injecting the profile
[980] 05-22 14:24:00:922: Processing output from EAP DLL.
[980] 05-22 14:24:00:922: EAPACTION_Send
[980] 05-22 14:24:00:922: Inserting outbound EAP-Message of length 54.
[980] 05-22 14:24:00:922: Issuing Access-Challenge.
[980] 05-22 14:24:00:922: Saving the response
[2744] 05-22 14:24:00:942: Successfully retrieved existing session
[2744] 05-22 14:24:00:942: Injecting the profile
[2744] 05-22 14:24:00:952: Processing output from EAP DLL.
[2744] 05-22 14:24:00:952: EAPACTION_Send
[2744] 05-22 14:24:00:952: Inserting outbound EAP-Message of length 74.
[2744] 05-22 14:24:00:952: Issuing Access-Challenge.
[2744] 05-22 14:24:00:952: Saving the response
[980] 05-22 14:24:00:962: Successfully retrieved existing session
[980] 05-22 14:24:00:962: Injecting the profile
[980] 05-22 14:24:00:972: Processing output from EAP DLL.
[980] 05-22 14:24:00:972: EAPACTION_IndicateTLV
[980] 05-22 14:24:00:972: Translating attributes returned by EAP DLL.
[980] 05-22 14:24:00:972: Inserting attribute 8102
[980] 05-22 14:24:00:972: Processing output from EAP DLL.
[980] 05-22 14:24:00:972: EAPACTION_Send
[980] 05-22 14:24:00:972: Inserting outbound EAP-Message of length 38.
[980] 05-22 14:24:00:972: Issuing Access-Challenge.
[980] 05-22 14:24:00:972: Saving the response
[980] 05-22 14:24:00:982: Successfully retrieved existing session
[980] 05-22 14:24:00:982: Injecting the profile
[980] 05-22 14:24:00:982: Processing output from EAP DLL.
[980] 05-22 14:24:00:982: EAPACTION_Done
[980] 05-22 14:24:00:982: Translating attributes returned by EAP DLL.
[980] 05-22 14:24:00:982: Inserting attribute 4120
[980] 05-22 14:24:00:982: Inserting attribute 4145
[980] 05-22 14:24:00:982: Inserting attribute 8100
[980] 05-22 14:24:00:982: Inserting attribute 8099
[980] 05-22 14:24:00:982: Inserting attribute 4140
[980] 05-22 14:24:00:982: Inserting attribute 4141
[980] 05-22 14:24:00:982: EAP authentication succeeded.
[980] 05-22 14:24:00:982: Inserting outbound EAP-Message of length 4.
[980] 05-22 14:24:00:982: Saving the response
