IAS authenticates using EAP-TLS but not PEAP-MSCHAPv2
- From: AndrewM <AndrewM@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 8 Aug 2006 16:17:02 -0700
Hi there,
I'm trying to set up a wireless test environment using WinXP Pro/SP2 client
& W2K SBS/SP4 Server. The Access point is a Linksys WAP54G set up to use WPA
with a Radius server.
Following all the white paper suggestions, I've got it to work with EAP-TLS
by installing the SBS server as a CA authority then installing the
appropriate certificates. However I really want it to run using
PEAP-MSCHAPv2, so as to avoid domain users manually having to request
certificates. When I change the client and server profiles to reflect this I
get the following displayed in the event log:
User MYDOMAIN\myusername was denied access.
Fully-Qualified-User-Name = MYDOMAIN\myusername
NAS-IP-Address = 10.10.10.252
NAS-Identifier = 0016b6541398
Called-Station-Identifier = 0016b6541398
Calling-Station-Identifier = 00022d46178c
Client-Friendly-Name = LinkSys AP
Client-IP-Address = 10.10.10.252
NAS-Port-Type = 19
NAS-Port = 29
Policy-Name = Wireless Connections
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = There was an authentication failure because of an unknown user
name or a bad password.
It's logging the correct username, so that's being received OK. I have a
simultaneous wired connection, so I know the Username & password are OK.
Since I've had this working with EAP-TLS (aka "Smart Card or other
Certificate"), then this shows all the certificates are OK. The only change I
made between the two configs was to set PEAP-MSCHAPv2 on both the client and
server.
Does anyone have any suggestions?
FWIW Here's the RASTLS log (I have others from both the client and server):
[4528] 15:11:29:938: EapPeapBegin
[3692] 15:11:29:954: EapPeapBegin
[3692] 15:11:29:970: PeapReadUserData
[4528] 15:11:29:970: PeapReadUserData
[3692] 15:11:29:970:
[4528] 15:11:29:970:
[3692] 15:11:29:970: EapTlsBegin(MYDOMAIN\myusername)
[4528] 15:11:29:970: EapTlsBegin(MYDOMAIN\myusername)
[3692] 15:11:29:970: State change to Initial
[4528] 15:11:29:970: State change to Initial
[3692] 15:11:29:970: EapTlsBegin: Detected PEAP authentication
[4528] 15:11:29:970: EapTlsBegin: Detected PEAP authentication
[3692] 15:11:29:970: MaxTLSMessageLength is now 16384
[4528] 15:11:29:970: MaxTLSMessageLength is now 16384
[3692] 15:11:29:970: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[4528] 15:11:29:970: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[3692] 15:11:29:970: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[4528] 15:11:29:970: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[3692] 15:11:29:970: The root cert will not be checked for revocation
[4528] 15:11:29:970: The root cert will not be checked for revocation
[3692] 15:11:29:970: The cert will be checked for revocation
[4528] 15:11:29:970: The cert will be checked for revocation
[3692] 15:11:29:970: EapPeapBegin done
[4528] 15:11:29:970: EapPeapBegin done
[3692] 15:11:29:970: EapPeapMakeMessage
[4528] 15:11:29:970: EapPeapMakeMessage
[4528] 15:11:29:970: EapPeapSMakeMessage
[3692] 15:11:29:970: EapPeapSMakeMessage
[4528] 15:11:29:970: PEAP:PEAP_STATE_INITIAL
[3692] 15:11:29:970: PEAP:PEAP_STATE_INITIAL
[4528] 15:11:29:970: EapTlsSMakeMessage
[3692] 15:11:29:970: EapTlsSMakeMessage
[4528] 15:11:29:970: EapTlsReset
[3692] 15:11:29:970: EapTlsReset
[4528] 15:11:29:970: State change to Initial
[3692] 15:11:29:970: State change to Initial
[4528] 15:11:29:970: GetCredentials
[3692] 15:11:29:970: GetCredentials
[4528] 15:11:29:970: Flag is Server and Store is local Machine
[3692] 15:11:29:970: Flag is Server and Store is local Machine
[4528] 15:11:29:970: GetCachedCredentials
[3692] 15:11:29:970: GetCachedCredentials
[4528] 15:11:29:970: PEAP GetCachedCredentials: Using cached credentials.
[4528] 15:11:29:970: BuildPacket
[3692] 15:11:29:970: PEAP GetCachedCredentials: Using cached credentials.
[4528] 15:11:29:970: << Sending Request (Code: 1) packet: Id: 1, Length: 6,
Type: 13, TLS blob length: 0. Flags: S
[3692] 15:11:29:970: BuildPacket
[4528] 15:11:29:970: State change to SentStart
[3692] 15:11:29:970: << Sending Request (Code: 1) packet: Id: 1, Length: 6,
Type: 13, TLS blob length: 0. Flags: S
[4528] 15:11:29:970: EapPeapSMakeMessage done
[3692] 15:11:29:970: State change to SentStart
[4528] 15:11:29:970: EapPeapMakeMessage done
[3692] 15:11:29:970: EapPeapSMakeMessage done
[3692] 15:11:29:970: EapPeapMakeMessage done
[4528] 15:11:29:970: EapPeapEnd
[4528] 15:11:29:970: EapTlsEnd
[4528] 15:11:29:970: EapTlsEnd(MYDOMAIN\myusername)
[4528] 15:11:29:970: EapPeapEnd done
[4528] 15:11:29:970: EapPeapEnd
[4528] 15:11:29:970: EapTlsEnd
[4528] 15:11:29:970: EapTlsEnd(MYDOMAIN\myusername)
[4528] 15:11:29:970: EapPeapEnd done
[2344] 15:11:30:001: EapPeapMakeMessage
[2344] 15:11:30:001: EapPeapSMakeMessage
[2344] 15:11:30:001: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:001: EapTlsSMakeMessage
[2344] 15:11:30:001: MakeReplyMessage
[2344] 15:11:30:001: Reallocating input TLS blob buffer
[2344] 15:11:30:001: SecurityContextFunction
[2344] 15:11:30:001: AcceptSecurityContext returned 0x90312
[2344] 15:11:30:001: State change to SentHello
[2344] 15:11:30:001: BuildPacket
[2344] 15:11:30:001: << Sending Request (Code: 1) packet: Id: 2, Length:
1396, Type: 13, TLS blob length: 13062. Flags: LM
[2344] 15:11:30:001: EapPeapSMakeMessage done
[2344] 15:11:30:001: EapPeapMakeMessage done
[4528] 15:11:30:017: EapPeapMakeMessage
[4528] 15:11:30:017: EapPeapSMakeMessage
[4528] 15:11:30:017: PEAP:PEAP_STATE_TLS_INPROGRESS
[4528] 15:11:30:017: EapTlsSMakeMessage
[4528] 15:11:30:017: BuildPacket
[4528] 15:11:30:017: << Sending Request (Code: 1) packet: Id: 3, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[4528] 15:11:30:017: EapPeapSMakeMessage done
[4528] 15:11:30:032: EapPeapMakeMessage done
[2344] 15:11:30:048: EapPeapMakeMessage
[2344] 15:11:30:048: EapPeapSMakeMessage
[2344] 15:11:30:048: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:048: EapTlsSMakeMessage
[2344] 15:11:30:048: BuildPacket
[2344] 15:11:30:048: << Sending Request (Code: 1) packet: Id: 4, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[2344] 15:11:30:048: EapPeapSMakeMessage done
[2344] 15:11:30:048: EapPeapMakeMessage done
[4528] 15:11:30:063: EapPeapMakeMessage
[4528] 15:11:30:063: EapPeapSMakeMessage
[4528] 15:11:30:063: PEAP:PEAP_STATE_TLS_INPROGRESS
[4528] 15:11:30:063: EapTlsSMakeMessage
[4528] 15:11:30:063: BuildPacket
[4528] 15:11:30:063: << Sending Request (Code: 1) packet: Id: 5, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[4528] 15:11:30:063: EapPeapSMakeMessage done
[4528] 15:11:30:063: EapPeapMakeMessage done
[2344] 15:11:30:063: EapPeapMakeMessage
[2344] 15:11:30:063: EapPeapSMakeMessage
[2344] 15:11:30:063: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:063: EapTlsSMakeMessage
[2344] 15:11:30:063: BuildPacket
[2344] 15:11:30:063: << Sending Request (Code: 1) packet: Id: 6, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[2344] 15:11:30:063: EapPeapSMakeMessage done
[2344] 15:11:30:063: EapPeapMakeMessage done
[4528] 15:11:30:079: EapPeapMakeMessage
[4528] 15:11:30:079: EapPeapSMakeMessage
[4528] 15:11:30:079: PEAP:PEAP_STATE_TLS_INPROGRESS
[4528] 15:11:30:079: EapTlsSMakeMessage
[4528] 15:11:30:079: BuildPacket
[4528] 15:11:30:079: << Sending Request (Code: 1) packet: Id: 7, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[4528] 15:11:30:079: EapPeapSMakeMessage done
[4528] 15:11:30:079: EapPeapMakeMessage done
[2344] 15:11:30:095: EapPeapMakeMessage
[2344] 15:11:30:095: EapPeapSMakeMessage
[2344] 15:11:30:095: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:095: EapTlsSMakeMessage
[2344] 15:11:30:095: BuildPacket
[2344] 15:11:30:095: << Sending Request (Code: 1) packet: Id: 8, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[2344] 15:11:30:095: EapPeapSMakeMessage done
[2344] 15:11:30:095: EapPeapMakeMessage done
[4528] 15:11:30:095: EapPeapMakeMessage
[4528] 15:11:30:095: EapPeapSMakeMessage
[4528] 15:11:30:095: PEAP:PEAP_STATE_TLS_INPROGRESS
[4528] 15:11:30:095: EapTlsSMakeMessage
[4528] 15:11:30:095: BuildPacket
[4528] 15:11:30:095: << Sending Request (Code: 1) packet: Id: 9, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[4528] 15:11:30:095: EapPeapSMakeMessage done
[4528] 15:11:30:095: EapPeapMakeMessage done
[2344] 15:11:30:110: EapPeapMakeMessage
[2344] 15:11:30:110: EapPeapSMakeMessage
[2344] 15:11:30:110: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:110: EapTlsSMakeMessage
[2344] 15:11:30:110: BuildPacket
[2344] 15:11:30:110: << Sending Request (Code: 1) packet: Id: 10, Length:
1396, Type: 13, TLS blob length: 0. Flags: M
[2344] 15:11:30:110: EapPeapSMakeMessage done
[2344] 15:11:30:110: EapPeapMakeMessage done
[4528] 15:11:30:110: EapPeapMakeMessage
[4528] 15:11:30:110: EapPeapSMakeMessage
[4528] 15:11:30:110: PEAP:PEAP_STATE_TLS_INPROGRESS
[4528] 15:11:30:110: EapTlsSMakeMessage
[4528] 15:11:30:110: BuildPacket
[4528] 15:11:30:110: << Sending Request (Code: 1) packet: Id: 11, Length:
562, Type: 13, TLS blob length: 0. Flags:
[4528] 15:11:30:110: EapPeapSMakeMessage done
[4528] 15:11:30:110: EapPeapMakeMessage done
[2344] 15:11:30:142: EapPeapMakeMessage
[2344] 15:11:30:142: EapPeapSMakeMessage
[2344] 15:11:30:142: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:142: EapTlsSMakeMessage
[2344] 15:11:30:142: MakeReplyMessage
[2344] 15:11:30:142: SecurityContextFunction
[2344] 15:11:30:142: AcceptSecurityContext returned 0x80090318
[2344] 15:11:30:142: State change to SentFinished. Error: 0x80090318
[2344] 15:11:30:142: Negotiation unsuccessful
[2344] 15:11:30:142: BuildPacket
[2344] 15:11:30:142: << Sending Failure (Code: 4) packet: Id: 12, Length: 4,
Type: 0, TLS blob length: 0. Flags:
[2344] 15:11:30:142: AuthResultCode = (-2146893032), bCode = (4)
[2344] 15:11:30:142: EapPeapSMakeMessage done
[2344] 15:11:30:142: EapPeapMakeMessage done
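
An added example, not part of the original post: a small Python parser for RASTLS trace lines like those above. It tolerates records wrapped onto a second line and reports the PEAP state and SSPI status in effect when a Failure packet was built. The status names are taken from the Windows SDK's winerror.h; keying state by the bracketed thread ID is an assumption that holds for this excerpt.

```python
import re

# SSPI status names from the Windows SDK (winerror.h); subset relevant to TLS handshakes.
SSPI = {0x00000000: "SEC_E_OK", 0x00090312: "SEC_I_CONTINUE_NEEDED",
        0x80090318: "SEC_E_INCOMPLETE_MESSAGE", 0x80090325: "SEC_E_UNTRUSTED_ROOT",
        0x80090326: "SEC_E_ILLEGAL_MESSAGE"}
LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d{3}): ?(.*)$")

def parse_trace(text):
    """Return (thread_id, time, message) tuples, re-joining wrapped records."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            out.append([m.group(1), m.group(2), m.group(3)])
        elif out and raw.strip():
            out[-1][2] += " " + raw.strip()  # continuation of the previous record
    return [tuple(r) for r in out]

def diagnose(text):
    """Report PEAP state and last SSPI status for each Failure packet built."""
    state, status, findings = {}, {}, []  # keyed by thread ID (assumption)
    for tid, ts, msg in parse_trace(text):
        if msg.startswith("PEAP:"):
            state[tid] = msg[5:]
        elif m := re.search(r"AcceptSecurityContext returned (0x[0-9a-fA-F]+)", msg):
            status[tid] = int(m.group(1), 16)
        elif "Sending Failure" in msg:
            code = status.get(tid)
            findings.append({"thread": tid, "time": ts, "peap_state": state.get(tid),
                             "status": f"0x{code:08X}" if code is not None else None,
                             "name": SSPI.get(code, "unknown")})
        elif (m := re.search(r"AuthResultCode = \((-?\d+)\)", msg)) and findings:
            # Logged as signed 32-bit; convert to the unsigned HRESULT form.
            findings[-1]["auth_result"] = f"0x{int(m.group(1)) & 0xFFFFFFFF:08X}"
    return findings

# Excerpt of the trace quoted in the message above, including one wrapped record.
SAMPLE = """\
[2344] 15:11:30:001: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:001: AcceptSecurityContext returned 0x90312
[2344] 15:11:30:142: PEAP:PEAP_STATE_TLS_INPROGRESS
[2344] 15:11:30:142: AcceptSecurityContext returned 0x80090318
[2344] 15:11:30:142: << Sending Failure (Code: 4) packet: Id: 12, Length: 4,
Type: 0, TLS blob length: 0. Flags:
[2344] 15:11:30:142: AuthResultCode = (-2146893032), bCode = (4)
"""
if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

On this excerpt the Failure packet is built while the trace still shows PEAP_STATE_TLS_INPROGRESS, and the signed AuthResultCode is the same value as the AcceptSecurityContext status.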