Re: 802.1X/EAP authentication issue with XP client



=?Utf-8?B?am9lQQ==?= <joeA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:471A486C-D1B1-4B64-8C4C-974B6109E2A7@xxxxxxxxxxxxx:

I zipped up and emailed the workstation and server netsh logs as
requested.

I also tried adjusting the IAS remote access policy framed MTU param
to a value of 1340 as suggested in IASOpsGuide. EAP authentication is
still failing, although I see a slight difference in the IASSAM log:
[2532] 14:45:56:241: Setting max. packet length to 1020.
[2532] 14:45:56:241: Setting max. packet length to 1340.
So it looks like I adjusted it up instead of down! This is a LAN
though, and looking at the traffic I'm not seeing fragmentation, and
all packets are being reported as < 512 octets in size.

- Joe


"James McIllece [MS]" wrote:

"James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx> wrote in
news:Xns983596AC6D711jamesmcionlinemicros@xxxxxxxxxxxxx:

=?Utf-8?B?am9lQQ==?= <joeA@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:A20AEA20-CE29-4484-8F1C-166DFE268225@xxxxxxxxxxxxx:

Hi..

I'm hoping someone can give me an idea about where to look next
with this issue!
Details below-->

Thanks!
Joe

I've got 17 XP clients authenticating fine using computer
certificates and EAP/802.1X with a 3Com switch and IAS. One
client, same scenario, is not getting a successful authentication.
I don't see anything I've been able to identify as bad in the
IASSAM or RASTLS traces. Also, there is nothing logged in the IAS
or system event logs. I see a UDP Access-Request packet going
from the client to IAS.. and an unknown RPC message type being
returned.

The strange thing with this client is that it had similar
authentication results when EAP was first implemented, and after
removing (revoking) its certificate and reissuing a new machine
certificate it successfully authenticated. After a few days, the
event log shows that it successfully authenticated this morning,
but at some point (it may have been rebooted) it came to be in its
current state.

snip <


Hi Joe --

I forwarded your question to the product team, and this is the
response I received:

"In order to get the full picture, we need to see the full set of
logs from the IAS server as well as netsh trace logs from the
client. It appears that the IAS server is responding with the
intention to use EAP-TLS, but then immediately resets (in the same
millisecond). It is possible that the client sent a negotiation for
an unsupported EAP method which was discarded silently. At any
rate, it appears to be a client-side issue especially since other
clients are authenticating successfully. Please request netsh logs
from the failing client as well."

So please email your logs to me at wsdocs@xxxxxxxxxxxxx and I will
forward them to the appropriate folks for analysis.

Thanks --




Another team member added the following info: "...something is
happening over time to that certificate that renders it unusable. It
might be some sort of unhealthy growth in the Radius packet. Not
sure. Modifying the framed MTU might help in this issue. Lowering it
a little bit might just do the trick."

For information on changing the framed MTU, see the IAS Operations
Guide at
http://www.microsoft.com/downloads/details.aspx?FamilyID=27c432bf-5ed0-4763-8909-36e7c310ae3c&displaylang=en


--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.



OK thanks Joe. I'll get back to you.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
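
The thread turns on whether EAP payloads exceed the framed MTU (set to 1340 above). As an added example, not part of the thread or of any Microsoft tooling, this parser reads one RADIUS UDP payload and reports the Framed-MTU attribute, the reassembled EAP-Message size and the EAP-TLS "more fragments" flag, so a capture can be checked against the configured value. The sample packet and the helper names are constructed for illustration.

```python
import struct

FRAMED_MTU, EAP_MESSAGE = 12, 79          # RADIUS attribute types (RFC 2865, RFC 3579)
EAP_TYPE_TLS = 13                          # EAP-TLS method type (RFC 5216)

def parse_radius(pkt: bytes) -> dict:
    """Return size-related fields of one RADIUS packet (UDP payload)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length field")
    info = {"code": code, "radius_len": length, "framed_mtu": None}
    eap, pos = b"", 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = pkt[pos], pkt[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = pkt[pos + 2:pos + a_len]
        if a_type == FRAMED_MTU and len(value) == 4:
            info["framed_mtu"] = struct.unpack("!I", value)[0]
        elif a_type == EAP_MESSAGE:
            eap += value                   # EAP is split across 253-byte attributes
        pos += a_len
    info["eap_len"] = len(eap)
    info["tls_more_fragments"] = None      # stays None when the payload is not EAP-TLS
    if len(eap) >= 6 and eap[0] in (1, 2) and eap[4] == EAP_TYPE_TLS:
        info["tls_more_fragments"] = bool(eap[5] & 0x40)  # M bit of the flags byte
    return info

def exceeds(info: dict, limit: int) -> bool:
    """True when the reassembled EAP payload is larger than the given limit."""
    return info["eap_len"] > limit

def attr(a_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute (type, length, value)."""
    return bytes([a_type, len(value) + 2]) + value

# Constructed sample: Access-Request (code 1) carrying a 300-byte EAP-TLS response
eap = struct.pack("!BBHBB", 2, 7, 300, EAP_TYPE_TLS, 0x40) + b"\x16" * 294
attrs = attr(FRAMED_MTU, struct.pack("!I", 1340))
attrs += attr(EAP_MESSAGE, eap[:253]) + attr(EAP_MESSAGE, eap[253:])
SAMPLE = struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(parse_radius(SAMPLE), exceeds(parse_radius(SAMPLE), 1340))
```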