RE: 802.1x Authentication Fails



More Details:

The domain laptops like the one shown in this post have their wireless
configurations pushed to them via a GPO from the domain.


"Charlie" wrote:

Greetings,

I have a network that consists of:

ServerA (Win2k3 sp1, DC)
ServerB (Win2k3 sp1, IAS)

IAS has been running ok for about 1 year, properly authenticating domain
users using PEAP (not EAP-TLS). Recently users have been unable to get access
to the wireless network. From the System event log, here is a representative
set of entries showing the failure event(s):

Access request for user DOMAIN\testuser was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.4.5
NAS-Identifier = R042-00535
Called-Station-Identifier = 00-03-52-EB-25-70
Calling-Station-Identifier = 00-04-23-7F-48-3F
Client-Friendly-Name = CN3200
Client-IP-Address = 192.168.4.5
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 6
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the session
timed out.

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 20191
Date: 10/1/2006
Time: 10:10:38 AM
User: N/A
Computer: ServerB
Description:
Because the certificate that was configured for clients dialing in with
EAP-TLS was not found, a default certificate is being sent to user
domain\serverb$. Please go to the user's Remote Access Policy and configure
the Extensible Authentication Protocol (EAP).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 20168
Date: 10/1/2006
Time: 10:10:38 AM
User: N/A
Computer: SERVERB
Description:
Could not retrieve the Remote Access Server's certificate due to the
following error: Cannot find object or property.


Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 10/1/2006
Time: 10:10:38 AM
User: N/A
Computer: SERVERB
Description:
Access request for user host/serverb.domain.org was discarded.
Fully-Qualified-User-Name = domain.org/Domain Laptops/testlaptop
NAS-IP-Address = 192.168.4.5
NAS-Identifier = R042-00535
Called-Station-Identifier = 00-03-52-EB-25-70
Calling-Station-Identifier = 00-04-23-7F-48-3F
Client-Friendly-Name = CN3200
Client-IP-Address = 192.168.4.5
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 6
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.


In addition, I set up tracing using "netsh ras set tracing * enabled" and
checked the tracing logs. Here is a sample of the entries there:


IASSAM.LOG
[4604] 10-01 10:20:18:058: Creating EAP session
[4604] 10-01 10:20:18:058: NT-SAM Names handler received request with user
identity host/testlaptop.domain.org.
[4604] 10-01 10:20:18:058: Successfully cracked username.
[4604] 10-01 10:20:18:058: SAM-Account-Name is " DOMAIN\TESTLAPTOP$".
[4604] 10-01 10:20:18:058: NT-SAM Authentication handler received request
for DOMAIN\TESTLAPTOP$.
[4604] 10-01 10:20:18:058: Validating Windows account DOMAIN\TESTLAPTOP$.
[4604] 10-01 10:20:18:058: Sending LDAP search to alnilan.northern-star.org.
[4604] 10-01 10:20:18:058: Successfully validated windows account.
[4604] 10-01 10:20:18:058: NT-SAM User Authorization handler received
request for NORTHERN-STAR\ALDEBARAN$.
[4604] 10-01 10:20:18:058: Using downlevel dial-in parameters.
[4604] 10-01 10:20:18:058: Sending LDAP search to alnilan.northern-star.org.
[4604] 10-01 10:20:18:058: Inserting attribute msNPAllowDialin.
[4604] 10-01 10:20:18:058: Successfully retrieved per-user attributes.
[4604] 10-01 10:20:18:058: Allowed EAP type: 25
[4604] 10-01 10:20:18:058: Setting max. packet length to 1492.
[4604] 10-01 10:20:18:074: RasEapMakeMessage failed: Cannot find object or
property.
[4604] 10-01 10:20:18:074: Caught COM exception: Cannot find object or
property.
[4068] 10-01 10:20:20:027: Session timed out

RASTLS.LOG
[4604] 10:20:18:058: EapPeapBegin
[4604] 10:20:18:058: PeapReadUserData
[4604] 10:20:18:058:
[4604] 10:20:18:058: EapTlsBegin(DOMAIN\TESTLAPTOP$)
[4604] 10:20:18:058: SetupMachineChangeNotification
[4604] 10:20:18:058: State change to Initial
[4604] 10:20:18:058: EapTlsBegin: Detected PEAP authentication
[4604] 10:20:18:058: MaxTLSMessageLength is now 16384
[4604] 10:20:18:058: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[4604] 10:20:18:058: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[4604] 10:20:18:058: The root cert will not be checked for revocation
[4604] 10:20:18:058: The cert will be checked for revocation
[4604] 10:20:18:058: EapPeapBegin done
[4604] 10:20:18:058: EapPeapMakeMessage
[4604] 10:20:18:058: EapPeapSMakeMessage
[4604] 10:20:18:058: PEAP:PEAP_STATE_INITIAL
[4604] 10:20:18:058: EapTlsSMakeMessage
[4604] 10:20:18:058: EapTlsReset
[4604] 10:20:18:058: State change to Initial
[4604] 10:20:18:058: GetCredentials
[4604] 10:20:18:058: Flag is Server and Store is local Machine
[4604] 10:20:18:058: GetCachedCredentials Flags = 0x4061
[4604] 10:20:18:074: Configured Certificate is archived most likely because
of autoenrollment. Going after the default cert
[4604] 10:20:18:074: GetCachedCredentials Flags = 0x4061
[4604] 10:20:18:074: GetDefaultMachineCert
[4604] 10:20:18:074: FCheckUsage
[4604] 10:20:18:074: FGetEKUUsage
[4604] 10:20:18:074: FCheckTimeValidity
[4604] 10:20:18:074: Non Time Valid Certificate was encountered
[4604] 10:20:18:074: FCheckUsage
[4604] 10:20:18:074: FGetEKUUsage
[4604] 10:20:18:074: FCheckUsage
[4604] 10:20:18:074: FGetEKUUsage
[4604] 10:20:18:074: No default machine certificates could be found
[4604] 10:20:18:074: EapPeapSMakeMessage done
[4604] 10:20:18:074: EapPeapMakeMessage done
[4604] 10:20:18:074: EapPeapEnd
[4604] 10:20:18:074: EapTlsEnd
[4604] 10:20:18:074: EapTlsEnd(domain\testlaptop$)
[4604] 10:20:18:074: EapPeapEnd done

Could anyone please advise as to how this might have come to pass and how I
can resolve it?

Thanks
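The RASTLS.LOG entries above show IAS walking the LocalMachine\My store (configured cert archived by autoenrollment, then FCheckUsage/FGetEKUUsage/FCheckTimeValidity rejecting the candidates) and finding nothing usable. The following script is an added example, not part of the original thread, that reproduces those checks from an administrator's console so the cause can be confirmed before touching the Remote Access Policy. It assumes PowerShell 3 or later running elevated on the IAS/NPS host; the property names and OIDs are the standard .NET X509 ones.

```powershell
# Added example (not from the original post): list every certificate in the
# IAS server's LocalMachine\My store, including archived ones, and show which
# would survive the checks RASTLS.LOG reports (not archived, private key present,
# Server Authentication EKU, inside its validity window).
Add-Type -AssemblyName System.Security

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ekuExtOid     = '2.5.29.37'           # Enhanced Key Usage extension

# IncludeArchived is what makes the autoenrollment-archived cert visible;
# Get-ChildItem Cert:\ would silently hide it.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
         [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open($flags)

$now = Get-Date
$report = foreach ($cert in $store.Certificates) {
    # Strict check: a cert with no EKU extension is treated as not usable here.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }
    $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Archived      = $cert.Archived        # the "archived" cert from RASTLS.LOG shows True here
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEKU = $hasServerAuth
        TimeValid     = $timeValid            # False is the "Non Time Valid Certificate" case
        UsableForPEAP = (-not $cert.Archived) -and $cert.HasPrivateKey -and $hasServerAuth -and $timeValid
    }
}
$store.Close()

$report | Sort-Object NotAfter -Descending | Format-Table -AutoSize
if (-not ($report | Where-Object UsableForPEAP)) {
    Write-Warning 'No non-archived, time-valid Server Authentication certificate with a private key was found; PEAP will fail exactly as RASTLS.LOG shows.'
}
```

If the table shows only an archived certificate and an expired replacement, the fix is on the certificate side (a fresh machine certificate with the Server Authentication EKU, then re-selecting it under the policy's EAP settings), not on the RADIUS client or shared secret.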


