RE: 802.1x Authentication Fails



Charlie <Charlie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:A5F4C969-BD80-40EE-9400-43A9CD75C323@xxxxxxxxxxxxx:

More Details:

The domain laptops like the one shown in this post have their wireless
configurations pushed to them via a GPO from the domain.


"Charlie" wrote:

Greetings,

I have a network that consists of:

ServerA (Win2k3 sp1, DC)
ServerB (Win2k3 sp1, IAS)

IAS has been running ok for about 1 year, properly authenticating
domain users using PEAP (not EAP-TLS). Recently users have been
unable to get access to the wireless network. From the System event
log, here is a representative set of entries showing the failure
event(s):

Access request for user DOMAIN\testuser was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.4.5
NAS-Identifier = R042-00535
Called-Station-Identifier = 00-03-52-EB-25-70
Calling-Station-Identifier = 00-04-23-7F-48-3F
Client-Friendly-Name = CN3200
Client-IP-Address = 192.168.4.5
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 6
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the session
timed out.

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 20191
Date: 10/1/2006
Time: 10:10:38 AM
User: N/A
Computer: ServerB
Description:
Because the certificate that was configured for clients dialing in
with EAP-TLS was not found, a default certificate is being sent to
user domain\serverb$. Please go to the user's Remote Access Policy
and configure the Extensible Authentication Protocol (EAP).

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 20168
Date: 10/1/2006
Time: 10:10:38 AM
User: N/A
Computer: SERVERB
Description:
Could not retrieve the Remote Access Server's certificate due to the
following error: Cannot find object or property.


Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 10/1/2006
Time: 10:10:38 AM
User: N/A
Computer: SERVERB
Description:
Access request for user host/serverb.domain.org was discarded.
Fully-Qualified-User-Name = domain.org/Domain Laptops/testlaptop
NAS-IP-Address = 192.168.4.5
NAS-Identifier = R042-00535
Called-Station-Identifier = 00-03-52-EB-25-70
Calling-Station-Identifier = 00-04-23-7F-48-3F
Client-Friendly-Name = CN3200
Client-IP-Address = 192.168.4.5
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 6
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client
configuration.


In addition, I set up tracing using "netsh ras set tracing * enabled"
and checked the tracing logs. Here is a sample of the entries there:


IASSAM.LOG
[4604] 10-01 10:20:18:058: Creating EAP session
[4604] 10-01 10:20:18:058: NT-SAM Names handler received request with user identity host/testlaptop.domain.org.
[4604] 10-01 10:20:18:058: Successfully cracked username.
[4604] 10-01 10:20:18:058: SAM-Account-Name is " DOMAIN\TESTLAPTOP$".
[4604] 10-01 10:20:18:058: NT-SAM Authentication handler received request for DOMAIN\TESTLAPTOP$.
[4604] 10-01 10:20:18:058: Validating Windows account DOMAIN\TESTLAPTOP$.
[4604] 10-01 10:20:18:058: Sending LDAP search to alnilan.northern-star.org.
[4604] 10-01 10:20:18:058: Successfully validated windows account.
[4604] 10-01 10:20:18:058: NT-SAM User Authorization handler received request for NORTHERN-STAR\ALDEBARAN$.
[4604] 10-01 10:20:18:058: Using downlevel dial-in parameters.
[4604] 10-01 10:20:18:058: Sending LDAP search to alnilan.northern-star.org.
[4604] 10-01 10:20:18:058: Inserting attribute msNPAllowDialin.
[4604] 10-01 10:20:18:058: Successfully retrieved per-user attributes.
[4604] 10-01 10:20:18:058: Allowed EAP type: 25
[4604] 10-01 10:20:18:058: Setting max. packet length to 1492.
[4604] 10-01 10:20:18:074: RasEapMakeMessage failed: Cannot find object or property.
[4604] 10-01 10:20:18:074: Caught COM exception: Cannot find object or property.
[4068] 10-01 10:20:20:027: Session timed out

RASTLS.LOG
[4604] 10:20:18:058: EapPeapBegin
[4604] 10:20:18:058: PeapReadUserData
[4604] 10:20:18:058:
[4604] 10:20:18:058: EapTlsBegin(DOMAIN\TESTLAPTOP$)
[4604] 10:20:18:058: SetupMachineChangeNotification
[4604] 10:20:18:058: State change to Initial
[4604] 10:20:18:058: EapTlsBegin: Detected PEAP authentication
[4604] 10:20:18:058: MaxTLSMessageLength is now 16384
[4604] 10:20:18:058: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[4604] 10:20:18:058: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[4604] 10:20:18:058: The root cert will not be checked for revocation
[4604] 10:20:18:058: The cert will be checked for revocation
[4604] 10:20:18:058: EapPeapBegin done
[4604] 10:20:18:058: EapPeapMakeMessage
[4604] 10:20:18:058: EapPeapSMakeMessage
[4604] 10:20:18:058: PEAP:PEAP_STATE_INITIAL
[4604] 10:20:18:058: EapTlsSMakeMessage
[4604] 10:20:18:058: EapTlsReset
[4604] 10:20:18:058: State change to Initial
[4604] 10:20:18:058: GetCredentials
[4604] 10:20:18:058: Flag is Server and Store is local Machine
[4604] 10:20:18:058: GetCachedCredentials Flags = 0x4061
[4604] 10:20:18:074: Configured Certificate is archived most likely
because of autoenrollment. Going after the default cert
[4604] 10:20:18:074: GetCachedCredentials Flags = 0x4061
[4604] 10:20:18:074: GetDefaultMachineCert
[4604] 10:20:18:074: FCheckUsage
[4604] 10:20:18:074: FGetEKUUsage
[4604] 10:20:18:074: FCheckTimeValidity
[4604] 10:20:18:074: Non Time Valid Certificate was encountered
[4604] 10:20:18:074: FCheckUsage
[4604] 10:20:18:074: FGetEKUUsage
[4604] 10:20:18:074: FCheckUsage
[4604] 10:20:18:074: FGetEKUUsage
[4604] 10:20:18:074: No default machine certificates could be found
[4604] 10:20:18:074: EapPeapSMakeMessage done
[4604] 10:20:18:074: EapPeapMakeMessage done
[4604] 10:20:18:074: EapPeapEnd
[4604] 10:20:18:074: EapTlsEnd
[4604] 10:20:18:074: EapTlsEnd(domain\testlaptop$)
[4604] 10:20:18:074: EapPeapEnd done

Could anyone please advise as to how this might have come to pass and
how I can resolve it?

Thanks


Hi again Charlie --

I queried the product team about this and they feel the server certificate
has expired, which is causing the problem that the clients cannot
authenticate the IAS server during PEAP authentication. Here are comments
from the team:

Looking at all the errors below, it seems that IAS server's certificate is
expired and was archived. I'd suggest deleting the (expired/archived) IAS
server certificate and getting a new one.

Error in IASSAM.LOG:
[4604] 10-01 10:20:18:074: RasEapMakeMessage failed: Cannot find object or
property.

Error in RASTLS.log:
[4604] 10:20:18:074: Configured Certificate is archived most likely because
of autoenrollment. Going after the default cert

Errors in event viewer:
Computer: ServerB
Description:
Because the certificate that was configured for clients dialing in with
EAP-TLS was not found, a default certificate is being sent to user
domain\serverb$. Please go to the user's Remote Access Policy and configure
the Extensible Authentication Protocol (EAP).

Computer: SERVERB
Description:
Could not retrieve the Remote Access Server's certificate due to the
following error: Cannot find object or property.

Also see this KB:
822406 Clients Cannot Authenticate with a Server After You Obtain a New
Certificate to Replace an Expired Certificate on the Server

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
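As an added example (not code from the thread, from Microsoft, or from IAS itself), the following Python scan pulls the certificate-failure signatures the product team points to out of RASTLS.LOG-style trace output, so an administrator can tell an archived or expired server certificate apart from a client or policy problem before opening the certificate store. The sample log is constructed from the excerpt in the post; the signature strings are the literal messages shown there.

```python
import re
from collections import Counter
# One trace entry: "[thread] HH:MM:SS:mmm: message"
ENTRY = re.compile(r"^\[(?P<tid>\d+)\]\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3}):\s*(?P<msg>.*)$")

# Message fragments that together point at a missing, expired or archived
# server certificate rather than a client-side or policy problem.
SIGNATURES = {
    "archived": "Configured Certificate is archived",
    "expired": "Non Time Valid Certificate was encountered",
    "no_default": "No default machine certificates could be found",
    "revocation_enforced": "will not be ignored",
}

def parse_entries(log_text):
    """Yield (tid, time, msg) for each well-formed trace line; skip the rest."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("tid"), m.group("time"), m.group("msg")

def diagnose(log_text):
    """Count signature hits and return (hits, verdict)."""
    hits = Counter()
    for _tid, _time, msg in parse_entries(log_text):
        for name, needle in SIGNATURES.items():
            if needle in msg:
                hits[name] += 1
    if hits["archived"] and hits["no_default"]:
        verdict = "server certificate archived/expired: renew the IAS server cert"
    elif hits["expired"]:
        verdict = "non-time-valid certificate seen: check validity dates"
    else:
        verdict = "no certificate-failure signature found"
    return dict(hits), verdict

# Constructed sample modelled on the RASTLS.LOG excerpt in the post.
SAMPLE_LOG = """\
[4604] 10:20:18:058: EapTlsBegin(DOMAIN\\TESTLAPTOP$)
[4604] 10:20:18:058: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[4604] 10:20:18:058: GetCredentials
[4604] 10:20:18:074: Configured Certificate is archived most likely because of autoenrollment. Going after the default cert
[4604] 10:20:18:074: GetDefaultMachineCert
[4604] 10:20:18:074: Non Time Valid Certificate was encountered
[4604] 10:20:18:074: No default machine certificates could be found
[4604] 10:20:18:074: EapTlsEnd
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run it against the real RASTLS.LOG from %windir%\tracing after enabling tracing as the post describes; a verdict of "archived/expired" matches the condition KB 822406 addresses.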