Re: 802.1x Authentication fails after FW upgrade



Never mind, we got an update from HP (debug release) which resolved the
issue.
We still don't know why 2.1.5 didn't work though.

"Johan Rydin" <j_rydin@xxxxxxxxxxx> wrote in message
news:e%23u2Yn55GHA.2208@xxxxxxxxxxxxxxxxxxxxxxx
Hi!

We have a wireless network with HP 420 Access Points. We're using PEAP
with computer certificates and clients are controlled by group policies.
Everything was working fine until I updated the firmware to 2.1.5. The
computers would not authenticate and I received the following error in the
event log.

Access request for user host/xxxx.domain.com was discarded.
Fully-Qualified-User-Name = domain.com/OU/OU/XXXX
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Identifier = MYHPAP
Called-Station-Identifier = 001234567890
Calling-Station-Identifier = 002345678901
Client-Friendly-Name = MYHPAP
Client-IP-Address = xxx.xxx.xxx.xxx
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 97
Reason = The authentication request was not processed because it contained
a Remote Authentication Dial-In User Service (RADIUS) message that was not
appropriate for the secure authentication transaction.

If I roll back to the previous firmware (2.1.2) it's working fine again,
however there are some new fixes and features in the new FW that I would
like to use.

The changelog specifies the following:
Authentication - An extra 8-byte data pad exists within first EAPOL Key
packet from the access point to a client during a WPA 4-way key exchange
process. (18-01177)

This is the most likely change to cause the problem.

Has anyone experienced the same problem, or does anyone know how to resolve it?


Best regards,
Johan Rydin
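
The changelog entry quoted above mentions an extra 8-byte data pad in the first EAPOL-Key packet of the WPA 4-way key exchange. As an added example (not part of the original posts and not HP's code), this Python check parses an EAPOL-Key frame from a capture and reports any bytes its length fields do not account for. It assumes the IEEE 802.11i EAPOL-Key descriptor layout; the function names are hypothetical and the sample frames are constructed.

```python
import struct

# EAPOL-Key body layout (IEEE 802.11i): descriptor type, key info, key length,
# replay counter, nonce, IV, RSC, key ID/reserved, MIC, key data length.
KEY_FIXED = struct.Struct("!BHHQ32s16s8s8s16sH")   # 95 bytes
EAPOL_HDR = struct.Struct("!BBH")                  # version, type, body length
EAPOL_TYPE_KEY = 3


def check_eapol_key(frame: bytes) -> dict:
    """Parse one EAPOL-Key frame; report bytes the length fields do not cover."""
    if len(frame) < EAPOL_HDR.size + KEY_FIXED.size:
        raise ValueError("frame too short for an EAPOL-Key message")
    version, ptype, body_len = EAPOL_HDR.unpack_from(frame, 0)
    if ptype != EAPOL_TYPE_KEY:
        raise ValueError(f"not an EAPOL-Key frame (type {ptype})")
    if len(frame) < EAPOL_HDR.size + body_len:
        raise ValueError("capture is shorter than the declared EAPOL body")
    fields = KEY_FIXED.unpack_from(frame, EAPOL_HDR.size)
    descriptor, key_info, key_data_len = fields[0], fields[1], fields[-1]
    if body_len < KEY_FIXED.size + key_data_len:
        raise ValueError("Key Data Length exceeds the EAPOL body length")
    return {
        "descriptor": descriptor,              # 254 = WPA, 2 = RSN (WPA2)
        "key_ack": bool(key_info & 0x0080),
        "key_mic": bool(key_info & 0x0100),
        "key_data_len": key_data_len,
        # bytes inside the EAPOL body but after the declared key data
        "pad_in_body": body_len - KEY_FIXED.size - key_data_len,
        # bytes after the end of the EAPOL body (e.g. link-layer padding)
        "trailing": len(frame) - EAPOL_HDR.size - body_len,
    }


def build_msg1(pad: int = 0) -> bytes:
    """Constructed sample: WPA message 1 of the 4-way handshake, no key data."""
    body = KEY_FIXED.pack(254, 0x0089, 32, 1, b"\xaa" * 32, bytes(16), bytes(8),
                          bytes(8), bytes(16), 0) + bytes(pad)
    return EAPOL_HDR.pack(1, EAPOL_TYPE_KEY, len(body)) + body


if __name__ == "__main__":
    for label, frame in (("clean", build_msg1()), ("padded", build_msg1(8))):
        print(label, check_eapol_key(frame))
```

Running the check on message 1 as captured under each firmware version shows whether the frame length and the declared Key Data Length agree.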


