Re: EAP Failure when trying to submit user credentials to IAS on W2k3 over TLS through PEAP -MSCHAPv2
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 04 Jan 2007 13:56:33 -0800
"Novice" <selvaganeshv@xxxxxxxxx> wrote in
news:1166446538.163680.13850@xxxxxxxxxxxxxxxxxxxxxxxxxxx:
Hi,
We are trying out an implementation of PEAP-MSCHAPv2 (password) with
the TLS implementation of OpenSSL 0.9.7a. The client runs on a Linux box
and the IAS server runs on a W2K3 SP1 machine.
We are able to successfully establish the TLS session and proceed with
phase 2 of PEAP by sending a blank PEAP message, to which the server
responds with a PEAP Identity challenge request; the client responds
with a PEAP Identity response, the server returns a PEAP Identity
response challenge, and the client responds with a PEAP EAP Identity
challenge response. The server then returns an EAP failure with the
MSCHAPv2 error string E=691,R=1...
We are passing a valid user name (we tried with and without the domain
name) and a valid MD4 hash of the password, complying with the MSCHAPv2 RFC.
Is there any way to diagnose the cause of the authentication failure on
the server (bad username, bad hash of the password, permission issues,
etc.)?
The IAS logs don't say anything more than just "Authenticate user".
We have set the "Allow LM authentication" flag in the registry to zero (0).
The Linux machine is not part of the domain for which the W2K3 machine
is the PDC.
Can anybody throw some light on what we might be missing?
PEAP provides mutual authentication, which means that the client computer
must have the CA certificate in the Trusted Root Certification Authorities
certificate store on client computers -- I don't know whether this
certificate store exists on Linux clients. If it does, though, the CA
certificate must be there in order for the client to trust the IAS server
certificate that IAS sends to the client as proof of identity.
Domain member Windows clients receive this CA certificate automatically
when Group Policy is refreshed. For non-domain members, the certificate
must be added to each client computer manually, either by using the CA Web
enrollment tool and requesting the cert or by importing the cert from
floppy or CD.
For more information, see the topic "Network access authentication and
certificates" in Windows Server 2003 IAS or VPN Help, or on the web at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9d8b61c9-a870-4627-a8f2-148625fd7fba.mspx.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.