Trying to do EAP-TLS, and going nowhere fast.
- From: ostiguy@xxxxxxxxx
- Date: 29 Jan 2007 12:33:12 -0800
Running IAS on a win2k3 DC. Wireless access point is a Cisco 1242AG.
The host is XP SP2, with registry settings so that only computer
certs are being checked. Host is in an OU that gets certs autoenrolled.
Host has a cert. DC has a cert.
The problem: the host attempts to authenticate forever.
IAS: no IAS logs at all, even though all settings are cranked up.
Nothing in the system event log, other than service restarts, and when
I had the shared key mismatch.
IASRAD.log:
[6208] 01-29 15:20:09:176: message authenticator Attribute added to out-bound RADIUS packet
[6208] 01-29 15:20:09:176: Message Authenticator Attribute set in out UDP buffer
These get thrown constantly when the host is attempting to
authenticate - about every second.
This is all that is thrown when the service restarts:
[8128] 01-29 14:40:33:417: Suspending Radius component...
[8128] 01-29 14:40:33:417: Worker thread active:2
[7532] 01-29 14:40:33:417: Worker Thread exiting as packet processing is not enabled
[3844] 01-29 14:40:33:449: Worker Thread exiting as packet processing is not enabled
[8128] 01-29 14:40:33:480: Radius component suspended.
[8128] 01-29 14:40:33:480: Shutting down Radius Component...
[8128] 01-29 14:40:33:480: Radius component shutdown completed
[7220] 01-29 14:40:39:245: Initializing Radius component....
[7072] 01-29 14:40:39:245: Resolved Client:192.168.10.99, to IP address:3232238179l
[7220] 01-29 14:40:39:245: Radius component initialized.
[7220] 01-29 14:40:39:245: Suspending Radius component...
[2976] 01-29 14:40:39:245: Worker Thread exiting as packet processing is not enabled
[7220] 01-29 14:40:39:245: Worker thread active:2
[7072] 01-29 14:40:39:245: Worker Thread exiting as packet processing is not enabled
[7220] 01-29 14:40:39:308: Radius component suspended.
[7220] 01-29 14:40:39:370: Resuming Radius component...
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1812
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1645
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1813
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1646
[7220] 01-29 14:40:39:370: Radius componend resumed.
IASSAM.LOG:
[7072] 01-29 15:27:35:764: NT-SAM Names handler received request with user identity host/99yfhz0.TA.onaro.com.
[7072] 01-29 15:27:35:796: Successfully cracked username.
[7072] 01-29 15:27:35:796: SAM-Account-Name is "DOMAIN\HOSTNAME$".
[7072] 01-29 15:27:35:796: NT-SAM Authentication handler received request for DOMAIN\HOSTNAME$
[7072] 01-29 15:27:35:796: Validating Windows account DOMAIN\HOSTNAME$.
[7072] 01-29 15:27:35:796: Sending LDAP search to dc.domain.org
[7072] 01-29 15:27:35:796: Successfully validated windows account.
[7072] 01-29 15:27:35:796: Allowed EAP type: 13
[7072] 01-29 15:27:35:796: Setting max. packet length to 1396.
[7072] 01-29 15:27:35:796: Processing output from EAP DLL.
[7072] 01-29 15:27:35:796: EAPACTION_Send
[7072] 01-29 15:27:35:796: Inserting outbound EAP-Message of length 6.
[7072] 01-29 15:27:35:796: Issuing Access-Challenge.
[7072] 01-29 15:27:35:796: Saving the response
[6208] 01-29 15:27:35:811: Successfully retrieved existing session
[6208] 01-29 15:27:35:811: Injecting the profile
[6208] 01-29 15:27:35:811: Processing output from EAP DLL.
[6208] 01-29 15:27:35:811: EAPACTION_Send
[6208] 01-29 15:27:35:811: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:35:811: Issuing Access-Challenge.
[6208] 01-29 15:27:35:811: Saving the response
[7072] 01-29 15:27:36:717: Successfully retrieved existing session
[7072] 01-29 15:27:36:717: Injecting the profile
[7072] 01-29 15:27:36:717: Processing output from EAP DLL.
[7072] 01-29 15:27:36:717: EAPACTION_Send
[7072] 01-29 15:27:36:717: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:36:717: Issuing Access-Challenge.
[7072] 01-29 15:27:36:717: Saving the response
[6208] 01-29 15:27:37:827: Successfully retrieved existing session
[6208] 01-29 15:27:37:827: Injecting the profile
[6208] 01-29 15:27:37:827: Processing output from EAP DLL.
[6208] 01-29 15:27:37:827: EAPACTION_Send
[6208] 01-29 15:27:37:827: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:37:827: Issuing Access-Challenge.
[6208] 01-29 15:27:37:827: Saving the response
[7072] 01-29 15:27:39:452: Successfully retrieved existing session
[7072] 01-29 15:27:39:452: Injecting the profile
[7072] 01-29 15:27:39:452: Processing output from EAP DLL.
[7072] 01-29 15:27:39:452: EAPACTION_Send
[7072] 01-29 15:27:39:452: Inserting outbound EAP-Message of length 659.
[7072] 01-29 15:27:39:452: Issuing Access-Challenge.
[7072] 01-29 15:27:39:452: Saving the response
That sequence gets repeated, about every 15 seconds.
The packet captures correlate: the AP sends some RADIUS packets to
the IAS. The IAS spews back some info, that seems to contain the
details of all the trusted root and intermediate cert authorities the
DC knows of. The AP retries. The IAS box spews back. Two ships
passing at sea.
Any thoughts would be appreciated.
ostiguy
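Added example, not part of the original post: a small Python script that reads IASSAM.LOG lines of the shape quoted above, groups them into EAP rounds (one per identity request), and flags identities whose round keeps restarting without ever reaching an outcome, which is exactly the "two ships passing" loop described. The sample log is constructed with placeholder hostnames, the "Issuing Access-Accept." wording is assumed rather than taken from the post, and the script expects each log line unwrapped on one line.

```python
import re

# Constructed IASSAM.LOG excerpt modelled on the post's lines; hostnames are
# placeholders and "Issuing Access-Accept." is an assumed IAS wording.
SAMPLE_LOG = """\
[7072] 01-29 15:27:35:764: NT-SAM Names handler received request with user identity host/PC1.example.com.
[7072] 01-29 15:27:35:796: Inserting outbound EAP-Message of length 6.
[6208] 01-29 15:27:35:811: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:36:717: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:37:827: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:39:452: Inserting outbound EAP-Message of length 659.
[7072] 01-29 15:27:54:101: NT-SAM Names handler received request with user identity host/PC1.example.com.
[7072] 01-29 15:27:54:132: Inserting outbound EAP-Message of length 6.
[6208] 01-29 15:27:54:148: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:55:054: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:56:164: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:57:789: Inserting outbound EAP-Message of length 659.
[7072] 01-29 15:28:02:000: NT-SAM Names handler received request with user identity host/PC2.example.com.
[7072] 01-29 15:28:02:031: Inserting outbound EAP-Message of length 6.
[7072] 01-29 15:28:03:215: Issuing Access-Accept.
"""

START_RE = re.compile(r"user identity (\S+?)\.?$")   # trailing "." is log punctuation
LEN_RE = re.compile(r"outbound EAP-Message of length (\d+)\.")

def parse_rounds(log_text):
    """One round per identity request, with every server fragment size until Accept/Reject."""
    rounds, cur = [], None
    for line in log_text.splitlines():
        if s := START_RE.search(line):
            cur = {"identity": s.group(1), "fragments": [], "outcome": None}
            rounds.append(cur)
        elif cur and (l := LEN_RE.search(line)):
            cur["fragments"].append(int(l.group(1)))
        elif cur and "Issuing Access-" in line and "Challenge" not in line:
            cur["outcome"] = line.split("Issuing Access-")[1].rstrip(".")
    return rounds

def find_stalled(rounds, min_rounds=2):
    """Identities whose round restarted min_rounds+ times and never reached an
    outcome: the server keeps re-sending its fragmented certificate flight."""
    by_id = {}
    for r in rounds:
        by_id.setdefault(r["identity"], []).append(r)
    stalled = {}
    for ident, rs in by_id.items():
        if len(rs) >= min_rounds and all(r["outcome"] is None for r in rs):
            stalled[ident] = {"rounds": len(rs), "fragments": len(rs[-1]["fragments"]),
                              "bytes": sum(rs[-1]["fragments"])}
    return stalled
```

On the sample, PC1 is reported with two identical rounds of five fragments (about 4.8 KB of server handshake per round, matching the 1396-byte max packet length), while PC2, which reaches Access-Accept, is not.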