Re: Trying to do EAP-TLS, and going nowhere fast.



On Jan 31, 3:00 pm, "James McIllece [MS]"
<james...@xxxxxxxxxxxxxxxxxxxx> wrote:
osti...@xxxxxxxxx wrote in news:1170102792.356701.26740@xxxxxxxxxxxxxxxxxxxxxxxxxxx:



Running IAS on a Win2k3 DC. Wireless access point is a Cisco 1242AG.
The host is XP SP2, with registry settings so that only computer
certs are being checked. Host is in an OU that gets certs autoenrolled.
Host has a cert. DC has a cert.

The problem: the host attempts to authenticate forever.

IAS: no IAS logs at all, even though all settings are cranked up.
Nothing in the system event log, other than service restarts, and when
I had the shared key mismatch.

IASRAD.log:
[6208] 01-29 15:20:09:176: message authenticator Attribute added to out-bound RADIUS packet
[6208] 01-29 15:20:09:176: Message Authenticator Attribute set in out UDP buffer

These get thrown constantly when the host is attempting to
authenticate - about every second.

This is all that is thrown when the service restarts:

[8128] 01-29 14:40:33:417: Suspending Radius component...
[8128] 01-29 14:40:33:417: Worker thread active:2
[7532] 01-29 14:40:33:417: Worker Thread exiting as packet processing is not enabled
[3844] 01-29 14:40:33:449: Worker Thread exiting as packet processing is not enabled
[8128] 01-29 14:40:33:480: Radius component suspended.
[8128] 01-29 14:40:33:480: Shutting down Radius Component...
[8128] 01-29 14:40:33:480: Radius component shutdown completed
[7220] 01-29 14:40:39:245: Initializing Radius component....
[7072] 01-29 14:40:39:245: Resolved Client:192.168.10.99, to IP address:3232238179l
[7220] 01-29 14:40:39:245: Radius component initialized.
[7220] 01-29 14:40:39:245: Suspending Radius component...
[2976] 01-29 14:40:39:245: Worker Thread exiting as packet processing is not enabled
[7220] 01-29 14:40:39:245: Worker thread active:2
[7072] 01-29 14:40:39:245: Worker Thread exiting as packet processing is not enabled
[7220] 01-29 14:40:39:308: Radius component suspended.
[7220] 01-29 14:40:39:370: Resuming Radius component...
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1812
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1645
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1813
[7220] 01-29 14:40:39:370: RADIUS Server starting to listen on 0.0.0.0:1646
[7220] 01-29 14:40:39:370: Radius componend resumed.

IASSAM.LOG

[7072] 01-29 15:27:35:764: NT-SAM Names handler received request with user identity host/99yfhz0.TA.onaro.com.
[7072] 01-29 15:27:35:796: Successfully cracked username.
[7072] 01-29 15:27:35:796: SAM-Account-Name is "DOMAIN\HOSTNAME$".
[7072] 01-29 15:27:35:796: NT-SAM Authentication handler received request for DOMAIN\HOSTNAME$
[7072] 01-29 15:27:35:796: Validating Windows account DOMAIN\HOSTNAME$.
[7072] 01-29 15:27:35:796: Sending LDAP search to dc.domain.org
[7072] 01-29 15:27:35:796: Successfully validated windows account.
[7072] 01-29 15:27:35:796: Allowed EAP type: 13
[7072] 01-29 15:27:35:796: Setting max. packet length to 1396.
[7072] 01-29 15:27:35:796: Processing output from EAP DLL.
[7072] 01-29 15:27:35:796: EAPACTION_Send
[7072] 01-29 15:27:35:796: Inserting outbound EAP-Message of length 6.
[7072] 01-29 15:27:35:796: Issuing Access-Challenge.
[7072] 01-29 15:27:35:796: Saving the response
[6208] 01-29 15:27:35:811: Successfully retrieved existing session
[6208] 01-29 15:27:35:811: Injecting the profile
[6208] 01-29 15:27:35:811: Processing output from EAP DLL.
[6208] 01-29 15:27:35:811: EAPACTION_Send
[6208] 01-29 15:27:35:811: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:35:811: Issuing Access-Challenge.
[6208] 01-29 15:27:35:811: Saving the response
[7072] 01-29 15:27:36:717: Successfully retrieved existing session
[7072] 01-29 15:27:36:717: Injecting the profile
[7072] 01-29 15:27:36:717: Processing output from EAP DLL.
[7072] 01-29 15:27:36:717: EAPACTION_Send
[7072] 01-29 15:27:36:717: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:36:717: Issuing Access-Challenge.
[7072] 01-29 15:27:36:717: Saving the response
[6208] 01-29 15:27:37:827: Successfully retrieved existing session
[6208] 01-29 15:27:37:827: Injecting the profile
[6208] 01-29 15:27:37:827: Processing output from EAP DLL.
[6208] 01-29 15:27:37:827: EAPACTION_Send
[6208] 01-29 15:27:37:827: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:37:827: Issuing Access-Challenge.
[6208] 01-29 15:27:37:827: Saving the response
[7072] 01-29 15:27:39:452: Successfully retrieved existing session
[7072] 01-29 15:27:39:452: Injecting the profile
[7072] 01-29 15:27:39:452: Processing output from EAP DLL.
[7072] 01-29 15:27:39:452: EAPACTION_Send
[7072] 01-29 15:27:39:452: Inserting outbound EAP-Message of length 659.
[7072] 01-29 15:27:39:452: Issuing Access-Challenge.
[7072] 01-29 15:27:39:452: Saving the response

That sequence gets repeated, about every 15 seconds.

The packet captures correlate: the AP sends some RADIUS packets to
the IAS. The IAS spews back some info, which seems to contain the
details of all the trusted root and intermediate cert authorities the
DC knows of. The AP retries. The IAS box spews back. Two ships
passing at sea.

Any thoughts would be appreciated.

ostiguy

Hi there --

I pinged the IAS product team about this, and they have provided the
following information/requested the following information.

Please provide the following:

-- netsh tracing logs
-- Netmon packet capture of the traffic
-- logging from the client could be helpful if you are using the built-in
supplicant.
-- Do you have SP1 installed on the server?

One team member also suggested that you can perform a test by disabling
"Validate server certificate" on clients.

If you want to send the requested information to me, I will forward it to
the product team for analysis. You can send the data to wsdocs@-nospam-microsoft.com.

Thanks --

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Did y'all get my email with the attachments to the wsdocs@ address?

My IAS service is capable of authorizations - I was able to set up a
Dell Ethernet switch in conjunction with it, and it will do PEAP MS
CHAP v2 or certs with it vs IAS. It also does not do EAP-TLS (similar
behavior to the Cisco, where requests occur until the device gives up)
- nothing gets logged here in the system log.

Matt
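An added example, not from the thread and not Microsoft's code: a small Python script that turns an IASSAM.LOG excerpt like the one in the original post into per-round summaries: how many EAP-Message fragments IAS sent, their total size, how long between rounds, and a heuristic verdict on where each round stopped. Line layouts are taken from the quoted log; two things are assumed rather than shown in the thread: that IAS records a terminal result as "Issuing Access-Accept." / "Issuing Access-Reject.", and that the stamps are from 2007. The verdict rule encodes this reading of the quoted trace: IAS only sends fragment N+1 after the peer acknowledges fragment N, so a short final fragment (659 after three of 1396) means the server's whole handshake flight was delivered, and a restart 15 s later with no further EAP traffic points at the client not continuing after it saw the server certificate and CA list. That reading is the example's, not the thread's.

```python
"""Triage EAP-TLS rounds in an IASSAM.LOG-style trace (added example).

Line formats follow the IASSAM.LOG excerpt quoted in the thread.  Assumed,
not shown there: terminal lines "Issuing Access-Accept." / "Issuing
Access-Reject.", and the year 2007 for the year-less timestamps.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^\[(\d+)\] (\d\d-\d\d \d\d:\d\d:\d\d:\d{3}): (.*)$")
IDENTITY_RE = re.compile(r"received request with user identity (\S+)\.")
MAXLEN_RE = re.compile(r"Setting max\. packet length to (\d+)\.")
EAP_LEN_RE = re.compile(r"Inserting outbound EAP-Message of length (\d+)\.")
OUTCOME_RE = re.compile(r"Issuing (Access-\w+)\.")

# EAP-TLS Start is a bare EAP header (5 bytes) plus one flags byte (RFC 5216).
EAP_TLS_START_LEN = 6

# Constructed sample: round 1 copies the lengths and timestamps quoted in the
# thread (wrapped lines joined, filler lines dropped); rounds 2 and 3 are made
# up to show the 15 s repeat and, for contrast, a completed authentication.
SAMPLE_LOG = r"""
[7072] 01-29 15:27:35:764: NT-SAM Names handler received request with user identity host/99yfhz0.TA.onaro.com.
[7072] 01-29 15:27:35:796: Setting max. packet length to 1396.
[7072] 01-29 15:27:35:796: Inserting outbound EAP-Message of length 6.
[7072] 01-29 15:27:35:796: Issuing Access-Challenge.
[6208] 01-29 15:27:35:811: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:36:717: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:37:827: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:27:39:452: Inserting outbound EAP-Message of length 659.
[7072] 01-29 15:27:39:452: Issuing Access-Challenge.
[6208] 01-29 15:27:50:764: NT-SAM Names handler received request with user identity host/99yfhz0.TA.onaro.com.
[6208] 01-29 15:27:50:796: Setting max. packet length to 1396.
[6208] 01-29 15:27:50:796: Inserting outbound EAP-Message of length 6.
[6208] 01-29 15:27:50:811: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:51:717: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:52:827: Inserting outbound EAP-Message of length 1396.
[6208] 01-29 15:27:54:452: Inserting outbound EAP-Message of length 659.
[7072] 01-29 15:28:10:100: NT-SAM Names handler received request with user identity host/OTHERHOST.example.com.
[7072] 01-29 15:28:10:120: Setting max. packet length to 1396.
[7072] 01-29 15:28:10:120: Inserting outbound EAP-Message of length 6.
[7072] 01-29 15:28:10:300: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:28:11:100: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:28:12:100: Inserting outbound EAP-Message of length 1396.
[7072] 01-29 15:28:13:100: Inserting outbound EAP-Message of length 659.
[7072] 01-29 15:28:14:100: Inserting outbound EAP-Message of length 75.
[7072] 01-29 15:28:14:500: Inserting outbound EAP-Message of length 4.
[7072] 01-29 15:28:14:500: Issuing Access-Accept.
"""


def parse_ts(stamp):
    """Stamps are MM-DD HH:MM:SS:mmm with no year; 2007 is assumed."""
    return datetime.strptime("2007-" + stamp, "%Y-%m-%d %H:%M:%S:%f")


def eap_rounds(text):
    """Split the trace into EAP conversations, one per identity request."""
    rounds, cur = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m.group(2)), m.group(3)
        if ident := IDENTITY_RE.search(msg):
            cur = {"identity": ident.group(1), "start": ts,
                   "max_len": None, "fragments": [], "outcome": None}
            rounds.append(cur)
        elif cur is None:
            continue
        elif mm := MAXLEN_RE.search(msg):
            cur["max_len"] = int(mm.group(1))
        elif lm := EAP_LEN_RE.search(msg):
            cur["fragments"].append(int(lm.group(1)))
        elif (om := OUTCOME_RE.search(msg)) and om.group(1) != "Access-Challenge":
            cur["outcome"] = om.group(1)
    return rounds


def classify(rnd):
    """Heuristic verdict: where did this round stop?"""
    if rnd["outcome"]:
        return rnd["outcome"]
    frags = rnd["fragments"]
    if not frags:
        return "no EAP sent"
    if frags == [EAP_TLS_START_LEN]:
        return "EAP-TLS Start sent, no client_hello received"
    # IAS sends fragment N+1 only after the peer acks fragment N, so a final
    # fragment shorter than the max packet length means the whole server
    # flight (ServerHello, Certificate, CertificateRequest) was delivered.
    if rnd["max_len"] and len(frags) > 1 and frags[-1] < rnd["max_len"]:
        return "server TLS flight fully sent, client did not continue"
    return "stalled while fragmenting server TLS flight"


def summarize(text):
    """One summary dict per round, with the gap since the previous round."""
    rounds = eap_rounds(text)
    report = []
    for i, r in enumerate(rounds):
        gap = (r["start"] - rounds[i - 1]["start"]).total_seconds() if i else 0.0
        report.append({"identity": r["identity"], "fragments": len(r["fragments"]),
                       "eap_bytes": sum(r["fragments"]), "max_len": r["max_len"],
                       "secs_since_prev": round(gap, 1), "verdict": classify(r)})
    return report


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

Run against a real IASSAM.LOG, the rounds that keep repeating with the same identity, the same fragment count and no Accept/Reject are the ones to line up against the Netmon capture and the client-side logging James asked for; a verdict of "stalled while fragmenting" would instead point at packets larger than the max length not getting through between the NAS and IAS.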






