Re: Radius Authentication using Window XP SP3



Westcort <Ken2Lee@xxxxxxxxx> wrote in
news:56914648-b31d-4e35-bb78-d925bd68ec15@xxxxxxxxxxxxxxxxxxxxxxxxxxx:

On Jan 19, 4:15 pm, "James McIllece [MS]"
<james...@xxxxxxxxxxxxxxxxxxxx> wrote:
Westcort <Ken2...@xxxxxxxxx> wrote in news:6d016c43-b014-4533-9557-
1d51525f2...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx:



Hello
I am currently trying to build a test environment in order to
determine if 802.1x can be implemented on our network. I am
currently using an IAS server via Peap-MSChapv2, Windows XP and a
Dell PC6224 switch. The problem I am currently having is that the
Windows XP client cannot log on to the domain in order to
authenticate to the Radius and Domain Server. When trying to log on,
Windows XP tells me that it cannot find the domain. I have a
suspicion that it is because the domain user and password are not
passing to the radius server. But the weird thing is that if I try
to authenticate manually when I bypass the Windows logon screen I am
able to type in a domain password and be authenticated to the
network.

I have also gotten it to work when I force the port on the switch to
force authenticate and cache the logon settings for the user. When
I turn off force authentication that user can still log into Windows
XP and connect to our network.

Has anyone run into an issue like this before? Or know of a
solution to this problem?

Hi Ken --

Have you deployed a server certificate to the IAS server from a CA
that the client computer trusts? If so, does the certificate meet the
minimum server certificate requirements? Do you have a remote access
policy configured to use PEAP-MS-CHAP v2 with the server certificate
selected?

Thanks for any information you can provide --

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.

As the laptop is part of the same domain as the IAS, the computer
should trust the CA.
I do have a remote access policy configured and attached the certificate
that the CA generated for the server.
For my EAP Types I have Secured Password (EAP-MSCHAP v2) and I also
have fast reconnect enabled.
What other piece of information do you require?


Hi there --

Thanks very much for the information. It sounds like your server
certificate deployment is correct. Just to make sure, please open the
Certificates snap in on the client and see if the CA cert is in the Trusted
Root Certification Authorities certificate store.

Also ensure that the user account dial-in properties in Active Directory
are set to "Control access through remote access policy" or to "Allow
access."

This sounds like a switch configuration issue. If I understand you
correctly, you're saying that you can log onto the local computer rather
than the domain, but then connect to the domain through the switch anyhow,
bypassing RADIUS authentication. Normally with RADIUS authentication, the
switch should take authentication credentials, create an access request
message, and send the access request to the RADIUS/IAS server for
authentication and authorization.

So I would say double-check the switch settings to ensure that EAP
authentication is enabled, and that it is correctly configured with the
shared secret and IP address of your IAS server as the authenticating
server. There may be other settings that affect how your switch
communicates with IAS that should be configured as well, I don't know, not
familiar with the product.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
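
An added example, not part of the thread: the last reply asks for the shared secret on the switch to be checked against the IAS server. Access-Requests carrying EAP are signed with a Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, RFC 3579), and the server discards requests where it does not verify. The secrets and user name below are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST = 1
USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 79, 80

def build_access_request(secret, ident, attrs):
    """Build an Access-Request as the switch (NAS) would, signed per RFC 3579."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]  # zeroed while signing
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    packet = header + os.urandom(16) + body  # 16-byte Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator value is the final 16 bytes

def parse_attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the header."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len

def verify_message_authenticator(packet, secret):
    """Server-side check: recompute the HMAC with the field zeroed, then compare."""
    for attr_type, offset, value in parse_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False  # an EAP request without the attribute is discarded

# Constructed sample values (not from the thread).
SWITCH_SECRET = b"example-secret-on-switch"
WRONG_SECRET = b"example-secret-mistyped"
name = b"EXAMPLE\\testuser"
eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(name), 1) + name  # EAP-Response/Identity
SAMPLE = build_access_request(
    SWITCH_SECRET, 7, [(USER_NAME, name), (EAP_MESSAGE, eap_identity)])

if __name__ == "__main__":
    print("matching secret verifies:  ", verify_message_authenticator(SAMPLE, SWITCH_SECRET))
    print("mismatched secret verifies:", verify_message_authenticator(SAMPLE, WRONG_SECRET))
```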