RE: 802.1x, Computers, Wired Security



I think part of the problem is that I was trying to use PEAP with MSCHAPv2.
From what I've read this won't work for computer auth. From what I understand
I should be using EAP-TLS for computer and user auth. Is this correct?

I have changed my IAS policy to use EAP-TLS and have also configured the
client to use EAP-TLS. The good thing is that I can auth with a user cert
using EAP-TLS no problem, but the computer auth is still failing. Yes, the
service is started and set to automatic. I have a computer cert and here is
the error message on the IAS server...

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Computer: IAS
Description:
User host/laptoptest.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\LAPTOPTEST$
NAS-IP-Address = 192.168.73.2
NAS-Identifier = CORE2
Called-Station-Identifier = 00-17-08-cc-2f-00
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Client-Friendly-Name = CORE2
Client-IP-Address = 192.168.73.2
NAS-Port-Type = Ethernet
NAS-Port = 93
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....


Here is the error on the client....

Event Type: Information
Event Source: Dot3Svc
Event Category: None
Event ID: 15514
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Computer: LAPTOPTEST
Description:
Wired 802.1X Authentication failed.

Network Adapter: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler
Miniport
Interface GUID: {66cf62ec-9e70-44a2-b29a-fbe95796c647}
Peer Address: 001708CC2F00
Local Address: 0017A4D76B45
Connection ID: 0x00000004
Identity: host/laptoptest.domain.com
User: -
Domain: -
Reason: 327685
Reason Text: The authentication failed because there is a problem with the
user account

Error Code: 1078067472


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.




"Miles Li [MSFT]" wrote:



Hello,

From the description, you can authenticate the computer to the network
successfully with the Open1X supplicant by hardcoding the user credentials.
However, you still fail to enter the network with the Windows XP SP3
supplicant.

In Windows XP SP3, the wired 802.1x service has been separated from the wireless
service into a new service, Dot3Svc (Wired AutoConfig). By default
this service is set to manual start as opposed to automatic. In
an 802.1x-deployed wired network, the client will not connect to the
network because of the absence of the service. So please make sure that the
Wired AutoConfig service is set to Automatic before you restart the server.

Information needed:
=================
For further investigation of the issue, you can capture the network
traffic when the clients attempt to authenticate with the IAS server and send
it to me at <tfwst@xxxxxxxxxxxxx>.

You can get the NetMon3.1 from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en


For your reference:

Changes to the 802.1X-based wired network connection settings in Windows XP
Service Pack 3
http://support.microsoft.com/kb/949984

You cannot connect to an 802.1X wired network after you upgrade to Windows
XP Service Pack 3
http://support.microsoft.com/kb/953650

A Windows XP-based wired client computer will not obtain a valid IP address
from a guest VLAN or from an "Authentication failed-VLAN"
http://support.microsoft.com/kb/931856


Hope it helps. If you have any questions or concerns, please do not
hesitate to let me know.


Best regards,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
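A check script for the two client-side prerequisites this thread identifies: the Wired AutoConfig (Dot3Svc) start mode from the reply above, and a machine certificate that the supplicant can actually present for EAP-TLS computer authentication from the original post. This is an added example, not code from either poster or from Microsoft. It assumes Windows PowerShell on the supplicant with the Cert: provider, WMI and Get-EventLog available; the hostname comparison uses the DNS-resolved FQDN, since the supplicant sends the identity as host/<fqdn>, and the EKU OID for Client Authentication is 1.3.6.1.5.5.7.3.2.

```powershell
# Added diagnostic script (not from the thread's posters). Assumes Windows
# PowerShell on the 802.1X supplicant with the Cert: drive, WMI and the
# System event log available.
$expectedHost  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # e.g. laptoptest.domain.com
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU, required for EAP-TLS

# 1. Wired AutoConfig (Dot3Svc) must be running and set to Automatic; the
#    reply above notes it defaults to Manual on XP SP3.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Dot3Svc'"
if (-not $svc) {
    Write-Warning 'Dot3Svc (Wired AutoConfig) is not present; wired 802.1X is unavailable on this build.'
} else {
    "Dot3Svc state: {0}, start mode: {1}" -f $svc.State, $svc.StartMode
    if ($svc.StartMode -ne 'Auto')  { Write-Warning 'Set Dot3Svc to Automatic (sc config Dot3Svc start= auto).' }
    if ($svc.State    -ne 'Running') { Write-Warning 'Dot3Svc is not running (Start-Service Dot3Svc).' }
}

# 2. Machine certificate: must sit in LocalMachine\My, have a private key,
#    be within its validity period, carry the Client Authentication EKU and
#    name this host, because the identity sent is host/<fqdn>.
$now = Get-Date
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt $now -and $_.NotBefore -lt $now
}
$usable = foreach ($cert in $candidates) {
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    # DnsName returns the SAN dNSName when present, otherwise the subject CN
    $dnsName = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($hasClientAuth -and $dnsName -ieq $expectedHost) { $cert }
}
if ($usable) {
    "Usable computer certificate(s) for EAP-TLS:"
    $usable | Format-Table Thumbprint, Subject, NotAfter -AutoSize
} else {
    Write-Warning "No certificate in LocalMachine\My has a private key, the Client Authentication EKU and DNS name $expectedHost."
}

# 3. Most recent Dot3Svc events (first line of each message), to pair the
#    client-side reason with the Reason-Code logged by IAS for the same attempt.
Get-EventLog -LogName System -Source Dot3Svc -Newest 5 -ErrorAction SilentlyContinue |
    Select-Object TimeGenerated, EventID, EntryType,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Run it in an elevated PowerShell on the client; the certificate checks deliberately require the private key and the host's own DNS name, because a certificate that is present but fails either test is the usual reason the user side of EAP-TLS works while the computer side does not.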

