PEAP problem

Discussion in 'Wireless Networking' started by rwickberg, May 30, 2005.

  1. rwickberg

    rwickberg Guest

    Somewhere on the 'net I found instructions on setting up 802.1x
    authentication with a 2000 server and XP clients, using EAP-TLS. I
    followed them, they worked fine, no problems. Installed IAS and
    certificate services on the server, configured the wireless access
    point (a linksys WRT54G), issued self signed certs to the client and
    the server, configured the client for wireless, and bam, it connects.

    Then I thought, what a pain it will be to issue certs to all the
    clients. All I should have to do is change the profile in IAS, change
    the settings on the client, to both use PEAP-MSCHAP2, and that should
    work, too, right? wrong. When I try to connect, I get prompted to
    enter a username/pw/domain ( cleared the flag that says use the windows
    login settings). I do that, and it sits there forever trying to
    connect. Ethereal traces on the ethernet show that the RADIUS server
    never issues an accept, it just keeps sending out more challenges.
    Why? what's failing here, and how do I fix it?

    The problem is not that the username and pw are invalid, if you use an
    invalid user, you are quickly prompted at the client to try another
    password. So the server seems happy with the username/pw.

    Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
    what other info can I look at to help figure this out?
     
    rwickberg, May 30, 2005
    #1

  2. S. Pidgorny

    S. Pidgorny Guest

    What is in the RADIUS logs and in the system event log on the RADIUS server?

    (and reboot everything and try again)

    --
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-

    "rwickberg" <> wrote in message
    news:...
    > Somewhere on the 'net I found instructions on setting up 802.1x
    > authentication with a 2000 server and XP clients, using EAP-TLS. I
    > followed them, they worked fine, no problems. Installed IAS and
    > certificate services on the server, configured the wireless access
    > point (a linksys WRT54G), issued self signed certs to the client and
    > the server, configured the client for wireless, and bam, it connects.
    >
    > Then I thought, what a pain it will be to issue certs to all the
    > clients. All I should have to do is change the profile in IAS, change
    > the settings on the client, to both use PEAP-MSCHAP2, and that should
    > work, too, right? wrong. When I try to connect, I get prompted to
    > enter a username/pw/domain ( cleared the flag that says use the windows
    > login settings). I do that, and it sits there forever trying to
    > connect. Ethereal traces on the ethernet show that the RADIUS server
    > never issues an accept, it just keeps sending out more challenges.
    > Why? what's failing here, and how do I fix it?
    >
    > The problem is not that the username and pw are invalid, if you use an
    > invalid user, you are quickly prompted at the client to try another
    > password. So the server seems happy with the username/pw.
    >
    > Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
    > what other info can I look at to help figure this out?
    >
     
    S. Pidgorny, Jun 1, 2005
    #2

  3. Brian Wehrle [MSFT]

    There could be many problems here. I would make sure that you are not
    hitting a known issue that was fixed in XPSP2. Many changes were made and
    many improvements; there is more feedback given to the user as well.
    If the password were wrong the client would re-prompt you to enter your
    credentials. So something else is occurring.

    I believe that the client is NAKing the server's request to do EAP-TLS.
    Please double check that PEAP-MSCHAPv2 is highest on the list for this type
    of Access Policy. As a precaution, remove all of the other Access Policies,
    as it is likely that, if there are others, the wrong one is being selected
    and consequently the wrong EAP type is being used.

    If this does not work, please also delete this wireless network
    configuration entry from the "Preferred Network" list in the Wireless
    adapter settings and create a new connection entry for this network,
    selecting PEAP-MSCHAPv2. Please note that by default the logon credentials
    will be used, which in this case should correspond to domain accounts.

    --
    Brian Wehrle

    Software Test Engineer/Wireless Networking
    Microsoft Corp.


    "S. Pidgorny <MVP>" <> wrote in message
    news:...
    > What is in the RADIUS logs and in the system event log on the RADIUS
    > server?
    >
    > (and reboot everything and try again)
    >
    > --
    > Svyatoslav Pidgorny, MS MVP - Security, MCSE
    > -= F1 is the key =-
    >
    > "rwickberg" <> wrote in message
    > news:...
    >> Somewhere on the 'net I found instructions on setting up 802.1x
    >> authentication with a 2000 server and XP clients, using EAP-TLS. I
    >> followed them, they worked fine, no problems. Installed IAS and
    >> certificate services on the server, configured the wireless access
    >> point (a linksys WRT54G), issued self signed certs to the client and
    >> the server, configured the client for wireless, and bam, it connects.
    >>
    >> Then I thought, what a pain it will be to issue certs to all the
    >> clients. All I should have to do is change the profile in IAS, change
    >> the settings on the client, to both use PEAP-MSCHAP2, and that should
    >> work, too, right? wrong. When I try to connect, I get prompted to
    >> enter a username/pw/domain ( cleared the flag that says use the windows
    >> login settings). I do that, and it sits there forever trying to
    >> connect. Ethereal traces on the ethernet show that the RADIUS server
    >> never issues an accept, it just keeps sending out more challenges.
    >> Why? what's failing here, and how do I fix it?
    >>
    >> The problem is not that the username and pw are invalid, if you use an
    >> invalid user, you are quickly prompted at the client to try another
    >> password. So the server seems happy with the username/pw.
    >>
    >> Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
    >> what other info can I look at to help figure this out?
    >>
     
    Brian Wehrle [MSFT], Jun 3, 2005
    #3
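The behaviour Brian describes (the supplicant Nak-ing the server's EAP-TLS request while the wrong policy keeps offering EAP-TLS, so Ethereal shows challenge after challenge and never an Access-Accept) can be reproduced with a small model of the EAP negotiation from RFC 3748. The following is an added example, not code from this thread or from Microsoft IAS; the packet layout and the type numbers (Identity 1, Nak 3, EAP-TLS 13, PEAP 25, MS-CHAPv2 26) are from RFC 3748 and the IANA EAP registry, while `PolicyServer`, `Supplicant`, `negotiate` and the server's behaviour after a Nak are simplifying assumptions made here, not IAS's real state machine.

```python
"""Model of EAP method negotiation (RFC 3748) between an 802.1X supplicant and
the RADIUS server behind the access point. It shows why a remote-access policy
whose first allowed EAP type the client will not use produces an endless
Request/Nak loop instead of an Access-Accept, and why ordering PEAP first fixes it.
Added illustration; the server logic is an assumption, not IAS's implementation."""
import struct

# EAP codes and method types (RFC 3748 section 4; IANA EAP method registry)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_PEAP, TYPE_MSCHAPV2 = 1, 3, 13, 25, 26
TYPE_NAMES = {TYPE_IDENTITY: "Identity", TYPE_NAK: "Nak", TYPE_TLS: "EAP-TLS",
              TYPE_PEAP: "PEAP", TYPE_MSCHAPV2: "MS-CHAPv2"}


def build_eap(code, ident, eap_type=None, data=b""):
    """Encode one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(pkt):
    """Decode an EAP packet, checking the Length field against the buffer."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    eap_type = pkt[4] if length > 4 else None
    return code, ident, eap_type, pkt[5:]


class Supplicant:
    """Client side: answers Identity, accepts a supported method, Naks the rest."""
    def __init__(self, supported):
        self.supported = list(supported)

    def respond(self, request):
        _, ident, eap_type, _ = parse_eap(request)
        if eap_type == TYPE_IDENTITY:  # constructed sample identity
            return build_eap(EAP_RESPONSE, ident, TYPE_IDENTITY, b"user@example.test")
        if eap_type in self.supported:
            return build_eap(EAP_RESPONSE, ident, eap_type, b"\x00")  # method data elided
        # RFC 3748 section 5.3.1: a Nak carries the types the peer would accept
        return build_eap(EAP_RESPONSE, ident, TYPE_NAK, bytes(self.supported))


class PolicyServer:
    """Server side. `policy` is the ordered list of EAP types the matched policy
    allows. Assumption: on a Nak it offers the first policy type the peer listed;
    if there is none it re-issues its top choice, which is what reads as
    'more challenges, never an Accept' in a trace."""
    def __init__(self, policy):
        self.policy = list(policy)
        self.ident = 0

    def _request(self, eap_type):
        self.ident = (self.ident + 1) & 0xFF
        return build_eap(EAP_REQUEST, self.ident, eap_type)

    def start(self):
        return self._request(TYPE_IDENTITY)

    def handle(self, response):
        code, ident, eap_type, data = parse_eap(response)
        if code != EAP_RESPONSE or ident != self.ident:
            return build_eap(EAP_FAILURE, self.ident)
        if eap_type == TYPE_IDENTITY:
            return self._request(self.policy[0])
        if eap_type == TYPE_NAK:
            wanted = [t for t in self.policy if t in data]
            return self._request(wanted[0] if wanted else self.policy[0])
        # Peer accepted the method; the real method exchange is elided here
        self.ident = (self.ident + 1) & 0xFF
        return build_eap(EAP_SUCCESS, self.ident)


def negotiate(policy, supported, max_rounds=8):
    """Run the exchange; returns (outcome, transcript). Outcome is 'success',
    'failure', or 'stuck' when max_rounds pass without Success or Failure."""
    server, client = PolicyServer(policy), Supplicant(supported)
    transcript = []
    pkt = server.start()
    for _ in range(max_rounds):
        _, _, t, _ = parse_eap(pkt)
        transcript.append(f"S->C Request/{TYPE_NAMES.get(t, t)}")
        reply = client.respond(pkt)
        _, _, rt, _ = parse_eap(reply)
        transcript.append(f"C->S Response/{TYPE_NAMES.get(rt, rt)}")
        pkt = server.handle(reply)
        code, _, _, _ = parse_eap(pkt)
        if code == EAP_SUCCESS:
            transcript.append("S->C Success (RADIUS Access-Accept)")
            return "success", transcript
        if code == EAP_FAILURE:
            transcript.append("S->C Failure (RADIUS Access-Reject)")
            return "failure", transcript
    return "stuck", transcript


if __name__ == "__main__":
    for label, policy, supported in [
        ("policy offers only EAP-TLS, client profile is PEAP", [TYPE_TLS], [TYPE_PEAP]),
        ("PEAP highest in the policy", [TYPE_PEAP, TYPE_TLS], [TYPE_PEAP]),
    ]:
        outcome, lines = negotiate(policy, supported)
        print(f"{label}: {outcome}")
        for line in lines:
            print("  ", line)
```

The first case is the symptom from the thread: every round is Request/EAP-TLS followed by Response/Nak, and the loop never reaches Success, even though the credentials were never tested. Putting PEAP first in the policy (the second case) ends with Success after one round, which is the check Brian recommends: confirm which policy the request actually matches and that PEAP-MSCHAPv2 is its first EAP type.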
  4. rwickberg

    rwickberg Guest

    The problem turned out to be the one described in Microsoft Knowledge
    Base article 837020, which unfortunately makes no reference whatsoever
    to PEAP, which is why my initial attempts to search the Microsoft
    Knowledge Base were unsuccessful. So I had to call Microsoft and get
    the hotfix. I wish to hell MS would get these fixes into the update
    channel faster, they've had 6 months since this article was published
    to get this regression tested.
     
    rwickberg, Jun 11, 2005
    #4