PEAP problem

Somewhere on the 'net I found instructions on setting up 802.1x authentication with a 2000 server and XP clients, using EAP-TLS. I followed them, they worked fine, no problems. Installed IAS and certificate services on the server, configured the wireless access point (a Linksys WRT54G), issued self signed certs to the client and the server, configured the client for wireless, and bam, it connects.

Then I thought, what a pain it will be to issue certs to all the clients. All I should have to do is change the profile in IAS, change the settings on the client, to both use PEAP-MSCHAP2, and that should work, too, right? Wrong. When I try to connect, I get prompted to enter a username/pw/domain (cleared the flag that says use the windows login settings). I do that, and it sits there forever trying to connect. Ethereal traces on the ethernet show that the RADIUS server never issues an accept, it just keeps sending out more challenges. Why? What's failing here, and how do I fix it?

The problem is not that the username and pw are invalid, if you use an invalid user, you are quickly prompted at the client to try another password. So the server seems happy with the username/pw.

Anyone have any idea why EAP-TLS would work and PEAP in this setup, or what other info can I look at to help figure this out?


What is in the RADIUS logs and in the system event log on the RADIUS server?

(and reboot everything and try again)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"rwickberg" <rwickb***@gmail.com> wrote in message
news:1117418496.575808.85640@g14g2000cwa.googlegroups.com...
> Somewhere on the 'net I found instructions on setting up 802.1x
> authentication with a 2000 server and XP clients, using EAP-TLS. I
> followed them, they worked fine, no problems. Installed IAS and
> certificate services on the server, configured the wireless access
> point (a Linksys WRT54G), issued self signed certs to the client and
> the server, configured the client for wireless, and bam, it connects.
>
> Then I thought, what a pain it will be to issue certs to all the
> clients. All I should have to do is change the profile in IAS, change
> the settings on the client, to both use PEAP-MSCHAP2, and that should
> work, too, right? Wrong. When I try to connect, I get prompted to
> enter a username/pw/domain (cleared the flag that says use the windows
> login settings). I do that, and it sits there forever trying to
> connect. Ethereal traces on the ethernet show that the RADIUS server
> never issues an accept, it just keeps sending out more challenges.
> Why? What's failing here, and how do I fix it?
>
> The problem is not that the username and pw are invalid, if you use an
> invalid user, you are quickly prompted at the client to try another
> password. So the server seems happy with the username/pw.
>
> Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
> what other info can I look at to help figure this out?
>


There could be many problems here. I would make sure that you are not hitting a known issue that was fixed in XPSP2. Many changes were made and many improvements; there is more feedback given to the user as well.

If the password were wrong the client would re-prompt you to enter your credentials. So something else is occurring. I believe that the client is NAKing the server's request to do EAP-TLS. Please double check that PEAP-MSCHAPv2 is highest on the list for this type of Access Policy. As a precaution, remove all of the other Access Policies, as it is likely that, if there are others, the wrong one is being selected and consequently the wrong EAP type is being used.

If this does not work, please also delete this wireless network configuration entry from the "Preferred Network" list in the Wireless adapter settings and create a new connection entry for this network, selecting PEAP-MSCHAPv2. Please note that by default the logon credentials will be used, which in this case should correspond to domain accounts.

--
Brian Wehrle
bweh***@online.microsoft.com
Software Test Engineer/Wireless Networking
Microsoft Corp.

"S. Pidgorny <MVP>" <slavi***@yahoo.com> wrote in message
news:up59r6oZFHA.3184@TK2MSFTNGP15.phx.gbl...
> What is in the RADIUS logs and in the system event log on the RADIUS
> server?
>
> (and reboot everything and try again)
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "rwickberg" <rwickb***@gmail.com> wrote in message
> news:1117418496.575808.85640@g14g2000cwa.googlegroups.com...
>> Somewhere on the 'net I found instructions on setting up 802.1x
>> authentication with a 2000 server and XP clients, using EAP-TLS. I
>> followed them, they worked fine, no problems. Installed IAS and
>> certificate services on the server, configured the wireless access
>> point (a Linksys WRT54G), issued self signed certs to the client and
>> the server, configured the client for wireless, and bam, it connects.
>>
>> Then I thought, what a pain it will be to issue certs to all the
>> clients. All I should have to do is change the profile in IAS, change
>> the settings on the client, to both use PEAP-MSCHAP2, and that should
>> work, too, right? Wrong. When I try to connect, I get prompted to
>> enter a username/pw/domain (cleared the flag that says use the windows
>> login settings). I do that, and it sits there forever trying to
>> connect. Ethereal traces on the ethernet show that the RADIUS server
>> never issues an accept, it just keeps sending out more challenges.
>> Why? What's failing here, and how do I fix it?
>>
>> The problem is not that the username and pw are invalid, if you use an
>> invalid user, you are quickly prompted at the client to try another
>> password. So the server seems happy with the username/pw.
>>
>> Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
>> what other info can I look at to help figure this out?
>>
>


The problem turned out to be the one described in Microsoft Knowledge Base article 837020, which unfortunately makes no reference whatsoever to PEAP, which is why my initial attempts to search the Microsoft knowledge base were unsuccessful. So I had to call Microsoft and get the hotfix.

I wish to hell MS would get these fixes into the update channel faster, they've had 6 months since this article was published to get this regression tested.
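
A capture-side check for the two symptoms discussed in this thread (challenges that never end in an accept, and a client NAKing the offered EAP type), as an added example that is not part of the original posts. It reads the EAP-Message attribute out of raw RADIUS payloads; the function names are illustrative and the packets in SAMPLE are constructed, not taken from the poster's trace.

```python
import struct

RADIUS = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
EAP_MESSAGE = 79  # RADIUS attribute that carries the EAP packet (RFC 3579)

def parse_radius(pkt):  # returns (radius_code, eap_bytes) for one RADIUS UDP payload
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length")
    eap, pos = b"", 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        if atype == EAP_MESSAGE:  # a long EAP packet is split over several attributes
            eap += pkt[pos + 2:pos + alen]
        pos += alen
    return code, eap

def describe(pkt):
    code, eap = parse_radius(pkt)
    row = {"radius": RADIUS.get(code, str(code)), "eap_code": None, "method": None, "wants": []}
    if len(eap) >= 5 and eap[0] in (1, 2):  # 1 = Request, 2 = Response; both carry a type byte
        row["eap_code"] = eap[0]
        row["method"] = EAP_TYPES.get(eap[4], str(eap[4]))
        if eap[0] == 2 and eap[4] == 3:  # Nak body lists the methods the client would accept
            end = struct.unpack("!H", eap[2:4])[0]
            row["wants"] = [EAP_TYPES.get(t, str(t)) for t in eap[5:end]]
    return row

def diagnose(packets):
    rows = [describe(p) for p in packets]
    findings = []
    for prev, cur in zip(rows, rows[1:]):
        if cur["method"] == "Nak" and prev["eap_code"] == 1:
            findings.append(f"client refused {prev['method']}, wants {'/'.join(cur['wants'])}")
    if not any(r["radius"] in ("Access-Accept", "Access-Reject") for r in rows):
        findings.append("no Access-Accept or Access-Reject seen")
    return findings

def sample_pkt(head, attrs):  # constructed sample: header + zeroed authenticator + attributes
    return bytes.fromhex(head + "00" * 16 + attrs)
SAMPLE = [  # constructed packets, not taken from the thread
    sample_pkt("0101001f", "4f0b020000090175736572"),  # Access-Request, Response/Identity "user"
    sample_pkt("0b01001c", "4f08010100060d20"),        # Access-Challenge, Request/EAP-TLS
    sample_pkt("0102001c", "4f08020100060319"),        # Access-Request, Response/Nak wants PEAP
    sample_pkt("0b02001c", "4f08010200060d20"),        # Access-Challenge, Request/EAP-TLS again
]
```

Calling diagnose(SAMPLE) reports the refused method and the missing final answer. A Nak finding points at the policy and EAP type ordering on the RADIUS server, which is what the reply above asks to double check.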