PEAP problem

Guest
Archived from groups: microsoft.public.windows.networking.wireless

Somewhere on the 'net I found instructions on setting up 802.1x
authentication with a 2000 server and XP clients, using EAP-TLS. I
followed them, they worked fine, no problems. Installed IAS and
certificate services on the server, configured the wireless access
point (a Linksys WRT54G), issued self-signed certs to the client and
the server, configured the client for wireless, and bam, it connects.

Then I thought, what a pain it will be to issue certs to all the
clients. All I should have to do is change the profile in IAS, change
the settings on the client, to both use PEAP-MSCHAP2, and that should
work, too, right? Wrong. When I try to connect, I get prompted to
enter a username/pw/domain (cleared the flag that says use the Windows
login settings). I do that, and it sits there forever trying to
connect. Ethereal traces on the ethernet show that the RADIUS server
never issues an accept, it just keeps sending out more challenges.
Why? What's failing here, and how do I fix it?

The problem is not that the username and pw are invalid, if you use an
invalid user, you are quickly prompted at the client to try another
password. So the server seems happy with the username/pw.

Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
what other info can I look at to help figure this out?
 
Guest

What is in the RADIUS logs and in the system event log on the RADIUS server?

(and reboot everything and try again)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"rwickberg" <rwickberg@gmail.com> wrote in message
news:1117418496.575808.85640@g14g2000cwa.googlegroups.com...
> Somewhere on the 'net I found instructions on setting up 802.1x
> authentication with a 2000 server and XP clients, using EAP-TLS. I
> followed them, they worked fine, no problems. Installed IAS and
> certificate services on the server, configured the wireless access
> point (a Linksys WRT54G), issued self-signed certs to the client and
> the server, configured the client for wireless, and bam, it connects.
>
> Then I thought, what a pain it will be to issue certs to all the
> clients. All I should have to do is change the profile in IAS, change
> the settings on the client, to both use PEAP-MSCHAP2, and that should
> work, too, right? Wrong. When I try to connect, I get prompted to
> enter a username/pw/domain (cleared the flag that says use the Windows
> login settings). I do that, and it sits there forever trying to
> connect. Ethereal traces on the ethernet show that the RADIUS server
> never issues an accept, it just keeps sending out more challenges.
> Why? What's failing here, and how do I fix it?
>
> The problem is not that the username and pw are invalid, if you use an
> invalid user, you are quickly prompted at the client to try another
> password. So the server seems happy with the username/pw.
>
> Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
> what other info can I look at to help figure this out?
>
 
Guest

There could be many problems here. I would make sure that you are not
hitting a known issue that was fixed in XPSP2. Many changes were made and
many improvements; there is more feedback given to the user as well.
If the password were wrong the client would re-prompt you to enter your
credentials. So something else is occurring.

I believe that the client is NAKing the server's request to do EAP-TLS.
Please double check that PEAP-MSCHAPv2 is highest on the list for this type
of Access Policy. As a precaution, remove all of the other Access Policies,
as it is likely that, if there are others, the wrong one is being selected
and consequently the wrong EAP type is being used.

If this does not work, please also delete this wireless network
configuration entry from the "Preferred Network" list in the Wireless
adapter settings and create a new connection entry for this network,
selecting PEAP-MSCHAPv2. Please note that by default the logon credentials
will be used, which in this case should correspond to domain accounts.

--
Brian Wehrle
bwehrle@online.microsoft.com
Software Test Engineer/Wireless Networking
Microsoft Corp.


"S. Pidgorny <MVP>" <slavickp@yahoo.com> wrote in message
news:up59r6oZFHA.3184@TK2MSFTNGP15.phx.gbl...
> What is in the RADIUS logs and in the system event log on the RADIUS
> server?
>
> (and reboot everything and try again)
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> "rwickberg" <rwickberg@gmail.com> wrote in message
> news:1117418496.575808.85640@g14g2000cwa.googlegroups.com...
>> Somewhere on the 'net I found instructions on setting up 802.1x
>> authentication with a 2000 server and XP clients, using EAP-TLS. I
>> followed them, they worked fine, no problems. Installed IAS and
>> certificate services on the server, configured the wireless access
>> point (a Linksys WRT54G), issued self-signed certs to the client and
>> the server, configured the client for wireless, and bam, it connects.
>>
>> Then I thought, what a pain it will be to issue certs to all the
>> clients. All I should have to do is change the profile in IAS, change
>> the settings on the client, to both use PEAP-MSCHAP2, and that should
>> work, too, right? Wrong. When I try to connect, I get prompted to
>> enter a username/pw/domain (cleared the flag that says use the Windows
>> login settings). I do that, and it sits there forever trying to
>> connect. Ethereal traces on the ethernet show that the RADIUS server
>> never issues an accept, it just keeps sending out more challenges.
>> Why? What's failing here, and how do I fix it?
>>
>> The problem is not that the username and pw are invalid, if you use an
>> invalid user, you are quickly prompted at the client to try another
>> password. So the server seems happy with the username/pw.
>>
>> Anyone have any idea why EAP-TLS would work and PEAP in this setup, or
>> what other info can I look at to help figure this out?
>>
>
>
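
An added example, not part of the original thread: one way to check the NAK hypothesis above against a capture of the RADIUS traffic, by pulling the EAP packet out of each RADIUS message and reporting any EAP Nak plus whether the exchange ever reached an Accept or Reject. The function names and the `SAMPLE` packets are constructed for illustration; real packets would come from the trace.

```python
import struct

RADIUS = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
EAP_MESSAGE = 79  # RADIUS attribute that carries the EAP packet (RFC 3579)

def eap_from_radius(pkt):
    """Return (radius_code, eap_code, eap_type, eap_type_data) for one RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, eap = pkt[20:length], b""          # skip the 16-byte authenticator
    while len(attrs) >= 2:
        a_type, a_len = attrs[0], attrs[1]
        if a_len < 2 or a_len > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if a_type == EAP_MESSAGE:             # long EAP packets span several attributes
            eap += attrs[2:a_len]
        attrs = attrs[a_len:]
    if len(eap) < 5:                          # EAP Success/Failure carry no type byte
        return code, (eap[0] if eap else None), None, b""
    return code, eap[0], eap[4], eap[5:struct.unpack("!H", eap[2:4])[0]]

def diagnose(packets):
    """Report EAP Naks and whether the exchange ever reached Accept or Reject."""
    findings, offered, last = [], None, None
    for pkt in packets:
        r_code, e_code, e_type, data = eap_from_radius(pkt)
        last = r_code
        if r_code == 11 and e_code == 1 and e_type not in (None, 1):
            offered = e_type                  # method the server is asking for
        elif r_code == 1 and e_code == 2 and e_type == 3:
            wanted = ", ".join(EAP_TYPES.get(t, str(t)) for t in data) or "none"
            findings.append(f"client NAKed {EAP_TYPES.get(offered, offered)}; wants {wanted}")
    if last not in (2, 3):
        findings.append(f"no Accept/Reject; last packet was {RADIUS.get(last, last)}")
    return findings

def mk_eap(code, ident, e_type, data=b""):
    return struct.pack("!BBHB", code, ident, 5 + len(data), e_type) + data
def mk_radius(code, ident, eap):
    attr = bytes([EAP_MESSAGE, len(eap) + 2]) + eap
    return struct.pack("!BBH", code, ident, 20 + len(attr)) + bytes(16) + attr

# Constructed capture: server offers EAP-TLS, client Naks and asks for PEAP, no Accept.
SAMPLE = [
    mk_radius(1, 1, mk_eap(2, 1, 1, b"user")),    # Response/Identity
    mk_radius(11, 1, mk_eap(1, 2, 13, b"\x20")),  # Request/EAP-TLS (Start flag)
    mk_radius(1, 2, mk_eap(2, 2, 3, b"\x19")),    # Response/Nak, desired type 25
    mk_radius(11, 2, mk_eap(1, 3, 25, b"\x20")),  # Request/PEAP (Start flag)
]
```

`diagnose(SAMPLE)` reports the Nak of EAP-TLS in favour of PEAP and that the exchange ended on an Access-Challenge.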
 
Guest

The problem turned out to be the one described in Microsoft Knowledge
Base article 837020, which unfortunately makes no reference whatsoever
to PEAP, which is why my initial attempts to search the Microsoft
Knowledge Base were unsuccessful. So I had to call Microsoft and get
the hotfix. I wish to hell MS would get these fixes into the update
channel faster, they've had 6 months since this article was published
to get this regression tested.