PEAP problem

Archived from groups: microsoft.public.windows.networking.wireless

Somewhere on the 'net I found instructions on setting up 802.1x
authentication with a 2000 server and XP clients, using EAP-TLS. I
followed them, they worked fine, no problems. Installed IAS and
certificate services on the server, configured the wireless access
point (a Linksys WRT54G), issued self-signed certs to the client and
the server, configured the client for wireless, and bam, it connects.

Then I thought, what a pain it will be to issue certs to all the
clients. All I should have to do is change the profile in IAS, change
the settings on the client, to both use PEAP-MSCHAP2, and that should
work, too, right? Wrong. When I try to connect, I get prompted to
enter a username/pw/domain (cleared the flag that says use the windows
login settings). I do that, and it sits there forever trying to
connect. Ethereal traces on the ethernet show that the RADIUS server
never issues an accept, it just keeps sending out more challenges.
Why? What's failing here, and how do I fix it?

The problem is not that the username and pw are invalid; if you use an
invalid user, you are quickly prompted at the client to try another
password. So the server seems happy with the username/pw.

Anyone have any idea why EAP-TLS would work and PEAP wouldn't in this
setup, or what other info can I look at to help figure this out?
  1. Archived from groups: microsoft.public.windows.networking.wireless

    What is in the RADIUS logs and in the system event log on the RADIUS server?

    (and reboot everything and try again)

    --
    Svyatoslav Pidgorny, MS MVP - Security, MCSE
    -= F1 is the key =-

  2. Archived from groups: microsoft.public.windows.networking.wireless

    There could be many problems here. I would make sure that you are not
    hitting a known issue that was fixed in XPSP2. Many changes were made and
    many improvements; there is more feedback given to the user as well.
    If the password were wrong the client would re-prompt you to enter your
    credentials. So something else is occurring.

    I believe that the client is NAKing the server's request to do EAP-TLS.
    Please double check that PEAP-MSCHAPv2 is highest on the list for this type
    of Access Policy. As a precaution, remove all of the other Access Policies,
    as it is likely that, if there are others, the wrong one is being selected
    and consequently the wrong EAP type is being used.

    If this does not work, please also delete this wireless network
    configuration entry from the "Preferred Network" list in the Wireless
    adapter settings and create a new connection entry for this network,
    selecting PEAP-MSCHAPv2. Please note that by default the logon credentials
    will be used, which in this case should correspond to domain accounts.

    --
    Brian Wehrle
    bwehrle@online.microsoft.com
    Software Test Engineer/Wireless Networking
    Microsoft Corp.


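One way to confirm from a packet trace the method mismatch suggested in the reply above (an added example, not part of the original thread): the Python below parses raw EAP packets per RFC 3748 and reports each Legacy Nak together with the method the server had offered. The packet bytes are constructed for illustration, and the helper names (`parse_eap`, `find_naks`, `eap`) are hypothetical; in a real capture the EAP payload is carried in the RADIUS EAP-Message attribute.

```python
import struct

# EAP method numbers from RFC 3748 and the IANA EAP registry.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
REQUEST, RESPONSE = 1, 2
NAK = 3

def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    if len(pkt) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field does not match packet size")
    out = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (REQUEST, RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        out["type"] = pkt[4]
        out["data"] = pkt[5:length]  # ignore padding beyond Length
    return out

def find_naks(packets):
    """Return (offered_method, [methods the client asked for]) for each Nak."""
    offered = {}   # EAP identifier -> method type the server requested
    findings = []
    for raw in packets:
        p = parse_eap(raw)
        if p["code"] == REQUEST:
            offered[p["id"]] = p["type"]
        elif p["code"] == RESPONSE and p["type"] == NAK:
            # Type-Data lists the desired methods; 0 means "no alternative".
            wanted = [t for t in p["data"] if t != 0]
            findings.append((offered.get(p["id"]), wanted))
    return findings

def describe(findings):
    name = lambda t: EAP_TYPES.get(t, f"type {t}")
    return [f"server offered {name(o)}, client NAKed and asked for "
            f"{', '.join(name(w) for w in ws) or 'nothing'}" for o, ws in findings]

def eap(code, ident, type_=None, data=b""):
    """Build a constructed sample packet."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed exchange: the server starts EAP-TLS, the client wants PEAP.
SAMPLE = [
    eap(REQUEST, 1, 1),
    eap(RESPONSE, 1, 1, b"EXAMPLE\\user1"),
    eap(REQUEST, 2, 13, b"\x20"),   # EAP-TLS Start
    eap(RESPONSE, 2, NAK, b"\x19"), # Nak, desired type 25 (PEAP)
]

if __name__ == "__main__":
    print("\n".join(describe(find_naks(SAMPLE))))
```
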
  3. Archived from groups: microsoft.public.windows.networking.wireless

    The problem turned out to be the one described in Microsoft Knowledge
    Base article 837020, which unfortunately makes no reference whatsoever
    to PEAP, which is why my initial attempts to search the Microsoft
    Knowledge Base were unsuccessful. So I had to call Microsoft and get
    the hotfix. I wish to hell MS would get these fixes into the update
    channel faster, they've had 6 months since this article was published
    to get this regression tested.