PEAP/MS-CHAPV2 Machine Authentication

Post by TWlrZSBCZW » Wed, 24 May 2006 07:01:02


Trying to get IAS on 2003 server to authenticate a machine via PEAP/MS-CHAPV2
and contacting Active Directory seems to be broken. Domain server is Windows
2000 mixed with a name of lucentradius.com and a pre-2000 name of LCP. Do I
need to manipulate user-name to get IAS to work? I've been banging my head for a
couple of days trying to get this to work. Supplicant is Windows XP, IAS is
on a different machine than the DC, user authentication works but appears to take
two AD requests. Any help would be appreciated.

Mike

I get the following in the Event Log:

Access request for user host/xp-dev-lap3.lucentradius.com was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 135.140.160.50
NAS-Identifier = cisco350
Called-Station-Identifier = 0008.2130.f4c1
Calling-Station-Identifier = 0007.eb31.766d
Client-Friendly-Name = cedar
Client-IP-Address = 135.140.160.15
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 291
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 4
Reason = The Active Directory global catalog cannot be accessed.

This is what I see in IASSAM.LOG (includes two machine failures and one
successful user auth):

[980] 05-22 14:23:30:647: DsCrackNames failed: The specified domain either does not exist or could not be contacted.
[980] 05-22 14:23:30:647: Caught COM exception: The system cannot open the file.
[2744] 05-22 14:23:39:790: Creating EAP session
[2744] 05-22 14:23:39:790: NT-SAM Names handler received request with user identity host/xp-dev-lap3.lucentradius.com.
[2744] 05-22 14:23:39:800: DsCrackNames failed: The specified domain either does not exist or could not be contacted.
[2744] 05-22 14:23:39:800: Caught COM exception: The system cannot open the file.
[980] 05-22 14:23:49:795: Creating EAP session
[980] 05-22 14:23:49:795: NT-SAM Names handler received request with user identity host/xp-dev-lap3.lucentradius.com.
[980] 05-22 14:23:49:805: DsCrackNames failed: The specified domain either does not exist or could not be contacted.
[980] 05-22 14:23:49:805: Caught COM exception: The system cannot open the file.
[2744] 05-22 14:24:00:481: Creating EAP session
[2744] 05-22 14:24:00:481: NT-SAM Names handler received request with user identity authnt.
[2744] 05-22 14:24:00:481: Prepending default domain.
[2744] 05-22 14:24:00:481: NameMapper::prependDefaultDomain
[2744] 05-22 14:24:00:481: SAM-Account-Name is "LCP\authnt".
[2744] 05-22 14:24:00:481: NT-SAM Authentication handler received request for LCP\authnt.
[2744] 05-22 14:24:00:481: Validating Windows account LCP\authnt.
[2744] 05-22 14:24:00:481: Sending LDAP search to sprague.lucentradius.com.
[2744] 05-22 14:24:00:481: LDAP ERROR in ldap_search_ext_sW. Code = 81
[2744] 05-22 14:24:00:481: Extended error string: (null)
[2744] 05-22 14:24:00:481: Retrying LDAP search.
[2744] 05-22 14:24:00:491: Opening LDAP connection to sprague.lucentradius.com.
[2744] 05-22 14:24:00:491: The registry value DisableLdapEncryption does not exist. Using default 0
[2744] 05-22 14:24:00:491: Trying to set LDAP encryption = 1
[2744] 05-22 14:24:00:721: LDAP connect succeeded.
[2744] 05-22 14:24:00:721: Sending LDAP search to sprague.lucentradius.com.
[2744] 05-22 14:24:00:731: Successfully validated windows account.
[2744] 05-22 14:24:00:731: NT-SAM User Authori

2. PEAP machine authentication problem

I'm trying to set up a limited deployment of dot1x authentication on
some wired 4506/3550 connections. As we already have ACS (3.3.2)
linked into our domain database, running through a couple of the Cisco
guides I thought it should be pretty straightforward.

We don't have a Microsoft CA integrated into our domain yet, so I
started by generating a self-signed cert on the ACS server. I enabled
PEAP machine authentication in the Windows external DB configuration
and also enabled PEAP in the global authentication setup. I also
ensured that my Windows database was selected in the unknown user
policy setting.

I manually added the self signed certificate into both the user and
machine certificate stores as a trusted root CA and then selected the
appropriate CA from the PEAP properties in my LAN adaptor (Windows XP).

I was initially having problems authenticating and after investigating,
it transpired that the user authentication element of PEAP seemed to be
working, it's machine authentication that's failing. In the ACS logs I
can see failure codes of "External DB account restriction" for the
machine account login attempt.

I've asked the Windows guys to check the logs at their end to see if
they can see any specific messages, but they've not found anything yet.

Can anyone see any flaws in my approach? Any help would be great!

Cheers,
Chris
