Solved

Wireless with Radius Authentication

Posted on 2005-03-07
Last Modified: 2008-01-09
I have a 3Com access point set up with RADIUS 802.1x authentication. The access point log files show authentication as successful, and so does the Wireless Network Connection on the client's "laptop". In the IAS server log files it also seems like authentication is successful, although I can't get an IP address at the client. From the installation instructions for IAS and the CA there is only one aspect I can't install. The instructions specify to make sure the RAS and IAS Server Authentication CA template is present and also Wireless Authentication. RAS and IAS Server is installed but the Wireless CA is not. When trying to install Wireless Authentication CA by going to Certificate Templates and choosing Certificate Template to issue, Wireless Authentication CA is not present. I'm not sure if this might be where the issue I'm having lies. Here is a sample of a log file that might be helpful. Any help in this matter is greatly appreciated.

 EapTlsBegin(WIRELESS\test)
[1084] 21:29:05:770: SetupMachineChangeNotification
[1084] 21:29:05:770: State change to Initial
[1084] 21:29:05:770: EapTlsBegin: Detected PEAP authentication
[1084] 21:29:05:770: MaxTLSMessageLength is now 16384
[1084] 21:29:05:770: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1084] 21:29:05:770: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1084] 21:29:05:770: The root cert will not be checked for revocation
[1084] 21:29:05:770: The cert will be checked for revocation
[1084] 21:29:05:770: EapPeapBegin done
[1084] 21:29:05:770: EapPeapMakeMessage
[1084] 21:29:05:770: EapPeapSMakeMessage
[1084] 21:29:05:770: PEAP:PEAP_STATE_INITIAL
[1084] 21:29:05:770: EapTlsSMakeMessage
[1084] 21:29:05:770: EapTlsReset
[1084] 21:29:05:770: State change to Initial
[1084] 21:29:05:770: GetCredentials
[1084] 21:29:05:770: Flag is Server and Store is local Machine
[1084] 21:29:05:770: GetCachedCredentials Flags = 0x4061
[1084] 21:29:05:770: GetCachedCredentials: Using Cached Credentials
[1084] 21:29:05:770: GetCachedCredentials: Hash of the cert in the cache is
 
 9 6   6 2   5 C   F C   8 8   E F   5 2   A B   A 0   8 A   5 0   A 9   4 9   9 8   2 5   E D   | . b \ . . . R . . . P . I . % . |
 
 C D   B 7   0 6   0 B   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   | . . . . . . . . . . . . . . . . |
[1084] 21:29:05:770: BuildPacket
[1084] 21:29:05:770: << Sending Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1084] 21:29:05:770: State change to SentStart
[1084] 21:29:05:770: EapPeapSMakeMessage done
[1084] 21:29:05:770: EapPeapMakeMessage done
[1084] 21:29:05:770: EapPeapEnd12:14 AM 3/7/2005
[1084] 21:29:05:770: EapTlsEnd(wireless\test)
[1084] 21:29:05:770: EapPeapEnd done
[2240] 21:29:05:861: EapPeapMakeMessage
[2240] 21:29:05:861: EapPeapSMakeMessage
[2240] 21:29:05:861: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:05:861: EapTlsSMakeMessage
[2240] 21:29:05:861: MakeReplyMessage
[2240] 21:29:05:861: Reallocating input TLS blob buffer
[2240] 21:29:05:861: SecurityContextFunction
[2240] 21:29:05:871: AcceptSecurityContext returned 0x90312
[2240] 21:29:05:871: State change to SentHello
[2240] 21:29:05:871: BuildPacket
[2240] 21:29:05:871: << Sending Request (Code: 1) packet: Id: 3, Length: 1396, Type: 13, TLS blob length: 4641. Flags: LM
[2240] 21:29:05:871: EapPeapSMakeMessage done
[2240] 21:29:05:871: EapPeapMakeMessage done
[1084] 21:29:05:961: EapPeapMakeMessage
[1084] 21:29:05:961: EapPeapSMakeMessage
[1084] 21:29:05:961: PEAP:PEAP_STATE_TLS_INPROGRESS
[1084] 21:29:05:961: EapTlsSMakeMessage
[1084] 21:29:05:961: BuildPacket
[1084] 21:29:05:961: << Sending Request (Code: 1) packet: Id: 4, Length: 1396, Type: 13, TLS blob length: 0. Flags: M
[1084] 21:29:05:961: EapPeapSMakeMessage done
[1084] 21:29:05:961: EapPeapMakeMessage done
[2240] 21:29:06:071: EapPeapMakeMessage
[2240] 21:29:06:071: EapPeapSMakeMessage
[2240] 21:29:06:071: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:06:071: EapTlsSMakeMessage
[2240] 21:29:06:071: BuildPacket
[2240] 21:29:06:071: << Sending Request (Code: 1) packet: Id: 5, Length: 1396, Type: 13, TLS blob length: 0. Flags: M
[2240] 21:29:06:071: EapPeapSMakeMessage done
[2240] 21:29:06:071: EapPeapMakeMessage done
[1084] 21:29:06:171: EapPeapMakeMessage
[1084] 21:29:06:171: EapPeapSMakeMessage
[1084] 21:29:06:171: PEAP:PEAP_STATE_TLS_INPROGRESS
[1084] 21:29:06:171: EapTlsSMakeMessage
[1084] 21:29:06:171: BuildPacket
[1084] 21:29:06:171: << Sending Request (Code: 1) packet: Id: 6, Length: 481, Type: 13, TLS blob length: 0. Flags:
[1084] 21:29:06:171: EapPeapSMakeMessage done
[1084] 21:29:06:171: EapPeapMakeMessage done
[1084] 21:29:06:271: EapPeapMakeMessage
[1084] 21:29:06:271: EapPeapSMakeMessage
[1084] 21:29:06:271: PEAP:PEAP_STATE_TLS_INPROGRESS
[1084] 21:29:06:271: EapTlsSMakeMessage
[1084] 21:29:06:271: MakeReplyMessage
[1084] 21:29:06:271: Reallocating input TLS blob buffer
[1084] 21:29:06:271: SecurityContextFunction
[1084] 21:29:06:281: AcceptSecurityContext returned 0x0
[1084] 21:29:06:281: AuthenticateUser
[1084] 21:29:06:281: QueryContextAttributes failed and returned 0x8009030e
[1084] 21:29:06:281: Got no credentials from the client and executing PEAP.  This is a success for eaptls.
[1084] 21:29:06:281: SetTLSFastReconnect
[1084] 21:29:06:281: IsTLSSessionReconnect
[1084] 21:29:06:281: Fast Reconnects Enabled/Disabled
[1084] 21:29:06:281: CreateMPPEKeyAttributes
[1084] 21:29:06:281: State change to SentFinished
[1084] 21:29:06:281: BuildPacket
[1084] 21:29:06:281: << Sending Request (Code: 1) packet: Id: 7, Length: 53, Type: 13, TLS blob length: 43. Flags: L
[1084] 21:29:06:281: EapPeapSMakeMessage done
[1084] 21:29:06:281: EapPeapMakeMessage done
[2240] 21:29:06:381: EapPeapMakeMessage
[2240] 21:29:06:381: EapPeapSMakeMessage
[2240] 21:29:06:381: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:06:381: EapTlsSMakeMessage
[2240] 21:29:06:381: Negotiation successful
[2240] 21:29:06:381: BuildPacket
[2240] 21:29:06:381: << Sending Success (Code: 3) packet: Id: 7, Length: 4, Type: 0, TLS blob length: 0. Flags:
[2240] 21:29:06:381: AuthResultCode = (0), bCode = (3)
[2240] 21:29:06:381: PeapGetTunnelProperties
[2240] 21:29:06:381: Successfully negotiated TLS with following parametersdwProtocol = 0x40, Cipher= 0x6801, CipherStrength=0x80, Hash=0x8003
[2240] 21:29:06:381: PeapGetTunnelProperties done
[2240] 21:29:06:381: GetTLSSessionCookie
[2240] 21:29:06:381: IsTLSSessionReconnect
[2240] 21:29:06:381: Full TLS handshake
[2240] 21:29:06:381: PeapEncryptTunnelData
[2240] 21:29:06:381: PeapEncryptTunnelData completed with status 0x0
[2240] 21:29:06:381: EapPeapSMakeMessage done
[2240] 21:29:06:381: EapPeapMakeMessage done
[2240] 21:29:06:482: EapPeapMakeMessage
[2240] 21:29:06:482: EapPeapSMakeMessage
[2240] 21:29:06:482: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[2240] 21:29:06:482: PeapDecryptTunnelData
[2240] 21:29:06:482: PeapDecryptTunnelData completed with status 0x0
[2240] 21:29:06:482: PeapEncryptTunnelData
[2240] 21:29:06:482: PeapEncryptTunnelData completed with status 0x0
[2240] 21:29:06:482: EapPeapSMakeMessage done
[2240] 21:29:06:482: EapPeapMakeMessage done
[1084] 21:29:06:992: EapPeapMakeMessage
[1084] 21:29:06:992: EapPeapSMakeMessage
[1084] 21:29:06:992: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[1084] 21:29:06:992: PeapDecryptTunnelData
[1084] 21:29:06:992: PeapDecryptTunnelData completed with status 0x0
[1084] 21:29:07:032: PeapEncryptTunnelData
[1084] 21:29:07:032: PeapEncryptTunnelData completed with status 0x0
[1084] 21:29:07:032: EapPeapSMakeMessage done
[1084] 21:29:07:032: EapPeapMakeMessage done
[2240] 21:29:07:132: EapPeapMakeMessage
[2240] 21:29:07:132: EapPeapSMakeMessage
[2240] 21:29:07:132: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[2240] 21:29:07:132: PeapDecryptTunnelData
[2240] 21:29:07:132: PeapDecryptTunnelData completed with status 0x0
[2240] 21:29:07:132: CreatePEAPTLVStatusMessage
[2240] 21:29:07:132: PeapEncryptTunnelData
[2240] 21:29:07:132: PeapEncryptTunnelData completed with status 0x0
[2240] 21:29:07:132: PeapSetTypeUserAttributes
[2240] 21:29:07:132: EapPeapSMakeMessage done
[2240] 21:29:07:132: EapPeapMakeMessage done
[2240] 21:29:07:233: EapPeapMakeMessage
[2240] 21:29:07:233: EapPeapSMakeMessage
[2240] 21:29:07:233: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
[2240] 21:29:07:233: PeapDecryptTunnelData
[2240] 21:29:07:233: PeapDecryptTunnelData completed with status 0x0
[2240] 21:29:07:233: GetPEAPTLVStatusMessageValue
[2240] 21:29:07:233: PeapCreateCookie
[2240] 21:29:07:233: SetTLSSessionCookie
[2240] 21:29:07:233: Session cookie set successfully

[2240] 21:29:07:233: PeapAddContextAttributes
[2240] 21:29:07:233: RasAuthAttributeConcat
[2240] 21:29:07:233: EapPeapSMakeMessage done
[2240] 21:29:07:233: EapPeapMakeMessage do
0
Question by:4isteam
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 750 total points
ID: 13487946
You already had the answer--"Wireless Authentication CA is not present."  
This document should help you set up your CA for the IAS server:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_dep_srv_pki.asp

Although after reviewing your log, PEAP appears to have negotiated properly.

This is an additional troubleshooting guide:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_tbr0.asp

Look at the second issue:
Problem: Connection attempts using Protected Extensible Authentication Protocol (PEAP) fail.
Cause:  The wireless remote access policy on the IAS server is not configured to use PEAP as the authentication method.
Solution:  Create a wireless remote access policy on the IAS server that is configured with PEAP-EAP-MS-CHAPv2 or PEAP-EAP-TLS.

I believe this should correct what is misconfigured.

HTH
0
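An added example, not part of the original thread: a small Python parser that summarises an IAS EAP trace like the one posted in the question, listing the PEAP state sequence and flagging any status code that is not expected in a clean handshake. The function name `summarise`, the regexes and the `BENIGN` table are assumptions made for this illustration; the sample lines are an excerpt of the posted log.

```python
import re

# Excerpt of the IAS EAP trace posted in the question (not the full log).
SAMPLE = """\
[1084] 21:29:05:770: PEAP:PEAP_STATE_INITIAL
[1084] 21:29:05:770: << Sending Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[2240] 21:29:05:861: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:05:871: AcceptSecurityContext returned 0x90312
[1084] 21:29:06:281: AcceptSecurityContext returned 0x0
[1084] 21:29:06:281: QueryContextAttributes failed and returned 0x8009030e
[2240] 21:29:06:381: << Sending Success (Code: 3) packet: Id: 7, Length: 4, Type: 0, TLS blob length: 0. Flags:
[2240] 21:29:06:482: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[1084] 21:29:06:992: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[2240] 21:29:07:233: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
"""

LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d\d\d): (.*)$")
STATE = re.compile(r"^PEAP:(PEAP_STATE_\w+)$")
PACKET = re.compile(r"^<< Sending (\w+) \(Code: (\d+)\) packet: Id: (\d+)")
STATUS = re.compile(r"^(\w+) .*?(?:returned|with status) (0x[0-9a-fA-F]+)$")
# SSPI status values that do not mean a failed handshake in this trace; the log
# itself notes that "no credentials" is a success for EAP-TLS when running PEAP.
BENIGN = {0x0: "SEC_E_OK", 0x90312: "SEC_I_CONTINUE_NEEDED",
          0x8009030E: "SEC_E_NO_CREDENTIALS"}

def summarise(trace):
    """Return PEAP states in order, packets sent, and unexpected status codes."""
    states, packets, errors = [], [], []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # hex dump rows, blank lines, anything without a timestamp
        msg = m.group(3).strip()
        if s := STATE.match(msg):
            if not states or states[-1] != s.group(1):
                states.append(s.group(1))  # collapse consecutive repeats
        elif p := PACKET.match(msg):
            packets.append((p.group(1), int(p.group(2)), int(p.group(3))))
        elif st := STATUS.match(msg):
            code = int(st.group(2), 16)
            if code not in BENIGN:
                errors.append((m.group(2), st.group(1), hex(code)))
    return {"states": states, "errors": errors,
            "success_packet": any(k == "Success" and c == 3 for k, c, _ in packets),
            "peap_success": bool(states) and states[-1] == "PEAP_STATE_PEAP_SUCCESS_SEND"}
```

On the posted excerpt this reports no unexpected status codes and a final state of PEAP_STATE_PEAP_SUCCESS_SEND, which is consistent with the observation above that PEAP negotiated properly.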
 

Author Comment

by:4isteam
ID: 13497848
Thanks for your response. I am able to get authenticated to the access point and server. The log status at the access point says successful and Event Viewer also says successful using 802.1x, so it seems authentication is happening. I just can't get an IP from the same computer I'm trying to log in from. This is the same computer that is getting authenticated. If it gets authenticated, how come I don't get an IP address?
0
 
LVL 12

Expert Comment

by:Phil_Agcaoili
ID: 13776598
I'm not familiar with 3Com APs, but check out the IP address lease assignments.

There should be a list of IPs that are granted after 802.1x.

Sorry if I'm not much more help here.
0
