Wireless with Radius Authentication

I have a 3Com access point set up with RADIUS 802.1x authentication. The access point log files show authentication as successful, and so does the client laptop's Wireless Network Connection. In the IAS server log files it also seems like authentication is successful, although I can't get an IP address at the client. From the installation instructions for IAS and the CA, there is only one aspect I can't install. The instructions specify to make sure the RAS and IAS Server Authentication CA template is present, and also Wireless Authentication. RAS and IAS Server is installed but the Wireless CA is not. When trying to install the Wireless Authentication CA by going to Certificate Templates and choosing Certificate Template to Issue, Wireless Authentication CA is not present. I'm not sure if this might be where the issue I'm having lies. Here is a sample of a log file that might be helpful. Any help in this matter is greatly appreciated.

 EapTlsBegin(WIRELESS\test)
[1084] 21:29:05:770: SetupMachineChangeNotification
[1084] 21:29:05:770: State change to Initial
[1084] 21:29:05:770: EapTlsBegin: Detected PEAP authentication
[1084] 21:29:05:770: MaxTLSMessageLength is now 16384
[1084] 21:29:05:770: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1084] 21:29:05:770: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1084] 21:29:05:770: The root cert will not be checked for revocation
[1084] 21:29:05:770: The cert will be checked for revocation
[1084] 21:29:05:770: EapPeapBegin done
[1084] 21:29:05:770: EapPeapMakeMessage
[1084] 21:29:05:770: EapPeapSMakeMessage
[1084] 21:29:05:770: PEAP:PEAP_STATE_INITIAL
[1084] 21:29:05:770: EapTlsSMakeMessage
[1084] 21:29:05:770: EapTlsReset
[1084] 21:29:05:770: State change to Initial
[1084] 21:29:05:770: GetCredentials
[1084] 21:29:05:770: Flag is Server and Store is local Machine
[1084] 21:29:05:770: GetCachedCredentials Flags = 0x4061
[1084] 21:29:05:770: GetCachedCredentials: Using Cached Credentials
[1084] 21:29:05:770: GetCachedCredentials: Hash of the cert in the cache is
 
 9 6   6 2   5 C   F C   8 8   E F   5 2   A B   A 0   8 A   5 0   A 9   4 9   9 8   2 5   E D   | . b \ . . . R . . . P . I . % . |
 
 C D   B 7   0 6   0 B   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   | . . . . . . . . . . . . . . . . |
[1084] 21:29:05:770: BuildPacket
[1084] 21:29:05:770: << Sending Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1084] 21:29:05:770: State change to SentStart
[1084] 21:29:05:770: EapPeapSMakeMessage done
[1084] 21:29:05:770: EapPeapMakeMessage done
[1084] 21:29:05:770: EapPeapEnd12:14 AM 3/7/2005
[1084] 21:29:05:770: EapTlsEnd(wireless\test)
[1084] 21:29:05:770: EapPeapEnd done
[2240] 21:29:05:861: EapPeapMakeMessage
[2240] 21:29:05:861: EapPeapSMakeMessage
[2240] 21:29:05:861: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:05:861: EapTlsSMakeMessage
[2240] 21:29:05:861: MakeReplyMessage
[2240] 21:29:05:861: Reallocating input TLS blob buffer
[2240] 21:29:05:861: SecurityContextFunction
[2240] 21:29:05:871: AcceptSecurityContext returned 0x90312
[2240] 21:29:05:871: State change to SentHello
[2240] 21:29:05:871: BuildPacket
[2240] 21:29:05:871: << Sending Request (Code: 1) packet: Id: 3, Length: 1396, Type: 13, TLS blob length: 4641. Flags: LM
[2240] 21:29:05:871: EapPeapSMakeMessage done
[2240] 21:29:05:871: EapPeapMakeMessage done
[1084] 21:29:05:961: EapPeapMakeMessage
[1084] 21:29:05:961: EapPeapSMakeMessage
[1084] 21:29:05:961: PEAP:PEAP_STATE_TLS_INPROGRESS
[1084] 21:29:05:961: EapTlsSMakeMessage
[1084] 21:29:05:961: BuildPacket
[1084] 21:29:05:961: << Sending Request (Code: 1) packet: Id: 4, Length: 1396, Type: 13, TLS blob length: 0. Flags: M
[1084] 21:29:05:961: EapPeapSMakeMessage done
[1084] 21:29:05:961: EapPeapMakeMessage done
[2240] 21:29:06:071: EapPeapMakeMessage
[2240] 21:29:06:071: EapPeapSMakeMessage
[2240] 21:29:06:071: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:06:071: EapTlsSMakeMessage
[2240] 21:29:06:071: BuildPacket
[2240] 21:29:06:071: << Sending Request (Code: 1) packet: Id: 5, Length: 1396, Type: 13, TLS blob length: 0. Flags: M
[2240] 21:29:06:071: EapPeapSMakeMessage done
[2240] 21:29:06:071: EapPeapMakeMessage done
[1084] 21:29:06:171: EapPeapMakeMessage
[1084] 21:29:06:171: EapPeapSMakeMessage
[1084] 21:29:06:171: PEAP:PEAP_STATE_TLS_INPROGRESS
[1084] 21:29:06:171: EapTlsSMakeMessage
[1084] 21:29:06:171: BuildPacket
[1084] 21:29:06:171: << Sending Request (Code: 1) packet: Id: 6, Length: 481, Type: 13, TLS blob length: 0. Flags:
[1084] 21:29:06:171: EapPeapSMakeMessage done
[1084] 21:29:06:171: EapPeapMakeMessage done
[1084] 21:29:06:271: EapPeapMakeMessage
[1084] 21:29:06:271: EapPeapSMakeMessage
[1084] 21:29:06:271: PEAP:PEAP_STATE_TLS_INPROGRESS
[1084] 21:29:06:271: EapTlsSMakeMessage
[1084] 21:29:06:271: MakeReplyMessage
[1084] 21:29:06:271: Reallocating input TLS blob buffer
[1084] 21:29:06:271: SecurityContextFunction
[1084] 21:29:06:281: AcceptSecurityContext returned 0x0
[1084] 21:29:06:281: AuthenticateUser
[1084] 21:29:06:281: QueryContextAttributes failed and returned 0x8009030e
[1084] 21:29:06:281: Got no credentials from the client and executing PEAP.  This is a success for eaptls.
[1084] 21:29:06:281: SetTLSFastReconnect
[1084] 21:29:06:281: IsTLSSessionReconnect
[1084] 21:29:06:281: Fast Reconnects Enabled/Disabled
[1084] 21:29:06:281: CreateMPPEKeyAttributes
[1084] 21:29:06:281: State change to SentFinished
[1084] 21:29:06:281: BuildPacket
[1084] 21:29:06:281: << Sending Request (Code: 1) packet: Id: 7, Length: 53, Type: 13, TLS blob length: 43. Flags: L
[1084] 21:29:06:281: EapPeapSMakeMessage done
[1084] 21:29:06:281: EapPeapMakeMessage done
[2240] 21:29:06:381: EapPeapMakeMessage
[2240] 21:29:06:381: EapPeapSMakeMessage
[2240] 21:29:06:381: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:06:381: EapTlsSMakeMessage
[2240] 21:29:06:381: Negotiation successful
[2240] 21:29:06:381: BuildPacket
[2240] 21:29:06:381: << Sending Success (Code: 3) packet: Id: 7, Length: 4, Type: 0, TLS blob length: 0. Flags:
[2240] 21:29:06:381: AuthResultCode = (0), bCode = (3)
[2240] 21:29:06:381: PeapGetTunnelProperties
[2240] 21:29:06:381: Successfully negotiated TLS with following parametersdwProtocol = 0x40, Cipher= 0x6801, CipherStrength=0x80, Hash=0x8003
[2240] 21:29:06:381: PeapGetTunnelProperties done
[2240] 21:29:06:381: GetTLSSessionCookie
[2240] 21:29:06:381: IsTLSSessionReconnect
[2240] 21:29:06:381: Full TLS handshake
[2240] 21:29:06:381: PeapEncryptTunnelData
[2240] 21:29:06:381: PeapEncryptTunnelData completed with status 0x0
[2240] 21:29:06:381: EapPeapSMakeMessage done
[2240] 21:29:06:381: EapPeapMakeMessage done
[2240] 21:29:06:482: EapPeapMakeMessage
[2240] 21:29:06:482: EapPeapSMakeMessage
[2240] 21:29:06:482: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[2240] 21:29:06:482: PeapDecryptTunnelData
[2240] 21:29:06:482: PeapDecryptTunnelData completed with status 0x0
[2240] 21:29:06:482: PeapEncryptTunnelData
[2240] 21:29:06:482: PeapEncryptTunnelData completed with status 0x0
[2240] 21:29:06:482: EapPeapSMakeMessage done
[2240] 21:29:06:482: EapPeapMakeMessage done
[1084] 21:29:06:992: EapPeapMakeMessage
[1084] 21:29:06:992: EapPeapSMakeMessage
[1084] 21:29:06:992: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[1084] 21:29:06:992: PeapDecryptTunnelData
[1084] 21:29:06:992: PeapDecryptTunnelData completed with status 0x0
[1084] 21:29:07:032: PeapEncryptTunnelData
[1084] 21:29:07:032: PeapEncryptTunnelData completed with status 0x0
[1084] 21:29:07:032: EapPeapSMakeMessage done
[1084] 21:29:07:032: EapPeapMakeMessage done
[2240] 21:29:07:132: EapPeapMakeMessage
[2240] 21:29:07:132: EapPeapSMakeMessage
[2240] 21:29:07:132: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[2240] 21:29:07:132: PeapDecryptTunnelData
[2240] 21:29:07:132: PeapDecryptTunnelData completed with status 0x0
[2240] 21:29:07:132: CreatePEAPTLVStatusMessage
[2240] 21:29:07:132: PeapEncryptTunnelData
[2240] 21:29:07:132: PeapEncryptTunnelData completed with status 0x0
[2240] 21:29:07:132: PeapSetTypeUserAttributes
[2240] 21:29:07:132: EapPeapSMakeMessage done
[2240] 21:29:07:132: EapPeapMakeMessage done
[2240] 21:29:07:233: EapPeapMakeMessage
[2240] 21:29:07:233: EapPeapSMakeMessage
[2240] 21:29:07:233: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
[2240] 21:29:07:233: PeapDecryptTunnelData
[2240] 21:29:07:233: PeapDecryptTunnelData completed with status 0x0
[2240] 21:29:07:233: GetPEAPTLVStatusMessageValue
[2240] 21:29:07:233: PeapCreateCookie
[2240] 21:29:07:233: SetTLSSessionCookie
[2240] 21:29:07:233: Session cookie set successfully

[2240] 21:29:07:233: PeapAddContextAttributes
[2240] 21:29:07:233: RasAuthAttributeConcat
[2240] 21:29:07:233: EapPeapSMakeMessage done
[2240] 21:29:07:233: EapPeapMakeMessage do
Asked by: 4isteam

1 Solution
 
Phil_Agcaoili Commented:
You already had the answer: "Wireless Authentication CA is not present."
This document should help you set up your CA for the IAS server:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_dep_srv_pki.asp

Although after reviewing your log, PEAP appears to have negotiated properly.

This is an additional troubleshooting guide:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ias_tbr0.asp

Look at the second issue:
Problem: Connection attempts using Protected Extensible Authentication Protocol (PEAP) fail.
Cause:  The wireless remote access policy on the IAS server is not configured to use PEAP as the authentication method.
Solution:  Create a wireless remote access policy on the IAS server that is configured with PEAP-EAP-MS-CHAPv2 or PEAP-EAP-TLS.

I believe this should correct what is misconfigured.

HTH
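
A small parser for the server-side trace format shown in the question, as an added example that is not part of the original thread: it reduces the trace to the PEAP state transitions, the TLS negotiation result, the AuthResultCode and the revocation errors the server refuses to ignore. The names `summarize_peap_trace` and `SAMPLE` are hypothetical, and treating `PEAP_STATE_PEAP_SUCCESS_SEND` as the completion marker is an assumption.

```python
import re

# Line shape used by the trace on this page: "[thread] HH:MM:SS:mmm: message"
LINE_RE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d{3}): (.*)$")
STATE_RE = re.compile(r"PEAP:(PEAP_STATE_\w+)")
RESULT_RE = re.compile(r"AuthResultCode = \((\d+)\)")
STRICT_RE = re.compile(r"(CRYPT_E_\w+) will not be ignored")

# Assumption: reaching this state means the server finished the PEAP exchange.
FINAL_STATE = "PEAP_STATE_PEAP_SUCCESS_SEND"

def summarize_peap_trace(text):
    """Reduce a server-side PEAP trace to the facts that matter for triage."""
    out = {"states": [], "tls_negotiated": False, "auth_result": None,
           "strict_revocation": [], "skipped": 0}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:            # hex dump rows, truncated or fused lines
            out["skipped"] += 1
            continue
        msg = m.group(3)
        state = STATE_RE.search(msg)
        if state and state.group(1) not in out["states"][-1:]:
            out["states"].append(state.group(1))   # keep transitions only
        if "Negotiation successful" in msg:
            out["tls_negotiated"] = True
        result = RESULT_RE.search(msg)
        if result:
            out["auth_result"] = int(result.group(1))
        strict = STRICT_RE.search(msg)
        if strict:
            out["strict_revocation"].append(strict.group(1))
    out["peap_completed"] = (out["tls_negotiated"] and out["auth_result"] == 0
                             and FINAL_STATE in out["states"])
    return out

# Lines copied from the trace in the question, reduced to one per event.
SAMPLE = """\
[1084] 21:29:05:770: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1084] 21:29:05:770: PEAP:PEAP_STATE_INITIAL
[2240] 21:29:05:861: PEAP:PEAP_STATE_TLS_INPROGRESS
[1084] 21:29:05:961: PEAP:PEAP_STATE_TLS_INPROGRESS
[2240] 21:29:06:381: Negotiation successful
[2240] 21:29:06:381: AuthResultCode = (0), bCode = (3)
[2240] 21:29:06:482: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
[1084] 21:29:06:992: PEAP:PEAP_STATE_EAP_TYPE_INPROGRESS
[2240] 21:29:07:233: PEAP:PEAP_STATE_PEAP_SUCCESS_SEND
"""
```

A completed exchange in this summary covers only the 802.1X authentication; address assignment is a separate step, which is what the rest of the thread goes on to ask about.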
 
4isteam (Author) Commented:
Thanks for your response. I am able to get authenticated to the access point and server. The log status at the access point says successful, and Event Viewer also says successful using 802.1x, so it seems authentication is happening. I just can't get an IP from the same computer I'm trying to log in from. This is the same computer that is getting authenticated. If it gets authenticated, how come I don't get an IP address?
 
Phil_Agcaoili Commented:
I'm not familiar with 3Com APs, but check out the IP address lease assignments.

There should be a list of IPs that are granted after 802.1x.

Sorry if I'm not much more help here.