Solved

Slow RADIUS authentication

Posted on 2011-03-03
Last Modified: 2012-05-11
10:44:00 - System boot
10:45:33 - The Wired Autoconfig Service is starting
10:45:33 - The Wired Autoconfig service entered the running state
10:45:33 - The profile was applied on the network adapter
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Profile Type: Interface
      Profile Content:
      AutoConfig Version: 1
      802.1x: Enabled
      802.1x: Not Enforced
      EAP type: Microsoft: Protected EAP (PEAP)
      802.1X auth credential: Machine or user credential
      Cache user information: Yes

10:45:33 - There has been an NDIS Port state change on this network adapter.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      NDIS Control State: UnControlled
      NDIS Auth State: UnAuthorized

10:45:33 - Wired 802.1X Authentication was started.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Connection ID: 0x1

10:45:33 - Network authentication attempts have been temporarily suspended on this network adapter.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Reason Code: Explicit Eap failure received
      Length of block timer (seconds): 1200

10:45:33 - Wired 802.1X Authentication failed. (Error)

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x1
      Identity: host/xxxxxxxxxxxx.local
      User: -
      Domain: -
      Reason: 0x50005
      Reason Text: Explicit Eap failure received
      Error Code: 0x40420110

10:45:36 - Network authentication attempts have been resumed on this network adapter.
10:45:36 - Wired 802.1X Authentication was started.
10:45:44 - Wired 802.1X Authentication was restarted.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Connection ID: 0x2
      Restart Reason: Onex User Changed

10:45:59 - Wired 802.1X Authentication succeeded.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x2
      Identity: -
      User: -
      Domain: -
      Reason: 0x70003
      Reason Text: The network does not support authentication
      Error Code: 0x0

10:46:33 - Wired 802.1X Authentication succeeded.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x2
      Identity: domain\user (changed)
      User: XXX
      Domain: XXXXX
      Reason: 0x0
      Reason Text: The operation was successful
      Error Code: 0x0

10:46:33 - There has been an NDIS Port state change on this network adapter.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      NDIS Control State: UnControlled
      NDIS Auth State: Authorized

Connected and everything works fine.
Can anyone explain what is happening here? It's obviously some misconfiguration.
Startup scripts don't execute and we're not getting shares/printers etc. when using RADIUS, as it is probably too slow.

Policy is configured to check for username/pass and the VLAN group is the condition.
Switches are Dell Powerconnect 6248, and RADIUS is Windows 2003 R2.
Question by:olemrefv
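As an added example (not part of the question or any of the answers), here is a small parser for the Wired AutoConfig export above that pulls out which identity failed, the block timer the client armed, and how long the port stayed unauthorized until the success with Reason 0x0. The log excerpt is constructed from the question's own events, and the function names are my own.

```python
import re
from datetime import datetime
# Constructed excerpt of the Wired AutoConfig export quoted in the question (same
# timestamps, identities and reason codes; adapter details dropped for brevity).
SAMPLE_LOG = """\
10:45:33 - Wired 802.1X Authentication was started.
10:45:33 - Network authentication attempts have been temporarily suspended on this network adapter.
      Length of block timer (seconds): 1200
10:45:33 - Wired 802.1X Authentication failed. (Error)
      Identity: host/xxxxxxxxxxxx.local
      Reason: 0x50005
10:45:59 - Wired 802.1X Authentication succeeded.
      Identity: -
      Reason: 0x70003
10:46:33 - Wired 802.1X Authentication succeeded.
      Identity: domain\\user
      Reason: 0x0
"""
EVENT_RE = re.compile(r"^(\d\d:\d\d:\d\d) - (.+)$")

def parse_events(text):
    """Group each timestamped event with the indented 'Key: Value' lines under it."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m.group(1), "%H:%M:%S"),
                           "msg": m.group(2), "fields": {}})
        elif events and ": " in line.strip():
            key, value = line.strip().split(": ", 1)
            events[-1]["fields"][key] = value
    return events

def explain_delay(text):
    """Report the failing and succeeding identities and the delay; only Reason 0x0 counts as success."""
    events = parse_events(text)
    started = next(e for e in events if "Authentication was started" in e["msg"])
    failed = next((e for e in events if "Authentication failed" in e["msg"]), None)
    block = next((e for e in events if "temporarily suspended" in e["msg"]), None)
    # The 0x70003 'succeeded' event carries no identity, so it is skipped here.
    success = next(e for e in events if "Authentication succeeded" in e["msg"]
                   and e["fields"].get("Reason") == "0x0")
    return {
        "failed_identity": failed["fields"].get("Identity") if failed else None,
        "failure_reason": failed["fields"].get("Reason") if failed else None,
        "block_timer_seconds": int(block["fields"]["Length of block timer (seconds)"]) if block else 0,
        "success_identity": success["fields"].get("Identity"),
        "delay_seconds": int((success["time"] - started["time"]).total_seconds()),
    }
```

The `host/` identity on the failed attempt is the machine credential and the `domain\user` identity on the final success is the user credential, which is the switch-over the accepted answer points at.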
11 Comments
 
LVL 11

Expert Comment

by:Tasmant
ID: 35026271
take a look at this and try please : http://support.microsoft.com/kb/953650/en-us
 

Author Comment

by:olemrefv
ID: 35026467
That is for clients not able to connect at all. I'm running Windows 7 and have Wired Autoconfig configured.
I can successfully connect, it just takes a while due to the errors during the process.
 
LVL 11

Accepted Solution

by:Tasmant
ID: 35026722
- do you use computer authentication or user authentication?
- in which way? certificate or mschapv2?
 

Author Comment

by:olemrefv
ID: 35026805
I'm using user authentication (User groups).
EAP types: MSCHAP2 v2 and PEAP.
 
LVL 11

Assisted Solution

by:Tasmant
ID: 35026931
 

Author Comment

by:olemrefv
ID: 35027100
Yes, as you can see in the question, each policy is applied for each VLAN group. So if a user is in VLAN user group 3, the switchport will be set to VLAN 3. This works perfectly. It all works, but some errors are causing some serious delay and the authentication doesn't succeed until like 2 minutes have passed. So I'm wondering what fails before it succeeds...
 

Author Comment

by:olemrefv
ID: 35027228
Btw, it's gonna be a problem for me reading french Microsoft articles :)
 
LVL 11

Expert Comment

by:Tasmant
ID: 35027537
I might be wrong but I've the feeling the computers cannot authenticate at startup and wait until you enter your user credentials and are therefore authorized to connect.
So I would check if the computer account is a member of the VLAN group, and maybe review or change the way the computer authenticates.

Did you set the "control access through remote access policy" for both user and computer accounts? (dial-in tab)
I've reviewed the documentation and it's clear that PEAP-MS-CHAP v2 does not need computer certificates on wired clients.

But I've also found this:
For computer authentication with EAP-TLS, you must install a computer certificate, also known as a machine certificate, on the wired client computer. A computer certificate installed on the wired client computer is used to authenticate the wired client computer so that the computer can obtain network connectivity to the organization intranet and computer configuration Group Policy updates prior to user login. For user authentication with EAP-TLS after a network connection is made and the user logs in, you must use a user certificate on the wired client computer.

So it would mean that with PEAP-MS-CHAP v2 we couldn't authenticate prior to user login.

But later I've this:
Some network administrators want to use only computer authentication. By using only computer authentication, a client computer must perform computer-level 802.1X authentication with an authenticating switch using either a computer certificate (when using EAP-TLS authentication) or the computer's account name and password (when using PEAP-MS-CHAP v2 authentication) before it can access the organization network.

 
LVL 11

Expert Comment

by:Tasmant
ID: 35027565
 

Author Comment

by:olemrefv
ID: 35095286
Problem Solved. Select "user authentication" only under the authentication tab. I also enabled portfast and disabled STP. Now it's really fast.
 

Author Closing Comment

by:olemrefv
ID: 35095325
Solved.
