  • Status: Solved
  • Priority: Medium
  • Security: Public

Slow RADIUS authentication

10:44:00 - System boot
10:45:33 - The Wired Autoconfig Service is starting
10:45:33 - The Wired Autoconfig service entered the running state
10:45:33 - The profile was applied on the network adapter
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Profile Type: Interface
      Profile Content:
      AutoConfig Version: 1
      802.1x: Enabled
      802.1x: Not Enforced
      EAP type: Microsoft: Protected EAP (PEAP)
      802.1X auth credential: Machine or user credential
      Cache user information: Yes

10:45:33 - There has been an NDIS Port state change on this network adapter.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      NDIS Control State: UnControlled
      NDIS Auth State: UnAuthorized

10:45:33 - Wired 802.1X Authentication was started.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Connection ID: 0x1

10:45:33 - Network authentication attempts have been temporarily suspended on this network adapter.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Reason Code: Explicit Eap failure received
      Length of block timer (seconds): 1200

10:45:33 - Wired 802.1X Authentication failed. (Error)

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x1
      Identity: host/xxxxxxxxxxxx.local
      User: -
      Domain: -
      Reason: 0x50005
      Reason Text: Explicit Eap failure received
      Error Code: 0x40420110

10:45:36 - Network authentication attempts have been resumed on this network adapter.
10:45:36 - Wired 802.1X Authentication was started.
10:45:44 - Wired 802.1X Authentication was restarted.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Connection ID: 0x2
      Restart Reason: Onex User Changed

10:45:59 - Wired 802.1X Authentication succeeded.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x2
      Identity: -
      User: -
      Domain: -
      Reason: 0x70003
      Reason Text: The network does not support authentication
      Error Code: 0x0

10:46:33 - Wired 802.1X Authentication succeeded.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x2
      Identity: domain\user (changed)
      User: XXX
      Domain: XXXXX
      Reason: 0x0
      Reason Text: The operation was successful
      Error Code: 0x0

10:46:33 - There has been an NDIS Port state change on this network adapter.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      NDIS Control State: UnControlled
      NDIS Auth State: Authorized

Connected and everything works fine.
Can anyone explain what is happening here?  It's obviously some misconfiguration.
Startup scripts don't execute and we're not getting shares/printers etc. when using RADIUS, as it is probably too slow.

Policy is configured to check for username/pass and the VLAN group is the condition.
Switches are Dell Powerconnect 6248, and RADIUS is Windows 2003 R2.
olemrefv
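
The timeline in the question can be read mechanically. This added Python example (not part of the original post) parses an excerpt condensed from that log and reports the seconds from the first authentication start to an authorized port, and which credential type failed or succeeded. The function names are illustrative, and it assumes the `HH:MM:SS - message` layout with indented `Key: Value` fields shown above.

```python
import re
from datetime import datetime

# Condensed excerpt of the Wired AutoConfig timeline posted in the question.
SAMPLE = """\
10:45:33 - Wired 802.1X Authentication was started.
10:45:33 - Wired 802.1X Authentication failed. (Error)
      Identity: host/xxxxxxxxxxxx.local
      Reason Text: Explicit Eap failure received
10:45:44 - Wired 802.1X Authentication was restarted.
      Restart Reason: Onex User Changed
10:46:33 - Wired 802.1X Authentication succeeded.
      Identity: domain\\user (changed)
      Reason Text: The operation was successful
10:46:33 - There has been an NDIS Port state change on this network adapter.
      NDIS Auth State: Authorized
"""

EVENT = re.compile(r"^(\d\d:\d\d:\d\d) - (.+)$")
FIELD = re.compile(r"^\s+([^:]+):\s*(.*)$")

def parse(text):
    """Split the timeline into events: (time, message, {field: value})."""
    events = []
    for line in text.splitlines():
        if m := EVENT.match(line):
            events.append((datetime.strptime(m[1], "%H:%M:%S"), m[2], {}))
        elif events and (f := FIELD.match(line)):
            events[-1][2][f[1].strip()] = f[2].strip()
    return events

def credential_kind(identity):
    """host/... is the computer account; DOMAIN\\user is a user logon."""
    if identity.startswith("host/"):
        return "machine"
    return "user" if "\\" in identity else "unknown"

def summarize(events):
    """Seconds from first auth start to an authorized port, plus outcome per credential."""
    start = next(t for t, msg, _ in events if "Authentication was started" in msg)
    done = next(t for t, _, f in events if f.get("NDIS Auth State") == "Authorized")
    outcome = {}
    for _, msg, f in events:
        for word in ("failed", "succeeded"):
            if f"Authentication {word}" in msg and "Identity" in f:
                outcome.setdefault(word, []).append(credential_kind(f["Identity"]))
    return int((done - start).total_seconds()), outcome

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

On this excerpt the attempt that fails carries the `host/` computer identity, and the port only becomes authorized once the user identity succeeds.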

Tasmant Commented:
Take a look at this and try it please: http://support.microsoft.com/kb/953650/en-us

olemrefv (Author) Commented:
That is for clients not able to connect at all.  I'm running Windows 7 and have Wired Autoconfig configured.
I can successfully connect, it just takes a while due to the errors during the process.

Tasmant Commented:
- do you use computer authentication or user authentication?
- in which way? certificate or mschapv2?
 
olemrefv (Author) Commented:
I'm using user authentication (User groups).
EAP types: MSCHAP2 v2 and PEAP.

Tasmant Commented:

olemrefv (Author) Commented:
Yes, as you can see in the question, each policy is applied for each VLAN group.  So if a user is in VLAN user group 3, the switchport will be set to VLAN 3. This works perfectly.  It all works, but some errors are causing some serious delay and the authentication doesn't succeed until like 2 minutes have passed.  So I'm wondering what fails before it succeeds....

olemrefv (Author) Commented:
Btw, it's gonna be a problem for me reading French Microsoft articles :)

Tasmant Commented:
I might be wrong but I've the feeling the computers cannot authenticate at startup and wait until you enter your user credentials and therefore being authorized to connect.
So I would check if the computer account is a member of the VLAN group, and maybe review or change the way the computer authenticates.

Did you set the "control access through remote access policy" for both user and computer accounts? (Dial-in tab)
I've reviewed the documentation and it's clear that PEAP-MS-CHAP v2 does not need computer certificates on wired clients.

But I've also found this:
For computer authentication with EAP-TLS, you must install a computer certificate, also known as a machine certificate, on the wired client computer. A computer certificate installed on the wired client computer is used to authenticate the wired client computer so that the computer can obtain network connectivity to the organization intranet and computer configuration Group Policy updates prior to user login. For user authentication with EAP-TLS after a network connection is made and the user logs in, you must use a user certificate on the wired client computer.

So it would mean that with PEAP-MS-CHAP v2 we couldn't authenticate prior to user login.

But later I have this...:
Some network administrators want to use only computer authentication. By using only computer authentication, a client computer must perform computer-level 802.1X authentication with an authenticating switch using either a computer certificate (when using EAP-TLS authentication) or the computer's account name and password (when using PEAP-MS-CHAP v2 authentication) before it can access the organization network


olemrefv (Author) Commented:
Problem solved.  Select "user authentication" only under the authentication tab.  I also enabled portfast and disabled STP.  Now it's really fast.

olemrefv (Author) Commented:
Solved.