Solved

Slow RADIUS authentication

Posted on 2011-03-03
Last Modified: 2012-05-11
10:44:00 - System boot
10:45:33 - The Wired Autoconfig Service is starting
10:45:33 - The Wired Autoconfig service entered the running state
10:45:33 - The profile was applied on the network adapter
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Profile Type: Interface
      Profile Content:
      AutoConfig Version: 1
      802.1x: Enabled
      802.1x: Not Enforced
      EAP type: Microsoft: Protected EAP (PEAP)
      802.1X auth credential: Machine or user credential
      Cache user information: Yes

10:45:33 - There has been an NDIS Port state change on this network adapter.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      NDIS Control State: UnControlled
      NDIS Auth State: UnAuthorized

10:45:33 - Wired 802.1X Authentication was started.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Connection ID: 0x1

10:45:33 - Network authentication attempts have been temporarily suspended on this network adapter.
      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Reason Code: Explicit Eap failure received
      Length of block timer (seconds): 1200

10:45:33 - Wired 802.1X Authentication failed. (Error)

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x1
      Identity: host/xxxxxxxxxxxx.local
      User: -
      Domain: -
      Reason: 0x50005
      Reason Text: Explicit Eap failure received
      Error Code: 0x40420110

10:45:36 - Network authentication attempts have been resumed on this network adapter.
10:45:36 - Wired 802.1X Authentication was started.
10:45:44 - Wired 802.1X Authentication was restarted.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Connection ID: 0x2
      Restart Reason: Onex User Changed

10:45:59 - Wired 802.1X Authentication succeeded.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x2
      Identity: -
      User: -
      Domain: -
      Reason: 0x70003
      Reason Text: The network does not support authentication
      Error Code: 0x0

10:46:33 - Wired 802.1X Authentication succeeded.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      Peer Address: 5C260A913591
      Local Address: 5C260A0B510B
      Connection ID: 0x2
      Identity: domain\user (changed)
      User: XXX
      Domain: XXXXX
      Reason: 0x0
      Reason Text: The operation was successful
      Error Code: 0x0

10:46:33 - There has been an NDIS Port state change on this network adapter.

      Network Adapter: Intel(R) 82577LM Gigabit Network Connection
      Interface GUID: {7c908468-d424-4687-85a4-f8fe8b09f479}
      NDIS Control State: UnControlled
      NDIS Auth State: Authorized

Connected and everything works fine.
Can anyone explain what is happening here? It's obviously some misconfiguration.
Startup scripts don't execute and we're not getting shares/printers etc. when using RADIUS, as it is probably too slow.

Policy is configured to check for username/pass and the VLAN group is the condition.
Switches are Dell Powerconnect 6248, and RADIUS is Windows 2003 R2.
Question by:olemrefv

Expert Comment

by:Tasmant
ID: 35026271
Take a look at this and try, please: http://support.microsoft.com/kb/953650/en-us

Author Comment

by:olemrefv
ID: 35026467
That is for clients not able to connect at all. I'm running Windows 7 and have Wired AutoConfig configured.
I can successfully connect, it just takes a while due to the errors during the process.

Accepted Solution

by:
Tasmant earned 500 total points
ID: 35026722
- do you use computer authentication or user authentication?
- in which way? certificate or mschapv2?

Author Comment

by:olemrefv
ID: 35026805
I'm using user authentication (User groups).
EAP types: MS-CHAP v2 and PEAP.

Assisted Solution

by:Tasmant
Tasmant earned 500 total points
ID: 35026931

Author Comment

by:olemrefv
ID: 35027100
Yes, as you can see in the question, each policy is applied for each VLAN group. So if a user is in VLAN user group 3, the switchport will be set to VLAN 3. This works perfectly. It all works, but some errors are causing some serious delay and the authentication doesn't succeed until like 2 minutes have passed. So I'm wondering what fails before it succeeds....
Author Comment

by:olemrefv
ID: 35027228
Btw, it's gonna be a problem for me reading French Microsoft articles :)

Expert Comment

by:Tasmant
ID: 35027537
I might be wrong, but I've the feeling the computers cannot authenticate at startup and wait until you enter your user credentials and are therefore authorized to connect.
So I would check if the computer account is a member of the VLAN group, and maybe review or change the way the computer authenticates.

Did you set "control access through remote access policy" for both user and computer accounts? (Dial-in tab)
I've reviewed the documentation and it's clear that PEAP-MS-CHAP v2 does not need computer certificates on wired clients.

But I've also found this:
For computer authentication with EAP-TLS, you must install a computer certificate, also known as a machine certificate, on the wired client computer. A computer certificate installed on the wired client computer is used to authenticate the wired client computer so that the computer can obtain network connectivity to the organization intranet and computer configuration Group Policy updates prior to user login. For user authentication with EAP-TLS after a network connection is made and the user logs in, you must use a user certificate on the wired client computer.

So it would mean that with PEAP-MS-CHAP v2 we couldn't authenticate prior to user login.

But later I have this...:
Some network administrators want to use only computer authentication. By using only computer authentication, a client computer must perform computer-level 802.1X authentication with an authenticating switch using either a computer certificate (when using EAP-TLS authentication) or the computer's account name and password (when using PEAP-MS-CHAP v2 authentication) before it can access the organization network.


Expert Comment

by:Tasmant
ID: 35027565
Author Comment

by:olemrefv
ID: 35095286
Problem solved. Select "user authentication" only under the authentication tab. I also enabled portfast and disabled STP. Now it's really fast.
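The fix in the closing comment is a single setting in the client's wired profile: the OneX `authMode`, which on Windows 7 is what the "Authentication mode" drop-down on the authentication tab writes. The profile can be exported as XML with `netsh lan export profile folder=C:\profiles interface="Local Area Connection"` and re-applied with `netsh lan add profile filename=... interface=...`, which makes the change scriptable and auditable across a fleet. The script below is an added example, not code from the original thread or from Microsoft. The namespace URIs and element names (`LANProfile`, `OneX`, `authMode`, `PerformServerValidation`, `ServerNames`) are assumed from the Windows LAN-profile and OneX schemas as they appear in exported profiles; the embedded profile is a constructed, abridged sample, so run the audit against a real export to confirm the element paths before trusting it.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the Windows wired (LAN) profile and its OneX / PEAP sections
# (assumed from exported profiles; verify against your own `netsh lan export profile`)
NS = {
    "lan": "http://www.microsoft.com/networking/LAN/profile/v1",
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# Constructed sample, abridged to the elements this check looks at. It mirrors the
# settings shown in the question's profile dump: 802.1X enabled but not enforced,
# machine-or-user credential, cached user data, PEAP (type 25).
SAMPLE_PROFILE = """\
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM>
    <security>
      <OneXEnforced>false</OneXEnforced>
      <OneXEnabled>true</OneXEnabled>
      <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
        <cacheUserData>true</cacheUserData>
        <authMode>machineOrUser</authMode>
        <EAPConfig>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
            <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
                <Type>25</Type>
                <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
                  <ServerValidation>
                    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
                    <ServerNames></ServerNames>
                  </ServerValidation>
                  <PeapExtensions>
                    <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation>
                  </PeapExtensions>
                </EapType>
              </Eap>
            </Config>
          </EapHostConfig>
        </EAPConfig>
      </OneX>
    </security>
  </MSM>
</LANProfile>
"""


def audit_profile(xml_text):
    """Report the authentication mode and PEAP server-validation state of a wired profile."""
    root = ET.fromstring(xml_text)
    onex = root.find("lan:MSM/lan:security/onex:OneX", NS)
    if onex is None:
        raise ValueError("no OneX section: 802.1X is not configured in this profile")
    auth_mode = onex.findtext("onex:authMode", default="machineOrUser", namespaces=NS)
    perform = onex.find(".//peap2:PerformServerValidation", NS)
    validates = perform is not None and (perform.text or "").strip().lower() == "true"
    names = onex.find(".//peap:ServerValidation/peap:ServerNames", NS)
    findings = []
    if auth_mode != "user":
        # the mode seen in the question: the machine credential is tried first, and
        # an EAP-Failure for it leaves the port unauthorized until the block timer
        # expires or a user logon restarts authentication
        findings.append(f"authMode={auth_mode}: machine credential is tried before a user logs on")
    if not validates:
        # without server validation the PEAP tunnel is built to whatever answers, and
        # the inner MS-CHAPv2 exchange is only as private as that tunnel
        findings.append("PEAP server certificate validation is off")
    elif names is None or not (names.text or "").strip():
        findings.append("ServerNames is empty: any certificate from a trusted root is accepted")
    return {"authMode": auth_mode, "server_validation": validates, "findings": findings}


def set_user_only(xml_text):
    """Return the profile with authMode switched to user-only authentication."""
    root = ET.fromstring(xml_text)
    node = root.find(".//onex:authMode", NS)
    if node is None:
        raise ValueError("authMode element not found")
    node.text = "user"
    # ElementTree rewrites namespace prefixes (ns0, ns1, ...); the document is
    # namespace-equivalent to the input and still parses with the same paths.
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
    print(audit_profile(set_user_only(SAMPLE_PROFILE)))
```

Two caveats go with this change. With `authMode` set to `user` the port stays unauthorized until somebody logs on, so anything that needs the network before logon (machine Group Policy at boot, startup scripts) will not get it; the thread's other route, the one the accepted answer points at, is to make the RADIUS policy accept the `host/` computer identity as well. And regardless of mode, leave PEAP server validation on with a pinned server name: the user's MS-CHAPv2 credential travels inside the PEAP tunnel, so the client should only build that tunnel to a RADIUS server whose certificate it has checked.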
Author Closing Comment

by:olemrefv
ID: 35095325
Solved.