Authentication fails/no response to the EAP Response identity packet

Wed, 16 Jul 2008 21:57:48 Z

Hello NAP gurus,

I’ve been unsuccessfully trying to set up NAP on Server 2008 (Standard version, SP1), and spending more time troubleshooting than I’d like to admit. I’m hoping someone on this forum can point me in the right direction.

My eventual goal is to setup up NAP with dynamic VLAN distribution, depending on security membership status in Active Directory. (And later on I’d like to add more NAP bells and whistles of course.) Currently I’m just trying to get the authentication process working.

Problem: Each time I connect a host to my switch on an 802.1X enabled port, the authentication fails.

The error message on the 802.1x enabled supplicant (laptop, running XP SP3) is:

Wired 802.1X authentication failed

Reason: 327687

Reason Text: There was no response to the EAP Response identity packet

Corresponding log entry on NAP server (slightly obfuscated):

10.1.0.216,DOMAIN\user,07/16/2008,13:47:23,IAS,BRIDGE,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,3,61,15,87,3,30,00-1f-28-03-XX-XX,31,00-19-b9-69-XX-XX,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,1,4108,10.3.0.253,4116,0,4128,Lab Switch in 10.3 subnet,4154,NAP 802.1X (Wired),4155,0,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 7,4136,1,4142,0

10.1.0.216,DOMAIN\user,07/16/2008,13:47:23,IAS,BRIDGE,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 7,4155,0,4154,NAP 802.1X (Wired),4128,Lab Switch in 10.3 subnet,4116,0,4108,10.3.0.253,4136,2,4142,0

10.1.0.216,DOMAIN\user,07/16/2008,13:47:42,IAS,BRIDGE,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,3,61,15,87,3,30,00-1f-28-03-XX-XX,31,00-19-b9-69-XX-XX,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,1,4108,10.3.0.253,4116,0,4128,Lab Switch in 10.3 subnet,4154,NAP 802.1X (Wired),4155,0,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 8,4136,1,4142,0

10.1.0.216,DOMAIN\user,07/16/2008,13:47:42,IAS,BRIDGE,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 8,4155,0,4154,NAP 802.1X (Wired),4128,Lab Switch in 10.3 subnet,4116,0,4108,10.3.0.253,4136,2,4142,0

BRIDGE = NAP server, 10.3.1.1/16

LAB SWITCH = authenticator (HP ProCurve 2848), 10.1.0.216/16

Switch configuration (HP ProCurve 2848), mostly 802.1X relevant part(s):

hostname "LAB SWITCH"

vlan 1

name "DEFAULT_VLAN"

untagged 1-48

ip address 10.1.0.216 255.255.0.0

ip helper-address 10.3.1.1

exit

vlan 118

name "restricted"

ip helper-address 10.3.1.1

tagged 48

exit

vlan 103

name "core"

ip address 10.3.0.253 255.255.0.0

ip helper-address 10.3.1.1

tagged 48

exit

vlan 110

name "staff"

ip helper-address 10.3.1.1

tagged 48

exit

[…]

aaa authentication port-access eap-radius

radius-server host 10.3.1.1

radius-server key password

aaa port-access authenticator 1-4

aaa port-access authenticator active

The switch has an uplink to a core Cisco switch on port 48 via trunk. The NAP server and the DHCP server are directly connected to the core switch. Both servers can be pinged from the switch.

NAP configuration:

1. I have a NAP 802.1X (Wired) Connection Request Policy, NAS port type: Ethernet

2. There are multiple Network policies in place (each for different VLANS, although at the moment I’m more concerned just getting the client/user authenticated.)
Each Network Policy is configured for Protected EAP, the RADIUS attributes include Framed-Protocol (PPP), Service Type (Framed), Tunnel-Type (Virtual LAN), Tunnel-Medium-Type (802), and Tunnel-Pvt-Group-ID (VLAN ID, for example 110). IP settings are set to “Client may request an IP address” (although I am currently using a static IP on the host, just for troubleshooting purposes. Once the authentication works I’ll switch it back to DHCP).

Settings on the host (XP, SP3):

1. IEEE 802.1X authentication is enabled

2. Network authentication method: PEAP
PEAP settings: Secured password (EAP-MSCHAP v2);

and “Automatically use my Windows logon name and password).

Sorry for the long post, but I wasn’t quite sure how to condense the problem without omitting potentially important information/configurations.

Any hint/tip is greatly appreciated. At the moment it seems I’m out of moves.

Thanks,

Dan.

Authentication fails/no response to the EAP Response identity packet

Thu, 17 Jul 2008 23:50:55 Z

Hi Dan,

Can you please provide the following:

The output of "netsh nap client show state" from a command line on your XP SP3 machine.

In event viewer, custom views, server roles, network policy and access services, do you see event 6273? What is the reason that access was denied? If possible, provide the text of any events with a task category of "Network Policy Server" or if present any error events with a source of "NPS."

Thanks,
-Greg

Authentication fails/no response to the EAP Response identity packet

Fri, 18 Jul 2008 16:29:03 Z

Hi, Greg,
here's what I could find:

1. netsh nap client show state

Client state:
----------------------------------------------------
Name                       = Network Access Protection Client
Description              = Microsoft Network Access Protection Client
Protocol version     = 1.0
Status                   = Enabled
Restriction state      = Not restricted
Troubleshooting URL    =
Restriction start time =
Extended state         =

Enforcement client state:
----------------------------------------------------
Id                     = 79617
Name                   = DHCP Quarantine Enforcement Client
Description            = Provides DHCP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79618
Name                   = Remote Access Quarantine Enforcement Client
Description            = Provides the quarantine enforcement for RAS Client
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79619
Name                   = IPSec Relying Party
Description            = Provides IPSec based enforcement for Network Access Protection
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79620
Name                   = Wireless Eapol Quarantine Enforcement Client
Description            = Provides wireless Eapol based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79621
Name                   = TS Gateway Quarantine Enforcement Client
Description            = Provides TS Gateway enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = No

Id                     = 79623
Name                   = EAP Quarantine Enforcement Client
Description            = Provides EAP based enforcement for NAP
Version                = 1.0
Vendor name            = Microsoft Corporation
Registration date      =
Initialized            = Yes

System health agent (SHA) state:
----------------------------------------------------
Id                     = 79744
Name                   = Windows Security Health Agent

Description            = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.

Version                = 1.0

Vendor name            = Microsoft Corporation

Registration date      =
Initialized            = Yes
Failure category       = None
Remediation state      = Success
Remediation percentage = 0
Fixup Message          = (3237937214) - The Windows Security Health Agent has finished updating its security state.

Compliance results     =
Remediation results    =

Ok.

#################################################################

2. There are no NPS entries in the event viewer; but there are plenty of entries like these two in the IAS log:

10.1.0.216,DOMAIN\user,07/18/2008,09:11:00,IAS,RAD,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,1,61,15,87,1,30,00-1f-28-03-aa-3f,31,00-19-b9-69-45-bc,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,109,4108,10.3.0.253,4116,0,4128,lab_switch 10.3,4154,NAP 802.1X (Wired),4155,1,4129,DOMAIN\user,4130,DOMAIN\user,25,311 1 ::1 07/17/2008 23:04:39 175,4136,1,4142,0

10.1.0.216,DOMAIN\user,07/18/2008,09:11:00,IAS,RAD,25,311 1 ::1 07/17/2008 23:04:39 175,27,30,4130,DOMAIN\user,4129,DOMAIN\user,4108,10.3.0.253,4116,0,4128,lab_switch 10.3,4154,NAP 802.1X (Wired),4155,1,4136,11,4142,0

I don't see any inner authentication protocol info ("Secured password (EAP-MSCHAP v2)") or encoded password string. Could this be a certificate issue? How could I test this?

To see if any RADIUS packets actually make it to NPS I removed my 802.1X switch from my list of RADIUS clients, and immediately I started seeing entries like this one:
"A RADIUS message was received from the invalid RADIUS client [...]" .

Thanks for your help,

Dan

#########
#                 #
# UPDATE: #
#                #
########
Hours later I now have a lot of entries in event viewer (under custom views, server roles, network policy and access services). I'm not sure why those log entries didn't show up at the time...??? Anyways, here's one log entry (all the other ones are the same, event ID 6274):

Log Name: Security

Source: Microsoft-Windows-Security-Auditing

Date: 7/18/2008 12:58:49 PM

Event ID: 6274

Task Category: Network Policy Server

Level: Information

Keywords: Audit Failure

User: N/A

Computer: rad.DOMAIN.edu

Description:

Network Policy Server discarded the request for a user.

User:

Security ID: NULL SID

Account Name: DOMAIN\user

Account Domain: DOMAIN

Fully Qualified Account Name: DOMAIN\user

Client Machine:

Security ID: NULL SID

Account Name: -

Fully Qualified Account Name: -

OS-Version: -

Called Station Identifier: 00-1f-28-03-aa-3f

Calling Station Identifier: 00-19-b9-69-45-bc

NAS:

NAS IPv4 Address: 10.1.0.216

NAS IPv6 Address: -

NAS Identifier: LAB SWITCH

NAS Port-Type: Ethernet

NAS Port: 1

RADIUS Client:

Client Friendly Name: lab_switch 10.3

Client IP Address: 10.3.0.253

Authentication Details:

Proxy Policy Name: NAP 802.1X (Wired)

Network Policy Name: -

Authentication Provider: Windows

Authentication Server: rad.DOMAIN.edu

Authentication Type: -

EAP Type: -

Account Session Identifier: -

Reason Code: 1

Reason: An internal error occurred. Check the system event log for additional information.

I didn't see any additional info in the system event log.

Authentication fails/no response to the EAP Response identity packet

Tue, 22 Jul 2008 12:17:20 Z

Hello , Dan

Question. Your switch have RFC 3580 Support ( Vlan dynamic ) ?

Authentication fails/no response to the EAP Response identity packet

Tue, 22 Jul 2008 16:31:34 Z

Hi, Jean,
the switch I'm using is an HP 2848, and it does support dynamic vlans. However, you were on the right track pointing at the switch as the culprit. The firmware I was using had a bug in it where PEAP fails to authenticate with Microsoft IAS Radius server (it works without any problems with FreeRADIUS). The switch event log will report "can't reach RADIUS server". I upgraded to I.10.43, and now it seems to work, this thread can be closed.

Thanks for your time guys, I really appreciate it!

Cheers,
Dan

Authentication fails/no response to the EAP Response identity packet

Fri, 26 Jun 2009 18:49:10 Z

Hello,

I'm running into the same problem. Only have a HP MSM750 Access Controller running:

Software version:

5.2.6.0-01-7057

Has anyone else had this problem with the HP MSM750 Access Controller and Windows Server Ent 2008?

Authentication fails/no response to the EAP Response identity packet

Tue, 28 Jul 2009 22:28:41 Z

Have same problem with HP 5400.. anyone has a solution? Thanks

Authentication fails/no response to the EAP Response identity packet

Wed, 19 Aug 2009 11:47:26 Z

If you are using XP SP3 see: KB969111 - A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain.

KM

Authentication fails/no response to the EAP Response identity packet

Wed, 19 Aug 2009 20:16:14 Z

Hi,

XP SP3 can use PEAP MSCHAPv2 with 802.1X. The problem noted in the hotfix is when you use it with a mandatory profile. This problem has been noted a few times on the forum.

-Greg