Authentication fails/no response to the EAP Response identity packet
Hello NAP gurus,
I’ve been unsuccessfully trying to set up NAP on Server 2008 (Standard version, SP1), and spending more time troubleshooting than I’d like to admit. I’m hoping someone on this forum can point me in the right direction.
My eventual goal is to set up NAP with dynamic VLAN distribution, depending on security membership status in Active Directory. (And later on I’d like to add more NAP bells and whistles of course.) Currently I’m just trying to get the authentication process working.
Problem: Each time I connect a host to my switch on an 802.1X enabled port, the authentication fails.
The error message on the 802.1x enabled supplicant (laptop, running XP SP3) is:
Wired 802.1X authentication failed
Reason: 327687
Reason Text: There was no response to the EAP Response identity packet
Corresponding log entries on the NAP server (slightly obfuscated):
10.1.0.216,DOMAIN\user,07/16/2008,13:47:23,IAS,BRIDGE,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,3,61,15,87,3,30,00-1f-28-03-XX-XX,31,00-19-b9-69-XX-XX,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,1,4108,10.3.0.253,4116,0,4128,Lab Switch in 10.3 subnet,4154,NAP 802.1X (Wired),4155,0,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 7,4136,1,4142,0
10.1.0.216,DOMAIN\user,07/16/2008,13:47:23,IAS,BRIDGE,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 7,4155,0,4154,NAP 802.1X (Wired),4128,Lab Switch in 10.3 subnet,4116,0,4108,10.3.0.253,4136,2,4142,0
10.1.0.216,DOMAIN\user,07/16/2008,13:47:42,IAS,BRIDGE,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,3,61,15,87,3,30,00-1f-28-03-XX-XX,31,00-19-b9-69-XX-XX,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,1,4108,10.3.0.253,4116,0,4128,Lab Switch in 10.3 subnet,4154,NAP 802.1X (Wired),4155,0,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 8,4136,1,4142,0
10.1.0.216,DOMAIN\user,07/16/2008,13:47:42,IAS,BRIDGE,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 8,4155,0,4154,NAP 802.1X (Wired),4128,Lab Switch in 10.3 subnet,4116,0,4108,10.3.0.253,4136,2,4142,0
BRIDGE = NAP server, 10.3.1.1/16
LAB SWITCH = authenticator (HP ProCurve 2848), 10.1.0.216/16
Switch configuration (HP ProCurve 2848), mostly 802.1X relevant part(s):
hostname "LAB SWITCH"
vlan 1
name "DEFAULT_VLAN"
untagged 1-48
ip address 10.1.0.216 255.255.0.0
ip helper-address 10.3.1.1
exit
vlan 118
name "restricted"
ip helper-address 10.3.1.1
tagged 48
exit
vlan 103
name "core"
ip address 10.3.0.253 255.255.0.0
ip helper-address 10.3.1.1
tagged 48
exit
vlan 110
name "staff"
ip helper-address 10.3.1.1
tagged 48
exit
[…]
aaa authentication port-access eap-radius
radius-server host 10.3.1.1
radius-server key password
aaa port-access authenticator 1-4
aaa port-access authenticator active
The switch has an uplink to a core Cisco switch on port 48 via trunk. The NAP server and the DHCP server are directly connected to the core switch. Both servers can be pinged from the switch.
NAP configuration:
1. I have a NAP 802.1X (Wired) Connection Request Policy, NAS port type: Ethernet
2. There are multiple Network Policies in place (one for each VLAN, although at the moment I’m more concerned with just getting the client/user authenticated.)
Each Network Policy is configured for Protected EAP; the RADIUS attributes include Framed-Protocol (PPP), Service-Type (Framed), Tunnel-Type (Virtual LAN), Tunnel-Medium-Type (802), and Tunnel-Pvt-Group-ID (VLAN ID, for example 110). IP settings are set to “Client may request an IP address” (although I am currently using a static IP on the host, just for troubleshooting purposes. Once the authentication works I’ll switch it back to DHCP).
Settings on the host (XP, SP3):
1. IEEE 802.1X authentication is enabled
2. Network authentication method: PEAP
PEAP settings: Secured password (EAP-MSCHAP v2); and “Automatically use my Windows logon name and password”.
Sorry for the long post, but I wasn’t quite sure how to condense the problem without omitting potentially important information/configurations.
Any hint/tip is greatly appreciated. At the moment it seems I’m out of moves.
Thanks,
Dan.
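The Tunnel-Type / Tunnel-Medium-Type / Tunnel-Pvt-Group-ID triple in the Network Policies above is the RFC 3580 VLAN-assignment mechanism. As an added example (not code from the post or from HP/Microsoft), the block below builds those three attributes as they appear on the wire in an Access-Accept and decodes them the way an 802.1X switch is supposed to, including the tag-byte rule from RFC 2868 that governs servers which send Tunnel-Private-Group-ID without a tag byte. It assumes tag 0 (an untagged attribute group) and the VLAN ID carried as its decimal ASCII string; the attribute IDs and values are from RFC 2868 and RFC 3580.

```python
"""RFC 2868/3580 VLAN-assignment attributes: encode them as a RADIUS server
puts them in an Access-Accept, and decode them the way an 802.1X switch does.

Added example, not code from the forum post.  Assumptions: tag byte 0
(untagged group), VLAN ID carried as its decimal ASCII string as RFC 3580
requires; attribute IDs and enum values are from RFC 2868 / RFC 3580.
"""
import struct

TUNNEL_TYPE = 64                 # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65          # value 6  = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81     # string: the VLAN ID
VLAN, IEEE_802 = 13, 6


def _attr(attr_type, payload):
    """One RADIUS attribute: Type, Length (header included), payload."""
    if len(payload) + 2 > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def vlan_attributes(vlan_id, tag=0):
    """The three attributes an Access-Accept carries to assign VLAN vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("invalid VLAN ID")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    t = bytes([tag])                         # tag byte precedes every value
    return (_attr(TUNNEL_TYPE, t + VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, t + IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii")))


def iter_attributes(blob):
    """Walk a RADIUS attribute list, refusing truncated or zero-length entries."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[off + 2:off + alen]
        off += alen


def assigned_vlan(blob):
    """VLAN ID a switch should apply from an Access-Accept's attributes, else None.

    RFC 3580: Tunnel-Type must be VLAN(13), Tunnel-Medium-Type IEEE-802(6) and
    Tunnel-Private-Group-ID the VLAN ID, all three carrying the same tag.  For
    the string attribute (81) a first byte above 0x1F is not a tag but the
    first character of the value (RFC 2868), so an untagged "110" still works.
    """
    groups = {}
    for atype, val in iter_attributes(blob):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not val:
            continue
        if atype == TUNNEL_PRIVATE_GROUP_ID and val[0] > 0x1F:
            tag, body = 0, val               # no tag byte present
        else:
            tag, body = val[0], val[1:]
        groups.setdefault(tag, {})[atype] = body
    for tag, g in sorted(groups.items()):
        if len(g) != 3:
            continue                         # incomplete triple for this tag
        if (int.from_bytes(g[TUNNEL_TYPE], "big") != VLAN
                or int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big") != IEEE_802):
            continue
        vid = g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
        if vid.isdigit() and 1 <= int(vid) <= 4094:
            return int(vid)
    return None


if __name__ == "__main__":
    accept = vlan_attributes(110)            # VLAN 110 = "staff" in the thread
    print(accept.hex())
    print("switch assigns VLAN", assigned_vlan(accept))
```

The decoder returns None rather than falling back to the port's static VLAN when the triple is incomplete or the tags disagree; what the switch does in that case (keep the port on its configured VLAN, or reject) is a per-vendor choice and is worth checking in the switch manual before relying on it for enforcement.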
Answers
- Hi, Jean,
the switch I'm using is an HP 2848, and it does support dynamic vlans. However, you were on the right track pointing at the switch as the culprit. The firmware I was using had a bug in it where PEAP fails to authenticate with Microsoft IAS Radius server (it works without any problems with FreeRADIUS). The switch event log will report "can't reach RADIUS server". I upgraded to I.10.43, and now it seems to work, this thread can be closed.
Thanks for your time guys, I really appreciate it!
Cheers,
Dan
- Marked as answer by dbau, Tuesday, July 22, 2008 16:32
All Replies
- Hi Dan,
Can you please provide the following:
- The output of "netsh nap client show state" from a command line on your XP SP3 machine.
- In event viewer, custom views, server roles, network policy and access services, do you see event 6273? What is the reason that access was denied? If possible, provide the text of any events with a task category of "Network Policy Server" or if present any error events with a source of "NPS."
Thanks,
-Greg
- Unmarked as answer by Greg LindsayMSFT, Owner, Thursday, July 17, 2008 23:52
- Marked as answer by Greg LindsayMSFT, Owner, Thursday, July 17, 2008 23:52
- Hi, Greg,
here's what I could find:
1. netsh nap client show state
Client state:
----------------------------------------------------
Name = Network Access Protection Client
Description = Microsoft Network Access Protection Client
Protocol version = 1.0
Status = Enabled
Restriction state = Not restricted
Troubleshooting URL =
Restriction start time =
Extended state =
Enforcement client state:
----------------------------------------------------
Id = 79617
Name = DHCP Quarantine Enforcement Client
Description = Provides DHCP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79618
Name = Remote Access Quarantine Enforcement Client
Description = Provides the quarantine enforcement for RAS Client
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79619
Name = IPSec Relying Party
Description = Provides IPSec based enforcement for Network Access Protection
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79620
Name = Wireless Eapol Quarantine Enforcement Client
Description = Provides wireless Eapol based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79621
Name = TS Gateway Quarantine Enforcement Client
Description = Provides TS Gateway enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = No
Id = 79623
Name = EAP Quarantine Enforcement Client
Description = Provides EAP based enforcement for NAP
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
System health agent (SHA) state:
----------------------------------------------------
Id = 79744
Name = Windows Security Health Agent
Description = The Windows Security Health Agent checks the compliance of a computer with an administrator-defined policy.
Version = 1.0
Vendor name = Microsoft Corporation
Registration date =
Initialized = Yes
Failure category = None
Remediation state = Success
Remediation percentage = 0
Fixup Message = (3237937214) - The Windows Security Health Agent has finished updating its security state.
Compliance results =
Remediation results =
Ok.
#################################################################
2. There are no NPS entries in the event viewer; but there are plenty of entries like these two in the IAS log:
10.1.0.216,DOMAIN\user,07/18/2008,09:11:00,IAS,RAD,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,1,61,15,87,1,30,00-1f-28-03-aa-3f,31,00-19-b9-69-45-bc,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,109,4108,10.3.0.253,4116,0,4128,lab_switch 10.3,4154,NAP 802.1X (Wired),4155,1,4129,DOMAIN\user,4130,DOMAIN\user,25,311 1 ::1 07/17/2008 23:04:39 175,4136,1,4142,0
10.1.0.216,DOMAIN\user,07/18/2008,09:11:00,IAS,RAD,25,311 1 ::1 07/17/2008 23:04:39 175,27,30,4130,DOMAIN\user,4129,DOMAIN\user,4108,10.3.0.253,4116,0,4128,lab_switch 10.3,4154,NAP 802.1X (Wired),4155,1,4136,11,4142,0
I don't see any inner authentication protocol info ("Secured password (EAP-MSCHAP v2)") or encoded password string. Could this be a certificate issue? How could I test this?
To see if any RADIUS packets actually make it to NPS I removed my 802.1X switch from my list of RADIUS clients, and immediately I started seeing entries like this one:
"A RADIUS message was received from the invalid RADIUS client [...]" .
Thanks for your help,
Dan
UPDATE:
Hours later I now have a lot of entries in event viewer (under custom views, server roles, network policy and access services). I'm not sure why those log entries didn't show up at the time...??? Anyways, here's one log entry (all the other ones are the same, event ID 6274):
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/18/2008 12:58:49 PM
Event ID: 6274
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: rad.DOMAIN.edu
Description:
Network Policy Server discarded the request for a user.
User:
Security ID: NULL SID
Account Name: DOMAIN\user
Account Domain: DOMAIN
Fully Qualified Account Name: DOMAIN\user
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 00-1f-28-03-aa-3f
Calling Station Identifier: 00-19-b9-69-45-bc
NAS:
NAS IPv4 Address: 10.1.0.216
NAS IPv6 Address: -
NAS Identifier: LAB SWITCH
NAS Port-Type: Ethernet
NAS Port: 1
RADIUS Client:
Client Friendly Name: lab_switch 10.3
Client IP Address: 10.3.0.253
Authentication Details:
Proxy Policy Name: NAP 802.1X (Wired)
Network Policy Name: -
Authentication Provider: Windows
Authentication Server: rad.DOMAIN.edu
Authentication Type: -
EAP Type: -
Account Session Identifier: -
Reason Code: 1
Reason: An internal error occurred. Check the system event log for additional information.
I didn't see any additional info in the system event log.
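The IAS-format records quoted in this reply and in the original post are easier to reason about once the numeric attribute IDs are decoded. The block below is an added example (not code from the thread, not a Microsoft tool): a small parser for the IAS log format, run over copies of the four records from the thread (same redactions as the posts). Standard attribute IDs are from RFC 2865/2868; the 4xxx IDs are Microsoft's NPS/IAS attributes, and only the IDs that actually occur in these records are mapped. Decoded, the July 16 exchange ends in an Access-Accept whose Provider-Type is None and which carries no Tunnel-* attributes (so there was nothing for the switch to assign a VLAN from); the July 18 exchange ends in an Access-Challenge with Session-Timeout 30, the time the NAS is allowed to wait for the next EAP-Response, which is consistent with the supplicant's "no response to the EAP Response identity packet" and with a switch that drops the EAP conversation at that point. The requests also carry Tunnel-Private-Group-ID (1, later 109): that is the switch reporting the port's current VLAN, not an assignment.

```python
"""Decode IAS-format RADIUS log records.

Added example; it is not code from the thread.  NPS/IAS writes one CSV
record per RADIUS packet: six fixed fields (NAS-IP-Address, User-Name,
Record-Date, Record-Time, Service-Name, Computer-Name) followed by
attribute-id,value pairs.  Standard attribute IDs come from RFC 2865/2868;
the 4xxx IDs are Microsoft's IAS/NPS-specific attributes.  Only the IDs that
occur in the thread's records are mapped; anything else is kept as Attr-<id>.
"""

FIXED_FIELDS = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
                "Service-Name", "Computer-Name")

ATTR_NAMES = {
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol",
    12: "Framed-MTU", 25: "Class", 27: "Session-Timeout",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
    61: "NAS-Port-Type", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
    77: "Connect-Info", 81: "Tunnel-Private-Group-ID", 87: "NAS-Port-Id",
    # Microsoft IAS/NPS attributes
    4108: "Client-IP-Address", 4116: "Client-Vendor", 4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name", 4130: "Fully-Qualified-User-Name",
    4136: "Packet-Type", 4142: "Reason-Code", 4154: "Proxy-Policy-Name",
    4155: "Provider-Type",
}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response",
                11: "Access-Challenge"}
PROVIDER_TYPES = {0: "None", 1: "Windows", 2: "RADIUS proxy"}
NAS_PORT_TYPES = {15: "Ethernet", 19: "Wireless-802.11"}


def parse_ias_record(line):
    """Split one IAS-format line into an {attribute-name: value} dict."""
    fields = line.rstrip("\r\n").split(",")       # IAS format does not quote fields
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("malformed IAS record: %r" % line[:60])
    rec = dict(zip(FIXED_FIELDS, fields[:6]))
    for attr_id, value in zip(fields[6::2], fields[7::2]):
        rec[ATTR_NAMES.get(int(attr_id), "Attr-" + attr_id)] = value
    return rec


def _named(rec, attr, table):
    raw = rec.get(attr)
    if raw is None:
        return "n/a"
    return table.get(int(raw), "%s=%s" % (attr, raw))


def summarize(rec):
    """Keep only what matters when chasing an 802.1X / dynamic-VLAN failure."""
    vlan = None                                    # RFC 3580: all three must agree
    if rec.get("Tunnel-Type") == "13" and rec.get("Tunnel-Medium-Type") == "6":
        vlan = rec.get("Tunnel-Private-Group-ID")
    return {
        "time": rec["Record-Date"] + " " + rec["Record-Time"],
        "packet": _named(rec, "Packet-Type", PACKET_TYPES),
        "provider": _named(rec, "Provider-Type", PROVIDER_TYPES),
        "port_type": _named(rec, "NAS-Port-Type", NAS_PORT_TYPES),
        "policy": rec.get("Proxy-Policy-Name"),
        "user": rec.get("SAM-Account-Name"),
        "reason_code": int(rec.get("Reason-Code", "0")),
        "session_timeout": rec.get("Session-Timeout"),
        "vlan": vlan,
    }


def decode_log(lines):
    return [summarize(parse_ias_record(l)) for l in lines if l.strip()]


# The four records quoted in the thread, with the posts' own redactions.
THREAD_LOG = [
    r"10.1.0.216,DOMAIN\user,07/16/2008,13:47:23,IAS,BRIDGE,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,3,61,15,87,3,30,00-1f-28-03-XX-XX,31,00-19-b9-69-XX-XX,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,1,4108,10.3.0.253,4116,0,4128,Lab Switch in 10.3 subnet,4154,NAP 802.1X (Wired),4155,0,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 7,4136,1,4142,0",
    r"10.1.0.216,DOMAIN\user,07/16/2008,13:47:23,IAS,BRIDGE,25,311 1 fe80::8c00:968d:9eca:XXXX 07/11/2008 19:51:26 7,4155,0,4154,NAP 802.1X (Wired),4128,Lab Switch in 10.3 subnet,4116,0,4108,10.3.0.253,4136,2,4142,0",
    r"10.1.0.216,DOMAIN\user,07/18/2008,09:11:00,IAS,RAD,12,1480,4,10.1.0.216,32,LAB SWITCH,6,2,7,1,5,1,61,15,87,1,30,00-1f-28-03-aa-3f,31,00-19-b9-69-45-bc,77,CONNECT Ethernet 1000Mbps Full duplex,64,13,65,6,81,109,4108,10.3.0.253,4116,0,4128,lab_switch 10.3,4154,NAP 802.1X (Wired),4155,1,4129,DOMAIN\user,4130,DOMAIN\user,25,311 1 ::1 07/17/2008 23:04:39 175,4136,1,4142,0",
    r"10.1.0.216,DOMAIN\user,07/18/2008,09:11:00,IAS,RAD,25,311 1 ::1 07/17/2008 23:04:39 175,27,30,4130,DOMAIN\user,4129,DOMAIN\user,4108,10.3.0.253,4116,0,4128,lab_switch 10.3,4154,NAP 802.1X (Wired),4155,1,4136,11,4142,0",
]

if __name__ == "__main__":
    for s in decode_log(THREAD_LOG):
        print("%(time)s %(packet)-16s provider=%(provider)s policy=%(policy)s "
              "vlan=%(vlan)s session_timeout=%(session_timeout)s "
              "reason=%(reason_code)s" % s)
```

Pointing the same decoder at a full IAS log directory is a quick way to confirm whether a failing port ever received an Access-Accept with a complete Tunnel triple, or whether the conversation always stalls at an Access-Challenge as it does here.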
- Hello, Dan,
Question: does your switch have RFC 3580 support (dynamic VLAN)?
- Hello,
I'm running into the same problem. I only have an HP MSM750 Access Controller running:
Software version: 5.2.6.0-01-7057
Has anyone else had this problem with the HP MSM750 Access Controller and Windows Server Ent 2008?
- I have the same problem with an HP 5400. Does anyone have a solution? Thanks
- Suggested as answer by Mullahvik, Wednesday, August 19, 2009 11:44
- If you are using XP SP3 see: KB969111 - A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain.
KM
- Hi,
XP SP3 can use PEAP MSCHAPv2 with 802.1X. The problem noted in the hotfix is when you use it with a mandatory profile. This problem has been noted a few times on the forum.
-Greg

