Authentication Failed

    Question

  • Hi,

    I set up the NAP client on some standalone computers (without a domain). After starting this NAP-configured PC, the LAN connection status is "authentication failed".

    After I disable/enable the LAN connection, everything works OK.

     

    The PC tries to authenticate after reboot with the local PC name/user, but the checkbox for this in the dialog is not checked!!

     

    Thanks for help,
    L.

    Wednesday, April 09, 2008 9:31 AM

Answers

  • Hi,

     

    I think this problem may be fixed by applying Vista SP1. What version are you running?

     

    You can get SP1 here: http://www.microsoft.com/downloads/details.aspx?FamilyID=a45652b1-e838-420a-b065-83960458e2ec&DisplayLang=en

     

    I believe the issue may be related to some issues resolved by a wireless hotfix (http://support.microsoft.com/kb/932063)

     

    Please update to SP1 or apply the hotfix and let me know if this resolves the problem.

     

    Thanks,

    -Greg

    Friday, April 18, 2008 7:15 PM
  • Hi,

     

    IASSAM.LOG agrees with your netmon analysis that RADIUS seems to be trying to authenticate a windows machine account (FAFUKHK\PCUVT10$) as a user account after rebooting. This is strange, but I am able to duplicate this with my 2950 if I reboot the client machine. I think this is actually normal.

     

    My log also says "Successfully retrieved session (171) for user WOODGROVEBANK\CLI-1$", which is the machine account.

     

    Does your port shut down after rebooting? Here is what happens for me:

     

    <--reboot here-->

    13w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
    13w5d: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

    13w5d: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

    <--reboot completed, user not logged in-->

    <--user logged in-->

    <--network credentials entered-->

    13w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

     

    As you can see, line protocol is down but the port is up prior to the user entering their network/domain credentials. Is your port down or up?

     

    I enabled dot1x debug on the switch to see what happens prior to the user logging in, and the port does appear to enter an "unauthorized" state. I wonder if your client is failing to VLAN 33 in this case. Please issue a "show vlan" on the switch before you enter user credentials and see if the client is in VLAN 33.

     

    The 802.1X auth failure continues until network/domain credentials are entered, when I get authsuccess and the link changes to UP.

     

    You might try removing the auth-fail VLAN from your configuration and see if this helps. Please tell me if line protocol is up or down.

     

    I also see this in svchost_rastls.log:

     

    [2184] 04-22 10:36:17:149: Authentication failed due to IAS policy restrictions

     

    This is strange, because I only see this if I configure connection request policy to not match the client's PEAP settings. Please confirm your server-side configuration on NPS by posting the output of netsh nps show config.

     

    Thanks,

    -Greg

    Tuesday, April 22, 2008 8:53 PM
  • Hi,

     

    I'm not familiar with configuring DHCP for auth-failed clients, but you might try enabling "dot1x guest-vlan" on the port. I will continue to research and see what I can find.

     

    -Greg

    Friday, April 25, 2008 10:30 PM

All replies

  • Hi,

     

    Are you using PEAP authentication (802.1X or VPN)? If so, then in order to get authentication to work in a workgroup environment, you will need to either uncheck "Automatically use my Windows logon name and password..." in EAP MSCHAPv2 properties, or you must use PEAP-TLS and import a user certificate on the client computer.

     

    I'm not sure if you are saying above that you have already unchecked the box to "Automatically use my Windows logon name and password..." but if that is working then you will get a notification that "additional information is required..." to connect to the network.

     

    -Greg

    Wednesday, April 09, 2008 7:45 PM
  • Hi,

     

    One more thing that is required here.

     

    If you are using workgroup computers, you must do one of two things:

     

    1) Un-check "validate server certificate" in PEAP properties.

     

    - OR -

     

    2) Import the Root CA certificate into your trusted root store.

     

    -Greg

    Thursday, April 10, 2008 12:37 AM
  • Hi Greg,

    I am using PEAP 802.1X for the wired network. I have unchecked the checkbox "Automatically ..."

     

    The setup is OK: after I disable and enable the NIC, everything immediately works correctly. But after restarting the PC and the first logon to the PC, the NIC is in the status "authentication failed".

     

    L.

     

     

    Thursday, April 10, 2008 5:39 AM
  • Hi,

     

    I use a GTE CyberTrust certificate. This CA is built into the OS.

     

    L.

     

    Thursday, April 10, 2008 5:40 AM
  • Hi,

     

    Please also disable fast reconnect and see if this helps.

     

    -Greg

    Thursday, April 10, 2008 6:15 AM
  • Hi,

     

    The same problem.

    Should I create a script to disable/enable the NIC after login to the computer?

     

    L.

     

    Thursday, April 10, 2008 7:25 AM
  • Hi,

    I tried to debug this via Network Monitor.

     

    After the PC starts, authentication immediately starts for:

    UserName: host/PName

     

    Why?

     

    After this:

    MessageType: Access Reject, 3(0x03)

     

    User credentials are not saved on the computer; the user must enter them via "Additional information is required to connect to the network".

     

    Thanks,

    Ladislav

     

     

     

    Friday, April 11, 2008 8:00 AM
  • Hi,

     

    This is machine authentication which happens first. Have you disabled fast reconnect as I requested?

     

    -Greg

    Friday, April 11, 2008 3:29 PM
  • Hi,

    I tried this and the result is the same: "Authentication failed".

     

    After I disable/enable the network interface, all is OK.

     

    Event log when I power on the computer:

    13.4.2008 17:38:07 Service Control Manager Information None 7036 N/A PCUVT10 The Computer Browser service entered the stopped state.
    13.4.2008 17:38:04 Service Control Manager Information None 7036 N/A PCUVT10 The Application Layer Gateway Service service entered the running state.
    13.4.2008 17:38:04 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM PCUVT10 The Application Layer Gateway Service service was successfully sent a start control.
    13.4.2008 17:38:04 Service Control Manager Information None 7036 N/A PCUVT10 The SSDP Discovery Service service entered the running state.
    13.4.2008 17:38:04 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM PCUVT10 The SSDP Discovery Service service was successfully sent a start control.
    13.4.2008 17:38:04 Service Control Manager Information None 7036 N/A PCUVT10 The Network Location Awareness (NLA) service entered the running state.
    13.4.2008 17:38:04 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM PCUVT10 The Network Location Awareness (NLA) service was successfully sent a start control.
    13.4.2008 17:37:57 W32Time Error None 29 N/A PCUVT10 The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 15 minutes. NtpClient has no source of accurate time.
    13.4.2008 17:37:57 W32Time Error None 17 N/A PCUVT10 Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    13.4.2008 17:37:57 Dhcp Warning None 1007 N/A PCUVT10 Your computer has automatically configured the IP address for the Network Card with network address 001AA0D617D2.  The IP address being used is 169.254.46.187.
    13.4.2008 17:37:57 W32Time Error None 29 N/A PCUVT10 The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
    13.4.2008 17:37:57 W32Time Error None 29 N/A PCUVT10 The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
    13.4.2008 17:37:57 W32Time Error None 17 N/A PCUVT10 Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    13.4.2008 17:37:57 W32Time Error None 29 N/A PCUVT10 The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible.  No attempt to contact a source will be made for 14 minutes. NtpClient has no source of accurate time.
    13.4.2008 17:37:57 W32Time Error None 17 N/A PCUVT10 Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    13.4.2008 17:37:57 NapAgent None None 9 N/A PCUVT10 The enforcement client 79623 successfully initialized.
    13.4.2008 17:37:57 NapAgent None None 4 N/A PCUVT10 The System Health Agent 79744 successfully initialized.
    13.4.2008 17:37:57 NapAgent Warning None 39 N/A PCUVT10 The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from.
    A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made.
    Contact the HRA administrator for more information.
    13.4.2008 17:37:57 NapAgent None None 9 N/A PCUVT10 The enforcement client 79871 successfully initialized.
    13.4.2008 17:37:57 NapAgent Information None 26 N/A PCUVT10 The NAP service has started.
     NAP has the following information for this computer:
     Computer name is pcuvt10.
     Domain status is: Not Domain Joined.
     The OS SKU is: CLIENT.
     The service pack version is: 3.0.
     The processor type is: 0.

    13.4.2008 17:37:48 Dhcp Warning None 1003 N/A PCUVT10 Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001AA0D617D2.  The following error occurred:
    The semaphore timeout period has expired. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
    13.4.2008 17:37:16 e1express Information None 33 N/A PCUVT10 Intel(R) 82566DM-2 Gigabit Network Connection Link has been established: 100Mbps full duplex.
    13.4.2008 17:37:10 HECI Information None 2 N/A PCUVT10 HECI driver has started successfully.
    13.4.2008 17:37:21 DCOM Error None 10016 NT AUTHORITY\SYSTEM PCUVT10 The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
     to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.
    13.4.2008 17:37:20 EventLog Information None 6005 N/A PCUVT10 The Event log service was started.
    13.4.2008 17:37:20 EventLog Information None 6009 N/A PCUVT10 Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3, v.3311 Multiprocessor Free.

     

    Event log when I disable/enable network interface:

    13.4.2008 17:41:04 Service Control Manager Information None 7036 N/A PCUVT10 The Remote Access Connection Manager service entered the running state.
    13.4.2008 17:41:04 Service Control Manager Information None 7035 PCUVT10\Administrator PCUVT10 The Remote Access Connection Manager service was successfully sent a start control.
    13.4.2008 17:41:04 Service Control Manager Information None 7036 N/A PCUVT10 The Telephony service entered the running state.
    13.4.2008 17:40:46 NapAgent Information None 29 N/A PCUVT10 A Statement of Health Response with correlation ID {AD92BBEC-E2E0-4F63-AF32-40C65F11B197} - 2008-04-13 15:40:46.250Z was received from the enforcement client 79623.
     The current client state is Full Access.
     The current client extended state is No Data.
     The following SHAs report this client non-compliant:
     The following error categories were encountered:
     The probation expiration time is:
     The help URL is:
     The duration of health check was 78 ms.

    13.4.2008 17:40:46 NapAgent Information None 28 N/A PCUVT10 A Statement of Health with correlation ID {AD92BBEC-E2E0-4F63-AF32-40C65F11B197} - 2008-04-13 15:40:46.250Z was sent to the enforcement client 79623.
    13.4.2008 17:40:46 NapAgent Information None 27 N/A PCUVT10 A Statement of Health with correlation ID {AD92BBEC-E2E0-4F63-AF32-40C65F11B197} - 2008-04-13 15:40:46.250Z was received from the System Health Agent 79744.
     The duration to check the client's health was 32 ms.
    13.4.2008 17:40:31 e1express Information None 33 N/A PCUVT10 Intel(R) 82566DM-2 Gigabit Network Connection Link has been established: 100Mbps full duplex.
    13.4.2008 17:40:28 Tcpip Information None 4201 N/A PCUVT10 The system detected that network adapter Intel(R) 82566DM-2 Gigabit Network Connection was connected to the network, and has initiated normal operation over the network adapter.

     

    L.

    Sunday, April 13, 2008 3:50 PM
  • Hi,

     

    This looks like a DHCP problem. Please try using a static IP address on the client and see if this fixes it. What is your DHCP setup?

     

    -Greg 

    Monday, April 14, 2008 11:05 PM
  • Hi,

    This is not a fix for me; I must set the IP dynamically. The DHCP server is set up correctly and working fine for non-NAP ports on the Cisco switch. The NAP port is closed before these WORKGROUP clients (PCs) are authenticated, so it is not possible to contact the DHCP server.

     

    The problem is "Authentication Failed": after starting, the computers authenticate via the account host/Computername. Why??

    After running

    netsh lan reconnect

    the "Additional information is required to connect to the network" prompt is immediately initiated, and after setting this, it is correctly authenticated.

     

    Thanks,

    Ladislav

    Tuesday, April 15, 2008 3:55 AM
  • Hi,

     

    I am not requesting you try static IP as a fix, only as a method to troubleshoot. My Cisco switch does not behave this way, but I am not using DHCP. I want to see if this can be isolated to a DHCP problem.

     

    -Greg

    Tuesday, April 15, 2008 7:33 AM
  • Hi,

    I have now tried setting a static IP and the result is the same: Authentication Failed.

     

    The Cisco opens the 802.1X port after correct authentication via NAP.

     

    You wrote "DHCP problem" -> must I set a special configuration for the DHCP server?

     

    Log:

    15.4.2008 9:45:30 Service Control Manager Information None 7036 N/A PCUVT10 The Network Location Awareness (NLA) service entered the running state.
    15.4.2008 9:45:30 NapAgent None None 9 N/A PCUVT10 The enforcement client 79623 successfully initialized.
    15.4.2008 9:45:30 Service Control Manager Information None 7035 NT AUTHORITY\SYSTEM PCUVT10 The Network Location Awareness (NLA) service was successfully sent a start control.
    15.4.2008 9:45:01 e1express Information None 33 N/A PCUVT10 Intel(R) 82566DM-2 Gigabit Network Connection Link has been established: 100Mbps full duplex.
    15.4.2008 9:44:56 HECI Information None 2 N/A PCUVT10 HECI driver has started successfully.
    15.4.2008 9:45:14 NapAgent None None 4 N/A PCUVT10 The System Health Agent 79744 successfully initialized.
    15.4.2008 9:45:14 NapAgent Warning None 39 N/A PCUVT10 The Network Access Protection Agent was unable to determine which HRAs to request a health certificate from.
    A network change or if GP is configured, a configuration change will prompt further attempts to acquire a health certificate. Otherwise no further attempts will be made.
    Contact the HRA administrator for more information.
    15.4.2008 9:45:14 NapAgent None None 9 N/A PCUVT10 The enforcement client 79871 successfully initialized.
    15.4.2008 9:45:14 NapAgent Information None 26 N/A PCUVT10 The NAP service has started.
     NAP has the following information for this computer:
     Computer name is pcuvt10.
     Domain status is: Not Domain Joined.
     The OS SKU is: CLIENT.
     The service pack version is: 3.0.
     The processor type is: 0.

    15.4.2008 9:45:07 DCOM Error None 10016 NT AUTHORITY\SYSTEM PCUVT10 The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}
     to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.
    15.4.2008 9:45:06 EventLog Information None 6005 N/A PCUVT10 The Event log service was started.

     

    After this I run:

    netsh lan reconnect

    + enter credentials, and authentication is OK.

     

    XP tries to authenticate via host/PCname; this really is the problem, verified via Network Monitor.

     

     

    Thanks,

    Ladislav

     

    Tuesday, April 15, 2008 8:17 AM
  • :-) You see in the log:

    13.4.2008 17:37:20 EventLog Information None 6009 N/A PCUVT10 Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3, v.3311 Multiprocessor Free.

     

    The other thread, about the delay, is for a Windows Vista SP1 client.

     

    L.

     

     

     

    Friday, April 18, 2008 7:28 PM
  • Hi,

     

    That log entry isn't for your client system. I think you are saying that you are already using Vista SP1 - correct?

     

    The server version should be 6.0 if it is Server 2008. You'll find the version of your Server 2008 in Windows\panther\setupact.log. It should be 6.0.6001.18000.

     

    Let's try this, enable tracing and provide the output of IASSAM.log. At an elevated command prompt, type:

     

    Netsh ras set tr * en

     

    Demonstrate the problem scenario, then disable with netsh ras set tr * dis

     

    Provide the output of IASSAM.log. Also check svchost_rastls.log for errors. These files are populated in the Windows\tracing directory.

     

    Thanks,

    -Greg

    Friday, April 18, 2008 7:50 PM
  • Hi,

     

    ??

    I started two threads:

     

    1) "Authentication Failed"

    Windows XP w/SP3, WORKGROUP PC (not a domain PC) with the NAP client configured,

    authenticating via an 802.1X-capable Cisco, with the NPS server on Windows Server 2008 x64 and a domain account

    2) "First Logon Delay"

    Windows Vista w/SP1, domain PC with the NAP client configured,

    authenticating via an 802.1X-capable Cisco, with the NPS server on Windows Server 2008 x64 and a domain account

     

    ad 1) Everything is working, but the only small problem is when the PC is first started: the network interface shows "Authentication failed". After I run:

    netsh lan reconnect

    all is OK!!!

    Why: I traced this via Network Monitor, and after Windows XP boots the NAP client immediately authenticates via host/namePC; the Cisco sends this to the NPS server and ---> authentication failed. Not a valid domain user.

     

    First, after running/booting the PC:

    "TED","IAS",02/28/2008,12:56:16,1,"host/pcuvt10","FAFUKHK\PCUVT10$","00-1C-0F-9A-56-30","00-1A-A0-D6-17-D2",,,,"192.168.11.12",50048,0,"192.168.11.12","Cat12",,,15,,,2,11,,0,"311 1 ::1 02/27/2008 09:19:12 10",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,
    "TED","IAS",02/28/2008,12:56:16,3,,"FAFUKHK\PCUVT10$",,,,,,,,0,"192.168.11.12","Cat12",,,,,,,11,,16,"311 1 ::1 02/27/2008 09:19:12 10",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,

    Second and all others (before the PC shuts down):

    "TED","IAS",02/28/2008,12:58:40,1,"rudisar@faf.cuni.cz","FAFUKHK\rudisar","00-1C-0F-9A-56-30","00-1A-A0-D6-17-D2",,,,"192.168.11.12",50048,0,"192.168.11.12","Cat12",,,15,,,2,11,"Non-domain (Wired) Compliant",0,"311 1 ::1 02/27/2008 09:19:12 20",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,
    "TED","IAS",02/28/2008,12:58:40,2,,"FAFUKHK\rudisar",,,,,,,,0,"192.168.11.12","Cat12",,,,,1,2,11,"Non-domain (Wired) Compliant",0,"311 1 ::1 02/27/2008 09:19:12 20",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,16777229,16777222,,,,"0x013334",,,,,,,,"0x01464146554B484B",,,"NAP 802.1X (Wired)",1,,,,

     

    WHY does the NAP client authenticate via host/namePC after boot and NOT WAIT for the correct credentials to be entered?

    After netsh lan reconnect the NAP client waits!!!

     

     

    ad 2) After the PC starts, the DHCP client also starts and tries to lease an IP via the closed port. The port is opened after the NAP client successfully authenticates; how can I minimise this delay?

     

    Thanks,

    L.

     

     

    Saturday, April 19, 2008 4:40 PM
  • Hi,

     

    There are two authentication processes, machine authentication happens first, then user authentication. This is normal, but also can be changed. See http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=761315&SiteID=17 for more information.

     

    I mentioned before to disable fast reconnect. You said it was disabled on the client. I think this still may be having an effect if it is not disabled on both the client and server-side. Please un-check the "fast reconnect" setting on the SERVER. This is found on your NPS server in the 802.1X connection request policy, PEAP properties. Tell me if this helps.

     

    Thanks,

    -Greg

    Saturday, April 19, 2008 4:54 PM
  • Hi,

     

    If the suggestions above don't solve your problem, I will need more information. Please provide the logs as requested and also your switch configuration including the type of switch you are using. I will also attempt to reproduce your problem, but thus far I am not having the same issue with non-domain joined machines and my Cisco switch.

     

    I realize there are two issues, but I think they may be related. Please provide the IASSAM.log file for both. I will continue to research the issue for you and find out what I can.

     

    Thanks,

    -Greg

    Sunday, April 20, 2008 7:29 PM
  • Hi,

     

    I tried to change authMode in the LAN profile, but this is not possible in Windows XP w/SP3.

     

    authMode (OneX) Element

    This element is optional. When authMode is not specified in a profile, a value of machineOrUser is used.

    Windows XP SP3 and Wireless LAN API for Windows XP SP2:  This element will be ignored if it is present in a profile.

     

    This PC is not in the domain, and for authentication I use a username and password from the domain via the NPS server.

     

     

    Fast reconnect: I disabled this on the client and disabled it on the NPS server. The result is the same: Authentication failed:

     

    "TED","IAS",04/21/2008,13:41:29,1,"host/pcuvt10","FAFUKHK\PCUVT10$","00-1C-0F-9A-56-2F","00-1A-A0-D6-17-D2",,,,"192.168.11.12",50047,0,"192.168.11.12","Cat12",,,15,,,2,11,,0,"311 1 ::1 04/20/2008 11:08:13 2698",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,
    "TED","IAS",04/21/2008,13:41:29,3,,"FAFUKHK\PCUVT10$",,,,,,,,0,"192.168.11.12","Cat12",,,,,,,11,,34,"311 1 ::1 04/20/2008 11:08:13 2698",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,

     

    After manually run "netsh lan reconnect":

     

    "TED","IAS",04/21/2008,13:43:28,1,"rudisar@faf.cuni.cz","FAFUKHK\rudisar","00-1C-0F-9A-56-2F","00-1A-A0-D6-17-D2",,,,"192.168.11.12",50047,0,"192.168.11.12","Cat12",,,15,,,2,11,"Non-domain (Wired) Compliant",0,"311 1 ::1 04/20/2008 11:08:13 2708",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,
    "TED","IAS",04/21/2008,13:43:28,2,,"FAFUKHK\rudisar",,,,,,,,0,"192.168.11.12","Cat12",,,,,1,2,11,"Non-domain (Wired) Compliant",0,"311 1 ::1 04/20/2008 11:08:13 2708",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,16777229,16777222,,,,"0x013334",,,,,,,,"0x01464146554B484B",,,"NAP 802.1X (Wired)",1,,,,

     

    PS: I will try the same tomorrow on Windows Vista w/SP1.

     

     

    Thanks,

    L.

    Monday, April 21, 2008 12:13 PM
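The two IAS-format excerpts above (this post and the 19 April one) show the same sequence each time: an Access-Request with outer identity `host/pcuvt10` and account `FAFUKHK\PCUVT10$`, answered by an Access-Reject, then after `netsh lan reconnect` an Access-Request for `rudisar@faf.cuni.cz` answered by an Access-Accept under the "Non-domain (Wired) Compliant" policy. The following is an added example, not code from the thread or from Microsoft: a small Python correlator that pairs NPS Access-Request lines with their Accept/Reject by the Class attribute, flags rejected machine identities (a `host/<name>` outer identity or a `DOMAIN\NAME$` account), and checks whether the same client MAC later got a user-level Accept. The column positions are an assumption that the file is in the standard IAS log-file format, which is what the posted lines match; the sample lines embedded in the block are the four lines from this post.

```python
"""Correlate NPS (IAS-format) log lines to find the boot-time pattern seen in
this thread: an Access-Reject for the Windows machine identity that is later
followed by an Access-Accept for the real user from the same client MAC.
Added example; the sample lines are copied from the posts above."""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional

# RADIUS codes as they appear in the Packet-Type column.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = "1", "2", "3"

# 0-based column positions, assuming the standard IAS log-file format
# (Packet-Type, User-Name, Fully-Qualified-User-Name, Calling-Station-ID,
# NAS-Port, Policy-Name, Reason-Code, Class).
COL_PACKET_TYPE, COL_USER_NAME, COL_FQ_USER, COL_CALLING_STATION = 4, 5, 6, 8
COL_NAS_PORT, COL_POLICY, COL_REASON, COL_CLASS = 13, 24, 25, 26

# Constructed sample: the four lines posted in the thread (boot: machine
# identity rejected; after "netsh lan reconnect": domain user accepted).
SAMPLE_LOG = r'''"TED","IAS",04/21/2008,13:41:29,1,"host/pcuvt10","FAFUKHK\PCUVT10$","00-1C-0F-9A-56-2F","00-1A-A0-D6-17-D2",,,,"192.168.11.12",50047,0,"192.168.11.12","Cat12",,,15,,,2,11,,0,"311 1 ::1 04/20/2008 11:08:13 2698",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,
"TED","IAS",04/21/2008,13:41:29,3,,"FAFUKHK\PCUVT10$",,,,,,,,0,"192.168.11.12","Cat12",,,,,,,11,,34,"311 1 ::1 04/20/2008 11:08:13 2698",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,
"TED","IAS",04/21/2008,13:43:28,1,"rudisar@faf.cuni.cz","FAFUKHK\rudisar","00-1C-0F-9A-56-2F","00-1A-A0-D6-17-D2",,,,"192.168.11.12",50047,0,"192.168.11.12","Cat12",,,15,,,2,11,"Non-domain (Wired) Compliant",0,"311 1 ::1 04/20/2008 11:08:13 2708",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"NAP 802.1X (Wired)",1,,,,
"TED","IAS",04/21/2008,13:43:28,2,,"FAFUKHK\rudisar",,,,,,,,0,"192.168.11.12","Cat12",,,,,1,2,11,"Non-domain (Wired) Compliant",0,"311 1 ::1 04/20/2008 11:08:13 2708",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,16777229,16777222,,,,"0x013334",,,,,,,,"0x01464146554B484B",,,"NAP 802.1X (Wired)",1,,,,
'''


@dataclass
class Attempt:
    """One request/response pair, joined on the Class attribute NPS adds."""
    class_id: str
    request: Optional[List[str]] = None
    response: Optional[List[str]] = None

    @property
    def user_name(self) -> str:
        return self.request[COL_USER_NAME] if self.request else ""

    @property
    def client_mac(self) -> str:
        return self.request[COL_CALLING_STATION] if self.request else ""

    @property
    def nas_port(self) -> str:
        return self.request[COL_NAS_PORT] if self.request else ""

    @property
    def outcome(self) -> str:
        if not self.response:
            return "no-response"
        return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(
            self.response[COL_PACKET_TYPE], "other")

    @property
    def reason_code(self) -> Optional[int]:
        if not self.response or not self.response[COL_REASON]:
            return None
        return int(self.response[COL_REASON])

    @property
    def is_machine_identity(self) -> bool:
        """host/<name> outer identity or DOMAIN\\NAME$ account: the computer
        account, not a user."""
        fq_user = self.request[COL_FQ_USER] if self.request else ""
        return self.user_name.lower().startswith("host/") or fq_user.endswith("$")


def parse_ias_log(text: str) -> List[Attempt]:
    """Pair each Access-Request with its Accept/Reject via the Class column."""
    attempts: Dict[str, Attempt] = {}
    order: List[str] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) <= COL_CLASS:
            continue  # blank or truncated line
        key = row[COL_CLASS]
        if key not in attempts:
            attempts[key] = Attempt(key)
            order.append(key)
        if row[COL_PACKET_TYPE] == ACCESS_REQUEST:
            attempts[key].request = row
        else:
            attempts[key].response = row
    return [attempts[k] for k in order]


def find_machine_rejects(attempts: List[Attempt]) -> List[Dict[str, object]]:
    """Report rejected machine-identity attempts and whether the same client
    MAC later received an Access-Accept as a user (the thread's symptom)."""
    findings: List[Dict[str, object]] = []
    for i, a in enumerate(attempts):
        if a.outcome != "reject" or not a.is_machine_identity:
            continue
        later = next((b for b in attempts[i + 1:]
                      if b.outcome == "accept" and b.client_mac == a.client_mac
                      and not b.is_machine_identity), None)
        findings.append({
            "identity": a.user_name,
            "port": a.nas_port,
            "reason_code": a.reason_code,
            "user_accept_follows": later.user_name if later else None,
            "policy": later.request[COL_POLICY] if later and later.request else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_machine_rejects(parse_ias_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real C:\Windows\system32\LogFiles\IN*.log the same way; a finding whose `user_accept_follows` is set is exactly the "reject at boot, accept after the credential prompt" case, while a finding with no later accept is a port that stayed in the auth-fail state.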
  • Hi,

     

    Someone here suggested that this may be caused by a spanning tree setting. Please try enabling "spanning tree portfast" on the switch port.

     

    What switch are you using?

     

    Thanks,

    -Greg

    Tuesday, April 22, 2008 4:26 AM
  • Hi,

     

    I use a C2960 with IOS 12.2.44 and this config:

    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    dot1x system-auth-control

    interface FastEthernet0/47
     switchport access vlan 33
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x timeout reauth-period 300
     dot1x max-req 3
     dot1x max-reauth-req 3
     dot1x auth-fail vlan 33
     no cdp enable
     spanning-tree portfast

     

     

    Thanks,

    Ladislav

     

     

    Tuesday, April 22, 2008 5:38 AM
  • Hi,

     

    I see you already have spanning-tree portfast enabled. You might try increasing the max-req and max-reauth-req values to see if this helps.

     

    What I recommend you do is to issue a "debug aaa authentication" command on the switch and watch the authentication process. Issue "no debug AAA authentication" to turn it off again. This will provide detailed logs of the authentication process.

     

    You should see something like:

     

    04:14:33: AAA/MEMORY: create_user (0x80D09554) user='CONTOSO\user1' ruser='CONTOSO\user1' port='FastEthernet0/1' rem_addr='00-06-5B-A6-51-33/00-0D-28-C0-48-41' authen_type=EAP service=802.1x priv=1
    04:14:33: AAA/AUTHEN/START (367017375): port='FastEthernet0/1' list='Dot1x Acc List' action=LOGIN service=802.1x
    04:14:33: AAA/AUTHEN/START (367017375): using "default" list
    04:14:33: AAA/AUTHEN/START (367017375): Method=NPS (radius)
    04:14:33: AAA/AUTHEN (367017375): status = GETDATA
    04:14:33: AAA/AUTHEN/CONT (367017375): continue_login (user='CONTOSO\user1')

     

    Also please provide the logs I've requested. Issue Netsh ras set tr * en on the NPS server. Demonstrate the problem scenario, then disable with netsh ras set tr * dis and provide the output of IASSAM.log.

    Also check svchost_rastls.log for errors. These files are populated in the Windows\tracing directory.

     

    -Greg

    Tuesday, April 22, 2008 7:41 AM
  • Hi,

     

    svchost_rastls.log:


    [2184] 04-22 10:36:14:336: EapPeapMakeMessage
    [2184] 04-22 10:36:14:336: EapPeapSMakeMessage, flags(0x805)
    [2184] 04-22 10:36:14:336: EapPeapSMakeMessage, user prop flags(0x2)
    [2184] 04-22 10:36:14:336: Cloned PPP_EAP_PACKET packet
    [2184] 04-22 10:36:14:336: PEAP:PEAP_STATE_TLS_INPROGRESS
    [2184] 04-22 10:36:14:336: EapTlsSMakeMessage, state(1)
    [2184] 04-22 10:36:14:336: MakeReplyMessage
    [2184] 04-22 10:36:14:336: Reallocating input TLS blob buffer
    [2184] 04-22 10:36:14:336: SecurityContextFunction
    [2184] 04-22 10:36:14:336: AcceptSecurityContext returned 0x90312
    [2184] 04-22 10:36:14:336: State change to SentHello
    [2184] 04-22 10:36:14:336: BuildPacket
    [2184] 04-22 10:36:14:336: << Sending Request (Code: 1) packet: Id: 4, Length: 1496, Type: 13, TLS blob length: 2962. Flags: LM
    [2184] 04-22 10:36:14:336: EapPeapSMakeMessage done
    [2184] 04-22 10:36:14:336: EapPeapMakeMessage done
    [1640] 04-22 10:36:14:399: EapPeapMakeMessage
    [1640] 04-22 10:36:14:399: EapPeapSMakeMessage, flags(0xa05)
    [1640] 04-22 10:36:14:399: EapPeapSMakeMessage, user prop flags(0x2)
    [1640] 04-22 10:36:14:399: Cloned PPP_EAP_PACKET packet
    [1640] 04-22 10:36:14:399: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1640] 04-22 10:36:14:399: EapTlsSMakeMessage, state(2)
    [1640] 04-22 10:36:14:399: BuildPacket
    [1640] 04-22 10:36:14:399: << Sending Request (Code: 1) packet: Id: 5, Length: 1482, Type: 13, TLS blob length: 0. Flags:
    [1640] 04-22 10:36:14:399: EapPeapSMakeMessage done
    [1640] 04-22 10:36:14:399: EapPeapMakeMessage done
    [2184] 04-22 10:36:14:571: EapPeapMakeMessage
    [2184] 04-22 10:36:14:571: EapPeapSMakeMessage, flags(0xa05)
    [2184] 04-22 10:36:14:571: EapPeapSMakeMessage, user prop flags(0x2)
    [2184] 04-22 10:36:14:571: Cloned PPP_EAP_PACKET packet
    [2184] 04-22 10:36:14:571: PEAP:PEAP_STATE_TLS_INPROGRESS
    [2184] 04-22 10:36:14:571: EapTlsSMakeMessage, state(2)
    [2184] 04-22 10:36:14:571: MakeReplyMessage
    [2184] 04-22 10:36:14:571: Reallocating input TLS blob buffer
    [2184] 04-22 10:36:14:571: SecurityContextFunction
    [2184] 04-22 10:36:14:571: AcceptSecurityContext returned 0x0
    [2184] 04-22 10:36:14:571: AuthenticateUser
    [2184] 04-22 10:36:14:571: QueryContextAttributes failed and returned 0x8009030e
    [2184] 04-22 10:36:14:571: Got no credentials from the client and executing PEAP.  This is a success for eaptls.
    [2184] 04-22 10:36:14:571: CreateMPPEKeyAttributes
    [2184] 04-22 10:36:14:571: State change to SentFinished
    [2184] 04-22 10:36:14:571: BuildPacket
    [2184] 04-22 10:36:14:571: << Sending Request (Code: 1) packet: Id: 6, Length: 57, Type: 13, TLS blob length: 47. Flags: L
    [2184] 04-22 10:36:14:571: EapPeapSMakeMessage done
    [2184] 04-22 10:36:14:571: EapPeapMakeMessage done
    [1640] 04-22 10:36:15:649: EapPeapMakeMessage
    [1640] 04-22 10:36:15:649: EapPeapSMakeMessage, flags(0xa05)
    [1640] 04-22 10:36:15:649: EapPeapSMakeMessage, user prop flags(0x2)
    [1640] 04-22 10:36:15:649: Cloned PPP_EAP_PACKET packet
    [1640] 04-22 10:36:15:649: PEAP:PEAP_STATE_TLS_INPROGRESS
    [1640] 04-22 10:36:15:649: EapTlsSMakeMessage, state(3)
    [1640] 04-22 10:36:15:649: Negotiation successful
    [1640] 04-22 10:36:15:649: IsTLSSessionReconnect
    [1640] 04-22 10:36:15:649: Full Tls authentication performed
    [1640] 04-22 10:36:15:649: BuildPacket
    [1640] 04-22 10:36:15:649: << Sending Success (Code: 3) packet: Id: 6, Length: 4, Type: 0, TLS blob length: 0. Flags:
    [1640] 04-22 10:36:15:649: AuthResultCode = (0), bCode = (3)
    [1640] 04-22 10:36:15:649: PeapGetTunnelProperties
    [1640] 04-22 10:36:15:649: Successfully negotiated TLS with following parameters dwProtocol = 0x40, Cipher= 0x6801, CipherStrength=0x80, Hash=0x8004
    [1640] 04-22 10:36:15:649: PeapGetTunnelProperties done
    [1640] 04-22 10:36:15:649: Full authentication
    [1640] 04-22 10:36:15:649: PeapEncryptTunnelData
    [1640] 04-22 10:36:15:649: Blob length 26
    [1640] 04-22 10:36:15:649: PeapEncryptTunnelData completed with status 0x0
    [1640] 04-22 10:36:15:649: EapPeapSMakeMessage done
    [1640] 04-22 10:36:15:649: EapPeapMakeMessage done
    [2184] 04-22 10:36:17:149: EapPeapMakeMessage
    [2184] 04-22 10:36:17:149: EapPeapSMakeMessage, flags(0xa05)
    [2184] 04-22 10:36:17:149: EapPeapSMakeMessage, user prop flags(0x2)
    [2184] 04-22 10:36:17:149: Cloned PPP_EAP_PACKET packet
    [2184] 04-22 10:36:17:149: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
    [2184] 04-22 10:36:17:149: PeapDecryptTunnelData dwSizeofData = 38, pData = 0x4ccab76
    [2184] 04-22 10:36:17:149: Blob length 38
    [2184] 04-22 10:36:17:149: PeapDecryptTunnelData completed with status 0x0
    [2184] 04-22 10:36:17:149:  Buffer length is 13
    [2184] 04-22 10:36:17:149: CRP - Create Identity Attribute
    [2184] 04-22 10:36:17:149: EapPeapSMakeMessage done
    [2184] 04-22 10:36:17:149: EapPeapMakeMessage done
    [2184] 04-22 10:36:17:149: EapPeapMakeMessage
    [2184] 04-22 10:36:17:149: EapPeapSMakeMessage, flags(0x2a05)
    [2184] 04-22 10:36:17:149: EapPeapSMakeMessage, user prop flags(0x2)
    [2184] 04-22 10:36:17:149: PEAP:PEAP_STATE_IDENTITY_REQUEST_SENT
    [2184] 04-22 10:36:17:149: CreateEAPTLVPacket
    [2184] 04-22 10:36:17:149: TLV contents:
     
     8 0   0 3   0 0   0 2   0 0   0 2   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   0 0   | . . . . . . . . . . . . . . . . |
    [2184] 04-22 10:36:17:149: Found a status TLV
    [2184] 04-22 10:36:17:149: Client returned Failure TLV
    [2184] 04-22 10:36:17:149: PeapEncryptTunnelData
    [2184] 04-22 10:36:17:149: Blob length 36
    [2184] 04-22 10:36:17:149: PeapEncryptTunnelData completed with status 0x0
    [2184] 04-22 10:36:17:149: Authentication failed due to IAS policy restrictions
    [2184] 04-22 10:36:17:149: EapPeapSMakeMessage done
    [2184] 04-22 10:36:17:149: EapPeapMakeMessage done
    [1640] 04-22 10:36:18:758: EapPeapMakeMessage
    [1640] 04-22 10:36:18:758: EapPeapSMakeMessage, flags(0x3a05)
    [1640] 04-22 10:36:18:758: EapPeapSMakeMessage, user prop flags(0x2)
    [1640] 04-22 10:36:18:758: Cloned PPP_EAP_PACKET packet
    [1640] 04-22 10:36:18:758: PEAP:PEAP_STATE_PEAP_FAIL_SEND
    [1640] 04-22 10:36:18:758: PeapDecryptTunnelData dwSizeofData = 36, pData = 0x4ccba36
    [1640] 04-22 10:36:18:758: Blob length 36
    [1640] 04-22 10:36:18:758: PeapDecryptTunnelData completed with status 0x0
    [1640] 04-22 10:36:18:758:  Buffer length is 11
    [1640] 04-22 10:36:18:758: GetPEAPTLVStatusMessageValueServer
    [1640] 04-22 10:36:18:758: Found a result TLV 2
    [1640] 04-22 10:36:18:758: SetTLSFastReconnect
    [1640] 04-22 10:36:18:758: IsTLSSessionReconnect
    [1640] 04-22 10:36:18:758: Full Tls authentication performed
    [1640] 04-22 10:36:18:758: The session is not setup for fast reconnects.  No need to disable.
    [1640] 04-22 10:36:18:758: PeapAddContextAttributes
    [1640] 04-22 10:36:18:758: RasAuthAttributeConcat
    [1640] 04-22 10:36:18:758: EapPeapSMakeMessage done
    [1640] 04-22 10:36:18:758: EapPeapMakeMessage done

     

    IASSAM.LOG:

    [2184] 04-22 10:36:14:336: Successfully retrieved session (1103) for user FAFUKHK\PCUVT10$.
    [2184] 04-22 10:36:14:336: Processing output from EAP: action:1
    [2184] 04-22 10:36:14:336: Inserting outbound EAP-Message of length 1496.
    [2184] 04-22 10:36:14:336: Issuing Access-Challenge.
    [2184] 04-22 10:36:14:336: No AUTHENTICATION extensions, continuing
    [2184] 04-22 10:36:14:336: No AUTHORIZATION extensions, continuing
    [1640] 04-22 10:36:14:399: Successfully retrieved session (1103) for user FAFUKHK\PCUVT10$.
    [1640] 04-22 10:36:14:399: Processing output from EAP: action:1
    [1640] 04-22 10:36:14:399: Inserting outbound EAP-Message of length 1482.
    [1640] 04-22 10:36:14:399: Issuing Access-Challenge.
    [1640] 04-22 10:36:14:399: No AUTHENTICATION extensions, continuing
    [1640] 04-22 10:36:14:399: No AUTHORIZATION extensions, continuing
    [2184] 04-22 10:36:14:571: Successfully retrieved session (1103) for user FAFUKHK\PCUVT10$.
    [2184] 04-22 10:36:14:571: Processing output from EAP: action:1
    [2184] 04-22 10:36:14:571: Inserting outbound EAP-Message of length 57.
    [2184] 04-22 10:36:14:571: Issuing Access-Challenge.
    [2184] 04-22 10:36:14:571: No AUTHENTICATION extensions, continuing
    [2184] 04-22 10:36:14:571: No AUTHORIZATION extensions, continuing
    [1640] 04-22 10:36:15:649: Successfully retrieved session (1103) for user FAFUKHK\PCUVT10$.
    [1640] 04-22 10:36:15:649: Processing output from EAP: action:1
    [1640] 04-22 10:36:15:649: Inserting outbound EAP-Message of length 32.
    [1640] 04-22 10:36:15:649: Issuing Access-Challenge.
    [1640] 04-22 10:36:15:649: No AUTHENTICATION extensions, continuing
    [1640] 04-22 10:36:15:649: No AUTHORIZATION extensions, continuing
    [2184] 04-22 10:36:17:149: Successfully retrieved session (1103) for user FAFUKHK\PCUVT10$.
    [2184] 04-22 10:36:17:149: Processing output from EAP: action:4
    [2184] 04-22 10:36:17:149: Processing PEAP inner identity
    [2184] 04-22 10:36:17:149: Translating attributes returned by EAPHost.
    [2184] 04-22 10:36:17:149: Inserting attribute 1
    [2184] 04-22 10:36:17:149: NT-SAM Names handler received request with user identity host/pcuvt10.
    [2184] 04-22 10:36:17:149: Successfully cracked username.
    [2184] 04-22 10:36:17:149: SAM-Account-Name is "FAFUKHK\PCUVT10$".
    [2184] 04-22 10:36:17:149: No AUTHENTICATION extensions, continuing
    [2184] 04-22 10:36:17:149: NT-SAM Authentication handler received request for FAFUKHK\PCUVT10$.
    [2184] 04-22 10:36:17:149: Validating windows user account FAFUKHK\PCUVT10$
    [2184] 04-22 10:36:17:149: Sending LDAP search to ted.faf.cuni.cz.
    [2184] 04-22 10:36:17:149: ValidateLdapResponse failed: Logon failure: account currently disabled.
    [2184] 04-22 10:36:17:149: No AUTHORIZATION extensions, continuing
    [2184] 04-22 10:36:17:149: pEapHost->EapHostAuthenticatorSetAttributes called succesfullywith 1 EAP attributes
    [2184] 04-22 10:36:17:149: Processing output from EAP: action:1
    [2184] 04-22 10:36:17:149: Inserting outbound EAP-Message of length 42.
    [2184] 04-22 10:36:17:149: Issuing Access-Challenge.
    [1640] 04-22 10:36:18:758: Successfully retrieved session (1103) for user FAFUKHK\PCUVT10$.
    [1640] 04-22 10:36:18:758: Processing output from EAP: action:2
    [1640] 04-22 10:36:18:758: Translating attributes returned by EAPHost.
    [1640] 04-22 10:36:18:758: Inserting attribute 8100
    [1640] 04-22 10:36:18:758: Inserting attribute 8099
    [1640] 04-22 10:36:18:758: Inserting attribute 4140
    [1640] 04-22 10:36:18:758: Inserting attribute 4141
    [1640] 04-22 10:36:18:758: EAP authentication failed.
    [1640] 04-22 10:36:18:758: No AUTHENTICATION extensions, continuing
    [1640] 04-22 10:36:18:758: No AUTHORIZATION extensions, continuing
    [1640] 04-22 10:36:18:758: Inserting outbound EAP-Message of length 4.

     

    cisco debug aaa:

     

    CLUSTER_MEMBER_5: RADIUS/DECODE: EAP-Message fragments, 42, total 42 bytes
    CLUSTER_MEMBER_5: RADIUS/ENCODE(000002BB):Orig. component type = DOT1X
    CLUSTER_MEMBER_5: RADIUS:  AAA Unsupported Attr: audit-session-id  [599] 24
    CLUSTER_MEMBER_5: RADIUS:   43 30 41 38 30 42 30 43 30 30 30 30 30 33 43 44  [C0A80B0C000003CD]
    CLUSTER_MEMBER_5: RADIUS:   35 39 30 44 42 46            [ 590DBF]
    CLUSTER_MEMBER_5: RADIUS:  AAA Unsupported Attr: interface         [170] 16
    CLUSTER_MEMBER_5: RADIUS:   46 61 73 74 45 74 68 65 72 6E 65 74 30 2F    [FastEthernet0/]
    CLUSTER_MEMBER_5: RADIUS(000002BB): Config NAS IP: 0.0.0.0
    CLUSTER_MEMBER_5: RADIUS/ENCODE(000002BB): acct_session_id: 699
    CLUSTER_MEMBER_5: RADIUS(000002BB): sending
    CLUSTER_MEMBER_5: RADIUS/ENCODE: Best Local IP-Address 192.168.11.12 for Radius-Server 172.18.100.28
    CLUSTER_MEMBER_5: RADIUS(000002BB): Send Access-Request to 172.18.100.28:1812 id 1645/142, len 220
    CLUSTER_MEMBER_5: RADIUS:  authenticator E2 BC 3D E5 7C 33 00 B6 - 00 D8 ED 4B 14 1D 7F EB
    CLUSTER_MEMBER_5: RADIUS:  User-Name           [1]   14  "host/pcuvt10"
    CLUSTER_MEMBER_5: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    CLUSTER_MEMBER_5: RADIUS:  Framed-MTU          [12]  6   1500
    CLUSTER_MEMBER_5: RADIUS:  Called-Station-Id   [30]  19  "00-1C-0F-9A-56-2F"
    CLUSTER_MEMBER_5: RADIUS:  Calling-Station-Id  [31]  19  "00-1A-A0-D6-17-D2"
    CLUSTER_MEMBER_5: RADIUS:  EAP-Message         [79]  44
    CLUSTER_MEMBER_5: RADIUS:   02 08 00 2A 19 00 17 03 01 00 1F 9C 32 F2 77 DB 2D 47 7C E6 81 BE AF 92 D2 62 4F A4 43 95 5F BE 69 32 D1 85 92 E1 07 6A 56 F6    [*2w-G|bOC_i2jV]
    CLUSTER_MEMBER_5: RADIUS:  Message-Authenticato[80]  18
    CLUSTER_MEMBER_5: RADIUS:   29 8F 1A C6 28 B4 D6 A6 A8 A2 EA BC 6E 29 B5 40   [ )(n)@]
    CLUSTER_MEMBER_5: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    CLUSTER_MEMBER_5: RADIUS:  NAS-Port            [5]   6   50047
    CLUSTER_MEMBER_5: RADIUS:  NAS-Port-Id         [87]  18  "FastEthernet0/47"
    CLUSTER_MEMBER_5: RADIUS:  State               [24]  38
    CLUSTER_MEMBER_5: RADIUS:   0D 20 01 C5 00 00 01 37 00 01 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 08 67 99 33 38             [  7g38]
    CLUSTER_MEMBER_5: RADIUS:  NAS-IP-Address      [4]   6   192.168.11.12
    CLUSTER_MEMBER_5: RADIUS: Received from id 1645/142 172.18.100.28:1812, Access-Reject, len 160
    CLUSTER_MEMBER_5: RADIUS:  authenticator A3 26 A5 8C 8E 6F 87 20 - 9A 32 6D 02 1A 82 B6 AF
    CLUSTER_MEMBER_5: RADIUS:  EAP-Message         [79]  6
    CLUSTER_MEMBER_5: RADIUS:   04 08 00 04
    CLUSTER_MEMBER_5: RADIUS:  Vendor, Microsoft   [26]  58
    CLUSTER_MEMBER_5: RADIUS:   MS-MPPE-Send-Key   [16]  52  *
    CLUSTER_MEMBER_5: RADIUS:  Vendor, Microsoft   [26]  58
    CLUSTER_MEMBER_5: RADIUS:   MS-MPPE-Recv-Key   [17]  52  *
    CLUSTER_MEMBER_5: RADIUS:  Message-Authenticato[80]  18
    CLUSTER_MEMBER_5: RADIUS:   0F C0 DD C6 FA 13 D8 60 A4 5C 85 90 A0 81 A3 00   [ `\]

    Thanks,

    L.

    Tuesday, April 22, 2008 8:42 AM
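An added example (not part of the thread, and not Ladislav's or Greg's code) that decodes the bytes in the dumps posted above. It takes the EAP-Message octets from the Cisco debug (the 42-byte response inside the Access-Request and the 4-byte message inside the Access-Reject) and the PEAP TLV bytes from svchost_rastls.log (the "TLV contents" hex, read here as the six octets 80 03 00 02 00 02; that reading is an interpretation of the RAS dump format) and shows what they are: a PEAPv0 response carrying one 36-byte TLS application-data record, which is exactly the "PeapDecryptTunnelData dwSizeofData = 36" in the RAS log; a mandatory Result TLV with status Failure, the "Client returned Failure TLV" / "Found a result TLV 2" lines; and an EAP Failure (code 4) for identifier 8, which the switch forwards to the port as the 802.1X failure. The "host/pcuvt10" User-Name is the Windows machine-account identity form that NPS' NT-SAM Names handler cracks to FAFUKHK\PCUVT10$. Standard library only; the byte strings are transcribed from the posted output.

```python
"""Decode the EAP-Message and PEAP TLV bytes from the dumps above.

Added example, not part of the thread. Byte strings are transcribed from the
Cisco 'debug radius' output and svchost_rastls.log posted above.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2", 33: "EAP-TLV"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
PEAP_TLV_TYPES = {3: "Result", 7: "Crypto-Binding"}
PEAP_RESULT = {1: "Success", 2: "Failure"}

# Cisco debug, Access-Request: EAP-Message [79] 44 -> 42 octets of EAP
EAP_RESPONSE_HEX = (
    "02 08 00 2A 19 00 17 03 01 00 1F 9C 32 F2 77 DB 2D "
    "47 7C E6 81 BE AF 92 D2 62 4F A4 43 95 5F BE 69 32 D1 85 92 E1 07 6A 56 F6"
)
# Cisco debug, Access-Reject: EAP-Message [79] 6 -> 4 octets of EAP
EAP_FAILURE_HEX = "04 08 00 04"
# svchost_rastls.log 'TLV contents' at 10:36:17:149, read as these six octets (interpretation)
STATUS_TLV_HEX = "80 03 00 02 00 02"


def decode_eap(pkt: bytes) -> dict:
    """Parse the RFC 3748 header; for PEAP also the flags octet and the TLS record header."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-octet header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length field {length} != {len(pkt)} octets on the wire")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # Success and Failure carry no Type octet
        return out
    etype = pkt[4]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 25 and length >= 6:
        flags = pkt[5]
        out["peap_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                             "S": bool(flags & 0x20), "version": flags & 0x07}
        off = 6 + (4 if flags & 0x80 else 0)  # L set => a 4-octet TLS Message Length follows
        tls = pkt[off:]
        out["tls_record_bytes"] = len(tls)  # what PeapDecryptTunnelData receives (dwSizeofData)
        if len(tls) >= 5:
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])
            out["tls"] = {"content_type": TLS_CONTENT.get(ctype, ctype),
                          "version": f"{vmaj}.{vmin}", "fragment_len": rlen}
    return out


def decode_peap_tlvs(data: bytes) -> list:
    """Walk PEAPv0 TLVs: 1 bit M(andatory), 1 bit reserved, 14 bits Type, 16 bits Length."""
    tlvs, i = [], 0
    while i + 4 <= len(data):
        t, tlen = struct.unpack("!HH", data[i:i + 4])
        ttype, value = t & 0x3FFF, data[i + 4:i + 4 + tlen]
        if len(value) != tlen:
            raise ValueError("truncated TLV")
        tlv = {"type": PEAP_TLV_TYPES.get(ttype, ttype), "mandatory": bool(t & 0x8000), "length": tlen}
        if ttype == 3 and tlen == 2:  # Result TLV: 1 = Success, 2 = Failure
            tlv["status"] = PEAP_RESULT.get(struct.unpack("!H", value)[0], value.hex())
        tlvs.append(tlv)
        i += 4 + tlen
    return tlvs


def classify_username(user_name: str) -> str:
    """NPS' NT-SAM Names handler maps 'host/<name>' to the <NAME>$ computer account."""
    if user_name.lower().startswith("host/"):
        return f"machine account ({user_name[5:].upper()}$)"
    return "user account"


if __name__ == "__main__":
    print(decode_eap(bytes.fromhex(EAP_RESPONSE_HEX)))
    print(decode_eap(bytes.fromhex(EAP_FAILURE_HEX)))
    print(decode_peap_tlvs(bytes.fromhex(STATUS_TLV_HEX)))
    print(classify_username("host/pcuvt10"))
```

The length check in decode_eap is what catches a truncated or re-assembled EAP-Message attribute; the Cisco "EAP-Message fragments, 42, total 42 bytes" line confirms the switch passed the whole EAP packet in one attribute here.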
  • Hi,

     

    IASSAM.LOG agrees with your netmon analysis that RADIUS seems to be trying to authenticate a windows machine account (FAFUKHK\PCUVT10$) as a user account after rebooting. This is strange, but I am able to duplicate this with my 2950 if I reboot the client machine. I think this is actually normal.

     

    My log also says "Successfully retrieved session (171) for user WOODGROVEBANK\CLI-1$", which is the machine account.

     

    Does your port shut down after rebooting? Here is what happens for me:

     

    <--reboot here-->

    13w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
    13w5d: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

    13w5d: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up

    <--reboot completed, user not logged in-->

    <--user logged in-->

    <--network credentials entered-->

    13w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

     

    As you can see, line protocol is down but the port is up prior to the user entering their network/domain credentials. Is your port down or up?

     

    I enabled dot1x debug on the switch to see what happens prior to the user logging in, and the port does appear to enter an "unauthorized" state. I wonder if your client is failing to VLAN 33 in this case. Please issue a "show vlan" on the switch before you enter user credentials and see if the client is in VLAN 33.

     

    The 802.1X auth failure continues until network/domain credentials are entered, when I get authsuccess and the link changes to UP.

     

    You might try removing the auth-fail VLAN from your configuration and see if this helps. Please tell me if line protocol is up or down.

     

    I also see this in svchost_rastls.log:

     

    [2184] 04-22 10:36:17:149: Authentication failed due to IAS policy restrictions

     

    This is strange, because I only see this if I configure connection request policy to not match the client's PEAP settings. Please confirm your server-side configuration on NPS by posting the output of netsh nps show config.

     

    Thanks,

    -Greg

    Tuesday, April 22, 2008 8:53 PM
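An added example, not Greg's or Ladislav's: the two NPS trace files interlock through the thread id in brackets and the millisecond timestamp, so they can be merged into one timeline and scanned for the few lines that decide the outcome. Run over the lines posted above (copied into the script as sample input) it reports the sequence inner identity host/pcuvt10 -> SAM-Account-Name "FAFUKHK\PCUVT10$" -> "ValidateLdapResponse failed: Logon failure: account currently disabled." -> "Authentication failed due to IAS policy restrictions" -> Result TLV Failure -> "EAP authentication failed", all on thread 2184 at 10:36:17.149 and thread 1640 at 10:36:18.758. The RULES table is this script's own reading of the messages, not an NPS specification, and the "year" default only exists because the trace format carries no year.

```python
"""Merge IASSAM.LOG and svchost_rastls.log into one timeline and flag the decisive lines.

Added example, not from the thread. SAMPLE_* are lines copied from the logs posted
above; RULES is this script's own reading of what each message means.
"""
import re
from datetime import datetime

# [thread-id] MM-DD HH:MM:SS:mmm: message   (the leading '[' is missing on one posted line)
LINE_RE = re.compile(r"^\[?(?P<tid>\d+)\]\s+(?P<mon>\d\d)-(?P<day>\d\d)\s+"
                     r"(?P<time>\d\d:\d\d:\d\d):(?P<ms>\d{3}):\s*(?P<msg>.*)$")

# (pattern, stage, meaning); the first matching rule wins for a line
RULES = [
    (re.compile(r"NT-SAM Names handler received request with user identity (\S+)\."),
     "identity", "inner identity presented by the PEAP client"),
    (re.compile(r'SAM-Account-Name is "([^"]+)"'), "identity", "identity cracked to a SAM account"),
    (re.compile(r"ValidateLdapResponse failed: (.*)"), "cause", "directory rejected the account"),
    (re.compile(r"Authentication failed due to IAS policy restrictions"),
     "verdict", "NPS handed Failure to the PEAP inner method"),
    (re.compile(r"Client returned Failure TLV|Found a result TLV 2"),
     "result_tlv", "PEAP Result TLV with status Failure"),
    (re.compile(r"EAP authentication failed"), "verdict", "EAP Failure / Access-Reject sent"),
]

SAMPLE_IASSAM = """\
[2184] 04-22 10:36:17:149: Successfully retrieved session (1103) for user FAFUKHK\\PCUVT10$.
[2184] 04-22 10:36:17:149: NT-SAM Names handler received request with user identity host/pcuvt10.
[2184] 04-22 10:36:17:149: SAM-Account-Name is "FAFUKHK\\PCUVT10$".
[2184] 04-22 10:36:17:149: Validating windows user account FAFUKHK\\PCUVT10$
[2184] 04-22 10:36:17:149: ValidateLdapResponse failed: Logon failure: account currently disabled.
[1640] 04-22 10:36:18:758: EAP authentication failed.
[1640] 04-22 10:36:18:758: Inserting outbound EAP-Message of length 4.
"""
SAMPLE_RASTLS = """\
[2184] 04-22 10:36:17:149: Client returned Failure TLV
[2184] 04-22 10:36:17:149: Authentication failed due to IAS policy restrictions
[1640] 04-22 10:36:18:758: Found a result TLV 2
"""


def parse_line(line, source, year=2008):
    """One trace line -> event dict, or None for continuation/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}-{m['mon']}-{m['day']} {m['time']}.{m['ms']}",
                           "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts, "tid": int(m["tid"]), "src": source, "msg": m["msg"]}


def merge_logs(named_logs):
    """Parse every file and order all events by timestamp (stable within equal stamps)."""
    events = []
    for name, text in named_logs.items():
        for ln in text.splitlines():
            ev = parse_line(ln, name)
            if ev:
                events.append(ev)
    return sorted(events, key=lambda e: (e["ts"], e["src"]))


def triage(events):
    """Keep only events a RULES entry explains, with the captured detail."""
    findings = []
    for ev in events:
        for rx, stage, meaning in RULES:
            m = rx.search(ev["msg"])
            if m:
                findings.append({"ts": ev["ts"].strftime("%H:%M:%S.%f")[:-3], "tid": ev["tid"],
                                 "src": ev["src"], "stage": stage, "meaning": meaning,
                                 "detail": m.group(1) if m.groups() else m.group(0)})
                break
    return findings


def root_cause(findings):
    """First 'cause' finding, or None when only verdicts were logged."""
    return next((f for f in findings if f["stage"] == "cause"), None)


def same_thread(findings):
    """Events sharing a timestamp should share the NPS thread id; a mismatch means two traces got mixed."""
    by_ts = {}
    for f in findings:
        by_ts.setdefault(f["ts"], set()).add(f["tid"])
    return all(len(tids) == 1 for tids in by_ts.values())


def analyse(named_logs):
    findings = triage(merge_logs(named_logs))
    return {"findings": findings, "root_cause": root_cause(findings),
            "thread_consistent": same_thread(findings)}


if __name__ == "__main__":
    result = analyse({"IASSAM.LOG": SAMPLE_IASSAM, "svchost_rastls.log": SAMPLE_RASTLS})
    for f in result["findings"]:
        print(f"{f['ts']} [{f['tid']}] {f['src']:<20} {f['stage']:<10} {f['detail']}")
    print("root cause:", result["root_cause"]["detail"] if result["root_cause"] else "not found")
```

When the traces come from a busy server, filter on the session id ("retrieved session (1103)") before merging, otherwise interleaved authentications share timestamps and same_thread() will report false mixing.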
  • Hi Greg,

    Yes, port down/up.

    I tried the same scenario on Windows Vista w/SP1 and this OS is working FINE!

     

    After this I removed the auth-fail VLAN and the result is: Windows XP is working!!! (with a 60 s delay for authentication).

     

    nps config:

    Client configuration:
    ---------------------------------------------------------
    Name                = Cat12  (C2950 !!!!)
    Address             = 192.168.11.12
    State               = Enabled
    Shared secret       =
    Require auth attrib = No
    NAP capable         = No
    Vendor              = RADIUS Standard

    Client configuration:
    ---------------------------------------------------------
    Name                = lisa.faf.cuni.cz
    Address             = 192.168.16.10
    State               = Enabled
    Shared secret       =
    Require auth attrib = No
    NAP capable         = No
    Vendor              = RADIUS Standard

    Client configuration:
    ---------------------------------------------------------
    Name                = radius1.hknet.cz
    Address             = radius1.hknet.cz
    State               = Enabled
    Shared secret       =
    Require auth attrib = Yes
    NAP capable         = No
    Vendor              = RADIUS Standard

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = Use Windows authentication for all users
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"

    Connection request policy configuration:
    ---------------------------------------------------------
    Name             = NAP 802.1X (Wired)
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^15$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Auth-Provider-Type                      0x1025      "0x1"
    EAP-Configuration                       0x1fa2      "19000000000000000000000000000000380000000200000038000000020000001400000005238B1F487C4CF94972BBA2710DE1ECEE9B30E10100000001000000100000001A00000000000000"
    NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5"
    Override-RAP-Auth                       0x1fb0      "TRUE"

    Event log configuration:
    ---------------------------------------------------------
    Accepted authentication requests = Enabled
    Rejected authentication requests = Enabled

    File log configuration:
    ---------------------------------------------------------
    Accounting                     = Disabled
    Authentication                 = Enabled
    Periodic accounting status     = Disabled
    Periodic authentication status = Disabled
    Directory                      = C:\Windows\system32\LogFiles
    Format                         = ODBC formatting
    Delete old logs                = Enabled
    Frequency                      = Monthly logs
    Max size                       = 10 MB

    Ports configuration:
    ---------------------------------------------------------
    Accounting ports     = 1813,1646
    Authentication ports = 1812,1645

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to other access servers
    State            = Enabled
    Processing order = 9
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1006      "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Authentication-Type                  0x1009      "0x3" "0x4" "0x9" "0xa"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Connections to Microsoft Routing and Remote Access server
    State            = Enabled
    Processing order = 8
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1033      "^311$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    NP-Allow-Dial-in                        0x100f      "FALSE"
    NP-Allowed-EAP-Type                     0x100a      "0D000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa" "0x3" "0x9"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    MS-Filter                               0x102f     

     ===============================================================
     IPFILTER_IPV4INFILTER Action: DENY
     ---------------------------------------------------------------
     Address . . . . . : 0.0.0.0
     Mask. . . . . . . : 0.0.0.0
     Protocol. . . . . : 0
     Source Port . . . : 0
     Destination Port. : 0
     ---------------------------------------------------------------

    MS-MPPE-Encryption-Policy               0xffffffa7  "0x2"
    MS-MPPE-Encryption-Types                0xffffffa6  "0xe"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = NAP 802.1X (Wired) Non NAP-Capable
    State            = Disabled
    Processing order = 7
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbb      "^1$"
    Condition1                              0x3d        "^15$"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x7"
    MS-Quarantine-State                     0x1faf      "0x1"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "33"
    Tunnel-Type                             0x40        "0xd"
    Saved-Machine-HealthCheck-Only          0x1fdc      "0x0"
    Tunnel-Tag                              0x104a      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Non-domain (Wired) Compliant
    State            = Enabled
    Processing order = 5
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP 802.1X (Wired) Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "34"
    Tunnel-Type                             0x40        "0xd"
    Tunnel-Tag                              0x104a      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Non-domain (Wired) Noncompliant
    State            = Enabled
    Processing order = 6
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP 802.1X (Wired) Noncompliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "33"
    Tunnel-Type                             0x40        "0xd"
    Tunnel-Tag                              0x104a      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Domain (Wired) Compliant
    State            = Enabled
    Processing order = 3
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fb4      "S-1-5-21-2141392567-1894731518-2036863733-515"
    Condition1                              0x1fbd      "NAP 802.1X (Wired) Compliant"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "32"
    Tunnel-Type                             0x40        "0xd"
    Tunnel-Tag                              0x104a      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = Domain (Wired) Noncompliant
    State            = Enabled
    Processing order = 4
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x1fbd      "NAP 802.1X (Wired) Noncompliant"
    Condition1                              0x1fb4      "S-1-5-21-2141392567-1894731518-2036863733-515"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"
    Tunnel-Medium-Type                      0x41        "0x6"
    Tunnel-Pvt-Group-ID                     0x51        "33"
    Tunnel-Type                             0x40        "0xd"
    Tunnel-Tag                              0x104a      "0x1"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = VPN Users Policy
    State            = Enabled
    Processing order = 1
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^5$"
    Condition1                              0x1023      "S-1-5-21-2141392567-1894731518-2036863733-434183"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Ignore-User-Dialin-Properties           0x1005      "TRUE"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Authentication-Type                  0x1009      "0x3" "0x9" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Framed-Protocol                         0x7         "0x1"
    Service-Type                            0x6         "0x2"

    Network policy configuration:
    ---------------------------------------------------------
    Name             = WiFi Users Policy - GTE CA
    State            = Enabled
    Processing order = 2
    Policy source    = 0

    Condition attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    Condition0                              0x3d        "^19$|^18$"
    Condition1                              0x1023      "S-1-5-21-2141392567-1894731518-2036863733-513"

    Profile attributes:

    Name                                    Id          Value
    ---------------------------------------------------------
    EAP-Configuration                       0x1fa2      "190000000000000000000000000000005C020000020000005C020000000000001400000005238B1F487C4CF94972BBA2710DE1ECEE9B30E10100000001000000340200001A000000000000000200000004000000020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    NP-Allow-Dial-in                        0x100f      "TRUE"
    NP-Allowed-EAP-Type                     0x100a      "19000000000000000000000000000000"
    NP-Authentication-Type                  0x1009      "0x5" "0x4" "0xa"
    MS-Quarantine-State                     0x1faf      "0x0"
    Quarantine-Update-Non-Compliant         0x1fc8      "TRUE"
    Service-Type                            0x6         "0x2"

    Server registration:
    ---------------------------------------------------------
    Status = Registered

    SHV configuration:
    ---------------------------------------------------------
    Id                             = 79744
    Name                           = Windows Security Health Validator
     
    Vendor                         = Microsoft Corporation
     
    Description                    = The Windows Security Health Validator defines the policy that client computers must be compliant with.
     
    Version                        = 1.0
     
    Policy server unreachable      = Noncompliant
    Remediation server unreachable = Noncompliant
    System Health Agent failure    = Noncompliant
    NAP server failure             = Noncompliant
    Other errors                   = Noncompliant

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP 802.1X (Wired) Compliant
    Configuration = All must pass
    Id            = 79744

    Health policy configuration:
    ---------------------------------------------------------
    Name          = NAP 802.1X (Wired) Noncompliant
    Configuration = One or more must fail
    Id            = 79744

    SQL log configuration:
    ---------------------------------------------------------
    Connection                     = 
    Description                    = 
    Accounting                     = Enabled
    Authentication                 = Enabled
    Periodic accounting status     = Enabled
    Periodic authentication status = Enabled
    Max sessions                   = 2

    Ok.

     

     

    Thanks,

    Ladislav

     

    Wednesday, April 23, 2008 6:31 AM
  • Hi,

    I have another question - if I remove the auth-fail VLAN from the Cisco config, other clients (clients without an OS, e.g. a PXE-booting PC) on this port do not fall back to VLAN 33.

    Is this possible via NPS server configuration, without configuring auth-fail in Cisco IOS?

     

    Thanks,

    L.

    Wednesday, April 23, 2008 8:50 AM
  • Hi,

     

    I'm glad to hear it is working - I thought you were already using Vista SP1, but apparently not.

     

    I am guessing that you also removed the "switchport access vlan 33" port setting - true? This would automatically place all clients on VLAN 33 until they authenticate.

     

    To answer your question: With 802.1X, the user or machine must authenticate either to RADIUS or some other user database. This authentication doesn't happen until AFTER the user enters credentials in the dialog box (user name, password, and domain). This means that unauthenticated users are not processed at all by NPS, so you can't set up a policy for this. You must use the switch settings to handle computers that do not authenticate.

    You might be able to configure a policy to handle users that enter incorrect credentials, but I don't think this is what you want and it may not be possible.

    **Note that if your auth-fail VLAN is the same VLAN as the default VLAN for the port (switchport access VLAN 33), then the auth-fail setting is redundant because clients will already be on this VLAN.

    What I think you need to do is troubleshoot why clients on VLAN 33 are not able to get an IP address and move to the correct VLAN after they enter user/domain credentials. I would check your DHCP settings on VLAN 33 and perhaps see if the switch is doing some kind of port blocking.

    -Greg

    Wednesday, April 23, 2008 5:25 PM
  • Hi,

    On the NAP-configured port FE0/47, when I power on the PC and press F12 (boot via the PXE protocol), the port status is notconnect:

    FastEthernet0/47 is up, line protocol is down (notconnect)
      Hardware is Fast Ethernet, address is 001c.0f9a.562f (bia 001c.0f9a.562f)
      Description: 247 UVT 726
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      input flow-control is off, output flow-control is unsupported

    Port      Name               Status       Vlan       Duplex  Speed Type
    Fa0/47    247 UVT 726        notconnect   33         a-full  a-100 10/100BaseTX

    In this port status it is not possible to lease an IP via DHCP, only to send/receive EAP frames.

    Sending Wake On LAN packets from VLAN 33 to this PC does not work.

    DHCP server settings are correct.

    Thanks,

    L.

    Thursday, April 24, 2008 5:31 AM
  • Hi,

    I'm not familiar with configuring DHCP for auth-failed clients, but you might try enabling "dot1x guest-vlan" on the port. I will continue to research and see what I can find.

    -Greg

    Friday, April 25, 2008 10:30 PM
  • Hi Greg,

    Many thanks for your help and patience. I have now found the famous URL:

    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_37_se/configuration/guide/sw8021x.html

    and am trying some scenarios.

    After 29.4.2008 I will try the final version of Windows XP SP3.

    Nice weekend,

    L.

    Saturday, April 26, 2008 4:08 AM
  • Hi Greg,

    The guest VLAN and the final version of SP3 for Windows XP are the solution for this problem.

    My config now:

    interface FastEthernet0/47
     switchport access vlan 33
     switchport mode access
     dot1x pae authenticator
     dot1x port-control auto
     dot1x timeout quiet-period 5
     dot1x timeout reauth-period 180
     dot1x timeout tx-period 10
     dot1x guest-vlan 33
     spanning-tree portfast

    VLAN 33 is the non-compliant VLAN.

    Many thanks for your help,

    L.

    Tuesday, April 29, 2008 7:18 AM
  • Hi,

    I'm glad this is working now. One thing to point out is that the guest VLAN, default VLAN, and noncompliant VLAN should not all be the same for security reasons. This will allow guests to access your corporate noncompliant PCs and other resources.

    -Greg

    Tuesday, April 29, 2008 9:27 AM
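    Added example, not from this thread or from either poster: a Python checker for the overlap Greg describes, run against the FastEthernet0/47 block posted above. It parses each interface block for the access, guest and (as an assumption, since the posted config has none) dot1x auth-fail VLAN ids, adds the NAP noncompliant VLAN that NPS assigns (33 in this thread), and reports any VLAN carrying more than one of those roles.

```python
import re

# Constructed sample: the interface block posted above, where VLAN 33 is
# both the default access VLAN and the dot1x guest VLAN.
SAMPLE_CONFIG = """
interface FastEthernet0/47
 switchport access vlan 33
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x guest-vlan 33
 spanning-tree portfast
"""

# Port-level VLAN roles; dot1x auth-fail vlan is included as an assumption.
VLAN_ROLES = {
    "access": re.compile(r"^\s*switchport access vlan (\d+)$"),
    "guest": re.compile(r"^\s*dot1x guest-vlan (\d+)$"),
    "auth_fail": re.compile(r"^\s*dot1x auth-fail vlan (\d+)$"),
}

def parse_interfaces(config):
    """Return {interface: {role: vlan_id}} for every interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^interface (\S+)$", line)
        if head:
            current = head.group(1)
            interfaces[current] = {}
        elif current is None or not line.startswith(" "):
            current = None  # a non-indented line ends the block
        else:
            for role, pattern in VLAN_ROLES.items():
                m = pattern.match(line)
                if m:
                    interfaces[current][role] = int(m.group(1))
    return interfaces

def vlan_collisions(config, noncompliant_vlan):
    """Per interface, map VLAN ids that carry more than one role to those roles.
    The NAP noncompliant VLAN (assigned by NPS) is added as a role so that a
    guest or default VLAN equal to it is reported too."""
    report = {}
    for name, roles in parse_interfaces(config).items():
        by_vlan = {}
        for role, vid in dict(roles, noncompliant=noncompliant_vlan).items():
            by_vlan.setdefault(vid, []).append(role)
        report[name] = {v: sorted(r) for v, r in by_vlan.items() if len(r) > 1}
    return report
```

    Running vlan_collisions(SAMPLE_CONFIG, 33) flags VLAN 33 as access, guest and noncompliant at once; a port whose guest VLAN and noncompliant VLAN both differ from its access VLAN returns an empty map.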
  • Hi,

    I understand this, and maybe I am searching for an impossible, nonexistent solution (with good security aspects).

    I have about 1000 Cisco ports and I am searching for a global solution: the same configuration for all ports. Users are corporate (all in the Windows domain), and others: corporate standalone PCs, notebooks and guest notebooks.

    I use Wake On LAN and I have planned an implementation of SCCM 2007 (installation of new PCs via PXE).

    Now my noncompliant VLAN sees only DHCP, non-domain DNS, Windows Update and AV base updates. All is working, but the OS writes 2 errors in the event log before authenticating correctly.

    L.

    Tuesday, April 29, 2008 10:38 AM