802.1x authentication failed

  • General discussion

  •  


    Hi Guys,

    I set up a testing 802.1x wired environment, but when I plugged the PC into the switch, after typing the username and password, I always got the following error:

     

        EAPType -
        AccountSessionIdentifier -
        ReasonCode 23
        Reason An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
        LoggingResult Accounting information was written to the local log file.

     

    As I can see the PC got the certificate from CA and from the switch, I can test the aaa function successfully. Any ideas pls? :)

     

    cheers

    Jim 

     

    System Updates:

    server: win 2008 R2

    PC: win XP sp2

    • Changed type Miles Zhang Monday, March 29, 2010 2:08 AM
    Thursday, March 25, 2010 1:12 AM

All replies

  • Hi,

    Please open the %windir%\System32\Logfiles folder and send the relevant log files for analysis.

    You could send the files to me directly at tfwst@microsoft.com

     

    Thanks,

     

    Miles

     

    Friday, March 26, 2010 10:02 AM
  • Hi,

    I need to set up a RADIUS server (the RADIUS server resides on the DC server and it’s Windows Server 2008 R2) for user authentication through wireless access points.

    Surfing the web, I found a useful post about setting up a RADIUS server as in my case. You can find the links to the posts below:

    Part 1) http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html

    Part 2) http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part2.html

    What I did is exactly what you can see in the posts:

    1. I created a certificate under the path “Personal” → “Certificates” on the DC server;
    2. I added an NPS server and, using the wizard, I configured it for Wireless Connections; in the authentication pane I selected “Microsoft Protected EAP (PEAP)” and configured it to use the certificate I created earlier in step 1;
    3. I set up the access point in this way:
      1. Security mode: WPA2-Enterprise;
      2. Radius Server: the IP address of the NAP server (in my case 10.254.92.10);
      3. Radius Port: 1812;
      4. Encryption: AES;
      5. Shared secret: the same as the relative RADIUS client on the NAP server.
    4. Finally, on the client computer I installed the certificate I created earlier, and configured the wireless connection in this way:
      1. Network authentication: WPA2 (the post talks about setting it to “WPA2-Enterprise”, but in Windows XP SP3 there isn’t any WPA2-Enterprise, just WPA2);
      2. Encryption: AES;
      3. Authentication: PEAP, and in the settings tab of PEAP I selected the certificate I installed earlier.

    Here is some information about the network and the client computer model:

    1. DC = NAP = 10.254.92.10 (vsi08r2). Windows Server 2008 R2
    2. Domain name = vsisrv2k;
    3. AP ip address = 10.254.92.38;
    4. AP model = Linksys WAP200;
    5. Client radius name = vs-open;
    6. Client radius ip = 10.254.92.38.
    7. Client Computer = Windows XP sp3.

     

     

    When I try to connect through the AP from the client (after typing user & password), on the NAP server I always receive the following logs:

     

    <Event>

      <Timestamp data_type="4">04/20/2012 08:22:28.352</Timestamp>

      <Computer-Name data_type="1">VSI08R2</Computer-Name>

      <Event-Source data_type="1">IAS</Event-Source>

      <Class data_type="1">311 1 10.254.92.10 04/20/2012 05:45:08 5</Class>

      <Session-Timeout data_type="0">30</Session-Timeout>

      <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

      <Client-IP-Address data_type="3">10.254.92.38</Client-IP-Address>

      <Client-Vendor data_type="0">0</Client-Vendor>

      <Client-Friendly-Name data_type="1">VSI-open</Client-Friendly-Name>

      <Proxy-Policy-Name data_type="1">Connessioni wireless sicure</Proxy-Policy-Name>

      <Provider-Type data_type="0">1</Provider-Type>

      <SAM-Account-Name data_type="1">VSISRV2K\bertig</SAM-Account-Name>

      <Fully-Qualifed-User-Name data_type="1">VSISRV2K\bertig</Fully-Qualifed-User-Name>

      <Authentication-Type data_type="0">5</Authentication-Type>

      <NP-Policy-Name data_type="1">Connessioni wireless sicure</NP-Policy-Name>

      <Packet-Type data_type="0">11</Packet-Type>

      <Reason-Code data_type="0">0</Reason-Code>

    </Event>

    <Event>

      <Timestamp data_type="4">04/20/2012 08:22:28.446</Timestamp>

      <Computer-Name data_type="1">VSI08R2</Computer-Name>

      <Event-Source data_type="1">IAS</Event-Source>

      <NAS-IP-Address data_type="3">10.254.92.38</NAS-IP-Address>

      <NAS-Port data_type="0">0</NAS-Port>

      <Called-Station-Id data_type="1">00-21-29-71-63-40</Called-Station-Id>

      <Calling-Station-Id data_type="1">00-13-02-97-06-8D</Calling-Station-Id>

      <Framed-MTU data_type="0">1400</Framed-MTU>

      <NAS-Port-Type data_type="0">19</NAS-Port-Type>

      <Connect-Info data_type="1">CONNECT 11Mbps 802.11b</Connect-Info>

      <Client-IP-Address data_type="3">10.254.92.38</Client-IP-Address>

      <Client-Vendor data_type="0">0</Client-Vendor>

      <Client-Friendly-Name data_type="1">VSI-open</Client-Friendly-Name>

      <User-Name data_type="1">VSISRV2K\bertig</User-Name>

      <Proxy-Policy-Name data_type="1">Connessioni wireless sicure</Proxy-Policy-Name>

      <Provider-Type data_type="0">1</Provider-Type>

      <SAM-Account-Name data_type="1">VSISRV2K\bertig</SAM-Account-Name>

      <Fully-Qualifed-User-Name data_type="1">VSISRV2K\bertig</Fully-Qualifed-User-Name>

      <Class data_type="1">311 1 10.254.92.10 04/20/2012 05:45:08 6</Class>

      <Authentication-Type data_type="0">5</Authentication-Type>

      <NP-Policy-Name data_type="1">Connessioni wireless sicure</NP-Policy-Name>

      <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

      <Packet-Type data_type="0">1</Packet-Type>

      <Reason-Code data_type="0">0</Reason-Code>

    </Event>

    <Event>

      <Timestamp data_type="4">04/20/2012 08:22:28.446</Timestamp>

      <Computer-Name data_type="1">VSI08R2</Computer-Name>

      <Event-Source data_type="1">IAS</Event-Source>

      <Class data_type="1">311 1 10.254.92.10 04/20/2012 05:45:08 6</Class>

      <Session-Timeout data_type="0">30</Session-Timeout>

      <Client-IP-Address data_type="3">10.254.92.38</Client-IP-Address>

      <Client-Vendor data_type="0">0</Client-Vendor>

      <Client-Friendly-Name data_type="1">VSI-open</Client-Friendly-Name>

      <Proxy-Policy-Name data_type="1">Connessioni wireless sicure</Proxy-Policy-Name>

      <Provider-Type data_type="0">1</Provider-Type>

      <SAM-Account-Name data_type="1">VSISRV2K\bertig</SAM-Account-Name>

      <Fully-Qualifed-User-Name data_type="1">VSISRV2K\bertig</Fully-Qualifed-User-Name>

      <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

      <Authentication-Type data_type="0">5</Authentication-Type>

      <NP-Policy-Name data_type="1">Connessioni wireless sicure</NP-Policy-Name>

      <Packet-Type data_type="0">11</Packet-Type>

      <Reason-Code data_type="0">0</Reason-Code>

    </Event>

    <Event>

      <Timestamp data_type="4">04/20/2012 08:22:28.477</Timestamp>

      <Computer-Name data_type="1">VSI08R2</Computer-Name>

      <Event-Source data_type="1">IAS</Event-Source>

      <NAS-IP-Address data_type="3">10.254.92.38</NAS-IP-Address>

      <NAS-Port data_type="0">0</NAS-Port>

      <Called-Station-Id data_type="1">00-21-29-71-63-40</Called-Station-Id>

      <Calling-Station-Id data_type="1">00-13-02-97-06-8D</Calling-Station-Id>

      <Framed-MTU data_type="0">1400</Framed-MTU>

      <NAS-Port-Type data_type="0">19</NAS-Port-Type>

      <Connect-Info data_type="1">CONNECT 11Mbps 802.11b</Connect-Info>

      <Client-IP-Address data_type="3">10.254.92.38</Client-IP-Address>

      <Client-Vendor data_type="0">0</Client-Vendor>

      <Client-Friendly-Name data_type="1">VSI-open</Client-Friendly-Name>

      <User-Name data_type="1">VSISRV2K\bertig</User-Name>

      <Proxy-Policy-Name data_type="1">Connessioni wireless sicure</Proxy-Policy-Name>

      <Provider-Type data_type="0">1</Provider-Type>

      <SAM-Account-Name data_type="1">VSISRV2K\bertig</SAM-Account-Name>

      <Fully-Qualifed-User-Name data_type="1">VSISRV2K\bertig</Fully-Qualifed-User-Name>

      <Class data_type="1">311 1 10.254.92.10 04/20/2012 05:45:08 7</Class>

      <Authentication-Type data_type="0">5</Authentication-Type>

      <NP-Policy-Name data_type="1">Connessioni wireless sicure</NP-Policy-Name>

      <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

      <Packet-Type data_type="0">1</Packet-Type>

      <Reason-Code data_type="0">0</Reason-Code>

    </Event>

    <Event>

      <Timestamp data_type="4">04/20/2012 08:22:28.477</Timestamp>

      <Computer-Name data_type="1">VSI08R2</Computer-Name>

      <Event-Source data_type="1">IAS</Event-Source>

      <Class data_type="1">311 1 10.254.92.10 04/20/2012 05:45:08 7</Class>

      <Session-Timeout data_type="0">30</Session-Timeout>

      <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

      <Client-IP-Address data_type="3">10.254.92.38</Client-IP-Address>

      <Client-Vendor data_type="0">0</Client-Vendor>

      <Client-Friendly-Name data_type="1">VSI-open</Client-Friendly-Name>

      <Proxy-Policy-Name data_type="1">Connessioni wireless sicure</Proxy-Policy-Name>

      <Provider-Type data_type="0">1</Provider-Type>

      <SAM-Account-Name data_type="1">VSISRV2K\bertig</SAM-Account-Name>

      <Fully-Qualifed-User-Name data_type="1">VSISRV2K\bertig</Fully-Qualifed-User-Name>

      <Authentication-Type data_type="0">5</Authentication-Type>

      <NP-Policy-Name data_type="1">Connessioni wireless sicure</NP-Policy-Name>

      <Packet-Type data_type="0">11</Packet-Type>

      <Reason-Code data_type="0">0</Reason-Code>

    </Event>

    <Event>

      <Timestamp data_type="4">04/20/2012 08:22:28.493</Timestamp>

      <Computer-Name data_type="1">VSI08R2</Computer-Name>

      <Event-Source data_type="1">IAS</Event-Source>

      <NAS-IP-Address data_type="3">10.254.92.38</NAS-IP-Address>

      <NAS-Port data_type="0">0</NAS-Port>

      <Called-Station-Id data_type="1">00-21-29-71-63-40</Called-Station-Id>

      <Calling-Station-Id data_type="1">00-13-02-97-06-8D</Calling-Station-Id>

      <Framed-MTU data_type="0">1400</Framed-MTU>

      <NAS-Port-Type data_type="0">19</NAS-Port-Type>

      <Connect-Info data_type="1">CONNECT 11Mbps 802.11b</Connect-Info>

      <Client-IP-Address data_type="3">10.254.92.38</Client-IP-Address>

      <Client-Vendor data_type="0">0</Client-Vendor>

      <Client-Friendly-Name data_type="1">VSI-open</Client-Friendly-Name>

      <User-Name data_type="1">VSISRV2K\bertig</User-Name>

      <Proxy-Policy-Name data_type="1">Connessioni wireless sicure</Proxy-Policy-Name>

      <Provider-Type data_type="0">1</Provider-Type>

      <SAM-Account-Name data_type="1">VSISRV2K\bertig</SAM-Account-Name>

      <Fully-Qualifed-User-Name data_type="1">VSISRV2K\bertig</Fully-Qualifed-User-Name>

      <Class data_type="1">311 1 10.254.92.10 04/20/2012 05:45:08 8</Class>

      <NP-Policy-Name data_type="1">Connessioni wireless sicure</NP-Policy-Name>

      <Authentication-Type data_type="0">11</Authentication-Type>

      <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

      <Packet-Type data_type="0">1</Packet-Type>

      <Reason-Code data_type="0">0</Reason-Code>

    </Event>

    <Event>

      <Timestamp data_type="4">04/20/2012 08:22:28.493</Timestamp>

      <Computer-Name data_type="1">VSI08R2</Computer-Name>

      <Event-Source data_type="1">IAS</Event-Source>

      <Class data_type="1">311 1 10.254.92.10 04/20/2012 05:45:08 8</Class>

      <Authentication-Type data_type="0">11</Authentication-Type>

      <Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant>

      <Client-IP-Address data_type="3">10.254.92.38</Client-IP-Address>

      <Client-Vendor data_type="0">0</Client-Vendor>

      <Client-Friendly-Name data_type="1">VSI-open</Client-Friendly-Name>

      <Proxy-Policy-Name data_type="1">Connessioni wireless sicure</Proxy-Policy-Name>

      <Provider-Type data_type="0">1</Provider-Type>

      <SAM-Account-Name data_type="1">VSISRV2K\bertig</SAM-Account-Name>

      <Fully-Qualifed-User-Name data_type="1">VSISRV2K\bertig</Fully-Qualifed-User-Name>

      <NP-Policy-Name data_type="1">Connessioni wireless sicure</NP-Policy-Name>

      <Packet-Type data_type="0">3</Packet-Type>

      <Reason-Code data_type="0">23</Reason-Code>

    </Event>

     

    Do you have any ideas about the problem? What’s wrong in what I’m doing?

    If you have any requests about other configuration useful for solving the problem, please let me know.

    Really hope you’ll be able to help me.

     

    Thanks,

    Gianluca

    Friday, April 20, 2012 8:22 AM
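
Added example, not part of the original thread: a small parser for NPS logs in the XML format posted above. It pairs each Access-Reject (Packet-Type 3) with the Access-Request (Packet-Type 1) that shares its Class value, as request and response do in the posted log, so the reject can be tied to a user and a Calling-Station-Id. The function names and the sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ACCESS_REQUEST, ACCESS_REJECT = 1, 3  # RADIUS codes (RFC 2865) logged in Packet-Type
AUTH = {5: "EAP", 11: "PEAP"}  # NPS Authentication-Type values seen in the posted log

# Constructed sample in the format of the posted log (made-up user, MAC and addresses).
SAMPLE_LOG = r"""
<Event><Timestamp data_type="4">01/02/2020 10:00:00.100</Timestamp>
  <Calling-Station-Id data_type="1">02-00-00-00-00-01</Calling-Station-Id><User-Name data_type="1">EXAMPLE\alice</User-Name>
  <Class data_type="1">311 1 192.0.2.10 01/02/2020 09:00:00 1</Class><Authentication-Type data_type="0">5</Authentication-Type>
  <Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/02/2020 10:00:00.100</Timestamp>
  <Class data_type="1">311 1 192.0.2.10 01/02/2020 09:00:00 1</Class><Authentication-Type data_type="0">5</Authentication-Type>
  <Packet-Type data_type="0">11</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/02/2020 10:00:00.200</Timestamp>
  <Calling-Station-Id data_type="1">02-00-00-00-00-01</Calling-Station-Id><User-Name data_type="1">EXAMPLE\alice</User-Name>
  <Class data_type="1">311 1 192.0.2.10 01/02/2020 09:00:00 2</Class><Authentication-Type data_type="0">11</Authentication-Type>
  <Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/02/2020 10:00:00.200</Timestamp>
  <Class data_type="1">311 1 192.0.2.10 01/02/2020 09:00:00 2</Class><Authentication-Type data_type="0">11</Authentication-Type>
  <Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">23</Reason-Code></Event>
"""

def parse_events(text):
    # The log is a run of <Event> elements with no root element, so wrap it before parsing.
    root = ET.fromstring("<Log>" + text + "</Log>")
    return [{c.tag: (c.text or "").strip() for c in ev} for ev in root.iter("Event")]

def find_rejects(events):
    """Pair each Access-Reject with the Access-Request that carries the same Class value."""
    requests, rejects = {}, []
    for ev in events:
        ptype = int(ev.get("Packet-Type", -1))
        if ptype == ACCESS_REQUEST:
            requests[ev.get("Class")] = ev
        elif ptype == ACCESS_REJECT:
            req = requests.get(ev.get("Class"), {})  # empty if the request was not logged
            auth = int(ev.get("Authentication-Type", -1))
            rejects.append({"time": ev.get("Timestamp"), "reason": int(ev.get("Reason-Code", -1)),
                            "auth": AUTH.get(auth, str(auth)),
                            "user": req.get("User-Name"), "station": req.get("Calling-Station-Id")})
    return rejects

if __name__ == "__main__":
    for reject in find_rejects(parse_events(SAMPLE_LOG)):
        print(reject)
```

In the sample, as in the posted log, the reject with Reason-Code 23 arrives only after Authentication-Type has changed from 5 to 11.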
  • Are you sure the client PC has already gotten its own certificate from your CA server?

    Rudolf



    Thursday, July 5, 2012 5:54 AM