IAS PEAP-MSChapv2 with AD for 802.1x radius authentication with Microsoft Server 2003

  • Question

  • I have been trying to set up IAS with Active Directory (AD) for RADIUS authentication for a wireless access point using PEAP-MSChapv2. I also have a local standalone CA.

    It works like a charm.
    However, I cannot force a password change on my clients; as soon as I tick the account to change password at next logon, it fails to authenticate.

    Debugging efforts:

    I did some sniffing on my client and I saw that the failure packet had the error code E=648 but R=0 and V=3.0.

    Based on the IETF draft by MSFT, draft-kamath-pppext-eap-mschapv2-01.txt,
    I figured the issue is that the authentication retry bit is set to zero. How can I change the configuration of my IAS so that this R>0?

    I have edited my wireless policy (authentication methods, PEAP, MSChapv2) to "allow client to change password" and "authentication retries = 50".

    However, I still get R=0 on the client. Is there a way to get around it?


    Thursday, July 30, 2009 5:04 PM

All replies

  • Hi,

    We have tested this scenario and it should be working. If you can provide me the following details, I can debug the issue for you.

    1. Client OS you are using.
    2. Server OS (on which the IAS server runs) you are using.


    Can you share the trace files? Please follow the steps below to collect the trace files:

    1. Open a command prompt and run "netsh ras set tr * en".
    2. Do the testing with the account that has "change password at next logon" set.
    3. Copy the trace files from c:\windows\tracing\.

    You can use skydrive.live.com to upload the files and share them with me.

    Thanks,
    Srinivasulu.
    Thursday, July 30, 2009 6:08 PM
  • Whom do I share the folder with? I mean, which email address?

    Meanwhile, here is some more info:
    Client OS: WinXP and Mac OS Leopard (tried both)
    Server OS: Windows Server 2003 Enterprise Edition

    Some interesting logs from RASCHAP.log:

    [2572] 07-30 11:51:12:059: Result=648,Tries=50
    [2572] 07-30 11:51:12:059: CS_Done...
    04 CE 00 34 45 3D 36 34 38 20 52 3D 30 20 43 3D |...4E=648 R=0 C=|
    36 33 38 32 46 39 32 34 37 37 42 43 33 33 43 33 |6382F92477BC33C3|
    42 30 36 35 45 34 42 36 46 43 32 39 31 36 36 37 |B065E4B6FC291667|
    20 56 3D 33 00 00 00 00 00 00 00 00 00 00 00 00 | V=3............|
    [3128] 07-30 11:51:23:340: EapMSChapv2MakeMessage
    [3128] 07-30 11:51:23:340: EapMSChapv2SMakeMessage
    [3128] 07-30 11:51:23:340: EMV2_RequestSend


    E=648 (Password Expired). Even though Tries=50, why is R=0 (Retry Bit) when sending the packet?


    Based on the IETF Draft http://www.drizzle.com/~aboba/EAP/draft-kamath-pppext-eap-mschapv2-01.txt:
    The "r" is a single character ASCII flag set to '1' if a retry is allowed, and '0' if not. Typically, errors 646, 647, and 649 are
    non-retryable (R=0). When the authenticator sets this flag to '1' it
    disables short timeouts, expecting the peer to prompt the user for
    new credentials and resubmit the response.

    RASCHAP.log full logs
    ======================================
    [2572] 07-30 11:50:57:699: GetInfoFromChangePw3...
    [2572] 07-30 11:50:57:699: GetInfoFromChangePw3 done(0)
    [3128] 07-30 11:51:12:043: EapChapBeginMSChapV2
    [3128] 07-30 11:51:12:043: ReadConnectionData
    [3128] 07-30 11:51:12:043: EapChapBeginCommon
    [3128] 07-30 11:51:12:043: ChapBegin(fS=1,bA=0x81)
    [3128] 07-30 11:51:12:043: ChapBegin done.
    [3128] 07-30 11:51:12:043: EapMSChapv2MakeMessage
    [3128] 07-30 11:51:12:043: EapMSChapv2SMakeMessage
    [3128] 07-30 11:51:12:043: EMV2_Initial
    [3128] 07-30 11:51:12:043: ChapMakeMessage,RBuf=00000000
    [3128] 07-30 11:51:12:043: CS_Initial...
    [3128] 07-30 11:51:12:043: MakeChallengeMessage...
    01 CE 00 24 10 0C 13 E7 90 61 C5 2B 7B ED 63 6E |...$.....a.+{.cn|
    F7 98 66 F5 94 4B 49 52 41 4E 2D 30 57 45 36 43 |..f..KIRAN-0WE6C|
    4A 43 39 55 00 00 00 00 00 00 00 00 00 00 00 00 |JC9U............|
    [2572] 07-30 11:51:12:059: EapMSChapv2MakeMessage
    [2572] 07-30 11:51:12:059: EapMSChapv2SMakeMessage
    [2572] 07-30 11:51:12:059: EMV2_RequestSend
    [2572] 07-30 11:51:12:059: ChapMakeMessage,RBuf=00DCFAA1
    [2572] 07-30 11:51:12:059: CS_ChallengeSent...
    [2572] 07-30 11:51:12:059: no change password attribute
    [2572] 07-30 11:51:12:059: Authenticate User
    [2572] 07-30 11:51:12:059: ChapMakeMessage,RBuf=00DCFAA1
    [2572] 07-30 11:51:12:059: Result=648,Tries=50
    [2572] 07-30 11:51:12:059: CS_Done...
    04 CE 00 34 45 3D 36 34 38 20 52 3D 30 20 43 3D |...4E=648 R=0 C=|
    36 33 38 32 46 39 32 34 37 37 42 43 33 33 43 33 |6382F92477BC33C3|
    42 30 36 35 45 34 42 36 46 43 32 39 31 36 36 37 |B065E4B6FC291667|
    20 56 3D 33 00 00 00 00 00 00 00 00 00 00 00 00 | V=3............|
    [3128] 07-30 11:51:23:340: EapMSChapv2MakeMessage
    [3128] 07-30 11:51:23:340: EapMSChapv2SMakeMessage
    [3128] 07-30 11:51:23:340: EMV2_RequestSend
    [3128] 07-30 11:51:23:340: ChapMakeMessage,RBuf=00D0F89D
    [3128] 07-30 11:51:23:340: CS_ChangePw...
    [3128] 07-30 11:51:23:340: GetInfoFromChangePw3...
    [3128] 07-30 11:51:23:340: GetInfoFromChangePw3 done(0)

    ========================================
    Thursday, July 30, 2009 7:32 PM
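    As an added example (not code from the thread), a Python decoder for the MS-CHAPv2 Failure Request captured in the RASCHAP.log dump above: it reads the OpCode/ID/MS-Length header, slices off the trace-buffer padding, and parses the "E= R= C= V= M=" text so the retry flag and error code can be checked programmatically. The 64-byte buffer is rebuilt from the hex dump; the error-name table is from RFC 2759 section 6; class and function names are my own.

```python
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Rebuilt from the RASCHAP.log hex dump in the thread: a 64-byte trace buffer holding the
# MS-CHAPv2 Failure Request (OpCode 04, ID CE, MS-Length 0x0034 = 52) plus 12 bytes of padding.
TRACE_BUFFER = (bytes.fromhex("04CE0034")
                + b"E=648 R=0 C=6382F92477BC33C3B065E4B6FC291667 V=3" + bytes(12))

# Error codes defined for the MS-CHAPv2 Failure packet (RFC 2759, section 6).
ERROR_NAMES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD",
}

# Message layout: "E=eeeeeeeeee R=r C=cccccccccccccccccccccccccccccccc V=vvvvvvvvvv M=<msg>" (M optional).
FAILURE_RE = re.compile(
    r"^E=(?P<error>\d+) R=(?P<retry>[01]) C=(?P<challenge>[0-9A-Fa-f]{32})"
    r" V=(?P<version>\d+)(?: M=(?P<message>.*))?$"
)

@dataclass
class FailureRequest:
    ms_id: int
    error: int
    retry_allowed: bool
    challenge: bytes      # 16-byte authenticator challenge for the retry / change-password round
    version: int
    message: Optional[str]

    @property
    def error_name(self) -> str:
        return ERROR_NAMES.get(self.error, "UNKNOWN")

    def summary(self) -> str:
        retry = "retry allowed" if self.retry_allowed else "no retry"
        return f"E={self.error} ({self.error_name}) R={int(self.retry_allowed)} ({retry}) V={self.version}"

def parse_failure_request(buf: bytes) -> FailureRequest:
    """Decode an EAP-MSCHAPv2 Failure Request; bytes beyond MS-Length (trace padding) are ignored."""
    if len(buf) < 4:
        raise ValueError("truncated MS-CHAPv2 header")
    opcode, ms_id, ms_len = struct.unpack("!BBH", buf[:4])
    if opcode != 4:
        raise ValueError(f"OpCode {opcode} is not a Failure Request (4)")
    if ms_len < 4 or ms_len > len(buf):
        raise ValueError(f"MS-Length {ms_len} inconsistent with {len(buf)} bytes received")
    m = FAILURE_RE.match(buf[4:ms_len].decode("ascii"))
    if m is None:
        raise ValueError("malformed failure message text")
    return FailureRequest(ms_id, int(m["error"]), m["retry"] == "1",
                          bytes.fromhex(m["challenge"]), int(m["version"]), m["message"])
```

    For the packet in the thread, summary() reads "E=648 (ERROR_PASSWD_EXPIRED) R=0 (no retry) V=3", which is exactly the combination the poster is asking about.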
  • Can you share it with me? --- psrinivasulu (at) msn (dot) com.

    Thanks,
    Srinivasulu.
    Saturday, August 1, 2009 12:54 AM
  • I have uploaded the log files from when I tried using Windows XP and Mac OS clients to SkyDrive and shared the folder with you.

    With Windows, I do get the dialogue to change the password. I have created 13-character complex passwords, etc.; they never work, and Windows starts the whole EAP process again by asking me again for username and password. It tries 3 times before giving up.

    Let me know if you need any other configuration logs, etc.

    Monday, August 3, 2009 5:07 PM
  • Hi Srinivasulu - Any updates on the logs I uploaded? Let me know if I can upload any type of configuration logs.
    Thanks.
    Thursday, August 6, 2009 10:58 PM
  • Hi KP,

    It's been a while since you asked about this. Are you still having the problem?

    If so, please tell me what events are logged on IAS when it refuses to authenticate a client that has entered the new password.

    Note: This isn't a NAP related question, but we may be able to provide some help.

    -Greg
    Saturday, August 22, 2009 6:28 PM
  • Hi Greg -
    I still have this problem.

    When I have my XP laptop connect to a Wi-Fi access point with AD and IAS on Windows Server 2003 using PEAP-MSCHAPv2, it prompts me to change my password. I created 13-character complex passwords, etc., but Windows kind of restarts the EAP process again by asking me to enter my login name and password again.

    But on the IAS side, when I enable logs, I see the following when the new password was prompted:
    "Authentication was not successful because an unknown user name or incorrect password was used"

    I used IASParse to parse the log file and here are the results:


    The line logged into the file: 10.0.1.1,tim@ws2003.local,08/14/2009,11:42:55,IAS,KIRAN-0WE6CJC9U,4,10.0.1.1,5,0,30,00-1B-63-2D-36-58:Mumbai,31,00-09-5B-66-E4-54,12,1400,61,19,77,CONNECT 0Mbps 802.11,4108,10.0.1.1,4116,0,4128,WiFi Express,4155,1,25,311 1 10.0.1.3 07/29/2009 18:42:52 2784,4127,11,4155,1,4130,ws2003.local/Users/tim,4129,WS2003\tim,4136,1,4142,0

     NAS-IP-Address      : 10.0.1.1
     User-Name           : tim@ws2003.local
     Record-Date         : 08/14/2009
     Record-Time         : 11:42:55
     Service-Name        : IAS
     Computer-Name       : KIRAN-0WE6CJC9U
     NAS-IP-Address      : 10.0.1.1
     NAS-Port            : 0
     Called-Station-Id   : 00-1B-63-2D-36-58:Mumbai
     Calling-Station-Id  : 00-09-5B-66-E4-54
     Framed-MTU          : 1400
     NAS-Port-Type       : Wireless - IEEE 802.11
     Connect-Info        : CONNECT 0Mbps 802.11
     Client-IP-Address   : 10.0.1.1
     Client-Vendor       : RADIUS Standard
     Client-Friendly-Name: WiFi Express
     Provider-Type       : Windows
     Class               : 311 1 10.0.1.3 07/29/2009 18:42:52 2784
     Authentication-Type : 11
     Provider-Type       : Windows
     Fully-Qualifed-User-Name: ws2003.local/Users/tim
     SAM-Account-Name    : WS2003\tim
     Packet-Type         : Access-Request
     Reason-Code         : The operation completed successfully.


    The line logged into the file: 10.0.1.1,tim@ws2003.local,08/14/2009,11:42:55,IAS,KIRAN-0WE6CJC9U,25,311 1 10.0.1.3 07/29/2009 18:42:52 2784,4127,11,4130,ws2003.local/Users/tim,4149,WiFi Policy,4129,WS2003\tim,4154,Use Windows authentication for all users,4155,1,4154,Use Windows authentication for all users,4155,1,4108,10.0.1.1,4116,0,4128,WiFi Express,4136,3,4142,16

     NAS-IP-Address      : 10.0.1.1
     User-Name           : tim@ws2003.local
     Record-Date         : 08/14/2009
     Record-Time         : 11:42:55
     Service-Name        : IAS
     Computer-Name       : KIRAN-0WE6CJC9U
     Class               : 311 1 10.0.1.3 07/29/2009 18:42:52 2784
     Authentication-Type : 11
     Fully-Qualifed-User-Name: ws2003.local/Users/tim
     NP-Policy-Name      : WiFi Policy
     SAM-Account-Name    : WS2003\tim
     Proxy-Policy-Name   : Use Windows authentication for all users
     Provider-Type       : Windows
     Proxy-Policy-Name   : Use Windows authentication for all users
     Provider-Type       : Windows
     Client-IP-Address   : 10.0.1.1
     Client-Vendor       : RADIUS Standard
     Client-Friendly-Name: WiFi Express
     Packet-Type         : Access-Reject
     Reason-Code         : Authentication was not successful because an unknown user
     name or incorrect password was used.

    I have sent complete trace logs to Srinivasulu. Let me know the email address if you want them too.
    Tuesday, August 25, 2009 8:46 PM
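    As an added example (not from the thread or from IASParse), a small Python parser for the IAS-format lines posted above: six fixed header fields followed by attribute-id/value pairs, with repeated attributes such as Provider-Type preserved in order, plus a helper that pulls out every Access-Reject with its policy and reason code. The attribute-id names are the ones IASParse printed in the post; the packet-type map is from the RADIUS codes; function names are my own.

```python
from typing import Dict, List, Tuple

# The two IAS-format log lines posted above, re-joined where the forum wrapped them.
LOG_LINES = [
    "10.0.1.1,tim@ws2003.local,08/14/2009,11:42:55,IAS,KIRAN-0WE6CJC9U,4,10.0.1.1,5,0,30,"
    "00-1B-63-2D-36-58:Mumbai,31,00-09-5B-66-E4-54,12,1400,61,19,77,CONNECT 0Mbps 802.11,"
    "4108,10.0.1.1,4116,0,4128,WiFi Express,4155,1,25,311 1 10.0.1.3 07/29/2009 18:42:52 2784,"
    "4127,11,4155,1,4130,ws2003.local/Users/tim,4129,WS2003\\tim,4136,1,4142,0",
    "10.0.1.1,tim@ws2003.local,08/14/2009,11:42:55,IAS,KIRAN-0WE6CJC9U,25,"
    "311 1 10.0.1.3 07/29/2009 18:42:52 2784,4127,11,4130,ws2003.local/Users/tim,4149,WiFi Policy,"
    "4129,WS2003\\tim,4154,Use Windows authentication for all users,4155,1,4154,"
    "Use Windows authentication for all users,4155,1,4108,10.0.1.1,4116,0,4128,WiFi Express,"
    "4136,3,4142,16",
]

# IAS format: six fixed header fields, then attribute-id,value pairs to the end of the line.
HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time", "Service-Name", "Computer-Name"]
ATTR_NAMES = {  # ids as decoded by IASParse in the thread
    4: "NAS-IP-Address", 5: "NAS-Port", 12: "Framed-MTU", 25: "Class", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 61: "NAS-Port-Type", 77: "Connect-Info", 4108: "Client-IP-Address",
    4116: "Client-Vendor", 4127: "Authentication-Type", 4128: "Client-Friendly-Name",
    4129: "SAM-Account-Name", 4130: "Fully-Qualified-User-Name", 4136: "Packet-Type",
    4142: "Reason-Code", 4149: "NP-Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}
REASON_TEXT = {"0": "The operation completed successfully.",
               "16": "Authentication was not successful because an unknown user name "
                     "or incorrect password was used."}

def parse_ias_line(line: str) -> Dict[str, List[str]]:
    """Decode one IAS record; repeated attributes (e.g. Provider-Type) keep every value in order."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("malformed IAS record: short header or unpaired attribute/value")
    rec: Dict[str, List[str]] = {}
    for name, value in zip(HEADER, fields[:6]):
        rec.setdefault(name, []).append(value)
    for attr_id, value in zip(fields[6::2], fields[7::2]):
        rec.setdefault(ATTR_NAMES.get(int(attr_id), f"Attr-{attr_id}"), []).append(value)
    return rec

def access_rejects(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(user, network policy, reason code, reason text) for every Access-Reject in the input."""
    found = []
    for rec in map(parse_ias_line, lines):
        if PACKET_TYPES.get(rec.get("Packet-Type", ["?"])[0]) != "Access-Reject":
            continue
        code = rec.get("Reason-Code", ["?"])[0]
        found.append((rec["User-Name"][0], rec.get("NP-Policy-Name", ["-"])[0],
                      code, REASON_TEXT.get(code, "unknown reason code")))
    return found
```

    Run over the two posted lines, access_rejects() returns only the second record: tim@ws2003.local rejected under "WiFi Policy" with reason code 16, the bad-username-or-password reason the poster quotes.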
  • Sorry, I lost this thread. I haven't got the logs. Can you send the URL to the uploaded logs? It looks like an issue with the auth component; I will send a note to the team members working on this module to see if they can help here.

    Thanks,

    Wednesday, August 26, 2009 5:55 PM

  • I have made the logs public so anyone can see them!

    https://cid-8b777d893bc6c6c2.skydrive.live.com/browse.aspx/WS2003-Logs
    Thursday, August 27, 2009 5:40 PM
  • Any updates, Srini/Greg?

    Tuesday, September 8, 2009 9:25 PM
  • Hi,

    This question is still not answered but has fallen off the first page of the forum so it may not be getting the attention needed.

    Please let me know if there is any further information about this issue. I will also try to summarize the current question and get an answer if possible, or move the question to another forum if it is not appropriate for the NAP forum.

    Greg Lindsay

    Friday, March 19, 2010 8:23 PM