Wired 802.1x Authentication (Server 2008)

  • Question

  • Hi Everybody,

    I've recently been testing out using Server 2008 as a RADIUS server to provide 802.1x authentication for workstations on my LAN; all clients are Vista Business with all updates installed.  The AD controller, DHCP, RRAS and CA are all running on a single server with an Eval version of Server 2008. I'm using a Cisco 2950 (IOS = 12.1(22)EA4a) switch as the Authenticator.

    Although I thought I had configured everything I needed to for this to work, I am unable to get the clients to correctly authenticate and they all show similar event log messages:

    Wired 802.1X Authentication failed.
     Network Adapter: Broadcom 440x 10/100 Integrated Controller
     Interface GUID: {XXXXX-XXX-XXX-XXXXXX-XXXX}
     Peer Address: XXXXXXXXXXX
     Local Address: XXXXXXXXXXX
     Connection ID: 0x9
     Identity: DOMAIN\user1
     User: user1
     Domain: DOMAIN
     Reason: 0x50005
     Reason Text: Explicit Eap failure received
     Error Code: 0x80420400

    From the fact that it is saying Explicit failure, I am assuming that all communication between the client->Switch->Server is functioning correctly. This is confirmed by the Network Monitor logs as well as the debugs from the switch itself:

    03:14:42: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/2)
    03:14:42: dot1x-packet:Rx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:42: dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/2)
    03:14:42: dot1x-packet:Tx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:46: dot1x-packet:Rx EAPOL-Start, ver 1, len 0 (Fa0/2)
    03:14:46: dot1x-packet:Rx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:46: dot1x-packet:Tx EAP-Request(Id), id 0, ver 1, len 5 (Fa0/2)
    03:14:46: dot1x-packet:Tx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: dot1x-packet:Rx EAP-Response(Id), id 0, ver 1, len 23 (Fa0/2)
    03:14:47: dot1x-packet:Rx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: RADIUS: ustruct sharecount=1
    03:14:47: RADIUS: EAP-login: length of radius packet = 151 code = 1
    03:14:47: RADIUS: Initial Transmit FastEthernet0/2 id 35 x.x.x.x:1812, Access-Request, len 151
    03:14:47: RADIUS: Received from id 35 x.x.x.x:1812, Access-Challenge, len 90
    03:14:47: RADIUS: EAP-login: length of eap packet = 6
    03:14:47:  RADIUS: EAP-login: got challenge from radius
    03:14:47: dot1x-packet:Tx EAP-Request(Unknown), id 1, ver 1, len 6 (Fa0/2)
    03:14:47: dot1x-packet:Tx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: dot1x-packet:Rx EAP-Response(Unknown), id 1, ver 1, len 129 (Fa0/2)
    03:14:47: dot1x-packet:Rx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: RADIUS: ustruct sharecount=1
    03:14:47: RADIUS: EAP-login: length of radius packet = 295 code = 1
    03:14:47: RADIUS: Initial Transmit FastEthernet0/2 id 36 x.x.x.x:1812, Access-Request, len 295
    03:14:47: RADIUS: Received from id 36 x.x.x.x:1812, Access-Challenge, len 1590
    03:14:47: RADIUS: EAP-login: length of eap packet = 1496
    03:14:47:  RADIUS: EAP-login: got challenge from radius
    03:14:47: dot1x-packet:Tx EAP-Request(Unknown), id 2, ver 1, len 1496 (Fa0/2)
    03:14:47: dot1x-packet:Tx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: dot1x-packet:Rx EAP-Response(Unknown), id 2, ver 1, len 6 (Fa0/2)
    03:14:47: dot1x-packet:Rx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: RADIUS: ustruct sharecount=1
    03:14:47: RADIUS: EAP-login: length of radius packet = 172 code = 1
    03:14:47: RADIUS: Initial Transmit FastEthernet0/2 id 37 x.x.x.x:1812, Access-Request, len 172
    03:14:47: RADIUS: Received from id 37 x.x.x.x:1812, Access-Challenge, len 278
    03:14:47: RADIUS: EAP-login: length of eap packet = 194
    03:14:47:  RADIUS: EAP-login: got challenge from radius
    03:14:47: dot1x-packet:Tx EAP-Request(Unknown), id 3, ver 1, len 194 (Fa0/2)
    03:14:47: dot1x-packet:Tx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: dot1x-packet:Rx EAP-Response(Unknown), id 3, ver 1, len 6 (Fa0/2)
    03:14:47: dot1x-packet:Rx sa=XXXX.XXXX.XXXX, da=XXXX.XXXX.XXXX, et 888E (Fa0/2)
    03:14:47: RADIUS: ustruct sharecount=1
    03:14:47: RADIUS: EAP-login: length of radius packet = 172 code = 1
    03:14:47: RADIUS: Initial Transmit FastEthernet0/2 id 38 x.x.x.x:1812, Access-Request, len 172
    03:14:47: RADIUS: Received from id 38 x.x.x.x:1812, Access-Reject, len 44
    03:14:47: RADIUS: EAP-login: length of eap packet = 4
    03:14:47: RADIUS: EAP-login: got reject from radius
    03:14:47: dot1x-packet:Tx EAP-Failure, id 3, ver 1, len 4 (Fa0/2)

    And the RRAS logs:
    SERVER1","IAS",05/04/2009,20:42:55,1,"DOMAIN\user1","DOMAIN\user1","XX-XX-XX-XX-XX-XX","XX-XX-XX-XX-XX-XX",,,,"X.X.X.X",50002,0,"X.X.X.X","SW1",,,15,,,2,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 21",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,
    SERVER1","IAS",05/04/2009,20:42:55,11,,"DOMAIN\user1",,,,,,,,0,"X.X.X.X","SW1",,,,,,,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 21",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,
    SERVER1","IAS",05/04/2009,20:42:55,1,"DOMAIN\user1","DOMAIN\user1","XX-XX-XX-XX-XX-XX","XX-XX-XX-XX-XX-XX",,,,"X.X.X.X",50002,0,"X.X.X.X","SW1",,,15,,,2,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 22",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,
    SERVER1","IAS",05/04/2009,20:42:55,11,,"DOMAIN\user1",,,,,,,,0,"X.X.X.X","SW1",,,,,,,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 22",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,
    SERVER1","IAS",05/04/2009,20:42:55,1,"DOMAIN\user1","DOMAIN\user1","XX-XX-XX-XX-XX-XX","XX-XX-XX-XX-XX-XX",,,,"X.X.X.X",50002,0,"X.X.X.X","SW1",,,15,,,2,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 23",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,
    SERVER1","IAS",05/04/2009,20:42:55,11,,"DOMAIN\user1",,,,,,,,0,"X.X.X.X","SW1",,,,,,,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 23",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,
    SERVER1","IAS",05/04/2009,20:42:55,1,"DOMAIN\user1","DOMAIN\user1","XX-XX-XX-XX-XX-XX","XX-XX-XX-XX-XX-XX",,,,"X.X.X.X",50002,0,"X.X.X.X","SW1",,,15,,,2,11,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 24",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,
    SERVER1","IAS",05/04/2009,20:42:55,3,,"DOMAIN\user1",,,,,,,,0,"X.X.X.X","SW1",,,,,,,11,"Secure Wired (Ethernet) Connections",262,"311 1 ::1 05/04/2009 19:30:16 24",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wired (Ethernet) Connections",1,,,,

    All of the client configuration has been done through two group policies:

    Certificate Policy:
      Computer Configuration:
           Certificate Path Validation Settings: Allow user trusted root CAs to be used, Allow users to trust peer trust certificates
           Certificate Services Client Auto-Enrollment: Configuration Model Enabled
    802.1x Policy:
      Computer Configuration:
           Wired Network (802.3) Policies: New Vista Wired Network Policy
               Security: PEAP, User re-authentication, Single Sign On enabled

    The NPS server itself is mostly the default setup.
      Connection Policies look for a NAS Port Type of Ethernet
      Network Policies look for a NAS Port Type of Ethernet and the specified Windows Groups

    Apologies for the streams of info, but I hope it is all relevant.  Would anyone be so kind as to help me out in finding the missing link?

    Thanks in advance

    Lee
    Monday, May 4, 2009 8:35 PM
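An added example, not code from the thread: a small Python parser for NPS/IAS-format log lines like the RRAS logs posted above, using the fixed IAS field order to decode the Packet-Type, Authentication-Type and Reason-Code columns and pull out every Access-Reject. The sample lines are a constructed, anonymised copy of the posted exchange (trailing columns truncated); the numeric code mappings are the documented IAS-format values.

```python
import csv

# 1-based column positions of the NPS/IAS-format fields used here (fixed field order).
IAS_FIELDS = {
    "packet_type": 5, "user_name": 6, "fq_user_name": 7, "nas_port": 14,
    "client_friendly_name": 17, "nas_port_type": 20, "authentication_type": 24,
    "policy_name": 25, "reason_code": 26,
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "5": "Accounting-Response", "11": "Access-Challenge"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAPv2", "5": "EAP", "11": "PEAP"}

# Constructed sample: an anonymised copy of the thread's exchange (raw string so the
# backslash in DOMAIN\user1 survives). Trailing columns are truncated for brevity.
SAMPLE_LOG = r'''
"SERVER1","IAS",05/04/2009,20:42:55,1,"DOMAIN\user1","DOMAIN\user1","XX-XX-XX-XX-XX-XX","XX-XX-XX-XX-XX-XX",,,,"X.X.X.X",50002,0,"X.X.X.X","SW1",,,15,,,2,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 21",,,,
"SERVER1","IAS",05/04/2009,20:42:55,11,,"DOMAIN\user1",,,,,,,,0,"X.X.X.X","SW1",,,,,,,5,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 21",30,,,,
"SERVER1","IAS",05/04/2009,20:42:55,1,"DOMAIN\user1","DOMAIN\user1","XX-XX-XX-XX-XX-XX","XX-XX-XX-XX-XX-XX",,,,"X.X.X.X",50002,0,"X.X.X.X","SW1",,,15,,,2,11,"Secure Wired (Ethernet) Connections",0,"311 1 ::1 05/04/2009 19:30:16 24",,,,
"SERVER1","IAS",05/04/2009,20:42:55,3,,"DOMAIN\user1",,,,,,,,0,"X.X.X.X","SW1",,,,,,,11,"Secure Wired (Ethernet) Connections",262,"311 1 ::1 05/04/2009 19:30:16 24",,,,
'''


def parse_ias_line(line):
    """Map one IAS-format line to the named fields and decode the numeric codes."""
    row = next(csv.reader([line]))
    rec = {name: (row[pos - 1] if pos <= len(row) else "") for name, pos in IAS_FIELDS.items()}
    rec["packet_type"] = PACKET_TYPES.get(rec["packet_type"], rec["packet_type"])
    rec["authentication_type"] = AUTH_TYPES.get(rec["authentication_type"], rec["authentication_type"])
    return rec


def parse_ias_log(text):
    """Parse every non-empty line of an IAS-format log into a list of records."""
    return [parse_ias_line(line) for line in text.strip().splitlines() if line.strip()]


def find_rejects(text):
    """Return the Access-Reject records; their Reason-Code is the same code NPS reports in event 6273."""
    return [r for r in parse_ias_log(text) if r["packet_type"] == "Access-Reject"]


if __name__ == "__main__":
    for r in parse_ias_log(SAMPLE_LOG):
        print(r["packet_type"], r["fq_user_name"], r["authentication_type"],
              "policy=" + r["policy_name"], "reason=" + r["reason_code"])
```

Note that the request that was rejected carries Authentication-Type 11 (PEAP) while the earlier ones carry 5 (EAP), so the failure happens inside the PEAP phase rather than at the outer EAP identity exchange.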

Answers

  • Hi,

    When you get the "RADIUS: EAP-login: got reject from radius", what is the reason provided in the event log under Custom Views\Server Roles\Network Policy and Access Services? I am guessing you will see event 6273 or perhaps 6274. In this event, there is an Authentication Details section that should provide a reason for the failure.

    Thanks,
    -Greg
    Thursday, May 7, 2009 7:05 PM

All replies

  • After giving up on this yesterday I had another go this morning and, strangely, after powering back up the server and client everything was working.

    Great, I thought; the logs were showing both the machine and user accounts getting successfully authenticated by the RADIUS/NPS server. I even removed the client from the domain and added it back in and still everything seemed to be working.

    I then wanted to see what would happen with a non-domain client. I have another laptop with XP home and I was unable to get this to work, turns out the CA certificates and a few other things needed to be added manually.  I'll leave this for another day.

    The problem I now have is that I'm back to square one: the domain PCs will now not authenticate either, even though no changes have been made to either group policy or the NPS configuration. I removed/added the client back into the domain but still no luck.

    Anyone got any ideas on this?

    OT: I managed to get the XP client to authenticate quite happily using the same switch configuration but authenticating to a Debian Linux box running FreeRADIUS.  I understand that MS has removed MD5-Challenge as an available authentication method from Vista and 2008.  I would have tried using PEAP on FreeRADIUS, but unfortunately it does not have SSL compiled in, so it is not available as an option on Debian.

    Tuesday, May 5, 2009 11:29 AM
  • I am seeing Event 6273.

    Under EAP type it is blank.

    Any suggestions on where to look?

    Thanks in advance.

    Friday, November 19, 2010 3:22 PM