Wireless Authentication Help

  • Question

  • I'm trying to set up NPS to handle wireless authentication for my network and I'm having a lot of problems with it.

    Clients are stuck "Validating Identity"...

    IAS log shows TONS of entries like this:

    "SERVERNAME","IAS",09/24/2009,20:12:15,1,"DOMAIN\Administrator","DOMAIN\Administrator","00-13-XX-XX-XX-XX:DOMAIN","00-0F-XX-XX-XX-XX",,,,"10.100.0.253",0,0,"10.100.0.253","Wireless",,,19,"CONNECT 11Mbps 802.11b",,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/24/2009 00:06:00 3982",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVERNAME","IAS",09/24/2009,20:12:15,11,,"DOMAIN\Administrator",,,,,,,,0,"10.100.0.253","Wireless",,,,,,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/24/2009 00:06:00 3982",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVERNAME","IAS",09/24/2009,20:12:15,1,"host/host.domain.net","DOMAIN\HOST$","00-13-XX-XX-XX-XX:DOMAIN","00-0F-XX-XX-XX-XX",,,,"10.100.0.253",0,0,"10.100.0.253","Wireless",,,19,"CONNECT 11Mbps 802.11b",,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/24/2009 00:06:00 3983",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVERNAME","IAS",09/24/2009,20:12:15,11,,"DOMAIN\HOST$",,,,,,,,0,"10.100.0.253","Wireless",,,,,,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/24/2009 00:06:00 3983",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,

    Notice the log shows ONLY RADIUS_CODE:
    rcAccessRequest  = 1
    rcAccessChallenge = 11

    Here are the settings I'm using (basically):
    WPA2 - Enterprise
    AES
    MS-PEAP (inside that I have EAP-MSCHAP v2)

    I set up the NPS server using the wizard and I'm pushing the same stuff via GP...
    No authentication or NPS errors in any "Event Viewer" logs...

    Any advice?
    Friday, September 25, 2009 12:24 AM

Answers

  • Everything is working...for a while now actually.

    I never came back to report things working because I forgot.

    I wouldn't really mark anyone as the answer, it's just working now.

     

    Thanks for checking back.

    Saturday, March 20, 2010 12:49 AM

All replies

  • Could Hyper-V be stopping up something?
    I have a separate NIC for it though...

    Also, I can get VPN & TS Gateway connections to negotiate just fine.

    Update:
    I believe this error (not sure because it has no "Account Name"), logged on the client, also has to do with the problem:
    A request was made to authenticate to a wireless network.
    
    Subject:
    	Security ID:		
    	Account Name:		-
    	Account Domain:		-
    	Logon ID:		0x0
    
    Network Information:
    	Name (SSID):		SSID
    	Interface GUID:		{27c6f566-f8b5-488f-ac63-f1d9d3e3d119}
    	Local MAC Address:	00:13:02:XX:XX:XX
    	Peer MAC Address:	00:13:60:XX:XX:XX
    
    Additional Information:
    	Reason Code:		Explicit Eap failure received (0x50005)
    	Error Code:		0x8007045b
    Saturday, September 26, 2009 5:15 PM
  • Might be a certificate issue. How is your CA and PKI configured?

    Does your NPS server have a cert?
    http://technet.microsoft.com/en-us/library/cc730811.aspx

    Can you authenticate using just EAP-MSCHAPv2 without PEAP?
    Friday, October 2, 2009 1:11 AM
  • I'm using a third party wildcard cert for the NPS server as well as the rest of my domain.

    I don't see an option in the group policy wireless settings to use just EAP.
    Looks like it has to be PEAP then inside that, EAP.

    Funny thing is: I can get on if I disable and re-enable the wireless card a few times...
    This is how I've been getting the clients on in the meantime.
    Sometimes, they even go through the first time, it seems.

    I'm wondering where the thing is getting hung up: the AP, the server, or where?
    I'll do some more digging...

    BTW,
    This is what a successful attempt looks like in my logs (user attempt looks the same but with their name, etc):
    (Some output omitted)


    "SERVER","IAS",09/30/2009,10:55:32,1,"host/host.domain.net","DOMAIN\HOST$","00-13-60-XX-XX-XX:DOMAIN","00-13-02-XX-XX-XX",,,,"10.100.0.253",0,9,"10.100.0.253","Wireless",,,19,"CONNECT 11Mbps 802.11b",,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 153",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVER","IAS",09/30/2009,10:55:32,11,,"DOMAIN\HOST$",,,,,,,,9,"10.100.0.253","Wireless",,,,,,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 153",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVER","IAS",09/30/2009,10:55:33,1,"host/host.domain.net","DOMAIN\HOST$","00-13-60-XX-XX-XX:DOMAIN","00-13-02-XX-XX-XX",,,,"10.100.0.253",0,9,"10.100.0.253","Wireless",,,19,"CONNECT 11Mbps 802.11b",,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 154",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVER","IAS",09/30/2009,10:55:33,11,,"DOMAIN\HOST$",,,,,,,,9,"10.100.0.253","Wireless",,,,,,,5,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 154",60,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVER","IAS",09/30/2009,10:55:33,1,"host/host.domain.net","DOMAIN\HOST$","00-13-60-XX-XX-XX:DOMAIN","00-13-02-XX-XX-XX",,,,"10.100.0.253",0,9,"10.100.0.253","Wireless",,,19,"CONNECT 11Mbps 802.11b",,,11,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 155",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"0x01444A584D4D58",,,"Wireless Connection Policy",1,,,,
    "SERVER","IAS",09/30/2009,10:55:33,11,,"DOMAIN\HOST$",,,,,,,,9,"10.100.0.253","Wireless",,,,,,,11,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 155",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVER","IAS",09/30/2009,10:55:33,1,"host/host.domain.net","DOMAIN\HOST$","00-13-60-XX-XX-XX:DOMAIN","00-13-02-XX-XX-XX",,,,"10.100.0.253",0,9,"10.100.0.253","Wireless",,,19,"CONNECT 11Mbps 802.11b",,,11,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 156",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Wireless Connection Policy",1,,,,
    "SERVER","IAS",09/30/2009,10:55:33,2,,"DOMAIN\HOST$",,,,,,,,9,"10.100.0.253","Wireless",,,,,1,2,11,"Wireless Access Policy",0,"311 1 fe80::4d3a:e808:89e8:c9bc 09/28/2009 22:44:51 156",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,"0x01444A584D4D58",,,"Wireless Connection Policy",1,,,,
    Friday, October 2, 2009 2:33 AM
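
The by-eye comparison made in the posts above (a stuck client only ever shows packet types 1 and 11, a working one ends in a 2) can be automated. This is an added example, not part of the original thread: the column positions are read off the records quoted here, the packet codes are the standard RADIUS ones, and the `EXAMPLE\...` records are constructed sample data.

```python
import csv
from collections import defaultdict

# 0-based column positions, read off the records quoted in this thread.
PACKET_TYPE, FQ_USER = 4, 6
# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
FINAL = {ACCESS_ACCEPT: "accepted", ACCESS_REJECT: "rejected"}


def summarize(lines):
    """Map each user to the state of their most recent EAP conversation."""
    state = defaultdict(lambda: {"verdict": "stalled", "open_challenges": 0,
                                 "accepts": 0, "rejects": 0})
    for row in csv.reader(lines):
        if len(row) <= FQ_USER or not row[PACKET_TYPE].isdigit():
            continue  # blank, truncated or non-record line
        code, entry = int(row[PACKET_TYPE]), state[row[FQ_USER]]
        if code in FINAL:
            # The server gave a final answer: the conversation is closed.
            entry["verdict"], entry["open_challenges"] = FINAL[code], 0
            entry["accepts" if code == ACCESS_ACCEPT else "rejects"] += 1
        elif code in (ACCESS_REQUEST, ACCESS_CHALLENGE):
            # Still negotiating; count challenges with no final answer yet.
            entry["verdict"] = "stalled"
            if code == ACCESS_CHALLENGE:
                entry["open_challenges"] += 1
    return dict(state)


def sample(code, user):
    """Build one constructed record; only the columns read above are filled."""
    cols = [""] * 30
    cols[0], cols[1], cols[2], cols[3] = "SERVER", "IAS", "09/30/2009", "10:55:33"
    cols[PACKET_TYPE], cols[FQ_USER] = str(code), user
    return ",".join(f'"{c}"' if c else "" for c in cols)


# Constructed log: HOST1 completes PEAP, HOST2 loops on request/challenge.
SAMPLE_LOG = [
    sample(1, r"EXAMPLE\HOST1$"), sample(11, r"EXAMPLE\HOST1$"),
    sample(1, r"EXAMPLE\HOST1$"), sample(2, r"EXAMPLE\HOST1$"),
    sample(1, r"EXAMPLE\HOST2$"), sample(11, r"EXAMPLE\HOST2$"),
    sample(1, r"EXAMPLE\HOST2$"), sample(11, r"EXAMPLE\HOST2$"),
    "",
]

if __name__ == "__main__":
    for user, info in summarize(SAMPLE_LOG).items():
        print(user, info)
```

A user whose verdict stays "stalled" while `open_challenges` keeps growing never received an Access-Accept or Access-Reject from the server, which matches the "Validating Identity" symptom in the question.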
  • Another thing to check might be your PEAP fast re-connect settings. Do you have it enabled on the client but not in the NPS policy's PEAP settings? Or vice versa?

    Perhaps your clients are attempting a fast re-connect which is failing and you see success when you disable/re-enable the wireless card because it is forcing a full PEAP authentication.

    More here: http://technet.microsoft.com/en-us/library/cc754179(WS.10).aspx
    Friday, October 2, 2009 9:07 PM
  • I checked that,
    It's enabled on both sides...

    It could be the AP...
    I was doing some research into it and it looks like there may be a bug with the AP.
    Excerpt from the AP help:


    To use wireless security which requires RADIUS server (802.1X) authentication, the VLAN ID needs to be the same as AP management VLAN ID.
    We will remove this restriction in future releases.

    I'm not sure if this fits my setup though...

    Here's my AP Setup:

    AP Management VLAN  on VLAN 100
    Main SSID on VLAN 100
    The primary RADIUS server on VLAN 1
    Backup RADIUS server on VLAN 100
    Friday, October 2, 2009 9:45 PM
  • Have you tried having NPS and the AP management VLAN ID the same to see if you still see the issue? Do you have the latest software on the AP?

    What OS are your clients? Are they up-to-date as well?
    Saturday, October 3, 2009 12:25 AM
  • I'm trying the primary & backup RADIUS servers on VLAN 100, to see if that helps at all.

    Yes, latest firmware.

    We are running Vista (SP2) and XP (SP3), all patched and up-to-date.
    Saturday, October 3, 2009 4:40 AM
  • Hi,

    This question is still not answered but has fallen off the first page of the forum so it may not be getting the attention needed.

    Please let me know if there is any further information about this issue. I will also try to summarize the current question and get an answer if possible.

    Greg Lindsay

    Friday, March 19, 2010 8:16 PM