PEAP user authentication failed - need help
Hi to everyone in this group. I have a problem and haven't found any
solution to it yet. It would be nice if someone could help me out:
I set up a domain controller (Windows Server 2008), and installed
DHCP, NPS (before known as IAS), AD certificate services and created
my own enterprise root certificate, let's call it ExampleCA. I
registered NPS in AD, and configured 802.1x settings for wireless
connection using the wizard. In the network policy, I allowed access to
everyone in the newly created WirelessAccess group. I added a computer
named Client1 to this group and a newly created user WirelessUser to the
same group. As a RADIUS client, I added a Planet AP.
After that, I set up the Client1 machine (first I used a wired connection
to add the computer to the domain I named auth.com, and then logged on
as WirelessU...@auth.com....). Then in Preferred networks, I added the
network I configured on the access point, using open authentication and WEP
encryption...In 802.1x settings I selected PEAP MSCHAPv2, selected
Validate server certificate (I found it on the list - ExampleCA), and
unselected Authenticate as computer when computer information is
available, as well as Authenticate as guest....I also unselected Use
my Windows logon...in the MSCHAPv2 settings.
Now here is the problem: when I try to authenticate (user
authentication), it NEVER asks me to enter user credentials and there
are never traces of user authentication in log files. And when I
select Authenticate as computer when computer information is
available, authentication succeeds, but in log files there are only
traces of computer authentication, like this:
"AUTHSERVER","IAS",02/11/2009,00:01:25,1,"host/
Client1.auth.com","AUTH
\CLIENT1$","00304f4c776e","00304f4e3def",,,"Realtek Access Point.
8181","192.168.0.1",0,0,"192.168.0.1","PLANET",,,19,"CONNECT 11Mbps
802.11b",,2,11,"Secure Wireless Connections",0,"311 1
fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft:
Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use
Windows authentication for all users",1,,,,
"AUTHSERVER","IAS",02/11/2009,00:01:25,2,,"AUTH\CLIENT1$",,,,,,,,
0,"192.168.0.1","PLANET",,,,,1,2,11,"Secure Wireless Connections",
0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37
46",,,,"Microsoft: Secured password (EAP-MSCHAP
v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,"0x0141555448",,,"Use Windows
authentication for all users",1,,,,
Does anyone have a clue what went wrong? In the network policy it is said
that every computer or user that is a member of WirelessAccess can
access the network, if the auth method is properly configured....
Also I have a question:
Is it possible that the problem is with the certificate (I assumed that,
if the certificate is shown in the field while I configured the wireless
client, it is also present in the user certificate store)? Do I have
to do something else with the certificate (via the mmc console) or did I
set it up right?
Re: PEAP user authentication failed - need help
Any event ID on the NPS server?
Re: PEAP user authentication failed - need help
That's what the problem is all about :) Here is how I set up the
network for testing...I set up a virtual machine with Windows Server
2008 on my laptop, and configured it as a domain controller (domain
name auth.com, computer name AuthServer) and configured NPS
properly...I connected it with a cable to the Planet AP. Then I connected
another computer to the same AP (also with a cable), added it to the domain,
and named it AuthClient (I connect to that computer via Remote
Desktop, because I don't have another monitor), and logged in as
wirelessuser (member of WirelessUsers, the group I used in the network
policies when I set up the 802.1X setting on NPS - I also added AuthClient
to the same group). Then, after I configured the AP, I tried to
connect to the wireless network and it didn't succeed.
Maybe this is wrong: to be able to "see" the desktop of AuthClient, I
left it always connected with the cable to the domain controller. Or, to
make it simpler:
1. Do I have to disconnect the AuthClient (remove the cable) prior to
trying to access the wireless network (in my case the name of the network
is Auth Network)?
2. In the official Microsoft guide to configuring PEAP authentication
with Server 2008 (Foundation Network Companion Guide: Deploying 802.1X
Authenticated Wireless Access with PEAP-MS-CHAP v2), I read that you
have to block the wireless client from sending traffic on some TCP
and UDP ports; maybe that is the issue? Here is what it says:
In addition, to provide enhanced security for the network, the
wireless APs must support the following filtering options:
• DHCP filtering. The wireless AP must filter on IP ports to prevent
the transmission of DHCP broadcast messages in those cases in which
the client is a DHCP server. The wireless AP must block the client
from sending IP packets from UDP port 68 to the network.
• DNS filtering. The wireless AP must filter on IP ports to prevent a
client from performing as a DNS server. The wireless AP must block the
client from sending IP packets from TCP or UDP port 53 to the network.
Re: PEAP user authentication failed - need help
Hi,
I'm bringing this topic up again because I encountered the same problem, and maybe I have other elements for investigation.
I used to install 802.1x access for WiFi products.
On 2003 Server, there is no problem; setting up the PEAP method for users is OK. Then, in order to log on to the computer (which means before the Windows GINA, which permits correctly deploying the logon script when using only a wireless connection), I set up the same configuration in rule #1 (the only difference is to match the "computers members domain group" instead of the "wifi domain group" for users, for example).
Then, this week, I tried to do the same configuration using NPS on a 2008 server.
First, we tried only one rule to authenticate users using PEAP MsChapv2. It is working, but since the wireless connection activates and authenticates after Windows logon, we miss the logon script.
So, then, I did as in 2003 and created another security policy rule (I don't remember the exact name, but it is in the same place as the user authentication).
I configured it the same as in 2003, to match the computers members domain group of the AD.
But, this time, when trying to authenticate the machine (it is working on the client part I think, since I see in the WiFi controller logs that it is sending host/xxx.yyy.fr to authenticate),
on the NPS part, the connection rule (not the security rule, which is not a problem for user authentication) is rejecting the request directly.
I see same information than the guy who opened this topic, like that:
> >> > "AUTHSERVER","IAS",02/11/2009,00:01:25,1,"host/
> >> > Client1.auth.com","AUTH
> >> > \CLIENT1$","00304f4c776e","00304f4e3def",,,"Realtek Access Point.
> >> > 8181","192.168.0.1",0,0,"192.168.0.1","PLANET",,,19,"CONNECT 11Mbps
> >> > 802.11b",,2,11,"Secure Wireless Connections",0,"311 1
> >> > fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft:
> >> > Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use
> >> > Windows authentication for all users",1,,,,
> >> > "AUTHSERVER","IAS",02/11/2009,00:01:25,2,,"AUTH\CLIENT1$",,,,,,,,
> >> > 0,"192.168.0.1","PLANET",,,,,1,2,11,"Secure Wireless Connections",
> >> > 0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37
> >> > 46",,,,"Microsoft: Secured password (EAP-MSCHAP
> >> > v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,"0x0141555448",,,"Use Windows
> >> > authentication for all users",1,,,,
But, in the auth logs (which are a little bit difficult to find the first time), I have this additional information:
the user XXX\computername$ is rejected because the user name or password is incorrect.
So, I have some ideas, but if someone already has had the problem, I share them to help comprehension:
- I set up mschapv2 for computers as for users in the security rules, as I have always done on 2003. Maybe something has changed about this in 2008?
- The connection rule (not the security rule) is rejecting the request for YYY\computername$, and the computer is trying to authenticate using its host/xxx.yyy.fr name. So it doesn't correspond; maybe there is a mistake here when trying to find XXX\computername$ in AD?
Thanks for help :)
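Both the original post and this last reply are diagnosing from NPS/IAS-format log records: the first poster sees only machine (`host/...` and `DOMAIN\NAME$`) entries and never a user entry, the second sees the machine account rejected with "user name or password is incorrect". The records are positional (no header row), so reading them by eye is error-prone. The following is an added example, not code from the thread or from Microsoft: a small Python parser for the leading IAS-format columns plus the Proxy-Policy-Name field (field 61, the connection request policy), which classifies each request as machine or user authentication and reports rejects with the decoded reason. The sample records are constructed to mirror the thread's two CLIENT1$ entries and the later poster's rejected machine account; the reason code 16 on the constructed reject is NPS's "bad user name or password" code, and the small code tables only cover the values the thread touches.

```python
"""Parse NPS/IAS-format RADIUS log records; separate machine from user auth."""
import csv
import io

# Leading positional columns of the IAS log format (the file has no header row).
LEADING_COLUMNS = [
    "computer", "service", "date", "time", "packet_type", "user_name",
    "fq_user_name", "called_station_id", "calling_station_id",
    "callback_number", "framed_ip", "nas_identifier", "nas_ip", "nas_port",
    "client_vendor", "client_ip", "client_friendly_name", "event_timestamp",
    "port_limit", "nas_port_type", "connect_info", "framed_protocol",
    "service_type", "authentication_type", "policy_name", "reason_code",
    "class",
]
# Field 61 (Proxy-Policy-Name) is the connection request policy that handled the
# request; field 25 (Policy-Name) is the network policy. 0-based index below.
PROXY_POLICY_INDEX = 60
RECORD_WIDTH = 62  # width used for the constructed sample lines

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}
NAS_PORT_TYPES = {"15": "Ethernet", "19": "Wireless-IEEE 802.11"}
AUTH_TYPES = {"4": "MS-CHAP v2", "5": "EAP", "11": "PEAP"}
REASON_CODES = {"0": "success", "16": "bad user name or password",
                "48": "no matching network policy",
                "49": "no matching connection request policy"}


def parse_record(line):
    """Split one IAS-format line into a dict with the key fields decoded."""
    fields = next(csv.reader(io.StringIO(line)))
    rec = dict(zip(LEADING_COLUMNS, fields))
    rec["packet"] = PACKET_TYPES.get(rec.get("packet_type", ""), "unknown")
    rec["port_type"] = NAS_PORT_TYPES.get(rec.get("nas_port_type", ""), rec.get("nas_port_type", ""))
    rec["auth_method"] = AUTH_TYPES.get(rec.get("authentication_type", ""), rec.get("authentication_type", ""))
    rec["reason"] = REASON_CODES.get(rec.get("reason_code", ""), rec.get("reason_code", ""))
    rec["connection_request_policy"] = fields[PROXY_POLICY_INDEX] if len(fields) > PROXY_POLICY_INDEX else ""
    return rec


def is_machine_account(rec):
    """Machine auth appears as User-Name host/<fqdn> or FQ name DOMAIN\\NAME$."""
    return rec.get("user_name", "").startswith("host/") or rec.get("fq_user_name", "").endswith("$")


def summarize(lines):
    """Count machine vs user Access-Requests and record each account's outcome."""
    counts = {"machine_requests": 0, "user_requests": 0}
    outcomes, findings = {}, []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        kind = "machine" if is_machine_account(rec) else "user"
        if rec["packet"] == "Access-Request":
            counts[kind + "_requests"] += 1
        elif rec["packet"] in ("Access-Accept", "Access-Reject"):
            account = rec.get("fq_user_name") or rec.get("user_name")
            policy = rec.get("policy_name") or rec["connection_request_policy"]
            outcomes[account] = (rec["packet"], rec["reason"], policy)
            if rec["packet"] == "Access-Reject":
                findings.append(f"{account} rejected by '{policy}': {rec['reason']}")
    if counts["user_requests"] == 0 and counts["machine_requests"] > 0:
        findings.append("only machine (host/...$) authentications reached NPS; no user "
                        "credentials were ever sent, so check the supplicant's 802.1X "
                        "user-authentication settings before the server")
    return {"counts": counts, "outcomes": outcomes, "findings": findings}


def make_record(**values):
    """Serialize a constructed IAS-format line (sample data only, not a real log)."""
    fields = [""] * RECORD_WIDTH
    for name, value in values.items():
        idx = PROXY_POLICY_INDEX if name == "connection_request_policy" else LEADING_COLUMNS.index(name)
        fields[idx] = value
    out = io.StringIO()
    csv.writer(out, lineterminator="").writerow(fields)
    return out.getvalue()


# Constructed samples mirroring the thread: CLIENT1$ requesting and accepted over
# PEAP on a wireless port, then a machine account rejected with reason code 16.
SAMPLE_LINES = [
    make_record(computer="AUTHSERVER", service="IAS", date="02/11/2009", time="00:01:25",
                packet_type="1", user_name="host/Client1.auth.com", fq_user_name=r"AUTH\CLIENT1$",
                nas_identifier="Realtek Access Point. 8181", nas_ip="192.168.0.1",
                client_friendly_name="PLANET", nas_port_type="19", authentication_type="11",
                policy_name="Secure Wireless Connections", reason_code="0",
                connection_request_policy="Use Windows authentication for all users"),
    make_record(computer="AUTHSERVER", service="IAS", date="02/11/2009", time="00:01:25",
                packet_type="2", fq_user_name=r"AUTH\CLIENT1$", nas_ip="192.168.0.1",
                client_friendly_name="PLANET", authentication_type="11",
                policy_name="Secure Wireless Connections", reason_code="0",
                connection_request_policy="Use Windows authentication for all users"),
    make_record(computer="AUTHSERVER", service="IAS", date="02/11/2009", time="00:02:10",
                packet_type="3", user_name="host/authclient.auth.com", fq_user_name=r"AUTH\AUTHCLIENT$",
                nas_ip="192.168.0.1", client_friendly_name="PLANET", nas_port_type="19",
                authentication_type="11", reason_code="16",
                connection_request_policy="Use Windows authentication for all users"),
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(report["counts"])
    for finding in report["findings"]:
        print("-", finding)
```

Run against a real `IN*.log` from the NPS log folder, `summarize(open(path).read().splitlines())` gives the same two signals the thread is chasing: a zero `user_requests` count means the client never offered user credentials (a supplicant-side setting, as in the first post), while an Access-Reject on a `DOMAIN\NAME$` account with a decoded reason points at the server-side policy or account lookup (as in the last post).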