
Thread: PEAP user authentication failed - need help

  1. #1
    zvone2000@gmail.com Guest

    PEAP user authentication failed - need help

    Hi to everyone in this group. I have a problem and haven't found any
    solution to it yet. It would be nice if someone could help me out:

    I set up a domain controller (Windows Server 2008), and installed
    DHCP, NPS (previously known as IAS), AD certificate services and created
    my own enterprise root certificate, let's call it ExampleCA. I
    registered NPS in AD, and configured 802.1x settings for wireless
    connection using the wizard. In network policy, I allowed access to
    everyone in the newly created WirelessAccess group. I added a computer
    named Client1 to this group and the newly created user WirelessUser to
    the same group. As a RADIUS client, I added a Planet AP.
    After that, I set up the Client 1 machine (first I used a wired connection
    to add the computer to the domain I named auth.com, and then logged on
    as WirelessU...@auth.com....Then in Preferred networks, I added the
    network I configured on the access point, using open authentication and
    WEP encryption...In 802.1x settings I selected PEAP MSCHAPv2, selected
    Validate server certificate (I found it on the list - ExampleCA), and
    unselected Authenticate as computer when computer information is
    available, as well as Authenticate as guest....I also unselected Use
    my windows logon...in MSCHAPv2 settings.

    Now here is the problem: when I try to authenticate (user
    authentication), it NEVER asks me to enter user credentials and there
    are never traces of user authentication in log files. And when I
    select Authenticate as computer when computer information is
    available, authentication succeeds, but in log files there are only
    traces of computer authentication, like this:

    "AUTHSERVER","IAS",02/11/2009,00:01:25,1,"host/
    Client1.auth.com","AUTH
    \CLIENT1$","00304f4c776e","00304f4e3def",,,"Realtek Access Point.
    8181","192.168.0.1",0,0,"192.168.0.1","PLANET",,,19,"CONNECT 11Mbps
    802.11b",,2,11,"Secure Wireless Connections",0,"311 1
    fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft:
    Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use
    Windows authentication for all users",1,,,,
    "AUTHSERVER","IAS",02/11/2009,00:01:25,2,,"AUTH\CLIENT1$",,,,,,,,
    0,"192.168.0.1","PLANET",,,,,1,2,11,"Secure Wireless Connections",
    0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37
    46",,,,"Microsoft: Secured password (EAP-MSCHAP
    v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,"0x0141555448",,,"Use Windows
    authentication for all users",1,,,,

    Does anyone have a clue what went wrong? In network policy it is said
    that every computer or user that is a member of WirelessAccess can
    access the network, if the configuration of the auth method is properly
    configured....

    Also I have a question:
    Is it possible that the problem is with the certificate (I assumed that,
    if the certificate is shown in the field while I configured the wireless
    client, it is also present in the user certificate store)? Do I have
    to do something else with the certificate (via the mmc console) or did I
    set it up right?

  2. #2
    Robert L. \(MS-MVP\) Guest

    Re: PEAP user authentication failed - need help

    Any event ID in the NPS server?

  3. #3
    zvone2000@gmail.com Guest
    No, no events in the NPS server...it didn't even log the connection
    requests:( that's what surprises me the most

    When a device tries to connect to the NPS, the Event Viewer should have a
    log (successful or failed). I would double check the connection.

  4. #4
    zvone2000@gmail.com Guest

    Re: PEAP user authentication failed - need help

    That's what the problem is all about :) Here is how I set up the
    network for testing...I set up a virtual machine with Windows Server
    2008 on my laptop, and configured it as a domain controller (domain
    name auth.com, computer name AuthServer) and configured NPS
    properly...I connected it with the cable to the Planet AP. Then I connected
    another computer to the same AP (also with cable), added it to the domain,
    and named it AuthClient (I connect to that computer via Remote
    Desktop, because I don't have another monitor), and logged in as
    wirelessuser (member of WirelessUsers, the group I used in network
    policies when I set up the 802.1X settings on NPS - I also added AuthClient
    to the same group). Then, after I configured the AP, I tried to
    connect to the wireless network and it didn't succeed.

    Maybe this is wrong: to be able to "see" the desktop of AuthClient, I
    left it always connected with the cable to the domain controller, or to
    make it simpler:
    1. Do I have to disconnect the AuthClient (remove the cable) prior to
    trying to access the wireless network (in my case the name of the network
    is Auth Network)?
    2. In the official Microsoft guide to configuring PEAP authentication
    with Server 2008 (Foundation Network Companion Guide: Deploying 802.1X
    Authenticated Wireless Access with PEAP-MS-CHAP v2), I read that you
    have to block the wireless client from sending traffic on some TCP
    and UDP ports, maybe that is the issue? Here is what it says:


    In addition, to provide enhanced security for the network, the
    wireless APs must support the following filtering options:
    • DHCP filtering. The wireless AP must filter on IP ports to prevent
    the transmission of DHCP broadcast messages in those cases in which
    the client is a DHCP server. The wireless AP must block the client
    from sending IP packets from UDP port 68 to the network.
    • DNS filtering. The wireless AP must filter on IP ports to prevent a
    client from performing as a DNS server. The wireless AP must block the
    client from sending IP packets from TCP or UDP port 53 to the network.

  5. #5
    Join Date
    Jun 2009
    Posts
    1

    Re: PEAP user authentication failed - need help

    Hi,

    I am bumping this topic because I encountered the same problem, and maybe I have other elements for investigation.

    I used to install 802.1x access for WiFi products.

    On 2003 server, there is no problem; setting up the PEAP method for users is OK. Then, in order to log on the computer (which means before the Windows GINA, which permits correctly deploying the logon script when using only a wireless connection), I set up the same configuration in rule #1 (the only difference is to match the "computers members domain group" instead of the "wifi domain group" for users, for example).

    Then, this week, I tried to do the same configuration using NPS on a 2008 server.

    First, we tried only the one rule to authenticate users using PEAP MSCHAPv2. It is working, but since the wireless connection activates and authenticates after Windows logon, we miss the logon script.
    So then I did as in 2003 and created another security policy rule (I don't remember the exact name, but it is in the same place as the user authentication).
    I configured it the same as in 2003, to match the computers members domain group of the AD.

    But this time, when trying to authenticate the machine (it is working on the client part, I think, since I see in the WiFi controller logs that it is sending host/xxx.yyy.fr to authenticate).

    But on the NPS part, the connection rule, not the security rule, which is not a problem for user authentication, is rejecting the request directly.
    I see the same information as the guy who opened this topic, like this:

    > >> > "AUTHSERVER","IAS",02/11/2009,00:01:25,1,"host/
    > >> > Client1.auth.com","AUTH
    > >> > \CLIENT1$","00304f4c776e","00304f4e3def",,,"Realtek Access Point.
    > >> > 8181","192.168.0.1",0,0,"192.168.0.1","PLANET",,,19,"CONNECT 11Mbps
    > >> > 802.11b",,2,11,"Secure Wireless Connections",0,"311 1
    > >> > fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft:
    > >> > Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use
    > >> > Windows authentication for all users",1,,,,
    > >> > "AUTHSERVER","IAS",02/11/2009,00:01:25,2,,"AUTH\CLIENT1$",,,,,,,,
    > >> > 0,"192.168.0.1","PLANET",,,,,1,2,11,"Secure Wireless Connections",
    > >> > 0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37
    > >> > 46",,,,"Microsoft: Secured password (EAP-MSCHAP
    > >> > v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,"0x0141555448",,,"Use Windows
    > >> > authentication for all users",1,,,,

    But in the auth logs (which are a little bit difficult to find the first time), I have this additional information:
    the user XXX\computername$ is rejected because the user name or password is incorrect.

    So, I have some ideas, and in case someone has already had the problem, I share them to help comprehension:

    - I set up MSCHAPv2 for computers as for users in the security rules, as I have always done on 2003. Maybe something has changed about this in 2008?
    - The connection rule (not the security rule) is rejecting the request for YYY\computername$, and the computer is trying to authenticate using its host/xxx.yyy.fr name. So it doesn't correspond; maybe there is a mistake here when trying to find XXX\computername$ in AD?

    Thanks for help :)
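
Added example, not part of any post in this thread: a small parser for NPS accounting records like the ones quoted above, which tallies computer versus user authentications by RADIUS packet type so a missing user logon stands out. It assumes the database-compatible log layout (Packet-Type in column 5, User-Name in column 6, the fully qualified name in column 7); the sample records are constructed and trimmed to nine columns, and the function names are hypothetical.

```python
import csv
import io
from collections import Counter

# RADIUS packet types as they appear in the Packet-Type column.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Constructed sample records modelled on the thread's log lines,
# cut down to the first nine columns (assumed column layout).
SAMPLE_LOG = r'''"AUTHSERVER","IAS",02/11/2009,00:01:25,1,"host/Client1.auth.com","AUTH\CLIENT1$","00304f4c776e","00304f4e3def"
"AUTHSERVER","IAS",02/11/2009,00:01:25,2,,"AUTH\CLIENT1$",,
"AUTHSERVER","IAS",02/11/2009,00:05:02,1,"AUTH\WirelessUser","AUTH\WirelessUser","00304f4c776e","00304f4e3def"
"AUTHSERVER","IAS",02/11/2009,00:05:02,3,,"AUTH\WirelessUser",,
'''

def identity_kind(user_name, fq_name):
    """Computer accounts log on as host/<fqdn> and resolve to DOMAIN\\NAME$."""
    if user_name.lower().startswith("host/") or fq_name.endswith("$"):
        return "computer"
    return "user"

def parse_records(text):
    """Yield one dict per well-formed record; skip short or malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7:
            continue
        try:
            packet = int(row[4])
        except ValueError:
            continue
        yield {
            "time": f"{row[2]} {row[3]}",
            "packet": PACKET_TYPES.get(packet, f"type-{packet}"),
            "user_name": row[5],
            "fq_name": row[6],
            "kind": identity_kind(row[5], row[6]),
        }

def summarize(text):
    """Count records per (identity kind, packet type)."""
    return Counter((r["kind"], r["packet"]) for r in parse_records(text))

if __name__ == "__main__":
    for (kind, packet), count in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{kind:8} {packet:16} {count}")
```

A log that only ever shows `computer` rows, as in the first post, means no user credentials reached NPS at all, which is different from a user request that NPS received and rejected.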
