Microsoft IAS and 1231G authentication failures

tpelley · ‎02-19-2007

I am attempting to configure a 1231G to use PEAP Authentication. I am using Windows 2003 Server running IAS as my RADIUS Server. The AP has been configured and is communicating with the IAS Server, but all of the authentication attempts are rejected because the username always gets changed to "anonymous" somewhere in the process.

The AP is running IOS 12.3(2)JA2

Can anyone help me understand what is happening? I have attached a copy of my AP Config along with an entry from the IAS Log. Any advice would be welcome.

frankzehrer · ‎02-20-2007

Hi Terry,

a few questions:

- Could it be that you setup for a test a account named anonymous?

- In the Windows Group Policies there are several settings for the login Anonymous. Maybe somthing changed there.

There are so many points of possible failure. Maybe the best is to verify the setup with this document: http://wireless.dweezle.org/Docs/PEAP/Step-by-Step%20Guide%20for%20Setting%20Up%20Secure%20Wireless%20Access.ppt

Good Luck

Frank

tpelley · ‎02-20-2007

Hi Frank,

Thanks for the link, I'll definitely take a look.

I have not configured any sort of guest account named anonymous. I am actually using myself as the test account.

As for the group policies, I will have to take another look. I followed all of the docs I downloaded from both Cisco and Microsoft very carefully, but mabey I missed something.

LouisBHirst · ‎02-27-2007

I followed the steps here and got it working:

http://articles.techrepublic.com.com/5100-1035-6148551.html

Only thing that I had to do is go into the domain accounts dial-in tab and change it from allow to deny.

Also, the cisco configs in this article don't work with mbssid, so I used a single ssid. I'm going back now and trying to figure out the whole mbssid / wlan thing. To tell the truth it's driving me nuts!

weerapatr · ‎02-28-2007

Hi Terry,

I've been faced this problem.

This problem will occur on MS IAS RADIUS.

Because when use PEAP with MS IAS the client will send "Roaming Identity" instead of username/passwd. So log file on RADIUS will see anonymous as username ( default Roaming Identity is "anonymous").

So you need a wireless client utility that can modify Roaming Identity such as Intel Wireless PRo, Odyssey.

Hope this will help.

Weerapatr

P.S. I found issue of Roaming Identity on help file of Intel Wireless Pro Utility Version 9 or 10.

tpelley · ‎02-28-2007

Thanks for the advice, I did get to the bottom of the issue. I discovered the same article on Tech Republic as LouisBHirst. One of the other Issues I ran into, since you mentioned Intel Proset is that the Intel(R) PRO/Wireless LAN 2100 3B adaptor has some problems with certain types of authentication. There is a lot of documentation floating around the net pertaining to issues this card has or has had with VPN. It seems to me that I have stumbled on some shortcomings with PEAP authentication. I never did get the ProSet utility to work with this card, but the Windows XP settings work perfectly. I have now had success using IAS and FreeRADIUS with a variety of client adaptors in the Lab.

The next step is to have the RADIUS server assign users to a predetermined VLAN once they have been authenticated. Who knows, perhaps then I'll get this mess onto a live network somewhere.

Thanks to all who have offered help