Problems using PEAP with IAS
09-14-2003 07:32 AM - edited 07-04-2021 09:00 AM
I am trying to authenticate PEAP clients (W2K) for Cisco
1200 access points using IAS on Windows 2003. When the
initial RADIUS request packet is sent to the IAS it
includes the following information:
RADIUS: ----- RADIUS HEADER -----
RADIUS:
RADIUS: Code = 1 (Access-Request)
RADIUS: Identifier = 0
RADIUS: Length = 173
RADIUS: Authenticator = 30F51BA0C55ABDC0E7028131C927E056
RADIUS:
RADIUS: Attributes follow
RADIUS: Attribute Type = 1
RADIUS: Attribute Length = 19
RADIUS: User-Name = "PEAP-0009B7F1111F"
RADIUS:
RADIUS: Attribute Type = 26 (Vendor Specific)
RADIUS: Attribute Length = 25
RADIUS: Vendor ID = 9 (Cisco)
RADIUS: Attribute = 1 (minimum links)
RADIUS: Vendor Length = 19
RADIUS: Vendor Data = 737369643D496E7465726E65744F4E4C5904
RADIUS:
RADIUS: Attribute Type = 6
RADIUS: Attribute Length = 139
The RADIUS response that is sent back from the IAS looks
like this:
RADIUS: ----- RADIUS HEADER -----
RADIUS:
RADIUS: Code = 3 (Access-Reject)
RADIUS: Identifier = 0
RADIUS: Length = 20
RADIUS: Authenticator = FAE99D0AFF61F66129DF6153B1AEED13
RADIUS:
RADIUS: No attributes
RADIUS:
The event written to the event log by the IAS for the
above request is as follows:
User PEAP-0009B7F1111F was denied access.
Fully-Qualified-User-Name = BOUNCER\PEAP-0009B7F1111F
NAS-IP-Address = 139.127.8.251
NAS-Identifier = HOMEAP2
Called-Station-Identifer = 0009b7d1fe47
Calling-Station-Identifier = 0009b7f1111f
Client-friendly-Name = HOMEAP2
Client-IP-Address = 139.127.8.251
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 38
Proxy-Policy-Name = Use Windows authentication for all users.
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user does not exist.
Based on the above event message, it appears that the IAS
is looking for user BOUNCER\PEAP-0009B7F1111F in the local
user database. This doesn't seem to make sense since in
the first phase of PEAP, the IAS should return an identity
request message to the access point and then establish a
TLS tunnel directly to the authenticating wireless
client. Once the tunnel has been established, then the
client should deliver the actual username/password
combination to the IAS for authentication. Does anyone
know how to fix this problem?
Labels: Wireless Security
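To make the sniffer dump above easier to read, here is an added example (written for this thread, not code from the original poster or from Cisco/Microsoft) that rebuilds the Access-Request byte for byte from the values shown, parses it back, and decodes the Cisco Vendor-Specific attribute. It also shows how the Response Authenticator of the empty Access-Reject is computed and checked per RFC 2865, so the access point can tell a genuine reject from a forged one. The shared secret is a constructed placeholder; the real one is not in the thread, so the reject's authenticator from the dump cannot be reproduced here.

```python
"""RADIUS Access-Request / Access-Reject walk-through for the PEAP-with-IAS thread.

Constructed example: attribute values are taken from the sniffer dump in the post,
the shared secret is made up, and attribute names follow RFC 2865 / RFC 2865 VSA layout.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_VENDOR_SPECIFIC = 1, 6, 26
VENDOR_CISCO = 9
CISCO_SUBTYPE_1 = 1               # the sub-attribute the dump labels "Attribute = 1"
HEADER = struct.Struct("!BBH16s")  # code, identifier, length, authenticator (20 bytes)

REQUEST_AUTH = bytes.fromhex("30F51BA0C55ABDC0E7028131C927E056")  # from the dump
SECRET = b"example-shared-secret"                                  # constructed placeholder
DUMP_VENDOR_DATA = "737369643D496E7465726E65744F4E4C5904"          # as printed by the sniffer
DUMP_VENDOR_LENGTH = 19                                            # as printed by the sniffer


def attribute(atype, value):
    """Encode one attribute: Type, Length (value + 2 header bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS attribute")
    return bytes([atype, len(value) + 2]) + value


def cisco_vsa(sub_type, text):
    """Vendor-Specific (26): 4-byte Vendor-Id, then Vendor-Type, Vendor-Length, data."""
    data = text.encode("ascii")
    vendor_string = bytes([sub_type, len(data) + 2]) + data
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + vendor_string)


def build_request(identifier, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + len(body), authenticator) + body


def parse_packet(packet):
    """Return (code, identifier, authenticator, attrs); VSAs expand to (26, vendor, sub_type, data)."""
    code, identifier, length, authenticator = HEADER.unpack_from(packet)
    if length != len(packet):
        raise ValueError(f"Length field {length} does not match packet size {len(packet)}")
    attrs, pos = [], HEADER.size
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id = struct.unpack("!I", value[:4])[0]
            sub_type, sub_len = value[4], value[5]
            if sub_len != len(value) - 4:
                raise ValueError("Vendor-Length disagrees with attribute Length")
            attrs.append((atype, vendor_id, sub_type, value[6:]))
        else:
            attrs.append((atype, value))
        pos += alen
    return code, identifier, authenticator, attrs


def response_authenticator(code, identifier, attrs_bytes, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attrs_bytes)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attrs_bytes + secret).digest()


def build_reject(identifier, request_auth, secret):
    """An empty Access-Reject like the one IAS returned (Length = 20, no attributes)."""
    auth = response_authenticator(ACCESS_REJECT, identifier, b"", request_auth, secret)
    return HEADER.pack(ACCESS_REJECT, identifier, HEADER.size, auth)


def verify_response(response, request_auth, secret):
    """A NAS must discard a response whose authenticator does not verify against its request."""
    code, identifier, _length, auth = HEADER.unpack_from(response)
    expected = response_authenticator(code, identifier, response[HEADER.size:], request_auth, secret)
    return hmac.compare_digest(auth, expected)


def request_from_dump():
    """Identifier 0, the dump's authenticator, User-Name and the Cisco VSA from the dump."""
    return build_request(0, REQUEST_AUTH, [
        attribute(ATTR_USER_NAME, b"PEAP-0009B7F1111F"),   # outer EAP identity sent by the client
        cisco_vsa(CISCO_SUBTYPE_1, "ssid=InternetONLY"),
    ])


def decode_dump_vendor_data():
    """Decode the hex the sniffer printed; it shows one byte beyond Vendor-Length, which is dropped."""
    data = bytes.fromhex(DUMP_VENDOR_DATA)[:DUMP_VENDOR_LENGTH - 2]
    return data.decode("ascii")


if __name__ == "__main__":
    pkt = request_from_dump()
    print("request:", parse_packet(pkt))
    print("vendor data from dump:", decode_dump_vendor_data())
    rej = build_reject(0, REQUEST_AUTH, SECRET)
    print("reject verifies:", verify_response(rej, REQUEST_AUTH, SECRET))
```

Rebuilding the packet reproduces the lengths in the dump exactly (User-Name Attribute Length 19, Vendor-Specific Attribute Length 25 = 2 + 4 + Vendor Length 19), and the opaque Vendor Data turns out to be the plain string `ssid=InternetONLY`, so the only identity IAS has at this point is the outer `PEAP-<MAC>` string in User-Name, which is what its event log then reports as the user it could not find.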
09-19-2003 06:37 AM
I thought Cisco does not support PEAP with IAS servers. Was I wrong in my thinking?
10-06-2003 08:31 AM
It does indeed work. I have set up 2 shops using IAS and 340's, 350's, 1100's and 1200's. I used the MS-CHAP option. You create a server cert, configure the IAS server with the client (AP) and secret, and configure the AP to point to the IAS server. On the client side I had to authenticate the workstation in order to get login scripts and policies to work. One problem we ran into was Native versus Mixed mode in AD. You do not need to switch to Native, but in order for the machine to authenticate prior (meaning the machine is in the VPN group) you need to have the domain in Native mode, as you can't grant dial-in permission to the workstation. Once this is complete the machine logs in first, allowing it to obtain an IP and giving the user time to authenticate. Keep in mind that if the user does not successfully authenticate, the connection is terminated whether the computer authenticates or not. If you have any questions send me an email at jcusick@qmail.homelinux.com and I will be happy to help.
10-05-2003 08:03 AM
Can you provide us with a copy of your AP config? Here is a good link to setup Client, AP, and IAS for PEAP, just so you can verify all settings.
10-07-2003 05:39 AM
Just another link for how to configure client/AP/IAS.
11-13-2003 12:25 PM
Not sure if you ever got your question answered, but in MS Active Directory you need to go to the Dial-in tab and set it to allow access. If you need to do host-based authentication, you need to call MS for a patch that allows you to see a Dial-in tab for computer accounts in AD, then change it to allow access.
PK
11-14-2003 08:04 PM
It may be your NAS-Port-Type; the setting for this on the latest IOS-based 1200 AP is set to 16, I believe. In addition to this, for the Win 2003 IAS policy setup it puts that NAS-Port-Type in automatically. You should remove this; that is coming right from Microsoft, it is known to cause problems. I have the exact setup you are using except I am using XP clients. Also don't forget to set the EAP Client Timeout to something like 40 or so; this made all the difference in the world for me. It is under Advanced Security, EAP Authentication.
Good luck (I am still having problems)
PK
12-09-2003 11:10 PM
I have the same problem. When I use MS PEAP, it works fine. After I install ACU and use Cisco PEAP, the user name changes to PEAP-XXXXXXXXX. Anyone know what's wrong?
