02-09-2009 01:18 PM - edited 07-03-2021 05:08 PM
I can get web-auth using PAP to work with IAS fine but it provides no encryption.
Is web-authentication using CHAP (or MD5-CHAP) possible when the RADIUS server being used is Microsoft IAS? Has anyone gotten this scenario to work?
Thanks,
Scott
02-10-2009 07:00 AM
I haven't tried it, but do you have CHAP enabled on the IAS box? If not then this is how you enable it if you don't have it enabled already.
To enable authentication protocols:
1. Open Routing and Remote Access.
2. Right-click the server name for which you want to enable authentication protocols, and then click Properties.
3. On the Security tab, click Authentication Methods.
4. In the Authentication Methods dialog box, select the appropriate check boxes for the authentication protocols that the remote access server will use to authenticate remote clients, and then click OK.
02-10-2009 07:57 AM
Yes, I have enabled CHAP in both Routing and Remote Access AND the IAS remote access profile properties but still get an Access-Reject Msg.
Output from debug aaa all enable:
00:1d:e0:0b:c5:dd Successful transmission of Authentication Packet (id 57) to 10.2.13.134:1812, proxy state 00:1d:e0:0b:c5:dd-00:01
Tue Feb 10 08:59:21 2009: 00000000: 01 39 00 81 b4 4b 73 c1 dd c7 92 a4 31 0a c2 5a .9...Ks.....1..Z
Tue Feb 10 08:59:21 2009: 00000010: c6 25 65 37 01 0a 73 6a 6f 68 6e 73 6f 6e 3c 12 .%e7..sjohnson<.
Tue Feb 10 08:59:21 2009: 00000020: 19 30 41 07 89 3c 39 c5 eb a2 08 13 7c a0 21 cb .0A..<9.....|.!.
Tue Feb 10 08:59:21 2009: 00000030: 03 13 04 a6 7e 93 19 42 92 ae cd d8 94 1e 0d e0 ....~..B........
Tue Feb 10 08:59:21 2009: 00000040: 0b 95 d0 06 06 00 00 00 01 04 06 c0 a8 64 0a 20 .............d..
Tue Feb 10 08:59:21 2009: 00000050: 05 57 4c 43 1a 0c 00 00 37 63 01 06 00 00 00 01 .WLC....7c......
Tue Feb 10 08:59:21 2009: 00000060: 1f 11 31 39 32 2e 31 36 38 2e 31 30 30 2e 31 30 ..192.168.100.10
Tue Feb 10 08:59:21 2009: 00000070: 36 1e 10 31 39 32 2e 31 36 38 2e 31 30 30 2e 31 6..192.168.100.1
Tue Feb 10 08:59:21 2009: 00000080: 30 0
Tue Feb 10 08:59:21 2009: 00000000: 03 39 00 14 fc a7 d6 13 84 af 26 34 b4 a0 39 29 .9........&4..9)
Tue Feb 10 08:59:21 2009: 00000010: c3 d9 ed 5c ...\
Tue Feb 10 08:59:21 2009: ****Enter processIncomingMessages: response code=3
Tue Feb 10 08:59:21 2009: ****Enter processRadiusResponse: response code=3
Tue Feb 10 08:59:21 2009: 00:1d:e0:0b:c5:dd Access-Reject received from RADIUS server 10.2.13.134 for mobile 00:1d:e0:0b:c5:dd receiveId = 0
Tue Feb 10 08:59:21 2009: 00:1d:e0:0b:c5:dd Returning AAA Error 'Authentication Failed' (-4) for mobile 00:1d:e0:0b:c5:dd
Tue Feb 10 08:59:21 2009: AuthorizationResponse: 0x36bf7880
Tue Feb 10 08:59:21 2009: structureSize................................28
Tue Feb 10 08:59:21 2009: resultCode...................................-4
Tue Feb 10 08:59:21 2009: protocolUsed.................................0xffffffff
Tue Feb 10 08:59:21 2009: proxyState...................................00:1D:E0:0B:C5:DD-00:00
Tue Feb 10 08:59:21 2009: Packet contains 0 AVPs:
Tue Feb 10 08:59:21 2009: Authentication failed for sjohnson
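Added example (not part of the thread): how a RADIUS server checks the CHAP-Password attribute of an Access-Request such as the one in the debug output above, following RFC 2865. The packet, user name and password are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60  # RFC 2865 attribute types

def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: [values]})."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, packet[4:20], attrs

def chap_ok(packet: bytes, cleartext_password: bytes) -> bool:
    """Verify CHAP-Password = CHAP ID (1 byte) + MD5(ID + password + challenge)."""
    code, _, authenticator, attrs = parse_radius(packet)
    if code != 1 or CHAP_PASSWORD not in attrs:  # 1 = Access-Request
        return False
    chap = attrs[CHAP_PASSWORD][0]
    if len(chap) != 17:
        return False
    chap_id, response = chap[:1], chap[1:]
    # The challenge is the CHAP-Challenge attribute if present,
    # otherwise the Request Authenticator field of the header.
    challenge = attrs.get(CHAP_CHALLENGE, [authenticator])[0]
    expected = hashlib.md5(chap_id + cleartext_password + challenge).digest()
    return hmac.compare_digest(expected, response)

def build_sample(user: bytes, password: bytes, challenge: bytes, chap_id: int = 1) -> bytes:
    """Build a constructed Access-Request carrying User-Name and CHAP attributes."""
    def attr(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    resp = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    body = (attr(USER_NAME, user) + attr(CHAP_CHALLENGE, challenge)
            + attr(CHAP_PASSWORD, bytes([chap_id]) + resp))
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed sample values, not taken from the debug output above.
SAMPLE = build_sample(b"testuser", b"correct horse", bytes(range(16)))
```

The MD5 input includes the password itself, so the server can only run this check if it can obtain the user's cleartext password.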
02-10-2009 10:52 AM
Do you have a guest anchor wlc or a stand alone wlc?
02-10-2009 11:03 AM
This is a standalone WLC 4402.
02-10-2009 11:33 AM
Hi
I'm trying to get WebAuth working, period, with IAS 2003. Can you provide me with an example of the policy you created on the IAS server? I have it set for 'time of day' and 'user is a member of group x' and left everything else default, yet all my web users are being rejected. Is there something else you had to do to get this working, even with PAP? (We do not care about encryption as this is a public access network.) Thanks very much.
J
02-10-2009 11:39 AM
02-25-2009 08:18 AM
Hi
So this worked great... with one small issue. The IAS server is in the root of the domain forest, and the users are in a different subdomain. In order to get the users to log in via the webpage, they have to specify their account like 'username@domain.xx', otherwise it fails to log in.
Is there any way to avoid having to specify the @domain.xx part?
Thanks.