Discussion:
IAS/Radius/MS-CHAPv2
Archimede
2008-04-22 14:12:15 UTC
We have a 3Com RAS 1500 and until today we used MS-CHAPv1 to successfully
authenticate remote users.
The authentication is provided by a W2K3 DC+IAS server via RADIUS.

Now, some users installed Vista, which requires the use of MS-CHAPv2.
I tried to set up MS-CHAPv2 in both ras/ias, but until now it doesn't work.
:-((

This is what happens:
1) if I use local RAS auth (with internal user), all works fine.
2) if I use RADIUS auth (RAS connects to the DC), the access is granted by
the server, but the client will disconnect with a 778 error (cannot verify
server ID).

I found on the internet that the main difference between v1 and v2 is the
client/server mutual authentication by exchange of some encrypted messages
based on the user password hash.
Now it is clear that in the first case the RAS has direct access to the user
password, while in the second it will depend on the DC support.
Probably something is wrong in the DC/RAS communication.

How to debug this issue?

This is the event logged by W2K3 DC (sorry, it is partially Italian, but quite
simple to understand):

Origine evento: IAS
Categoria evento: Nessuno
ID evento: 1
Data: 22/04/2008
Ora: 15.23.25
Utente: N/D
Computer: CTSERVER
Descrizione:
Accesso consentito all'utente.
Fully-Qualified-User-Name = ct.int.ingv.it/Users/rastest
NAS-IP-Address = 10.200.1.2
NAS-Identifier = <non presente>
Client-Friendly-Name = ctras.ct.int.ingv.it
Client-IP-Address = 10.200.1.2
Calling-Station-Identifier = xxxxx
NAS-Port-Type = Async
NAS-Port = 1
Proxy-Policy-Name = Utilizza autenticazione Windows per tutti gli utenti
Authentication-Provider = Windows
Authentication-Server = <non determinato>
Policy-Name = Accesso RAS CT
Authentication-Type = MS-CHAPv2
EAP-Type = <non determinato>
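Added illustration, not code from this thread: the MS-CHAPv2 "server proof" the client checks in the mutual-authentication step described above, computed as RFC 2759 specifies and checked against that RFC's own section 9.2 test vectors (password "clientPass", user "User", the two challenges and the NT-Response are taken from there; MD4 is inlined because hashlib often lacks it; function names are mine). Over RADIUS this "S=..." string is produced by IAS, carried to the NAS in the MS-CHAP2-Success attribute (RFC 2548) and must reach the client unchanged, which is why only the RADIUS path can fail the client's check while local RAS auth succeeds.

```python
# MS-CHAPv2 GenerateAuthenticatorResponse / CheckAuthenticatorResponse (RFC 2759).
import hashlib
import struct

MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def md4(data: bytes) -> bytes:
    """Minimal MD4 (RFC 1320), inlined because hashlib often lacks it."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & 0xFFFFFFFF
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):  # round 1
            a, b, c, d = d, rol((a + F(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rol((a + G(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rol((a + H(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        h = [(u + v) & 0xFFFFFFFF for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE password (what the DC holds, the NAS does not)."""
    return md4(password.encode("utf-16-le"))


def authenticator_response(password, nt_response, peer_chal, auth_chal, username):
    """Server-side proof the DC/IAS computes; a Vista client recomputes it to verify the server."""
    hash_hash = md4(nt_password_hash(password))  # HashNtPasswordHash
    digest = hashlib.sha1(hash_hash + nt_response + MAGIC1).digest()
    challenge = hashlib.sha1(peer_chal + auth_chal + username).digest()[:8]  # ChallengeHash
    return "S=" + hashlib.sha1(digest + challenge + MAGIC2).hexdigest().upper()


def client_accepts(received: str, *args) -> bool:
    """CheckAuthenticatorResponse: False is the 'cannot verify server ID' (778) outcome."""
    return received == authenticator_response(*args)


# RFC 2759 section 9.2 test vectors; NT-Response is taken as given (deriving it needs DES).
AUTH_CHAL = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
PEER_CHAL = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")
EXPECTED = "S=407A5589115FD0D6209F510FE9C04566932CDA56"
```

Any byte the NAS alters or drops while relaying the Success message makes `client_accepts` return False even though IAS already logged "access granted", which matches the symptom in this thread.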
Nick
2008-05-05 20:05:00 UTC
I was reading this recently
http://technet2.microsoft.com/windowsserver2008/en/library/f1d1a2b4-a967-451c-a256-f8c757aa32421033.mspx

This may be your case.
Mariano La Via
2008-05-08 06:48:47 UTC
Sorry, it seems not.
There is nothing between IAS and RAS (they are on the same switch).
Also, I don't use EAP-TLS.

Thanks anyway.

- Mariano La Via.-
------------------------------------------------------
Network & System Administrator
Istituto Nazionale di Geofisica e Vulcanologia
Sezione di Catania - Piazza Roma 2, 95125 Catania
------------------------------------------------------