Archimede
2008-04-22 14:12:15 UTC
We have a 3Com RAS 1500 and until today we used MS-CHAPv1 to successfully
authenticate remote users.
The authentication is provided by a W2K3 DC+IAS server via RADIUS.
Now, some users installed Vista, which requires the use of MS-CHAPv2.
I tried to set up MS-CHAPv2 in both ras/ias, but until now it doesn't work.
:-((
This is what happens:
1) if I use local RAS auth (with internal user), all works fine.
2) if I use RADIUS auth (RAS connects to the DC), the access is granted by
the server,
but the client will disconnect with a 778 error (cannot verify server ID).
I found on internet that the main difference between v1 and v2 is the
client/server mutual authentication
by exchange of some encrypted messages based on the user password hash.
Now it is clear that in the first case the RAS has direct access to the user
password,
while in the second it will depend on the DC support.
Probably something is wrong in the DC/RAS communication.
How to debug this issue?
This is the event logged by W2K3 DC (sorry, it is partially Italian, but quite
simple to understand):
Origine evento: IAS
Categoria evento: Nessuno
ID evento: 1
Data: 22/04/2008
Ora: 15.23.25
Utente: N/D
Computer: CTSERVER
Descrizione:
Accesso consentito all'utente.
Fully-Qualified-User-Name = ct.int.ingv.it/Users/rastest
NAS-IP-Address = 10.200.1.2
NAS-Identifier = <non presente>
Client-Friendly-Name = ctras.ct.int.ingv.it
Client-IP-Address = 10.200.1.2
Calling-Station-Identifier = xxxxx
NAS-Port-Type = Async
NAS-Port = 1
Proxy-Policy-Name = Utilizza autenticazione Windows per tutti gli utenti
Authentication-Provider = Windows
Authentication-Server = <non determinato>
Policy-Name = Accesso RAS CT
Authentication-Type = MS-CHAPv2
EAP-Type = <non determinato>