Radius Authentication using Windows XP SP3
Westcort
2009-01-13 23:59:07 UTC
Hello
I am currently trying to build a test environment in order to determine
if 802.1x can be implemented on our network. I am currently using an
IAS server via PEAP-MSCHAPv2, Windows XP and a Dell PC6224 switch.
The problem I am currently having is that the Windows XP client cannot
log on to the domain in order to authenticate to the Radius and Domain
Server. When trying to log on, Windows XP tells me that it cannot find
the domain. I have a suspicion that it is because the domain user and
password are not passing to the radius server. But the weird thing is
that if I try to authenticate manually when I bypass the Windows logon
screen, I am able to type in a domain password and be authenticated to
the network.

I have also gotten it to work when I force the port on the switch to
force authenticate and cache the logon settings for the user. When I
turn off force authentication, that user can still log into Windows XP
and connect to our network.

Has anyone run into an issue like this before? Or know of a solution
to this problem?
James McIllece [MS]
2009-01-19 21:15:36 UTC
Hi Ken --

Have you deployed a server certificate to the IAS server from a CA that the
client computer trusts? If so, does the certificate meet the minimum server
certificate requirements? Do you have a remote access policy configured to
use PEAP-MS-CHAP v2 with the server certificate selected?

Thanks for any information you can provide --
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Westcort
2009-01-27 00:09:54 UTC
As the laptop is part of the same domain as the IAS, the computer
should trust the CA.
I do have a remote access policy configured and attached the certificate
that the CA generated for the server.
For my EAP Types I have Secured Password (EAP-MSCHAP v2) and I also
have fast reconnect enabled.
What other piece of information do you require?
James McIllece [MS]
2009-01-28 23:53:50 UTC
Hi there --

Thanks very much for the information. It sounds like your server
certificate deployment is correct. Just to make sure, please open the
Certificates snap-in on the client and see if the CA cert is in the Trusted
Root Certification Authorities certificate store.

Also ensure that the user account dial-in properties in Active Directory
are set to "Control access through remote access policy" or to "Allow
access."

This sounds like a switch configuration issue. If I understand you
correctly, you're saying that you can log onto the local computer rather
than the domain, but then connect to the domain through the switch anyhow,
bypassing RADIUS authentication. Normally with RADIUS authentication, the
switch should take authentication credentials, create an access request
message, and send the access request to the RADIUS/IAS server for
authentication and authorization.

So I would say double-check the switch settings to ensure that EAP
authentication is enabled, and that it is correctly configured with the
shared secret and IP address of your IAS server as the authenticating
server. There may be other settings that affect how your switch
communicates with IAS that should be configured as well, I don't know, not
familiar with the product.
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
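
An added example, not part of the original thread, of the exchange described in the reply above: the switch wraps the client's EAP identity in a RADIUS Access-Request and signs it with the shared secret (Message-Authenticator, RFC 3579), and the RADIUS server recomputes that value with its own copy of the secret. The secrets, user name and NAS address below are constructed sample values.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (including 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret: bytes, identity: str, nas_ip: str, ident: int = 1) -> bytes:
    """What the switch (NAS) sends after the client answers EAP-Request/Identity."""
    name = identity.encode()
    # EAP-Response (code 2), type 1 = Identity, relayed verbatim inside EAP-Message
    eap = struct.pack("!BBHB", 2, ident, 5 + len(name), 1) + name
    attrs = (attr(USER_NAME, name)
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(EAP_MESSAGE, eap)
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + os.urandom(16)
    packet = header + attrs
    # RFC 3579: HMAC-MD5 over the whole packet, keyed with the shared secret
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac

def server_accepts(secret: bytes, packet: bytes) -> bool:
    """Server-side check: recompute Message-Authenticator with the server's secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            return False
        if a_type == MESSAGE_AUTHENTICATOR and a_len == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += a_len
    return False  # an EAP request without Message-Authenticator is discarded

if __name__ == "__main__":
    # Constructed values: same secret on both sides, then a mismatched server secret
    pkt = build_access_request(b"switch-secret", "EXAMPLE\\testuser", "192.0.2.10")
    print(server_accepts(b"switch-secret", pkt), server_accepts(b"ias-secret", pkt))
```

A server that fails this check silently drops the request, so a secret mismatch shows up on the switch as a RADIUS timeout rather than as an Access-Reject.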