Discussion:
802.1x MD5-Challenge authenticated failure
Michael chen
2008-08-22 02:44:00 UTC
I have installed IAS Server on Windows 2003 R2 Standard for D-Link DES-1228
switches' 802.1x wired authentication. I want to perform MD5-Challenge for AD
users rather than PEAP. Our AD is Windows 2003. Clients are WXP SP2 or later.
I am puzzled why NAS-Port-Type in the policy conditions was Ethernet, but the IAS log
shows Wireless - IEEE 802.11?
Here are the policy conditions:
NAS-Port-Type matches "Ethernet" AND Windows-Groups matches "ASIA\#CN - WUJ Radius"

The following is the IAS log detail:

The line logged into the file:

NAS-IP-Address : 10.200.224.47
User-Name : ASIA\radius
Record-Date : 08/21/2008
Record-Time : 14:38:59
Service-Name : IAS
Computer-Name : WUJNT009
NAS-IP-Address : 10.200.224.47
NAS-Port : 0
Called-Station-Id : 00-1C-F0-BD-C2-95
Calling-Station-Id : 00-03-25-58-80-10
Framed-MTU : 1300
NAS-Port-Type : Wireless - IEEE 802.11
Connect-Info : CONNECT 10/100Mbps
Client-IP-Address : 10.200.224.47
Client-Vendor : RADIUS Standard
Client-Friendly-Name: 2F HP LAB 224.47
Provider-Type : Windows
Proxy-Policy-Name : Use Windows authentication for all users
Class : 311 1 10.200.224.16 08/15/2008 07:22:12 10
SAM-Account-Name : ASIA\radius
Fully-Qualifed-User-Name: ASIA\radius
Authentication-Type : EAP
Packet-Type : Access-Request
Reason-Code : The operation completed successfully.



NAS-IP-Address : 10.200.224.47
User-Name : ASIA\radius
Record-Date : 08/21/2008
Record-Time : 14:38:59
Service-Name : IAS
Computer-Name : WUJNT009
Class : 311 1 10.200.224.16 08/15/2008 07:22:12 10
Authentication-Type : EAP
Fully-Qualifed-User-Name: ASIA\radius
SAM-Account-Name : ASIA\radius
Proxy-Policy-Name : Use Windows authentication for all users
Provider-Type : Windows
Client-Friendly-Name: 2F HP LAB 224.47
Client-Vendor : RADIUS Standard
Client-IP-Address : 10.200.224.47
Packet-Type : Access-Reject
Reason-Code : The connection attempt did not match any remote
access policy.
S. Pidgorny <MVP>
2008-08-29 10:24:24 UTC
So there is a port type mismatch, because of which the access policy
doesn't apply...
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Michael chen
2008-09-06 16:39:10 UTC
I succeeded when I configured the remote access policy as wireless. My
problem is why, when my RADIUS client is a wired switch, I must set the remote
access policy as wireless?

Thanks in advance!
James McIllece [MS]
2008-09-08 20:44:29 UTC
Post by Michael chen
I succeeded when I configured the remote access policy as
wireless. My problem is why, when my RADIUS client is a wired switch, I must
set the remote access policy as wireless?
Thanks in advance!
Do not configure the remote access policy as wireless if you are deploying
a switch. If you do, the policy will not work.


James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
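
The port-type mismatch discussed in this thread can be checked from the IAS log itself. The following Python is an added example, not code from any poster: it parses records in the "Name : value" layout shown above and reports rejects where the NAS-Port-Type the switch sent differs from the policy condition. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# RADIUS NAS-Port-Type (attribute 61) values from RFC 2865, keyed by the names IAS logs.
NAS_PORT_TYPES = {"Ethernet": 15, "Wireless - Other": 18, "Wireless - IEEE 802.11": 19}
# Constructed sample in the thread's "Name : value" layout, trimmed to the relevant fields.
SAMPLE_LOG = """\
User-Name : ASIA\\radius
NAS-IP-Address : 10.200.224.47
NAS-Port-Type : Wireless - IEEE 802.11
Packet-Type : Access-Request

User-Name : ASIA\\radius
Client-IP-Address : 10.200.224.47
Packet-Type : Access-Reject
Reason-Code : The connection attempt did not match any remote
access policy.
"""

def parse_records(text):
    """Split records on blank lines; fold wrapped lines into the previous value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, last = {}, None
        for line in block.splitlines():
            m = re.match(r"([A-Za-z][\w-]*)\s*:\s(.*)$", line)
            if m:
                last = m.group(1)
                rec[last] = m.group(2).strip()
            elif last:
                rec[last] += " " + line.strip()
        records.append(rec)
    return records

def port_type_mismatches(records, policy_port_type):
    """Pair each policy-mismatch reject with the port type its NAS reported."""
    sent, findings = {}, []
    for rec in records:
        nas = rec.get("NAS-IP-Address") or rec.get("Client-IP-Address")
        key = (rec.get("User-Name"), nas)
        if rec.get("Packet-Type") == "Access-Request":
            sent[key] = rec.get("NAS-Port-Type")
        elif "did not match any remote access policy" in rec.get("Reason-Code", ""):
            got = sent.get(key)
            if got and got != policy_port_type:
                findings.append({"user": key[0], "nas": nas, "sent": got,
                                 "sent_code": NAS_PORT_TYPES.get(got),
                                 "policy": policy_port_type})
    return findings

print(port_type_mismatches(parse_records(SAMPLE_LOG), "Ethernet"))
```

The policy condition is evaluated against whatever NAS-Port-Type value the RADIUS client puts in the Access-Request, so the value reported by the switch is what the log and the policy both see.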