Microsoft IAS and 1231G authentication failures

Unanswered Question
Feb 19th, 2007

I am attempting to configure a 1231G to use PEAP Authentication. I am using Windows 2003 Server running IAS as my RADIUS Server. The AP has been configured and is communicating with the IAS Server, but all of the authentication attempts are rejected because the username always gets changed to "anonymous" somewhere in the process.

The AP is running IOS 12.3(2)JA2

Can anyone help me understand what is happening? I have attached a copy of my AP Config along with an entry from the IAS Log. Any advice would be welcome.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
frankzehrer Tue, 02/20/2007 - 04:49

Hi Terry,

a few questions:

- Could it be that you setup for a test a account named anonymous?

- In the Windows Group Policies there are several settings for the login Anonymous. Maybe somthing changed there.

There are so many points of possible failure. Maybe the best is to verify the setup with this document: http://wireless.dweezle.org/Docs/PEAP/Step-by-Step%20Guide%20for%20Setting%20Up%20Secure%20Wireless%20Access.ppt

Good Luck

Frank

tpelley Tue, 02/20/2007 - 05:13

Hi Frank,

Thanks for the link, I'll definitely take a look.

I have not configured any sort of guest account named anonymous. I am actually using myself as the test account.

As for the group policies, I will have to take another look. I followed all of the docs I downloaded from both Cisco and Microsoft very carefully, but mabey I missed something.

LouisBHirst Tue, 02/27/2007 - 19:17

I followed the steps here and got it working:

http://articles.techrepublic.com.com/5100-1035-6148551.html

Only thing that I had to do is go into the domain accounts dial-in tab and change it from allow to deny.

Also, the cisco configs in this article don't work with mbssid, so I used a single ssid. I'm going back now and trying to figure out the whole mbssid / wlan thing. To tell the truth it's driving me nuts!

weerapatr Wed, 02/28/2007 - 00:47

Hi Terry,

I've been faced this problem.

This problem will occur on MS IAS RADIUS.

Because when use PEAP with MS IAS the client will send "Roaming Identity" instead of username/passwd. So log file on RADIUS will see anonymous as username ( default Roaming Identity is "anonymous").

So you need a wireless client utility that can modify Roaming Identity such as Intel Wireless PRo, Odyssey.

Hope this will help.

Weerapatr

P.S. I found issue of Roaming Identity on help file of Intel Wireless Pro Utility Version 9 or 10.

tpelley Wed, 02/28/2007 - 04:38

Thanks for the advice, I did get to the bottom of the issue. I discovered the same article on Tech Republic as LouisBHirst. One of the other Issues I ran into, since you mentioned Intel Proset is that the Intel(R) PRO/Wireless LAN 2100 3B adaptor has some problems with certain types of authentication. There is a lot of documentation floating around the net pertaining to issues this card has or has had with VPN. It seems to me that I have stumbled on some shortcomings with PEAP authentication. I never did get the ProSet utility to work with this card, but the Windows XP settings work perfectly. I have now had success using IAS and FreeRADIUS with a variety of client adaptors in the Lab.

The next step is to have the RADIUS server assign users to a predetermined VLAN once they have been authenticated. Who knows, perhaps then I'll get this mess onto a live network somewhere.

Thanks to all who have offered help

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode