EAP with Windows 2000 client and IAS server

jason
Level 1

Several messages on this site point to people using EAP on a Windows 2000 client and authenticating against an IAS server. I am running an Aironet 350 AP and trying to set up my Windows 2000 clients to use EAP only and authenticate against a Windows 2000 AD forest via IAS. The access point and client are on the latest firmware and drivers (12.0 for AP). I have two basic questions.

1. It is my understanding that by enabling Network-EAP as the only authentication type, users will authenticate and then dynamic WEP keys will be used, greatly reducing the risks of compromised WEP keys while at the same time keeping the data encrypted.

2. Does anyone have a quick HOW-TO or point-by-point list of how to configure the Windows 2000 client to authenticate using the Network-EAP method? I am currently running into a situation where no matter what I configure on the client, the IAS server reports an error with "Reason: The authentication type is not supported on this system." I also noticed that the "Authentication-Type" and "EAP-Type" fields shown in the IAS messages in the Windows 2000 Event Viewer log have the value "<undetermined>". Has anyone else run into this?


nagle
Level 1

I'm having a similar problem. I'm trying to do PEAP and it appears that IAS is not handling the request properly. It keeps trying to log the user PEAP-##### in instead of setting up the TLS and then asking for Username, Pass, Domain. The IAS error message I'm getting is:

User PEAP-00097CFCD901 was denied access.

Fully-Qualified-User-Name = APPLY\PEAP-00097CFCD901

NAS-IP-Address = 172.16.200.31

NAS-Identifier = AP1

Called-Station-Identifier = 004096570d87

Calling-Station-Identifier = 00097cfcd901

Client-Friendly-Name = WirelessAP

Client-IP-Address = 172.16.200.31

NAS-Port-Type = 19

NAS-Port = 37

Policy-Name =

Authentication-Type = EAP

EAP-Type =

Reason-Code = 8

Reason = The specified user does not exist.

So if anybody has the needed settings for Win2k (SP3 and 802.1x patch) IAS it would be much appreciated.

Ben

Note: if I had PEAP-####### as a user in Win2k I get:

User PEAP-00097CFCD901 was denied access.

Fully-Qualified-User-Name = apply.org/Users/PEAP TEST

NAS-IP-Address = 172.16.200.31

NAS-Identifier = AP1

Called-Station-Identifier = 004096570d87

Calling-Station-Identifier = 00097cfcd901

Client-Friendly-Name = WirelessAP

Client-IP-Address = 172.16.200.31

NAS-Port-Type = 19

NAS-Port = 37

Policy-Name = Wireless Policy

Authentication-Type = EAP

EAP-Type =

Reason-Code = 16

Reason = There was an authentication failure because of an unknown user name or a bad password.

Nagle,

It looks like you are getting a little further than I am. Here's what appears in my logs:

Authentication-Type =

EAP-Type =

Reason-Code = 18

Reason = The specified authentication type is not supported on this system.

It seems that no matter what I have tried, I cannot get the IAS server to recognize the Authentication-Type used is EAP. On the Access Point I have "Network EAP" selected as the only option on the WEP page and the Radius server has "EAP Authentication" and "User Authentication" selected. Is this what you have as well?
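A small triage helper for the IAS denial events quoted in the posts above, added here as an example; it is not code from any poster, from Microsoft or from Cisco. It parses the `Name = value` lines and flags the symptoms the posters describe; the finding labels (`user-is-peap-mac` and so on) are names made up for this example.

```python
import re

EMPTY = {"", "<undetermined>"}  # both forms of "no value" reported in this thread

def parse_ias_event(text):
    """Turn the 'Name = value' lines of an IAS event into a dict; empty values stay ''."""
    fields = {}
    who = re.search(r"User (\S+) was denied access", text)
    if who:
        fields["User"] = who.group(1)
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z-]*)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage(fields):
    """Return findings for one denied request; a field absent from the excerpt is not flagged."""
    findings = []
    user = fields.get("User", "")
    mac = fields.get("Calling-Station-Identifier", "")
    if user.upper().startswith("PEAP-") and mac and user[5:].lower() == mac.lower():
        findings.append("user-is-peap-mac")  # PEAP-<client MAC> was looked up as an account
    if fields.get("Authentication-Type") in EMPTY:
        findings.append("no-auth-type")      # IAS did not record the request as EAP
    if fields.get("EAP-Type") in EMPTY:
        findings.append("no-eap-type")       # no EAP method was recorded
    code = fields.get("Reason-Code", "")
    if code.isdigit():
        findings.append("reason-" + code)    # 8, 16 and 18 are the codes seen in this thread
    return findings

# Sample events, trimmed from the log excerpts quoted in the posts above.
PEAP_DENIED = """User PEAP-00097CFCD901 was denied access.
Calling-Station-Identifier = 00097cfcd901
Policy-Name =
Authentication-Type = EAP
EAP-Type =
Reason-Code = 8
Reason = The specified user does not exist."""

UNSUPPORTED = """Authentication-Type =
EAP-Type =
Reason-Code = 18
Reason = The specified authentication type is not supported on this system."""

if __name__ == "__main__":
    print([triage(parse_ias_event(e)) for e in (PEAP_DENIED, UNSUPPORTED)])
```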

ndoshi
Cisco Employee

Which EAP implementation are you trying? LEAP, PEAP or EAP-TLS?

LEAP is a kind of Cisco proprietary solution, so it will not work with IAS.

EAP-TLS requires certificates on the client as well as the server side. You will need a CA certificate server for this. Have you installed the CA root certificate?

For PEAP, you need only a server-side certificate. The client gets authenticated via username and password.

For the Cisco PEAP client you will need Windows 2000 Service Pack 3 and the 802.11 hotfixes. Have you installed those?

Nilesh

Nilesh,

Thank you for the information. I had been trying to use Cisco's LEAP with IAS because I was not able to get the host-based EAP option to show up in the ACU. After changing a dozen options and rebooting several times, I finally got the option to use host-EAP. Once I configured host-EAP, I saved our company's CA server cert and the IAS server's cert on the client. For the purposes of this test though, the CA and IAS server happen to be the same machine.

NOTE: I have Windows 2000 SP3 and the 802.11 hotfixes and I am trying this with an Aironet 350 PCMCIA card in a laptop.

I am getting the same results as Nagle using PEAP on the client. Does anyone know of a log on the client that indicates what is happening or would give more troubleshooting information?

Jason

jason
Level 1

EAP-TLS now working but PEAP is still not working.

I was able to finally get EAP-TLS working. It turns out my CA was not set up to issue certificates correctly. For those who are interested, here's what I did.

1. On the client, installed a certificate for the domain user I wished to authenticate as.

2. On the client, installed the Root CA certificate.

3. On the client, configure ACU to use correct SSID and Host based EAP.

4. On the client, under the Authentication tab of the NIC settings, enable 802.1x and set it to use Smart Card/Certificate with the following options:

a. Use a certificate on this computer

b. Use simple certificate selection

c. Validate server certificate

d. In the trusted ROOT CA box, select my CA

e. Use a different user name for the connection

5. On the Access Point, configure Network-EAP as the only authentication method under the WEP settings.

6. On the Access Point, configure the RADIUS server IP Address and set to EAP authentication only.

7. On the IAS server, configure the client to use RADIUS STANDARD.

8. On the IAS server, configure the wireless policy to contain a Windows User group and the NAS-IP address.

9. On the IAS server, configure the wireless policy authentication to use EAP and select the Smart Card/Certificate option.

10. On the Domain Controller, ensure that the user you will connect as has dial-in access granted.

I hope this helps others. If anyone gets PEAP working, please share with us.

Jason

Hi there,

I have the same problem. The problem is very, very critical.

If anyone has an answer or solution, please let me know.

This problem is almost killing me.

Email: stan@steptech.com.tw

Phone: +86-13701865791

Best Regards,

Stan

Hi there

Are you using the Cisco PEAP client or the one built into XP?

I want to use the Microsoft one with authorization against a Cisco Secure ACS. According to our Cisco engineer this will not work until we get a fix to Cisco Secure 3.1, the reason being that there is a difference between the Cisco and the Microsoft implementation of PEAP.

Stan,

What type of access point are you running and what software revision is running on it? Are your clients Windows 2000 or Windows XP? Are you trying to authenticate against Microsoft's IAS server or Cisco's server? Are you planning on using digital certificates for authentication or do you want to just use passwords? My understanding is that PEAP only works against Cisco's server and as such if you want to use something like Microsoft's IAS server for RADIUS authentication you have to configure EAP-TLS and use digital certificates.

If anyone else can verify this is correct, please let us know.

Jason
