Microsoft IAS + Aironet 1100

d.locci · ‎01-24-2003

Hi guys,

I have a wireless network composed by IAS server on windows 2000 server, I'd wish to authenticate the clients by the IAS server in the leap-tls mode (certificates + login) and the communication must be encrypted in wep, but the authentication fails.I tried with winXP and Win2K and use LEAP authentication in ACU utility.

in the IAS server, the authentication is set in EAP with the certificate server (installed and configured in the same machine)

these are the logs of "debug radius" in aironet 1100 console:

RADIUS: User-Name [1] 18 "ICT-TEST-01\leap"

RADIUS: Framed-MTU [12] 6 1400

RADIUS: Called-Station-Id [30] 16 "0002.8a0e.3494"

RADIUS: Calling-Station-Id [31] 16 "0009.7c72.30fa"

RADIUS: NAS-Port-Type [61] 6 802.11 wireless [19]

RADIUS: Message-Authenticato[80] 18 *

RADIUS: EAP-Message [79] 8

RADIUS: 02 03 00 06 03 11 [??????]

RADIUS: NAS-Port-Type [61] 6 Virtual [5]

RADIUS: NAS-Port [5] 6 163

RADIUS: State [24] 24

RADIUS: 1A FB 02 79 00 00 01 37 00 01 C0 A8 00 D0 00 00 [???y???7????????]

RADIUS: 00 01 00 00 00 06 [??????]

RADIUS: Service-Type [6] 6 Login [1]

RADIUS: NAS-IP-Address [4] 6 192.168.0.213

RADIUS: Nas-Identifier [32] 13 "ICT-AP-00 "

RADIUS: Received from id 26 192.168.0.208:1812, Access-Challenge, len76

RADIUS: authenticator 29 44 AF 62 13 8C 9B 17 - 17 B9 98 28 7E 29 E8A1

RADIUS: Session-Timeout [27] 6 30

RADIUS: EAP-Message [79] 8

RADIUS: 01 03 00 06 0D 20 [????? ]

RADIUS: State [24] 24

RADIUS: 1A FB 02 79 00 00 01 37 00 01 C0 A8 00 D0 00 00 [???y???7????????]

RADIUS: 00 01 00 00 00 06 [??????]

RADIUS: Message-Authenticato[80] 18 *

RADIUS: Received from id A5

RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes

RADIUS: not a valid author-type 0!!

RADIUS/ENCODE(000000A5): acct_session_id: 165

RADIUS(000000A5): sending

RADIUS: Send to unknown id 27 192.168.0.208:1812, Access-Request, len 169

RADIUS: authenticator 1C 2C 9E C0 72 C9 EE 96 - 49 78 C5 87 13 9A 36AE

*******************************

and these are the logs of microsoft IAS Server:

Event Type: Warning

Event Source: IAS

Event Category: None

Event ID: 2

Date: 26/12/2002

Time: 14.28.35

User: N/A

Computer: ICT-TEST-00

Description:

User leap was denied access.

Fully-Qualified-User-Name = <undetermined>

NAS-IP-Address = 192.168.0.213

NAS-Identifier = ICT-AP-00

Called-Station-Identifier = 0002.8a0e.3494

Calling-Station-Identifier = 0009.7c72.30fa

Client-Friendly-Name = ICT-AP-00

Client-IP-Address = 192.168.0.213

NAS-Port-Type = 19

NAS-Port = 90

Policy-Name = <undetermined>

Authentication-Type = <undetermined>

EAP-Type = <undetermined>

Reason-Code = 18

Reason = The specified authentication type is not supported on this system.

**********************************************

thanx a lot

Dani

derwin · ‎01-24-2003

Here is your answer from the debugs

Reason = The specified authentication type is not supported on this system.

LEAP can only be used on servers that support leap

Third-Party AAA RADIUS Support

Several third-party AAA RADIUS servers including Funk Software (Steel-Belted RADIUS) and Interlink Networks (AAA RADIUS) now support the Cisco LEAP security framework. These servers, along with the Cisco Secure Access Control Server (ACS) and Cisco Access Registrar (AR), provide network managers with flexibility and options for selecting back-end services without compromising WLAN security.

The microsoft server may support EAP but it doesnt support LEAP