
Web-auth - CHAP with Microsoft IAS

sjohnson
Level 1

I can get web-auth using PAP to work with IAS fine but it provides no encryption.

Is web-authentication using CHAP (or MD5-CHAP) possible when the RADIUS server being used is Microsoft IAS? Has anyone gotten this scenario to work?

Thanks,

Scott


Scott Fella
Hall of Fame

I haven't tried it, but do you have CHAP enabled on the IAS box? If not, then this is how you enable it if you don't have it enabled already.

To enable authentication protocols

Open Routing and Remote Access.

Right-click the server name for which you want to enable authentication protocols, and then click Properties.

On the Security tab, click Authentication Methods.

In the Authentication Methods dialog box, select the appropriate check boxes for the authentication protocols that the remote access server will use to authenticate remote clients, and then click OK.

-Scott
*** Please rate helpful posts ***

Yes, I have enabled CHAP in both Routing and Remote Access AND the IAS remote access profile properties but still get an Access-Reject Msg.

Output from debug aaa all enable:

00:1d:e0:0b:c5:dd Successful transmission of Authentication Packet (id 57) to 10.2.13.134:1812, proxy state 00:1d:e0:0b:c5:dd-00:01

Tue Feb 10 08:59:21 2009: 00000000: 01 39 00 81 b4 4b 73 c1 dd c7 92 a4 31 0a c2 5a .9...Ks.....1..Z

Tue Feb 10 08:59:21 2009: 00000010: c6 25 65 37 01 0a 73 6a 6f 68 6e 73 6f 6e 3c 12 .%e7..sjohnson<.

Tue Feb 10 08:59:21 2009: 00000020: 19 30 41 07 89 3c 39 c5 eb a2 08 13 7c a0 21 cb .0A..<9.....|.!.

Tue Feb 10 08:59:21 2009: 00000030: 03 13 04 a6 7e 93 19 42 92 ae cd d8 94 1e 0d e0 ....~..B........

Tue Feb 10 08:59:21 2009: 00000040: 0b 95 d0 06 06 00 00 00 01 04 06 c0 a8 64 0a 20 .............d..

Tue Feb 10 08:59:21 2009: 00000050: 05 57 4c 43 1a 0c 00 00 37 63 01 06 00 00 00 01 .WLC....7c......

Tue Feb 10 08:59:21 2009: 00000060: 1f 11 31 39 32 2e 31 36 38 2e 31 30 30 2e 31 30 ..192.168.100.10

Tue Feb 10 08:59:21 2009: 00000070: 36 1e 10 31 39 32 2e 31 36 38 2e 31 30 30 2e 31 6..192.168.100.1

Tue Feb 10 08:59:21 2009: 00000080: 30 0

Tue Feb 10 08:59:21 2009: 00000000: 03 39 00 14 fc a7 d6 13 84 af 26 34 b4 a0 39 29 .9........&4..9)

Tue Feb 10 08:59:21 2009: 00000010: c3 d9 ed 5c ...\

Tue Feb 10 08:59:21 2009: ****Enter processIncomingMessages: response code=3

Tue Feb 10 08:59:21 2009: ****Enter processRadiusResponse: response code=3

Tue Feb 10 08:59:21 2009: 00:1d:e0:0b:c5:dd Access-Reject received from RADIUS server 10.2.13.134 for mobile 00:1d:e0:0b:c5:dd receiveId = 0

Tue Feb 10 08:59:21 2009: 00:1d:e0:0b:c5:dd Returning AAA Error 'Authentication Failed' (-4) for mobile 00:1d:e0:0b:c5:dd

Tue Feb 10 08:59:21 2009: AuthorizationResponse: 0x36bf7880

Tue Feb 10 08:59:21 2009: structureSize................................28

Tue Feb 10 08:59:21 2009: resultCode...................................-4

Tue Feb 10 08:59:21 2009: protocolUsed.................................0xffffffff

Tue Feb 10 08:59:21 2009: proxyState...................................00:1D:E0:0B:C5:DD-00:00

Tue Feb 10 08:59:21 2009: Packet contains 0 AVPs:

Tue Feb 10 08:59:21 2009: Authentication failed for sjohnson
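Added example, not part of the original posts: a decoder for the Access-Request hex dump above, showing that the WLC did send CHAP-Password and CHAP-Challenge, together with the RFC 2865 CHAP check a RADIUS server has to perform. The function names are my own, and the password used in the self-check is a constructed value.

```python
import hashlib

# Offsets 0x00-0x5f of the Access-Request dump in the post above. The header
# declares 0x81 bytes, but the posted dump is cut off, so the tail is left out.
DUMP = """
01 39 00 81 b4 4b 73 c1 dd c7 92 a4 31 0a c2 5a
c6 25 65 37 01 0a 73 6a 6f 68 6e 73 6f 6e 3c 12
19 30 41 07 89 3c 39 c5 eb a2 08 13 7c a0 21 cb
03 13 04 a6 7e 93 19 42 92 ae cd d8 94 1e 0d e0
0b 95 d0 06 06 00 00 00 01 04 06 c0 a8 64 0a 20
05 57 4c 43 1a 0c 00 00 37 63 01 06 00 00 00 01
"""
PACKET = bytes.fromhex("".join(DUMP.split()))

NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
         6: "Service-Type", 26: "Vendor-Specific", 32: "NAS-Identifier", 60: "CHAP-Challenge"}

def parse_radius(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...]) per RFC 2865."""
    code, ident = pkt[0], pkt[1]
    authenticator, attrs, pos = pkt[4:20], [], 20
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            break  # malformed or truncated attribute: stop rather than misread
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, authenticator, attrs

def chap_response(chap_id, password, challenge):
    """RFC 2865 section 5.3: MD5(CHAP id || cleartext password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_check(attrs, authenticator, password):
    """Server-side CHAP check; it can only be done with the cleartext password."""
    found = dict(attrs)
    chap = found[3]                           # 1-byte CHAP id + 16-byte MD5
    challenge = found.get(60, authenticator)  # no CHAP-Challenge: Request Authenticator
    return chap_response(chap[0], password, challenge) == chap[1:]

def summarize(pkt):
    code, ident, _, attrs = parse_radius(pkt)
    return code, ident, [NAMES.get(t, str(t)) for t, _ in attrs]

if __name__ == "__main__":
    print(summarize(PACKET))  # code 1 = Access-Request, id 57 as in the debug line
    pw, chal = b"constructed-pw", bytes(16)  # constructed values, not from the thread
    print(chap_check([(3, bytes([7]) + chap_response(7, pw, chal)), (60, chal)], b"", pw))
```

The decoded Service-Type value is 1 (Login) and the NAS-IP-Address is 192.168.100.10; the second dump in the post starts with code 3, the Access-Reject.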

Do you have a guest anchor WLC or a standalone WLC?

-Scott
*** Please rate helpful posts ***

This is a standalone WLC 4402.

jasonhumes
Level 1

Hi

I'm trying to get WebAuth working, period, with IAS 2003. Can you provide me with an example of the policy you created on the IAS server? I have it set for 'time of day' and 'user is a member of group x' and left everything else default, yet all my web users are being rejected. Is there something else you had to do to get this working, even with PAP? (We do not care about encryption as this is a public access network.) Thanks very much.

J

Jason,

I've gotten web-auth working with IAS 2003 using PAP following this Word document I received from TAC. I just created a policy condition for a windows group only.

Change the Service-Type from Framed to Login.

Scott

Hi

So this worked great... with one small issue. The IAS server is in the root of the domain forest, and the users are in a different subdomain. In order to get the users to log in via the webpage, they have to specify their account like 'username@domain.xx', otherwise it fails to log in.

Is there any way to avoid having to specify the @domain.xx part?

Thanks.
