Communications and Wireless

AP420, IAS and PEAP: sometimes IAS does not answer

bergonz
Advisor

AP420, IAS and PEAP: sometimes IAS does not answer

I am experiencing some sporadic authentication problems. The PCs are in an active directory, and log into the AP 420's (all with 2.1.5 firmware) with their machine account, PEAP MSCHAPv2 authentication, against a pair of IAS servers.

Usually everything goes well, but sporadically the server does not answer, and the event log says it did not answer because:

Reason-Code = 97
Reason = The authentication request was not processed because it contained a Remote Authentication Dial-In User Service (RADIUS) message that was not appropriate for the secure authentication transaction

We tried to watch the RADIUS packets, and it seems to me that the ignored requests are just the usual access-requests, with properly filled AV pairs, with the EAP message of type PEAP, with the SSL client hello inside.

The AP fails over to the second IAS server, but it does not answer either, and logs the same message.

In at least one event we saw the PC, immediately after this timeout, roam to a nearby AP, where it immediately authenticated. The first request from the nearby AP had EAP type "Identity", not type PEAP.

This is a sporadic thing, but users notice it and are complaining. Any idea about what might be going on?

Regards --Bergonz
bergonz
Advisor

Re: AP420, IAS and PEAP: sometimes IAS does not answer

I followup because today I got the IAS trace of the event. It says (I obscured some identifying info):

[5852] 11-22 11:42:26:669: Creating EAP session
[5852] 11-22 11:42:26:669: NT-SAM Names handler received request with user identity ****************
[5852] 11-22 11:42:26:669: Successfully cracked username.
[5852] 11-22 11:42:26:669: SAM-Account-Name is "***********************".
[5852] 11-22 11:42:26:669: NT-SAM Authentication handler received request for ************************.
[5852] 11-22 11:42:26:669: Validating Windows account ********************.
[5852] 11-22 11:42:26:669: Sending LDAP search to my.ldap.server.
[5852] 11-22 11:42:26:669: Successfully validated windows account.
[5852] 11-22 11:42:26:669: NT-SAM User Authorization handler received request for ****************.
[5852] 11-22 11:42:26:669: Using native-mode dial-in parameters.
[5852] 11-22 11:42:26:669: Sending LDAP search to my.ldap.server.
[5852] 11-22 11:42:26:669: Successfully retrieved per-user attributes.
[5852] 11-22 11:42:26:669: Allowed EAP type: 25
[5852] 11-22 11:42:26:669: Setting max. packet length to 1396.
[5852] 11-22 11:42:26:669: EAP-Message is unexpected. Discarding packet.


The radius packet is as follows (taken from another event, but they are all equal):

Radius Protocol
Code: Access Request (1)
Packet identifier: 0xac (172)
Length: 213
Authenticator: 0x*********************
Attribute value pairs
t:NAS IP Address(4) l:6, Value:123.45.6.7
Nas IP Address: 123.45.6.7 (123.45.6.7)
t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
t:NAS Port(5) l:6, Value:1
t:Framed MTU(12) l:6, Value:1400
t:User Name(1) l:28, Value:"host/my.ad.fqdn.net"
User-Name: host/my.ad.fqdn.net
t:Calling Station Id(31) l:14, Value:"000a0b0c0d0e"
Calling-Station-Id: 000a0b0c0d0e
t:Called Station Id(30) l:14, Value:"00aabbccddee"
Called-Station-Id: 00aabbccddee
t:NAS identifier(32) l:13, Value:"ap420-hostname"
t:EAP Message(79) l:82
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 80
Type: PEAP [Palekar] (25)
Flags(0x80): Length
PEAP version 0
Length: 70
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 65
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 61
Version: TLS 1.0 (0x0301)
Random.gmt_unix_time: Nov 21, 2006 09:20:10.000000000
Random.bytes
Session ID Length: 0
Cipher Suites Length: 22
Cipher Suites (11 suites)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
t:Message Authenticator(80) l:18, Value:**********************************


Well, something I didn't notice yesterday is that it is an access-request with an EAP response in it. Could it simply be a bug in the RADIUS client of the AP 420? Maybe it lost sync of the authentication state with the PC? Anyone seeing something like that?

Please help!
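The trace shows IAS creating a new EAP session and then discarding the packet, and the dump above carries no State attribute (type 24) that would tie the request to an earlier exchange. The following Python check is an added example, not code from the thread, HP or Microsoft: it parses a RADIUS Access-Request, reassembles the EAP-Message attributes, and flags a request that has no State but whose EAP payload is already a PEAP response instead of the Identity response a fresh session starts with. It assumes, per RFC 3579, that a continuation request carries State; the sample packets are constructed here to mirror the dump.

```python
import struct

# RADIUS attribute types and EAP constants used in the dump above (RFC 2865, RFC 3579, RFC 3748)
ATTR_USER_NAME, ATTR_STATE, ATTR_EAP_MESSAGE = 1, 24, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 2, 1, 25

def parse_radius(pkt):
    """Split a raw RADIUS packet into (code, identifier, [(attr_type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20                          # 4-byte header + 16-byte Authenticator
    while pos + 2 <= length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, attrs

def eap_header(attrs):
    """Reassemble EAP-Message fragments; return (code, id, type) or None if no EAP."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    return eap[0], eap[1], eap[4]                # EAP code, identifier, type byte

def classify_request(pkt):
    """Flag an Access-Request whose EAP payload does not fit a fresh EAP session."""
    _code, _ident, attrs = parse_radius(pkt)
    hdr = eap_header(attrs)
    if hdr is None:
        return "no-eap"
    if any(t == ATTR_STATE for t, _ in attrs):
        return "continuation"                    # State present: mid-session, any EAP type is fine
    code, _eid, eap_type = hdr
    if code == EAP_RESPONSE and eap_type == EAP_TYPE_IDENTITY:
        return "new-session-ok"
    return "new-session-unexpected-type-%d" % eap_type

def build_access_request(ident, attrs):
    """Constructed test packet: Access-Request (code 1) with a zeroed Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + b"\x00" * 16 + body

NAME = b"host/my.ad.fqdn.net"
TLS_STUB = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"   # constructed stand-in for the Client Hello
# Mirrors the dump: EAP-Response id 2, type PEAP (25), flags 0x80 + TLS length, and no State attribute
PEAP_RESP = struct.pack("!BBHBBI", EAP_RESPONSE, 2, 10 + len(TLS_STUB), EAP_TYPE_PEAP, 0x80, len(TLS_STUB)) + TLS_STUB
STRAY_PEAP = build_access_request(0xAC, [(ATTR_USER_NAME, NAME), (ATTR_EAP_MESSAGE, PEAP_RESP)])
IDENT_RESP = struct.pack("!BBHB", EAP_RESPONSE, 1, 5 + len(NAME), EAP_TYPE_IDENTITY) + NAME
HEALTHY = build_access_request(0xAD, [(ATTR_USER_NAME, NAME), (ATTR_EAP_MESSAGE, IDENT_RESP)])
```

Running the check over a capture from the AP's side separates requests the server would accept as a new session from the stray PEAP responses that match the "EAP-Message is unexpected" discard in the trace.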
Matt Hobbs
Honored Contributor

Re: AP420, IAS and PEAP: sometimes IAS does not answer

What software are you using on your RADIUS clients? If using Intel PROSet I'd recommend you update to the latest and try again. If the problem is still occurring you may want to contact HP support about this.
bergonz
Advisor

Re: AP420, IAS and PEAP: sometimes IAS does not answer

We are using the supplicant included in the operating system, which is Windows XP SP2. No external utilities. The PCs are in the Active Directory and use the machine account to log in.

Regards --Bergonz