











(Kevin/Devin or someone with experience) Help with setting up 802.1x/PEAP
Evilphil
Member M

Registered: Mar 2003 Location: Country: United States State: Certifications: A+, NT 4 MCSE, 2000 MCSE, CWNA Working on: CWSP
Total Posts: 51
I've been working on securing my wireless LAN, and was having issues getting Win2k Advanced Server's Radius to work properly with PEAP-MSCHAPv2. I've installed a CA on my network, and it is trusted by the clients. The Certificates are installed, and the machines are passing credentials to the Radius server... The problem is that the IAS server is dropping ALL of the Radius authorization requests because of unknown packets. I've looked in the IAS log, and system events, and there is no helpful information in either. I've searched all over the net for the issue that I'm having, but to no avail. It seems like the Authentication Server is not expecting the client machine's digital cert prior to user credential authentication.
I've gotten TLS to work just fine utilizing machine, and client certs... It's just PEAP that's acting really funky... Any help at all would be appreciated. Anybody care to share other issues they've had with labs, or production wireless LANs?
Last edited by Evilphil on 01-16-04 at 02:35 PM
01-16-04 02:20 PM
Devinator
Senior Member M
Registered: Apr 2003 Location: Country: United States State: Certifications: MCSE, MCT, CCNA, CCDA, CCDP, CCNP, CCSP, ISSP, CNE6, MCNE4, CNE5, CWNA, CWSP, Other Working on: CWAP
Total Posts: 176
good question indeed!
The problem here is:
1. Cisco, Microsoft, and RSA codeveloped PEAP. After getting it all rolling, Cisco and Microsoft had differing opinions on how PEAP should be implemented.
2. As of VERY recently, both Cisco and Microsoft support both PEAP-EAP-TLS (certificates on the server and client) and PEAP-EAP-MSCHAPv2 (certificate on the server and passwords for the clients). HOWEVER, Cisco and Microsoft's implementations of PEAP (both kinds) are incompatible with each other.
3. Your solution options: 1) switch to Funk, Cisco, or Meetinghouse RADIUS, or 2) make sure to use Microsoft's XP-sp1 PEAP supplicant.
If you're already using the Microsoft PEAP supplicant, then that's a whole other list of details to cover.
01-25-04 02:44 AM
Evilphil
Member M

Registered: Mar 2003 Location: Country: United States State: Certifications: A+, NT 4 MCSE, 2000 MCSE, CWNA Working on: CWSP
Total Posts: 51
Re: good question indeed!
Well, I've got SP1 installed, and even attempted it with the 802.1x supplicant for Win2k (on Win2k machines)... No dice... I'm ready to start stabbin monitors...
01-29-04 01:46 AM
Devinator
Senior Member M
Registered: Apr 2003 Location: Country: United States State: Certifications: MCSE, MCT, CCNA, CCDA, CCDP, CCNP, CCSP, ISSP, CNE6, MCNE4, CNE5, CWNA, CWSP, Other Working on: CWAP
Total Posts: 176
01-29-04 02:42 PM
Evilphil
Member M

Registered: Mar 2003 Location: Country: United States State: Certifications: A+, NT 4 MCSE, 2000 MCSE, CWNA Working on: CWSP
Total Posts: 51
That was one of the MANY references that I used, but it doesn't help... Maybe it's a corrupt install of Win2k... I should be getting Server03 soon, so I'll see if that clears it up.
Everything is technically set up correctly from what I can see... From the IAS log, it looks as though the Radius server isn't ready for a PEAP connection... DAMN MICROSOFT!
01-29-04 06:08 PM
ExamNotes forum archive