Frequent EAP Authentication

I've setup a 802.1x wireless network using WPA and TKIP. I am getting
frequent re-authenticating messages on the client machine. When I do a
packet sniff these appear to be related to EAP authentication. Often this
authentication takes place when you initiate traffic (like loading a web
page) which causes the initial load of the page to timeout. However,
refreshing the page will often cause it to load. Reauthentication also
requires the pc to request a new IP address which frequently fails.
assigning a static IP resolves that issue, but that is not a solution I wish
to implement (Assigning static IP addresses) Certificates for these
connections are though GP and autoenrollment and certificates appear to be in
their proper locations on the client machine. I am at a loss as to why the
constant re-authentication to the network.
--
Steve Halvorson
Preferred Credit, Inc

Hello,

Thank you for your post.

Firstly, to get a better understanding of your current issue, I would like
to know the following info:

1. How did you configure the Wireless Network? Are you referring to any of
the Microsoft article on securing wireless network?
For your convenience, I include some articles as following:

Providing Secure Wireless Services
<http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_8.mspx>

IEEE 802.1X Authentication for Wireless Connections:
<http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx>

To define 802.1X authentication for wireless networks in Group Policy:
<http://www.microsoft.com/resources/d...2003/standard/
proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/sta
ndard/proddocs/en-us/define_8021x_inGP.asp>

2. Did you ues IAS Server for wireless authentication? If so, which
authentication protocol the Remote Access Policies are using? Please open
IAS, open the Remote Access Policy, click the Edit Profile button, go to
Authentication tab, press PrScrn key on the keyboard, paste it in MSPAINT
application and email to me.

3. The following article provides seven steps to trouble shooting the
wireless connection issue.
Please follow the steps mentioned below and check whether this helps
finding the cause of this issue.

How to troubleshoot wireless connection problems
http://support.microsoft.com/kb/831770/en-us

If the above trouble shooting steps don't help, please help collect the
following information for further investigation:
================================================== ==========================
===================

1. What's the error message it appears on the client computer when the
Wireless connection failed and re-authenticating? Please press PrScrn key
when the error message occurs, paste it in MSPAINT applicaiton and email to
me.

2. Please check whether this issue occurs on other client computers.

3. What is the OS version for the problematic client?

4. When this problem happens, is the client roaming between different APs?

5. During IAS access, after the wireless client contacted the AP and sent
the logon credential to the AP, the AP, which is also known as IAS client
will contact the IAS for validation. If the shared secret between the IAS
client matches the one stored in IAS Server, IAS client will then forward
the logon info to the IAS Server for validation. The logon info contains a
list of requirements that must be met to allow access for the user. This
list of requirements can include verification of the password, and it can
also specify whether the user is allowed access.

Regarding this issue, we need to firstly check out if it is a problem about
the communication between IAS Client and the IAS Server or if the issue
occurs on Logon info validation.
So, please do the following and provide me with the log files for research:

1). IAS Logging:
=============

Go to IAS Server, go to command prompt and type the following command
"netsh ras set tracing * enable" (without the quotation marks).
Repro the issue and then, compress and email me with the C:\winodws\debug
folder.

2). Networking Edition MPS_Report log:
=================================

Download the Network Edition of MPS_Report tool from
<http://download.microsoft.com/downlo...e5-a579-30b0bd
915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\network\bin\cab directory.

3). Directory Edition of MPS_Report log:
=================================

Download the Directory Edition of MPS_Report tool from
<http://download.microsoft.com/downlo...e5-a579-30b0bd
915706/MPSRPT_DirSvc.EXE>, run it on the SBS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\Setup\Lite\Cab directory.

4). Event log from client computer:
============================

a. On the wireless client computer, click Start -> Run, type EVENTVWR and
click OK.
b. Right click Application event, select ?Save Log File As???, save it as
.evt file, email it to me.
c. Export the System event log and email to me too.

You can send the log files to me at (E-Mail Removed)

Thanks for your time and I look forward to hearing from you.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Frequent EAP Authentication
| thread-index: AcjBrUrM6hlL8DwhQVSJZmaGwYX3ng==
| X-WBNR-Posting-Host: 207.46.193.207
| From: =?Utf-8?B?U3RldmUgSGFsdm9yc29u?= <(E-Mail Removed)>
| Subject: Frequent EAP Authentication
| Date: Thu, 29 May 2008 09:59:00 -0700
| Lines: 15
| Message-ID: <33C801BA-9045-416B-9F6A-(E-Mail Removed)>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2992
| Newsgroups: microsoft.public.windows.server.networking
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.server.networking:12913
| NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
| X-Tomcat-NG: microsoft.public.windows.server.networking
|
| I've setup a 802.1x wireless network using WPA and TKIP. I am getting
| frequent re-authenticating messages on the client machine. When I do a
| packet sniff these appear to be related to EAP authentication. Often
this
| authentication takes place when you initiate traffic (like loading a web
| page) which causes the initial load of the page to timeout. However,
| refreshing the page will often cause it to load. Reauthentication also
| requires the pc to request a new IP address which frequently fails.
| assigning a static IP resolves that issue, but that is not a solution I
wish
| to implement (Assigning static IP addresses) Certificates for these
| connections are though GP and autoenrollment and certificates appear to
be in
| their proper locations on the client machine. I am at a loss as to why
the
| constant re-authentication to the network.
| --
| Steve Halvorson
| Preferred Credit, Inc
|

Dear Customer,

Regarding your last email , I am just check and follow-up on your status.

I was wondering , if you were available to try conduct test and provide
the necessary information and logs.

Thank you for your time and attention.
Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
================================================== ===
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
================================================== ===
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| Thread-Topic: Frequent EAP Authentication
| thread-index: AcjBrUrM6hlL8DwhQVSJZmaGwYX3ng==
| X-WBNR-Posting-Host: 207.46.193.207
| From: =?Utf-8?B?U3RldmUgSGFsdm9yc29u?= <(E-Mail Removed)>
| Subject: Frequent EAP Authentication
| Date: Thu, 29 May 2008 09:59:00 -0700
| Lines: 15
| Message-ID: <33C801BA-9045-416B-9F6A-(E-Mail Removed)>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2992
| Newsgroups: microsoft.public.windows.server.networking
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.server.networking:12913
| NNTP-Posting-Host: tk2msftibfm01.phx.gbl 10.40.244.149
| X-Tomcat-NG: microsoft.public.windows.server.networking
|
| I've setup a 802.1x wireless network using WPA and TKIP. I am getting
| frequent re-authenticating messages on the client machine. When I do a
| packet sniff these appear to be related to EAP authentication. Often
this
| authentication takes place when you initiate traffic (like loading a web
| page) which causes the initial load of the page to timeout. However,
| refreshing the page will often cause it to load. Reauthentication also
| requires the pc to request a new IP address which frequently fails.
| assigning a static IP resolves that issue, but that is not a solution I
wish
| to implement (Assigning static IP addresses) Certificates for these
| connections are though GP and autoenrollment and certificates appear to
be in
| their proper locations on the client machine. I am at a loss as to why
the
| constant re-authentication to the network.
| --
| Steve Halvorson
| Preferred Credit, Inc
|