PEAP user authentication failed - need help

 
 
zvone2000@gmail.com
      02-13-2009, 10:15 AM
Hi to everyone in this group. I have a problem and haven't found any
solution to it yet. It would be nice if someone could help me out:

I set up a domain controller (Windows Server 2008), and installed
DHCP, NPS (formerly known as IAS), AD certificate services and created
my own enterprise root certificate, let's call it ExampleCA. I
registered NPS in AD, and configured 802.1x settings for wireless
connection using the wizard. In the network policy, I allowed access to
everyone in the newly created WirelessAccess group. I added a computer
named Client1 to this group and a newly created user WirelessUser to
the same group. As a RADIUS client, I added a Planet AP.
After that, I set up the Client 1 machine (first I used a wired connection
to add the computer to the domain I named auth.com, and then logged on
as WirelessU...@auth.com)... Then in Preferred networks, I added the
network I configured on the access point, using open authentication and
WEP encryption... In 802.1x settings I selected PEAP MSCHAPv2, selected
Validate server certificate (I found it on the list - ExampleCA), and
unselected Authenticate as computer when computer information is
available, as well as Authenticate as guest... I also unselected Use
my windows logon... in MSCHAPv2 settings.

Now here is the problem: when I try to authenticate (user
authentication), it NEVER asks me to enter user credentials and there
are never traces of user authentication in log files. And when I
select Authenticate as computer when computer information is
available, authentication succeeds, but in log files there are only
traces of computer authentication, like this:

"AUTHSERVER","IAS",02/11/2009,00:01:25,1,"host/Client1.auth.com","AUTH\CLIENT1$","00304f4c776e","00304f4e3def",,,"Realtek Access Point. 8181","192.168.0.1",0,0,"192.168.0.1","PLANET",,,19,"CONNECT 11Mbps 802.11b",,2,11,"Secure Wireless Connections",0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"AUTHSERVER","IAS",02/11/2009,00:01:25,2,,"AUTH\CLIENT1$",,,,,,,,0,"192.168.0.1","PLANET",,,,,1,2,11,"Secure Wireless Connections",0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,"0x0141555448",,,"Use Windows authentication for all users",1,,,,

Does anyone have a clue what went wrong? In the network policy it is said
that every computer or user that is a member of WirelessAccess can
access the network, if the configuration of the auth method is properly
configured....

Also I have a question:
Is it possible that the problem is with the certificate (I assumed that,
if the certificate is shown in the field while I configured the wireless
client, it is also present in the user certificate store)? Do I have
to do something else with the certificate (via the mmc console) or did I
set it up right?
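
An added example, not part of the original post: a Python parser for IAS-format NPS log records like the two posted above, reporting whether each record carries a machine identity (host/... or a name ending in $) or a user identity, which is the distinction the poster is looking for in the log. The column positions are read off the posted records; the third record and the AUTH\wirelessuser account in it are constructed for illustration.

```python
import csv
import io
from collections import Counter

# 0-based column positions in the IAS-format log, as laid out in the posted records.
COL = {"packet": 4, "user": 5, "fq_user": 6, "policy": 24, "reason": 25, "eap": 30}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}

# The two records from the post, with the forum's line wraps rejoined.
POSTED = r'''
"AUTHSERVER","IAS",02/11/2009,00:01:25,1,"host/Client1.auth.com","AUTH\CLIENT1$","00304f4c776e","00304f4e3def",,,"Realtek Access Point. 8181","192.168.0.1",0,0,"192.168.0.1","PLANET",,,19,"CONNECT 11Mbps 802.11b",,2,11,"Secure Wireless Connections",0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,
"AUTHSERVER","IAS",02/11/2009,00:01:25,2,,"AUTH\CLIENT1$",,,,,,,,0,"192.168.0.1","PLANET",,,,,1,2,11,"Secure Wireless Connections",0,"311 1 fe80::9c11:ced0:97f:4d11 02/10/2009 22:33:37 46",,,,"Microsoft: Secured password (EAP-MSCHAP v2)",,,,,,,,,,,,,,,,,,,,,,,,,,,"0x0141555448",,,"Use Windows authentication for all users",1,,,,
'''

# CONSTRUCTED record (not from the post): what a user-authentication request
# for a hypothetical AUTH\wirelessuser account would look like in the same format.
CONSTRUCTED_USER = r'''"AUTHSERVER","IAS",02/11/2009,00:05:10,1,"AUTH\wirelessuser","AUTH\wirelessuser",,,,,,,,0,"192.168.0.1","PLANET",,,19,,,2,11,"Secure Wireless Connections",0,,,,,"Microsoft: Secured password (EAP-MSCHAP v2)"'''


def identity_kind(user, fq_user):
    # Machine accounts show up as host/<fqdn> in User-Name, or with a
    # trailing $ on the fully qualified name (DOMAIN + backslash + NAME$).
    if user.lower().startswith("host/") or fq_user.endswith("$"):
        return "machine"
    return "user" if (user or fq_user) else "unknown"


def parse(log_text):
    """Yield one dict per record; short rows are padded so lookups never fail."""
    width = max(COL.values()) + 1
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 5:
            continue  # blank or truncated line
        row += [""] * (width - len(row))
        rec = {name: row[i].strip() for name, i in COL.items()}
        rec["packet"] = PACKET_TYPES.get(rec["packet"], rec["packet"])
        rec["kind"] = identity_kind(rec["user"], rec["fq_user"])
        yield rec


def summary(log_text):
    """Count records per (identity kind, RADIUS packet type)."""
    return Counter((r["kind"], r["packet"]) for r in parse(log_text))


def user_auth_seen(log_text):
    """True if any record in the log carries a user (non-machine) identity."""
    return any(r["kind"] == "user" for r in parse(log_text))


if __name__ == "__main__":
    print("user authentication in posted log:", user_auth_seen(POSTED))
    for (kind, packet), n in sorted(summary(POSTED + CONSTRUCTED_USER).items()):
        print(f"{kind:8} {packet:15} {n}")
```
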
 
 
Robert L. (MS-MVP)
      02-13-2009, 01:16 PM
Any event ID in the NPC server?

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
 
zvone2000@gmail.com
      02-17-2009, 12:07 PM
No, no events in the NPS server... it didn't even log the connection
requests, that's what surprises me the most.

 
Robert L. (MS-MVP)
      02-17-2009, 01:19 PM
When a device tries to connect to the NPC, the Event Viewer should have a
log (successful or failed). I would double check the connection.

--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com
 
zvone2000@gmail.com
      02-19-2009, 07:15 AM
That's what the problem is all about. Here is how I set up the
network for testing... I set up a virtual machine with Windows Server
2008 on my laptop, and configured it as a domain controller (domain
name auth.com, computer name AuthServer) and configured NPS
properly... I connected it with the cable to the Planet AP. Then I connected
another computer to the same AP (also with cable), added it to the domain,
and named it AuthClient (I connect to that computer via Remote
Desktop, 'cause I don't have another monitor), and logged in as
wirelessuser (member of WirelessUsers, the group I used in network
policies when I set up the 802.1X settings on NPS - I also added AuthClient
to the same group). Then, after I configured the AP, I tried to
connect to the wireless network and it didn't succeed.

Maybe this is wrong: to be able to "see" the desktop of AuthClient, I
left it always connected with the cable to the domain controller. Or, to
make it simpler:
1. Do I have to disconnect the AuthClient (remove the cable) prior to
trying to access the wireless network (in my case the name of the network
is Auth Network)?
2. In the official Microsoft guide to configuring PEAP authentication
with Server 2008 (Foundation Network Companion Guide: Deploying 802.1X
Authenticated Wireless Access with PEAP-MS-CHAP v2), I read that you
have to block the wireless client from sending traffic on some TCP
and UDP ports; maybe that is the issue? Here is what it says:


In addition, to provide enhanced security for the network, the
wireless APs must support the following filtering options:
• DHCP filtering. The wireless AP must filter on IP ports to prevent
the transmission of DHCP broadcast messages in those cases in which
the client is a DHCP server. The wireless AP must block the client
from sending IP packets from UDP port 68 to the network.
• DNS filtering. The wireless AP must filter on IP ports to prevent a
client from performing as a DNS server. The wireless AP must block the
client from sending IP packets from TCP or UDP port 53 to the network.





