Aruba Instant & Cloud Wi-Fi

Occasional Contributor II
Posts: 23
Registered: 04-02-2013

PEAP authentication failure - Reason code 23


Hello,

I tried to change the security configuration of my WLAN from Termination: Enabled to Termination: Disabled.
Before doing that, I was able to connect with Windows computers; the authentication was done with MSCHAPv2 (cf. security logs).

With the Termination: Disabled, the authentication isn't working, and I can't figure out why.

The error message is:
Reason code 23
An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.

Here are the logs:

------------ IASSAM ------------

[1980] 04-11 16:13:42:796: NT-SAM Names handler received request with user identity admin.
[1980] 04-11 16:13:42:796: Prepending default domain.
[1980] 04-11 16:13:42:796: NameMapper::prependDefaultDomain
[1980] 04-11 16:13:42:796: SAM-Account-Name is "DC\admin".
[1980] 04-11 16:13:42:796: Successfully created new RAP Based EAP session for user DC\admin.
[1980] 04-11 16:13:42:796: No AUTHENTICATION extensions, continuing
[1980] 04-11 16:13:42:796: NT-SAM Authentication handler received request for DC\admin.
[1980] 04-11 16:13:42:796: Validating windows user account DC\admin
[1980] 04-11 16:13:42:796: Sending LDAP search to WIN-35M4P8MNI43.dc.lab.
[1980] 04-11 16:13:42:796: LDAP ERROR in ldap_search_ext_sW. Code = 81
[1980] 04-11 16:13:42:796: Extended error string: (null)
[1980] 04-11 16:13:42:796: Retrying LDAP search.
[1980] 04-11 16:13:42:812: Opening LDAP connection to WIN-35M4P8MNI43.dc.lab.
[1980] 04-11 16:13:42:812: The registry value DisableLdapEncryption does not exist. Using default 0
[1980] 04-11 16:13:42:812: Trying to set LDAP encryption = 1
[1980] 04-11 16:13:42:812: Setting localServerName.User to WIN-35M4P8MNI43$
[1980] 04-11 16:13:42:858: LDAP connect succeeded.
[1980] 04-11 16:13:42:858: Sending LDAP search to WIN-35M4P8MNI43.dc.lab.
[1980] 04-11 16:13:42:858: Successfully validated windows account DC\admin.
[1980] 04-11 16:13:42:858: Allowed EAP type: 25
[1980] 04-11 16:13:42:858: Succesfully created EAP Host session with session id 5
[1980] 04-11 16:13:42:858: Processing output from EAP: action:1
[1980] 04-11 16:13:42:858: Inserting outbound EAP-Message of length 6.
[1980] 04-11 16:13:42:858: Issuing Access-Challenge.
[1980] 04-11 16:13:42:858: No AUTHORIZATION extensions, continuing
[2340] 04-11 16:13:42:858: Successfully retrieved session (5) for user DC\admin.
[2340] 04-11 16:13:42:858: No AUTHENTICATION extensions, continuing
[2340] 04-11 16:13:42:858: Processing output from EAP: action:1
[2340] 04-11 16:13:42:858: Inserting outbound EAP-Message of length 1096.
[2340] 04-11 16:13:42:858: Issuing Access-Challenge.
[2340] 04-11 16:13:42:858: No AUTHORIZATION extensions, continuing
[1980] 04-11 16:13:42:890: Successfully retrieved session (5) for user DC\admin.
[1980] 04-11 16:13:42:890: No AUTHENTICATION extensions, continuing
[1980] 04-11 16:13:42:890: Processing output from EAP: action:1
[1980] 04-11 16:13:42:890: Inserting outbound EAP-Message of length 383.
[1980] 04-11 16:13:42:890: Issuing Access-Challenge.
[1980] 04-11 16:13:42:890: No AUTHORIZATION extensions, continuing
[2340] 04-11 16:13:42:905: Successfully retrieved session (5) for user DC\admin.
[2340] 04-11 16:13:42:905: No AUTHENTICATION extensions, continuing
[2340] 04-11 16:13:42:905: Processing output from EAP: action:2
[2340] 04-11 16:13:42:905: Translating attributes returned by EAPHost.
[2340] 04-11 16:13:42:905: EAP authentication failed.
[2340] 04-11 16:13:42:905: No AUTHORIZATION extensions, continuing
[2340] 04-11 16:13:42:905: Inserting outbound EAP-Message of length 4.

 

------------ IASSAM ------------

[1980] 04-11 16:13:42:858: EapPeapEnd
[1980] 04-11 16:13:42:858: EapTlsEnd
[1980] 04-11 16:13:42:858: EapTlsEnd(dc\admin)
[1980] 04-11 16:13:42:858: EapPeapEnd done
[1980] 04-11 16:13:42:858: EapPeapBegin
[1980] 04-11 16:13:42:858: EapPeapBegin - flags(0x2)
[1980] 04-11 16:13:42:858: PeapReadUserData
[1980] 04-11 16:13:42:858:
[1980] 04-11 16:13:42:858: EapTlsBegin(DC\admin)
[1980] 04-11 16:13:42:858: SetupMachineChangeNotification
[1980] 04-11 16:13:42:858: State change to Initial
[1980] 04-11 16:13:42:858: EapTlsBegin: Detected PEAP authentication
[1980] 04-11 16:13:42:858: MaxTLSMessageLength is now 16384
[1980] 04-11 16:13:42:858: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[1980] 04-11 16:13:42:858: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[1980] 04-11 16:13:42:858: The root cert will not be checked for revocation
[1980] 04-11 16:13:42:858: The cert will be checked for revocation
[1980] 04-11 16:13:42:858: EapPeapBegin done
[1980] 04-11 16:13:42:858: EapPeapMakeMessage
[1980] 04-11 16:13:42:858: EapPeapSMakeMessage, flags(0x405)
[1980] 04-11 16:13:42:858: EapPeapSMakeMessage, user prop flags(0x1)
[1980] 04-11 16:13:42:858: PEAP:PEAP_STATE_INITIAL
[1980] 04-11 16:13:42:858: EapTlsSMakeMessage, state(0)
[1980] 04-11 16:13:42:858: EapTlsReset
[1980] 04-11 16:13:42:858: State change to Initial
[1980] 04-11 16:13:42:858: EapGetCredentials
[1980] 04-11 16:13:42:858: Flag is Server and Store is local Machine
[1980] 04-11 16:13:42:858: GetCachedCredentials Flags = 0x40e1
[1980] 04-11 16:13:42:858: FindNodeInCachedCredList, flags(0x40e1), default cached creds(0), check thread token(1)
[1980] 04-11 16:13:42:858: pNode->dwCredFlags = 0x12
[1980] 04-11 16:13:42:858: GetCachedCredentials: Using Cached Credentials
[1980] 04-11 16:13:42:858: GetCachedCredentials: Hash of the cert in the cache is
2B 3C 4B FD E9 11 18 49 74 60 4F 97 1E 1C A1 2A |+,K....ItpO....*|
6D BE 13 B6 00 00 00 00 00 00 00 00 00 00 00 00 |m...............|
[1980] 04-11 16:13:42:858: BuildPacket
[1980] 04-11 16:13:42:858: << Sending Request (Code: 1) packet: Id: 2, Length: 6, Type: 13, TLS blob length: 0. Flags: S
[1980] 04-11 16:13:42:858: State change to SentStart
[1980] 04-11 16:13:42:858: EapPeapSMakeMessage done
[1980] 04-11 16:13:42:858: EapPeapMakeMessage done
[2340] 04-11 16:13:42:858: EapPeapMakeMessage
[2340] 04-11 16:13:42:858: EapPeapSMakeMessage, flags(0x405)
[2340] 04-11 16:13:42:858: EapPeapSMakeMessage, user prop flags(0x1)
[2340] 04-11 16:13:42:858: Cloned PPP_EAP_PACKET packet
[2340] 04-11 16:13:42:858: PEAP:PEAP_STATE_TLS_INPROGRESS
[2340] 04-11 16:13:42:858: EapTlsSMakeMessage, state(1)
[2340] 04-11 16:13:42:858: MakeReplyMessage
[2340] 04-11 16:13:42:858: Reallocating input TLS blob buffer
[2340] 04-11 16:13:42:858: SecurityContextFunction
[2340] 04-11 16:13:42:858: AcceptSecurityContext returned 0x90312
[2340] 04-11 16:13:42:858: State change to SentHello
[2340] 04-11 16:13:42:858: BuildPacket
[2340] 04-11 16:13:42:858: << Sending Request (Code: 1) packet: Id: 3, Length: 1096, Type: 13, TLS blob length: 1463. Flags: LM
[2340] 04-11 16:13:42:858: EapPeapSMakeMessage done
[2340] 04-11 16:13:42:858: EapPeapMakeMessage done
[1980] 04-11 16:13:42:890: EapPeapMakeMessage
[1980] 04-11 16:13:42:890: EapPeapSMakeMessage, flags(0x605)
[1980] 04-11 16:13:42:890: EapPeapSMakeMessage, user prop flags(0x1)
[1980] 04-11 16:13:42:890: Cloned PPP_EAP_PACKET packet
[1980] 04-11 16:13:42:890: PEAP:PEAP_STATE_TLS_INPROGRESS
[1980] 04-11 16:13:42:890: EapTlsSMakeMessage, state(2)
[1980] 04-11 16:13:42:890: BuildPacket
[1980] 04-11 16:13:42:890: << Sending Request (Code: 1) packet: Id: 4, Length: 383, Type: 13, TLS blob length: 0. Flags:
[1980] 04-11 16:13:42:890: EapPeapSMakeMessage done
[1980] 04-11 16:13:42:890: EapPeapMakeMessage done
[2340] 04-11 16:13:42:905: EapPeapMakeMessage
[2340] 04-11 16:13:42:905: EapPeapSMakeMessage, flags(0x605)
[2340] 04-11 16:13:42:905: EapPeapSMakeMessage, user prop flags(0x1)
[2340] 04-11 16:13:42:905: Cloned PPP_EAP_PACKET packet
[2340] 04-11 16:13:42:905: PEAP:PEAP_STATE_TLS_INPROGRESS
[2340] 04-11 16:13:42:905: EapTlsSMakeMessage, state(2)
[2340] 04-11 16:13:42:905: MakeReplyMessage
[2340] 04-11 16:13:42:905: Reallocating input TLS blob buffer
[2340] 04-11 16:13:42:905: SecurityContextFunction
[2340] 04-11 16:13:42:905: AcceptSecurityContext returned 0x80090330
[2340] 04-11 16:13:42:905: State change to SentFinished. Error: 0x80090330
[2340] 04-11 16:13:42:905: Negotiation unsuccessful
[2340] 04-11 16:13:42:905: BuildPacket
[2340] 04-11 16:13:42:905: << Sending Failure (Code: 4) packet: Id: 5, Length: 4, Type: 0, TLS blob length: 0. Flags:
[2340] 04-11 16:13:42:905: AuthResultCode = (-2146893008), bCode = (4)
[2340] 04-11 16:13:42:905: EapPeapSMakeMessage done
[2340] 04-11 16:13:42:905: EapPeapMakeMessage done

 

Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: PEAP authentication failure - Reason code 23

Do you have a valid server certificate for your NPS server?  Is it referenced in the remote access policy on NPS that serves clients?  Has it ever worked?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 23
Registered: 04-02-2013

Re: PEAP authentication failure - Reason code 23

Well, I reproduced the error in a lab in which all services are installed on the same server (DC, AD, CA, ...).

It worked before when the Termination was Enabled (I was thus receiving the IAP certificate instead of the DC certificate).

Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: PEAP authentication failure - Reason code 23

All of your devices must trust the IAP's certificate if you have termination enabled, for it to work smoothly.  If you did not upload an alternate certificate to the IAP for all your devices to trust, you will have issues.  Your choices are:

 

1-  Make sure your NPS server has a valid server certificate and ensure all your devices trust that.  Ideally it would be generated by an enterprise CA that all your domain clients trust (best option).  Make sure your NPS server remote access policy references that certificate.

2-  Upload a certificate that all of your clients trust to IAP.

 

Instructions on how to configure NPS are here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 23
Registered: 04-02-2013

Re: PEAP authentication failure - Reason code 23

I followed your paper.

Just to be sure:
Since in my lab I have the NPS and the CA on the same server, I use the root certificate in the NPS configuration.
I have also added this certificate to some clients that haven't joined the domain.

Am I right?


Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: PEAP authentication failure - Reason code 23

There are two certificates:

 

One is the Root CA certificate.  The other is the server certificate that needs to be assigned to the RADIUS server.  The second certificate is the one that you want in the Remote Access policy, NOT the CA one...

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 23
Registered: 04-02-2013

Re: PEAP authentication failure - Reason code 23

I agree with that, but as the RADIUS server is on the same physical server, I'm not able to produce another certificate for it.
Even in the document I could not find this.

Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: PEAP authentication failure - Reason code 23

Please search the document for the section:  "Request Certificates (optional)".  That details the procedure to request that certificate.

Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 23
Registered: 04-02-2013

Re: PEAP authentication failure - Reason code 23

I followed your tutorial and I have done that (even if I don't really get why). I still have the error.

Guru Elite
Posts: 20,761
Registered: 03-29-2007

Re: PEAP authentication failure - Reason code 23

It is not my tutorial... I just link to it  ;)

 

Next, you need to ensure that in your remote access policy the correct certificate is used.   Can you see the server certificate in your remote access policy?

Colin Joseph
Aruba Customer Engineering
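Added worked example, tying the trace in the first post to the checks in the replies. This script is not from the thread, from Aruba or from Microsoft. In the posted trace, AcceptSecurityContext returns 0x90312 (SEC_I_CONTINUE_NEEDED in winerror.h) on the ClientHello and then 0x80090330 (SEC_E_DECRYPT_FAILURE; the AuthResultCode -2146893008 is the same bit pattern read as a signed 32-bit integer) on the client's next message, right after NPS has sent its 1463-byte TLS server flight, which in PEAP carries the server certificate. That is consistent with the client rejecting the certificate NPS presented, and the trace also tells you which certificate that was: the hash dumped after "Hash of the cert in the cache". The script pulls that hash out of a saved trace, finds the certificate in the NPS machine store and checks it against what the replies require (an end-entity server certificate rather than the CA certificate, Server Authentication EKU, a private key, a DNS name matching the NPS host, a chain to a root the clients trust), then lists the certificates in the store that would be valid choices in the policy's PEAP settings. Assumptions, not from the thread: the logged hash is the SHA-1 thumbprint; -TracePath is a hypothetical path to a saved copy of the trace (the embedded sample lines are constructed from the post and used when it is omitted); -NpsFqdn defaults to the host name visible in the trace. Run it on the NPS server in an elevated PowerShell session.

```powershell
<#
Added example (not the thread's, Aruba's or Microsoft's code).
Reads the server-certificate hash NPS logs in its EAP trace and checks that
certificate against the requirements given in the replies.
Assumptions: the hash is the SHA-1 thumbprint; -TracePath is hypothetical;
-NpsFqdn defaults to the host name seen in the posted trace.
#>
param(
    [string]$TracePath,                          # saved trace text (hypothetical path)
    [string]$NpsFqdn = 'WIN-35M4P8MNI43.dc.lab'  # from the trace; all roles share this host per the post
)

# Constructed sample: the relevant lines of the posted trace, used when -TracePath is omitted.
$sampleTrace = @'
[1980] 04-11 16:13:42:858: GetCachedCredentials: Hash of the cert in the cache is
2B 3C 4B FD E9 11 18 49 74 60 4F 97 1E 1C A1 2A |+,K....ItpO....*|
6D BE 13 B6 00 00 00 00 00 00 00 00 00 00 00 00 |m...............|
[2340] 04-11 16:13:42:905: AcceptSecurityContext returned 0x80090330
'@

function Get-TraceCertThumbprint {
    # Returns the 20 hash bytes dumped after "Hash of the cert in the cache" as an
    # uppercase hex string (the form Cert:\ thumbprints use); the zero padding is dropped.
    param([string[]]$Lines)
    for ($i = 0; $i -lt $Lines.Count - 2; $i++) {
        if ($Lines[$i] -notmatch 'Hash of the cert in the cache') { continue }
        $hex = foreach ($dump in $Lines[($i + 1)..($i + 2)]) {
            $hexPart = ($dump -split '\|')[0]   # drop the ASCII column of the dump
            [regex]::Matches($hexPart, '\b[0-9A-Fa-f]{2}\b') | ForEach-Object { $_.Value }
        }
        return (($hex | Select-Object -First 20) -join '').ToUpper()
    }
}

function Get-SecStatusName {
    # Names for the Schannel status codes that appear in the trace (values from winerror.h).
    # -2146893008 in the AuthResultCode line is 0x80090330 read as a signed Int32.
    param([string]$HexCode)
    $names = @{ '00090312' = 'SEC_I_CONTINUE_NEEDED'; '80090330' = 'SEC_E_DECRYPT_FAILURE' }
    $u = [Convert]::ToUInt32(($HexCode -replace '^0x', ''), 16)
    $signed = [BitConverter]::ToInt32([BitConverter]::GetBytes($u), 0)
    $name = if ($names.ContainsKey($u.ToString('X8'))) { $names[$u.ToString('X8')] } else { 'unknown' }
    "$name (signed: $signed)"
}

function Test-NpsServerCert {
    # Checks one certificate in LocalMachine\My against the requirements in the replies.
    param([string]$Thumbprint, [string]$Fqdn)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { return [pscustomobject]@{ Thumbprint = $Thumbprint; Found = $false } }
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $bc  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $built = $chain.Build($cert)
    $root  = if ($chain.ChainElements.Count) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { '' }
    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Found          = $true
        Subject        = $cert.Subject
        IsCaCert       = [bool]($bc -and $bc.CertificateAuthority)   # the CA's own cert: not the one to reference in the policy
        HasPrivateKey  = $cert.HasPrivateKey
        ServerAuthEku  = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1'))
        DnsNameMatches = $cert.GetNameInfo('DnsName', $false) -ieq $Fqdn   # SAN dNSName, else subject CN
        ChainBuilds    = $built
        ChainStatus    = ($chain.ChainStatus | ForEach-Object Status) -join ','
        RootIssuer     = $root                                        # clients must have this root in Trusted Root CAs
        NotAfter       = $cert.NotAfter
    }
}

$lines  = if ($TracePath) { Get-Content -Path $TracePath } else { $sampleTrace -split "`r?`n" }
$thumb  = Get-TraceCertThumbprint -Lines $lines
$status = ($lines | Select-String 'AcceptSecurityContext returned (0x[0-9A-Fa-f]+)' | Select-Object -Last 1).Matches[0].Groups[1].Value
"Last Schannel status in trace: $status = $(Get-SecStatusName $status)"
"Certificate NPS presented (thumbprint from trace): $thumb"
Test-NpsServerCert -Thumbprint $thumb -Fqdn $NpsFqdn | Format-List

# Other certificates in the store that meet the requirements: candidates to select
# instead in the network policy's PEAP settings.
Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -ne $thumb |
    ForEach-Object { Test-NpsServerCert -Thumbprint $_.Thumbprint -Fqdn $NpsFqdn } |
    Where-Object { $_.HasPrivateKey -and $_.ServerAuthEku -and -not $_.IsCaCert -and $_.ChainBuilds } |
    Format-Table Thumbprint, Subject, DnsNameMatches, NotAfter -AutoSize
```

If the first result shows IsCaCert True or ServerAuthEku False, the policy is pointing at the CA certificate (the mistake the replies describe); pick one of the certificates from the second table in the PEAP settings instead. If the candidate table is empty, no suitable server certificate exists yet and the "Request Certificates (optional)" step of the linked guide is what produces one. RootIssuer is the certificate the clients must hold in their Trusted Root store, which domain members get automatically from an enterprise CA and non-domain clients need imported by hand.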
