Occasional Contributor I
Posts: 8
Registered: 11-16-2012

Odd PEAP/MSCHAP auth issue

We just rolled out a pretty large Aruba implementation yesterday. We're having issues with certain Windows clients using cached credentials for authentication to our corporate network. Here is how we're setting clients up:

1. Create new wireless profile

2. Use WPA2-Enterprise security

3. Don't validate the server cert

4. Forcing user auth versus computer or the "Computer or user" option

5. Telling Windows to use cached credentials (under the MSCHAP config)

 

We're running a 2k8 R2 NPS server to handle the .1x requests.

 

This worked awesome for our test group. Everyone connected up right away without being prompted for credentials or anything like that. Then we went to roll it out to everyone else....

 

About 1 in 4 people are being re-prompted for credentials, stating that their (cached) credentials are incorrect. This is not a stale cache issue, as I had someone wire into the network and reboot. They had zero issues signing into their laptop and were prompted again once their wireless came up. Entering their credentials into the prompt just causes another failure. We're having people get locked out left and right because of this. There is a workaround, which is to specify the credentials to use under wireless profile properties -> security tab -> advanced settings. This for some reason has no issue connecting but will create quite the headache every month when passwords expire.

 

I was in the test group and was able to connect fine following the steps above until I started trying to reproduce the problem. I went into the profile properties and told it not to remember my credentials and rebooted. After doing so, the only way I can connect is to enter my credentials manually as mentioned above.

 

Anyone have any ideas on what could be causing Windows to pass the wrong credentials? I've been fighting this all day and have come up empty-handed.

Guru Elite
Posts: 21,269
Registered: 03-29-2007

Re: Odd PEAP/MSCHAP auth issue

- Turn on Computer or User Authentication

- Make sure on the NPS/IAS side, you have a remote access policy that allows users from the group "Domain Computers".



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 8
Registered: 11-16-2012

Re: Odd PEAP/MSCHAP auth issue


No dice there. I added a condition in our policy to match the machine to the Domain Computers group. I then set my machine back to computer or user, and also tried leaving it unspecified. It just straight up fails to connect when not specified. Computer or user and just user auth present the same symptoms as the OP.

Guru Elite
Posts: 21,269
Registered: 03-29-2007

Re: Odd PEAP/MSCHAP auth issue

Make your ONLY condition in the policy nas-port-type = IEEE 802.11. Remove any other condition for now.

 

Log your computer out to the ctrl-alt-delete screen and look at the Event Viewer on the NPS server under Server Roles > NPS and make sure the computer successfully authenticates.

 

Why do you have "Validate Server Certificate" unchecked? Do you have Termination enabled in the 802.1x profile on the controller? If so, it needs to be off, and the NPS server needs to have a valid server certificate that your clients trust for machine authentication to occur.

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
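An added example, not code from the original thread and not Aruba's or Microsoft's, that audits the OneX/PEAP block of a Windows WLAN profile for the two settings Colin raises above: server certificate validation and machine-or-user authentication. The XML is constructed here to follow the layout of `netsh wlan export profile` output; the namespace URIs and element names are the Windows profile schema as assumed for this example (a real export nests OneX under MSM/security and wraps EAPConfig in EapHostConfig), and `radius.example.invalid` and the thumbprint are placeholders.

```python
"""Audit a Windows WLAN profile's OneX/PEAP block for the settings this thread
turns on: RADIUS server certificate validation and machine-or-user auth.

Constructed example: the XML builder mirrors the layout of `netsh wlan export
profile` output, with namespace URIs and element names assumed from the Windows
profile schema; radius.example.invalid and the CA thumbprint are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "onex": "http://www.microsoft.com/networking/OneX/v1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
    "chap": "http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1",
}
BASE = "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"


def build_onex(auth_mode, perform_validation, trusted_root_ca=None):
    """Constructed OneX fragment: PEAP outer, MSCHAPv2 inner, Windows logon creds."""
    pin = f"<TrustedRootCA>{trusted_root_ca}</TrustedRootCA>" if trusted_root_ca else ""
    flag = "true" if perform_validation else "false"
    return f"""<OneX xmlns="{NS['onex']}">
  <authMode>{auth_mode}</authMode>
  <EAPConfig>
    <Eap xmlns="{BASE}">
      <Type>25</Type>
      <EapType xmlns="{NS['peap']}">
        <ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>radius.example.invalid</ServerNames>
          {pin}
        </ServerValidation>
        <Eap xmlns="{BASE}">
          <Type>26</Type>
          <EapType xmlns="{NS['chap']}">
            <UseWinLogonCredentials>true</UseWinLogonCredentials>
          </EapType>
        </Eap>
        <PeapExtensions>
          <PerformServerValidation xmlns="{NS['peap2']}">{flag}</PerformServerValidation>
        </PeapExtensions>
      </EapType>
    </Eap>
  </EAPConfig>
</OneX>"""


def _text(root, path):
    """Text of the first element matching a namespaced path, or None."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def audit_onex(xml_text):
    """Return a list of findings; an empty list means all three checks passed."""
    root = ET.fromstring(xml_text)
    findings = []

    # Colin's first point: without machineOrUser nothing can authenticate at the
    # ctrl-alt-delete screen, so every connection rides on user credentials.
    auth_mode = _text(root, ".//onex:authMode")
    if auth_mode != "machineOrUser":
        findings.append(f"authMode={auth_mode!r}: expected machineOrUser so the "
                        "machine can authenticate before a user logs on")

    # Colin's second point: with validation off the supplicant will run MSCHAPv2
    # inside a TLS tunnel to whatever presents itself as the RADIUS server.
    if _text(root, ".//peap2:PerformServerValidation") != "true":
        findings.append("PerformServerValidation=false: the client does not check "
                        "the RADIUS server certificate at all")
    elif _text(root, ".//peap:ServerValidation/peap:TrustedRootCA") is None:
        findings.append("server validation is on but no TrustedRootCA is pinned; "
                        "any CA in the client's trusted root store is accepted")
    return findings


if __name__ == "__main__":
    # Weak profile as described in the original post (user auth, no validation).
    for line in audit_onex(build_onex("user", False)):
        print("finding:", line)
    # Hardened profile: machineOrUser plus validation pinned to one CA thumbprint.
    hardened = build_onex("machineOrUser", True, "PLACEHOLDER-CA-THUMBPRINT")
    print("hardened findings:", audit_onex(hardened))
```

To use this on a real client, export the profile with `netsh wlan export profile name="<profile>" folder=<dir>` and pass the file's contents to `audit_onex`; the descendant (`.//`) lookups find the same elements inside the full export. The pinned-CA check is stricter than the thread asks for, but it is the setting that stops a client from accepting any public CA's certificate once validation is turned on.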

Occasional Contributor I
Posts: 8
Registered: 11-16-2012

Re: Odd PEAP/MSCHAP auth issue

Not 100% certain why the validation is disabled. We actually paid for an Aruba partner, who we purchased the equipment from, to set this up. We're going through some physical changes at our office and a strong wireless network was a must. I wasn't involved in any of the Aruba configuration (nor the RADIUS/NPS side of things). We purchased ClearPass and they suggested we not worry about the certs until that was in place. I figured they were the experts and didn't argue. Today is the first time I've even seen the GUI :(.

 

In short, can you point me to where I can check the termination settings?

MVP
Posts: 3,009
Registered: 10-25-2011

Re: Odd PEAP/MSCHAP auth issue


This looks more like an Active Directory issue, not a wireless controller issue nor an NPS issue...

Do you have a healthy AD? I mean no errors and all that? For those users, do you see any errors in the AD?

I mean it looks like your credentials and the credentials in the AD are out of sync for some users.

 

You might have AD credentials and cached credentials that became out of sync.

 

You could maybe try clearing the credentials on the computer, so it then caches them again?

 

The other thing is that you are using this without a certificate on the NPS server? And not even checking for the server or the cert? Without that you have good security using EAP PEAP...

 

Cheers

Carlos

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Occasional Contributor I
Posts: 8
Registered: 11-16-2012

Re: Odd PEAP/MSCHAP auth issue

Never mind, I think I found it:

MVP
Posts: 3,009
Registered: 10-25-2011

Re: Odd PEAP/MSCHAP auth issue

Also, here is a manual on how you should set up clients...

http://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/m-p/43398

 

On the NPS you should use a cert... if you have a certificate authority you can use a Machine template to create a certificate for the NPS and use that one.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Occasional Contributor I
Posts: 8
Registered: 11-16-2012

Re: Odd PEAP/MSCHAP auth issue

Yes, our AD is healthy. Busy, but healthy.

 

Here is someone else I found who is having the same unsolved mystery:

http://freeradius.1045715.n5.nabble.com/PEAP-MSCHAPv2-failing-with-Windows-7-td4383068.html

 

 

MVP
Posts: 3,009
Registered: 10-25-2011

Re: Odd PEAP/MSCHAP auth issue


Well, I actually have no experience implementing with termination on the controller, as my clients have always had an NPS on the local side where the controller is... so, well, I'll leave Colin to advise you better.

Didn't know it was terminating on the controller.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp