Trusted Contributor I

Re: Reason code 265 and i'm not using certificates

i believe that is related to the fact that you are using both PEAP and MSCHAPv2 to do authentication. so it might be logical you see both in the logs, can you see the combination together (after each other or such)?

 

is the NPS server used by others, or can you really do a single request, determine the related logs, and do that for both a good and bad request? might be worth it to do that and share those. with NPS it is useful to check both the NPS log and the event logs.

 

do you have multiple services on the NPS server?

Occasional Contributor II

Re: Reason code 265 and i'm not using certificates

I haven't found a combination of both types in a single authentication process for a device. Nonetheless I have seen one device send a request using type 4 and the next one with type 11.

 

I can't do a single request; the server is being used in the whole organization and multiple requests happen per second. I've checked the event viewer but the only events I found there are requests from non-authorized clients and warnings when the server can't connect to the domain controller.

 

There aren't any other services in this server, active directory is in a different one.

 

I uploaded a successful and a failed log, both with auth-type 11.

 

Trusted Contributor I

Re: Reason code 265 and i'm not using certificates

did you just search for those two? because they seem from different radius clients (APs? controllers?). are the settings on that side the same?

Occasional Contributor II

Re: Reason code 265 and i'm not using certificates

Yes, they are from different virtual controllers but configurations are exactly the same. When I mean successful and failed attempts they're not necessarily from the same virtual controller but they should behave in the same way.

Trusted Contributor I

Re: Reason code 265 and i'm not using certificates

they should behave the same way, but they don't. if you compare them you see differences beyond the 265 result.

 

why would that be the case? i would focus on getting a successful and failed auth in a controlled method and preferably on the same AP / VC and comparing those.

Occasional Contributor II

Re: Reason code 265 and i'm not using certificates

Well, looks like we finally managed to make it work, and that the authentication type is always 4 (MSCHAPv2), which is the one that always works... The workaround was none other than to configure the Windows PC to validate certificates from the default trusted CAs and enable termination on the instant solution.

 

Even though I'll keep looking for a reason why those PCs didn't work without certificates and mine does, the NPS server was never set up to use them and there is not even a CA enabled in it or in the domain server.

Trusted Contributor I

Re: Reason code 265 and i'm not using certificates

ok, that is good for you.

 

enabling termination on the AP is an interesting step. have you ever checked the MSCHAPv2 settings on the NPS server? it might be there is no certificate available to start the PEAP session. but still i can't understand why it would work on some and not on others with the same settings.

 

can't really imagine that trusting the server cert would allow access where it didn't before.
