Common Authentication Problems

The most common problem with wireless connectivity is that wireless clients cannot be successfully authenticated. There are many configurations and components that could be at fault. When troubleshooting any problem, it is helpful to use a logical approach. Some questions to ask include the following:

  • What works?

  • What does not work?

  • How are the things that do and do not work related?

  • Have the things that do not work ever worked?

  • If so, what has changed since it last worked?

One of the first places to look for troubleshooting information is the system event log on the IAS server that received the RADIUS Access-Request message for the event corresponding to the failed authentication. If there is an event, use the text of the event message as a basis for correcting the problem or performing additional troubleshooting. If attempting to correct the problem based on the event message text does not fix the problem, use the information in this section or in the Troubleshooting IAS Authentication and Authorization section of this chapter for additional troubleshooting ideas and directions.

If there is no event, troubleshoot the lack of connectivity or the inability to exchange RADIUS messages between the wireless AP and the IAS server. Check for packet filtering in intermediate routers and the incorrect configuration of intermediate RADIUS proxies (if any).
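The reachability and RADIUS-exchange check described above, as an added example that is not code from the book: a small Python probe that builds an RFC 2865 Access-Request with a PAP User-Password, sends it to the IAS server on UDP 1812, and classifies the reply. The server address, port, shared secret, test account and the NAS-IP-Address value 192.0.2.10 are assumptions. It goes one step beyond the text in one respect: by recomputing the Response Authenticator it distinguishes a mismatched shared secret from a plain Access-Reject.

```python
"""Minimal RADIUS Access-Request probe (RFC 2865) for checking that an IAS server is
reachable and that both sides use the same shared secret. Added example; server,
port, secret and account values are assumptions supplied on the command line."""
import hashlib
import os
import socket
import struct
import sys

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST = 1
CODE_NAMES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attribute(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def obfuscate_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(encoded, secret, authenticator):
    """Inverse of obfuscate_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip="192.0.2.10", authenticator=None):
    """Return (packet, request_authenticator). nas_ip defaults to a documentation address (assumption)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attribute(ATTR_USER_NAME, username.encode())
             + _attribute(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
             + _attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    return header + attrs, authenticator


def build_reply(code, request, secret, attrs=b""):
    """What a correctly configured server sends back: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret). Used to simulate IAS offline."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def diagnose(reply, request_authenticator, secret, expected_id):
    """Classify a reply the way a troubleshooter would read it."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "malformed reply (bad length)"
    if reply[1] != expected_id:
        return "reply did not match the request identifier"
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    if expected != reply[4:20]:
        return "reply authenticator mismatch: the shared secret used here differs from the one on the server"
    return CODE_NAMES.get(reply[0], "unexpected code %d" % reply[0])


def probe(server, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and report what came back (or that nothing did)."""
    identifier = os.urandom(1)[0]
    packet, request_authenticator = build_access_request(identifier, username, password, secret)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    except socket.timeout:
        # RFC 2865 servers silently discard requests from clients they do not know, so
        # silence can mean a filtered path, a server that is not listening, or a probe
        # host that is not registered as a RADIUS client on the IAS server.
        return "no reply within %.0fs on UDP %d" % (timeout, port)
    finally:
        sock.close()
    return diagnose(reply, request_authenticator, secret, identifier)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: radius_probe.py <server> <shared-secret> <username> <password>")
    print(probe(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

Run it from the host (or at least the subnet) the wireless AP uses, with a dedicated test account. An Access-Reject is still a useful answer for this check: it proves the path, the RADIUS client registration and the shared secret all work, and moves the investigation to the remote access policy. Silence points at packet filtering, a stopped service, or a client the IAS server does not know about.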

The following are common problems with wireless connectivity and authentication that can be caused by the authentication infrastructure:

  • No wireless clients can be authenticated (includes both EAP-TLS and PEAP-MS-CHAP v2-based wireless clients)

    If no wireless clients can be authenticated, do the following:

    • Verify that all the IAS servers and the wireless APs have symmetric reachability for RADIUS traffic. Symmetric reachability means that the IAS server can reach the wireless AP and the wireless AP can reach the IAS server.

    • Verify that Active Directory global catalog and domain controller computers are available and have symmetric reachability with the IAS servers.

    • Verify that the computer certificates on the IAS servers have not expired.

    • Verify that there is a matching remote access policy against which the wireless authentication requests are being evaluated. If there is no matching policy, all wireless authentication requests are rejected. If there is a matching policy, investigate the remote access policy's conditions, remote access permission, and profile properties for the correct settings.

  • No EAP-TLS-based wireless clients can be authenticated.

    If EAP-TLS-based wireless clients cannot be authenticated (but PEAP-MS-CHAP v2-based wireless clients can), do the following:

    • Verify that the CRL locations, as specified in the wireless client user or computer certificate chains, are available to the IAS servers and are symmetrically reachable. If the IAS servers cannot access the CRLs, EAP-TLS authentication fails by default. This behavior can be modified with the IgnoreRevocationOffline registry setting previously described.

    • Verify that the CRLs available to the IAS servers have not expired. If any of them have expired, EAP-TLS authentication fails; manually publish new CRLs using either the Certification Authority snap-in (if you are using a Windows CA) or the appropriate tool (if you are using a third-party CA).

    • Verify that the remote access policy used for wireless connections is configured to allow EAP-TLS authentication.

    • Verify that the correct computer certificate is selected in the properties of the Smart Card or Other Certificate dialog box in the profile properties of the remote access policy used for wireless connections.

    • Verify that the root CA certificate for the issuing CA of the wireless client user or computer certificate is installed in the Trusted Root Certification Authorities Local Computer store on the IAS server.

    • Verify that the root CA certificate for the issuing CA of the IAS server certificate is installed in the Trusted Root Certification Authorities Local Computer store on the wireless client computers.

  • No PEAP-MS-CHAP v2-based wireless clients can be authenticated.

    If PEAP-MS-CHAP v2-based wireless clients cannot be authenticated (but EAP-TLS-based wireless clients can), do the following:

    • Verify that the remote access policy used for wireless connections is configured to allow PEAP authentication with the MS-CHAP v2 EAP type.

    • Verify that the correct computer certificate is selected in the properties of the Protected EAP Properties dialog box in the profile properties of the remote access policy used for wireless connections.

    • Verify that the root CA certificate for the issuing CA of the IAS server certificate is installed in the Trusted Root Certification Authorities Local Computer store on the wireless client computers.

  • Individual wireless clients cannot be authenticated.

    If an individual wireless client cannot be authenticated, do the following:

    • Verify that the account exists, is enabled, and is not locked out (either through the account properties or through remote access account lockout), and that the connection is being attempted during the allowed logon times.

    • Verify that the connection attempt for the user or computer account matches a remote access policy. For example, if you are using a group-based remote access policy, verify that the user or computer account is a member of the group specified in the Windows Groups condition of the appropriate remote access policy.

    • Verify that the root CA certificate for the issuing CA of the IAS server certificate is installed in the Trusted Root Certification Authorities Local Computer store on the wireless client computer.

    • For an EAP-TLS-based wireless client, verify that the computer or user certificate meets the conditions described in the Validating the Wireless Client's Certificate section of this chapter.

    • For a PEAP-MS-CHAP v2-based wireless client, investigate whether the wireless client's account password has expired and verify that the Allow Client to Change Password After It Has Expired check box on the EAP MS-CHAP v2 Properties dialog box is enabled on the IAS servers.
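Two of the checks in the lists above, that the IAS server certificate has not expired and that the CRLs the IAS servers see have not expired, come down to reading validity dates out of DER structures. The following is an added example, not code from the book: a dependency-free Python walker that pulls notBefore/notAfter out of an X.509 certificate and thisUpdate/nextUpdate out of a CRL, and reports a CRL as expired once the current time reaches nextUpdate. The sample CRL bytes are constructed in the block (with a placeholder signature) so it runs offline; the issuer name and dates in it are invented.

```python
"""Extract validity windows from DER-encoded X.509 certificates and CRLs without any
third-party library. Added example; the SAMPLE_CRL below is constructed, not real."""
from datetime import datetime, timezone
import sys

UTC_TIME, GENERALIZED_TIME, INTEGER, SEQUENCE, CONTEXT_0 = 0x17, 0x18, 0x02, 0x30, 0xA0


def _tlv(buf, pos):
    """Decode one DER tag-length header at buf[pos:]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def _time(buf, tag, start, end):
    """Decode a Time: UTCTime YYMMDDHHMMSSZ (RFC 5280 pivot at 1950) or GeneralizedTime YYYYMMDDHHMMSSZ."""
    text = buf[start:end].decode("ascii")
    if tag == UTC_TIME:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != GENERALIZED_TIME:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def _tbs_fields(der):
    """Top-level fields of tbsCertificate / tbsCertList, the first element of the outer SEQUENCE."""
    _, start, end = _tlv(der, 0)
    _, tbs_start, tbs_end = next(_children(der, start, end))
    return list(_children(der, tbs_start, tbs_end))


def certificate_validity(der):
    """(notBefore, notAfter) of a DER Certificate: validity is the 4th field after the optional [0] version."""
    fields = _tbs_fields(der)
    if fields[0][0] == CONTEXT_0:
        fields = fields[1:]
    _, vstart, vend = fields[3]
    not_before, not_after = [_time(der, *t) for t in _children(der, vstart, vend)]
    return not_before, not_after


def crl_validity(der):
    """(thisUpdate, nextUpdate or None) of a DER CertificateList; the version INTEGER is optional."""
    fields = _tbs_fields(der)
    if fields[0][0] == INTEGER:
        fields = fields[1:]
    this_update = _time(der, *fields[2])          # after signature algorithm and issuer
    has_next = len(fields) > 3 and fields[3][0] in (UTC_TIME, GENERALIZED_TIME)
    next_update = _time(der, *fields[3]) if has_next else None
    return this_update, next_update


def crl_status(der, now):
    """'current', 'expired' (now at or past nextUpdate) or 'not yet valid'; expired is what breaks EAP-TLS."""
    this_update, next_update = crl_validity(der)
    if now < this_update:
        return "not yet valid"
    if next_update is not None and now >= next_update:
        return "expired"
    return "current"


def der_encode(tag, payload):
    """Minimal DER encoder (payloads under 64 KiB), used only to construct sample input."""
    n = len(payload)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + payload


# Constructed sample CRL (no real signature): issued 2024-01-01, nextUpdate one week later.
SHA256_RSA = der_encode(SEQUENCE, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")))   # OID 1.2.840.113549.1.1.11
ISSUER = der_encode(SEQUENCE, der_encode(0x31, der_encode(SEQUENCE,
         der_encode(0x06, b"\x55\x04\x03") + der_encode(0x13, b"Example Issuing CA"))))   # CN=Example Issuing CA
SAMPLE_CRL = der_encode(SEQUENCE,
    der_encode(SEQUENCE, der_encode(INTEGER, b"\x01") + SHA256_RSA + ISSUER
               + der_encode(UTC_TIME, b"240101000000Z") + der_encode(UTC_TIME, b"240108000000Z"))
    + SHA256_RSA + der_encode(0x03, b"\x00" * 9))                                         # placeholder BIT STRING


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CRL   # argument: a DER CRL file
    this_update, next_update = crl_validity(data)
    print("thisUpdate", this_update, "nextUpdate", next_update, crl_status(data, datetime.now(timezone.utc)))
```

Point it at a CRL downloaded from the distribution point named in the client certificate chain, from the IAS server's own network position, and you have checked both halves of the CRL bullet at once: that the location is reachable from there and that what it serves is still current. On the server itself the same information is in the Certificates snap-in and certutil output; the value of this script is that it runs anywhere and makes the "expired" condition explicit.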


Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies