I looked into this a bit more today & found that I can authenticate using the machine name using my Windows 7 laptop, it works in every building without issue.
I also ran a few more test connects with the Vista laptop & found that after it fails authentication it logs an error in the event viewer under WLAN-autoconfig stating 'Explicit EAP failure received'. I still do not see any attempt at machine authentication in the Radius server logs or any errors on the Radius server's event viewer logs. I mirrored the switchport that the AP is connected to & took a packet capture, I picked through the Radius access-request, access-challenge & access-reject packets, but I cannot tell from them whether the machine name is being passed or just the user name. Any ideas?

On Mon, Feb 1, 2010 at 10:19 AM, Tim Mugherini <[email protected]> wrote:
> agreed - that's why i asked if there were multiple AD sites
>
> Computer accounts in those sites have a modified date with ADUC?
>
> One would think there would be event logs if comp auth was an issue though
>
> On Mon, Feb 1, 2010 at 9:27 AM, Butturini, Russell <[email protected]> wrote:
> > That sounds like you could have some underlying AD issues causing the problem. Have you verified replication is working correctly?
> >
> > ________________________________
> >
> > From: [email protected] on behalf of Robert Portvliet
> > Sent: Mon 2/1/2010 8:02 AM
> > To: PaulDotCom Security Weekly Mailing List
> > Subject: Re: [Pauldotcom] Configuring WPA2 & RADIUS
> >
> > I was incorrect, each building is its own site in AD & its own subnet, which is a /16 on a private class A.
> >
> > On Sun, Jan 31, 2010 at 8:43 PM, Robert Portvliet <[email protected]> wrote:
> >
> > That was going to be my next move, mirror the switchport the AP is plugged into & take a capture of the auth attempt. (I'll do that tomorrow morning)
> >
> > Like I said I'm coming into this a bit after the fact & didn't do the initial setup, but yes the cert is self signed & generated using Microsoft CA (I'll look into the settings further though), the clients are all Vista btw.
> >
> > As far as the network, it's flat with layer 3 routing only in the core switch, each building is on its own vlan, but the wireless vlan is the same no matter what building you are in, as far as AD goes there's only one site, each building is an OU under that.
> >
> > I'm more of a Linux\Unix guy so I'm a bit light in the AD end of things, I think it might be something to do with policy, but according to the systems engineer you should be getting the same policy no matter where you go.
> >
> > Thanks much for the help!
> >
> > On Sat, Jan 30, 2010 at 8:55 PM, Tim Mugherini <[email protected]> wrote:
> >
> > Robert,
> >
> > First I would not trust the Radius server logs, grab a packet dump to verify they are not trying to auth as the computer acct (I have seen MS IAS not log attempts so even though I have no experience with 2k8 NPS I would not trust the logs)
> >
> > Also you mentioned diff buildings, diff subnets? AD sites?
> >
> > Lastly you mentioned certificates, are you using a self signed on the Radius server, MS CA? If MS CA what are your GO settings for the Radius and Certs (have seen issues with MS CA and "verification" on XP so just a hunch on my part.)
> >
> > Tim
> >
> > On Sat, Jan 30, 2010 at 10:26 AM, Robert Portvliet <[email protected]> wrote:
> > >
> > > I'm attempting to troubleshoot an issue with an implementation of WPA2 & RADIUS with certificates (for wireless authentication), it is a somewhat perplexing issue which I am hoping someone on the list may be able to provide some guidance on.
> > >
> > > In the building local to the Radius server, the machine will authenticate to the Radius server using the machine name without issue, however in the other buildings the same machine (even using the same access point) will never try to pass the machine name to authenticate.. it passes the user name, which works if we allow that method of authentication, but it's not what we're after obviously.
> > >
> > > The strange thing is I see no trace in the Radius server log of it even trying the machine name and the policy the machine receives should be the same in each building.
> > >
> > > For the Radius server I am using NPS on win2k8. the client machines are Vista (latest patch level), AP's are HP ProCurve, physical media is single mode fiber between the buildings.
> > >
> > > I came into this a little late in the game, from what I can tell everything seems to be configured correctly, but I'm getting the feeling I'm missing something stupid, lol
> > >
> > > Thanks in advance!

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
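The question in the latest message is whether the captured Access-Request carries the machine identity or the user identity. The added example below is not from the thread or any list member; it is a minimal RADIUS (RFC 2865) attribute parser that pulls the User-Name attribute (type 1) and the identity inside the EAP-Message attribute (type 79) out of the UDP payload of an Access-Request, then labels the identity as machine or user. It relies on the Windows supplicant's convention of sending computer authentication as `host/<computer-fqdn>`; the packet bytes, hostnames and the `example.local` domain are constructed sample data, and the zeroed Request Authenticator and Message-Authenticator are placeholders, not real values.

```python
import struct
from dataclasses import dataclass

# RADIUS packet codes and the attribute types used here (RFC 2865 / RFC 3579)
ACCESS_REQUEST = 1
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


@dataclass
class RadiusPacket:
    code: int
    identifier: int
    attributes: list  # list of (attribute type, raw value bytes), in wire order


def parse_radius(payload: bytes) -> RadiusPacket:
    """Parse the UDP payload of a RADIUS packet into its code, identifier and attribute TLVs."""
    if len(payload) < 20:
        raise ValueError("RADIUS header is 20 bytes; payload too short")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError(f"bad RADIUS length field {length}")
    attrs = []
    pos = 20  # attributes start right after the 16-byte Request Authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return RadiusPacket(code, ident, attrs)


def eap_identity(eap: bytes):
    """Return the identity carried by an EAP-Response/Identity (code 2, type 1), else None."""
    if len(eap) < 5:
        return None
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if code != 2 or eap[4] != 1 or length > len(eap):
        return None
    return eap[5:length].decode("utf-8", errors="replace")


def classify_identity(identity: str) -> str:
    """Windows computer authentication presents the identity as host/<fqdn> (assumption, see lead-in)."""
    return "machine" if identity.lower().startswith("host/") else "user"


def summarize(payload: bytes) -> dict:
    """Report what identity an Access-Request is actually carrying."""
    pkt = parse_radius(payload)
    user_name = None
    eap_blob = b""
    for atype, value in pkt.attributes:
        if atype == ATTR_USER_NAME:
            user_name = value.decode("utf-8", errors="replace")
        elif atype == ATTR_EAP_MESSAGE:
            eap_blob += value  # EAP-Message may be split over several attributes; concatenate in order
    return {
        "code": CODE_NAMES.get(pkt.code, str(pkt.code)),
        "identifier": pkt.identifier,
        "user_name": user_name,
        "eap_identity": eap_identity(eap_blob),
        "auth_type": classify_identity(user_name) if user_name else "unknown",
    }


def _attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identity: str, ident: int = 7) -> bytes:
    """Construct a sample Access-Request like an AP would forward for an EAP-Response/Identity (sample data)."""
    name = identity.encode()
    eap = struct.pack("!BBH", 2, 1, 5 + len(name)) + b"\x01" + name  # EAP Response / Identity
    attrs = (_attr(ATTR_USER_NAME, name)
             + _attr(ATTR_EAP_MESSAGE, eap)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16)))  # placeholder HMAC, not computed
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + bytes(16)  # placeholder authenticator
    return header + attrs


if __name__ == "__main__":
    for sample in ("host/laptop01.example.local", "EXAMPLE\\jdoe"):
        print(summarize(build_access_request(sample)))
```

On a real capture, feed `summarize()` the UDP payload of each packet to port 1812; an Access-Request whose `auth_type` is `user` for a client that was supposed to do computer authentication confirms the supplicant never sent the machine identity, independently of what NPS chose to log. Wireshark's RADIUS dissector exposes the same attribute as the `radius.User-Name` field if you would rather filter in the GUI.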
