RE: [WIRELESS-LAN] IAS Logging
I've tried this with our current implementation of IAS and it works fine; it re-challenges for the correct password and throws an event in the IAS event log... perhaps it's something else? Although I am glad to be moving to an IDEngines Ignition server... albeit for different reasons.

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Mike King
Sent: Sat 3/8/2008 5:12 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] IAS Logging

I have to clarify something for myself here. When you enter the wrong password into the Windows PEAP client, IAS will lock the account out because the client will keep trying the wrong password? Wow. The major RADIUS servers all have the correct behavior, in that if you put in the wrong password, it will send the correct response back to the client to force it to re-prompt for the username/password. I've tested this with FreeRADIUS (everything from .97 up has it), Funk (Juniper now) Steel Belted Radius (SBR), and IDEngines Ignition Server. I figured Microsoft would use their own API and perform the correct action. I guess that would be a false assumption. (To clarify my point, I'm blaming IAS for not following the RADIUS specs that Microsoft created when they made the PEAP client in Windows XP.)

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] IAS Logging
I have to clarify something for myself here. When you enter the wrong password into the Windows PEAP client, IAS will lock the account out because the client will keep trying the wrong password? Wow. The major RADIUS servers all have the correct behavior, in that if you put in the wrong password, it will send the correct response back to the client to force it to re-prompt for the username/password. I've tested this with FreeRADIUS (everything from .97 up has it), Funk (Juniper now) Steel Belted Radius (SBR), and IDEngines Ignition Server. I figured Microsoft would use their own API and perform the correct action. I guess that would be a false assumption. (To clarify my point, I'm blaming IAS for not following the RADIUS specs that Microsoft created when they made the PEAP client in Windows XP.)
Re: [WIRELESS-LAN] IAS Logging
On my Windows XP Pro SP2 laptop with KB917021 and KB893357, which has a working 802.1x setup, I intentionally entered a wrong password for my AD account and locked it out. Searching the IAS logs, I saw a bunch of Reason-Code 16 (IAS_AUTH_FAILURE) entries, then I saw the Reason-Code 36. Maybe it's something on the client end?

- Original Message -
From: Howd, Walt [EMAIL PROTECTED]
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Sent: Thursday, March 06, 2008 5:35 PM
Subject: Re: [WIRELESS-LAN] IAS Logging

We have a similar setup (Cisco LWAPP environment, controllers logging to IAS) and have seen the same issue. If you find anything useful, I would be interested.

Walt Howd
Network Systems Admin
Information Technology Services
Truman State University
SunGard Higher Education Managed Services
100 East Normal Street
Kirksville, MO 63501
[EMAIL PROTECTED]

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Craig Pluchinsky
Sent: Thursday, March 06, 2008 3:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] IAS Logging

Currently we have an 802.1x wireless network set up with Cisco APs, Cisco Wireless LAN Controllers and Microsoft IAS as our RADIUS server. We are seeing issues where a user's Active Directory account is being locked out because of too many incorrect password attempts. This is being logged in the security event log on the server but not in the IAS logs. The security event log does not show a MAC address or machine name. IAS should be logging a Reason-Code 36 IAS_ACCOUNT_LOCKED_OUT in the IAS log. The problem is the client looks like it is incorrectly configured, so it keeps trying to authenticate every few seconds, keeping the user's Active Directory account locked out. We then have to track down the MAC address either with a packet sniffer or find it in WCS and add it to the disabled clients list on the controllers to keep it from repeatedly trying to connect and locking the Active Directory account out.

Any ideas as to why IAS is not logging this error? If it were logged in the IAS logs we could then get the MAC address from the Calling-Station-ID.

---
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
RE: [WIRELESS-LAN] IAS Logging
We have a similar setup (Cisco LWAPP environment, controllers logging to IAS) and have seen the same issue. If you find anything useful, I would be interested.

Walt Howd
Network Systems Admin
Information Technology Services
Truman State University
SunGard Higher Education Managed Services
100 East Normal Street
Kirksville, MO 63501
[EMAIL PROTECTED]

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Craig Pluchinsky
Sent: Thursday, March 06, 2008 3:12 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] IAS Logging

Currently we have an 802.1x wireless network set up with Cisco APs, Cisco Wireless LAN Controllers and Microsoft IAS as our RADIUS server. We are seeing issues where a user's Active Directory account is being locked out because of too many incorrect password attempts. This is being logged in the security event log on the server but not in the IAS logs. The security event log does not show a MAC address or machine name. IAS should be logging a Reason-Code 36 IAS_ACCOUNT_LOCKED_OUT in the IAS log. The problem is the client looks like it is incorrectly configured, so it keeps trying to authenticate every few seconds, keeping the user's Active Directory account locked out. We then have to track down the MAC address either with a packet sniffer or find it in WCS and add it to the disabled clients list on the controllers to keep it from repeatedly trying to connect and locking the Active Directory account out.

Any ideas as to why IAS is not logging this error? If it were logged in the IAS logs we could then get the MAC address from the Calling-Station-ID.

---
Craig Pluchinsky
IT Services
Indiana University of Pennsylvania
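Craig's point that the MAC would be available from Calling-Station-ID if IAS logged the lockout suggests a workaround that does not need the packet sniffer: sweep the IAS log for the Reason-Code 16 rejects that precede the lockout and group them by Calling-Station-ID, so the client retrying "every few seconds" stands out. The Python below is an added example, not code from the thread; it assumes IAS-format logging with attribute IDs 4136 (Packet-Type) and 4142 (Reason-Code) next to standard RADIUS attributes 31 (Calling-Station-Id) and 1 (User-Name), and all of its log lines are constructed sample data.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# IAS-format attribute IDs. 31 and 1 are the standard RADIUS Calling-Station-Id
# and User-Name; 4136 (Packet-Type) and 4142 (Reason-Code) are the IAS-specific
# IDs as I recall them. ASSUMPTION: check them against the log your IAS writes.
CALLING_STATION_ID, USER_NAME = "31", "1"
PACKET_TYPE, REASON_CODE = "4136", "4142"
ACCESS_REJECT = "3"
IAS_AUTH_FAILURE, IAS_ACCOUNT_LOCKED_OUT = "16", "36"  # reason codes from the thread

def parse_ias_line(line):
    """IAS format: computer, service, date, time, then attribute-id,value pairs."""
    fields = next(csv.reader(StringIO(line)))
    when = datetime.strptime(f"{fields[2]} {fields[3]}", "%m/%d/%Y %H:%M:%S")
    return when, dict(zip(fields[4::2], fields[5::2]))

def find_retry_loops(lines, threshold=5, window=timedelta(minutes=2)):
    """Return {mac: (first_reject, count)} for MACs with >= threshold bad-password rejects in window."""
    rejects = defaultdict(list)
    for line in lines:
        when, attrs = parse_ias_line(line)
        if (attrs.get(PACKET_TYPE) == ACCESS_REJECT
                and attrs.get(REASON_CODE) in (IAS_AUTH_FAILURE, IAS_ACCOUNT_LOCKED_OUT)):
            rejects[attrs.get(CALLING_STATION_ID, "unknown")].append(when)
    hits = {}
    for mac, times in rejects.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over the sorted rejects
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                hits[mac] = (start, n)
                break
    return hits

def ias_record(time, pkt, mac, reason=None):
    """Build one constructed IAS-format record (sample data, not a real log)."""
    extra = f",4142,{reason}" if reason is not None else ""
    return f'"IAS01","IAS",03/06/2008,{time},4136,{pkt}{extra},31,"{mac}",1,"jdoe"'

# Constructed sample: one client rejected every 5 s, one client with a single failure.
SAMPLE_LOG = [ias_record("15:12:01", 1, "00-11-22-33-44-55")] + [
    ias_record(f"15:12:{s:02d}", 3, "00-11-22-33-44-55", 16) for s in range(3, 30, 5)
] + [ias_record("15:13:00", 3, "AA-BB-CC-DD-EE-FF", 16)]

if __name__ == "__main__":
    print(find_retry_loops(SAMPLE_LOG))  # MAC to add to the controllers' disabled-clients list
```

The same grouping works on the database-compatible IAS format once the fixed columns are mapped, but the attribute IDs above only apply to the IAS-format output.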