
Problem with Computer Authentication (IAS / Wireless)

Status
Not open for further replies.

aZLAn2000

Technical User
Oct 29, 2003
45
DK
Hi,

I am currently setting up a wireless network using EAP/PEAPv2 (802.11x auth) and all is working when authenticating users, but when I want to connect using a computer account I get this in the Event Viewer:

Reason-Code = 16
Reason = There was an authentication failure because of an unknown user name or a bad password.

I have installed a patch so I can set the dial-up flag to yes in Active Directory on Computer Accounts so that shouldn't be the problem.

Then I have tried to activate tracing on the IAS server and the error here is:

[15568] 08:26:23:348: NT-SAM Names handler received request with user identity host/pc-dell.domain.dom.
[15568] 08:26:23:348: Successfully cracked username.
[15568] 08:26:23:348: SAM-Account-Name is "DOMAIN\PC-DELL$".
[15568] 08:26:23:348: NT-SAM Authentication handler received request for DOMAIN\PC-DELL$.
[15568] 08:26:23:348: Processing MS-CHAP v2 authentication.
[15568] 08:26:23:348: LogonUser failed: The account used is a computer account. Use your global user account or local user account to access this server.
[15568] 08:26:23:348: No SAM credentials found. Checking account restrictions and computing groups manually.
[15568] 08:26:23:348: Sending LDAP search to domain.dom.
[15568] 08:26:23:348: ldap_search_ext_sW failed: The specified server cannot perform the requested operation.
[15568] 08:26:23:348: Retrying LDAP search.
[15568] 08:26:23:364: Opening LDAP connection to dc.domain.dom.
[15568] 08:26:23:364: LDAP connect succeeded.
[15568] 08:26:23:379: Sending LDAP search to domain.dom.
[15568] 08:26:23:379: Successfully processed account.
---

I have changed the domainname to domain.dom for security reasons :)

Please - could anyone send me in the right direction? I can't google any of this up anywhere :(.

/Christian

WLAN Hardware: Trapeze Networks MX-8 with 4 MP-241's.
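
One way to triage an IAS trace like the one in the post above, as an added example that is not part of the original thread: it splits the trace into per-request records and flags requests where LogonUser failed for a computer account (a `host/` identity or a SAM name ending in `$`). The function and field names are assumptions made for this example; the sample lines are a subset copied from the post.

```python
import re

# Trace lines copied from the post above (a subset; domain anonymised by the poster).
SAMPLE_TRACE = r"""
[15568] 08:26:23:348: NT-SAM Names handler received request with user identity host/pc-dell.domain.dom.
[15568] 08:26:23:348: Successfully cracked username.
[15568] 08:26:23:348: SAM-Account-Name is "DOMAIN\PC-DELL$".
[15568] 08:26:23:348: Processing MS-CHAP v2 authentication.
[15568] 08:26:23:348: LogonUser failed: The account used is a computer account. Use your global user account or local user account to access this server.
[15568] 08:26:23:379: Successfully processed account.
"""

LINE_RE = re.compile(r"^\[(\d+)\]\s+(\d\d:\d\d:\d\d:\d{3}):\s+(.*)$")
FIELDS = {  # hypothetical field name -> pattern with one capture group
    "identity": re.compile(r"received request with user identity (\S+?)\.?$"),
    "sam": re.compile(r'SAM-Account-Name is "([^"]+)"'),
    "method": re.compile(r"Processing (.+?) authentication\."),
    "logon_failure": re.compile(r"LogonUser failed: (.*)$"),
}

def parse_trace(text):
    """Split a trace into per-request records; a 'user identity' line starts a new record."""
    records, current = [], {}  # current: bracketed id -> record still being filled
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and separators such as '---'
        rid, ts, msg = m.groups()
        for field, rx in FIELDS.items():
            hit = rx.search(msg)
            if not hit:
                continue
            if field == "identity" or rid not in current:
                current[rid] = {"id": rid, "time": ts, **dict.fromkeys(FIELDS)}
                records.append(current[rid])
            current[rid][field] = hit.group(1)
    return records

def is_computer_account(rec):
    """Machine accounts appear as host/<fqdn> identities or SAM names ending in '$'."""
    return (rec["sam"] or "").endswith("$") or (rec["identity"] or "").lower().startswith("host/")

def machine_logon_failures(text):
    """Records where LogonUser failed for a computer account."""
    return [r for r in parse_trace(text) if is_computer_account(r) and r["logon_failure"]]

if __name__ == "__main__":
    for r in machine_logon_failures(SAMPLE_TRACE):
        print(f'{r["time"]} {r["sam"]} via {r["method"]}: {r["logon_failure"]}')
```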
 
Hallo,

I think that EAP/PEAPv2 is for user authentication only.
If you want computer authentication,
you have to use EAP/TLS.


mewi
 
Mewi: Are you sure? I'll look into it.

ADB100: Already done that. Made no difference at all.

/Christian
 
hi,

I am not 100% sure,
but we will get our Trapeze equipment in some weeks,
and we will work with EAP/TLS and computer authentication
(Windows 2003).
I tested PEAP some months ago, and my opinion is that it is only username/password authentication.

best regards,
mewi



 
Hi Mewi,

It is username/password authentication, but a computer account on Windows 2000 / 2003 should also have a password which it can provide for validation. 'Securing Wireless LANs with PEAP and Passwords' from Microsoft also talks about computer authentication and has how-tos with no config of EAP/TLS.

/Christian
 
Ok,

Maybe you're right,
I only told you about my experiences.

btw:
Are you satisfied with your trapeze equipment?

best regards,
mewi
 
Hi Mewi,

Yes! Apart from the few problems I've had, it's been a blast. It's really good. I would probably recommend some sort of course to learn about all the features as it's very comprehensive, but overall I don't think anything can match Trapeze at the moment.

/Christian
 
ok,

We will get the MX-400 in January.
In February I go to the Netherlands for a Trapeze course.

mewi

 
Cool! We have 2 x MX-8 and 1 MXR-2 divided across 3 separate locations. All working wonderfully.

/Christian
 
I've seen this done (Microsoft TechNet meeting in 2003), but it was done using certificates. If you install a certificate server and issue one to the computer then you can use that certificate as the authentication. It's a nice way to go since certificates are hard to break and it's something that has to "exist" on the PC trying to authenticate. If the PC hasn't been issued a certificate (meaning the rest of the world) then they're not getting in.

A+/MCP/MCSE/MCDBA
 

Thanks! After I got the certificates working the Computer Authentication also worked! It was a minor setup error in my config on the Trapeze Wireless that made certificates not work.

/Christian
 
Hi,

At the moment we have 2 MX400 running and now I can say
that this system was a good decision!
We just have about 50 APs (MP372) running.
But this will be much more this year!

I was at Trapeze training in Hilversum/Netherlands for 3 days. This was one of the best trainings I've ever had.

mewi


 
Cool! Sounds like I should do the same soon. It's a pretty large setup! 50 APs!! We have like 10, and that divided across 3 separate locations!

/C
 