Wireless PEAP Authentication Failures after Root CA Certificate Renewal
A few days ago I renewed the Root CA certificate for the local certificate authority, installed on a Server 2003 Standard. The existing certificate was going to expire, so I got the new one with the same keys (All Tasks/Renew CA Certificate). The old certificate has since expired. The CA appears to be working just fine: it can issue valid certificates and passes all the tests (PKIview.msc shows OK Status for all the components). I use this CA primarily for wireless network authentication with PEAP. Since the certificate was changed, all the wireless clients can connect to the network, except a few. After examining the System log on the RADIUS (IAS) server I found the following entries for those clients:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/29/2011
Time: 8:16:06 PM
User: N/A
Computer: ServerName
Description: User DOMAIN\username was denied access.
…
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 268
Reason = The received certificate has expired.

This does not make too much sense, as clients use PEAP, which only needs a server certificate, and the clients are not configured to verify the server's certificate to begin with. I suspect it is still related to the server's certificate. I have checked the certificate used for PEAP authentication on the IAS server and it is a valid certificate, good for another year. I have examined the AD with ADSIEdit and the Public Key Services appear to be in working order. Everything matches. I'm out of ideas. Please help. Thanks, Dmitry
June 30th, 2011 6:53am
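The thread never reaches a root cause, but the question does establish one concrete fact: the CA certificate was renewed with the same key pair, so the old (now expired) root and the new root carry the same subject and the same key identifier, and any server certificate issued under that key chains to either of them. The example below, added here and not taken from the original posts, models exactly that situation with the third-party `cryptography` package and shows how a verifier that still selects the expired copy of the root reports "certificate has expired" even though the server certificate itself is valid. Every name, date and hostname in it (Demo Root CA, ias.demo.local, the validity periods) is made up for the demonstration.

```python
"""
Added example for this thread (not code from the original posts): a model
of a root CA certificate renewed with the SAME key pair, an IAS/RADIUS
server certificate that chains to it, and a verifier that still holds
the expired copy of the root. Requires the third-party `cryptography`
package; every name, date and hostname below is made up for the demo.
"""
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Evaluation time: the date and time of the IAS event quoted in the thread.
NOW = dt.datetime(2011, 6, 30, 20, 16, 6)


def _validity(cert):
    """(not_before, not_after) as naive UTC datetimes on any cryptography version."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is None:  # cryptography < 42 exposes only the naive properties
        return cert.not_valid_before, cert.not_valid_after
    return nb.replace(tzinfo=None), cert.not_valid_after_utc.replace(tzinfo=None)


def _ski(cert):
    return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest


def make_root(key, cn, not_before, not_after):
    """Self-signed CA certificate. Calling this twice with the same key models
    'All Tasks / Renew CA Certificate' with the existing key pair reused."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
        .sign(key, hashes.SHA256())
    )


def make_server_cert(ca_key, ca_name, server_key, hostname, not_before, not_after):
    """Server-authentication certificate of the kind PEAP presents to clients."""
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_name)
        .public_key(server_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before).not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
        # AKI carries the key id only, so it matches EVERY root certificate with this key
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def check_chain(leaf, roots, at):
    """For each candidate root (name -> cert), say whether `leaf` chains to it at time `at`.
    A root that matches by subject and key identifier, verifies the signature, but is
    out of date is reported as expired even though the leaf itself is still valid."""
    aki = leaf.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    verdicts = {}
    for name, root in roots.items():
        if root.subject != leaf.issuer or _ski(root) != aki:
            verdicts[name] = "issuer mismatch"
            continue
        try:
            root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                     padding.PKCS1v15(), leaf.signature_hash_algorithm)
        except InvalidSignature:
            verdicts[name] = "bad signature"
            continue
        nb, na = _validity(root)
        if not nb <= at <= na:
            verdicts[name] = "root certificate has expired"
            continue
        nb, na = _validity(leaf)
        verdicts[name] = "ok" if nb <= at <= na else "server certificate has expired"
    return verdicts


def stale_duplicates(roots, at):
    """Names of expired roots whose key id is also carried by a root still valid at `at`:
    the leftover copies a store should not be building chains through."""
    def valid(c):
        nb, na = _validity(c)
        return nb <= at <= na
    live = {_ski(c) for c in roots.values() if valid(c)}
    return sorted(n for n, c in roots.items() if _ski(c) in live and not valid(c))


def build_demo_pki():
    """Constructed demo PKI: old and renewed root sharing one key, an unrelated root
    with the same name but its own key, and a server certificate valid for a year."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old_root = make_root(ca_key, "Demo Root CA", dt.datetime(2006, 6, 1), dt.datetime(2011, 6, 1))
    new_root = make_root(ca_key, "Demo Root CA", dt.datetime(2011, 6, 20), dt.datetime(2021, 6, 20))
    other = make_root(rsa.generate_private_key(public_exponent=65537, key_size=2048),
                      "Demo Root CA", dt.datetime(2006, 6, 1), dt.datetime(2021, 6, 1))
    server = make_server_cert(ca_key, old_root.subject,
                              rsa.generate_private_key(public_exponent=65537, key_size=2048),
                              "ias.demo.local", dt.datetime(2011, 6, 25), dt.datetime(2012, 6, 25))
    return {"old_root": old_root, "new_root": new_root, "other_root": other, "server": server}


if __name__ == "__main__":
    pki = build_demo_pki()
    roots = {k: v for k, v in pki.items() if k != "server"}
    for name, verdict in check_chain(pki["server"], roots, NOW).items():
        print(f"{name:11} {verdict}")
    print("stale copies to remove:", stale_duplicates(roots, NOW))
```

The point of the model is that nothing about the server certificate distinguishes the two roots: subject, key identifier and signature all match both, so the only thing that decides between "ok" and "expired" is which copy of the root the verifying side picks. On a real IAS server the equivalent check is to list the Root and Intermediate stores (for example with `certutil -store Root`) for two certificates with the same subject and Subject Key Identifier and confirm the expired one is no longer the copy the chain is built through; the same applies to any client that does validate the server certificate.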

Dmitry, Although your IAS server has renewed its certificate, you may still need to go into IAS, edit the PEAP remote access policy profile, select the authentication tab, edit the PEAP method and ensure that the certificate chosen is the renewed certificate. -Paul
June 30th, 2011 5:22pm

Thanks Paul, I have verified that the certificate used in the PEAP remote access profile is valid and not expired. I suspect that the root cause of the problem is a difference in PEAP implementation between Microsoft, Cisco (Access Points) and wpa_supplicant, used on the wireless bridge, which is unable to connect and gives me those errors. As far as I can tell, the clients associate to the access point successfully but fail in the encryption key negotiation. Right now I have done the following:
- Deployed a new IAS server
- Configured the wireless network to use it instead of the other two
That solved the problems for the Windows clients and iPhones. I also have re-compiled the firmware on one of the wireless bridges, which uses wpa_supplicant, and now it can connect too. I'm still completely puzzled what is causing the issue in the first place and how "freshly" built firmware fixes it. I don't understand why the client is denied access because of "The received certificate has expired". There are no client-side certificates used in PEAP, and wpa_supplicant and the others are not set to verify the server certificate. My next step would be to remove and re-install IAS. I have already done that, but it still picked up the old configuration. Do you know how to remove IAS completely, including the configuration? Thanks, Dmitry
June 30th, 2011 7:31pm

Two updates. My IAS quit authenticating clients. Period. I'm running on the one deployed yesterday. I have enabled tracing on the dead one, see relevant logs below. Looks like EapMSChapv2 is failing. Any ideas? Dmitry

=====================IASSAM.LOG===============
========================GOOD AUTHENTICATION==================
[8040] 08-24 15:41:29:947: Creating EAP session
[8040] 08-24 15:41:29:947: NT-SAM Names handler received request with user identity testuser4@domain.
[8040] 08-24 15:41:29:947: Successfully cracked username.
[8040] 08-24 15:41:29:947: SAM-Account-Name is "DOMAIN\testuser4".
[8040] 08-24 15:41:29:947: NT-SAM Authentication handler received request for DOMIAN\testuser4.
[8040] 08-24 15:41:29:947: Validating Windows account DOMAIN\testuser4.
[8040] 08-24 15:41:29:947: Sending LDAP search to dc1.domain.
[8040] 08-24 15:41:29:947: Successfully validated windows account.
[8040] 08-24 15:41:29:947: NT-SAM User Authorization handler received request for DOMAIN\testuser4.
[8040] 08-24 15:41:29:947: Using native-mode dial-in parameters.
[8040] 08-24 15:41:29:947: Sending LDAP search to dc1.domain.
[8040] 08-24 15:41:29:947: Successfully retrieved per-user attributes.
[8040] 08-24 15:41:29:947: Allowed EAP type: 13
[8040] 08-24 15:41:29:947: Allowed EAP type: 25
[8040] 08-24 15:41:29:947: Setting max. packet length to 1396.
[8040] 08-24 15:41:29:947: Processing output from EAP DLL.
[8040] 08-24 15:41:29:947: EAPACTION_Send
[8040] 08-24 15:41:29:947: Inserting outbound EAP-Message of length 6.
[8040] 08-24 15:41:29:947: Issuing Access-Challenge.
[8040] 08-24 15:41:29:947: Saving the response
[7140] 08-24 15:41:31:509: Successfully retrieved existing session
[7140] 08-24 15:41:31:509: Injecting the profile
[7140] 08-24 15:41:31:509: Processing output from EAP DLL.
...
[8040] 08-24 15:41:32:494: Injecting the profile
[8040] 08-24 15:41:32:494: Processing output from EAP DLL.
[8040] 08-24 15:41:32:494: EAPACTION_Done
[8040] 08-24 15:41:32:494: Translating attributes returned by EAP DLL.
[8040] 08-24 15:41:32:494: Inserting attribute 4140
[8040] 08-24 15:41:32:494: Inserting attribute 4141
[8040] 08-24 15:41:32:494: Inserting attribute 8097
[8040] 08-24 15:41:32:494: Inserting attribute 8097
[8040] 08-24 15:41:32:494: Inserting attribute 8097
[8040] 08-24 15:41:32:494: EAP authentication succeeded.
===============BAD=========================
[1916] 06-30 13:05:31:254: NT-SAM User Authorization handler received request for domain\dmitrys.
[1916] 06-30 13:05:31:254: Using native-mode dial-in parameters.
[1916] 06-30 13:05:31:254: Sending LDAP search to dc1.domain.
[1916] 06-30 13:05:31:254: Inserting attribute msNPAllowDialin.
[1916] 06-30 13:05:31:254: Successfully retrieved per-user attributes.
[1916] 06-30 13:05:31:254: Allowed EAP type: 25
[1916] 06-30 13:05:31:254: Setting max. packet length to 1396.
[1916] 06-30 13:05:31:254: Processing output from EAP DLL.
[1916] 06-30 13:05:31:254: EAPACTION_Send
[1916] 06-30 13:05:31:254: Inserting outbound EAP-Message of length 6.
[1916] 06-30 13:05:31:254: Issuing Access-Challenge.
[1916] 06-30 13:05:31:254: Saving the response
[6080] 06-30 13:05:36:363: Creating EAP session
[6080] 06-30 13:05:36:363: NT-SAM Names handler received request with user identity domain\dmitrys.
[6080] 06-30 13:05:36:363: Username is already an NT4 account name.
[6080] 06-30 13:05:36:363: SAM-Account-Name is "domain\dmitrys".
[6080] 06-30 13:05:36:363: NT-SAM Authentication handler received request for domain\dmitrys.
[6080] 06-30 13:05:36:363: Validating Windows account domain\dmitrys.
[6080] 06-30 13:05:36:363: Sending LDAP search to dc1.domain.
[6080] 06-30 13:05:36:363: Successfully validated windows account.
[6080] 06-30 13:05:36:363: NT-SAM User Authorization handler received request for Domain\dmitrys.
[6080] 06-30 13:05:36:363: Using native-mode dial-in parameters.
[6080] 06-30 13:05:36:363: Sending LDAP search to dc1.domain.
[6080] 06-30 13:05:36:363: Inserting attribute msNPAllowDialin.
[6080] 06-30 13:05:36:363: Successfully retrieved per-user attributes.
[6080] 06-30 13:05:36:363: Allowed EAP type: 25
[6080] 06-30 13:05:36:363: Setting max. packet length to 1396.
[6080] 06-30 13:05:36:363: Processing output from EAP DLL.
[6080] 06-30 13:05:36:363: EAPACTION_Send
[6080] 06-30 13:05:36:363: Inserting outbound EAP-Message of length 6.
[6080] 06-30 13:05:36:363: Issuing Access-Challenge.
[6080] 06-30 13:05:36:363: Saving the response
[8040] 08-24 15:41:32:494: EAPACTION_Done
[8040] 08-24 15:41:32:494: Translating attributes returned by EAP DLL.
[8040] 08-24 15:41:32:494: Inserting attribute 4140
[8040] 08-24 15:41:32:494: Inserting attribute 4141
[8040] 08-24 15:41:32:494: Inserting attribute 8097
[8040] 08-24 15:41:32:494: Inserting attribute 8097
[8040] 08-24 15:41:32:494: Inserting attribute 8097
[8040] 08-24 15:41:32:494: EAP authentication succeeded.

========================RASCHAP.LOG===========
========================GOOD==================
[7140] 08-24 15:30:14:589: EapMSChapv2MakeMessage
[7140] 08-24 15:30:14:589: EapMSChapv2SMakeMessage
[7140] 08-24 15:30:14:589: EMV2_RequestSend
[7140] 08-24 15:30:14:589: ChapMakeMessage,RBuf=019C400D
[7140] 08-24 15:30:14:589: CS_ChallengeSent...
[7140] 08-24 15:30:14:589: no change password attribute
[7140] 08-24 15:30:14:589: Authenticate User
[7140] 08-24 15:30:14:605: ChapMakeMessage,RBuf=019C400D
[7140] 08-24 15:30:14:605: Result=0,Tries=2
[7140] 08-24 15:30:14:605: CS_Done...
03 0B 00 2E 53 3D 46 37 41 42 42 31 42 46 32 32 |....S=F7ABB1BF22|
37 31 46 33 41 37 42 37 33 44 42 38 42 43 39 32 |71F3A7B73DB8BC92|
41 44 41 32 30 34 46 36 36 34 36 38 38 45 00 00 |ADA204F664688E..|
[7140] 08-24 15:20:37:914: EapMSChapv2MakeMessage
[7140] 08-24 15:20:37:914: EapMSChapv2SMakeMessage
[7140] 08-24 15:20:37:914: EMV2_CHAPAuthSuccess
=========================BAD=====================
[1916] 06-30 13:15:01:177: EapMSChapv2End
[6080] 06-30 13:15:06:458: EapMSChapv2End
[6080] 06-30 13:15:06:458: EapMSChapv2End
[1916] 06-30 13:15:12:645: EapMSChapv2End
[1916] 06-30 13:15:12:645: EapMSChapv2End
[6080] 06-30 13:15:18:333: EapMSChapv2End
[6080] 06-30 13:15:18:333: EapMSChapv2End
[1916] 06-30 13:15:19:817: EapMSChapv2End
[6080] 06-30 13:15:23:442: EapMSChapv2End
[6080] 06-30 13:15:25:520: EapMSChapv2End
[1916] 06-30 13:15:28:755: EapMSChapv2End
[1916] 06-30 13:15:30:645: EapMSChapv2End
[6080] 06-30 13:15:34:520: EapMSChapv2End
[6080] 06-30 13:15:35:927: EapMSChapv2End
[1916] 06-30 13:15:39:927: EapMSChapv2End
[1916] 06-30 13:15:45:333: EapMSChapv2End
[1916] 06-30 13:15:45:333: EapMSChapv2End
[6080] 06-30 13:15:49:833: EapMSChapv2End
[6080] 06-30 13:15:54:989: EapMSChapv2End
[6080] 06-30 13:15:54:989: EapMSChapv2End
[1916] 06-30 13:15:56:676: EapMSChapv2End
[6080] 06-30 13:16:00:551: EapMSChapv2End
June 30th, 2011 11:33pm
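Reading an IASSAM.LOG trace like the one above by eye means matching worker-thread IDs and timestamps across dozens of lines. The parser below is an added example for this thread, not code from the original posts or from IAS itself: it groups the trace into EAP sessions, follows a session when IAS hands it to another worker thread ("Successfully retrieved existing session"), and reports per session the allowed EAP types, the number of Access-Challenges sent and whether the exchange ever reached "EAP authentication succeeded". The method names come from the IANA EAP method type registry (13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2); the sample lines are constructed, modelled on the trace in the thread, and the session-joining heuristic is an assumption about the trace format, not documented IAS behaviour.

```python
"""
Added example for this thread (not code from the original posts): a small
parser that turns an IAS trace (IASSAM.LOG format) into per-session summaries
so the differences between a working and a failing client, the allowed EAP
types and whether 'EAP authentication succeeded' was ever reached, are
produced automatically. Standard library only.
"""
import re

LINE_RE = re.compile(r"^\[(?P<tid>\d+)\] (?P<ts>\d\d-\d\d \d\d:\d\d:\d\d:\d\d\d): (?P<msg>.*)$")
IDENTITY_RE = re.compile(r"received request with user identity (\S+)\.$")
EAP_TYPE_RE = re.compile(r"^Allowed EAP type: (\d+)$")
# IANA EAP method type numbers (13 and 25 are the ones that appear in the trace)
EAP_NAMES = {13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

# Constructed sample modelled on the thread's trace: one session that completes
# (handed across two worker threads) and one user whose sessions never finish.
SAMPLE_IASSAM = """\
[8040] 08-24 15:41:29:947: Creating EAP session
[8040] 08-24 15:41:29:947: NT-SAM Names handler received request with user identity testuser4@domain.
[8040] 08-24 15:41:29:947: Allowed EAP type: 13
[8040] 08-24 15:41:29:947: Allowed EAP type: 25
[8040] 08-24 15:41:29:947: Issuing Access-Challenge.
[7140] 08-24 15:41:31:509: Successfully retrieved existing session
[7140] 08-24 15:41:31:509: Issuing Access-Challenge.
[8040] 08-24 15:41:32:494: Successfully retrieved existing session
[8040] 08-24 15:41:32:494: EAP authentication succeeded.
[6080] 06-30 13:05:36:363: Creating EAP session
[6080] 06-30 13:05:36:363: NT-SAM Names handler received request with user identity domain\\dmitrys.
[6080] 06-30 13:05:36:363: Allowed EAP type: 25
[6080] 06-30 13:05:36:363: Issuing Access-Challenge.
[1916] 06-30 13:05:41:700: Creating EAP session
[1916] 06-30 13:05:41:700: NT-SAM Names handler received request with user identity domain\\dmitrys.
[1916] 06-30 13:05:41:700: Allowed EAP type: 25
[1916] 06-30 13:05:41:700: Issuing Access-Challenge.
"""


def parse_sessions(text):
    """Group trace lines into EAP sessions. A session starts at 'Creating EAP session'
    on a worker thread; a thread that logs 'Successfully retrieved existing session'
    is assumed (heuristic) to have picked up the most recent unfinished session."""
    sessions, by_thread = [], {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # hex dumps, separators and other non-trace lines
        tid, ts, msg = m.group("tid"), m.group("ts"), m.group("msg")
        if msg == "Creating EAP session":
            s = {"thread": tid, "start": ts, "end": ts, "identity": None,
                 "eap_types": [], "challenges": 0, "succeeded": False}
            sessions.append(s)
            by_thread[tid] = s
            continue
        if msg == "Successfully retrieved existing session":
            unfinished = [s for s in sessions if not s["succeeded"]]
            if unfinished:
                by_thread[tid] = unfinished[-1]
        s = by_thread.get(tid)
        if s is None:
            continue  # line from a thread whose session start we never saw
        s["end"] = ts
        if (im := IDENTITY_RE.search(msg)):
            s["identity"] = im.group(1)
        elif (tm := EAP_TYPE_RE.match(msg)):
            s["eap_types"].append(int(tm.group(1)))
        elif msg == "Issuing Access-Challenge.":
            s["challenges"] += 1
        elif msg == "EAP authentication succeeded.":
            s["succeeded"] = True
    return sessions


def diagnose(session):
    """One-line verdict per session, stated only in terms of what the trace shows."""
    types = ", ".join(EAP_NAMES.get(t, str(t)) for t in session["eap_types"])
    if session["succeeded"]:
        return f"{session['identity']}: OK via [{types}]"
    return (f"{session['identity']}: offered [{types}], {session['challenges']} challenge(s) sent, "
            "never reached 'EAP authentication succeeded'")


def failed_identities(sessions):
    """Identities that have unfinished sessions and no completed one."""
    ok = {s["identity"] for s in sessions if s["succeeded"]}
    return sorted({s["identity"] for s in sessions if not s["succeeded"]} - ok)


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_IASSAM)
    for s in found:
        print(diagnose(s))
    print("never authenticated:", failed_identities(found))
```

Run against the real trace, the output makes the two observations Paul draws below mechanical: the working session offers both EAP-TLS and PEAP and ends in "EAP authentication succeeded", while the failing user's sessions offer PEAP only, are recreated on every attempt and stop after the Access-Challenge. Paired with the RASCHAP.LOG entries, which show only EapMSChapv2End for the failing threads, that places the stall before the inner MS-CHAPv2 exchange begins, that is, in the PEAP TLS setup where the server certificate is presented.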

Dmitry, What EAP type are your clients configured for? PEAP supports either MS-CHAPV2 or TLS. I notice in the IASSAM.LOG good authentication the client is Allowed EAP Type 13 & 25, but in the IASSAM.LOG bad authentication, Allow 25 only. I believe 13 is TLS and 25 is MS-CHAPv2. I also notice in the good authentication IAS has "retrieved existing session", versus in the bad authentication it's attempting to find a domain controller and perform a full authentication (which tells me in the bad case that it's doing MSCHAPv2 of a user account). Is your IAS remote access policy configured for PEAP TLS and MS-CHAPv2? TLS requires certificates and is mutual authentication. Are there any differences between the clients that can authenticate versus the clients that cannot from a certificate perspective? I know you mentioned in your original thread that you have a PKI; perhaps some clients have been issued a "Client authentication" certificate? Regards, Paul
July 1st, 2011 12:26am

Hi Paul, I have both TLS and PEAP enabled. The clients in question use PEAP. There is a client certificate installed on the failing client, and again, the TLS authentication to the old IAS fails but succeeds to the new one. On the failing IAS I have removed TLS, leaving only PEAP. Authentication fails each time. On the newly installed IAS I also have both TLS and PEAP and authentication works. It looks like there is an old server certificate or some other setting cached on the old IAS, which is causing the problem. I'm unable to find how to clear the configuration of the IAS once it is uninstalled. Any advice on that? Dmitry
July 4th, 2011 1:49am

Dmitry, You may be able to clear the IAS configurations using the NETSH AAAA DELETE commands: http://technet.microsoft.com/en-us/library/cc772029(WS.10).aspx#BKMK_7 Please be advised I've never utilized these commands so run them at your own risk. I'm not sure if these commands delete/clear out the IAS DB or remove the IAS server object from the "RAS and IAS Servers" group in AD or something else. If you do run them please let me know your results. Regards, Paul
July 6th, 2011 4:43pm

Hi Paul, NETSH AAAA DELETE is implemented in Server 2008, not in 2003. I took a similar approach: saved the configuration from the working IAS server and loaded it onto the non-working one. It did not help. No matter what I do, the IAS server fails to authenticate. Best regards, Dmitry
July 12th, 2011 5:49pm

This topic is archived. No further replies will be accepted.