[SOLVED] Windows server 2003 RADIUS server rejects all logon attempts

post #1 of 5
Thread Starter 
Hello,

These past few days I have been trying to get RADIUS to work on a network at my workplace. First, I tried using a Zentyal server with FreeRADIUS 802.1x aka WEP-Enterprise with TTLS PAP authentication. This worked fine in Linux, and fine in Windows 7 with SecureW2, but not in Windows 8 (with or without SecureW2) or on Mac. Windows 8 would simply try to connect to the network, say "Checking network requirements", and hang there until I rebooted the computer or killed Explorer.exe. Pressing the cancel button did nothing at all. It suddenly worked on two Windows 8 machines, both of which run Windows 8 (not 8.1), but not the other two Windows 8 computers (one 8.1 and one 8.0).

So after three days of banging my head against the RADIUS wall, today I decided to try with a Windows Server 2003 (since I had one on hand). I got RADIUS up, with WPA2-Enterprise EAP-MSCHAPv2 and all the other fancy abbreviations, and (for testing reasons) tried to log in with the "Accept users without validating credentials" option on. Using radtest on my Linux machine, I got Access-Accept messages even if the password I entered was wrong (obviously). However, once I turned that option off (set it to "Authenticate requests on this server"), it rejects absolutely all logon requests (Accept-reject packets to radtest), even though the username and password combination is correct. I have tried adding the users to various groups, changing the RADIUS policies to allow only users from these groups, and so on and so forth. By the way, the Event Viewer seems to think that the logon attempts with valid credentials succeed, but that the user instantly logs off again.

A few months ago, however, I was having trouble getting Exchange server to work, and I called an expert on the subject. He immediately recognized the problem and told me to stop all Exchange services and start them again in a specific order, and poof, it worked. I am hoping there is such a thing as a RADIUS expert on here who can do the same for me now.

Thank you in advance.

EDIT: Problem solved. It turned out to be the "Remote Access Permission (Dial-in or VPN)" under the "Dial-in" tab in Active Directory.
Edited by CritiCal - 3/16/14 at 11:52pm
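The "Remote Access Permission (Dial-in or VPN)" setting named in the edit above is stored per user in the Active Directory attribute msNPAllowDialin (TRUE = allow, FALSE = deny, unset = controlled by the remote access policy). The following is an added example, not part of the original post: it reads an LDIF export of user objects and reports each account's dial-in state. The sample accounts and the function names are constructed for illustration.

```python
import base64

# Constructed sample: LDIF as exported by ldifde or ldapsearch; not real accounts.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=test
sAMAccountName: alice
msNPAllowDialin: TRUE

dn: CN=Bob Example,CN=Users,DC=example,DC=test
sAMAccountName: bob
msNPAllowDialin: FALSE

dn: CN=Carol Example With A Long Name,OU=Staff,
 DC=example,DC=test
sAMAccountName:: Y2Fyb2w=
"""

STATES = {"TRUE": "allow", "FALSE": "deny"}


def parse_ldif(text):
    """Return one dict per LDIF entry (attribute names lower-cased)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded continuation line
        else:
            unfolded.append(raw)
    entries, entry = [], {}
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        if line.startswith("#"):
            continue                         # LDIF comment
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry[name.strip().lower()] = value.strip()
    return entries


def dialin_report(text):
    """Map sAMAccountName -> 'allow', 'deny' or 'policy' (attribute unset)."""
    report = {}
    for entry in parse_ldif(text):
        user = entry.get("samaccountname")
        if user:
            flag = entry.get("msnpallowdialin", "").upper()
            report[user] = STATES.get(flag, "policy")
    return report


if __name__ == "__main__":
    for user, state in sorted(dialin_report(SAMPLE_LDIF).items()):
        print(f"{user:10s} {state}")
```
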
post #2 of 5
I have no experience with RADIUS on Windows Server 2003, but when working with FreeRADIUS I always start it with option -X -xx to get all debug output. In those logs I can usually find the issues I need to solve. I haven't seen issues with Windows 8 yet, but I also haven't focus tested that yet; I have only worked with my own desktop in my lab using RADIUS so far.
post #3 of 5
Thread Starter 
FreeRADIUS with -x spams this Message when trying to Connect with Windows 8:
Code:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x531fa749521db214 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Message appears 3-5 times per logon attempt.

As the Message implies, it's a certificate problem, but I am 100% certain that the certificate is compatible, so I hereby pronounce it... a bug. Note: this only happens on the extremely rare occasions where Windows 8 doesn't hang on "Checking network requirements".

You should also know that using Windows Server 2003 as the RADIUS server solved the problem with Windows 8 Clients hanging on "Checking network requirements", but they still can't Connect ("Can't Connect to this network").

PS: Excuse my strange capitalization, the computer is doing it of its own Accord now.
Edited by CritiCal - 3/13/14 at 5:11am
post #4 of 5
Thread Starter 
Update: Using a DD-WRT router configured with RADIUS authentication appears to solve the Windows 8 problem of "checking network requirements"; however, this problem was instantly replaced by the server (Zentyal server again) saying:
Code:
Auth: Login incorrect: [*username*] (from Client *ip address* port 0 via TLS tunnel)
Auth: Login incorrect: [*username*] (from Client *ip address* port 6 cli *mac address*)

No more information than this is logged, no matter the number of x's FreeRADIUS is started with.
post #5 of 5
Thread Starter 
Could it be a clock problem? Perhaps there is a one second difference between the clocks, and therefore Kerberos doesn't want to log it on?