
EAP Auth REJECT received from RADIUS

Created: 28 Mar 2012 | 1 comment

Hey Guys,

I'm not all that gung-ho on the SNAC side of things (but I am with the SEPM side), so I just need some help trying to figure this bitch out.

So I have this one laptop (my test laptop for SNAC, Windows XP) and all of a sudden yesterday it just started to get Auth Failed and was unable to get on to the network. All the other laptop users, both XP and W7, are able to (I freaked out a little thinking it was everyone for about 5 minutes).

Setup:

All clients using SNAC are on wireless (no 802.1x over LAN).

LAN Enforcers are Linux 2.6.18-92.

Here are the LAN Enforcer logs showing you where it's going wrong:

Mar/28/2012 11:54:14  [  radproxy.c][ 3841]: EAP Identity received!
Mar/28/2012 11:54:14  [  radproxy.c][ 4075]: Forward identity to 172.xx.x.xx with user domain\markg from authenticator 172.xx.x.xx! HI=14
Mar/28/2012 11:54:14  [  radproxy.c][ 5620]: Get Start Packet id as 66
Mar/28/2012 11:54:14  [  radproxy.c][ 5715]: Send PEAP Challenge to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:14  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 66
Mar/28/2012 11:54:14  [  radproxy.c][ 4508]: Payload=115, EAP Length=279, eaphdr=4, Reply=52
Mar/28/2012 11:54:14  [  radproxy.c][ 7425]: Get UID as from client(000001bb), domain\markg:
Mar/28/2012 11:54:14
00000000  DF E1 C1 8D DD 82 EE 6C   76 C8 6B D9 81 FA D0 3F   .......l v.k....?
00000010  95 27 3F BD A7 80 3D 15   24 5F 00 9D 4D 11 D3 60   .'?...=. $_..M..`
00000020  F6 40 1C 0A B8 C4 13 78   51 E2 9B E7 BA B9 9C 93   .@.....x Q.......
00000030  67 5C F5 38 58 C4 95 7E   62 63 EC 25 89 57 93 EC   g\.8X..~ bc.%.W..
00000040  DD AA EC 3E AC 1C 01 68   00 C0 79 30 7B BD B9 E1   ...>...h ..y0{...
00000050
Mar/28/2012 11:54:14  [  radproxy.c][ 7434]: Get profile serial number from SSA 000001bb: 548E-03/21/2012 04:12:11 280, and server is Valid 548E-03/28/2012 02:53:49 384
 
Mar/28/2012 11:54:14  [  radproxy.c][ 7567]: In R_id=3, domain\markg
Mar/28/2012 11:54:14  [  radproxy.c][ 4951]: Forward remove HI packet to 172.xx.x.xx from domain\markg via 172.xx.x.xx.
Mar/28/2012 11:54:14  [  radproxy.c][ 5784]: Simple Forward PEAP to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 67
Mar/28/2012 11:54:15  [  radproxy.c][ 4734]: Forward packet from user domain\markg via switch 172.xx.x.xx to RADIUS server 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 5784]: Simple Forward PEAP to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 68
Mar/28/2012 11:54:15  [  radproxy.c][ 4734]: Forward packet from user domain\markg via switch 172.xx.x.xx to RADIUS server 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 5784]: Simple Forward PEAP to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 69
Mar/28/2012 11:54:15  [  radproxy.c][ 4734]: Forward packet from user domain\markg via switch 172.xx.x.xx to RADIUS server 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 5784]: Simple Forward PEAP to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 70
Mar/28/2012 11:54:15  [  radproxy.c][ 4734]: Forward packet from user domain\markg via switch 172.xx.x.xx to RADIUS server 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 5784]: Simple Forward PEAP to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 71
Mar/28/2012 11:54:15  [  radproxy.c][ 4734]: Forward packet from user domain\markg via switch 172.xx.x.xx to RADIUS server 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 5784]: Simple Forward PEAP to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 72
Mar/28/2012 11:54:15  [  radproxy.c][ 4734]: Forward packet from user domain\markg via switch 172.xx.x.xx to RADIUS server 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 5784]: Simple Forward PEAP to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 4494]: PEAP, start packet eap id is 66, current eap packet id 73
Mar/28/2012 11:54:15  [  radproxy.c][ 4734]: Forward packet from user domain\markg via switch 172.xx.x.xx to RADIUS server 172.xx.x.xx
Mar/28/2012 11:54:15  [  radproxy.c][ 6070]: EAP Auth REJECT received from RADIUS 172.xx.x.xx for user domain\markg.
Mar/28/2012 11:54:15  [  radproxy.c][ 8019]: No rule macthed in action table, close port!
Mar/28/2012 11:54:15  [  radproxy.c][ 8195]: Client[000001bb] domain\markg, Status Recevied(HI:PASSED, EAP:FAILED, PRO:FAILED), UID is CORRECT, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 172.xx.x.xx.
Mar/28/2012 11:54:19  [  radproxy.c][ 3841]: EAP Identity received!
Mar/28/2012 11:54:19  [  radproxy.c][ 4075]: Forward identity to 172.xx.x.xx with user domain\markg from authenticator 172.xx.x.xx! HI=14
Mar/28/2012 11:54:19  [  radproxy.c][ 5620]: Get Start Packet id as 68
Mar/28/2012 11:54:19  [  radproxy.c][ 5715]: Send PEAP Challenge to user domain\markg via switch 172.xx.x.xx
Mar/28/2012 11:54:19  [  radproxy.c][ 4494]: PEAP, start packet eap id is 68, current eap packet id 68
Mar/28/2012 11:54:19  [  radproxy.c][ 4508]: Payload=115, EAP Length=279, eaphdr=4, Reply=52
Mar/28/2012 11:54:19  [  radproxy.c][ 7425]: Get UID as from client(000001bb), domain\markg:

Chuck Edson

EAP Failed means the RADIUS server rejected the username/password combo.  Check the logs of the RADIUS/IAS/NPS server.

Because you do not have a rule that matches (HI:PASSED, EAP:FAILED, PRO:FAILED) the default action (CLOSE PORT) is taken.

Note that if you are running IAS (Win2k3) or NPS (Win2k8) on the same box as the SEPM, you will end up with a port conflict, as the SEPM listens on 1812 (RADIUS) to do client lookups.  The workaround for this is to have the IAS or NPS listen on a different port.

If a post helps you, please mark it as the solution to your issue.
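
Added example, not part of the original thread or of Symantec's tooling: a small Python triage script that reads LAN Enforcer `radproxy.c` lines in the format posted above, pulls out the `Status Recevied(...)` tuple and the action taken, and marks whether the decision was preceded by a RADIUS reject for the same user. The sample log is constructed from the thread's lines plus one constructed contrasting entry (`domain\testuser`, client `000001bc`); the function names are hypothetical.

```python
import re

# Constructed sample: the first three lines follow the thread's log
# (addresses redacted as posted); the last line is constructed for contrast.
SAMPLE_LOG = r"""
Mar/28/2012 11:54:15  [  radproxy.c][ 6070]: EAP Auth REJECT received from RADIUS 172.xx.x.xx for user domain\markg.
Mar/28/2012 11:54:15  [  radproxy.c][ 8019]: No rule macthed in action table, close port!
Mar/28/2012 11:54:15  [  radproxy.c][ 8195]: Client[000001bb] domain\markg, Status Recevied(HI:PASSED, EAP:FAILED, PRO:FAILED), UID is CORRECT, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 172.xx.x.xx.
Mar/28/2012 11:56:02  [  radproxy.c][ 8195]: Client[000001bc] domain\testuser, Status Recevied(HI:FAILED, EAP:PASSED, PRO:PASSED), UID is CORRECT, Enforcer matches(HI:ANY, EAP:ANY, PRO:ANY), CLOSE_PORT on switch 172.xx.x.xx.
"""

# "Recevied" is spelled the way the Enforcer writes it in the log above.
STATUS_RE = re.compile(
    r"^(?P<time>\S+ \S+)\s+\[\s*radproxy\.c\]\[\s*\d+\]: "
    r"Client\[(?P<client>[0-9a-fA-F]+)\] (?P<user>[^,]+), "
    r"Status Recevied\((?P<status>[^)]*)\), .*?"
    r"Enforcer matches\([^)]*\), (?P<action>\w+) on switch")
REJECT_RE = re.compile(r"EAP Auth REJECT received from RADIUS \S+ for user (.+?)\.$")

def parse_status(text):
    """'HI:PASSED, EAP:FAILED' -> {'HI': 'PASSED', 'EAP': 'FAILED'}"""
    return dict(part.strip().split(":", 1) for part in text.split(","))

def triage(log_text):
    """Return one finding per enforcement decision, naming the failed checks."""
    pending_reject = set()  # users with a RADIUS reject not yet tied to a decision
    findings = []
    for line in map(str.strip, log_text.splitlines()):
        reject = REJECT_RE.search(line)
        if reject:
            pending_reject.add(reject.group(1))
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        failed = sorted(k for k, v in parse_status(m.group("status")).items()
                        if v != "PASSED")
        findings.append({"time": m.group("time"), "user": user,
                         "client": m.group("client"), "action": m.group("action"),
                         "failed": failed, "radius_reject": user in pending_reject})
        pending_reject.discard(user)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = "RADIUS/IAS/NPS server logs" if f["radius_reject"] else "no RADIUS reject seen"
        print(f'{f["time"]} {f["user"]} {f["action"]} failed={f["failed"]} -> {where}')
```

Run against a full Enforcer log, the `radius_reject` flag separates ports closed because the RADIUS server refused the credentials from ports closed for another failed check.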