No idea if this is the problem, but since you mention IAS...

I discovered on Monday (having been failing to connect to JRS for
months) that IAS requires a valid username as the EAP outer identity, as
well as for the EAP inner identity, which is the one that's supposed to
be used for authentication.

So a supplicant (or a security-conscious user) who sets the outer
identity to something anonymous in the interests of privacy doesn't even
get the chance to enter a password before being thrown out. Very
confusing debugging this over the phone:

Home site: "there's the authentication failure"
Visitor: "but I haven't tried to authenticate yet!"

And yes, this does break the first rule of authentication design, that
you should never tell the user whether it was the username or the
password they got wrong :-(

Andrew
--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation
Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399
> -----Original Message-----
> From: Wireless Issues in the JANET community
> [mailto:[log in to unmask]] On Behalf Of Caines, Max
> Sent: 29 November 2007 15:34
> To: [log in to unmask]
> Subject: Re: [WIRELESS-ADMIN] WPA and Vista
>
> WPA1 + WPA2. The RADIUS server is IAS
>
> Max
>
> > -----Original Message-----
> > From: Wireless Issues in the JANET community
> > [mailto:[log in to unmask]] On Behalf Of Alan Buxey
> > Sent: 29 November 2007 15:21
> > To: [log in to unmask]
> > Subject: Re: WPA and Vista
> >
> > Hi,
> >
> > > I've had a couple of people who have reported being unable to connect to our
> > > WPA SSID using Vista laptops. The laptop believes that the network is
> > > protected by WEP rather than WPA, despite the fact that WEP is not enabled
> > > on any SSID. As a result it refuses to connect even though the SSID is
> > > defined correctly on the laptop. The access points are all Cisco lightweight
> > > ones, and the controllers are running 4.1.185.0, with WPA1 enabled with both
> > > TKIP and AES, but not WPA2. I imagine this is an issue with the controller
> > > software rather than Vista, but I can't be sure. Has anyone seen this, and
> > > if so, is there a fix?
> >
> > how have you defined the authentication method? ie WPA+WPA2 or
> > 802.1X?
> >
> > what RADIUS server are you using for the AAA?
> >
> > alan
> >
>
JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
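
The outer-identity rejection described in the top message, as an added example that is not part of the original thread: a help-desk helper that reads the EAP-Response/Identity packet (RFC 3748 layout) and suggests whether a reject came before any inner authentication. The function names, the example.ac.uk realm, the "empty or 'anonymous' user part" convention and the stage heuristic are all assumptions made for illustration.

```python
import struct

EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1  # RFC 3748 code and type values


def build_identity_response(identifier: int, identity: str) -> bytes:
    """Build an EAP-Response/Identity packet (used here to make sample input)."""
    data = identity.encode("utf-8")
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(data),
                       EAP_TYPE_IDENTITY) + data


def parse_outer_identity(packet: bytes) -> str:
    """Return the identity string from an EAP-Response/Identity packet."""
    if len(packet) < 5:
        raise ValueError("too short for an EAP Identity packet")
    code, _ident, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    if length < 5 or length > len(packet):
        raise ValueError("EAP length field does not match the packet")
    return packet[5:length].decode("utf-8", errors="replace")


def is_anonymous(identity: str) -> bool:
    """True when the user part is empty or 'anonymous' (assumed convention)."""
    user = identity.partition("@")[0]
    return user.lower() in ("", "anonymous")


def reject_stage(outer_packet: bytes, tunnel_established: bool) -> str:
    """Heuristic (assumption): say where a RADIUS reject most likely happened."""
    if tunnel_established:
        return "inner"            # inner credentials were actually checked
    if is_anonymous(parse_outer_identity(outer_packet)):
        return "outer-identity"   # thrown out before any password was sent
    return "pre-tunnel-other"     # named outer identity, failed before the tunnel


# Constructed sample: a visitor using an anonymous outer identity.
SAMPLE = build_identity_response(1, "anonymous@example.ac.uk")

if __name__ == "__main__":
    print(parse_outer_identity(SAMPLE), "->", reject_stage(SAMPLE, False))
```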