Hi everyone,
first of all, before I start asking stupid noob questions, I wish all of you a happy new year 
Before I start asking my question, I just want u to let know, that I'm completely new to the Juniper stuff - so please excuse, if my question is a noob-one (although I didn't find anything in the knowledge base)
Currently I have an issue with an IC6500, which was bought a time ago by one of our customers to authenticate WiFi User (the current solution will be switched off soon). The goal is to authenticate WiFi User against their User Certificate and the AD Account. Unfortunately I already have some Problems with the AD authentication... 
When we ran into problems, we decided to set up the solution step by step, to verify what the problem is. We also decided to start with the authentication via Web Interface, to check if the problem is with the Wireless System Communication and/or is a general one.
Architecture:
We currently use several Cisco APs and WLCs to associate clients. The new IC6500 will be used to check if the client has a valid client certificate and forward the User Credentials to the corporate AD Server. After successfully authentication, the client will be allowed to connect to the WLAN.
First Test - Authentication via IC6500 Webpage:
We set up the authentication via the IC6500 Webpage (SignIn page). After some tests, everything worked fine. The client Certificate was checked and the user credentials were forwarded to the corporate AD Server. So everything (e.g.. communication to the AD Server) should be fine.
Second Test - Authentication via 802.1x and WiFi:
This is, where we ran into problems. Certificate authentication didn't work at all. Authentication against the AD Server didn't work, too. But if I set up a user locally (on the IC6500) the user is authenticated and could log into the WLAN. Which in my opinion means, that the WLC / IC6500 communication is working properly.
Now, before we want to proceed with the two Factor Authentication, we want to set up just the AD Authentication. The client uses the built-in MS (MS Vista) WiFi Client. We want to use 802.1x PEAP / MSchapv2. But everytime we connect to the WLAN, the IC refuses our authentication request (internal Authentication error). According to the debug files, the "drop" comes from the AD Server.
Does anyone had had similar issue and can point me to the right direction...as written above - the communication itself with the different subsystems seems to be ok, because in one scenarios everything is working (SignIn page) and the WLC IC communication seems to be ok, too (WLAN Authentication against local IC User). It must be something with the payload of the AD Authentication from the client....
Thx in advance!
Cheers
Martin
Hi,
yesw - DOMAIN is correct, because I replaced the real Domain name with that one
I gonna cheeck this with the AD Group again, but I doubt that they'll find something (as said before - authenticatioin via AD is working with the SignIn page and w/o 802.1x PEAP and WLC...and I tried it several times, so there shouldn't be a problem with misstyping.
Cheers
Martin
According to the log, username is not being validated at the server. Server is rejecting the username.
You can try checking strip domain name from windows username located under the Auth Servers under authentication.
Authentication -----> Auth Servers ----> <your Auth Server (AD in this case or LDAP)> Remove Domain from Windows user names?
Check the box below.
I also suggest you to check if CHAP alone works with out 802.1x Authentication.
If your client is unable to authenticate using CHAP alone on the Server, you might me missing store passwords using reverse encryption in AD password policies.
Siince, in the last post one poster reported that EAP-TTLS/EAP-JUAC works fine, I suspect this reverse passwod encryption setting to be off.
It must be enabled to perform any authentication related to MSCHAP.
Please post if this doesnt work. Let us know if it works as well
Hope it helps.
Regards,
Parth
