Hi everyone,
quick question I am hoping someone has run into before -- I am setting up UAC in a lab environment and testing the various configuration options with native supplicants, OAC, etc.
I am running into an issue with the native Windows 802.1x supplicant authenticating with my IC:
- Radius authentication rejected for wmclendon (realm 'wired') from location-group 'Internal Loc Group' and attributes are: NAS-IP-Address = 172.17.1.1,NAS-Port = 76,NAS-Port-Type = 5
- Info AUT23457 2009-08-31 11:09:28 - ic - [0.0.0.0] wmclendon(wired)[] - Login failed using auth server LAB-AD (LDAP Server). - Primary authentication failed for wmclendon/LAB-AD from 00-21-70-76-4d-01
- Could not authenticate user wmclendon in LDAP server LAB-AD using protocol MSCHAPV2: challenge-response open protocols are disabled.
I have my AD server in the IC as an LDAP server (I seem to remember someone telling me this was a better idea than just using AD . . . is that still the case?)
The issue seems obvious, but I have no idea how to enable MSCHAPv2 on my AD server . . . and Google has gotten me nowhere. I realize this is an MS issue and not a Juniper one, but I am hoping my fellow Juniper brethren know a quick fix for this.
If the supplicant is OAC, authentication works without issue.
Also when I change it from an LDAP server to an AD server, everything works fine. So really I guess my question is what are the advantages (disadvantages?) of using an LDAP server vs configuring it as an AD?
Thanks,
Will
You can't use PEAP(EAP-MS-CHAP-V2) against an LDAP server,
because MS-CHAP-V2 sends a hashed password (using MD4), while an LDAP connection (Bind) needs a clear-text password.
The IC can't convert a password from MD4 back to clear text, so the authentication fails.
If you need to use an LDAP connection, you need to use PEAP(EAP-GenericTokenCard, EAP-JUAC) or TTLS(PAP, EAP-JUAC, EAP-GenericTokenCard).
If you need to use PEAP(EAP-MS-CHAP-V2), you need to select Active Directory / Windows NT in the Authentication Servers panel.