Showing results for 
Search instead for 
Did you mean: 

Radius Auth with IAS as backend

Occasional Contributor

Radius Auth with IAS as backend

Hi everyone,

quick question I am hoping someone has run into before -- I am setting up UAC in a lab environment and testing the various configuration options with native supplicants, OAC, etc.

I am running into an issue with the native Windows 802.1x supplicant authenticating with my IC:

- Radius authentication rejected for wmclendon (realm 'wired') from location-group 'Internal Loc Group' and attributes are: NAS-IP-Address =,NAS-Port = 76,NAS-Port-Type = 5

Info AUT23457 2009-08-31 11:09:28 - ic - [] wmclendon(wired)[] - Login failed using auth server LAB-AD (LDAP Server). - Primary authentication failed for wmclendon/LAB-AD from 00-21-70-76-4d-01

-Could not authenticate user wmclendon in LDAP server LAB-AD using protocol MSCHAPV2: challenge-response open protocols are disabled.

I have my ADserver in the IC as an LDAP server (I seem to remember someone telling me this was a better idea than just using AD . . . is that still the case?)

The issue seems obvious, but I have no idea how to enable MSCHAPv2 on my AD server . . . and google has gotten me nowhere. I realize this is an MS issue and not Juniper, but hoping my fellow Juniper brethren know a quick fix for this Smiley Happy

If the supplicant is OAC, authentication works without issue

Also when I change it from an LDAP server to an AD server, everything works fine. So really I guess my question is what are the advantages (disadvantages?) of using an LDAP server vs configuring it as an AD?



Occasional Contributor

Re: Radius Auth with IAS as backend

You can't use PEAP(EAP-MS-CHAP-V2) against LDAP server,

because MS-CHAP-V2 send hashed password by using MD4, LDAP connection (Bind) needs a clear text password.

IC can't convert a password from MD4 to clear text, the authentication fail.

If you need to use LDAP connection, you need to use PEAP(EAP-GenericTokenCard, EAP-JUAC) or TTLS(PAP, EAP-JUAC, EAP-GenericTokenCard).

If you need to use PEAP(EAP-MS-CHAP-V2),you need to select the Active Directory /Windows NT in Authentication Servers panel.