SBR 6 issue with Windows 7 Supplicant

SOLVED
New Contributor

I haven't seen this in the past, but we haven't done much Windows 7 802.1X before this week.

The standard Windows 7 supplicant appears to duplicate the "User-Name" TLV inside of an 802.1X/RADIUS tunnel, which then weirds out SBR which claims that this is a problem. I tried this with the Mac OS X supplicant and it isn't happening there, so that would tend to eliminate the switch (although since it's in the tunnel, it can't be the switch anyway) in case anyone wants to point fingers.

Is there any magical hidden way to tell SBR not to get upset by a duplicated value in the tunnel?

Here is the essence of the log from the SBR system:

02/23/2010 12:54:12 Tunneled Authentication Request
02/23/2010 12:54:12 Packet : Code = 0x1 ID = 0x20
02/23/2010 12:54:12 Client Name = NAC-CISCO-SWITCH Dictionary Name = Cisco.dct
02/23/2010 12:54:12 Vector =
02/23/2010 12:54:12 000: 38ddaffe 0e5d2328 281ea5d4 3130256c |8....]#((...10%l|
02/23/2010 12:54:12 Parsed Packet =
02/23/2010 12:54:12 EAP-Message : Value =
02/23/2010 12:54:12 000: 0206000d 016e6163 74657374 31 |.....nactest1 |
02/23/2010 12:54:12 User-Name : String Value = nactest1
02/23/2010 12:54:12 User-Name : String Value = nactest1
02/23/2010 12:54:12 Service-Type : Integer Value = 2
02/23/2010 12:54:12 Framed-MTU : Integer Value = 1500
02/23/2010 12:54:12 Called-Station-Id : String Value = 00-16-46-72-F3-02
02/23/2010 12:54:12 Calling-Station-Id : String Value = 00-16-D3-3A-4F-1B
02/23/2010 12:54:12 Cisco-AVPAIR : String Value = audit-session-id=C023C35B0000000E1E2E7043
02/23/2010 12:54:12 NAS-Port-Type : Integer Value = 15
02/23/2010 12:54:12 NAS-Port : Integer Value = 50102
02/23/2010 12:54:12 NAS-Port-ID : String Value = GigabitEthernet1/0/2
02/23/2010 12:54:12 State : String Value = SBR-CH 3|4
02/23/2010 12:54:12 NAS-IP-Address : IPAddress = 192.35.195.91
02/23/2010 12:54:12 -----------------------------------------------------------
02/23/2010 12:54:12 Doing inventory check on request
02/23/2010 12:54:12 Multiple User-Name attributes in request
02/23/2010 12:54:12 Request has invalid syntax (e.g. invalid, missing or duplicate attributes), Rejecting
02/23/2010 12:54:12 -----------------------------------------------------------

In case anyone at Juniper wants to see the whole thing, I will attach the whole log and a PCAP of a different authentication (but one which is essentially identical).

Accepted Solutions
New Contributor

Re: SBR 6 issue with Windows 7 Supplicant

I found the problem thanks to the help of Jeff Reilly at Juniper.

To make 802.1X work properly, we were using filter.ini to copy attributes from outer to inner & vice versa. This was actually causing the attribute to get copied so that SBR saw it "twice." (maybe a bug? Hard to say...) Anyway, I changed the filter.ini that we were calling to "Exclude User-Name" and the duplicate attribute is no longer seen.

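The "Multiple User-Name attributes in request" rejection from the question can be spotted offline by counting attributes per parsed packet in an SBR debug log. This is an added example, not code from the thread or from Juniper: it assumes the log line layout shown in the question, the function and constant names are hypothetical, the sample log is constructed, and the at-most-once attribute set is a subset taken from the RFC 2865 attribute table.

```python
import re
from collections import Counter

# Subset of attributes RFC 2865 allows at most once in an Access-Request.
SINGLE_INSTANCE = {
    "User-Name", "User-Password", "NAS-IP-Address", "NAS-Port",
    "Service-Type", "Framed-MTU", "State", "Called-Station-Id",
    "Calling-Station-Id", "NAS-Port-Type",
}
# Assumed layout: "<date> <time> <Attr> : <type> = <value>"; hex dump rows do not match.
ATTR_LINE = re.compile(r"^\S+ \S+ ([A-Za-z][\w-]*) : .*=")

def duplicate_attributes(log_text):
    """Per parsed packet, return {attr: count} for single-instance attributes seen twice or more."""
    findings, counts, in_packet = [], Counter(), False
    for line in log_text.splitlines():
        if "Parsed Packet =" in line:          # start of an attribute listing
            in_packet, counts = True, Counter()
        elif in_packet and "-----" in line:    # dashed rule closes the listing
            findings.append({a: n for a, n in counts.items()
                             if a in SINGLE_INSTANCE and n > 1})
            in_packet = False
        elif in_packet:
            m = ATTR_LINE.match(line.strip())
            if m:
                counts[m.group(1)] += 1
    return findings

# Constructed sample modelled on the log format in the question (placeholder values).
SAMPLE_LOG = """\
01/01/2024 10:00:00 Packet : Code = 0x1 ID = 0x20
01/01/2024 10:00:00 Parsed Packet =
01/01/2024 10:00:00 EAP-Message : Value =
01/01/2024 10:00:00 000: 0206000a 01616c69 6365 |.....alice |
01/01/2024 10:00:00 User-Name : String Value = alice
01/01/2024 10:00:00 User-Name : String Value = alice
01/01/2024 10:00:00 Service-Type : Integer Value = 2
01/01/2024 10:00:00 Cisco-AVPAIR : String Value = audit-session-id=EXAMPLE1
01/01/2024 10:00:00 Cisco-AVPAIR : String Value = example-key=EXAMPLE2
01/01/2024 10:00:00 -----------------------------------------------------------
01/01/2024 10:00:05 Parsed Packet =
01/01/2024 10:00:05 User-Name : String Value = bob
01/01/2024 10:00:05 Service-Type : Integer Value = 2
01/01/2024 10:00:05 -----------------------------------------------------------
"""

if __name__ == "__main__":
    print(duplicate_attributes(SAMPLE_LOG))
```

Repeated vendor attributes such as Cisco-AVPAIR are not flagged, because they may legitimately occur more than once; only the duplicated User-Name in the first packet is reported.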

Not applicable

Re: SBR 6 issue with Windows 7 Supplicant

Hi Joel,

If possible, can you please share your filter.ini and auth config files? I am trying to achieve the following scenario, but couldn't manage to get it working.

Scenario:

Outer: EAP-PEAP, Inner: GTC/MS-CHAPV2, forwarding the inner part to a directed realm, then copying the attributes from outer to inner ones and forwarding it to a third-party RADIUS server. I have modified the necessary files and spotted in the log files that my username is routed properly to the directed realm I created, but also found out, while sniffing the traffic between the SBR and the other RADIUS server, that the SBR does not copy the attributes from outer to inner.

Note: I also tried enabling master directory as well as adding the specific attributes I want to see in inner auth via putting them in filter.ini, but it didn't work out again.

peapauth.aut

[Inner_Authentication]
;Script=
Directed_Realm=test2

[Request_Filters]
Transfer_Outer_Attribs_to_New=peap_transfer_inner_to_accept
;Transfer_Outer_Attribs_to_Continue=
;Edit_New=
;Edit_Continue=

filter.ini

[peap_transfer_inner_to_accept]
Allow

test2.dir

[Auth]
Enable = 1
StripRealm = 1
UseMasterDictionary = no

[Acct]
[AuthMethods]
proxy: FREERADIUS

[AcctMethods]
[Called-Station-Id]

Thanks.

Tunc

New Contributor

Re: SBR 6 issue with Windows 7 Supplicant

I couldn't connect my Windows 7 clients to EAP PEAP Authentication with SBR 6.1.7.

All my Windows 8 clients work fine though.

I have added the filter for "Exclude User-name" for both Accept and Reject in the filter.ini file. Still the issue persists.

Any help is much appreciated.

Regular Contributor

Re: SBR 6 issue with Windows 7 Supplicant

Can you look at the debug logs and see what's in there? The debug log (@Level2) will provide verbose logs and should provide you with failure reasons.

Thanks

New Contributor

Re: SBR 6 issue with Windows 7 Supplicant

Thanks for the quick help.

I could see that the log says "user xxxx failed the challenge sequence".

I have attached the log file, covering from restarting the server until making a connection with the Win 7 client.

SBR EE 6.1.7 is installed on Windows 2008 R2 64-bit Enterprise Edition with a domain controller installed and configured with some users under Active Directory and users.

Attached the sniffer logs as well. Kindly suggest a solution for this.

New Contributor

Re: SBR 6 issue with Windows 7 Supplicant

Hi Ashish,

Could you help me fix this? Have you taken a look at the logs that I attached earlier?

I tried installing SBR 6.1.7 on Windows 2008 32-bit Enterprise Edition and am facing the same issue.

Windows 8 clients are working; however, Windows 7 clients are not.

The logs are the same as the ones I attached.

Any help is highly appreciated.

Thanks
Ramesh

Regular Contributor

Re: SBR 6 issue with Windows 7 Supplicant

Hi Ramesh,

The logs report that the error is triggered at the client, possibly due to some access restriction issue?

Refer below:

05/22/2013 14:37:24 EAP-PEAP authentication failed - client issued alert number 49
05/22/2013 14:37:24 User peapuser ultimately failed challenge sequence

Does this issue happen on all your Windows 7 clients, or are these isolated cases?

New Contributor

Re: SBR 6 issue with Windows 7 Supplicant

Ashish,

Thanks again for your response.

Yes, it happened on all of the Windows 7 clients. I suspected that the client-side server validation was not happening properly, or that there were some encryption issues while clients do the initial handshake. No idea!

Later I just changed the server certificate from the MMC console to the webserver template and then tried to connect with the Win 7 clients, which gave a missing service type attribute error in the SBR server logs.

And then I added the "Framed" and "Administrative" service types, which finally solved :-) :-) :-) all of my issues.

Thanks anyway

Ramesh