wsantner Absent Member.

802.1x Auth

We're using Network Policy Server (NPS) on Windows 2008 to handle RADIUS Authentication (PEAP w/ MS-CHAP-v2) from our Wireless LAN Controller for WPA2. This configuration works with standard windows accounts, mac clients, and even iPods. Trying to get this to work with 802.1x on the Novell client 4.91 SP5 on WinXP SP3 seems to be a problem, though. I've tried the latest IR1 rollup, too.

I haven't tried a packet capture yet, but I was hoping someone might be able to tell me if the Novell client uses some nonstandard MS-CHAP-v2 for 802.1x? I see in the NPS logs that the username comes across fine, but the password is being rejected. Does 802.1x in the Novell client only work with FreeRadius integrated with eDirectory?
wsantner Absent Member.

Re: 802.1x Auth

I did a packet capture of 802.1x with the Novell Client as well as with the stand-alone Windows supplicant. The process seems to progress exactly the same for both except with an EAP Failure at the end when using Novell 802.1x.

I'm trying to log what is going on with the instructions here:

Enable Debug Logging for NOVEAP.DLL (802.1x Wireless)

My noveap.dll is version 1.1.0.7, and has a file date after 08Feb2010, but none of the registry keys mentioned exist...
rolflidvall Absent Member.

Re: 802.1x Auth

> My noveap.dll is version 1.1.0.7, and has a file date after 08Feb2010,
> but none of the registry keys mentioned exist...


Did you register the file with regsvr32?


Regards
Rolf Lidvall
Swedish Radio (Ltd)


rolflidvall Absent Member.

Re: 802.1x Auth

> but none of the registry keys mentioned exist...

You must create them. This is often the case with debug logging settings.


Regards
Rolf Lidvall
Swedish Radio (Ltd)


wsantner Absent Member.

Re: 802.1x Auth

Thanks for the response. I was actually able to get some tracing with an "older" 1.0.1.0 version of noveap.dll. Not sure how to interpret. I see all these attempts on the RADIUS server, but the password is being rejected. Any ideas?

[1452] 14:23:11:406: RasEapGetInfo
[1452] 14:23:11:406: Type ID 26
[1452] 14:23:11:406: StartServer called
[1452] 14:23:11:406: RasEapGetIdentity flags 82
[1452] 14:23:11:406: RasEapGetIdentity RAS_EAP_FLAG_NON_INTERACTIVE
[1452] 14:23:11:406: RasEapGetIdentity phone entry Dell Wireless 1397 WLAN Mini-Card - Packet Scheduler Miniport
[1452] 14:23:11:406: StartServer called
[1452] 14:23:11:406: calling getidentity to ask for credentials 82
[1452] 14:23:11:421: GetIdentity identity XXusernameXX
[1452] 14:23:11:421: RasEapGetIdentity1 returned 0
[1452] 14:23:11:421: RasEapFreeMemory
[2024] 14:23:11:515: EapBegin(XXusernameXX)
[2024] 14:23:11:515: EapBegin tickCount = 1211203
[1460] 14:23:11:515: NovRasEAPWaitForAuthResults_s gEapState gEapFinishEvent 0 7500
[2024] 14:23:11:515: EapMakeMessage sendbufsize(1290)
[2024] 14:23:11:515: EapMakeMessage (XXusernameXX)
[2024] 14:23:11:515: EapMakeMessage recieve code(1)
[2024] 14:23:11:515: EapMakeMessage pChallengeData opcode(1)
[2024] 14:23:11:515: AuthenticateeMakeMessage code 1
[2024] 14:23:11:515: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[2024] 14:23:11:515: AuthenticateeMakeMessage opcode 1
[2024] 14:23:11:515: AuthenticateeMakeMessage CHAPv2OCdChallenge
[2024] 14:23:11:515: EapMakeMessage action(4)
[2024] 14:23:11:515: EapMakeMessage send code(2)
[2024] 14:23:11:515: EapMakeMessage challenge response opcode(2)
[2024] 14:23:11:515: EapMakeMessage returned(0)
[2024] 14:23:11:531: EapMakeMessage sendbufsize(1290)
[2024] 14:23:11:531: EapMakeMessage (XXusernameXX)
[2024] 14:23:11:531: EapMakeMessage recieve code(1)
[2024] 14:23:11:531: EapMakeMessage pChallengeData opcode(3)
[2024] 14:23:11:531: AuthenticateeMakeMessage code 1
[2024] 14:23:11:531: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[2024] 14:23:11:531: AuthenticateeMakeMessage opcode 3
[2024] 14:23:11:531: AuthenticateeMakeMessage CHAPv2OCdSuccess
[2024] 14:23:11:531: GenerateAuthResponse returned 0
[2024] 14:23:11:531: AuthenticateeMakeMessage CheckAuthResponse returned 1
[2024] 14:23:11:531: EapMakeMessage action(4)
[2024] 14:23:11:531: EapMakeMessage send code(2)
[2024] 14:23:11:531: EapMakeMessage challenge response opcode(3)
[2024] 14:23:11:531: EapMakeMessage returned(0)
[2024] 14:23:11:531: EapMakeMessage sendbufsize(1290)
[2024] 14:23:11:531: EapMakeMessage (XXusernameXX)
[2024] 14:23:11:531: EapMakeMessage recieve code(3)
[2024] 14:23:11:531: EapMakeMessage pChallengeData opcode(250)
[2024] 14:23:11:531: AuthenticateeMakeMessage code 3
[2024] 14:23:11:531: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[1460] 14:23:11:531: NovRasEAPWaitForAuthResults_s returned 0
[2024] 14:23:11:546: EapMakeMessage action(2)
[2024] 14:23:11:546: EapMakeMessage send code(0)
[2024] 14:23:11:546: EapMakeMessage challenge response opcode(0)
[2024] 14:23:11:546: EapMakeMessage returned(0)
[2024] 14:23:11:562: EapEnd(XXusernameXX)
[2024] 14:23:11:562: EapEnd tickCount = 1211250
[2024] 14:23:11:562: EapEnd result = 0
[2024] 14:23:11:562: EapEnd returned(0)
[1384] 14:23:12:109: RasEapGetInfo
[1384] 14:23:12:109: Type ID 26
[1384] 14:23:12:109: StartServer called
[1384] 14:23:12:109: RasEapGetIdentity flags 82
[1384] 14:23:12:109: RasEapGetIdentity RAS_EAP_FLAG_NON_INTERACTIVE
[1384] 14:23:12:109: RasEapGetIdentity phone entry Dell Wireless 1397 WLAN Mini-Card - Packet Scheduler Miniport
[1384] 14:23:12:109: StartServer called
[1384] 14:23:12:109: calling getidentity to ask for credentials 82
[1384] 14:23:12:109: GetIdentity identity XXusernameXX
[1384] 14:23:12:109: RasEapGetIdentity1 returned 0
[1384] 14:23:12:109: RasEapFreeMemory
[1384] 14:23:12:171: EapBegin(XXusernameXX)
[1384] 14:23:12:171: EapBegin tickCount = 1211859
[1384] 14:23:12:171: EapMakeMessage sendbufsize(1290)
[1384] 14:23:12:171: EapMakeMessage (XXusernameXX)
[1384] 14:23:12:171: EapMakeMessage recieve code(1)
[1384] 14:23:12:171: EapMakeMessage pChallengeData opcode(1)
[1384] 14:23:12:171: AuthenticateeMakeMessage code 1
[1384] 14:23:12:171: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[1384] 14:23:12:171: AuthenticateeMakeMessage opcode 1
[1384] 14:23:12:171: AuthenticateeMakeMessage CHAPv2OCdChallenge
[1384] 14:23:12:171: EapMakeMessage action(4)
[1384] 14:23:12:171: EapMakeMessage send code(2)
[1384] 14:23:12:171: EapMakeMessage challenge response opcode(2)
[1384] 14:23:12:171: EapMakeMessage returned(0)
[1384] 14:23:12:187: EapMakeMessage sendbufsize(1290)
[1384] 14:23:12:187: EapMakeMessage (XXusernameXX)
[1384] 14:23:12:187: EapMakeMessage recieve code(1)
[1384] 14:23:12:187: EapMakeMessage pChallengeData opcode(3)
[1384] 14:23:12:187: AuthenticateeMakeMessage code 1
[1384] 14:23:12:187: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[1384] 14:23:12:187: AuthenticateeMakeMessage opcode 3
[1384] 14:23:12:187: AuthenticateeMakeMessage CHAPv2OCdSuccess
[1384] 14:23:12:187: GenerateAuthResponse returned 0
[1384] 14:23:12:187: AuthenticateeMakeMessage CheckAuthResponse returned 1
[1384] 14:23:12:187: EapMakeMessage action(4)
[1384] 14:23:12:187: EapMakeMessage send code(2)
[1384] 14:23:12:187: EapMakeMessage challenge response opcode(3)
[1384] 14:23:12:187: EapMakeMessage returned(0)
[1384] 14:23:12:203: EapMakeMessage sendbufsize(1290)
[1384] 14:23:12:203: EapMakeMessage (XXusernameXX)
[1384] 14:23:12:203: EapMakeMessage recieve code(3)
[1384] 14:23:12:203: EapMakeMessage pChallengeData opcode(250)
[1384] 14:23:12:203: AuthenticateeMakeMessage code 3
[1384] 14:23:12:203: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[1384] 14:23:12:203: EapMakeMessage action(2)
[1384] 14:23:12:203: EapMakeMessage send code(0)
[1384] 14:23:12:203: EapMakeMessage challenge response opcode(0)
[1384] 14:23:12:203: EapMakeMessage returned(0)
[1384] 14:23:12:218: EapEnd(XXusernameXX)
[1384] 14:23:12:218: EapEnd tickCount = 1211906
[1384] 14:23:12:218: EapEnd result = 0
[1384] 14:23:12:218: EapEnd returned(0)
[3324] 14:23:12:765: RasEapGetInfo
[3324] 14:23:12:765: Type ID 26
[3324] 14:23:12:765: StartServer called
[3324] 14:23:12:765: RasEapGetIdentity flags 82
[3324] 14:23:12:765: RasEapGetIdentity RAS_EAP_FLAG_NON_INTERACTIVE
[3324] 14:23:12:765: RasEapGetIdentity phone entry Dell Wireless 1397 WLAN Mini-Card - Packet Scheduler Miniport
[3324] 14:23:12:765: StartServer called
[3324] 14:23:12:765: calling getidentity to ask for credentials 82
[3324] 14:23:12:765: GetIdentity identity XXusernameXX
[3324] 14:23:12:765: RasEapGetIdentity1 returned 0
[3324] 14:23:12:765: RasEapFreeMemory
[3324] 14:23:12:843: EapBegin(XXusernameXX)
[3324] 14:23:12:843: EapBegin tickCount = 1212531
[3324] 14:23:12:843: EapMakeMessage sendbufsize(1290)
[3324] 14:23:12:843: EapMakeMessage (XXusernameXX)
[3324] 14:23:12:843: EapMakeMessage recieve code(1)
[3324] 14:23:12:843: EapMakeMessage pChallengeData opcode(1)
[3324] 14:23:12:843: AuthenticateeMakeMessage code 1
[3324] 14:23:12:843: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[3324] 14:23:12:843: AuthenticateeMakeMessage opcode 1
[3324] 14:23:12:843: AuthenticateeMakeMessage CHAPv2OCdChallenge
[3324] 14:23:12:843: EapMakeMessage action(4)
[3324] 14:23:12:843: EapMakeMessage send code(2)
[3324] 14:23:12:843: EapMakeMessage challenge response opcode(2)
[3324] 14:23:12:843: EapMakeMessage returned(0)
[3324] 14:23:12:843: EapMakeMessage sendbufsize(1290)
[3324] 14:23:12:843: EapMakeMessage (XXusernameXX)
[3324] 14:23:12:843: EapMakeMessage recieve code(1)
[3324] 14:23:12:843: EapMakeMessage pChallengeData opcode(3)
[3324] 14:23:12:843: AuthenticateeMakeMessage code 1
[3324] 14:23:12:843: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[3324] 14:23:12:843: AuthenticateeMakeMessage opcode 3
[3324] 14:23:12:843: AuthenticateeMakeMessage CHAPv2OCdSuccess
[3324] 14:23:12:843: GenerateAuthResponse returned 0
[3324] 14:23:12:843: AuthenticateeMakeMessage CheckAuthResponse returned 1
[3324] 14:23:12:843: EapMakeMessage action(4)
[3324] 14:23:12:843: EapMakeMessage send code(2)
[3324] 14:23:12:843: EapMakeMessage challenge response opcode(3)
[3324] 14:23:12:843: EapMakeMessage returned(0)
[3324] 14:23:12:859: EapMakeMessage sendbufsize(1290)
[3324] 14:23:12:859: EapMakeMessage (XXusernameXX)
[3324] 14:23:12:859: EapMakeMessage recieve code(3)
[3324] 14:23:12:859: EapMakeMessage pChallengeData opcode(250)
[3324] 14:23:12:859: AuthenticateeMakeMessage code 3
[3324] 14:23:12:859: AuthenticateeMakeMessage flags RAS_EAP_FLAG_8021X_AUTH
[3324] 14:23:12:859: EapMakeMessage action(2)
[3324] 14:23:12:859: EapMakeMessage send code(0)
[3324] 14:23:12:859: EapMakeMessage challenge response opcode(0)
[3324] 14:23:12:859: EapMakeMessage returned(0)
[3324] 14:23:12:875: EapEnd(XXusernameXX)
[3324] 14:23:12:875: EapEnd tickCount = 1212562
[3324] 14:23:12:875: EapEnd result = 0
[3324] 14:23:12:875: EapEnd returned(0)
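An added example, not part of the thread or of Novell's tooling: a small parser that groups a noveap.dll trace like the one posted above into EapBegin..EapEnd conversations and names the codes. It assumes the logged `code` is the EAP Code field (RFC 3748) and that `opcode` is the EAP-MSCHAPv2 OpCode, which matches the trace's own CHAPv2OCdChallenge/CHAPv2OCdSuccess labels; the sample lines, including the failing second conversation, are constructed.

```python
import re

# Constructed sample in the format of the trace posted above (placeholder user name).
# The second conversation is invented to show how a rejected attempt would read.
SAMPLE = """\
[2024] 14:23:11:515: EapBegin(XXusernameXX)
[2024] 14:23:11:515: EapMakeMessage recieve code(1)
[2024] 14:23:11:515: EapMakeMessage pChallengeData opcode(1)
[2024] 14:23:11:515: EapMakeMessage send code(2)
[2024] 14:23:11:531: EapMakeMessage recieve code(1)
[2024] 14:23:11:531: EapMakeMessage pChallengeData opcode(3)
[2024] 14:23:11:531: EapMakeMessage recieve code(3)
[2024] 14:23:11:531: EapMakeMessage pChallengeData opcode(250)
[2024] 14:23:11:562: EapEnd result = 0
[1384] 14:23:12:171: EapBegin(XXusernameXX)
[1384] 14:23:12:171: EapMakeMessage recieve code(1)
[1384] 14:23:12:171: EapMakeMessage pChallengeData opcode(1)
[1384] 14:23:12:171: EapMakeMessage send code(2)
[1384] 14:23:12:187: EapMakeMessage recieve code(1)
[1384] 14:23:12:187: EapMakeMessage pChallengeData opcode(4)
[1384] 14:23:12:203: EapMakeMessage recieve code(4)
[1384] 14:23:12:218: EapEnd result = 1
"""

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748
CHAP_OP = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure", 7: "Change-Password"}
LINE = re.compile(r"^\[(\d+)\] (\d\d:\d\d:\d\d:\d\d\d): (.*)$")

def summarize(trace):
    """Return one dict per EapBegin..EapEnd conversation found in the trace."""
    sessions, cur, last_rx = [], None, None
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("EapBegin("):
            cur = {"start": m.group(2), "inner": [], "final_eap": None, "result": None}
            last_rx = None
        elif cur is None:
            continue  # lines outside a conversation (identity lookup etc.)
        elif (n := re.search(r"recieve code\((\d+)\)", msg)):  # spelling as logged
            last_rx = int(n.group(1))
            if last_rx in (3, 4):
                cur["final_eap"] = EAP_CODE[last_rx]
        elif (n := re.search(r"pChallengeData opcode\((\d+)\)", msg)):
            # The opcode is only meaningful inside an EAP Request; Success/Failure
            # packets carry no type data, so values such as 250 are ignored.
            if last_rx == 1:
                cur["inner"].append(CHAP_OP.get(int(n.group(1)), "unknown"))
        elif (n := re.search(r"EapEnd result = (\d+)", msg)):
            cur["result"] = int(n.group(1))
            sessions.append(cur)
            cur = None
    return sessions

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s)
```

Under this reading of the fields, the full trace posted above parses as three conversations, each showing MS-CHAPv2 Challenge then Success, a final EAP Success and `EapEnd result = 0`.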
wsantner Absent Member.

Re: 802.1x Auth

Well, I've made no progress on this...

Decided to try to get it working on Win 7, but apparently that is still broken?

Unable to configure 802.1x authentication on Windows 7
blittrell2 Absent Member.

Re: 802.1x Auth

I have an open incident with Novell on this, their response has been extremely slow. So far I have 802.1x working perfectly with MSClient, but once I login on WinXP with client32 I get one good login then it fails after that. Every time I reboot the adapter keeps coming up disabled, so I register the noveap.dll as many suggest but it does nothing, I have to enable the adapter, unregister noveap and then reregister, then the next reboot will work after that one reboot then it fails on the next reboot. Seems totally screwed up to me.

Think Windows 7 is better? Think again, finally got that adapter to stop being disabled, but instead of working it seems to fail at the last moment.

I tell you, Novell really has this thing screwed up, my boss is already pushing me to move off Novell with the whole Attachmate acquisition this may be the final straw that breaks the camel's back.


wsantner;2067857 wrote:
Well, I've made no progress on this...

Decided to try to get it working on Win 7, but apparently that is still broken?

Unable to configure 802.1x authentication on Windows 7

Brett Littrell Network Manager Milpitas Unified School District
rolflidvall Absent Member.

Re: 802.1x Auth

> We're using Network Policy Server (NPS) on Windows 2008 to handle RADIUS
> Authentication (PEAP w/ MS-CHAP-v2) from our Wireless LAN Controller for
> WPA2. This configuration works with standard windows accounts, mac
> clients, and even iPods. Trying to get this to work with 802.1x on the
> Novell client 4.91 SP5 on WinXP SP3 seems to be a problem, though.


See:
"802.1x authentication fails with Windows XP SP3 and Windows Server 2008 R2
RADIUS server"
http://www.novell.com/support/viewContent.do?externalId=7007679&sliceId=1

"Use a different RADIUS server, such as FreeRADIUS instead of the Microsoft
Windows 2008 R2 NPS RADIUS server."


Regards
Rolf Lidvall
Swedish Radio (Ltd)


blittrell2 Absent Member.

Re: 802.1x Auth

Not much of an answer, seeing as we do have Freeradius running and still can not get the Novell client to reliably connect. After the initial reboot and it restarts it disables the adapter, then you have to login locally, enable the adapter, unreg noveap.dll and rereg it then guess what it works for just one more boot up, then you get to do it all again.

I know Novell probably wants to dump WinXP as a platform but I hope they know they will also be dumping all their users that use 802.1x as well. I have tried Cisco ACS, Steelbelted radius and FreeRadius along with the Cisco Secure Services supplicant, Juniper Odyssey supplicant and MS supplicant in all different ways to get Single sign on to Novell and 802.1x. As of right now the only one that works consistently is the CSSC supplicant with the Cisco ACS server or FreeRadius and that only works on WinXP, Cisco dropped support for Novell Single Sign on when Vista came out.

I have heard through the forums that some people get the Novell client to work 75% of the time but I have not personally seen that. Granted I am only working with SP4 and SP5 clients so maybe older clients work better, I don't know. I still have a support incident into Novell so maybe they will glean some little known setting that will cause this all to work but I am not holding my breath, I have been waiting a week now and have nothing to show for it, well except a lot of logs they requested.

rolflidvall;2069132 wrote:
> We're using Network Policy Server (NPS) on Windows 2008 to handle RADIUS
> Authentication (PEAP w/ MS-CHAP-v2) from our Wireless LAN Controller for
> WPA2. This configuration works with standard windows accounts, mac
> clients, and even iPods. Trying to get this to work with 802.1x on the
> Novell client 4.91 SP5 on WinXP SP3 seems to be a problem, though.


See:
"802.1x authentication fails with Windows XP SP3 and Windows Server 2008 R2
RADIUS server"
802.1x authentication fails with Windows XP SP3 and Windows Server 2008 R2 RADIUS server

"Use a different RADIUS server, such as FreeRADIUS instead of the Microsoft
Windows 2008 R2 NPS RADIUS server."


Regards
Rolf Lidvall
Swedish Radio (Ltd)

Brett Littrell Network Manager Milpitas Unified School District
Knowledge Partner

Re: 802.1x Auth

Hi Brett, not sure if you got my PM or not.
Novell's requesting that you call the 800# and ask that the SR be escalated (or you can post into the "talk to a technical services manager" to get a more speedy response).
blittrell2 Absent Member.

Re: 802.1x Auth

Yep, already did that, did it yesterday first thing in the morning, in the afternoon I finally got a reply from my engineer saying it was being escalated.

Like I said, I am just sitting here waiting, maybe something will pop up but I am not holding my breath, none of the fixes out there seem to have worked for me yet. With the exception of running some script to unreg and rereg the noveap on every bootup I am pretty much stuck.

Brett Littrell Network Manager Milpitas Unified School District
Knowledge Partner

Re: 802.1x Auth

Thanks for the update. Please keep us informed (as I see you're not the only one having problems with the 802.1x stuff)
dmilam Absent Member.

Re: 802.1x Auth

Did you ever get a fix for this?
We are going to implement this soon and do not want to run into the same problems.
blittrell2 Absent Member.

Re: 802.1x Auth

It has been in development for about 2 weeks now, the engineer is keeping me up to date but devs have not even responded to him yet. I will update as soon as I know something.


dmilam;2074140 wrote:
Did you ever get a fix for this?
We are going to implement this soon and do not want to run into the same problems.

Brett Littrell Network Manager Milpitas Unified School District
blittrell2 Absent Member.

Re: 802.1x Auth

Ok I do have an update on this. We have figured out part of the problem with Windows 7, in the settings you have to specify user and workstation login under the additional settings on the authentication tab. This fixed Windows 7 logging in with just the Novell client. I then stumbled upon a second issue, and this may be what is wrong with our WinXP stations as well, that seems to point to Zen 10 breaking the dot1x Novell client. What happens is when Zen 10 is installed the station will boot up fine on the first reboot but on the second reboot the adapter is disabled. We are getting the same thing with our Windows XP stations as well. You can get the adapter re-enabled on Windows 7 but it will turn off on the following reboots.

One big difference between WinXP and 7 is that with Win 7 if I uninstall Zen 10 and re-enable the adapter it works with all successive logins until I reinstall Zen 10, then it breaks again. On WinXP the only way I can get the adapter to come up is to unreg noveap, then rereg noveap regardless of Zen 10 being installed. I have not tested to see if a clean install of WinXP and Novell client will work successively until I install Zen 10 but that will be the next test.

So if you just have Novell client you may be good with the Dot1X config, but if you have zen10 you better check it before you start to push anything out.

As soon as I find out more I will let you all know.


dmilam;2074140 wrote:
Did you ever get a fix for this?
We are going to implement this soon and do not want to run into the same problems.

Brett Littrell Network Manager Milpitas Unified School District