
Event ID 18: authenticator attribute that is not valid

Post by chicagotech » Thu Oct 11, 2007 4:03 pm

Event Type: Error
Event Source: IAS
Event ID: 18
User: N/A
Computer: Chicagotech.IAS
Description:
An Access-Request message was received from RADIUS client WLC with a message authenticator attribute that is not valid.

Cause and solution: The secure password doesn't match between IAS and AP/WLC. Re-entering fixed the problem.
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6486
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA
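
The check behind this event, as an added example that is not part of the original post: the Message-Authenticator attribute (type 80) is an HMAC-MD5 over the whole Access-Request, keyed with the RADIUS shared secret (RFC 3579, section 3.2), so a server holding a different secret than the AP/WLC computes a different value and rejects the packet. The secrets, attributes and packet below are constructed sample values.

```python
import hashlib
import hmac
import struct

MSG_AUTH_TYPE = 80  # Message-Authenticator attribute, RFC 3579 section 3.2


def build_access_request(secret: bytes, identifier: int,
                         request_auth: bytes, attrs: bytes) -> bytes:
    """Build an Access-Request (code 1) ending in a Message-Authenticator."""
    placeholder = bytes([MSG_AUTH_TYPE, 18]) + bytes(16)  # value zeroed for HMAC
    length = 20 + len(attrs) + len(placeholder)
    packet = (struct.pack("!BBH", 1, identifier, length)
              + request_auth + attrs + placeholder)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Return True only if the attribute is present and matches this secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]
    pos = 20  # attributes start after the 20-byte header
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False  # malformed attribute
        if atype == MSG_AUTH_TYPE:
            if alen != 18:
                return False
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False  # no Message-Authenticator in the packet


# Constructed sample: User-Name "alice" (type 1) and NAS-Identifier "WLC" (type 32)
SAMPLE_ATTRS = bytes([1, 7]) + b"alice" + bytes([32, 5]) + b"WLC"
WLC_SECRET = b"example-shared-secret"   # constructed: secret typed on the AP/WLC
SAMPLE_PACKET = build_access_request(WLC_SECRET, 1, bytes(range(16)), SAMPLE_ATTRS)

if __name__ == "__main__":
    print("same secret:      ", verify_message_authenticator(WLC_SECRET, SAMPLE_PACKET))
    print("mistyped on server:", verify_message_authenticator(b"example-shared-secert", SAMPLE_PACKET))
```

A secret that differs by a single character or a trailing space fails in the same way as a completely different one, which is why re-entering it on both sides is the usual fix.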

Post by chicagotech » Fri Mar 20, 2009 3:41 pm

The hotfix in KB 885453 is for the scenario when there's an authentication attempt to a third-party RADIUS server. Since you are using Microsoft IAS Server as the RADIUS server, I don't think the hotfix helps in this case.

There's a known issue that authentication fails if the certificate is not configured in EKU (Extended Key Usage) extensions on both the Windows XP-based (SP3) wireless client and Windows Server 2003-based IAS server. This problem occurs because the current EAP-TLS implementation requires the presence of both the server authentication EKU and the client authentication EKU in the certificate that the client uses. Please see "Authentication fails from a Windows XP-based client if the authentication uses a Windows Server 2003-based IAS server" <http> for more details. I have also found another article "Select Authentication Protocols" <http> which introduces the authentication protocols that IAS supports and summarizes the conditions for which each protocol is used and the requirements for each protocol.

I have checked the new RAS trace logs and the packet trace. Nothing changes in the RASMAN.LOG; the basic negotiation hasn't been established yet. The packet trace shows that the RADIUS authentication fails on the RADIUS client side. Possible reasons may be the following:

1. The AP doesn't receive the Challenge message due to the network issue;
2. The AP doesn't process the Challenge message to the wireless client;
3. The wireless client doesn't receive the Challenge message;
4. The wireless client discards the Challenge message due to unknown reasons.

As you described, the wireless client can connect to the AP without validating the server certificate while it fails after switching on validation. Combined with the packet trace, I think it is probably the fourth reason I listed above that causes the authentication failure. Since EKU is not contained in the client certificate and server certificate, the wireless client doesn't recognize the Challenge message from the IAS server since no EKU is defined which represents the server authentication and then discards it without any responses.

I suggest installing the hotfix on your Windows XP-based wireless client, then creating and enabling the TlsServerUseAllPurposeCert registry entry on the Windows Server 2003-based IAS server by referring to KB 898061.