Contributor
Wraeth
Posts: 11
Registered: ‎06-17-2010
0

EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

Hi all,

 

I've found a couple of posts relating to this issue, but I'm not sure about the version of Windows used in the "windows 2008 and microsoft native agent issue" post.

 

 

'Rabbit' responded in that post with the following:

In addition to allowing nt4 crypto, you will also have to configure the DC to send LM & NTLM responses as it has been disabled by default in Server 2008 and our Samba code requires it.


I was fairly sure that I got this working about a year ago in staging, but now that I need to get it happening in production I can't remember how! :smileyfrustrated:

 

I'm using an IC4000 with 4.0R3 and trying to get the native Win7 and other 802.1x supplicants to authenticate using MS-CHAP-V2. The system is completely functional the second I point it to a 2003 server.

 

Is the note above what I'm after?

 

 

Recognized Expert
Raveen
Posts: 409
Registered: ‎04-15-2010
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

As Rich said, for Windows 2008R1, you need to allow NT4 crypto and NTLM response.

Windows 2008R2 is *NOT* supported yet for MSCHAPv2 and Machine authentication.

It is supported from IC version 4.2, which is now in BETA.

It would be available officially by the end of February or early March 2012.

 

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!
Recognized Expert
Raveen
Posts: 409
Registered: ‎04-15-2010
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

About the workaround for 2008R1, please refer to KB14345.

For the 2008R2 issue, we have a PSN for this: PSN-2010-09-936: Juniper Networks Unified Access Control (UAC) IC Appliance issue with Microsoft Win...

 

Regards,

Raveen

 

Note: You could mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!

Contributor
rrosiak
Posts: 12
Registered: ‎10-20-2011
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2


Hi, can you please update us when IC 4.2 will be officially available? Do you support IC 4.2 Beta2 in a production environment?

Recognized Expert
Raveen
Posts: 409
Registered: ‎04-15-2010
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

Hi,

 

IC 4.2 is likely to be officially available by end of this month.

Please wait until the end of this month before adding a 4.2 appliance in production.

However, beta testing in lab is highly appreciated.

 

Regards,

Raveen

 

Contributor
Fahad_khan
Posts: 152
Registered: ‎10-21-2008
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

Hi Raveen,

 

I have seen your posts and found that you are well educated in IC implementation.

 

I am a bit new to IC deployment with regard to 802.1x with the native supplicant of Windows. I have an SoH license for host checker. Customer perhaps has 2008R2 :smileysad:

Can you please guide me to do this implementation in a step-by-step manner or refer me to a relevant KB that can help me do this easily?

I will really appreciate your help.

Awaiting your urgent response.

 

Thanks and regards,

 

Muhammad Fahad Khan
JNCIE-M/T # 756
Network Consultant
IBM Pakistan
+92-301-8247638
+92-321-2370510
Recognized Expert
Raveen
Posts: 409
Registered: ‎04-15-2010

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

Hi Fahad,

 

Windows native supplicant uses EAP-MSCHAPv2 as the authentication protocol.

Currently, IC can't work well with Windows 2008R2 for EAP-MSCHAPv2.

IC version 4.2 supports 2008R2 for EAP-MSCHAPv2 authentication.

It is likely to be released in a couple of weeks.

 

Regards,

Raveen

 

Contributor
Fahad_khan
Posts: 152
Registered: ‎10-21-2008
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

Thanks for the prompt response.

 

OK, let's assume the customer is using 2008R1 or earlier. Please guide me through the steps I need to do on the UAC and switch for 802.1x with AD and DHCP with SSO in the environment.

 

Thanks for the help

 

regards,

 

 

Muhammad Fahad Khan
JNCIE-M/T # 756
Network Consultant
IBM Pakistan
+92-301-8247638
+92-321-2370510
Recognized Expert
Raveen
Posts: 409
Registered: ‎04-15-2010
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

Hi Fahad,

 

Basic steps are as below:

 

1. Add a RADIUS client in the IC with the right secret_key that you configured in the switch.

2. Map the RADIUS client to a Location group and assign a sign-in URL.

3. The sign-in URL should have a realm containing your authentication server, and have role mapping rules.

For more details on how to configure the above, please refer to the IC administration guide.

 

http://www.juniper.net/techpubs/software/uac/4.1xguides/j-ic-uac-4.1-adminguide.pdf

 

http://www.juniper.net/techpubs/software/uac/4.1xguides/j-ic-uac-4.1-deployment.pdf

 

 

For your use-case, please contact your SE or engage the PS (professional services) team.

 

Regards,

Raveen

Contributor
Fahad_khan
Posts: 152
Registered: ‎10-21-2008
0

Re: EAP-PEAP/TTLS and MSCHAPV2 with Windows 2008 R2

Dear Raveen,

 

Thank you so much for the post. I have been going through the Admin guide. It's a great resource.

Is there any catch with Single Sign-on? How to use machine authentication with certificates???

 

By the way, why would we browse the forums like JNET, if we always need expensive professional services :smileywink:

JNET has some real champions like you and we appreciate your support :smileyhappy:

 

Thanks and regards,

Muhammad Fahad Khan
JNCIE-M/T # 756
Network Consultant
IBM Pakistan
+92-301-8247638
+92-321-2370510