Probleme mit L-54g und Autentifizierung über Microsoft NPS

[msroedel]

Hallo ihr,
wir haben hier ein WLAN mit drei L-54g APs aufgebaut, die Ihre Benutzerdaten per Radius von einem NPS-Server holen. Die Sicherheit wird über PEAP/MSCHAPv2 gewährleistet. Prinzipiell tut das Ganze sehr gut, wir haben 'nur' Probleme mit Windows 7 Clients. Alle anderen Betriebssyteme (IOS, Android, XP, Win8) erlauben ein problemloses Anmelden.
Bei Win7 tritt nach der manuellen Einrichtung des WLANs und der Eingabe der Benutzerdaten eine Fehlermeldung auf:
"Es konnte keine Verbindung mit ab-wlan hergestellt werden"
Bei der Konfiguration des WLANs im Win7 wurde nach diesem Link vorgegangen:
http://www.hs-fulda.de/fileadmin/DVZ/Do ... _Vista.pdf ,
allerdings wurde das Überprüfen der Serverzertifikate deaktiviert. Die Zertifikate stammen von unserer Enterprise CA, sind sind also für externe Rechner nicht vertrauenswürdig.
Hat jemand einen Tipp für mich?

Besten Dank für eure Hilfe,

Markus


Der Trace auf dem L-54g sieht so aus:


[Sysinfo] 2013/11/07 11:00:52,796
Result of command: "sysinfo"

DEVICE: LANCOM L-54g Wireless
HW-RELEASE: F
SERIAL-NUMBER: 169701****
MAC-ADDRESS: 00a05****
IP-ADDRESS: 10.1.7.40
IP-NETMASK: 255.255.255.0
INTRANET-ADDRESS: 0.0.0.0
INTRANETMASK: 0.0.0.0
VERSION: 8.82.0100RU1 / 28.08.2013
NAME: ab-ap3
CONFIG-STATUS: 1056;0;42b52c80bd7bd98c3275ff4cec12480698b58398.12592403092013.59
FIRMWARE-STATUS: 1;1.3;1.10;8.82Rel.01082013.2;8.82RU1.28082013.3
HW-MASK: 00001100000000000000000000000010
FEATUREWORD: 00000001000000000100000000010000
REGISTERED-WORD: 00000001000000000100000000010000
FEATURE-LIST: 04/F
FEATURE-LIST: 0e/F
FEATURE-LIST: 18/F
FEATURE-LIST: 2b/F
TIME: 11005207112013
HTTP-PORT: 80
HTTPS-PORT: 443
TELNET-PORT: 23
TELNET-SSL-PORT: 992
SSH-PORT: 22
LOCATION: 2.OG
COUNTRY-CODE: 0/0 (NA)
COMMENT:
EXTENDED-NAME: LANCOM L-54g Wireless

[EAP] 2013/11/07 11:01:00,327 Devicetime: 2013/11/07 11:01:00,446
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 1
EAP: Length = 5
EAP: Type = 1 (Identity)

[EAP] 2013/11/07 11:01:00,327 Devicetime: 2013/11/07 11:01:00,446
EAP: Create station 44:33:4c:13:47:02

[EAP] 2013/11/07 11:01:00,343 Devicetime: 2013/11/07 11:01:00,456
***Received EAP packet on WLAN-1:
-->EAPOL Header
Protocol Version : 1
Packet Type : Start
Packet Length : 0
Packet Trailer : 00 .
-->forwarding non-802.11i key packet to 802.1x

[EAP] 2013/11/07 11:01:00,343 Devicetime: 2013/11/07 11:01:00,456
EAP: RX <- 44:33:4c:13:47:02 - received EAPOL frame from supplicant
EAP: Packet Type = 1 (EAPOL-Start)
EAP: Packet Length = 0

[EAP] 2013/11/07 11:01:00,343 Devicetime: 2013/11/07 11:01:00,456
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 1
EAP: Length = 5
EAP: Type = 1 (Identity)


[RADIUS-Server] 2013/11/07 11:01:07,124 Devicetime: 2013/11/07 11:01:07,260
Checking for dead accounting sessions:


[EAP] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,940
***Received EAP packet on WLAN-1:
-->EAPOL Header
Protocol Version : 1
Packet Type : Packet
Packet Length : 12
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 1
EAP Packet Len : 12
EAP Packet Type : Identity
Identity String : Testclient
-->forwarding non-802.11i key packet to 802.1x

[EAP] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,940
EAP: RX <- 44:33:4c:13:47:02 - received EAPOL frame from supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 12
EAP: Code = 2 (Response)
EAP: Ident = 1
EAP: Length = 12
EAP: Type = 1 (Identity)

[RADIUS-Client] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,941
Send RADIUS Authentication Request Id 35 to 10.1.7.1 Backup-Step 1 Retry 0 Auth b178bcde6f97ebd5cae55229b45a2d36

[EAP] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,940
EAP: TX -> 10.1.7.1/1812 - sending EAP frame to RADIUS server
EAP: (01) User-Name = "Testclient"
EAP: (06) Service-Type = 2
EAP: (04) NAS-IP-Address = 0.0.0.0
EAP: (05) NAS-Port = 8
EAP: (87) NAS-Port-Id = "8"
EAP: (30) Called-Station-Id = "00-A0-57-15-BC-AA:ab-wlan"
EAP: (31) Calling-Station-Id = "44-33-4C-13-47-02"
EAP: (77) Connect-Info = "CONNECT 54 Mbps 802.11g"
EAP: (32) NAS-Identifier = "ab-ap3"
EAP: (61) NAS-Port-Type = 19
EAP: (12) Framed-MTU = 1500
EAP: (79) EAP-Message[Len=12] = 02 01 00 0c 01 ...
EAP: (80) Message-Authenticator = ...
EAP: Packet Type = Access-Request
EAP: Request transmission succeeded

[RADIUS-Client] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,950
Received RADIUS Challenge Id 35 from 10.1.7.1
-->found corr. request 35 to IP 10.1.7.1:1812, secret <*****>, authenticator b178bcde6f97ebd5cae55229b45a2d36
-->trigger requester

[EAP] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,951
EAP: RX <- 10.1.7.1:1812 - received EAP frame from RADIUS server
EAP: (27) Session-Timeout = 30
EAP: (24) State = 62 a2 07 ba 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 20 1d 63 de f0 d3 82 72 00 00 00 04 44
EAP: (80) Message-Authenticator = ...
EAP: (79) EAP-Message[Len=6] = 01 02 00 06 19
EAP: Packet Type = Access-Challenge

[EAP] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,951
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 6
EAP: Code = 1 (Request)
EAP: Ident = 2
EAP: Length = 6
EAP: Type = 25 (EAP-PEAP)

[EAP] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,963
***Received EAP packet on WLAN-1:
-->EAPOL Header
Protocol Version : 1
Packet Type : Packet
Packet Length : 105
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 2
EAP Packet Len : 105
EAP Packet Type : PEAP
--> EAP/PEAP Packet
PEAP Flags : LenPresent Version 0
TLS Record(s) Len : 95
--> SSL/TLS Record
Record Content Type : Handshake
Record Length : 90
Protocol Version : TLSv1
Handshake Msg Type : Client Hello
Message Length : 86
-->SSL/TLS Client Hello
Protocol Version : TLSv1
Client Random : 52 7b 64 ed f1 f0 36 49 R{d...6I
a4 b2 94 b5 db ab 37 45 ......7E
62 d6 a2 7c cf a8 8c 96 b..|....
60 f4 fe ab 6f 13 01 08 `...o...
Cipher Suites : TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
Compression Methods : NULL
Reneg. Info :
Elliptic Curves : secp256r1
secp384r1
EC-Point Formats : uncompressed
-->forwarding non-802.11i key packet to 802.1x

[EAP] 2013/11/07 11:01:17,890 Devicetime: 2013/11/07 11:01:17,964
EAP: RX <- 44:33:4c:13:47:02 - received EAPOL frame from supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 105
EAP: Code = 2 (Response)
EAP: Ident = 2
EAP: Length = 105
EAP: Type = 25 (EAP-PEAP)

[RADIUS-Client] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:17,965
Send RADIUS Authentication Request Id 155 to 10.1.7.1 Backup-Step 1 Retry 0 Auth 6d160b2532192c168be55229b4da6d16

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:17,964
EAP: TX -> 10.1.7.1:1812 - sending EAP frame to RADIUS server
EAP: (01) User-Name = "Testclient"
EAP: (06) Service-Type = 2
EAP: (04) NAS-IP-Address = 0.0.0.0
EAP: (05) NAS-Port = 8
EAP: (87) NAS-Port-Id = "8"
EAP: (24) State = 62 a2 07 ba 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 20 1d 63 de f0 d3 82 72 00 00 00 04 44
EAP: (30) Called-Station-Id = "00-A0-57-15-BC-AA:ab-wlan"
EAP: (31) Calling-Station-Id = "44-33-4C-13-47-02"
EAP: (77) Connect-Info = "CONNECT 54 Mbps 802.11g"
EAP: (32) NAS-Identifier = "ab-ap3"
EAP: (61) NAS-Port-Type = 19
EAP: (12) Framed-MTU = 1500
EAP: (79) EAP-Message[Len=105] = 02 02 00 69 19 ...
EAP: (80) Message-Authenticator = ...
EAP: Packet Type = Access-Request
EAP: Request transmission succeeded

[RADIUS-Client] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:17,995
Received RADIUS Challenge Id 155 from 10.1.7.1
-->found corr. request 155 to IP 10.1.7.1:1812, secret <*****>, authenticator 6d160b2532192c168be55229b4da6d16
-->trigger requester

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:17,996
EAP: RX <- 10.1.7.1:1812 - received EAP frame from RADIUS server
EAP: (27) Session-Timeout = 30
EAP: (24) State = 62 a2 07 ba 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 20 1d 63 de f0 d3 82 72 00 00 00 04 44
EAP: (80) Message-Authenticator = ...
EAP: (79) EAP-Message[Len=1496] = 01 03 05 d8 19
EAP: Packet Type = Access-Challenge

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:17,996
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 1496
EAP: Code = 1 (Request)
EAP: Ident = 3
EAP: Length = 1496
EAP: Type = 25 (EAP-PEAP)

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:18,017
***Received EAP packet on WLAN-1:
-->EAPOL Header
Protocol Version : 1
Packet Type : Packet
Packet Length : 6
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 3
EAP Packet Len : 6
EAP Packet Type : PEAP
--> EAP/PEAP Packet
PEAP Flags : Version 0
-->forwarding non-802.11i key packet to 802.1x

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:18,018
EAP: RX <- 44:33:4c:13:47:02 - received EAPOL frame from supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 6
EAP: Code = 2 (Response)
EAP: Ident = 3
EAP: Length = 6
EAP: Type = 25 (EAP-PEAP)

[RADIUS-Client] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:18,019
Send RADIUS Authentication Request Id 139 to 10.1.7.1 Backup-Step 1 Retry 0 Auth e5d269148ac54221b058ac562b35ba5d

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:18,018
EAP: TX -> 10.1.7.1:1812 - sending EAP frame to RADIUS server
EAP: (01) User-Name = "Testclient"
EAP: (06) Service-Type = 2
EAP: (04) NAS-IP-Address = 0.0.0.0
EAP: (05) NAS-Port = 8
EAP: (87) NAS-Port-Id = "8"
EAP: (24) State = 62 a2 07 ba 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 20 1d 63 de f0 d3 82 72 00 00 00 04 44
EAP: (30) Called-Station-Id = "00-A0-57-15-BC-AA:ab-wlan"
EAP: (31) Calling-Station-Id = "44-33-4C-13-47-02"
EAP: (77) Connect-Info = "CONNECT 54 Mbps 802.11g"
EAP: (32) NAS-Identifier = "ab-ap3"
EAP: (61) NAS-Port-Type = 19
EAP: (12) Framed-MTU = 1500
EAP: (79) EAP-Message[Len=6] = 02 03 00 06 19 ...
EAP: (80) Message-Authenticator = ...
EAP: Packet Type = Access-Request
EAP: Request transmission succeeded

[RADIUS-Client] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:18,030
Received RADIUS Challenge Id 139 from 10.1.7.1
-->found corr. request 139 to IP 10.1.7.1:1812, secret <*****>, authenticator e5d269148ac54221b058ac562b35ba5d
-->trigger requester

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:18,031
EAP: RX <- 10.1.7.1:1812 - received EAP frame from RADIUS server
EAP: (27) Session-Timeout = 30
EAP: (24) State = 62 a2 07 ba 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 20 1d 63 de f0 d3 82 72 00 00 00 04 44
EAP: (80) Message-Authenticator = ...
EAP: (79) EAP-Message[Len=1445] = 01 04 05 a5 19
EAP: Packet Type = Access-Challenge

[EAP] 2013/11/07 11:01:17,905 Devicetime: 2013/11/07 11:01:18,031
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 1445
EAP: Code = 1 (Request)
EAP: Ident = 4
EAP: Length = 1445
EAP: Type = 25 (EAP-PEAP)

[EAP] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,100
***Received EAP packet on WLAN-1:
-->EAPOL Header
Protocol Version : 1
Packet Type : Packet
Packet Length : 343
-->EAP Header
EAP Packet Code : Response
EAP Packet Id : 4
EAP Packet Len : 343
EAP Packet Type : PEAP
--> EAP/PEAP Packet
PEAP Flags : LenPresent Version 0
TLS Record(s) Len : 333
--> SSL/TLS Record
Record Content Type : Handshake
Record Length : 269
Protocol Version : TLSv1
Handshake Msg Type : Certificate
Message Length : 3
-->SSL/TLS Certificate(s)
Total Length : 0
Handshake Msg Type : Client Key Exchange
Message Length : 258
Message Body : 01 00 95 fc 65 29 bf df ....e)..
6d 6e 97 64 f0 89 30 58 mn.d..0X
40 67 0d b9 8e 54 ba 2e @g...T..
bf 85 79 36 6a b4 ad c2 ..y6j...
98 d7 26 99 81 11 1b 6a ..&....j
ef 06 1d a3 1c c2 7b b3 ......{.
94 f7 b3 69 13 00 a4 62 ...i...b
b5 d9 3d ff c7 3b aa bd ..=..;..
47 1c b8 a0 34 29 0d ec G...4)..
08 f7 c0 52 8d 88 a2 03 ...R....
85 6c 16 8d 26 9a 0e f6 .l..&...
82 df e0 4c f6 23 11 7e ...L.#.~
c1 57 99 2e 25 94 9c bb .W..%...
41 ee f6 98 24 ba 17 6d A...$..m
21 54 b5 f6 6f 2e 1b f9 !T..o...
8d eb 66 d7 5c 2c 90 7f ..f.\,..
8e 15 e1 12 04 d8 c5 e2 ........
e9 f3 af a2 62 b9 83 14 ....b...
46 be f3 d5 af 9f fe 1c F.......
05 90 c0 0c 10 79 62 81 .....yb.
d8 20 80 d3 0f cc 8a cc . ......
f4 e8 50 7e 6a b6 bd 9b ..P~j...
a4 56 3e bc a0 3b 7b 1c .V>..;{.
b3 9d 16 b6 59 01 4a 77 ....Y.Jw
93 23 65 1c 1f 00 f8 10 .#e.....
9c 51 dd ab 36 62 98 00 .Q..6b..
8f 88 e1 8d aa 0c 69 8a ......i.
81 de ac 7a 3d 93 2a 6d ...z=.*m
b9 2a 2f 45 25 53 20 ec .*/E%S .
2a 8d a9 d9 25 44 39 bf *...%D9.
47 57 af f4 c6 32 72 81 GW...2r.
53 a1 12 41 16 37 54 24 S..A.7T$
c1 cd ..
--> SSL/TLS Record
Record Content Type : Change Cipher Spec
Record Length : 1
Protocol Version : TLSv1
Payload : 01 .
--> SSL/TLS Record
Record Content Type : Handshake
Record Length : 48
Protocol Version : TLSv1
Encrypted Payload : 86 d5 b7 cf b8 47 12 98 .....G..
21 84 15 d4 63 fa 18 6b !...c..k
3f b1 e3 92 65 cb a6 67 ?...e..g
b2 3f 7a d9 61 cf b4 19 .?z.a...
c5 b1 58 04 49 0d d2 75 ..X.I..u
1b 7d 37 94 3c 05 54 29 .}7.<.T)
-->forwarding non-802.11i key packet to 802.1x

[EAP] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,102
EAP: RX <- 44:33:4c:13:47:02 - received EAPOL frame from supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 343
EAP: Code = 2 (Response)
EAP: Ident = 4
EAP: Length = 343
EAP: Type = 25 (EAP-PEAP)

[RADIUS-Client] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,103
Send RADIUS Authentication Request Id 14 to 10.1.7.1 Backup-Step 1 Retry 0 Auth 87e3d148249249040201a05028140a85

[EAP] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,102
EAP: TX -> 10.1.7.1:1812 - sending EAP frame to RADIUS server
EAP: (01) User-Name = "Testclient"
EAP: (06) Service-Type = 2
EAP: (04) NAS-IP-Address = 0.0.0.0
EAP: (05) NAS-Port = 8
EAP: (87) NAS-Port-Id = "8"
EAP: (24) State = 62 a2 07 ba 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 20 1d 63 de f0 d3 82 72 00 00 00 04 44
EAP: (30) Called-Station-Id = "00-A0-57-15-BC-AA:ab-wlan"
EAP: (31) Calling-Station-Id = "44-33-4C-13-47-02"
EAP: (77) Connect-Info = "CONNECT 54 Mbps 802.11g"
EAP: (32) NAS-Identifier = "ab-ap3"
EAP: (61) NAS-Port-Type = 19
EAP: (12) Framed-MTU = 1500
EAP: (79) EAP-Message[Len=343] = 02 04 01 57 19 ...
EAP: (80) Message-Authenticator = ...
EAP: Packet Type = Access-Request
EAP: Request transmission succeeded

[RADIUS-Client] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,138
Received RADIUS Challenge Id 14 from 10.1.7.1
-->found corr. request 14 to IP 10.1.7.1:1812, secret <*****>, authenticator 87e3d148249249040201a05028140a85
-->trigger requester

[EAP] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,138
EAP: RX <- 10.1.7.1:1812 - received EAP frame from RADIUS server
EAP: (27) Session-Timeout = 30
EAP: (24) State = 62 a2 07 ba 00 00 01 37 00 01 17 00 fe 80 00 00 00 00 00 00 20 1d 63 de f0 d3 82 72 00 00 00 04 44
EAP: (80) Message-Authenticator = ...
EAP: (79) EAP-Message[Len=69] = 01 05 00 45 19
EAP: Packet Type = Access-Challenge

[EAP] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,140
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 69
EAP: Code = 1 (Request)
EAP: Ident = 5
EAP: Length = 69
EAP: Type = 25 (EAP-PEAP)

[EAP] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,177
EAP: Delete station 44:33:4c:13:47:02

[EAP] 2013/11/07 11:01:18,077 Devicetime: 2013/11/07 11:01:18,178
EAP: Delete station 44:33:4c:13:47:02 failed (station not found)

[EAP] 2013/11/07 11:01:19,624 Devicetime: 2013/11/07 11:01:19,746
EAP: Delete station 44:33:4c:13:47:02 failed (station not found)

[EAP] 2013/11/07 11:01:19,624 Devicetime: 2013/11/07 11:01:19,747
EAP: Delete station 44:33:4c:13:47:02 failed (station not found)

[EAP] 2013/11/07 11:01:19,624 Devicetime: 2013/11/07 11:01:19,748
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 1
EAP: Length = 5
EAP: Type = 1 (Identity)

[EAP] 2013/11/07 11:01:19,624 Devicetime: 2013/11/07 11:01:19,748
EAP: Create station 44:33:4c:13:47:02

[EAP] 2013/11/07 11:01:19,624 Devicetime: 2013/11/07 11:01:19,757
***Received EAP packet on WLAN-1:
-->EAPOL Header
Protocol Version : 1
Packet Type : Start
Packet Length : 0
Packet Trailer : 00 .
-->forwarding non-802.11i key packet to 802.1x

[EAP] 2013/11/07 11:01:19,624 Devicetime: 2013/11/07 11:01:19,757
EAP: RX <- 44:33:4c:13:47:02 - received EAPOL frame from supplicant
EAP: Packet Type = 1 (EAPOL-Start)
EAP: Packet Length = 0

[EAP] 2013/11/07 11:01:19,624 Devicetime: 2013/11/07 11:01:19,757
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 1
EAP: Length = 5
EAP: Type = 1 (Identity)


[RADIUS-Server] 2013/11/07 11:01:37,124 Devicetime: 2013/11/07 11:01:37,260
Checking for dead accounting sessions:


[EAP] 2013/11/07 11:01:49,093 Devicetime: 2013/11/07 11:01:49,230
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 1
EAP: Length = 5
EAP: Type = 1 (Identity)


[RADIUS-Server] 2013/11/07 11:02:07,124 Devicetime: 2013/11/07 11:02:07,260
Checking for dead accounting sessions:


[EAP] 2013/11/07 11:02:19,108 Devicetime: 2013/11/07 11:02:19,230
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 1
EAP: Length = 5
EAP: Type = 1 (Identity)

[EAP] 2013/11/07 11:02:19,108 Devicetime: 2013/11/07 11:02:19,230
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 4
EAP: Code = 4 (Failure)
EAP: Ident = 1
EAP: Length = 4

[EAP] 2013/11/07 11:02:19,108 Devicetime: 2013/11/07 11:02:19,230
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 2
EAP: Length = 5
EAP: Type = 1 (Identity)


[RADIUS-Server] 2013/11/07 11:02:37,124 Devicetime: 2013/11/07 11:02:37,260
Checking for dead accounting sessions:


[EAP] 2013/11/07 11:02:49,092 Devicetime: 2013/11/07 11:02:49,230
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 2
EAP: Length = 5
EAP: Type = 1 (Identity)


[RADIUS-Server] 2013/11/07 11:03:07,123 Devicetime: 2013/11/07 11:03:07,260
Checking for dead accounting sessions:


[EAP] 2013/11/07 11:03:19,092 Devicetime: 2013/11/07 11:03:19,230
EAP: TX -> 44:33:4c:13:47:02 - sending EAPOL frame to supplicant
EAP: Packet Type = 0 (EAP-Packet)
EAP: Packet Length = 5
EAP: Code = 1 (Request)
EAP: Ident = 2
EAP: Length = 5
EAP: Type = 1 (Identity)

[Bernie137]

Hi,

ich hatte seinerzeit noch das eingestellt.

Viele Grüße
Heiko

[msroedel]

Danke für den Tipp,
aber das hatte ich auch schon probiert; auch die Variante, dort nur Benutzerauth. einzustellen. Leider ohne Erfolg. Hab auch schon lang rumgegoogelt, ob in Win7 irgendwas 'anders' ist, als bei XP oder Win8. Leider bisher ohne Erfolg. Ich teste hier mit Domain-Computern, könnte evtl. noch sein, dass die bei uns automatisch verteilten Computer- und Userzertifikate da mit reinspucken?

Viele Grüße,
Markus

[Bernie137]

Hallo Markus,

also wenn es per Domain ist, dann würde ich mir nicht die Mühe machen und die Profile von Hand einrichten. Dafür gibt es GPOs und damit habe ich es prima am Laufen - W2k8R2 Domain + W2k8R2 IAS + L-54(a)g`s + Win7/WinXP. Schau doch mal in diese Anleitung...http://www.it-training-grote.de/downloa ... P-Cert.pdf Weiter unten sind die GPOs erklärt. In der GPO hab ich es eingestellt wie im Bild. Der riesen Vorteil an der Sache ist, die WLAN-Verbindung steht schon, bevor sich ein User anmeldet - egal ob Domainuser oder lokaler User, eben wie mit Kabel.

Also Unterschied ist: Microsoft: Smartcard- oder anderes Zertifikat, nix mit PEAP/MSCHAPv2 und dann vielleicht noch Kennung eingeben.

Viele Grüße
Heiko

[Bernie137]

Was den Trace anbelangt, kann ich nichts erkennen, was nicht stimmt. Aber was steht denn im Event Log des IAS Servers? Und lade Dir mal die Testversion vom IASviewer, damit erkennst besser, was passiert: http://www.deepsoftware.ru/iasviewer/

Viele Grüße
Heiko

PS: Du könntest 2 Richtlinien im IAS betreiben, eine für managed (Windows)Clients und eine Richtlinie für andere Clients (die hast ja schon)

[msroedel]

Hallo Heiko,
ich habs gefunden: es lag am Zertifikat des NPS-Servers. Ich hatte das normale, bei uns automatisch verteilte Maschinenzertifikat in den PEAP Einstellungen verwendet. Offensichtlich gibts ein Problem, weil beim Verwendungszweck des Zertifikats nur Server- und Clientautentifizierung eingetragen sind, kein IPSEC.
Ich hab jetzt ein neues Zeritifikat generiert mit einem SAN Eintrag für npsserver und npsserver.domain.de, das als erweiterte Verwendung auch IPSEC aktiviert hat. Damit klappt jetzt die Verbindung!
Wie es aussieht, prüft Win7 trotz Deaktivieren des Hakens bei 'Serverzertifikat überprüfen' doch noch das Zertifikat des NPS-Servers. Alle anderen Betriebssystem hatten den Fehler wohl ignoriert.
Einen Patch in dieser Richtung gibts auch: http://support.microsoft.com/kb/2494172 , der hatte bei mir aber nichts gebracht.

Danke für deine Hilfe!

Viele Grüße,
Markus

[Bernie137]

Hallo Markus,

schön, dass Du es gefunden hast. Jedoch wundert mich, dass es an IPSEC gelegen haben soll. Ich habe auch nur ein Zertifikat im IAS/NPS für Client- und Serverauthentifizierung. Und was anderes ist es ja nicht. Verschlüsselt wird doch das WLAN m.E. mit WPA2 anstatt PSK halt Zertifikat, nicht mit IPSEC?

Viele Grüße
Heiko

[msroedel]

...wie immer blöd, wenn man gleich zwei Dinge ändert. Ist durchaus möglich, dass der 2. DNS Name ohne die Domäne dran das Ausschlaggebende ist. Noch ungetestet ist jetzt der Fall eines fremden Clients, der unserer internen CA nicht vertraut. Kann gut sein, dass es da auch wieder hakt. Werde berichten.
Der Loganalyser ist nettes Tool - danke für den Tipp!

Markus