blog2wp_7697bfce

When MD5 challenge.

Reason-Code=19

Reason=The user could not be authenticated using Challenge Handshake Authentication Protocol(CHAP). Areversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

=====================================================================

Issue: 
How to configure Windows IAS (Internet Authentication Service) with the Perle 833 products using the RADIUS security method.

Solution:

Windows 2000/2003 Server uses the new Active Directory security database. This is very different to the Windows NT Domain security structure. If the Perle is configured to use "NT Domain" Security with Windows 2000 servers or Windows Server 2003 servers then it will fail to authenticate.

The solution is to use a security application, such as RADIUS/IAS that can interact with the Active Directory as the Perle 833's does support RADIUS authentication. IAS is also used by Windows Routing and Remote Access Service for authentication.

Administrators to the Perle 833AS or 833IS products (connections via the Perle Management software or CLI) will be looked up on the RADIUS host and not with the local database unless the RADIUS server is offline then the Perle Manager will retry the authentication and then timeout after 5 minutes, then perform a local database lookup).

Configure the Perle to use RADIUS security.
Configure a Primary Authentication Server (and optional backup) and Primary Accounting Server.
Configure a shared secret that will be matched in the IAS client configuration within IAS.
Disable CHAP, select only PAP authentication initially as the Windows User database does not store passwords in reversible encryption by default. See note at bottom for details on CHAP support.

The example is a simple setup based on a new installation of IAS. Note that if an there is an existing IAS setup then these instructions may not apply exactly as shown.

Using Internet Authentication Service / RADIUS for security:

Add Remove Programs
Add/Remove Windows Components
Networking Services
Internet Authentication Service

Set IAS to access the Active Directory (if using a Domain Controller)
Right click on Internet Authentication Service
Register Service in Active Directory

Add the Perle to the client list:

Right click on Clients
Add New Client
Give a friendly name
Protocol = RADIUS
Client address = Enter the IP address of the Perle
Client-Vendor = RADIUS Standard
Enter the Shared Secret that matches the Perle's configuration

Create a policy to allow Domain Admin users to administer the Perle 833AS/IS ... NOTE: Admin user is not needed in RADIUS for the 833RAS unit:

Right click on Remote Access Policies
Add New Policy
    [Windows 2003 select "Setup a Custom Policy"]
Give a friendly name
Add a new condition

Note on conditions: each policy has conditions that have to be met. If the conditions are not met then IAS will go to the next policy and examine the conditions.

The following example adds two conditions ... the client source IP address is the Perle and the UserID is a member of the Windows "Administrators" group.

IP-Client-Address = Enter the IP address of the Perle
Windows-Group = Administrators
Enable Grant remote access permission
Edit Profile
Select the Authentication (tab)
Enable PAP or CHAP (see below for CHAP details)
Select the Advanced (tab)
Remove Framed-Protocol
Edit Service-Type to value of Administrative

Move this policy so that it appears as the first (top) policy in the Policy List.

Create a policy to allow dialup access to all users that are members of a group (note that Windows may have a default Policy already that will permit any user with Dial In enabled, so this new policy would be optional. If you wish to use a new Policy then ensure that it appears above the default policy):

The below example uses access based on a Group. Only those user's that are members of the Group are allowed access:

Right click on Remote Access Policies
Add New Policy
    [Windows 2003 select "Setup a Custom Policy"]
Give a friendly name
Add a new condition
IP-Client-Address = Enter the IP address of the Perle
Windows Group = Add the applicable Group value
Grant remote access permission
Edit Profile
Authentication (tab)
Enable PAP or CHAP (see below for CHAP details)

Ensure that the service is started.
Ensure that the Active Directory / Local account for the user has Dial In access enabled in their user profile. If your Windows 2000 Domain server is in Native Mode and IAS is registered with the Active Directory then you can set the User Profile -> Dial In setting to use Remote Access Policies.

Additional NOTES:

Reversibly Encrypted Passwords (CHAP) ...

The current user passwords are not stored in a reversibly encrypted form by default and are not automatically changed. You must either manually reset the user password or set the user passwords to be changed the next time the user logs on to the LAN. This must be done for each user who will be authenticating via IAS.

Once the password is changed, it is stored in a reversibly encrypted form. If you set user passwords to be changed the next time a user logs on, the user must log on by using a LAN connection and change the password before they attempt to log on with a remote access connection using CHAP. Users cannot change passwords during the authentication process when using CHAP. The logon attempt will fail.

If the RADIUS configuration in the Perle has CHAP enabled then it will be the preferred method.
NOTE: the Perle will always encrypt the packets that are sent to the RADIUS server even if PAP is being used on the passwords.

To enable reversibly encrypted passwords for a specific user you can modify their User Properties -> Account options -> enable Store Password using Reversible Encryption. You must then reset their password.

To enable reversibly encrypted passwords (CHAP) in a domain (Active Directory server) Group Policy:

Open Active Directory Users and Computers
In the console tree, double-click Active Directory Users and Computers, right-click the domain name, and then click Properties. 
On the Group Policy tab, click Default Domain Policy, and then click Edit. 
In the console tree, click on Windows Settings 
click on Security Settings
click on Accounting Policies
click Password Policy.
In the details pane, double-click "Store password using reversible encryption for all users in the domain"
Click Enabled, and then click OK. 
Reset the user passwords as indicated above.

To enable reversibly encrypted passwords (CHAP) in a domain (stand-alone server) Local Security Policy

Start -> Run -> gpedit.msc
In the console tree, select Computer Configuration -> Windows Settings -> Security Settings -> Account Policy-> Password Policy
Enable "Store password using reversible encryption"

Reversibly Encrypted Passwords can also be enabled on a Per-User basis by enabling it in the User Account profile also.

Check with the Windows Event Viewer -> System Log for troubleshooting.

example message:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/23/2001
Time: 11:30:39 AM
User: N/A
Computer: PERLE-NLHM5IKIP
Description:
User cyung was denied access.
Fully-Qualified-User-Name = W2K\cyung
NAS-IP-Address = 
NAS-Identifier = PTAC 833AS
Called-Station-Identifier = 
Calling-Station-Identifier = 
Client-Friendly-Name = 833AS
Client-IP-Address = 165.154.128.188
NAS-Port-Type = Async
NAS-Port = 23
Policy-Name = 
Authentication-Type = 
EAP-Type = 
Reason-Code = 19
Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account.

In this example one of two problems is detected.
Reversibly encrypted passwords are not enabled in the group policy or the user password has not been reset after the enabling reversibly encrypted passwords policy

Note: if the shared secret is mismatched then IAS may record a "User Is Granted Access" event or deny access with an "Unknown user or bad password" message. The Manager/Dial in Client will fail to connect; with reason of an unknown user or a bad password.

If the Active Directory user account does not have Dial In enabled then IAS will deny access and record a message stating "Unknown user or bad password"

If something goes wrong and you cannot access the 833IS or 833AS unit via Manager then you disable the IAS service and the Perle will timeout after 5 minutes and then perform a local user list lookup (this access is only available from LAN management and does not apply to dial in connnections). On the 833IS you can also telnet to the unit:

Type 'enable'
Type 'config'
Type 'aaa authentication ppp default local'

** In the most extreme case some Perle customers have reported that the IAS service had to be reinstalled due to a system problem where IAS was not returning the correct information to the Perle **

Related Articles:
1.) Trouble shooting utility for RADIUS