Self Assigned IP even though I am Authenticated via PEAP(MSCHAPv2) to WPA2

Similar Messages

• IPhone does not come up as a device on my PC when ITunes loads even though it is connected via USB

  IPhone does not come up as a device on my PC when ITunes loads even though it is connected via USB

  Hi ICF Vic,
  Thanks for visiting Apple Support Communities.
  You can use our iPhone Troubleshooting Assistant to resolve the connection issue you're seeing:
  iPhone not appearing in iTunes
  http://www.apple.com/support/iphone/assistant/itunes/
  All the best,
  Jeremy

• In the context of restoring a drive from a backup, i copied /etc/sudoers from my backup. Now it does not work due to the permissions not being correct (even though it was copied via sudo cp -rp)

  In the context of restoring a drive from a backup, i copied /etc/sudoers from my backup. Now it does not work due to the permissions not being correct (even though it was copied via sudo cp -rp)

  Most likely you have Office 2004 which are PPC-only applications and will not work in Lion. Upgrade to Office 2011. Other alternatives are:
  Apple's iWork suite (Pages, Numbers, and Keynote.)
  Open Office (Office 2007-like suite compatible with OS X.)
  NeoOffice (similar to Open Office.)
  LibreOffice (a new direction for the Open Office suite.)

• 802.1x wired authentication via PEAP, MD5

  Hi everyone,
  Thank you for taking the time for reading this, I am implementing a security solution and wanted to take th benefit of implementing 802.1x over wire. I have been searching a bit but no much info from start to finish on how to implementing this solution,
  i would really appreciate if someone could point me some where  to find  detailed instruction on how to do this, as so far i have been configuring in multiple way bit no result out of it. Still a orange port color on my switch, that means the first
  hop of security work but the next no.
  Thank you in advance to read this.

  Hi,
  According to your description, my understanding is that you want to deploy 802.1x wired authentication via PEAP, MD5 and need instructions about this.
  Some articles and just for your reference:
  802.1X Authenticated Wired Access Overview
  https://technet.microsoft.com/en-us/library/hh831831.aspx
  802.1X Authenticated Wired Access Design Guide
  https://technet.microsoft.com/library/dd378864(WS.10).aspx
  IEEE 802.1X Wired Authentication
  https://technet.microsoft.com/en-us/magazine/2008.02.cableguy.aspx
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• My ipad1 won't play movies on my tv even though it is connected via VGA adapter,

  Why won't my ipad 1 play movies on my tv via the ipad VGA adapter?

  Make sure you are not set to Work Offline in File menu.
  There is a possibility that your connection dropped even briefly, more so if using wireless. Make sure Firefox is not set to "[v] Work Offline" in File menu just above Exit.
  By default, Firefox 3.5 and 3.6 will automatically use offline mode if there is no network connection. Under certain conditions, after the connection is reestablished it may remain in offline mode without the user's knowledge. Firefox 4 and newer prevents this behavior by default. To prevent this behavior in versions 3.5 and 3.6, add an entry to the '''about:config''' options, as follows.
  * Type '''about:config''' in Location (address) bar
  * Right-click on the about:config page to open the right-click context menu and use "New > Boolean" to create a new Boolean preference. Name: '''network.manage-offline-status'''. Value: '''false'''
  http://kb.mozillazine.org/Error_loading_any_website#Work_Offline_Setting

• New iPad Air won't go to app store, even though it's verified via email

  I just got an iPad Air today, and I created an apple ID, and verified it through my email, but every time I go to the app store or messaging on the iPad, it says my account is not verified. I've verified the account several times through my email. Any suggestions?

  You can connect via a cable or wireless using an Apple TV.
  http://ipad.about.com/od/iPad_Guide/a/How-To-Connect-Your-Ipad-To-Your-Tv.htm
  Connect an iPad to a Television or Projector
  http://www.everymac.com/systems/apple/ipad/ipad-faq/how-to-connect-ipad-to-tv-te levision-projector.html
  iPad Accessories: Connections for a TV or Projector
  http://www.dummies.com/how-to/content/ipad-accessories-connections-for-a-tv-or-p rojector.html
  You may be interested in AirPlay on the Apple TV:
  Apple - AirPlay - Play content from iOS devices on Apple TV
  http://www.apple.com/airplay/
  Alternately, there are Apple Digital AV Adapters for hardwired connections:
  iOS: About Apple Digital AV Adapters
  http://support.apple.com/kb/ht4108
   Cheers, Tom

• Authentication via RADIUS : MSCHAPv2 Error 691

  Hello All,
  I am working on setting up authentication into an Acme Packet Net-Net 3820 (SBC) via RADIUS. The accounting side of things is working just fine with no issues. The authentication side of things is another matter. I can see from a packet capture that the access-request
  messages are in fact getting to the RADIUS server at which point the RADIUS server starts communicating with the domain controllers. I then see the chain of communication going back to the RADIUS and then finally back to the SBC. The problem is the response
  I get back is always an access-reject message with a reason code of 16 (Authentication failed due to a user credentials mismatch. Either the user name provided does not match an existing user account or the password was incorrect). This is confirmed by looking
  at the security event logs where I can see events 4625 and 6273. See the events below (Note: The names and IPs have been changed to protect the innocent):
  Event ID: 6273
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  real_domain
  Fully Qualified Account Name:
  real_domain\real_username
  Client Machine:
  Security ID:
  NULL SID
  Account Name:
  Fully Qualified Account Name:
  OS-Version:
  Called Station Identifier:
  Calling Station Identifier:
  NAS:
  NAS IPv4 Address:
  10.0.0.10
  NAS IPv6 Address:
  NAS Identifier:
  radius1.real_domain
  NAS Port-Type:
  NAS Port:
  101451540
  RADIUS Client:
  Client Friendly Name:
  sbc1mgmt
  Client IP Address:
  10.0.0.10
  Authentication Details:
  Connection Request Policy Name:
  SBC Authentication
  Network Policy Name:
  Authentication Provider:
  Windows
  Authentication Server:
  RADIUS1.real_domain
  Authentication Type:
  MS-CHAPv2
  EAP Type:
  Account Session Identifier:
  Logging Results:
  Accounting information was written to the SQL data store and the local log file.
  Reason Code:
  16
  Reason:
  Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  Event ID: 4625
  An account failed to log on.
  Subject:
  Security ID:
  SYSTEM
  Account Name:
  RADIUS1$
  Account Domain:
  REAL_DOMAIN
  Logon ID:
  0x3E7
  Logon Type: 3
  Account For Which Logon Failed:
  Security ID:
  NULL SID
  Account Name:
  real_username
  Account Domain:
  REAL_DOMAIN
  Failure Information:
  Failure Reason:
  Unknown user name or bad password.
  Status:
  0xC000006D
  Sub Status:
  0xC000006A
  Process Information:
  Caller Process ID:
  0x2cc
  Caller Process Name:
  C:\Windows\System32\svchost.exe
  Network Information:
  Workstation Name:
  Source Network Address:
  Source Port:
  Detailed Authentication Information:
  Logon Process:
  IAS
  Authentication Package:
  MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  Transited Services:
  Package Name (NTLM only):
  Key Length:
  0
  This event is generated when a logon request fails. It is generated on the computer where access was attempted.
  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
  The Process Information fields indicate which account and process on the system requested the logon.
  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
  The authentication information fields provide detailed information about this specific logon request.
  - Transited services indicate which intermediate services have participated in this logon request.
  - Package name indicates which sub-protocol was used among the NTLM protocols.
  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
  So at first glance it would seem that the issue is merely a case of an invalid username or mismatched password. This is further confirmed in the packet capture where I can see the MSCHAPv2 response has an error code of 691 (Access denied because username or
  password, or both, are not valid on the domain). The thing is I know I am using a valid username and I have tried many usernames including new ones I created just for troubleshooting. I don't know how many times I have reset the password in an attempt to ensure
  it is not a mismatch password. I have even made sure to use passwords that are fairly short and contain only letters to ensure there was no terminal encoding issues (we connect to the SBC via SSH clients). I have also done this same thing with the shared secret
  used during communication between the SBC and the RADIUS server. I have tried prefixing the username with the domain name at login (though I don't think that should be necessary). I have also tried using the full UPN of the user to login. I have tried several
  RADIUS testing clients (NTRadPing, RadiusTest, etc.), but they either don't support MSCHAPv2 or only support EAP-MSCHAPv2. I have even created my own client using PHP's PECL RADIUS module. Still it always seems to fail with the MSCHAPv2 authentication with
  an error code of 691. Does anyone have any ideas as to why I always get an invalid username or bad password response when I have done everything possible to ensure that is not the case?
  Here are the specs for our RADIUS configuration:
  Windows Server 2012 R2
  SQL Server 2012 Back End Database for accounting.
  The server has been authorized on the domain and is a member of the "RAS and IAS Servers" group. For which that group does have access to the accounts we are testing with.
  The accounts we are testing with do have the "Control access through NPS Network Policy" option checked under their "Dial-in" property tab.
  RADIUS clients configured to simply match on the IP address which you can see from the events above that it is applying the client friendly name.
  Connection Request Policy: The "SBC Authenication" policy is being applied as seen above. The only condition is a regex expression that does successfully match the friendly name.
  Network Policy: As seen in events above, none are getting applied. For troubleshooting purposes I have created a Network Policy that is set to "1" for the processing order and its only condition is a Day and Time Restriction currently set to any
  time, any day.
  The authentication method is set to only MSCHAPv2 or MSCHAPv2 (User can change password after it has expired). I have tried adding this to just the Network Policy and I have also tried adding this to the Connection Request Policy and setting it to override
  the authentication method of the Network Policy.
  We do have other RADIUS servers in our domain that use PEAP to authenticate wireless clients and they all work fine. However, we need this to work with MSCHAPv2 only (No EAP).
  All other configurations are set to the defaults.
  The only other things of note to consider is the fact that in the events above you can see that the Security ID is "NULL SID". Now I know this is common especially among failed logons but given that this issue is stating an invalid username or
  bad password, perhaps it matters in this case. Also, this server has been rebuilt using the same computer account in Active Directory. I do not know if it would have worked before the rebuild. Essentially we built this server and only got as far as authorizing
  the server to the domain and adding SQL when we decided to separate out the SQL role onto another server. Rather than uninstalling SQL we just rebuilt the machine. However, before reinstalling Windows I did do a reset on the computer account. I don't think
  this should matter but thought I would point it out if there is some weird quirk where reusing the same SID of a previously authorized NPS server would cause an issue.
  All in all it is a fairly basic setup and hopefully I have provided enough information for someone to get an idea of what might be going on. I hope this was the right forum to post this too, I figured there would be a higher number of RADIUS experts here than
  any of the other categories. Apologies if my understanding of this seems a bit basic, after all, when it comes to RADIUS servers I guess you could say I'm the new guy here.

  Update 1:
  In an attempt to further troubleshoot this issue I have tried bringing up additional servers for testing. Here are the additional tests I have performed.
  Multiple Domains
  I have now tried this in 3 different isolated domains. Both our test and production domains as well as my private home domain which has very little in the way of customizations aside from the modifications made for Exchange and ConfigMgr. All have the same
  results described above.
  VPN Service
  Using Windows Server 2012 R2 we brought up a separate server to run a standard VPN setup. The intent was to see if we could use RADIUS authentication with the VPN and if that worked we would know the issue is with the SBCs. However, before we could even
  configure it to use RADIUS we just attempted to make sure it worked with standard Windows Authentication on the local VPN server. Interestingly, it too fails with the same events getting logged as the RADIUS servers. The client machine being a Windows 8.1
  workstation. Again I point out that we have working RADIUS servers used specifically for our wireless environment. The only difference between those RADIUS servers and the ones I am having problems with is that the working wireless servers are using PEAP instead
  of MSCHAPv2.
  FreeRADIUS
  Now I'm no Linux guru but I believe I have it up and running. I am able to use ntlm_auth to authenticate users when logged on to the console. However, when the radiusd service tries to use ntlm_auth to do essentially the same thing it fails and returns the
  same message I've been getting with the Windows server (E=691). I have the radiusd service running in debug mode so I can see more of what is going on. I can post the debug info I am getting if requested. The lines I am seeing of particular interest however
  are as follows:
  (1) ERROR: mschap : Program returned code (1) and output 'Logon failure (0xc000006d)'
  (1) mschap : External script failed.
  (1) ERROR: mschap : External script says: Logon Failure (0xc000006d)
  (1) ERROR: mschap : MS-CHAP2-Response is incorrect
  The thing to note here is that while we are essentially still getting a "wrong password" message, the actual status code (0xc000006d) is slightly different than what I was getting on the Windows Servers which was (0xc000006a). From this document
  you can see what these codes mean:
  NTSTATUS values . The good thing about this FreeRADIUS server is that I can see all of the challenge responses when it is in debug mode. So if I can wrap my head around how a MSCHAPv2 response is computed I can compare it to see if this is simply a miscomputed
  challenge response. Update: Was just noticing that the 6a code is just the sub-status code for the 6d code. So nothing different from the Windows Servers, I still wonder if there is a computation error with the challenge responses though.
  Currently, I am working on bringing up a Windows Server 2008 R2 instance of a RADIUS server to see if that helps at all. However, I would be surprised if something with the service broke between W2K8 R2 and W2K12 R2 without anyone noticing until now. If this
  doesn't work I may have to open a case with Microsoft. Update: Same results with W2K8 R2.

• Bizarre WiFi Connectivity Issue; Self-Assigned IPs, Static IP Doesn't work

  The short and sweet of the problem: Macs/Apple Devices are pulling self-assigned IP addresses when connecting to a Linksys EA6900/AC1900 router.
  Here’s the detail: I am working at an office with 1 Airport Extreme and 1 Linksys EA6900/AC1900, both are configured for Bridge Mode and both use WPA. DHCP is being handled by a Watchguard XTM5 series firewall.
  When Macs (and often iPhones) connect to the Linksys (on 2.4 or 5Ghz) they get a self-assigned IP address. If you enter a manual address you still do not have any connectivity. However, if you connect to the Extreme you will instantly get an IP address, and if you switch to the Linksys your DHCP address will carry over and you will retain connectivity. This problem does not happen to the Windows machines in the office- they all connect to all base stations without any issue. Total users on the network range from 5 to 20 WiFi users at any given time plus and AppleTV (also affected).
  More info: When there are between 5-10 people in the conference room for a morning meeting the Macs will all revert to self-assigned addresses (even if they were working before). The workaround has been to connect to the Extreme, but there are occasions when this occurs that the Extreme will also not seem to pass the DHCP addresses from the firewall; addresses become self-assigned and you lose all internet. To make matters more odd, this behavior seems to really only affect the network during business hours; after hours the Linksys works pretty much normally and any device can connect without issue.
  Things I’ve done: Run Wireshark and located a number of rogue devices that were handing out overlapping DHCP addresses. Identified machines that were ARP storming and removed them. Expanded the DHCP pool so that we aren’t running out of addresses and confirmed that we had enough by checking the logs.
  More things I’ve done: Used Netspot to check signal strength and channel overlap and isolation. I have mapped the signal strength by location and we have strong signals to the various locations (the Linksys AP is 7 feet from the conference room). I have checked that the firmware is the most recent version.
  I can’t find any logical reason for the Macs (and pretty much only the Macs/Apple devices) to not be picking up DHCP info through the bridge mode devices. I would tell them to get another Extreme but they are going to be deploying a Cisco Meraki system soon and I suspect that this problem will persist since the Linksys was put in place because the last AP displayed the same behavior with the Macs picking up self-assigned IPs. Affected Macs range from 2010 era MBP and Air to 2013 MBP and Air and they are running OSX 10.8 through 10.10.
  As for the history of this network, I just walked into this company and know very little about how well it worked before, but apparently it has always been flaky according to the staff.

  I agree that something isn't right; I am going to cut over DHCP services from the Watchguard to the newly deployed OS X Server tonight and see  if that changes anything.
  On the other hand, faulty DHCP server/client settings doesn't explain why applying a static IP still leaves you with no connectivity. I think that clue is also fairly important but I can't figure out what would be blocking connectivity on a static IP setup.

• Self-assigned IP, no IP, no authentication server!

  As most people in threads related to this problem have stated, this issue presented without provocation. The Internet stopped working during a thunderstorm, turned back on, and my computer is the only one having problems in the house. That being said, I've been browsing through countless solutions to no avail. But first, the problem.
  The wi-fi status symbol in the menu bar constantly displays the "searching" icon. When I click on Network Preferences and try to join my network (if it even shows up), the wifi bar on the left toolbar displays a yellow circle, and wavers between "no IP address" and "self-assigned IP". I'll also see "802.1x:default authenticating". It always end up with "authentication server is not responding".
  I've tried deleting my network from keychain access, I've tried creating a new location and renewing the dhcp lease, and I've restarted my computer multiple times during the process. Nothing seems to be working. Any ideas?

  It's trying to authenticate to a RADIUS server. If you haven't set that up or don't know what it means, delete the Wi-Fi connection in the Network preference pane and recreate it with the same settings. If you have set up a RADIUS server, it isn't working or isn't reachable.

• Airport has self-assigned IP address, authentication step fails

  I am a computing consultant at a Pennsylvania university and am trying to configure the airport service on a 15" MacBook Pro (pre-unibody style ~2007) running 10.6.5.
  We are trying to connect to a WPA2 Enterprise wireless network that requires username and password authentication before assigning an IP address. We configure Macs all the time here and they all work very well, in fact my own personal Macs haven't ever given me trouble. But the machine I'm working on at the moment just cannot obtain a correct IP address. We know for sure this is not a network or user account credential problem. It must be on the client computer side.
  I have tried removing all old user profiles and certificates from the Keychain (our network grants a certificate automatically for new connections), I deleted preference files from the /Library/Preferences/SystemConfiguration folder, I have removed the Airport service from Network Connections, rebooted the machine and performed 3 PRAM resets just for good measure, re-added the Airport service and tried a fresh configuration. I also created and entirely different user account and tried configuring. The only thing I have not tried is reinstalling the OS which I'm really trying to avoid because I'd like to learn what is actually causing this problem. None of the above attempts have been successful.
  Has anyone encountered this before in an enterprise environment? Does anyone have any ideas that I should try?
  Thanks in advance!

  Something like one year ago or so, i had to reinstall the OS cuz i wasn't able to make the iPhone recognized over usb for the tethering conenction...
  only AFTER i found out it was related to the OS booting in 64 bits, not just 32 and using the 64 capability for those programs who required it.
  I had to deal with self assigned ip too, while sharing internet conenction from airport through ethernet to another mac, but i dunno if that should help you.

• Users stills appear to have transactions assigned even though roles have been removed.

  Hi,
  I'm currently looking at a number of users with access to sensitive transactions (e.g. SCC4).
  When looking at a combination of the AGR_ROLES and AGR_TCODES tables I can see there is currently only one active role and one active user assigned this access which would fall in line with what was to be expected based on the population I am looking at (we're not concentrating on auth object level for now).
  However when I go through SUIM and filter on users by complex criteria and enter transaction code SCC4, about 20-30 users pop up (this is how many people used to be assigned access to SCC4).
  When access was removed for these 20-30 users, it was done at 'role level' so my question is, even if roles have been removed, when looking through SUIM would a user still appear to have transactions associated with that role assigned - if so, why does this happen? I assumed once a role is removed it would removed the underlying transactions etc with it?
  My assumption at the moment is that even though SUIM is showing users still have access to SCC4 they can't actually use it as the role it was associated with has been removed.
  Any help/clarity on this would be greatly appreciated.

  Hi Johnny,
  Please do perform the User comparison.
  Goto PFCG  -> Role Name -> user comparision
  then check in SUIM still user is having that Tcode or not .
  for detail
  Go to SUIM
  Roles by complex selection criteria -> put Tcode there
  it will give you Roles name having that tcode . and then you go to that Role and you will get list of Users in PFCG (User assignment Tab) .
  same goes with User
  SUIM - Users  by complex selection criteria - > put tcode -> Profiles associated with - > roles assosiated with it .
  But i suggest after you make any changes to Role / Profile you please do user comparision .
  Regards
  Dishant Pathak

• Why does my iphone phone by it self ?even though its password protected, switched off, and has a hard cover over the screen.

  why does my iphone phone by it self ?even though its password protected, switched off, and has a hard cover over the screen.

  the phone started to phone by itself  only numbers in my addressbook, now its phoning random people, has any one any ideas?  also i find it pure cheek from apple that i paid for a phone that cost 100,s € and i have to pay for tech support.

• TS1424 my dad gave me his mac. we deleted and reinstalled mac os and everything works great except for when i go to update garageband it says that it is still assigned to my dads itunes id even though he is no longer using a mac. what do i do?

  my dad gave me his mac. we deleted and reinstalled mac os and everything works great except for when i go to update garageband it says that it is still assigned to my dads itunes id even though he is no longer using a mac. what do i do?

  thank u 4 yr help , i have managed to do it after all. i downloaded the iphone 3gs ios 4.2 manual and it explained everything i had to do on there ... all i had to do was put my sim into phone ,then connect usb lead and then open my i tunes , i clicked on my iphone and went into summery and straight away it synchronized my phone and yay up popped my sim card and ready to use ('',) many thanks though 4 yr help wendy

• Charged for failed self install even though it was outside cable issue

  Recently I moved and opted for self-install. I did all the set up correctly on my end but was still not getting internet service. I called and a technician was sent out and the technician also couldn't set it up because he determined the issue was with the outside line. He told me another technician would need to come out, at no charge to me, to run a new wire into the apartment for me to get service. The second technician came out a week later and did the work and again, no mention of charges for services was given or indicated on the receipt I was left with and signed. Sure enough I check my bill this month and there is a failed self-install fee of $100! I talked to customer service in chat and they said the best they could do is $30 even though I was told I would NOT be charged for the 2nd technician. I was also told that $50 service charges are mandatory whenever someone comes out, even though this specific charge is for a bogus failed self-install and not for a generic service visit. It wouldn't be so much of an issue if the first technician had just said "by the way it will cost $100 for the 2nd technician to install the new wiring from the cable box" instead of telling me it would be free. Why can't the technicians and service reps just be up front from the begining? This has been very frustrating. I still don't see the $30 credit and I should be getting a FULL credit because charge is completely bogus and the technicians should be trained to explain in advance all fees for services 
  BEFORE I authorize service.

  @rick_a_shae
  I am sorry for your troubles. I have sent you a private message to assist you further.

• I can't connect to my school's free wifi. i was able to do it before but not anymore i get the self assign ip agrees message .it has no password only a pop up window before you connect to agree to school terms for wifi use. i don't get that window anymore

  I can't connect to my school's free wifi. i was able to do it before but not anymore i get the self assign ip addrees message .it has no password only a pop up window before you connect to agree to school terms for wifi use. i don't get that window anymore. i tried everything I can think of. It is a 2010 macbook pro but i recentrly updated to osx lion and even with lion it was working fine so I nkow it is not the update. also Im able to connect to other internets at home it works great. starbucks too.  but i became so frustated that i reset my computer to manufactuter setting and reinstall snow leopard on it. still I cant connect. I need help please i have been searching all over the web for help and i see people has been having this same problem for years now.. oh yeah and i know it is not the internet cuz there are other macs connecting to it without a single problem so i think it is an isolated problem plase help....i have follow many advises such as delete the internet from your prefered netwoks. restar your commputer etc etc.

  Be sure Safari does not have the Block Pop-Up Windows preference set.
  Where I work now there are several unencrypted VLANs that require authentication, and Safari promptly pops up a window for me to register every time.