0 Votes
BenFaltys-4689 asked

Server 2019 NPS & PEAP

We've recently moved a bunch of network switches to use RADIUS authentication instead of local accounts. Currently, we're using EAP-MD5-Challenge as that is all the switches support. However, I recently got a copy of the newest firmware which adds PEAP. I'm certainly not an expert in the various EAP protocols. When I attempt to log in to my test switch I see an event on the server for a failed login which shows an account name "anonymous" with a denied access event. From what I can tell, PEAP can use an anonymous outer identity. My assumption is that the server would then strip that to get the inner identity with the actual user name/password. In this case that doesn't seem to be happening. The switch vendor is also looking into this, but I want to be sure I understand how this should work and it would also be nice to know if I should see an event with the actual user instead of anonymous.

windows-server

0 Votes
CandyLuo-MSFT answered

Hi,

Thanks for posting here. Please understand that, due to limited resources, we have no such switch device to test in our lab, so it is hard for us to reproduce the phenomenon. In your case, we might need to trace and monitor logs to analyze the cause. However, analysis of traffic is beyond our forum support level and, due to forum security policy, we have no such channel to collect user log information. So we recommend you open a case with MS Professional tech support service; they will help you open a phone or email case with Microsoft, so that you get technical support on a one-to-one basis while protecting private information.

Here is the link:

https://support.microsoft.com/en-us/gp/customer-service-phone-numbers

Best Regards,
Candy


If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


0 Votes
BenFaltys-4689 answered

I was mostly curious as to what I should see on the NPS side when PEAP authentication occurs correctly. I've located one such event and the NPS log shows the actual domain\username instead of domain\anonymous.
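Added example, not part of the thread and not Microsoft's code: one way to check exported NPS events for the difference described in the post above, where a working PEAP logon shows the real account and the failing switch shows only `anonymous`. The sample events are constructed, and the `SubjectUserName` and `NASIPv4Address` field names are assumptions to verify against a real export of NPS events 6272 (granted) and 6273 (denied).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NPS_EVENTS = {6272: "granted", 6273: "denied"}  # NPS access events in the Security log

def _event(eid, user, nas):
    # Builds one constructed sample event; Data names are assumed, check a real export.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="NASIPv4Address">{nas}</Data></EventData></Event>')

# Constructed sample data: a test switch that only ever logs the outer identity,
# and a switch whose logons show the real account.
SAMPLE = "<Events>" + "".join([
    _event(6273, "EXAMPLE\\anonymous", "192.0.2.10"),
    _event(6273, "anonymous", "192.0.2.10"),
    _event(6272, "EXAMPLE\\jdoe", "192.0.2.20"),
    _event(6273, "EXAMPLE\\jdoe", "192.0.2.20"),
    _event(4624, "EXAMPLE\\jdoe", "192.0.2.20"),  # not an NPS event, ignored
]) + "</Events>"

def is_outer_identity(user):
    """True when the logged name is the PEAP placeholder, with or without a realm."""
    name = user.rsplit("\\", 1)[-1].split("@", 1)[0]
    return name.strip().lower() == "anonymous"

def parse_nps_events(xml_text):
    """Return (result, user, nas) for every NPS granted/denied event."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", default="0", namespaces=NS))
        if eid not in NPS_EVENTS:
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        rows.append((NPS_EVENTS[eid], data.get("SubjectUserName", ""),
                     data.get("NASIPv4Address", "")))
    return rows

def nas_logging_only_outer_identity(rows):
    """RADIUS clients for which NPS never recorded a real account name."""
    seen = defaultdict(set)
    for _result, user, nas in rows:
        seen[nas].add(is_outer_identity(user))
    return sorted(nas for nas, flags in seen.items() if flags == {True})

if __name__ == "__main__":
    rows = parse_nps_events(SAMPLE)
    print(nas_logging_only_outer_identity(rows))
```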
