Troubleshoot PEAP Authentication

Environment:

Wireless PEAP with Windows Active Directory domain authentication is configured (see http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-peap-authentication/6148543 for the setup details).

Windows Server 2003 with a self-signed digital certificate as the RADIUS server.

Wireless access managed by the Active Directory “WiFi Users” security group.

Access Point: Cisco WAP4410N with firmware 2.0.5.3

Access Point Configuration:

  • Discovery (By Bonjour): Enabled
  • Wireless Security Mode: WPA2-Enterprise Mixed (WPA Algorithm: TKIP or AES)
  • Primary RADIUS Server: Windows Server 2003 RADIUS server IP address
  • Primary RADIUS Server Port: 1812
  • Wireless Connection Control (MAC address filter): Disabled

Problem:

Users in the Active Directory “WiFi Users” security group were able to authenticate and access the wireless network from wireless devices (iPhone, iPad, Windows Phone 7.5, Windows XP with SP3, Windows 7, Mac OS X, etc.) configured for PEAP authentication. One day in August 2012, the Windows Server 2003 RADIUS server was updated with the latest Microsoft security updates. After that, only iOS devices (maybe Mac OS X too) could authenticate and access the wireless network; all Windows-based devices kept getting connection failures even though the configuration and authentication were correct.

Troubleshoot:

The RADIUS server System log shows a warning from source IAS, event ID 2. The user was denied access; Reason-Code = 266; Reason = The message received was unexpected or badly formatted.

Solution:

Scenario 2 in the KB article (http://support.microsoft.com/kb/933430) matches this issue. Using method 3 in the KB article resolved the problem.

Linux “No space left on device” Error

Symptom:

A web site is down, but the httpd service (lighttpd in my case) starts okay. Restarting the service does not fix the problem.

touch test_file fails with the “No space left on device” error.

df -h shows a lot of free disk space:

Filesystem            Size  Used Avail Use% Mounted on
/dev/sdb1              10G  2.8G  6.8G  29% /
/dev/sda1              99M   21M   74M  22% /boot
tmpfs                 125M     0  125M   0% /dev/shm

Problem:

The filesystem is out of inodes (df -i output):

Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/sdb1             655776  655776       0  100% /
/dev/sda1              26208      38   26170    1% /boot
tmpfs                  31871       1   31870    1% /dev/shm

Fix:

Find files of a certain size (e.g. greater than three blocks in this example) to locate these files (in my case they are the Ruby session files in /srv/www/lighttpd/rails/tmp/sessions; the file names are ruby_sess.xxxxxxxx):

find / -size +3 -print

But rm -f ruby_sess.* failed with “bash: /bin/rm: Argument list too long” (see http://en.kioskea.net/faq/1086-unable-to-delete-file-argument-list-too-long).

ls ruby_sess.* | xargs rm fails with “-bash: /usr/bin/ls: Argument list too long”.

find . -type f -name ruby_sess.* | xargs rm fails with “-bash: /usr/bin/find: Argument list too long”.

Finally, find . -name "ruby_sess.*" | xargs rm worked, because the quoted pattern is passed to find as-is instead of being expanded by the shell into one argument per file:

Filesystem            Inodes   IUsed   IFree IUse% Mounted on
/dev/sdb1             655776  122320  533456   19% /
/dev/sda1              26208      38   26170    1% /boot
tmpfs                  31871       1   31870    1% /dev/shm
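
The following added example (not part of the original post) generalizes the fix: it flags full filesystems from df -i output, ranks directories by entry count to find the one consuming the inodes, and deletes by quoted pattern through find. The function names and the scratch-directory demo data are constructed for illustration.

```bash
# Added example, not from the original post. Function names are hypothetical.

# inodes_over PCT: read `df -i` output on stdin and print the mount points
# whose IUse% is at or above PCT. Rows reporting "-" for IUse% are skipped.
inodes_over() {
    awk -v limit="$1" 'NR > 1 && $5 ~ /^[0-9]+%$/ {
        sub(/%/, "", $5)
        if ($5 + 0 >= limit + 0) print $6
    }'
}

# inode_hogs DIR [N]: list the N directories under DIR that hold the most
# entries (each file, directory or symlink uses an inode). -xdev keeps find
# on the one filesystem that is full.
inode_hogs() {
    find "${1:-/}" -xdev 2>/dev/null |
        sed -e 's|/[^/]*$||' -e 's|^$|/|' |
        sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# purge_matching DIR PATTERN: delete regular files directly inside DIR whose
# names match PATTERN. The quoted pattern reaches find unexpanded, and
# `-exec ... {} +` batches the names below the kernel argument-size limit,
# so "Argument list too long" cannot occur however many files match.
purge_matching() {
    find "$1" -xdev -maxdepth 1 -type f -name "$2" -exec rm -f -- {} +
}

# Constructed demo in a scratch directory; runs in a subshell and touches
# nothing outside the directory it creates.
demo() (
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/sessions" "$d/app"
    i=0
    while [ "$i" -lt 500 ]; do : > "$d/sessions/ruby_sess.$i"; i=$((i + 1)); done
    : > "$d/sessions/keep.me"
    : > "$d/app/config.rb"
    inode_hogs "$d" 3                            # sessions/ is at the top
    purge_matching "$d/sessions" 'ruby_sess.*'
    ls -A "$d/sessions"                          # only keep.me is left
    rm -rf "$d"
)

demo
```

On a live site, adding an age test such as -mtime +1 to the find in purge_matching would leave current sessions in place.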

Delete “Account Unknown” Local User Profiles

Issue:

On Windows XP or Server 2003, under Control Panel / System / Advanced / User Profiles / Settings, there are some “Account Unknown” user profiles, but the Delete button is grayed out. When trying to delete the profile from the “c:\documents and settings” folder, the error message is “Cannot delete NTUSER.DAT: It is being used by another person or program. Close any programs that might be using the file and try again.”

Solution:

  1. Install “User Profile Hive Cleanup Service” (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=6676)
  2. Run uphclean.exe
  3. Then the “Delete” button becomes available


Note: the User Profile Deletion Utility (delprof.exe) (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=5405) cannot delete the “Account Unknown” profile, but it is useful for cleaning up normal user profiles whose accounts are still active (delprof.exe /p /c:\\servername).

Use WinSCP to Transfer Files in vCSA 6.7

This is a quick update on my previous post “Use WinSCP to Transfer Files in vCSA 6.5”. When I try the same SFTP server setting in vCSA 6.7...