RE: ISA bug blocking IAS authentication?
- From: Ryan <Ryan@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 10 Oct 2006 10:48:02 -0700
I contacted Microsoft Support and here is their response in case anyone else
has this problem:
Based on the problem description, the issue you're experiencing is as follows:
ISA, IAS and VPN are on the same SBS2003 server. The VPN connection works
fine but the wireless radius authentication fails. You may probably receive
the error "The request was discarded by a third-party extension DLL file"
from the event log. If you remove vpnplgin.dll and restart the server, the
wireless radius authentication works but the VPN connection fails.
If I have misunderstood your concern please let me know.
Personally, I really appreciate your time and efforts on researching this
issue and providing those links for my reference. I would like to let you
know that our development team is aware of this issue and they are looking into
it. What appears to be happening is that when the access-accept is sent, not
all RADIUS attributes are sent; this causes the vpnplgin.dll (ISA 2004 VPN
plug-in) to close the connection. Hence clients are rejected.
Currently, we have three workarounds for the wireless connection in this
situation.
Method 1
---------------
Remove the vpnplgin dll from the list of authorization dlls via the
registry. However, this caused the VPN connection failure based on your
description. So, please move to the following two methods.
Method 2 (Server-based solution that requires a 2nd server)
-----------------
Separate IAS from the ISA server. So, you need to make a second server as
your IAS server. If you have a second server on your environment, this is the
recommended method.
Method 3 (Client-based solution)
------------------
Implement WPA with shared keys on your clients. The preshared key is
configured on the wireless AP and each wireless client. For more information,
you can refer to the following articles.
Configuring Windows XP IEEE 802.11 Wireless Networks for the Home and Small
Business
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifisoho.mspx
The Cable Guy - March 2003
http://www.microsoft.com/technet/community/columns/cableguy/cg0303.mspx
In the meantime, I'm contacting the ISA team to see if we can get a hotfix
for this. I will keep you updated once I have any further news. If you have
any questions or supplemental information, please feel free to let me know. I
will contact you again in two business days via e-mail if I do not receive
your response.
Method 1 gave me this problem in the first place and Method 3 sounds like it
bypasses RADIUS altogether.
Anyway, I chose method 2 and it seems to be working.
"Ryan" wrote:
I have an SBS 2003 premium running ISA 2004 and everything is fully
patched/updated. This server is also a VPN server and has IAS and
certificate authority running.
The VPN connections aren't using the certificates but the wireless
connections are.
I have a wireless access point and I was connecting using wpa2 and radius
authentication. That is.. until today.
My wireless setup wasn't working until I did some research and found this
thread:
http://www.velocityreviews.com/forums/t6608-8021x-authentication-issues.html
This was the fix:
Remove (I just renamed it though) the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AuthSrv\Parameters]
"AuthorizationDLLs"="C:\Program Files\Microsoft ISA Server\vpnplgin.dll"
Reboot the server..
My wireless clients started authenticating just fine. The problem was now
my VPN clients can't connect anymore. They authenticate but they can't
connect. The error they get is:
"TCP/IP CP reported error 736"
I have since renamed that registry entry to the original and rebooted so my
VPN clients can connect again but now I can no longer connect via wireless.
The Microsoft Rep in the thread I mentioned seemed to think it's an ISA bug. Is
there any way I can get both my VPN clients and Wireless clients to connect
at the same time?
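
Added example, not part of the thread or of Microsoft's reply: a PowerShell sketch that exports the AuthSrv\Parameters key before anyone edits it, then lists every DLL IAS is configured to load so the vpnplgin.dll registration can be checked and restored exactly. It assumes PowerShell is installed on the server, that CurrentControlSet resolves to the control set the post calls ControlSet001, and it also reads ExtensionDLLs, the sibling IAS value that the thread does not mention.

```powershell
# Added example (not from the thread): back up and audit IAS plug-in DLL registrations.
# Assumption: CurrentControlSet resolves to the control set the post calls ControlSet001.
$regPath = 'HKLM\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
$psPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'

# 1. Export the key first so the original value can be restored exactly.
$backup = Join-Path $env:TEMP ('AuthSrv-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export $regPath $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export of $regPath failed; nothing was changed." }
Write-Output "Backup written to $backup"

# 2. List every DLL IAS is told to load and check that it exists and is signed.
$params = Get-ItemProperty -Path $psPath
foreach ($valueName in 'AuthorizationDLLs', 'ExtensionDLLs') {
    # Values may hold several entries; drop empty ones.
    $dlls = @($params.$valueName) | Where-Object { $_ }
    if (-not $dlls) {
        Write-Output "$valueName : not set"
        continue
    }
    foreach ($dll in $dlls) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        $row = @{ Value = $valueName; Path = $path; Exists = $false; Version = $null; Signature = $null }
        if (Test-Path -LiteralPath $path) {
            $row.Exists    = $true
            $row.Version   = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
            $row.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        # One object per registered DLL, suitable for Format-Table or Export-Csv.
        New-Object PSObject -Property $row
    }
}
```

Importing the exported .reg file and restarting the server puts the registration back as it was, which is the state the post returns to by renaming the entry.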