Issues with IAS/802.1x authentication

From: froowstie (smeg_at_smeg.com)
Date: 10/26/04


Date: Tue, 26 Oct 2004 16:55:59 +1000

Hey there,

I'm setting up a prototype PKI/802.1x lab environment for a customer so they
can leverage the security features for when they decide to implement their new
wireless infrastructure. I've followed the MS Securing Wireless LANs
documentation
(http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx)
when building the lab and have the following servers configured:

1) AD01 - W2k3 DC / Root CA / Primary IAS configured
2) AD03 - W2k3 DC / Secondary IAS configured
3) Windows XP client - joined to the domain
4) Cisco Aironet 1200 - Access point - Configured for WEP encryption and
802.1x/EAP authentication

My computer/user certificates seem to be getting deployed correctly and all
the wireless GPOs are working correctly, but the Windows XP SP1 users cannot
seem to connect to the network. When I check the eventlog I find the IAS
server is throwing up a heap of authentication errors, see below:

User Test3@NEWCREST.COM.AU was denied access.
Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test3
NAS-IP-Address = 192.168.1.100
NAS-Identifier = Commander
Called-Station-Identifier = 000d.bd01.15b0
Calling-Station-Identifier = 0002.2d29.2f60
Client-Friendly-Name = Cisco Wireless AP
Client-IP-Address = 192.168.1.100
NAS-Port-Type = Virtual
NAS-Port = 421
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for
the user account was denied. To allow remote access, enable remote access
permission for the user account, or, if the user account specifies that
access is controlled through the matching remote access policy, enable
remote access permission for that remote access policy.

I'm not that strong with IAS, so I may have missed something in the setup.
But I've basically set up a Remote Access Policy that allows all Wireless
users as long as they have the correct certificate (as specified through the
EAP Methods menu).

So, has anyone seen this error when configuring 802.1x? The Test3 user
account's Remote Access permissions are set to Control access through Remote
Access Policy so I don't know why it's saying the account doesn't have RAS
access when it does. Or does it mean that the Remote Access Policy has
denied access to the user's account for some unknown reason?

Thoughts, comments?

Cheers, James.

P.S. - When I manually grant the user dial-in permissions (through AD Users
and Computers), the IAS error changes to this:

User Test1@NEWCREST.COM.AU was denied access.
 Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test1
 NAS-IP-Address = 192.168.1.100
 NAS-Identifier = Commander
 Called-Station-Identifier = 000d.bd01.15b0
 Calling-Station-Identifier = 0002.2d29.2f60
 Client-Friendly-Name = Cisco Wireless AP
 Client-IP-Address = 192.168.1.100
 NAS-Port-Type = Virtual
 NAS-Port = 287
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = Connections to other access servers
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 66
 Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.
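
Added example, not part of the original post: a small parser for IAS event text like the two events above, reporting which remote access policy handled the request and which NAS-Port-Type the access point sent. The intended policy name `Wireless Access` and the wireless port-type values are assumptions, since the post does not name the wireless policy or list its conditions.

```python
import re

# Abbreviated copy of the first event in the post (Reason line shortened).
SAMPLE_EVENT = """User Test3@NEWCREST.COM.AU was denied access.
Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test3
NAS-IP-Address = 192.168.1.100
NAS-Port-Type = Virtual
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for
the user account was denied.
"""

# Assumptions (not from the post): name of the wireless policy and the
# NAS-Port-Type values its conditions are written to match.
INTENDED_POLICY = "Wireless Access"
WIRELESS_PORT_TYPES = {"Wireless - IEEE 802.11", "Wireless - Other"}

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s=\s(.*)$")

def parse_ias_event(text):
    """Split an IAS event description into {attribute: value}, joining wrapped lines."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            fields[last] += " " + line.strip()  # continuation of a wrapped value
    return fields

def triage(fields, intended_policy=INTENDED_POLICY, port_types=WIRELESS_PORT_TYPES):
    """List what the event says about policy matching for this request."""
    findings = []
    matched = fields.get("Policy-Name")
    if matched != intended_policy:
        findings.append(f"matched policy {matched!r}, not {intended_policy!r}")
    port_type = fields.get("NAS-Port-Type")
    if port_type not in port_types:
        findings.append(f"NAS-Port-Type {port_type!r} is not a wireless type")
    if fields.get("EAP-Type") == "<undetermined>":
        findings.append("EAP-Type not determined")
    findings.append(f"Reason-Code {fields.get('Reason-Code')}")
    return findings
```

Run against either event in the post, it reports that the request was evaluated by `Connections to other access servers` with `NAS-Port-Type = Virtual`, which are the two fields to compare against the conditions of the wireless policy.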


