Re: Issues with IAS/802.1x authentication


From: froowstie (smeg_at_smeg.com)
Date: 10/26/04


Date: Tue, 26 Oct 2004 18:23:03 +1000

Hmmm, well I fixed it, but I'm a little confused as to why it works.

As soon as I modified the IAS Remote Access Policy and removed this policy
condition:

NasPortType = Wireless - IEEE 802.11 or NasPortType = Wireless - Other

... the users started authenticating via their EAP certificates. The weird
thing is that that condition was created as per the MS Securing Wireless
LANs documentation... oh well. Seems to be working now.

Regards, James.

"froowstie" <smeg@smeg.com> wrote in message
news:uLYmWjyuEHA.2096@tk2msftngp13.phx.gbl...
> Hey there,
>
> I'm setting up a prototype PKI/802.1x lab environment for a customer so
> they can leverage the security features for when they decide to implement
> their new wireless infrastructure. I've followed the MS Securing Wireless
> LANs documentation
> (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx)
> when building the lab and have the following servers configured:
>
> 1) AD01 - W2k3 DC / Root CA / Primary IAS configured
> 2) AD03 - W2k3 DC / Secondary IAS configured
> 3) Windows XP client - joined to the domain
> 4) Cisco Aironet 1200 - Access point - Configured for WEP encryption and
> 802.1x/EAP authentication
>
> My computer/user certificates seem to be getting deployed correctly and
> all the wireless GPOs are working correctly, but the Windows XP SP1 users
> cannot seem to connect to the network. When I check the eventlog I find the
> IAS server is throwing up a heap of authentication errors, see below;
>
> User Test3@NEWCREST.COM.AU was denied access.
> Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test3
> NAS-IP-Address = 192.168.1.100
> NAS-Identifier = Commander
> Called-Station-Identifier = 000d.bd01.15b0
> Calling-Station-Identifier = 0002.2d29.2f60
> Client-Friendly-Name = Cisco Wireless AP
> Client-IP-Address = 192.168.1.100
> NAS-Port-Type = Virtual
> NAS-Port = 421
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Connections to other access servers
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 65
> Reason = The connection attempt failed because remote access permission
> for the user account was denied. To allow remote access, enable remote
> access permission for the user account, or, if the user account specifies
> that access is controlled through the matching remote access policy, enable
> remote access permission for that remote access policy.
>
> I'm not that strong with IAS, so I may have missed something in the setup.
> But I've basically set up a Remote Access Policy that allows all Wireless
> users as long as they have the correct certificate (as specified through the
> EAP Methods menu).
>
> So, has anyone seen this error when configuring 802.1x? The Test3 user
> account's Remote Access permissions are set to Control access through
> Remote Access Policy so I don't know why it's saying the account doesn't
> have RAS access when it does. Or does it mean that the Remote Access Policy
> has denied access to the user's account for some unknown reason?
>
> Thoughts, comments?
>
> Cheers, James.
>
> P.S - When I manually grant the user dial-in permissions (through AD Users
> and Computers), the IAS error changes to this:
>
> User Test1@NEWCREST.COM.AU was denied access.
> Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test1
> NAS-IP-Address = 192.168.1.100
> NAS-Identifier = Commander
> Called-Station-Identifier = 000d.bd01.15b0
> Calling-Station-Identifier = 0002.2d29.2f60
> Client-Friendly-Name = Cisco Wireless AP
> Client-IP-Address = 192.168.1.100
> NAS-Port-Type = Virtual
> NAS-Port = 287
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Connections to other access servers
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 66
> Reason = The user attempted to use an authentication method that is not
> enabled on the matching remote access policy.
>
>
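A small model of the policy matching behind the two denials quoted above, added here as an example (not code from the thread or from IAS itself). It assumes simplified IAS semantics: policies are tried in order, the first whose conditions all match is used, an explicit Allow on the account overrides the policy's own permission, and the authentication method must be enabled in the matched policy's profile. The point it shows is that a condition on NAS-Port-Type can never match when the AP reports Virtual, so the request falls through to the default "Connections to other access servers" policy, which denies (reason 65) or, once the account is set to Allow, rejects EAP (reason 66).

```python
from dataclasses import dataclass

# Constructed excerpt modelled on the IAS denial events quoted in the thread.
SAMPLE_EVENT = """NAS-Port-Type = Virtual
Authentication-Type = EAP
Policy-Name = Connections to other access servers
Reason-Code = 65"""

def parse_ias_event(text):
    """Parse the 'Name = value' lines of an IAS event into a dict."""
    attrs = {}
    for line in text.splitlines():
        if " = " in line:
            name, value = line.split(" = ", 1)
            attrs[name.strip()] = value.strip()
    return attrs

@dataclass
class Policy:
    name: str
    conditions: dict           # attribute name -> set of values that satisfy it
    grant: bool                # policy permission, used when the account says "control via policy"
    eap_allowed: bool = False  # is EAP enabled in this policy's profile?

    def matches(self, attrs):
        # A policy matches only when every condition is satisfied; no conditions = catch-all.
        return all(attrs.get(a) in vals for a, vals in self.conditions.items())

def evaluate(policies, attrs, account_dialin="policy"):
    """Return (matched policy name, reason code); 0 means access granted.
    Assumption: simplified IAS semantics, policies tried in order, first match wins."""
    for p in policies:
        if not p.matches(attrs):
            continue
        allowed = True if account_dialin == "allow" else p.grant  # explicit Allow overrides policy
        if not allowed:
            return p.name, 65   # remote access permission denied (reason 65 in the thread)
        if attrs.get("Authentication-Type") == "EAP" and not p.eap_allowed:
            return p.name, 66   # auth method not enabled on matched policy (reason 66)
        return p.name, 0
    return None, None           # no policy matched; IAS rejects the request

WIRELESS_PORT_TYPES = {"NAS-Port-Type": {"Wireless - IEEE 802.11", "Wireless - Other"}}
CATCH_ALL = Policy("Connections to other access servers", {}, grant=False)

def with_condition(attrs, dialin="policy"):
    """The original setup: wireless policy keyed on NAS-Port-Type, then the default deny policy."""
    return evaluate([Policy("Wireless EAP", WIRELESS_PORT_TYPES, True, True), CATCH_ALL], attrs, dialin)

def without_condition(attrs, dialin="policy"):
    """The fix from the thread: NAS-Port-Type condition removed (other conditions omitted here)."""
    return evaluate([Policy("Wireless EAP", {}, True, True), CATCH_ALL], attrs, dialin)
```

Checking the NAS-Port-Type value an AP actually sends (here Virtual) against every value listed in the policy condition is the quickest way to tell a fall-through to the default policy from a genuine account permission problem.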


