Re: Issues with IAS/802.1x authentication

From: Sam Salhi [MSFT] (samers_at_online.microsoft.com)
Date: 10/26/04 

Date: Tue, 26 Oct 2004 01:26:37 -0700

What's happening is basically IAS is set to deny access in the matching
policy
from the event below you need to modify the policy on IAS server (the policy
name from the event below is :"Connections to other access servers". Just
double click it, and select "Grant remote access permission"

Good luck

Let us know if this helps 

-- 
      =============================================
  This posting is provided "AS IS" with no warranties, and confers no 
rights.
      =============================================
"froowstie" <smeg@smeg.com> wrote in message 
news:uLYmWjyuEHA.2096@tk2msftngp13.phx.gbl...
> Hey there,
>
> I'm setting up a prototype PKI/802.1x lab environment for a customer so 
> they
> can leverage the security features for when decide to implement their new
> wireless infrastructure. I've followed the MS Securing Wireless LANs
> documentation
> (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx)
> when building the lab and have the following servers configured:
>
> 1) AD01 - W2k3 DC / Root CA / Primary IAS configured
> 2) AD03 - W2k3 DC / Secondary IAS configured
> 3) Windows XP client - joined to the domain
> 4) Cisco Aironet 1200 - Access point - Configured for WEP encryption and
> 802.1x/EAP authentication
>
> My computer/user certificates seem to be getting deployed correctly and 
> all
> the wireless GPOs are working correctly, but the Windows XP SP1 users 
> cannot
> seem to connect to the network. When I check the eventlog I find the IAS
> server is throwing up a heap of authentication errors, see below;
>
> User Test3@NEWCREST.COM.AU was denied access.
> Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test3
> NAS-IP-Address = 192.168.1.100
> NAS-Identifier = Commander
> Called-Station-Identifier = 000d.bd01.15b0
> Calling-Station-Identifier = 0002.2d29.2f60
> Client-Friendly-Name = Cisco Wireless AP
> Client-IP-Address = 192.168.1.100
> NAS-Port-Type = Virtual
> NAS-Port = 421
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Connections to other access servers
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 65
> Reason = The connection attempt failed because remote access permission 
> for
> the user account was denied. To allow remote access, enable remote access
> permission for the user account, or, if the user account specifies that
> access is controlled through the matching remote access policy, enable
> remote access permission for that remote access policy.
>
> I'm not that strong with IAS, so I may have missed something in the setup.
> But I've basically setup a Remote Access Policy that allows all Wireless
> users as long as they have the correct certificate (as specified thru the
> EAP Methods menu|)
>
> So, has anyone seen this error when configuring 802.1x? The Test3 user
> account's Remote Access permissions are set to Control access through 
> Remote
> Access Policy so I don't know why it's saying the account doesn't have RAS
> access when it does.. Or does it mean that the Remote Access Policy has
> denied access to the users account for some unknown reason?
>
> Thoughts, comments?
>
> Cheers, James.
>
> P.S - When I manually grant the user dial-in permissions (through AD Users
> and Computers), the IAS error changes to this:
>
> User Test1@NEWCREST.COM.AU was denied access.
> Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test1
> NAS-IP-Address = 192.168.1.100
> NAS-Identifier = Commander
> Called-Station-Identifier = 000d.bd01.15b0
> Calling-Station-Identifier = 0002.2d29.2f60
> Client-Friendly-Name = Cisco Wireless AP
> Client-IP-Address = 192.168.1.100
> NAS-Port-Type = Virtual
> NAS-Port = 287
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = Connections to other access servers
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 66
> Reason = The user attempted to use an authentication method that is not
> enabled on the matching remote access policy.
>
>

Relevant Pages

  • Re: RADIUS (IAS) and Cisco Concentrator? (PDF Attachment)
    ... go to the "Remote Access Policies" and double-click the policy you ... click Edit Profile and select the Authentication tab. ... Authentication-Provider = Windows ...
    (microsoft.public.windows.server.active_directory)
  • Re: Etablishing a enterprise solution for guest and employee access
    ... The problem I see is guest computers or guest users have no credentials to ... the radius server never gets an authentication request to match ... the guest remote access policy's profile ... ... > policy example topic. ...
    (microsoft.public.internet.radius)
  • Re: RADIUS (IAS) and Cisco Concentrator? (PDF Attachment)
    ... so I simple copy the settings to another IAS server and register in AD then the new one will be a failover? ... Registering IAS with AD effectively tells AD not to accept External Authentication requests from other sources. ... You can have multiple IAS servers registered at the same time, so you can tell your Concentrator to follow a chain of servers if the first one doesn't respond. ... At the bottom of the properties window, select "Grant remote access permission" and then click OK. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Services fail on startup after service pack 1
    ... client after authentication" right in Domain Controllers security ... the Domain security Policy it is not configured at all. ... I will role back our test servers and try again with these configured ...
    (microsoft.public.windows.server.active_directory)
  • Re: Account Lockout threshold
    ... All are window 2000 advanced servers with Service pack 3, ... Domain Contoller Security Policy - Account lockout threshold ...
    (microsoft.public.security)