IAS and EAP-TLS - Event log message (client cannot authenticate)
From: Tom Ranson (tr_at_imap.cc)
Date: 01/27/05
Date: Thu, 27 Jan 2005 06:00:46 -0800
I have a Win2k3 Std Edition server configured as a single
DC, running own CA (with own server identification root
certificate installed), IAS, DHCP and DNS to support a sub
50 user wireless network using EAP-TLS certificates
(client and server). At this time the system is still in
testing using only 1 AP (Dlink AP2000) configured for
RADIUS- shared secrets match between IAS and AP. The
system has worked perfectly using PEAP with MS-CHAP-v2,
but now we need to implement EAP-TLS.
Event Viewer logs the following IAS warning messages when
a Windows XP SP2 client (with root and personal
certificates installed- generated by own CA- certificate
is definitely in date) tries to authenticate:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 27/01/2005
Time: 13:26:59
User: N/A
Computer: WIRELESS
Description:
User xxxxxx@xxxxxx was denied access.
Fully-Qualified-User-Name =
xxxxxx/Wireless/Administrators/xxxxxxx
NAS-IP-Address = 192.168.0.10
NAS-Identifier = ICT Services
Called-Station-Identifier = 00-0d-88-87-a7-f5
Calling-Station-Identifier = 00-d0-59-bd-7b-e1
Client-Friendly-Name = ICT Services office
Client-IP-Address = 192.168.0.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all
users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Certificates
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 262
Reason = The supplied message is incomplete. The
signature was not verified.
The XP (with SP2) client is configured as follows:
Association
-------------
Authentication: Open
Encryption: WEP
Key provided automatically.
Authentication
----------------
Enable 802.1x authentication
EAP type: Smart card or other certificate
Both authenticate as guest or computer options are
disabled.
Smart card or other Certificate Properties
------------------------------------------------
When connecting: Use a certificate on this computer + use
simple certificate selection.
Validate server certificate is enabled.
Trusted Root Certification Authorities: only our own
internal root certificate is selected, and is definitely
valid.
An interesting point is that I can get the client to
authenticate initially, but as soon as the client has been
rebooted once it refuses to connect and gives the above
error log in the IAS events.
Please help!
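
For triaging events like the one in this post, an added example (not part of the original message) that parses the IAS Event ID 2 description text, rejoins values folded across lines as they appear above, and counts denials per client MAC, EAP type and reason code. The function names are hypothetical and the embedded sample is constructed from the event quoted in the post.

```python
import re
from collections import Counter

# Constructed sample: a subset of the Event ID 2 description quoted in the
# post, keeping the same line folding (long values continue on the next line).
SAMPLE_EVENT = """\
User xxxxxx@xxxxxx was denied access.
Fully-Qualified-User-Name =
xxxxxx/Wireless/Administrators/xxxxxxx
NAS-IP-Address = 192.168.0.10
Calling-Station-Identifier = 00-d0-59-bd-7b-e1
Proxy-Policy-Name = Use Windows authentication for all
users
Policy-Name = Certificates
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 262
Reason = The supplied message is incomplete. The
signature was not verified.
"""

# Attribute names in the event are letters and hyphens followed by "=".
ATTR = re.compile(r"^([A-Za-z][A-Za-z-]*)\s*=\s*(.*)$")

def parse_ias_denial(description):
    """Return the event's attributes as a dict, unfolding wrapped values."""
    fields, last = {}, None
    for line in description.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ATTR.match(line)
        if m:                      # start of a new "Name = value" attribute
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last is None:         # text before the first attribute
            fields["Summary"] = (fields.get("Summary", "") + " " + line).strip()
        else:                      # continuation of the previous value
            fields[last] = (fields[last] + " " + line).strip()
    return fields

def denials_by_station(descriptions):
    """Count denials per (client MAC, EAP type, reason code)."""
    counts = Counter()
    for d in descriptions:
        f = parse_ias_denial(d)
        counts[(f.get("Calling-Station-Identifier"),
                f.get("EAP-Type"), f.get("Reason-Code"))] += 1
    return counts
```

A continuation line that itself starts with `word = ...` would be read as a new attribute; the event quoted above contains no such line.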