Re: Re-Authentication Woes

From: Mark Gamache (mark.gamache_at_css-security.com)
Date: 01/27/05


Date: Thu, 27 Jan 2005 15:40:32 -0800

Are there any other policies in your remote access policy list? You are
likely going to need to use the netsh command to turn on ras aaaa logging to
see what exactly is happening. It appears that the IAS server isn't seeing
your EAP type. Are you using PEAP or TLS?

Assuming that it is acceptable to add all your computers to the group, just
add the group Domain Computers. It contains all domain machines except
Domain Controllers. The other option is to add the computers themselves.
In the dialog that lets you add members, you have to select the Object Types
button before trying to add computers. It will allow you to select computer
accounts as they are not searched by default.

-- 
Mark Gamache
Certified Security Solutions
"Tmccabe" <Tmccabe@discussions.microsoft.com> wrote in message 
news:57C17A2E-89B4-4072-9E17-0302B5DFB7EC@microsoft.com...
> Hi Mark - Thanks for responding.
> The Wifi policy inside IAS included the user group "wireless" and the NAS
> type IEEE 802.11 and "Wireless-other".
>
> As for the machines being part of the "wireless user group" - I have never
> heard of that - how does one add a computer to a user group?
>
> "Mark Gamache" wrote:
>
>> The long logon with wireless is probably due to not having machine certs,
>> or not having the machine accounts part of the wireless user group. When
>> the machine comes up and no one is logged in, it attempts to authenticate
>> in the context of the machine account. If the machine account is denied
>> access, it can take a while trying to find a connection, causing delays in
>> boot.
>>
>> As for the re-auth errors, I'd take a close look at your remote access
>> policy. Does the IAS server you are using have an RA policy of just
>> wireless, or does it support other NAS types?
>>
>> -- 
>> Mark Gamache
>> Certified Security Solutions
>>
>>
>> "Tmccabe" <Tmccabe@discussions.microsoft.com> wrote in message
>> news:78444D73-5D4D-49EE-9F8D-DFADD925BC5E@microsoft.com...
>> > We have several Cisco 1100 WAPs in our branch offices and we use a
>> > centrally located 2003 Standard Server in one city running IAS and Cert
>> > services for PEAP authentication for wireless access.
>> >
>> > The WAPs are pointed to the IAS and Cert server and seem to be working
>> > somewhat OK. It takes a long time to logon to the network via wireless
>> > (I'm running SP2) and I also get this re-authentication thing going on
>> > with no apparent pattern.
>> >
>> > The connection seems to drop and the wireless NIC info tells me that it's
>> > trying to re-authenticate. After quite some time the wireless NIC shows
>> > connectivity again and the system log on the IAS and Cert server shows the
>> > following entry several times a minute.
>> >
>> > "User domain\lshauf was denied access.
>> > Fully-Qualified-User-Name = domain\lshauf
>> > NAS-IP-Address = 10.25.1.2
>> > NAS-Identifier = NBF_AP1
>> > Called-Station-Identifier = 0012.00d6.e5b0
>> > Calling-Station-Identifier = 000e.354c.fe9c
>> > Client-Friendly-Name = NBF_AP1
>> > Client-IP-Address = 10.25.1.2
>> > NAS-Port-Type = Wireless - IEEE 802.11
>> > NAS-Port = 186579
>> > Proxy-Policy-Name = Wireless
>> > Authentication-Provider = Windows
>> > Authentication-Server = <undetermined>
>> > Policy-Name = <undetermined>
>> > Authentication-Type = EAP
>> > EAP-Type = <undetermined>
>> > Reason-Code = 48
>> > Reason = The connection attempt did not match any remote access policy."
>> >
>> > After a bunch of these entries in the system log the user gets
>> > re-authenticated. It can happen a few times a day to several times a
>> > day. It happens in all our branches.
>> >
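The IAS denial entry quoted in the original post, and Mark's reading of it, as an added example that is not part of the thread: a small Python parser that splits the event into its fields, turns the Reason-Code 48 / EAP-Type undetermined pattern into diagnostic hints, and counts repeated denials per user and access point so a burst like "several times a minute" stands out. The sample event is constructed here from the fields shown in the post; the hint texts are this example's own wording.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the system-log entry quoted in the thread, reduced to the
# fields used below (same values as the post).
SAMPLE_EVENT = """User domain\\lshauf was denied access.
Fully-Qualified-User-Name = domain\\lshauf
NAS-IP-Address = 10.25.1.2
NAS-Identifier = NBF_AP1
NAS-Port-Type = Wireless - IEEE 802.11
Proxy-Policy-Name = Wireless
Authentication-Type = EAP
EAP-Type = <undetermined>
Policy-Name = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy."""


def parse_ias_event(text: str) -> Dict[str, str]:
    """Split an IAS 'User ... was denied/granted access' event into 'Key = Value' fields."""
    lines = text.strip().splitlines()
    fields: Dict[str, str] = {}
    head = re.match(r"User (\S+) was (denied|granted) access\.", lines[0])
    if head:
        fields["User"], fields["Outcome"] = head.group(1), head.group(2)
    for line in lines[1:]:
        key, sep, value = line.partition(" = ")  # first ' = ' only; values may contain ' - '
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diagnose(fields: Dict[str, str]) -> List[str]:
    """Hints for a Reason-Code 48 denial, following the diagnosis given in the thread."""
    hints: List[str] = []
    if fields.get("Reason-Code") == "48":
        hints.append("no remote access policy matched: review each policy's conditions")
    if fields.get("EAP-Type") == "<undetermined>":
        hints.append("EAP type unknown to IAS: turn on RAS AAAA logging to see what the client offers")
    if fields.get("Policy-Name") == "<undetermined>" and fields.get("Proxy-Policy-Name"):
        hints.append("proxy policy '%s' handled the request but no access policy claimed it" % fields["Proxy-Policy-Name"])
    if fields.get("NAS-Port-Type", "").startswith("Wireless"):
        hints.append("wireless NAS-Port-Type: the policy must allow 'Wireless - IEEE 802.11'")
    return hints


def repeated_denials(events: List[str], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Count denials per (user, NAS-Identifier) so repeated re-auth failures stand out."""
    counts: Counter = Counter()
    for ev in map(parse_ias_event, events):
        if ev.get("Outcome") == "denied":
            counts[(ev.get("User", "?"), ev.get("NAS-Identifier", "?"))] += 1
    return [(u, n, c) for (u, n), c in counts.items() if c >= threshold]
```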