Re: IAS with PEAP and Airespace (now Cisco 1000)
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 17 Oct 2005 12:15:48 -0700
Do you happen to have another IAS server that you can test this with? If
so, just aim your RADIUS clients at a different server and see how it
works.
Also, are you using any third party authorization or authentication dlls
with IAS?
I'll ask the dev about the dll name as per your request below. I think
there is a possibility you can just register the dll on the server and you
will be fine...I'll ask him.
"Lori" <Lori@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:DCB74EC0-F491-49A8-BE6C-DF1E69EEE91E@xxxxxxxxxxxxx:
> I just double checked, and I'm told that the only updates that are
> installed have been downloaded from the Windows update site (the OS
> was installed from a disk with SP1 included). Is there a specific DLL
> or DLLs that I can check?
>
> Also, we tried a small Linksys router this morning instead of the
> Airespace, with the same error messages and same results.
>
> "James McIllece [MS]" wrote:
>
>> Hi Lori --
>>
>> One of the IAS developers forwarded this comment and question to me
>> about the problems you are experiencing:
>>
>> The rastls log entry "Unauthorized use of PEAP attempted" means that
>> the calling DLL is not signed. Has the customer applied updates from
>> a non-MS source?
>>
>>
>>
>>
>> "Lori" <Lori@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> news:FBD3DFA4-D4D3-44C1-936E-C8011D50B67C@xxxxxxxxxxxxx:
>>
>> > For what it's worth, we also tried using EAP-TLS (I changed the
>> > IAS, created a wireless user template on the CA, added computer and
>> > user certificates to the client and changed the authentication to
>> > smart card or other certificate). Unfortunately, it doesn't work
>> > either. The event viewer messages remain exactly the same, the
>> > IASSAM.log is exactly the same with the exception that the Allowed
>> > EAP type is 13 instead of 25, and the RASTLS log shows the
>> > following:
>> >
>> > [5704] 15:39:55:563: EapTlsBegin(DOMAIN\LoriTest)
>> > [5704] 15:39:55:563: SetupMachineChangeNotification
>> > [5704] 15:39:55:563: Verifying caller...
>> > [5704] 15:39:56:375: Unauthorized use of TLS attempted
>> >
>> >
>> >
>> > "James McIllece [MS]" wrote:
>> >
>> >> "Lori" <Lori@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
>> >> news:20D63876-9698-4252-85D4-48436B03C422@xxxxxxxxxxxxx:
>> >>
>> >> > I have configured WPA RADIUS authentication with an Airespace AP
>> >> > (now called a Cisco 1000) using IAS on our 2003 server (which is
>> >> > also running the CA). I used the MS Win2003 step-by-step guide
>> >> > for setting up secure wireless access in a test lab
>> >> > (http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&displaylang=en).
>> >> > When I try to
>> >> > connect from any client (our clients are all XP SP2), I receive
>> >> > the following message in the System Log:
>> >> >
>> >> > Source IAS
>> >> > Event ID: 3
>> >> > Access request for user DOMAIN\LoriTest was discarded.
>> >> > Fully-Qualified-User-Name = domain.edu/Staff/Admin &
>> >> > Finance/OCST/Users/Lori Test
>> >> > NAS-IP-Address = 10.15.7.252
>> >> > NAS-Identifier = LowndesAS1
>> >> > Called-Station-Identifier = 00:0B:85:03:18:21:labwireless
>> >> > Calling-Station-Identifier = 00:0E:35:E7:25:A1
>> >> > Client-Friendly-Name = LabAS1
>> >> > Client-IP-Address = 10.15.7.252
>> >> > NAS-Port-Type = Wireless - IEEE 802.11
>> >> > NAS-Port = 25
>> >> > Proxy-Policy-Name = Use Windows authentication for all users
>> >> > Authentication-Provider = Windows
>> >> > Authentication-Server = <undetermined>
>> >> > Reason-Code = 1
>> >> > Reason = An internal error occurred. Check the system event log
>> >> > for additional information.
>> >> >
>> >> > There are no other entries in the System log (other than repeats
>> >> > of this one).
>> >> >
>> >> > The IASSAM.log shows the following:
>> >> >
>> >> > [4804] 10-13 10:33:45:421: Creating EAP session
>> >> > [4804] 10-13 10:33:45:421: NT-SAM Names handler received request with user identity DOMAIN\LoriTest.
>> >> > [4804] 10-13 10:33:45:421: Username is already an NT4 account name.
>> >> > [4804] 10-13 10:33:45:421: SAM-Account-Name is "DOMAIN\LoriTest".
>> >> > [4804] 10-13 10:33:45:421: NT-SAM Authentication handler received request for DOMAIN\LoriTest.
>> >> > [4804] 10-13 10:33:45:421: Validating Windows account DOMAIN\LoriTest.
>> >> > [4804] 10-13 10:33:45:421: Sending LDAP search to fsuad2.domain.edu.
>> >> > [4804] 10-13 10:33:45:421: Successfully validated windows account.
>> >> > [4804] 10-13 10:33:45:421: NT-SAM User Authorization handler received request for DOMAIN\LoriTest.
>> >> > [4804] 10-13 10:33:45:421: Using native-mode dial-in parameters.
>> >> > [4804] 10-13 10:33:45:421: Sending LDAP search to fsuad2.domain.edu.
>> >> > [4804] 10-13 10:33:45:421: Successfully retrieved per-user attributes.
>> >> > [4804] 10-13 10:33:45:421: Allowed EAP type: 25
>> >> > [4804] 10-13 10:33:45:421: Setting max. packet length to 1296.
>> >> > [4804] 10-13 10:33:45:499: RasEapBegin failed: Access is denied.
>> >> > [4804] 10-13 10:33:45:499: Caught COM exception: Access is denied.
>> >> >
>> >> > And the RASTLS.log shows:
>> >> >
>> >> > [4804] 10:33:45:421: EapPeapBegin
>> >> > [4804] 10:33:45:421: Verifying caller...
>> >> > [4804] 10:33:45:499: Unauthorized use of PEAP attempted
>> >> > [4804] 10:33:45:499: EapPeapBegin done
>> >> >
>> >> > It works if we use WebAuth or WPA-PSK, so the AP is functioning
>> >> > properly. All Cisco can determine from their logs is that the
>> >> > request to the RADIUS server is timing out.
>> >> >
>> >> > I've gone over our configuration many times, and although
>> >> > there's got to be something we're missing, I am completely
>> >> > baffled as to why this isn't working. Any help in deciphering
>> >> > these errors would be great.
>> >> >
>> >> > Thanks,
>> >> > Lori
>> >>
>> >> It sounds like your client computers are either not configured to
>> >> use PEAP or they do not trust the CA that issued the server
>> >> certificate to the IAS server (you *do* have a server cert
>> >> configured in remote access policy, right?).
>> >>
>> >> Other issues to check are that the AP is configured to allow EAP,
>> >> and that the shared secret on the IAS server and the AP are
>> >> identical.
>> >>
>> >> --
>> >> James McIllece, Microsoft
>> >>
>> >> Please do not send email directly to this alias. This is my
>> >> online account name for newsgroup participation only.
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers
>> >> no rights.
>> >>
>>
>>
>>
>> --
>> James McIllece, Microsoft
>>
>> Please do not send email directly to this alias. This is my online
>> account name for newsgroup participation only.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
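As an added illustration (not code from the thread, from Microsoft or from Cisco), a small Python parser for the IASSAM.log and RASTLS.log line formats quoted above: it correlates the two logs by thread id, picks out the negotiated EAP type and the "RasEapBegin failed" / "Unauthorized use of ... attempted" pair, so a defender can tell a rejected EAP caller apart from the AP, shared-secret or client-trust problems suggested earlier in the thread. The sample log lines are constructed from the excerpts quoted in the thread.

```python
import re

# Constructed sample lines, modelled on the IASSAM.log / RASTLS.log excerpts in the thread.
IASSAM_SAMPLE = """\
[4804] 10-13 10:33:45:421: Creating EAP session
[4804] 10-13 10:33:45:421: Allowed EAP type: 25
[4804] 10-13 10:33:45:421: Setting max. packet length to 1296.
[4804] 10-13 10:33:45:499: RasEapBegin failed: Access is denied.
[4804] 10-13 10:33:45:499: Caught COM exception: Access is denied.
"""
RASTLS_SAMPLE = """\
[4804] 10:33:45:421: EapPeapBegin
[4804] 10:33:45:421: Verifying caller...
[4804] 10:33:45:499: Unauthorized use of PEAP attempted
[4804] 10:33:45:499: EapPeapBegin done
"""

# IANA EAP method type numbers that appear in the thread (13 = EAP-TLS, 25 = PEAP).
EAP_TYPES = {13: "EAP-TLS", 25: "PEAP"}

# "[tid] MM-DD HH:MM:SS:mmm: msg" (IASSAM) or "[tid] HH:MM:SS:mmm: msg" (RASTLS).
LINE_RE = re.compile(
    r"^\[(?P<tid>\d+)\]\s+(?:\d{2}-\d{2}\s+)?"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3}):\s+(?P<msg>.*)$")


def parse(text):
    """Yield (thread_id, timestamp, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("tid"), m.group("time"), m.group("msg")


def diagnose(iassam_text, rastls_text):
    """Correlate both logs by thread id and classify the EAP failure seen in the thread."""
    result = {"eap_type": None, "method": None, "begin_denied": False,
              "caller_rejected": False, "finding": "no EAP caller-rejection signature"}
    denied_tids = set()
    for tid, _, msg in parse(iassam_text):
        m = re.match(r"Allowed EAP type:\s*(\d+)", msg)
        if m:
            result["eap_type"] = int(m.group(1))
            result["method"] = EAP_TYPES.get(result["eap_type"], "unknown")
        if msg.startswith("RasEapBegin failed: Access is denied"):
            result["begin_denied"] = True
            denied_tids.add(tid)
    for tid, _, msg in parse(rastls_text):
        if tid in denied_tids and msg.startswith("Unauthorized use of"):
            result["caller_rejected"] = True
    if result["begin_denied"] and result["caller_rejected"]:
        # rastls.dll refused its caller before any credential exchange: per the
        # thread, an unsigned calling DLL; not a shared-secret, AP or client-trust issue.
        result["finding"] = "EAP caller rejected by rastls.dll; audit IAS/EAP DLL signatures"
    return result
```
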