IAS/RADIUS question



Hello all,

In our organization we have two separate *forests*,
whose root domains are: one.foo.com and two.foo.com.

one.foo.com runs on a pair of identical WS2003
Enterprise SP1 systems, while two.foo.com runs
on a single WS2003 Enterprise R2 system.

Our goal is to enable user authentication for both
domains through an IAS/RADIUS server installed
on two.foo.com.

We have established a 1-way trust on each side as follows:
[one.foo.com]
* 1-way incoming external trust with two.foo.com
[two.foo.com]
* 1-way outgoing external trust with one.foo.com
Authentication scope is set to 'Domain-wide
authentication' on two.foo.com, for testing purposes.

The problem we are experiencing can be described as follows:

When a user of one.foo.com attempts to authenticate
(e.g. via Wi-Fi) through two.foo.com, we get the
following error events in the log:

------------------
EventID 5052
Source IAS
Desc
There is no domain controller available for domain ONE.
------------------
EventID 3
Source IAS
Desc
Access request for user ONE\someuser was discarded.
....
Reason-Code=5
Reason=The user account domain cannot be accessed
------------------

The error described above only occurs when users
of domain two.foo.com try to authenticate; users
in one.foo.com authenticate successfully through
the IAS server.

Digging into docs, we found that there are two
different potential solutions, based on different
design paradigms, as stated in
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

a) The trust type should be two-way, yet this *seems* to be
the case where the two domains belong to the same forest

b) Both domains should be equipped with a pair of
IAS servers each and a RADIUS proxy should be
used to route the authentication requests to
the appropriate one.

We have not tried any of the above solutions yet,
since we prefer to make sure that we are thinking
in the correct way.
Any help would be greatly appreciated.

Thanks in advance,

Manos
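Added example (not part of Manos's post): a batch script, meant to be run on the IAS server in two.foo.com, that checks the pieces event 5052 depends on before either redesign is attempted. It lists the trusts this domain knows about, asks the DC locator for a DC of ONE by the NetBIOS name IAS uses and by the DNS name, and verifies the outgoing trust's secure channel. The domain names are the ones from the post; netdom is taken from the WS2003 Support Tools, and treating a non-zero exit code from nltest as a failure is an assumption.

```batch
@echo off
rem Added example, not from the original post. Run as a domain admin on the
rem IAS server that belongs to two.foo.com (the trusting domain).
setlocal
set TRUSTED=ONE
set TRUSTED_FQDN=one.foo.com
set TRUSTING=two.foo.com

echo === Trusts known to %TRUSTING% (ONE should appear as a trusted domain) ===
nltest /trusted_domains
rem Assumption: nltest returns a non-zero exit code when the call fails.
if errorlevel 1 (
    echo FAIL: could not enumerate trusts from this machine
    goto :end
)

echo === DC locator for %TRUSTED% (NetBIOS name, as used in ONE\someuser) ===
nltest /dsgetdc:%TRUSTED%
if errorlevel 1 (
    echo FAIL: no DC found for %TRUSTED% - this is what event 5052 reports;
    echo check NetBIOS name resolution (WINS/LMHOSTS) between the two forests
    goto :end
)

echo === DC locator for %TRUSTED_FQDN% (DNS name) ===
nltest /dsgetdc:%TRUSTED_FQDN%
if errorlevel 1 (
    echo FAIL: no DC found by DNS name - check DNS forwarding to %TRUSTED_FQDN%
    goto :end
)

echo === Verify the outgoing trust %TRUSTING% -^> %TRUSTED_FQDN% (netdom, Support Tools) ===
netdom trust %TRUSTING% /domain:%TRUSTED_FQDN% /verify
if errorlevel 1 (
    echo FAIL: trust secure channel did not verify - reset it before changing the design
    goto :end
)

echo All checks passed: the trust direction is usable from %TRUSTING%.

:end
endlocal
```

If the first locator call fails while the DNS-name call succeeds, the trust direction is fine and the problem is NetBIOS resolution of the short name ONE rather than the trust design itself.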