Re: Sporadic IAS Authentication problems



sherlockj@xxxxxxxxx wrote in
news:1160576927.310021.53250@xxxxxxxxxxxxxxxxxxxxxxxxxxx:

I'm having a problem with authentication and I can't figure it out.

I have Cisco Aironet 1100s for my APs and I have them authenticate
against a Windows 2003 Server as a RADIUS server. To do that, I'm using
IAS 2003 to authenticate against an internal certificate. Using WPA / TKIP
as well as PEAP authentication modes. Client workstations are, for the
most part, IBM Thinkpad T series laptops.

Anyway, when a user connects to my wireless network, it authenticates
their Windows user and computer account and grants them access to my
network as designed. However, sporadically, it drops their connection
while it appears to 'reauthenticate' them, for no reason that I can
discern.

I've looked in the event viewer on the IAS server (which is also a
domain controller) and I see these messages below (the first two are
messages I've seen when the user is 'dropped' from my network; the
latter is a typical 'success' message).


FAIL:

Access request for user DOMAIN1\doej was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Called-Station-Identifier = 0017.5aa1.f1f0
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33971
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the
session timed out.

User host/doej.domain1.com was denied access.
Fully-Qualified-User-Name = domain1.com/Computers/doej
NAS-IP-Address = 192.168.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 192.168.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 30524
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission
for the user account was denied. To allow remote access, enable remote
access permission for the user account, or, if the user account
specifies that access is controlled through the matching remote access
policy, enable remote access permission for that remote access policy.



SUCCESS:

User DOMAIN1\doej was granted access.
Fully-Qualified-User-Name = domain1.com/Users/John Doe
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
Calling-Station-Identifier = 0013.ce45.3f7d
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33984
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to the Intranet
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)



Any ideas?!?

Thanks

Josh



In regard to the first error, this sounds like an AP configuration issue.
Make sure the shared secrets are the same on the AP and in IAS and check
other configuration settings. I asked the product team and they said they
felt this was probably the case. Is IAS installed on a DC? For WS03 this is
a recommended configuration, so I am curious if that is how you have your
configuration. (If you don't, it probably isn't a problem unless the IAS
server is having problems communicating with the DC.)

For the second error -- do you have more than one DC? It looks like user
account dial-in properties are not configured to allow access or to control
access through remote access policy. For the users who are losing
connections and have this problem, check the dial-in properties on the user
account in AD Users and Computers and make sure Remote Access Permission is
configured to Allow access or Control Access Through Remote Access Policy.

HTH

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
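As an added example (not from the thread or from Microsoft), a small Python triage script that parses IAS event blocks like the ones quoted above and groups them per client MAC, so a client bouncing between APs with Reason-Code 96 and 65 shows up as one timeline, each entry tagged with the check suggested in the reply. The names REASON_HINTS, parse_events and triage are my own, and the sample log is constructed from the values in the thread.

```python
import re
from collections import defaultdict

# Map the two failure codes discussed in the thread to what to check.
REASON_HINTS = {
    96: "session timed out: verify RADIUS shared secret and AP config",
    65: "remote access permission denied: check account dial-in properties",
}

# Constructed sample (values from the thread): two failures and one success
# for the same client MAC, each block as IAS writes it to the System log.
SAMPLE_LOG = """\
Access request for user DOMAIN1\\doej was discarded.
NAS-Identifier = CHIWAP007
Calling-Station-Identifier = 0013.ce45.3f7d
Reason-Code = 96

User host/doej.domain1.com was denied access.
NAS-Identifier = CHIWAP005
Calling-Station-Identifier = 0013.ce45.3f7d
Reason-Code = 65

User DOMAIN1\\doej was granted access.
NAS-Identifier = CHIWAP007
Calling-Station-Identifier = 0013.ce45.3f7d
EAP-Type = Secured password (EAP-MSCHAP v2)
"""

ATTR = re.compile(r"^([\w-]+) = (.*)$")

def parse_events(text):
    """One dict per blank-line-separated event; first line kept as 'summary'."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        ev = {"summary": lines[0]}
        for line in lines[1:]:
            m = ATTR.match(line)
            if m:  # wrapped continuation lines (no ' = ') are skipped
                ev[m.group(1)] = m.group(2)
        events.append(ev)
    return events

def triage(text):
    """Group events by client MAC as [(NAS-Identifier, verdict), ...]."""
    by_client = defaultdict(list)
    for ev in parse_events(text):
        mac = ev.get("Calling-Station-Identifier", "<unknown>")
        code = int(ev["Reason-Code"]) if "Reason-Code" in ev else None
        verdict = "granted" if code is None else REASON_HINTS.get(code, f"reason {code}")
        by_client[mac].append((ev.get("NAS-Identifier", "?"), verdict))
    return dict(by_client)
```

Feed it the text copied from the IAS server's System log; a single MAC alternating between discarded (96) and denied (65) across two NAS-Identifiers is the pattern Josh describes.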