Re: Sporadic IAS Authentication problems



Josh <Josh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:7CE0E4CE-BC21-48FA-8DCD-A3AF5C68A26D@xxxxxxxxxxxxx:

James,

I've searched around quite a bit in this forum, and figured out how to
enable tracing to help pin down the problem. I turned up tracing and
have some good data for you. (as well as my thoughts on it at the
bottom)

IAS LOG:

SUCCESS:
10.1.1.10,DOMAIN1\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,12,1400,30,000f.34fc.4070,31,0016.6f2d.097b,6,1,61,19,5,91701,4,10.1.1.10,32,CHIWAP003,4108,10.1.1.10,4116,0,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.3.47 10/11/2006 19:36:44 252644,4129,DOMAIN1\sheshadrid,4149,Wireless access to the Intranet,4132,Secured password (EAP-MSCHAP v2),4127,11,4130,mycompany.com/Chicago/Dinesh Sheshadri,4136,1,4142,0

10.1.1.10,DOMAIN1\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,25,311 1 172.16.3.47 10/11/2006 19:36:44 252644,4132,Secured password (EAP-MSCHAP v2),4127,11,8100,0,4108,10.1.1.10,4116,0,4120,0x014945444F4D41494E,4155,1,4154,Use Windows authentication for all users,4129,DOMAIN1\sheshadrid,4149,Wireless access to the Intranet,6,2,4130,mycompany.com/Chicago/Dinesh Sheshadri,4136,2,4142,0

FAIL:
10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,12,1400,30,0017.5a4f.6200,31,000c.f140.bfc4,6,1,61,19,5,48603,4,10.1.1.220,32,CHIWAP005,4108,10.1.1.220,4116,0,4128,CHIWAP005,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.3.47 10/11/2006 19:36:44 252645,4130,mycompany.com/Computers/MANTASF,4129,DOMAIN1\MANTASF$,4127,5,4149,Connections to other access servers,4136,1,4142,0

10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,25,311 1 172.16.3.47 10/11/2006 19:36:44 252645,4130,mycompany.com/Computers/MANTASF,4149,Connections to other access servers,4127,5,4129,DOMAIN1\MANTASF$,4154,Use Windows authentication for all users,4155,1,4128,CHIWAP005,4116,0,4108,10.1.1.220,4136,3,4142,66



Event viewer for failure:

User host/mantasf.mycompany.com was denied access.
Fully-Qualified-User-Name = mycompany.com/Computers/MANTASF
NAS-IP-Address = 10.1.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 000c.f140.bfc4
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 10.1.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 48604
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is
not enabled on the matching remote access policy.



IASSAM Log (failure):
[2652] 10-23 11:20:18:432: Creating EAP session
[2652] 10-23 11:20:18:432: NT-SAM Names handler received request with user identity host/mantasf.mycompany.com.
[2652] 10-23 11:20:18:432: Successfully cracked username.
[2652] 10-23 11:20:18:432: SAM-Account-Name is "DOMAIN1\MANTASF$".
[2652] 10-23 11:20:18:432: NT-SAM Authentication handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:18:432: Validating Windows account DOMAIN1\MANTASF$.
[2652] 10-23 11:20:18:432: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:18:432: Successfully validated windows account.
[2652] 10-23 11:20:18:432: NT-SAM User Authorization handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:18:432: Using native-mode dial-in parameters.
[2652] 10-23 11:20:18:432: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:18:432: Successfully retrieved per-user attributes.
[2652] 10-23 11:20:18:432: Saving the response
[5724] 10-23 11:20:20:714: Creating EAP session
[5724] 10-23 11:20:20:714: NT-SAM Names handler received request with user identity host/mantasf.mycompany.com.
[5724] 10-23 11:20:20:729: Successfully cracked username.
[5724] 10-23 11:20:20:729: SAM-Account-Name is "DOMAIN1\MANTASF$".
[5724] 10-23 11:20:20:729: NT-SAM Authentication handler received request for DOMAIN1\MANTASF$.
[5724] 10-23 11:20:20:729: Validating Windows account DOMAIN1\MANTASF$.
[5724] 10-23 11:20:20:729: Sending LDAP search to chidc007.mycompany.com.
[5724] 10-23 11:20:20:729: Successfully validated windows account.
[5724] 10-23 11:20:20:729: NT-SAM User Authorization handler received request for DOMAIN1\MANTASF$.
[5724] 10-23 11:20:20:729: Using native-mode dial-in parameters.
[5724] 10-23 11:20:20:729: Sending LDAP search to chidc007.mycompany.com.
[5724] 10-23 11:20:20:729: Successfully retrieved per-user attributes.
[5724] 10-23 11:20:20:729: Saving the response
[2652] 10-23 11:20:20:964: Creating EAP session
[2652] 10-23 11:20:20:964: NT-SAM Names handler received request with user identity host/mantasf.mycompany.com.
[2652] 10-23 11:20:20:964: Successfully cracked username.
[2652] 10-23 11:20:20:964: SAM-Account-Name is "DOMAIN1\MANTASF$".
[2652] 10-23 11:20:20:964: NT-SAM Authentication handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:20:964: Validating Windows account DOMAIN1\MANTASF$.
[2652] 10-23 11:20:20:964: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:20:964: Successfully validated windows account.
[2652] 10-23 11:20:20:964: NT-SAM User Authorization handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:20:964: Using native-mode dial-in parameters.
[2652] 10-23 11:20:20:964: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:20:964: Successfully retrieved per-user attributes.
[2652] 10-23 11:20:20:964: Saving the response

IASSAM Log (success):
[2652] 10-23 11:27:41:008: Creating EAP session
[2652] 10-23 11:27:41:008: NT-SAM Names handler received request with user identity DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Username is already an NT4 account name.
[2652] 10-23 11:27:41:008: SAM-Account-Name is "DOMAIN1\sheshadrid".
[2652] 10-23 11:27:41:008: NT-SAM Authentication handler received request for DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Validating Windows account DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:27:41:008: Successfully validated windows account.
[2652] 10-23 11:27:41:008: NT-SAM User Authorization handler received request for DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Using native-mode dial-in parameters.
[2652] 10-23 11:27:41:008: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:27:41:008: Successfully retrieved per-user attributes.
[2652] 10-23 11:27:41:008: Allowed EAP type: 25
[2652] 10-23 11:27:41:008: Setting max. packet length to 1396.
[2652] 10-23 11:27:41:008: Processing output from EAP DLL.
[2652] 10-23 11:27:41:008: EAPACTION_Send
etc

The successful authentication also populates the RASTLS logfile.
However, the failure attempt here did not populate that log file, as
it appears it does not reach that point of the authentication process.

For whatever reason, that failed authentication didn't recognize the
packet as coming from a domain logged in user, correct? The packets
appear to be coming from: host/mantasf.mycompany.com instead of
DOMAIN1\mantasf. That client laptop was able to authenticate and use
the wireless network just fine before and after this error message.
The 're-authentication' process that was triggered somehow didn't
recognize the request as coming from a windows machine/logged on user?
What would change that state?

Further, in the IASSAM log, it seems to get in a loop where it keeps
trying to start the EAP validation, but it stops before getting to
that line: Allowed EAP type: 25, which you can see in the successful
authentication below that.

My guess there is that because the request is coming in as someone
'not' on my domain (even though they really are), IAS is using a
different remote access policy (Connections to other access servers)
and the process breaks down.


Does that make sense and/or help?
Josh


"Josh" wrote:

James,

Thanks for investigating. I'm going to try and be as detailed as
possible and give you more info to help.

Here it is:
* All the APs have the same configuration, so I'm not sure that it's a
  config issue.
* Wireless clients are able to connect just fine for 1-2 days at a
  time, and suddenly, for no reason I can tell, they are dropped with
  one of those error messages in the log and unable to reconnect.
* To get them to reconnect, sometimes all they need to do is manually
  drop their connection to my network and then double click on it and
  reconnect.
* Sometimes however, a physical reboot of the client laptop is
  required, with the user 'plugged in' to the network, rather than
  using wireless. Then I re-enable wireless and they can connect again
  for a while. This seems to occur more on my users that 'travel'
  outside the office more often.
* IAS is installed on a DC and it is on W2k3 Server (with SP1). The
  clients are all XP with SP2.
* I do have multiple DCs and I have the APs pointed at one DC for
  radius, with another DC listed as a backup radius server. (note: not
  a radius pool, but rather a backup in the event of the radius server
  being unreachable)
* The remote access policy in IAS is set to grant access to the group
  'Domain Users' (for my domain)
* The Dial-in Tab for all users in AD is set to 'control access
  through remote access policy'
* The policy and client laptops won't change, yet a client will be
  able to connect fine for say a week, then suddenly start getting an
  error like this. So I'm guessing it's not an access issue or a
  policy issue, but rather a configuration or performance issue?

I just saw your followup post regarding bugfix/sp1 and I'll reply to
that in a second as well.

Thanks again

Josh

"James McIllece [MS]" wrote:

sherlockj@xxxxxxxxx wrote in
news:1160576927.310021.53250@xxxxxxxxxxxxxxxxxxxxxxxxxxx:

I'm having a problem with authentication and I can't figure it
out.

I have Cisco Aironet 1100s for my APs and I have them
authenticate against a Windows 2003 Server as a radius server. To
do that, I'm using IAS 2003 to authenticate against an internal
certificate. Using WPA / TKIP as well as PEAP authentication
modes. Client workstations are, for the most part, IBM Thinkpad T
series laptops.

Anyway, when a user connects to my wireless network, it
authenticates their windows user and computer account and grants
them access to my network as designed. However, sporadically, it
drops their connection while it appears to 'reauthenticate' them,
for no reason that I can discern.

I've looked in the event viewer on the IAS server (which is also
a domain controller) and I see these messages below (the first
two are messages I've seen when the user is 'dropped' from my
network, the latter is a typical 'success' message).


FAIL:

Access request for user DOMAIN1\doej was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Called-Station-Identifier = 0017.5aa1.f1f0
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33971
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the
session timed out.

User host/doej.domain1.com was denied access.
Fully-Qualified-User-Name = domain1.com/Computers/doej
NAS-IP-Address = 192.168.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 192.168.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 30524
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access
permission for the user account was denied. To allow remote
access, enable remote access permission for the user account, or,
if the user account specifies that access is controlled through
the matching remote access policy, enable remote access
permission for that remote access policy.



SUCCESS:

User DOMAIN1\doej was granted access.
Fully-Qualified-User-Name = domain1.com/Users/John Doe
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
Calling-Station-Identifier = 0013.ce45.3f7d
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33984
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to the Intranet
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)



Any ideas?!?

Thanks

Josh



In regard to the first error, this sounds like an AP configuration
issue. Make sure the shared secrets are the same on the AP and in
IAS and check other configuration settings. I asked the product
team and they said they felt this was probably the case. Is IAS
installed on a DC? For WS03 this is a recommended configuration so
I am curious if that is how you have your configuration. (If you
don't it probably isn't a problem unless the IAS server is having
problems communicating with the DC.)

For the second error -- do you have more than one DC? It looks like
user account dial-in properties are not configured to allow access
or to control access through remote access policy. For the users
who are losing connections and have this problem, check the dial-in
properties on the user account in AD Users and Computers and make
sure Remote Access Permission is configured to Allow access or
Control Access Through Remote Access Policy.

HTH

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.


Thanks for this additional information. I have forwarded to the product
team and hopefully they will have additional suggestions for you to resolve
this issue. I'll get back when I hear something from them...

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
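Working through the IAS-format records Josh posted, as an added example that is not code from the thread, from Microsoft, or from IAS itself: the parser below splits each record into its six fixed fields (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) and the attribute-id/value pairs that follow, pairs each Access-Request with its Access-Accept or Access-Reject by the Class attribute that IAS echoes into both records (the trailing serial, 252644 versus 252645, separates the two attempts), and reports which remote access policy each attempt matched. It surfaces the point buried in the log: the user attempt matched "Wireless access to the Intranet" and was accepted, while the machine attempt (identity host/mantasf.mycompany.com, SAM name DOMAIN1\MANTASF$) matched "Connections to other access servers" and was rejected with Reason-Code 66. The attribute names cover only the ids that appear on this page; the Authentication-Type mapping (5 = EAP, 11 = PEAP) and the reason-code texts are taken from the Event Viewer entries in the thread; the record text is the posted log with the e-mail line wraps removed; the function names are my own.

```python
"""Triage Windows IAS-format RADIUS log records: parse each record, pair the
Access-Request with its response, and report the matched remote access policy."""
from collections import defaultdict

# The four IAS-format records posted in the thread, line wraps removed.
SAMPLE_LOG = r"""
10.1.1.10,DOMAIN1\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,12,1400,30,000f.34fc.4070,31,0016.6f2d.097b,6,1,61,19,5,91701,4,10.1.1.10,32,CHIWAP003,4108,10.1.1.10,4116,0,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.3.47 10/11/2006 19:36:44 252644,4129,DOMAIN1\sheshadrid,4149,Wireless access to the Intranet,4132,Secured password (EAP-MSCHAP v2),4127,11,4130,mycompany.com/Chicago/Dinesh Sheshadri,4136,1,4142,0
10.1.1.10,DOMAIN1\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,25,311 1 172.16.3.47 10/11/2006 19:36:44 252644,4132,Secured password (EAP-MSCHAP v2),4127,11,8100,0,4108,10.1.1.10,4116,0,4120,0x014945444F4D41494E,4155,1,4154,Use Windows authentication for all users,4129,DOMAIN1\sheshadrid,4149,Wireless access to the Intranet,6,2,4130,mycompany.com/Chicago/Dinesh Sheshadri,4136,2,4142,0
10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,12,1400,30,0017.5a4f.6200,31,000c.f140.bfc4,6,1,61,19,5,48603,4,10.1.1.220,32,CHIWAP005,4108,10.1.1.220,4116,0,4128,CHIWAP005,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.3.47 10/11/2006 19:36:44 252645,4130,mycompany.com/Computers/MANTASF,4129,DOMAIN1\MANTASF$,4127,5,4149,Connections to other access servers,4136,1,4142,0
10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,25,311 1 172.16.3.47 10/11/2006 19:36:44 252645,4130,mycompany.com/Computers/MANTASF,4149,Connections to other access servers,4127,5,4129,DOMAIN1\MANTASF$,4154,Use Windows authentication for all users,4155,1,4128,CHIWAP005,4116,0,4108,10.1.1.220,4136,3,4142,66
"""

# An IAS-format record opens with six fixed fields, then attribute-id,value pairs.
FIXED_FIELDS = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
                "Service-Name", "Computer-Name")

# Names for the attribute ids that occur in the posted records.
ATTR_NAMES = {
    4: "NAS-IP-Address", 5: "NAS-Port", 6: "Service-Type", 12: "Framed-MTU",
    25: "Class", 30: "Called-Station-Id", 31: "Calling-Station-Id",
    32: "NAS-Identifier", 61: "NAS-Port-Type", 4108: "Client-IP-Address",
    4116: "Client-Vendor", 4127: "Authentication-Type",
    4128: "Client-Friendly-Name", 4129: "SAM-Account-Name",
    4130: "Fully-Qualified-User-Name", 4132: "EAP-Friendly-Name",
    4136: "Packet-Type", 4142: "Reason-Code", 4149: "Policy-Name",
    4154: "Proxy-Policy-Name", 4155: "Authentication-Provider",
}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request"}
# Authentication-Type values as they line up with the thread's Event Viewer
# entries: the accepted attempt logs 11 and "PEAP", the rejected one 5 and "EAP".
AUTH_TYPES = {5: "EAP", 11: "PEAP"}
# Reason codes and texts quoted in the thread's Event Viewer entries.
REASON_CODES = {
    0: "Success",
    65: "Remote access permission for the user account was denied",
    66: "Authentication method not enabled on the matching remote access policy",
    96: "Request not processed because the session timed out",
}


def parse_record(line):
    """Split one record into a dict keyed by field/attribute name.
    The posted values contain no commas, so a plain split suffices."""
    fields = line.strip().split(",")
    if len(fields) < len(FIXED_FIELDS) or (len(fields) - len(FIXED_FIELDS)) % 2:
        raise ValueError("malformed IAS record: %r" % line[:60])
    rec = dict(zip(FIXED_FIELDS, fields))
    pairs = fields[len(FIXED_FIELDS):]
    for attr_id, value in zip(pairs[::2], pairs[1::2]):
        rec[ATTR_NAMES.get(int(attr_id), "Attr-" + attr_id)] = value
    return rec


def is_machine_identity(rec):
    """Computer authentication presents host/<fqdn> and maps to a SAM name ending in $."""
    return rec["User-Name"].startswith("host/") or rec.get("SAM-Account-Name", "").endswith("$")


def correlate(log_text):
    """Group records by the Class attribute, which IAS writes into both the
    request and the response record with a per-request serial at the end,
    and produce one summary per authentication attempt."""
    by_class = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_class[rec.get("Class")].append(rec)
    summaries = []
    for key, recs in by_class.items():
        merged = {}
        for rec in recs:
            merged.update(rec)  # response record supplies the final Packet-Type/Reason-Code
        responses = [r for r in recs if r.get("Packet-Type") in ("2", "3")]
        outcome = responses[-1] if responses else None
        reason = int(outcome["Reason-Code"]) if outcome else None
        summaries.append({
            "class": key,
            "identity": merged["User-Name"],
            "sam_account": merged.get("SAM-Account-Name"),
            "machine_auth": is_machine_identity(merged),
            "policy": merged.get("Policy-Name"),
            "auth_type": AUTH_TYPES.get(int(merged.get("Authentication-Type", -1)), "unknown"),
            "outcome": PACKET_TYPES[int(outcome["Packet-Type"])] if outcome else "no response logged",
            "reason_code": reason,
            "reason": REASON_CODES.get(reason, "see IAS reason-code table"),
        })
    return summaries


def rejects_outside_policy(summaries, expected_policy):
    """Rejects that matched some policy other than the one wireless clients
    are expected to hit: the fall-through pattern visible in the thread."""
    return [s for s in summaries
            if s["outcome"] == "Access-Reject" and s["policy"] != expected_policy]


if __name__ == "__main__":
    results = correlate(SAMPLE_LOG)
    for s in results:
        kind = "machine" if s["machine_auth"] else "user"
        print("%-34s %-7s %-36s %s (%s)" % (s["identity"], kind, s["policy"], s["outcome"], s["reason"]))
    for s in rejects_outside_policy(results, "Wireless access to the Intranet"):
        print("CHECK: %s was evaluated against %r, not the wireless policy" % (s["sam_account"], s["policy"]))
```

The check at the end is the one a practitioner wants when a machine identity is rejected while the same laptop's user identity is accepted: IAS evaluates remote access policies in order and stops at the first whose conditions match, and a policy whose Windows-Groups condition names only Domain Users will not match a computer account such as DOMAIN1\MANTASF$ (computer accounts belong to Domain Computers), so the request is evaluated against the next policy in the list and inherits that policy's profile, including which EAP types it permits.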