Re: Sporadic IAS Authentication problems



James,

I've searched around quite a bit in this forum and figured out how to
enable tracing to help pin down the problem. I turned up tracing and have
some good data for you (as well as my thoughts on it at the bottom).

IAS LOG:

SUCCESS:
10.1.1.10,DOMAIN1\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,12,1400,30,000f.34fc.4070,31,0016.6f2d.097b,6,1,61,19,5,91701,4,10.1.1.10,32,CHIWAP003,4108,10.1.1.10,4116,0,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.3.47 10/11/2006 19:36:44 252644,4129,DOMAIN1\sheshadrid,4149,Wireless access to the Intranet,4132,Secured password (EAP-MSCHAP v2),4127,11,4130,mycompany.com/Chicago/Dinesh Sheshadri,4136,1,4142,0

10.1.1.10,DOMAIN1\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,25,311 1 172.16.3.47 10/11/2006 19:36:44 252644,4132,Secured password (EAP-MSCHAP v2),4127,11,8100,0,4108,10.1.1.10,4116,0,4120,0x014945444F4D41494E,4155,1,4154,Use Windows authentication for all users,4129,DOMAIN1\sheshadrid,4149,Wireless access to the Intranet,6,2,4130,mycompany.com/Chicago/Dinesh Sheshadri,4136,2,4142,0

FAIL:
10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,12,1400,30,0017.5a4f.6200,31,000c.f140.bfc4,6,1,61,19,5,48603,4,10.1.1.220,32,CHIWAP005,4108,10.1.1.220,4116,0,4128,CHIWAP005,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.3.47 10/11/2006 19:36:44 252645,4130,mycompany.com/Computers/MANTASF,4129,DOMAIN1\MANTASF$,4127,5,4149,Connections to other access servers,4136,1,4142,0

10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,25,311 1 172.16.3.47 10/11/2006 19:36:44 252645,4130,mycompany.com/Computers/MANTASF,4149,Connections to other access servers,4127,5,4129,DOMAIN1\MANTASF$,4154,Use Windows authentication for all users,4155,1,4128,CHIWAP005,4116,0,4108,10.1.1.220,4136,3,4142,66



Event viewer for failure:

User host/mantasf.mycompany.com was denied access.
Fully-Qualified-User-Name = mycompany.com/Computers/MANTASF
NAS-IP-Address = 10.1.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 000c.f140.bfc4
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 10.1.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 48604
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.



IASSAM Log (failure):
[2652] 10-23 11:20:18:432: Creating EAP session
[2652] 10-23 11:20:18:432: NT-SAM Names handler received request with user identity host/mantasf.mycompany.com.
[2652] 10-23 11:20:18:432: Successfully cracked username.
[2652] 10-23 11:20:18:432: SAM-Account-Name is "DOMAIN1\MANTASF$".
[2652] 10-23 11:20:18:432: NT-SAM Authentication handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:18:432: Validating Windows account DOMAIN1\MANTASF$.
[2652] 10-23 11:20:18:432: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:18:432: Successfully validated windows account.
[2652] 10-23 11:20:18:432: NT-SAM User Authorization handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:18:432: Using native-mode dial-in parameters.
[2652] 10-23 11:20:18:432: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:18:432: Successfully retrieved per-user attributes.
[2652] 10-23 11:20:18:432: Saving the response
[5724] 10-23 11:20:20:714: Creating EAP session
[5724] 10-23 11:20:20:714: NT-SAM Names handler received request with user identity host/mantasf.mycompany.com.
[5724] 10-23 11:20:20:729: Successfully cracked username.
[5724] 10-23 11:20:20:729: SAM-Account-Name is "DOMAIN1\MANTASF$".
[5724] 10-23 11:20:20:729: NT-SAM Authentication handler received request for DOMAIN1\MANTASF$.
[5724] 10-23 11:20:20:729: Validating Windows account DOMAIN1\MANTASF$.
[5724] 10-23 11:20:20:729: Sending LDAP search to chidc007.mycompany.com.
[5724] 10-23 11:20:20:729: Successfully validated windows account.
[5724] 10-23 11:20:20:729: NT-SAM User Authorization handler received request for DOMAIN1\MANTASF$.
[5724] 10-23 11:20:20:729: Using native-mode dial-in parameters.
[5724] 10-23 11:20:20:729: Sending LDAP search to chidc007.mycompany.com.
[5724] 10-23 11:20:20:729: Successfully retrieved per-user attributes.
[5724] 10-23 11:20:20:729: Saving the response
[2652] 10-23 11:20:20:964: Creating EAP session
[2652] 10-23 11:20:20:964: NT-SAM Names handler received request with user identity host/mantasf.mycompany.com.
[2652] 10-23 11:20:20:964: Successfully cracked username.
[2652] 10-23 11:20:20:964: SAM-Account-Name is "DOMAIN1\MANTASF$".
[2652] 10-23 11:20:20:964: NT-SAM Authentication handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:20:964: Validating Windows account DOMAIN1\MANTASF$.
[2652] 10-23 11:20:20:964: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:20:964: Successfully validated windows account.
[2652] 10-23 11:20:20:964: NT-SAM User Authorization handler received request for DOMAIN1\MANTASF$.
[2652] 10-23 11:20:20:964: Using native-mode dial-in parameters.
[2652] 10-23 11:20:20:964: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:20:20:964: Successfully retrieved per-user attributes.
[2652] 10-23 11:20:20:964: Saving the response

IASSAM Log (success):
[2652] 10-23 11:27:41:008: Creating EAP session
[2652] 10-23 11:27:41:008: NT-SAM Names handler received request with user identity DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Username is already an NT4 account name.
[2652] 10-23 11:27:41:008: SAM-Account-Name is "DOMAIN1\sheshadrid".
[2652] 10-23 11:27:41:008: NT-SAM Authentication handler received request for DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Validating Windows account DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:27:41:008: Successfully validated windows account.
[2652] 10-23 11:27:41:008: NT-SAM User Authorization handler received request for DOMAIN1\sheshadrid.
[2652] 10-23 11:27:41:008: Using native-mode dial-in parameters.
[2652] 10-23 11:27:41:008: Sending LDAP search to chidc007.mycompany.com.
[2652] 10-23 11:27:41:008: Successfully retrieved per-user attributes.
[2652] 10-23 11:27:41:008: Allowed EAP type: 25
[2652] 10-23 11:27:41:008: Setting max. packet length to 1396.
[2652] 10-23 11:27:41:008: Processing output from EAP DLL.
[2652] 10-23 11:27:41:008: EAPACTION_Send
etc

The successful authentication also populates the RASTLS logfile. However, the
failed attempt here did not populate that log file, as it appears it does
not reach that point of the authentication process.

For whatever reason, that failed authentication didn't recognize the packet
as coming from a domain logged-in user, correct? The packets appear to be
coming from host/mantasf.mycompany.com instead of DOMAIN1\mantasf. That
client laptop was able to authenticate and use the wireless network just fine
before and after this error message. The 're-authentication' process that was
triggered somehow didn't recognize the request as coming from a Windows
machine/logged-on user? What would change that state?

Further, in the IASSAM log, it seems to get in a loop where it keeps trying
to start the EAP validation, but it stops before getting to that line,
"Allowed EAP type: 25", which you can see in the successful authentication below
that.

My guess there is that because the request is coming in as someone 'not' on
my domain (even though they really are), IAS is using a different remote
access policy (Connections to other access servers) and the process breaks
down.


Does that make sense and/or help?
Josh
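Added example, not code from the thread: a small Python parser for the IAS-format records above that pairs each Access-Request with its Access-Reject and flags the pattern Josh describes (a host/... identity, a different policy, Reason-Code 66). The attribute-id-to-name mapping is inferred here by matching the log records against the Event Viewer fields on this page; the sample records are abridged copies of the thread's own lines.

```python
# Added example (not from the thread): parse Windows IAS-format log records
# (six fixed fields, then repeating attribute-id,value pairs) and flag rejects
# of machine-account identities (host/...) with their policy and reason code.
import csv

# IAS attribute numbers, inferred by matching the records against the Event
# Viewer fields shown in the thread (4127: 5 = EAP, 11 = PEAP).
ATTR = {"4127": "Authentication-Type", "4128": "Client-Friendly-Name",
        "4130": "Fully-Qualified-User-Name", "4136": "Packet-Type",
        "4142": "Reason-Code", "4149": "Policy-Name"}
PACKET = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}

# Constructed sample: the thread's two request/response pairs, rejoined onto
# one line each and abridged to the attributes this parser uses.
SAMPLE_LOG = (
    "10.1.1.10,DOMAIN1\\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,4130,mycompany.com/Chicago/Dinesh Sheshadri,4127,11,4149,Wireless access to the Intranet,4136,1,4142,0\n"
    "10.1.1.10,DOMAIN1\\sheshadrid,10/23/2006,11:20:12,IAS,CHIDC007,4128,CHIWAP003,4127,11,4149,Wireless access to the Intranet,4130,mycompany.com/Chicago/Dinesh Sheshadri,4136,2,4142,0\n"
    "10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,4128,CHIWAP005,4130,mycompany.com/Computers/MANTASF,4127,5,4149,Connections to other access servers,4136,1,4142,0\n"
    "10.1.1.220,host/mantasf.mycompany.com,10/23/2006,11:20:18,IAS,CHIDC007,4130,mycompany.com/Computers/MANTASF,4149,Connections to other access servers,4127,5,4128,CHIWAP005,4136,3,4142,66\n"
)

def parse_record(line):
    """Return one record as a dict; unknown attribute ids are kept by number."""
    fields = next(csv.reader([line]))
    rec = {"nas_ip": fields[0], "user": fields[1], "date": fields[2],
           "time": fields[3], "server": fields[5]}
    for attr_id, value in zip(fields[6::2], fields[7::2]):
        rec[ATTR.get(attr_id, attr_id)] = value
    rec["Packet-Type"] = PACKET.get(rec.get("Packet-Type"), rec.get("Packet-Type"))
    return rec

def find_rejects(log_text):
    """Pair each Access-Reject with its request (same NAS, identity, timestamp)."""
    requests, findings = {}, []
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        key = (rec["nas_ip"], rec["user"], rec["date"], rec["time"])
        if rec["Packet-Type"] == "Access-Request":
            requests[key] = rec
        elif rec["Packet-Type"] == "Access-Reject":
            req = requests.get(key, {})
            findings.append({
                "identity": rec["user"],
                # host/<fqdn> is the computer account, not a logged-on user
                "machine_account": rec["user"].lower().startswith("host/"),
                "policy": rec.get("Policy-Name"),
                "auth_type": rec.get("Authentication-Type", req.get("Authentication-Type")),
                "reason_code": int(rec.get("Reason-Code", "0")),
                "nas": rec.get("Client-Friendly-Name")})
    return findings
```

Run against a real IAS-format log, the same function will surface every reject that matched the catch-all policy, which is the first thing to check when a laptop that normally authenticates as a user suddenly shows up as its computer account.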


"Josh" wrote:

James,

Thanks for investigating. I'm going to try and be as detailed as possible
and give you more info to help.

Here it is:
* All the APs have the same configuration, so I'm not sure that it's a
config issue.
* Wireless clients are able to connect just fine for 1-2 days at a time, and
suddenly, for no reason I can tell, they are dropped with one of those error
messages in the log and unable to reconnect.
* To get them to reconnect, sometimes all they need to do is manually drop
their connection to my network and then double click on it and reconnect.
* Sometimes, however, a physical reboot of the client laptop is required,
with the user 'plugged in' to the network rather than using wireless. Then
I re-enable wireless and they can connect again for a while. This seems to
occur more on my users that 'travel' outside the office more often.
* IAS is installed on a DC and it is on W2k3 Server (with SP1). The clients
are all XP with SP2.
* I do have multiple DCs and I have the APs pointed at one DC for RADIUS,
with another DC listed as a backup RADIUS server. (Note: not a RADIUS pool,
but rather a backup in the event of the RADIUS server being unreachable.)
* The remote access policy in IAS is set to grant access to the group 'Domain
Users' (for my domain).
* The Dial-in tab for all users in AD is set to 'Control access through
remote access policy'.
* The policy and client laptops won't change, yet a client will be able to
connect fine for, say, a week, then suddenly start getting an error like this.
So I'm guessing it's not an access issue or a policy issue, but rather a
configuration or performance issue?

I just saw your followup post regarding bugfix/sp1 and I'll reply to that in
a second as well.

Thanks again

Josh

"James McIllece [MS]" wrote:

sherlockj@xxxxxxxxx wrote in
news:1160576927.310021.53250@xxxxxxxxxxxxxxxxxxxxxxxxxxx:

I'm having a problem with authentication and I can't figure it out.

I have Cisco Aironet 1100s for my APs and I have them authenticate
against a Windows 2003 Server as a RADIUS server. To do that, I'm using
IAS 2003 to authenticate against an internal certificate, using WPA/TKIP
as well as PEAP authentication modes. Client workstations are, for the
most part, IBM ThinkPad T series laptops.

Anyway, when a user connects to my wireless network, it authenticates
their Windows user and computer account and grants them access to my
network as designed. However, sporadically, it drops their connection
while it appears to 'reauthenticate' them, for no reason that I can
discern.

I've looked in the event viewer on the IAS server (which is also a
domain controller) and I see these messages below (the first two are
messages I've seen when the user is 'dropped' from my network; the
latter is a typical 'success' message).


FAIL:

Access request for user DOMAIN1\doej was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Called-Station-Identifier = 0017.5aa1.f1f0
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33971
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the
session timed out.

User host/doej.domain1.com was denied access.
Fully-Qualified-User-Name = domain1.com/Computers/doej
NAS-IP-Address = 192.168.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 192.168.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 30524
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission
for the user account was denied. To allow remote access, enable remote
access permission for the user account, or, if the user account
specifies that access is controlled through the matching remote access
policy, enable remote access permission for that remote access policy.



SUCCESS:

User DOMAIN1\doej was granted access.
Fully-Qualified-User-Name = domain1.com/Users/John Doe
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
Calling-Station-Identifier = 0013.ce45.3f7d
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33984
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to the Intranet
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)



Any ideas?!?

Thanks

Josh



In regard to the first error, this sounds like an AP configuration issue.
Make sure the shared secrets are the same on the AP and in IAS and check
other configuration settings. I asked the product team and they said they
felt this was probably the case. Is IAS installed on a DC? For WS03 this is
a recommended configuration so I am curious if that is how you have your
configuration. (If you don't it probably isn't a problem unless the IAS
server is having problems communicating with the DC.)

For the second error -- do you have more than one DC? It looks like user
account dial-in properties are not configured to allow access or to control
access through remote access policy. For the users who are losing
connections and have this problem, check the dial-in properties on the user
account in AD Users and Computers and make sure Remote Access Permission is
configured to Allow access or Control Access Through Remote Access Policy.

HTH

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
