Re: Sporadic IAS Authentication problems



James,

Thanks for investigating. I'm going to try and be as detailed as possible
and give you more info to help.

Here it is:
* All the APs have the same configuration, so I'm not sure that it's a
config issue.
* Wireless clients are able to connect just fine for 1-2 days at a time, and
suddenly, for no reason I can tell, they are dropped with one of those error
messages in the log and unable to reconnect.
* To get them to reconnect, sometimes all they need to do is manually drop
their connection to my network and then double click on it and reconnect.
* Sometimes, however, a physical reboot of the client laptop is required,
with the user 'plugged in' to the network, rather than using wireless. Then
I re-enable wireless and they can connect again for a while. This seems to
occur more on my users that 'travel' outside the office more often.
* IAS is installed on a DC and it is on W2k3 Server (with SP1). The clients
are all XP with SP2.
* I do have multiple DCs and I have the APs pointed at one DC for radius,
with another DC listed as a backup radius server. (Note: not a radius pool,
but rather a backup in the event of the radius server being unreachable.)
* The remote access policy in IAS is set to grant access to the group 'Domain
Users' (for my domain).
* The Dial-in tab for all users in AD is set to 'control access through
remote access policy'.
* The policy and client laptops won't change, yet a client will be able to
connect fine for, say, a week, then suddenly start getting an error like this.
So I'm guessing it's not an access issue or a policy issue, but rather a
configuration or performance issue?

I just saw your followup post regarding bugfix/sp1 and I'll reply to that in
a second as well.

Thanks again

Josh

"James McIllece [MS]" wrote:

sherlockj@xxxxxxxxx wrote in
news:1160576927.310021.53250@xxxxxxxxxxxxxxxxxxxxxxxxxxx:

I'm having a problem with authentication and I can't figure it out.

I have Cisco Aironet 1100s for my APs and I have them authenticate
against a Windows 2003 Server as a radius server. To do that, I'm using
IAS 2003 to authenticate against an internal certificate, using WPA / TKIP
as well as PEAP authentication modes. Client workstations are, for the
most part, IBM Thinkpad T series laptops.

Anyway, when a user connects to my wireless network, it authenticates
their Windows user and computer account and grants them access to my
network as designed. However, sporadically, it drops their connection
while it appears to 'reauthenticate' them, for no reason that I can
discern.

I've looked in the event viewer on the IAS server (which is also a
domain controller) and I see the messages below (the first two are
messages I've seen when the user is 'dropped' from my network; the
latter is a typical 'success' message).


FAIL:

Access request for user DOMAIN1\doej was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Called-Station-Identifier = 0017.5aa1.f1f0
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33971
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the
session timed out.

User host/doej.domain1.com was denied access.
Fully-Qualified-User-Name = domain1.com/Computers/doej
NAS-IP-Address = 192.168.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 192.168.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 30524
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission
for the user account was denied. To allow remote access, enable remote
access permission for the user account, or, if the user account
specifies that access is controlled through the matching remote access
policy, enable remote access permission for that remote access policy.



SUCCESS:

User DOMAIN1\doej was granted access.
Fully-Qualified-User-Name = domain1.com/Users/John Doe
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
Calling-Station-Identifier = 0013.ce45.3f7d
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33984
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to the Intranet
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)



Any ideas?!?

Thanks

Josh



In regard to the first error, this sounds like an AP configuration issue.
Make sure the shared secrets are the same on the AP and in IAS and check
other configuration settings. I asked the product team and they said they
felt this was probably the case. Is IAS installed on a DC? For WS03 this is
a recommended configuration so I am curious if that is how you have your
configuration. (If you don't it probably isn't a problem unless the IAS
server is having problems communicating with the DC.)

For the second error -- do you have more than one DC? It looks like user
account dial-in properties are not configured to allow access or to control
access through remote access policy. For the users who are losing
connections and have this problem, check the dial-in properties on the user
account in AD Users and Computers and make sure Remote Access Permission is
configured to Allow access or Control Access Through Remote Access Policy.

HTH

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
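When chasing sporadic failures like the ones quoted above, it helps to group the IAS event bodies by Calling-Station-Identifier so that one client's discard (Reason-Code 96), denial (Reason-Code 65) and success can be read side by side, and to flag denials whose Policy-Name is the catch-all rather than the wireless policy. The following is an added illustration, not code from the thread or from Microsoft; the sample events are constructed from the attributes quoted above (trimmed to the ones the parser uses), and the policy name "Wireless access to the Intranet" is taken from the success event.

```python
import re
from collections import defaultdict

# Constructed sample events, trimmed to the attributes the parser uses but in the
# shape IAS writes them (first line = outcome, then "Attribute = value" lines).
SAMPLE_EVENTS = [
    "Access request for user DOMAIN1\\doej was discarded.\n"
    "NAS-Identifier = CHIWAP007\nCalling-Station-Identifier = 0013.ce45.3f7d\n"
    "Reason-Code = 96\nReason = The authentication request was not processed because the session timed out.",
    "User host/doej.domain1.com was denied access.\n"
    "NAS-Identifier = CHIWAP005\nCalling-Station-Identifier = 0013.ce45.3f7d\n"
    "Policy-Name = Connections to other access servers\nReason-Code = 65\n"
    "Reason = The connection attempt failed because remote access permission for the user account was denied.",
    "User DOMAIN1\\doej was granted access.\n"
    "NAS-Identifier = CHIWAP007\nCalling-Station-Identifier = 0013.ce45.3f7d\n"
    "Policy-Name = Wireless access to the Intranet\nEAP-Type = Secured password (EAP-MSCHAP v2)",
]

OUTCOME_RE = re.compile(r"^(?:Access request for user|User) (.+?) was (discarded|denied|granted)")

def parse_event(text):
    """Turn one IAS event body into a dict: user, outcome, plus every attribute."""
    first, *rest = text.strip().splitlines()
    m = OUTCOME_RE.match(first)
    if not m:
        raise ValueError("not an IAS access event: " + first)
    event = {"user": m.group(1), "outcome": m.group(2)}
    for line in rest:
        key, sep, value = line.partition(" = ")
        if sep:
            event[key.strip()] = value.strip()
    return event

def summarize_by_station(events, wireless_policy="Wireless access to the Intranet"):
    """Group parsed events by client MAC and flag denials whose matched policy is
    not the expected wireless policy (the request fell through to the catch-all),
    which is the pattern in the thread's Reason-Code 65 event."""
    by_mac = defaultdict(list)
    for e in map(parse_event, events):
        fell_through = e["outcome"] == "denied" and e.get("Policy-Name") != wireless_policy
        by_mac[e["Calling-Station-Identifier"]].append({
            "nas": e["NAS-Identifier"], "user": e["user"], "outcome": e["outcome"],
            "reason_code": e.get("Reason-Code"), "fell_through_policy": fell_through,
        })
    return dict(by_mac)

if __name__ == "__main__":
    for mac, rows in summarize_by_station(SAMPLE_EVENTS).items():
        print(mac, *rows, sep="\n  ")
```

A denial for the host/ (computer) account that matched the catch-all policy points at policy conditions or dial-in settings rather than at the AP, which is the split James draws between the two errors.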



