Re: IAS server and access points
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 23 Aug 2007 12:59:53 -0700
Hi again --
Received some suggestions from the product team.
If you're using Vista clients, enable Single Sign On in the wireless GP
profile and the problem with logon scripts not running will be resolved.
Also, the following instructions were provided for you to follow. These
instructions request that you email some data files to me. Please send them
to the email alias wsdocs@xxxxxxxxxxxxxxxxxxxxx (and remove -nospam- from
the address). Here are the instructions:
I think it is unlikely that the machine authentication failure is specific
to certain access points if user authentication succeeds through these same
RADIUS clients. I suspect that the problem is either with the wireless
client authentication mode settings or with the computer account policy
configuration. First have the customer verify that machine authentication
is enabled on both the client supplicant settings and within a relevant IAS
Remote Access Policy. Then, to get a more complete picture of the failure,
please request simultaneous tracing logs from both a failing wireless
client and the IAS server during a machine authentication failure.
1. To capture tracing logs use the following steps:
For Windows Server 2003 and Windows XP:
a) From a command prompt, type "netsh ras set tracing * enable"
b) Reproduce the machine authentication failure
c) Turn off tracing from a command prompt with "netsh ras set tracing *
disable"
d) The logs created are contained in the %SystemRoot%\Tracing folder.
On Windows Vista clients:
Run the following commands from an elevated CMD prompt
a) netsh ras set tracing * enable
b) netsh wlan set tracing mode=yes
c) - Run the connection attempt and wait for it to fail -
d) netsh wlan set tracing mode=no (IMPORTANT: Wait for the command to
return control back to the command line)
e) netsh ras set tracing * disable
Please zip up the contents of the %SystemRoot%\tracing directory and either
attach to a reply or copy to a network share.
2. For Windows Vista clients, export the WLAN profiles with the following
command from an elevated command prompt:
Netsh wlan export profile folder=C:
This will output the profiles for each adapter to the specified location as
<adaptername>.xml (such as C:\Wireless Network Connection.xml)
3. If possible, obtain a dump of the wireless access point configuration in
use.
=?Utf-8?B?R2FyeUFTRw==?= <GaryASG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:6E464B66-EC96-4B4A-8995-7CA56BE334A7@xxxxxxxxxxxxx:
Many Thanks
"James McIllece [MS]" wrote:
=?Utf-8?B?R2FyeUFTRw==?= <GaryASG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:38D55B5E-83D8-4DCD-BC9B-7E3279686C6F@xxxxxxxxxxxxx:
Thanks for the reply
I have an update which definitely blames the AP's.
I have actually been in touch with Netgear tech support on this
current problem. I used Ethereal to look at packets arriving on the
IAS server from the access points and Ethereal marked the packets
as Malformed. The problem is I cannot determine what exactly is
malformed about them. I have sent the logs to Netgear and made
steps to return the AP's as not fit for purpose.
What is most frustrating is that this has happened with so many
manufacturers. Although I cannot confirm the previous AP's had the
same problem they just had the same effect.
I do have the validate server certificate selected. I use GP to
push out the wireless policy to all client pc's in a specific
group.
"James McIllece [MS]" wrote:
=?Utf-8?B?R2FyeUFTRw==?= <GaryASG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in news:5C745148-BAF6-4650-9DA8-C2B63820C71F@xxxxxxxxxxxxx:
I am having a problem with some access points that are 802.1x
capable. I use PEAP and passwords to authenticate wireless
clients. Some access points work fine with IAS others can only
authenticate the users as they login they do not authenticate
the computers before login. This prevents our login script from
running. The computers can authenticate once the user is logged
in but this is too late. I get an occasional message on my IAS
server that says "A RADIUS message with the Code field set to 2,
which is not valid, was received on port 1812 from RADIUS client
"access point name." This also appears with code field 4 & 5. I
frequently get no message at all. This has happened with 3com,
netgear, dlink and linksys access points. It also varies with
firmware on some access points i.e. old firmware works new
firmware does not. Is this just a problem with the access points
or could it be my network/IAS setup? Any help gratefully
received
If the access points are sending RADIUS messages with invalid
values for the code field, there is nothing wrong with your setup
-- as you have noted, IAS will reject messages with invalid
values.
Without implying that the APs you are using are not compliant with
the RADIUS protocol/RFC's, I can say that whatever APs you're
using must be compliant with the RADIUS protocol and RFCs, and if
you're having problems with APs you should definitely contact the
AP vendor.
As for logon scripts running, do you have all clients configured
to validate the IAS server? (Can't remember the name of this
control on the client, I think it is probably "Validate server
certificate")
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my
online account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers
no rights.
I've pinged the product team about the logon/script issue, if I
receive a response I will let you know.
Thanks --
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no
rights.
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
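
Added example, not part of the original thread and not IAS code: a Python check that reports what is wrong with a RADIUS datagram of the kind discussed above (a Code value such as 2, 4 or 5 arriving on port 1812, or a packet a sniffer marks as malformed). The code names and header layout follow RFC 2865/2866; the function names, the port-to-code mapping and the sample packets are assumptions constructed for illustration.

```python
import struct

# RADIUS codes (RFC 2865/2866) and, as an assumption of this sketch,
# the only request code a server should receive on each UDP port.
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
              4: "Accounting-Request", 5: "Accounting-Response",
              11: "Access-Challenge"}
EXPECTED_ON_PORT = {1812: {1}, 1813: {4}}

def check_radius(datagram: bytes, port: int) -> list:
    """Return the problems found in one UDP payload (empty list = well-formed)."""
    if len(datagram) < 20:
        return [f"datagram is {len(datagram)} bytes, shorter than the 20-byte header"]
    code, _ident, length = struct.unpack("!BBH", datagram[:4])
    problems = []
    if code not in EXPECTED_ON_PORT.get(port, set()):
        name = CODE_NAMES.get(code, "unknown")
        problems.append(f"code {code} ({name}) is not valid on port {port}")
    if not 20 <= length <= 4096:
        return problems + [f"Length field {length} outside 20..4096"]
    if length > len(datagram):
        return problems + [f"Length field {length} exceeds datagram size {len(datagram)}"]
    # Walk the attributes: Type (1 byte), Length (1 byte), Value (Length - 2 bytes).
    pos = 20
    while pos < length:
        if pos + 2 > length:
            problems.append(f"truncated attribute header at offset {pos}")
            break
        a_type, a_len = datagram[pos], datagram[pos + 1]
        if a_len < 2 or pos + a_len > length:
            problems.append(f"attribute type {a_type} at offset {pos} has bad length {a_len}")
            break
        pos += a_len
    return problems

def build(code: int, attrs: bytes, ident: int = 1) -> bytes:
    """Constructed test packet with a zeroed authenticator (not from a capture)."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs

# Constructed samples: User-Name attribute (type 1) carrying "host/pc01".
USER = bytes([1, 11]) + b"host/pc01"
SAMPLES = {
    "good request": build(1, USER),
    "accept sent to server": build(2, USER),
    "accounting on auth port": build(4, USER),
    "attribute overrun": build(1, bytes([1, 40]) + b"host/pc01"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, "->", check_radius(pkt, 1812) or "ok")
```

To use it on real traffic, pass each UDP payload exported from the capture together with the destination port it arrived on.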