Re: Oddball IAS Issue - sees login ID as MAC and fails to auth wir



Yes - a Cisco WLAN 4400 controller and two models of Cisco APs.

Initially I thought the Cisco or Airtight controller was denying access at a
MAC level but this wasn't the case - it was IAS.

"S. Pidgorny <MVP>" wrote:

Using Cisco wireless controllers or just access points?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Raj" <Raj@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:787A7418-BBFB-4A9E-97C1-9E278E3971E7@xxxxxxxxxxxxxxxx
We have a strange situation whereby some wireless clients are connecting AOK
but some aren't.

The ones that work show up in the IAS log as -

User domain\jbloggs was granted access.
Fully-Qualified-User-Name = domain/jbloggs
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Client-Friendly-Name = WLAN
Client-IP-Address = 10.1.203.249
Calling-Station-Identifier = 00-18-4D-77-B6-61
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Administrators
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

The ones that don't work show up in the IAS log as -

User 00:19:d2:b9:45:1a was denied access.
Fully-Qualified-User-Name = domain\00:19:d2:b9:45:1a
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Called-Station-Identifier = 00-0b-85-73-61-f0:TEC
Calling-Station-Identifier = 00-19-d2-b9-45-1a
Client-Friendly-Name = WLAN
Client-IP-Address = 10.1.203.249
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Unauthenticated
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.

So the systems (XP SP2 laptops) that don't work appear to be sending their
wireless MAC address rather than the userid of the person logging in. IAS is
configured to authorise any connecting system/person in a particular AD
group. We're also using MS-CHAPv2 & PEAP w/ a VeriSign cert.

This is something new that's cropped up - just wondering if anyone else has
seen this before? Or whether a system update/patch could be causing this?

Cheers,
Raj.
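
The following is an added example, not part of the original thread: a small Python check that parses IAS event text in the format quoted above and flags events where the user name presented to IAS is the client's own MAC address (it matches Calling-Station-Identifier). The function names are this example's own, and the sample input is constructed from the two events in the post, trimmed to the fields the check needs.

```python
import re

# Constructed sample: the two IAS events quoted in the thread, trimmed to the
# fields this check reads.
SAMPLE_EVENTS = """\
User domain\\jbloggs was granted access.
Fully-Qualified-User-Name = domain/jbloggs
Calling-Station-Identifier = 00-18-4D-77-B6-61
Authentication-Type = PEAP

User 00:19:d2:b9:45:1a was denied access.
Fully-Qualified-User-Name = domain\\00:19:d2:b9:45:1a
Calling-Station-Identifier = 00-19-d2-b9-45-1a
Authentication-Type = Unauthenticated
Reason-Code = 8
"""

HEADER = re.compile(r"^User (?P<user>\S+) was (?P<result>granted|denied) access\.$")
MAC = re.compile(r"^(?:[0-9a-f]{2}[:\-.]?){5}[0-9a-f]{2}$", re.I)

def normalize_mac(value):
    """Return 12 lowercase hex digits if value (minus any domain prefix) is a MAC, else None."""
    value = value.split("\\")[-1].split("/")[-1].strip()
    if not MAC.match(value):
        return None
    return re.sub(r"[^0-9a-f]", "", value.lower())

def parse_events(text):
    """Split blank-line-separated IAS events into dicts of header fields and attributes."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        m = HEADER.match(lines[0]) if lines else None
        if not m:
            continue  # not an access granted/denied event
        event = {"User": m.group("user"), "Result": m.group("result")}
        for line in lines[1:]:
            name, sep, value = line.partition(" = ")
            if sep:
                event[name.strip()] = value.strip()
        events.append(event)
    return events

def mac_as_username(events):
    """Events whose user name is the same MAC as Calling-Station-Identifier."""
    return [e for e in events
            if (mac := normalize_mac(e["User"]))
            and mac == normalize_mac(e.get("Calling-Station-Identifier", ""))]
```

Run over an exported IAS log, `mac_as_username(parse_events(text))` lists the affected clients by MAC, which helps separate this failure from ordinary bad-password denials.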


