Re: 802.1x Wired Auth and Authentication



Reason code 21 means that an IAS extension dynamic link library (DLL) that
is installed on the NPS or IAS server rejected the connection request.
This means that you have an IAS authentication extension DLL installed. You
will have to examine documentation for your extension DLL to understand why
the DLL rejected the auth request.

What user accounts database are you using?

Also, are you using a private CA? I assume you have issued a server cert to
your IAS or NPS server and you've issued user certificates to users.

Keep in mind that neither EAP-TLS nor PEAP-TLS provides dual authentication,
where both the user and computer are authenticated on the same connection
attempt. So even if you deploy both user and computer certificates, you're
only going to have either the user or the computer authenticated.


doubleH <heath@xxxxxxxxxxxxxx> wrote in
news:5145C9ED-8659-4CA9-A1B5-94C812EFF1A6@xxxxxxxxxxxxx:

Ok, thanks. So I'm configured for EAP-TLS auth. User auth works, but
computer auth does not. I am getting errors on both the IAS server and
client. Here are the errors:

==========
IAS Server
==========

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/14/2008
Time: 11:33:45 AM
User: N/A
Computer: IAS1
Description:
User host/laptoptest.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\LAPTOPTEST$
NAS-IP-Address = 192.168.73.2
NAS-Identifier = CORE2
Called-Station-Identifier = 00-17-08-cc-2f-00
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Client-Friendly-Name = CORE2
Client-IP-Address = 192.168.73.2
NAS-Port-Type = Ethernet
NAS-Port = 93
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....


==========
Client
==========

Event Type: Information
Event Source: Dot3Svc
Event Category: None
Event ID: 15514
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Computer: LAPTOPTEST
Description:
Wired 802.1X Authentication failed.

Network Adapter: Broadcom NetXtreme Gigabit Ethernet - Packet Scheduler Miniport
Interface GUID: {66cf62ec-9e70-44a2-b29a-fbe95796c647}
Peer Address: 001708CC2F00
Local Address: 0017A4D76B45
Connection ID: 0x00000004
Identity: host/laptoptest.domain.com
User: -
Domain: -
Reason: 327685
Reason Text: The authentication failed because there is a problem with the user account

Error Code: 1078067472


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Any ideas?




"James McIllece [MS]" wrote:

You can use PEAP-TLS or EAP-TLS for computer auth; you cannot use
PEAP-MS-CHAP v2 for computer authentication, however, because user
credentials (user name and password) are required for PEAP-MS-CHAP
v2.

If you are using Windows Server 2003, information about PEAP and EAP
is in the IAS Help.

If you are using Windows Server 2008, information about PEAP and EAP
is in the Network Policy Server (NPS) Help.

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no
rights.

doubleH <heath@xxxxxxxxxxxxxx> wrote in
news:49688317-1509-40E4-A2D1-62A9869BB16F@xxxxxxxxxxxxx:

Hello,

I've posted this same sort of question over in the AD group, but
feel my issue may be better suited here.

I am confused on the Authentication I need to implement (PEAP with
MSCHAPv2 or EAP-TLS) for computer authentication. Clients are WXP
SP3 and currently I have EAP-TLS configured and my test user is
able to authenticate against my W2K3 IAS server. Can I use PEAP for
computer auth or must it be EAP-TLS?
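As an added example (not from any of the posters), here is a small Python parser for the IAS Event ID 2 "denied access" description quoted above: it pulls the attributes into a dict, tells a machine-account attempt (host/<fqdn> identity, SAM name ending in "$") from a user attempt, and flags a Reason-Code 21 denial the way the reply explains it. The sample event text is constructed from the thread, and the `triage` helper and its labels are assumptions.

```python
import re

# Constructed sample, modelled on the IAS Event ID 2 description quoted in the thread.
SAMPLE_EVENT = """User host/laptoptest.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\\LAPTOPTEST$
NAS-IP-Address = 192.168.73.2
NAS-Identifier = CORE2
NAS-Port-Type = Ethernet
Authentication-Provider = Windows
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL file."""

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")
DENIED_RE = re.compile(r"^User (\S+) was denied access\.")


def parse_ias_event(description):
    """Turn an IAS 'denied access' description into a dict of its attributes."""
    fields = {}
    for line in description.splitlines():
        line = line.strip()
        m = DENIED_RE.match(line)
        if m:
            fields["Denied-Identity"] = m.group(1)
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def is_machine_account(fields):
    """Computer auth presents a host/<fqdn> identity and a SAM name ending in '$'."""
    return (fields.get("Denied-Identity", "").startswith("host/")
            or fields.get("Fully-Qualified-User-Name", "").endswith("$"))


def triage(fields):
    """Classify the denial; the Reason-Code 21 reading follows the reply above (assumed helper)."""
    code = int(fields.get("Reason-Code", "-1"))
    return {
        "reason_code": code,
        "machine_auth": is_machine_account(fields),
        "handled_by_extension": fields.get("Authentication-Type") == "Extension",
        "extension_dll_rejected": code == 21,
        "next_step": ("read the installed IAS authentication extension DLL's documentation"
                      if code == 21 else "check the remote access policy and EAP type that matched"),
    }
```

Run it over the text of an Event ID 2 description to see at a glance whether the failing attempt was the computer account and whether an extension DLL, rather than a policy, produced the denial.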


