Re: 802.1x Wired Auth and Authentication



Frankly I don't know, I don't have any experience with third-party
extension dlls. But it sounds to me like you didn't even install an
extension dll, is that the case?

Could another person have installed a dll on your test machine?

If not, and if there is no dll installed, there is some other problem.


doubleH <heath@xxxxxxxxxxxxxx> wrote in
news:61C0F042-DA5F-44D3-BB75-475C3EEF88AB@xxxxxxxxxxxxx:

How do I see where/what the IAS auth extension is? I'm using AD W2K3
and have Cert Service and issued user and computer certs to my test
user and test laptop.

Thanks

"James McIllece [MS]" wrote:

Reason code 21 means that an IAS extension dynamic link library (DLL)
that is installed on the NPS or IAS server rejected the connection
request. This means that you have an IAS authentication extension DLL
installed. You will have to examine documentation for your extension
dll to understand why the dll rejected the auth request.

What user accounts database are you using?

Also, are you using a private CA? I assume you have issued a server
cert to your IAS or NPS server and you've issued user certificates to
users.

Keep in mind that neither EAP-TLS nor PEAP-TLS provides dual
authentication, where both the user and computer are authenticated on
the same connection attempt. So even if you deploy both user and
computer certificates, you're only going to have either the user or
the computer authenticated.


doubleH <heath@xxxxxxxxxxxxxx> wrote in
news:5145C9ED-8659-4CA9-A1B5-94C812EFF1A6@xxxxxxxxxxxxx:

Ok Thanks. So I'm configured for EAP-TLS auth. User auth works, but
computer auth does not. I am getting errors on both the IAS server
and Client. Here are the errors....

==========
IAS Server
==========

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/14/2008
Time: 11:33:45 AM
User: N/A
Computer: IAS1
Description:
User host/laptoptest.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\LAPTOPTEST$
NAS-IP-Address = 192.168.73.2
NAS-Identifier = CORE2
Called-Station-Identifier = 00-17-08-cc-2f-00
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Client-Friendly-Name = CORE2
Client-IP-Address = 192.168.73.2
NAS-Port-Type = Ethernet
NAS-Port = 93
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL
file.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....


==========
Client
==========

Event Type: Information
Event Source: Dot3Svc
Event Category: None
Event ID: 15514
Date: 8/14/2008
Time: 9:37:53 AM
User: N/A
Computer: LAPTOPTEST
Description:
Wired 802.1X Authentication failed.

Network Adapter: Broadcom NetXtreme Gigabit Ethernet - Packet
Scheduler
Miniport
Interface GUID: {66cf62ec-9e70-44a2-b29a-fbe95796c647}
Peer Address: 001708CC2F00
Local Address: 0017A4D76B45
Connection ID: 0x00000004
Identity: host/laptoptest.domain.com
User: -
Domain: -
Reason: 327685
Reason Text: The authentication failed because there is a problem
with the
user account

Error Code: 1078067472


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Any ideas?




"James McIllece [MS]" wrote:

You can use PEAP-TLS or EAP-TLS for computer auth; you cannot use
PEAP-MS-CHAP v2 for computer authentication, however, because
user credentials (user name and password) are required for
PEAP-MS-CHAP v2.

If you are using Windows Server 2003, information about PEAP and
EAP is in the IAS Help.

If you are using Windows Server 2008, information about PEAP and
EAP is in the Network Policy Server (NPS) Help.

James McIllece, Microsoft

Please do not send email directly to this alias. This is my
online account name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers
no rights.

doubleH <heath@xxxxxxxxxxxxxx> wrote in
news:49688317-1509-40E4-A2D1-62A9869BB16F@xxxxxxxxxxxxx:

Hello,

I've posted this same sort of question over in the AD group, but
feel my issue may be better suited here.

I am confused on the Authentication I need to implement (PEAP
with MSCHAPv2 or EAP-TLS) for computer authentication. Clients
are WXP SP3 and currently I have EAP-TLS configured and my test
user is able to authenticate against my W2K3 IAS server. Can I
use PEAP for computer auth or must it be EAP-TLS?
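
Added example, not part of the original thread: a small Python triage of the two event descriptions quoted above. It parses the IAS and Dot3Svc fields (including the wrapped Reason line), confirms the denial is a machine-account request rejected with Reason-Code 21, and matches the server and client events by MAC address despite the different notations. The function names are hypothetical, and the sample text is the thread's own events trimmed to the fields used.

```python
import re

# Event descriptions quoted in the thread above, trimmed to the fields used here.
IAS_EVENT = r"""User host/laptoptest.domain.com was denied access.
Fully-Qualified-User-Name = DOMAIN\LAPTOPTEST$
Called-Station-Identifier = 00-17-08-cc-2f-00
Calling-Station-Identifier = 00-17-a4-d7-6b-45
Authentication-Type = Extension
EAP-Type = <undetermined>
Reason-Code = 21
Reason = The request was rejected by a third-party extension DLL
file."""

CLIENT_EVENT = """Wired 802.1X Authentication failed.
Peer Address: 001708CC2F00
Local Address: 0017A4D76B45
Identity: host/laptoptest.domain.com
Reason: 327685"""

def parse_fields(text, sep):
    """Parse 'Name<sep>value' lines; a line without a field name continues the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        name, found, value = line.partition(sep)
        if found and re.fullmatch(r"[A-Za-z][\w -]*", name.strip()):
            last = name.strip()
            fields[last] = value.strip()
        elif last and line.strip():
            fields[last] += " " + line.strip()
    return fields

def same_mac(a, b):
    """Compare MACs written in different notations (00-17-a4-... vs 0017A4...)."""
    na, nb = (re.sub(r"[^0-9a-f]", "", v.lower()) for v in (a, b))
    return len(na) == 12 and na == nb

def triage(ias_text, client_text):
    ias, client = parse_fields(ias_text, "="), parse_fields(client_text, ":")
    return {
        # Computer accounts carry a trailing "$" in the SAM account name.
        "machine_account": ias.get("Fully-Qualified-User-Name", "").endswith("$"),
        "rejected_by_extension": ias.get("Reason-Code") == "21"
        and ias.get("Authentication-Type") == "Extension",
        "same_supplicant": same_mac(ias.get("Calling-Station-Identifier", ""), client.get("Local Address", "")),
        "same_authenticator": same_mac(ias.get("Called-Station-Identifier", ""), client.get("Peer Address", "")),
        "reason": ias.get("Reason"),
    }

if __name__ == "__main__":
    print(triage(IAS_EVENT, CLIENT_EVENT))
```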







