Re: IAS Errors




Yeah already checked that. On most occasions the Netbios type of resolution
always fails versus the DNS FQDN name spelled out style succeeds in a good
VPN connection. I should have added that very rarely does the error state
that the account is locked out. I wonder if there's a way to avoid the
Netbios domain resolution form of authentication.

"Wayne Tilton" wrote:

Tim <Tim@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:825D0AE0-9572-4F7A-8904-1DC115F4DCB4@xxxxxxxxxxxxx:

I have 8 VPN users authenticating through a CheckPoint firewall over
RADIUS to one of 2 IAS Servers both of which are domain controllers.
Simply put when people succeed and 7 of them do, the following or
similar message gets put in the system log of the IAS server...

"Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 3/17/2009
Time: 10:46:50 AM
User: N/A
Computer: PDC Emulator & IAS Server computer name



Description:
User jonesm was granted access.
Fully-Qualified-User-Name = internal.domainname/Users/Margaret Jones
NAS-IP-Address = 192.168.102.1
NAS-Identifier = <not present>
Client-Friendly-Name = Firewall Host Name
Client-IP-Address = 192.168.100.252
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Our Standard RADIUS Policy
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00"

Note the Fully-Qualified-User-Name and correct Policy-Name being
present. The user name smells like DNS being resolved and this makes
sense to me. Now here's what happens to the one user that has 50%
success and 50% failure.

"Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 3/16/2009
Time: 7:43:09 PM
User: N/A
Computer: Same PDC emulator and IAS server computer name
Description:
User doed was denied access.
Fully-Qualified-User-Name = domainnetbiosname\doed
NAS-IP-Address = 192.168.102.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = Firewall Host Name
Client-IP-Address = 192.168.100.252
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 36
Reason = The user account is currently locked and cannot be
authenticated.
Only a person with administrative rights for either the computer or
the domain can unlock the user account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 75 07 07 80"

Note the netbios resolution and lack of Policy Name. Why in the world
would this happen? No they are not really locked out. The message is
absolutely LYING! Thoughts?


Don't be so sure the account isn't 'locked'. We have an extensive
EAP/TLS wireless deployment and about half a dozen times over the last
couple of years we've had issues with users who got this error yet
looking at their account in AD U&C they don't show locked. However,
looking at the userAccountControl attribute showed it set to 528 (Normal
Account + Lockout). Resetting userAccountControl to 512 has resolved the
issue every time.

HTH
Wayne Tilton
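The following is an added example, written for this archive page and not code posted by Tim or Wayne. It does two things the thread discusses: it parses IAS event descriptions in the layout shown above and flags the symptoms Tim pointed out (a NetBIOS-form Fully-Qualified-User-Name, no matching Policy-Name, Reason-Code 36), and it decodes a userAccountControl value the way Wayne did, showing that 528 is NORMAL_ACCOUNT (512) plus LOCKOUT (16) and that clearing the LOCKOUT bit yields 512. The two sample events are constructed from the thread's log excerpts, abridged to the attribute lines that matter; the flag values are the documented userAccountControl bits.

```python
"""Triage helper for the IAS events and the userAccountControl fix in this thread (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented userAccountControl bit flags (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
UAC_LOCKOUT = 0x0010

# IAS reason code shown in the denial event above.
REASON_ACCOUNT_LOCKED = 36


@dataclass
class IasEvent:
    user: str
    fqun: str
    name_form: str            # "fqdn-canonical", "netbios" or "other"
    granted: bool
    reason_code: Optional[int]
    policy_name: Optional[str]


def classify_name_form(fqun: str) -> str:
    """Distinguish DOMAIN\\user (NetBIOS) from dns.domain/OU/CN (canonical) names."""
    if "\\" in fqun:
        return "netbios"
    if "/" in fqun and "." in fqun.split("/", 1)[0]:
        return "fqdn-canonical"
    return "other"


def parse_ias_event(description: str) -> IasEvent:
    """Parse the Description block of an IAS event 1 (granted) or event 2 (denied)."""
    lines = [ln.strip() for ln in description.strip().splitlines() if ln.strip()]
    m = re.match(r"User (\S+) was (granted|denied) access\.", lines[0])
    if not m:
        raise ValueError("not an IAS grant/deny event: %r" % lines[0])
    attrs: Dict[str, str] = {}
    for ln in lines[1:]:
        if " = " in ln:
            key, _, val = ln.partition(" = ")   # split on the first " = " only
            attrs[key.strip()] = val.strip()
    fqun = attrs.get("Fully-Qualified-User-Name", "")
    policy = attrs.get("Policy-Name")
    reason = attrs.get("Reason-Code")
    return IasEvent(
        user=m.group(1),
        fqun=fqun,
        name_form=classify_name_form(fqun),
        granted=(m.group(2) == "granted"),
        reason_code=int(reason) if reason is not None else None,
        policy_name=None if policy in (None, "<undetermined>") else policy,
    )


def triage(description: str) -> dict:
    """Return the symptoms from the thread that are present in one event."""
    ev = parse_ias_event(description)
    findings: List[str] = []
    if ev.name_form == "netbios":
        findings.append("Fully-Qualified-User-Name is in NetBIOS form (DOMAIN\\user), not DNS canonical form")
    if not ev.granted and ev.policy_name is None:
        findings.append("no remote access policy matched (Policy-Name undetermined)")
    if ev.reason_code == REASON_ACCOUNT_LOCKED:
        findings.append("Reason-Code 36: inspect userAccountControl for the LOCKOUT bit, not only the AD U&C lockout checkbox")
    return {"user": ev.user, "granted": ev.granted, "name_form": ev.name_form, "findings": findings}


def decode_uac(value: int) -> List[str]:
    """Name the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def clear_lockout(value: int) -> int:
    """userAccountControl with the LOCKOUT bit cleared (528 -> 512, as in Wayne's fix)."""
    return value & ~UAC_LOCKOUT


# Sample events constructed from the thread's excerpts (abridged to relevant attributes).
GRANTED_EVENT = r"""User jonesm was granted access.
Fully-Qualified-User-Name = internal.domainname/Users/Margaret Jones
NAS-IP-Address = 192.168.102.1
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = Our Standard RADIUS Policy
Authentication-Type = MS-CHAPv2
"""

DENIED_EVENT = r"""User doed was denied access.
Fully-Qualified-User-Name = domainnetbiosname\doed
NAS-IP-Address = 192.168.102.1
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
Reason-Code = 36
Reason = The user account is currently locked and cannot be authenticated.
"""

if __name__ == "__main__":
    for desc in (GRANTED_EVENT, DENIED_EVENT):
        print(triage(desc))
    print(decode_uac(528), "->", clear_lockout(528))
```

Run as a script it prints no findings for the granted event, three findings for the denied one, and `['LOCKOUT', 'NORMAL_ACCOUNT'] -> 512` for the value Wayne saw. The decoder only tells you which bits are set; resetting the attribute in the directory is the step Wayne describes, and the name-form check is a triage signal for the pattern Tim observed, not proof of its cause.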



