RE: IAS server blues (Can't get 802.1x to work)



Updated Information....
I am no longer getting the "23" error. I repulled the certificates for the
clients.
However, that does not mean that we are up and functioning yet. I am now
having a problem with pulling DHCP once the system has completed a reboot.
Pulling an IP address during reboot appears to work correctly, but when the
Intel adapter attempts to refresh the IP address it fails as if it cannot
talk to the DHCP server. Applying a static IP address to the machine appears
to make the wireless connection function properly. I believe it is getting
an initial IP address from DHCP because the utility bxinfo displays an IP
address on the desktop.

Any ideas what could be causing this issue?

This is an Intel PRO 2200 BG Adapter running on Windows XP SP2
--
Steve Halvorson
Preferred Credit, Inc


"Steve Halvorson" wrote:

I am deploying a new Wireless LAN with DLINK's DES1228 Managed Wireless AP
Switch and DWL 3140 Access points. The connection initiates and then fails
on authentication. This is 802.1x with WPA, EAP and AES. Certificate
services have been deployed to authenticate the machines as well as the users
and it appears that the certificates are deploying correctly. The event
viewer shows...

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/8/2008
Time: 11:53:16 AM
User: N/A
Computer: RAD1
Description:
User Max was denied access.
Fully-Qualified-User-Name = MyDomain.net/InformationTechnology/Maxwell J.
Smart
NAS-IP-Address = 0.0.0.0
NAS-Identifier = DWL-3140_WLS_SW
Called-Station-Identifier = 00-1e-58-2c-0a-72
Calling-Station-Identifier = 00-16-6f-07-69-d5
Client-Friendly-Name = AP_8
Client-IP-Address = 10.1.0.197
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 27 03 09 80 '..€

--
IAS Log Sample
0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,4154,Use Windows authentication for all users,4136,4,4142,0
0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4127,5,4149,Connections to other access servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4136,1,4142,0
0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4149,Connections to other access servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4136,3,4142,23
The log files for IAS show similar

This was set up using the "Secure Wireless Access Point Configuration" guide.

I found the guide for interpreting IAS logs, but just my luck, Unknown error
23 is just that - unknown (someday I hope to get a known error). This appears
to be an authentication failure; note that in the IAS log, code 4136 has the
value of 3, which is user access denied. I need to figure out why the user
access is being denied. Any help will be greatly appreciated.

Steve
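
Added example, not part of either post above: a small decoder for the IAS-format log records quoted in the thread, which pulls out the Access-Reject records (4136 = 3) together with their reason code (4142) and the policy that matched. The attribute names follow the fields shown in the event-viewer entry; the two sample records are taken from the post's log sample with the wrapped lines rejoined, and the code assumes no value contains a comma.

```python
# Added example (not from the original post): decode IAS-format log records.
# Layout: six fixed header fields, then attribute-id,value pairs.
# Assumption: no value contains a comma (true for the records in this thread).
HEADER = ("NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name")
ATTR_NAMES = {
    "4108": "Client-IP-Address", "4128": "Client-Friendly-Name",
    "4129": "SAM-Account-Name", "4130": "Fully-Qualified-User-Name",
    "4132": "EAP-Friendly-Name", "4136": "Packet-Type",
    "4142": "Reason-Code", "4149": "Policy-Name",
    "4154": "Proxy-Policy-Name",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Two records from the log sample in the post, wrapped lines rejoined.
SAMPLE = [
    r"0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4127,5,4149,Connections to other access servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4136,1,4142,0",
    r"0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4149,Connections to other access servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4136,3,4142,23",
]

def parse_ias_record(line):
    """Turn one IAS-format line into a dict keyed by attribute name (or raw id)."""
    fields = line.strip().split(",")
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError("not a well-formed IAS-format record")
    record = dict(zip(HEADER, fields[:len(HEADER)]))
    attrs = fields[len(HEADER):]
    for attr_id, value in zip(attrs[0::2], attrs[1::2]):
        record[ATTR_NAMES.get(attr_id, attr_id)] = value
    return record

def access_rejects(lines):
    """Return one summary dict per Access-Reject (4136 = 3) record."""
    wanted = ("Record-Date", "Record-Time", "SAM-Account-Name",
              "Client-Friendly-Name", "Policy-Name", "EAP-Friendly-Name",
              "Reason-Code")
    found = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_record(line)
        if PACKET_TYPES.get(rec.get("Packet-Type")) == "Access-Reject":
            found.append({key: rec.get(key) for key in wanted})
    return found

if __name__ == "__main__":
    for hit in access_rejects(SAMPLE):
        print(hit)
```

Sorting the output by Policy-Name and Reason-Code shows at a glance which remote access policy a rejected client matched, which is the first thing to compare against the policy the client was expected to hit.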