Re: IAS and workgroup computers.



Hi Bill, and thank you for your reply.

IAS can return three responses to authentication requests: Accept, Reject and
Drop.
In this case IAS drops the request, but I would like it to reject it.

Do you understand?

Thanks,
--
Guy Melamed
MCSE: Messaging (2000/2003)

"Bill Grant" wrote:

I am not sure what you want to do. IAS is accepting valid requests and is
rejecting invalid ones. What exactly is your problem? Do you want to somehow
stop the AP from sending you a notification when this happens?

"Guy Melamed" <guy.melamed@xxxxxxxxxxxxxx> wrote in message
news:62F7C238-3372-40BE-91E6-FD206EE29C91@xxxxxxxxxxxxxxxx
Hi,

I have set up an IAS on my Windows 2003 SP1 domain controller.
I configured the IAS with a policy that grants wireless access to PEAP
protocol with MS-CHAP v2 and a certificate.
The policy and the wireless work fine for computers in my domain.
When workgroup computers try to access the wireless AP, the IAS sees that it
cannot authenticate the credentials, and sends a reject for the authentication
request (I can see it in the event viewer).
As a result, my AP sends me a notification that the RADIUS server is not
responding.
I have tried to add a policy in the IAS that denies access to all
authentication methods, but that did not help. I still get the same
behaviour.
I even tried to set a policy that denies all ("*") NAS-Identifiers, but this
didn't help either.

Here is an example of the event:

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 09/01/2007
Time: 12:43:45
User: N/A
Computer: XXXXXX
Description:
Access request for user XXXX\XXXX was discarded.
Fully-Qualified-User-Name = XXXX\XXXX
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Identifier = AP_FL7_E
Called-Station-Identifier = 0011.932e.6d61
Calling-Station-Identifier = 0013.ce50.28e3
Client-Friendly-Name = A.P - FL7 E
Client-IP-Address = XXX.XXX.XXX.XXX
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 38993
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 5
Reason = The user account domain cannot be accessed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....


Does anyone know how I can configure the IAS to reject these authentication
requests?

Regards,

--
Guy Melamed
MCSE: Messaging (2000/2003)
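
Added example, not part of the thread above and not posted by either participant: a small Python triage script that reads exported IAS event text in the layout shown in the post and counts "was discarded" events per access point, reason code and client MAC, so repeated discards from the same workgroup client stand out. The sample input, user names, MAC addresses and the function names `parse_discards` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample export (not real log data); field layout follows the event above.
SAMPLE = """\
Event Type: Error
Event Source: IAS
Event ID: 3
Description:
Access request for user LAB\\guest1 was discarded.
NAS-Identifier = AP_FL7_E
Calling-Station-Identifier = 0000.0000.0001
Reason-Code = 5
Reason = The user account domain cannot be accessed.
Event Type: Error
Event Source: IAS
Event ID: 3
Description:
Access request for user LAB\\guest1 was discarded.
NAS-Identifier = AP_FL7_E
Calling-Station-Identifier = 0000.0000.0001
Reason-Code = 5
Reason = The user account domain cannot be accessed.
Event Type: Information
Event Source: OtherService
Description:
Constructed unrelated event that must be ignored.
"""

DISCARD = re.compile(r"Access request for user (\S+) was discarded")
FIELD = re.compile(r"^[ \t]*([\w-]+) = (.*?)[ \t]*$", re.M)

def parse_discards(text):
    """Return one dict of attributes per IAS 'was discarded' event."""
    out = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        m = DISCARD.search(block)
        if m and "Event Source: IAS" in block:
            out.append({"User": m.group(1), **dict(FIELD.findall(block))})
    return out

def summarize(events):
    """Count discards per (AP, reason code, client MAC) to spot retry loops."""
    return Counter((e.get("NAS-Identifier"), e.get("Reason-Code"),
                    e.get("Calling-Station-Identifier")) for e in events)

if __name__ == "__main__":
    for (ap, code, mac), n in summarize(parse_discards(SAMPLE)).most_common():
        print(f"{n} discard(s): AP={ap} reason={code} client={mac}")
```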



