Re: Vista wireless using IAS and WPA-Enterprise



Hi Paul,

Thanks for your reply.

Based on my deep research, it seems to be a certificate issue.

At this moment, please check the RADIUS server to see if there are lots of
certificates, which may be more than the limit that the IAS server can send
in the list to the wireless clients during authentication. If lots of
certificates exist on the RADIUS server, please try to delete the certificates
which are not required, and then reboot the server to remove the cached
certificates which the server has, to see if it can help. For more related
information, please refer to:

933430: Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003
http://support.microsoft.com/kb/933430/en-us

Hope that helps!

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





--------------------
| From: Paul Mckenna <JazzyJ187@xxxxxxxxxxxxxxxx>
| Subject: Re: Vista wireless using IAS and WPA-Enterprise
| Date: Wed, 18 Jul 2007 05:44:01 -0700
|
| Thanks for your suggestion.
|
| I've tried turning off autotuninglevel on the Vista machines but with no
| joy. I've also looked at the KB articles, none of which seem to relate to the
| problem I'm having, but I've tried the suggestions. Still nothing.
|
| Just to recap: when using any 3Com access point with a Windows Vista client,
| the 3Com access point sends data to the IAS server to say it wants to use EAP
| (even though Vista is configured to use PEAP) authentication; with an XP
| client the 3Com box sends that it wants to use PEAP authentication. If I enable
| EAP-TLS authentication on IAS and install a user certificate on the Vista
| machine and set Vista to use a certificate to log in, the connection works,
| but it's a lot of hassle maintaining and installing certificates for each
| user; I would much rather use PEAP.
|
| Regards
| Paul Mckenna
| "Ken Zhao [MSFT]" wrote:
|
| > Hi Paul,
| >
| > Based on my research, if the problem only occurs on Windows Vista machines,
| > I suggest you perform the following steps on the Vista machines:
| >
| > 1. Click Start, click All Programs, click Accessories, and then click
| > Command Prompt.
| > 2. At the command prompt, type the following command, and then press ENTER:
| > netsh interface tcp set global autotuninglevel=disabled
| > This command disables the Receive Window Auto-Tuning feature.
| > 3. Try to make a non-HTTP network connection.
| > Note: If the connectivity problem is resolved, contact the manufacturer of
| > the firewall device for steps to correct the issue.
| > 4. At a command prompt, type the following command, and then press ENTER:
| > netsh interface tcp set global autotuninglevel=normal
| > This command enables Receive Window Auto-Tuning again so that you can take
| > advantage of the network throughput performance increase it provides.
| >
| > Also, I found there are new KB articles that already describe this issue and
| > give the workaround.
| > 934430: Network connectivity may fail when you try to use Windows Vista behind a firewall device
| > http://support.microsoft.com/kb/934430
| >
| > 929868: A Web site sends data very slowly or drops the data completely when you use Windows Vista Enterprise
| > http://support.microsoft.com/kb/929868
| >
| > 935400: It takes a very long time to download an e-mail message from a POP3 server in Outlook 2007
| > http://support.microsoft.com/kb/935400
| >
| > Hope that helps!
| >
| > Thanks & Regards,
| >
| > Ken Zhao
| >
| > --------------------
| > | From: Paul Mckenna <JazzyJ187@xxxxxxxxxxxxxxxx>
| > | Subject: Re: Vista wireless using IAS and WPA-Enterprise
| > | Date: Tue, 17 Jul 2007 03:02:12 -0700
| > |
| > | Hi,
| > |
| > | Thanks for your suggestion. I've tried this and it makes no difference. I
| > | tried setting it to various numbers (1344, 1000, 64, 128); none made any
| > | difference. I have since found out that using another make of access point
| > | rather than 3Com, Vista will connect, but all 3Com access points I've
| > | tried work fine with XP but not with Vista.
| > |
| > | I'm not sure what else to try.
| > |
| > | Regards
| > | Paul Mckenna
| > |
| > | "Ken Zhao [MSFT]" wrote:
| > |
| > | > Hello Paul,
| > | >
| > | > Thank you for using newsgroup!
| > | >
| > | > From your post, I'd like to suggest you try to reduce the EAP packet size
| > | > of a Remote Authentication Dial-In User Service (RADIUS) server. You can do
| > | > this by using the Framed-MTU attribute in Internet Authentication Services
| > | > (IAS) of a Microsoft Windows Server 2003-based computer. For more detailed
| > | > steps, please refer to:
| > | > 883389: How to reduce the EAP packet size by using the Framed MTU attribute in Windows Server 2003
| > | > http://support.microsoft.com/default.aspx?scid=kb;EN-US;883389
| > | >
| > | > Thanks & Regards,
| > | >
| > | > Ken Zhao
| > | >
| > | > --------------------
| > | > | From: Paul Mckenna <JazzyJ187@xxxxxxxxxxxxxxxx>
| > | > | Subject: Re: Vista wireless using IAS and WPA-Enterprise
| > | > | Date: Mon, 16 Jul 2007 15:06:04 -0700
| > | > |
| > | > | Again, I appreciate your response, but this works with XP. XP sends the
| > | > | message to IAS that it wants to use PEAP authentication, whereas Vista sends
| > | > | the message to use EAP (which is not configured and is not something I want
| > | > | to use) even though Vista is configured to use PEAP.
| > | > | So although these error messages will probably help someone who wants to
| > | > | use EAP-TLS without having properly configured it, they don't really shed
| > | > | any light on my problem.
| > | > |
| > | > | Thanks again
| > | > |
| > | > | Regards
| > | > | Paul
| > | > |
| > | > |
| > | > | "Robert L [MVP - Networking]" wrote:
| > | > |
| > | > | > Or this post:
| > | > | >
| > | > | > IAS Reason-Code = 22 and 97
| > | > | > http://chicagotech.net/netforums/viewtopic.php?t=1063
| > | > | >
| > | > | > Bob Lin, MS-MVP, MCSE & CNE
| > | > | > Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
| > | > | > How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
| > | > | > "Paul Mckenna" <JazzyJ187@xxxxxxxxxxxxxxxx> wrote in message news:EB1DC5EB-D1C7-43D2-943E-755251B9E8B5@xxxxxxxxxxxxxxxx
| > | > | >
| > | > | > Thanks for your quick response. It's my fault, I posted the wrong error
| > | > | > message. The actual failure is
| > | > | >
| > | > | > User DOMAIN\Paul was denied access.
| > | > | > Fully-Qualified-User-Name = domain.local/Technical/Paul Mckenna
| > | > | > NAS-IP-Address = 192.168.100.126
| > | > | > NAS-Identifier =
| > | > | > Called-Station-Identifier = <not present>
| > | > | > Calling-Station-Identifier = <not present>
| > | > | > Client-Friendly-Name = 3com
| > | > | > Client-IP-Address = 192.168.100.126
| > | > | > NAS-Port-Type = Wireless - IEEE 802.11
| > | > | > NAS-Port = 29
| > | > | > Proxy-Policy-Name = Use Windows authentication for all users
| > | > | > Authentication-Provider = Windows
| > | > | > Authentication-Server = <undetermined>
| > | > | > Policy-Name = VPN
| > | > | > Authentication-Type = EAP
| > | > | > EAP-Type = <undetermined>
| > | > | > Reason-Code = 22
| > | > | > Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
| > | > | >
| > | > | > For more information, see Help and Support Center at
| > | > | > http://go.microsoft.com/fwlink/events.asp.
| > | > | >
| > | > | > It seems to be that Vista is sending that it wants to use EAP even though
| > | > | > it's configured to use PEAP.
| > | > | >
| > | > | > "Robert L [MVP - Networking]" wrote:
| > | > | >
| > | > | > > I would double check the remote Access Policy. This post may help,
| > | > | > >
| > | > | > > IAS Reason-Code = 65
| > | > | > >
| > | > | > > http://www.chicagotech.net/netforums/viewtopic.php?p=1711#1711
| > | > | > >
| > | > | > > Bob Lin, MS-MVP, MCSE & CNE
| > | > | > > Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
| > | > | > > How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
| > | > | > > "Paul Mckenna" <JazzyJ187@xxxxxxxxxxxxxxxx> wrote in message news:CB717348-F026-42B2-BED0-6AD0DAF42784@xxxxxxxxxxxxxxxx
| > | > | > > Hi,
| > | > | > >
| > | > | > > I've got a problem with Vista not connecting to our wireless network.
| > | > | > > Everything works great with XP, but on Vista, although Vista is configured to
| > | > | > > use PEAP, I get this error message on the server when the Vista PC tries to
| > | > | > > connect...
| > | > | > >
| > | > | > > User host/Paul07.domain.local was denied access.
| > | > | > > Fully-Qualified-User-Name = domain.local/Computers/PAUL07
| > | > | > > NAS-IP-Address = 192.168.100.126
| > | > | > > NAS-Identifier =
| > | > | > > Called-Station-Identifier = <not present>
| > | > | > > Calling-Station-Identifier = <not present>
| > | > | > > Client-Friendly-Name = 3com
| > | > | > > Client-IP-Address = 192.168.100.126
| > | > | > > NAS-Port-Type = Wireless - IEEE 802.11
| > | > | > > NAS-Port = 29
| > | > | > > Proxy-Policy-Name = Use Windows authentication for all users
| > | > | > > Authentication-Provider = Windows
| > | > | > > Authentication-Server = <undetermined>
| > | > | > > Policy-Name = Connections to other access servers
| > | > | > > Authentication-Type = EAP
| > | > | > > EAP-Type = <undetermined>
| > | > | > > Reason-Code = 65
| > | > | > > Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
| > | > | > >
| > | > | > > For more information, see Help and Support Center at
| > | > | > > http://go.microsoft.com/fwlink/events.asp.
| > | > | > >
| > | > | > > At the moment IAS is only configured to accept PEAP authentication. If I
| > | > | > > enable EAP (which I don't want to use) I get this message..
| > | > | > >
|
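
Added example, not part of the original thread: a small parser for IAS denial events like the two quoted above, so that the matched Policy-Name and Reason-Code of each denial can be compared side by side. The names `parse_event`, `summarize` and `SAMPLE` are introduced here, and the sample events are abridged copies of the quoted ones, constructed with the line wrapping that mail clients add.

```python
import re
from collections import Counter

# 'Name = value' lines; anything else continues the previous field's value.
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z-]*) =\s?(.*)$")

# Constructed sample: the thread's two denial events, abridged, including a
# wrapped value and an empty one.
SAMPLE = ["""User host/Paul07.domain.local was denied access.
 Fully-Qualified-User-Name = domain.local/Computers/PAUL07
 NAS-Identifier =
 Client-Friendly-Name = 3com
 NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name = Connections to other access servers
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 65
""", """User DOMAIN\\Paul was denied access.
 Fully-Qualified-User-Name = domain.local/Technical/Paul
 Mckenna
 Client-Friendly-Name = 3com
 NAS-Port-Type = Wireless - IEEE 802.11
 Policy-Name = VPN
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 22
 Reason = The client could not be authenticated because the
 Extensible Authentication Protocol (EAP) Type cannot be processed by the
 server.

 For more information, see Help and Support Center at
"""]

def parse_event(text):
    """Parse one event description into a dict of field name -> value."""
    raw = text.strip().splitlines()
    event, last = {"Summary": raw[0].strip()}, None
    for ln in raw[1:]:
        m = FIELD.match(ln)
        if not ln.strip():
            last = None                      # a blank line ends a wrapped value
        elif m:
            last = m.group(1)
            event[last] = m.group(2).strip()
        elif last:                           # wrapped continuation line
            event[last] = (event[last] + " " + ln.strip()).strip()
    return event

def summarize(texts):
    """Count denials per (RADIUS client, port type, matched policy, reason code)."""
    events = [parse_event(t) for t in texts]
    return Counter((e.get("Client-Friendly-Name"), e.get("NAS-Port-Type"),
                    e.get("Policy-Name"), e.get("Reason-Code")) for e in events)
```

Running `summarize(SAMPLE)` puts each wireless denial next to the remote access policy it matched, which is the field the replies in the thread suggest double-checking.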
