Re: 802.1X help needed



Most likely a configuration error.

Possibility #1: Check the Internet Authentication Service wireless
access policy. Be sure "Windows-Groups" is set to match a COMPUTER
group (my docs recommend Domain Computers) and _not_ a USER group (such
as Domain Users).

Possibility #2: Was the wireless GPO re-linked to the right place in
Active Directory? (You had unlinked it earlier.) The recommended
location is My Business\Computers. If the GPO is listed, right-click it
and ensure the pop-up menu says "Link Enabled."

If you need to re-link the GPO, you will also need to connect
hellknight WIRED to push out the GPO.

Possibility #3: In the wireless GPO on the "Edit <your SSID>
Properties" page, "IEEE 802.1x" tab - verify "Authenticate as guest
...." is UNchecked, "Authenticate as computer ..." is checked, and
"Computer Authentication" is set to "Computer only".

Also check the wireless configuration on hellknight to ensure it has
these settings. If not, the GPO is not being applied correctly.

Possibility #4: If none of the preceding is the cause, you need to
verify GPOs are being applied to hellknight. Check hellknight's event
logs to see if you are getting any GPO-related errors.

-- Owen Williams (SBS MVP)

In article <1165028822.027140.60510@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
ajj3085@xxxxxxxxxxxx says...
Ok, looking at the logs gives me some more info..

User host/hellknight.hellmouth.local was denied access.
Fully-Qualified-User-Name =
hellmouth.local/MyBusiness/Computers/SBSComputers/hellknight
NAS-IP-Address = 192.168.0.254
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-0F-3D-AA-09-5B
Client-Friendly-Name = di-634m.hellmouth.local
Client-IP-Address = 192.168.0.254
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access
permission for the user account was denied. To allow remote access,
enable remote access permission for the user account, or, if the user
account specifies that access is controlled through the matching remote
access policy, enable remote access permission for that remote access
policy.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

I thought the computer was being authenticated, so I don't know how I
can enable remote access for the computer account. Any ideas?
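
An added example, not part of the original thread: a small Python parser for the IAS event text quoted above. It re-joins wrapped values and reports the account type, the remote access policy that matched, and the attributes IAS logged as absent. The `expected_policy` argument and the name "Wireless Access Policy" are assumptions; substitute the name of your own wireless policy.

```python
import re

# Event text as quoted in the post above (some attributes trimmed).
SAMPLE_EVENT = """\
User host/hellknight.hellmouth.local was denied access.
Fully-Qualified-User-Name =
hellmouth.local/MyBusiness/Computers/SBSComputers/hellknight
NAS-Port-Type = <not present>
Policy-Name = Connections to other access servers
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access
permission for the user account was denied.

For more information, see Help and Support Center at
"""

FIELD = re.compile(r"^([A-Z][A-Za-z-]+) =\s*(.*)$")
HEADER = re.compile(r"^User (\S+) was (denied|granted) access\.")

def parse_ias_event(text):
    """Return a dict of attributes; wrapped values are re-joined."""
    fields, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            fields["User"], fields["Result"] = header.groups()
        elif field:
            current = field.group(1)
            fields[current] = field.group(2)
        elif not line:
            current = None          # a blank line ends the attribute list
        elif current:
            fields[current] = (fields[current] + " " + line).strip()
    # IAS logs missing attributes as <not present> or <undetermined>.
    return {k: (None if v.startswith("<") else v) for k, v in fields.items()}

def triage(fields, expected_policy):
    """expected_policy is a hypothetical name for the wireless policy."""
    return {
        "identity": "computer" if fields["User"].startswith("host/") else "user",
        "matched_policy": fields.get("Policy-Name"),
        "hit_expected_policy": fields.get("Policy-Name") == expected_policy,
        "reason_code": int(fields["Reason-Code"]),
        "absent": sorted(k for k, v in fields.items() if v is None),
    }

if __name__ == "__main__":
    print(triage(parse_ias_event(SAMPLE_EVENT), "Wireless Access Policy"))
```
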