Re: SBS Wireless policy



I have a few ideas I can run by you that may or may not help. Referring
back to Owen's document:

You need to make changes in the ISA RPC settings to allow certificate
enrollment on the client PC (laptop). Also, auto-enrollment needs to happen
when the client PC is connected to the wired network. The laptop obviously
needs the correct certificate installed before it can connect successfully
over wireless, and your laptop appears not to have the cert. This alone
will prevent a successful connection. Auto-enrollment should log a success
shortly after you connect to the wired network and log in.

Your EAP type should not be "undetermined"; it should be "Smart Card or
other certificate." I'm not sure if this is because the connection is
failing, or if it's a configuration thing in your IAS Remote Access Policy.
Again, verify your settings against the document - this setting is in the
entry you created under "Remote Access Policy" in IAS.

I'm not sure why you're getting an error referring to the user account
settings. With Owen's method, it's the client PC that is authenticating to
IAS - it'll actually connect even if you just start the computer without
ever attempting to log into a user account. Still, I'd go into AD Users and
Computers and check the remote (dial-in) settings for the laptop, the user
account, and the SBS. All should be set to "Control access through Remote
Access Policy."

I'm not sure you're going to be able to use WPA and AES. This would be a
question for Owen, but anyway it only works if WPA with AES is supported
throughout all your hardware and software. If all else fails, I would try
WPA and TKIP to see if that changes anything. You'll have to change this in
both the WAP and in the wireless GPO, plus possibly somewhere else I'm
forgetting. I tried to use WPA with AES and ran into failed connection
issues that I believe were caused by my WAP not supporting that exact
configuration (I believe the WPA standard technically calls for TKIP, and
that WPA2 is required for AES, but that some access points support it either
way. Mine apparently does not).

If you get the certificate to enroll properly and still can't connect after
that and verifying the settings in AD, please go through the document
carefully and verify that all your settings match. Post back with anything
you have questions about.



"Andy" <ajj3085@xxxxxxxxxxxx> wrote in message
news:1165458122.750729.232070@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm using the document Owen wrote (Configuring Secure Wireless Network
Access with Microsoft® Windows® Small Business Server 2003) and I'm
having problems.

I have a Linksys router connected to my cable modem. My SBS server
(vortex) is connected to the other wired computers through the Linksys.
In addition, I have a DI-634M router, being used as just an access
point.

I've configured everything as per the document, but I'm having
problems. I had tried before using WEP but now I'm using WPA and AES
encryption with the new access point. I had uninstalled Certificate
Authority and IAS and deleted all group policy objects and started over
after getting the new access point up and running and started from
scratch.

Vortex is the SBS server, hellknight is the laptop, di-634m is the
access point.

The message on the server is from IAS:
User host/hellknight.hellmouth.local was denied access.
Fully-Qualified-User-Name =
hellmouth.local/MyBusiness/Computers/SBSComputers/hellknight
NAS-IP-Address = 192.168.0.254
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-0F-3D-AA-09-5B
Client-Friendly-Name = di-634m
Client-IP-Address = 192.168.0.254
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access
permission for the user account was denied. To allow remote access,
enable remote access permission for the user account, or, if the user
account specifies that access is controlled through the matching remote
access policy, enable remote access permission for that remote access
policy.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Here are logs from the laptop (hellknight):

Userenv:
Windows cannot obtain the domain controller name for your computer
network. (The specified domain either does not exist or could not be
contacted. ). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Autoenrollment:
Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b). The specified domain either does not
exist or could not be contacted.
Enrollment will not be performed.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Any ideas what might be wrong? Any settings that could be stopping the
server from being found? My SBS server is also my primary DNS and DHCP
server for the clients (and I think SBS uses itself as a DNS server as
well).

Thanks
Andy
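
Added example (not part of either post and not from Owen's document): a Python parser for the IAS denial event quoted above, which folds the wrapped field values and applies the checks the reply suggests. The policy name "Wireless Access" and the function names are assumptions for illustration; the sample event is abridged from the post.

```python
import re

# Constructed sample: abridged from the IAS event quoted in the post above.
IAS_EVENT = """\
User host/hellknight.hellmouth.local was denied access.
Fully-Qualified-User-Name =
hellmouth.local/MyBusiness/Computers/SBSComputers/hellknight
Client-Friendly-Name = di-634m
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access
permission for the user account was denied.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z-]*) =\s?(.*)$")

def parse_ias_event(text):
    """Return {field: value}, folding wrapped lines into the field above them."""
    fields, last = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif not line.strip():
            last = None          # blank line ends the field list
        elif last:
            fields[last] = (fields[last] + " " + line.strip()).strip()
    return fields

def triage(fields, expected_policy):
    """Apply the reply's checks; expected_policy is an assumed policy name."""
    findings = []
    if fields.get("EAP-Type") == "<undetermined>":
        findings.append("EAP-Type undetermined; should be 'Smart Card or other certificate'")
    if fields.get("Reason-Code") == "65":
        findings.append("Reason-Code 65; check dial-in is 'Control access through Remote Access Policy'")
    if fields.get("Policy-Name") != expected_policy:
        findings.append("matched policy %r, not %r" % (fields.get("Policy-Name"), expected_policy))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_ias_event(IAS_EVENT), "Wireless Access"):
        print(finding)
```

The third finding reports which remote access policy IAS actually matched, so it can be compared with the entry created under "Remote Access Policy" when following the document.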

