Re: SBS Wireless policy
- From: Owen Williams [SBS MVP] <Owen@xxxxxxxxxxxxxxxxxx>
- Date: Wed, 20 Dec 2006 00:09:49 -0500
In article <1166574189.226423.184030@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>, ajj3085@alum.rit.edu says...
See @ end ...
Tried a bit of experimenting. I was able to get IAS to auth my laptop,
but NOT how it should be authed.
Here's what I did. I went to the last policy, 'Connections to other
access servers.' I clicked Edit Profile, went to the authentication
tab and deselected everything. I clicked EAP Methods and added Smart
card or cert, and selected the certificate as I did per your
instructions. I clicked OK until I was back at the Connections to
other access servers Properties window, and selected GRANT remote
access permission.
I then set up the WAP to use WPA-EAP and the RADIUS server. Finally, I
enabled the wireless connection on the laptop and success! There are
some oddities in the success log though, which I think is the problem
I'm hitting setting things up the 'right' way. Here's the success log
(note the not present values for some key fields):
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 12/19/2006
Time: 7:14:39 PM
User: N/A
Computer: VORTEX
Description:
User host/hellknight.hellmouth.local was granted access.
Fully-Qualified-User-Name =
hellmouth.local/MyBusiness/Computers/SBSComputers/hellknight
NAS-IP-Address = 192.168.0.254
NAS-Identifier = <not present>
Client-Friendly-Name = di-634m
Client-IP-Address = 192.168.0.254
Calling-Station-Identifier = 00-0F-3D-AA-09-5B
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Can it be that for some reason IAS isn't recognizing the WAP as a
wireless device? Any other ideas?
I think this confirms that something is wacky with the way IAS is
working, and not the certificates. Before I changed the Authentication
tab I just set the policy to Grant access, and access was still denied.
That's when it occurred to me to set up the Authentication tab as I
would in the proper policy... and it worked.
I agree IAS isn't recognizing the WAP. Or, more correctly, that the WAP is
probably not providing IAS with criteria which will match the Wireless policy.
In other words, I'm more inclined to suspect a problem with the WAP than with
IAS. For example, the WAP's implementation of the RADIUS protocols may not be
100% standard. Too bad there are no "D-Link" entries in that drop-down which
normally specifies "RADIUS Standard" ...
Your modification works because the final policy _always_ matches, so that
policy is applied. Essentially, you found a way to get around the failure to
match the correct policy. At that point, the authentication methods are
applied, and - since you can connect - those appear to be configured correctly,
which confirms what you have been saying about diligently checking all of
those settings. [FYI, for the authentication stuff the WAP acts only as a
middleman, just passing packets between the wireless client and the SBS.]
So, bottom line, I'm inclined to suspect an issue with the D-Link. Your
fleeting success with the previous WAP may indicate (speculating here) that WAP
was OK (at least in a RADIUS sense) but that another item in the configuration
was off, which you have since corrected.
The down side of what you've done is that authentication is now based only on
the certs and not on the computer account being in Domain Computers. In other
words, you've gone from two-factor to one-factor authentication. Since these
are certs rather than passwords, that's probably not a show stopper, but it is
somewhat less secure and something to think about. For example, if your laptop
was lost or stolen could the certs be moved to a different device (which does
not have an account on your SBS)?
-- Owen Williams [SBS MVP]
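
A log check for the situation discussed in this message, as an added example (not part of the original post and not Microsoft code): it parses an IAS event description, flags a grant made by the catch-all policy, and reports attributes the access point did not send. The sample text is constructed from the event quoted above; treating NAS-Port-Type as the attribute the wireless policy matches on is an assumption.

```python
import re

# Constructed sample, laid out like the IAS "granted access" event quoted in the thread.
SAMPLE_EVENT = """\
User host/hellknight.hellmouth.local was granted access.
Fully-Qualified-User-Name =
hellmouth.local/MyBusiness/Computers/SBSComputers/hellknight
NAS-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = <not present>
Policy-Name = Connections to other access servers
EAP-Type = Smart Card or other certificate
"""

# Assumptions: the catch-all policy carries the name shown in the log, and the
# wireless policy needs NAS-Port-Type from the access point in order to match.
CATCH_ALL_POLICY = "Connections to other access servers"
REQUIRED_FOR_WIRELESS = ("NAS-Port-Type",)
ABSENT = {"<not present>", "<undetermined>", ""}

def parse_ias_event(description):
    """Return (outcome, attrs); a value wrapped onto the next line is rejoined."""
    m = re.search(r"was (granted|denied) access", description)
    attrs, pending = {}, None
    for line in description.splitlines():
        kv = re.match(r"^\s*([A-Za-z][\w-]*) =\s*(.*)$", line)
        if kv:
            name, value = kv.group(1), kv.group(2).strip()
            attrs[name] = value
            pending = None if value else name
        elif pending and line.strip():
            attrs[pending] = line.strip()
            pending = None
    return (m.group(1) if m else None), attrs

def audit(description):
    """List reasons this event deserves a second look; empty list means none."""
    outcome, attrs = parse_ias_event(description)
    findings = []
    if outcome == "granted" and attrs.get("Policy-Name") == CATCH_ALL_POLICY:
        findings.append("granted by catch-all policy: " + CATCH_ALL_POLICY)
    for name in REQUIRED_FOR_WIRELESS:
        if attrs.get(name, "") in ABSENT:
            findings.append("attribute not sent by NAS: " + name)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENT):
        print(finding)
```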