Re: 802.1x authentication for wireless issues w/ ISA 2004



The wireless config on both laptops shows the same settings as were defined in
the group policy for the preferred network section. I will start to look at
the other fields that were troubling next.

I found where "Proxy-Policy-Name = Use Windows authentication for all users"
comes from. This is found in IAS under Connection Request Policies (not
remote access policies). If I edit the name of this policy, then that is
what shows up in the Proxy-Policy-Name field. When I edit the profile of
this policy there are two options to choose from. One is to authenticate on
this server and the other is to Accept users without validating credentials.
If I select Authenticate on this server I will see an information event
saying that an LDAP connection was established with AD. The authentication
events stop and so do the error events from the WAP but still no connection.
If I select the Accept without validation (the way I found it) the events
start again and of course still no access.

So, which one of these do you have checked, and if I go to the other server
that has the RAS on it, what policies do you see listed under that "remote
access policies" section? I don't see the policy I created on the IAS server
computer listed here. When both IAS and RAS were on the same computer, the
policies matched. Makes me think that the two are not communicating the way
they should.

Dave, do you have IAS installed on the SBS server and the second server, or
just on the second server only? Mine is only on the second server and not on
the SBS as well. SBS has only the RAS.

I really apologize for all the trouble and I'm sorry to have been taking up
so much of your time. I do feel like we are making slow and steady progress
though and I am very grateful for all your advice.
--
Many thanks,

JP


"Owen Williams [SBS MVP]" wrote:

In article <F8B6D665-521C-4D5C-80E2-C7E19F211D0B@xxxxxxxxxxxxx>,
JP@xxxxxxxxxxxxxxxxxxxxxxxxx says...

No errors in the group policy update.

And you verified the wireless config on the two laptops is correct
(i.e., matches the GPO config), right?

I rebuilt my cert authority completely
from scratch and the certs rolled out as expected. Still no wireless
connection. Just the connect and reconnect over and over on two different
laptops that are extremely different.

If the wireless configs look correct, the fact the two laptops are
different (and I assume you mean different manufacturers/models/wireless
NICs) suggests we need to find a "common element." This would include:

* The WAP(s)
* The wired network (WAP <-> Switch <-> Servers)
* The server(s)
* IAS
* ISA [have you tried _temporarily_ disabling ISA?]

I was happy to see the event log you sent of a successful connection. I
think this may hold the key.

Me, too.

The part on my event that troubles me is below:

Proxy-Policy-Name = Use Windows authentication for all users

This is normal - it appears in all of the IAS "access granted" events I
have seen from working secure wireless networks. I thought I knew where
it was set but I can't find it after a quick look. (And I have never
had to explicitly set it.) I vaguely recall it may only be changeable
when ISA2000/04 is running and, since I don't use them, I am not seeing
any other choices. Regardless, the setting is correct and you should
not need to change it.

Authentication-Provider = <none>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>

These are a problem - or at least suspicious - as my previous post
indicated.

Where is a proxy policy coming from? It seems like we are trying to only
authenticate the computer and this is trying to authenticate the user and not
very well at that.

I believe the term "user" in the message is rather loose and also
applies to computers in this context.

-- Owen Williams (SBS MVP)
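
As an added example (not code from any poster in this thread): a Python sketch that parses the "Name = value" lines of an IAS event description and lists the fields still showing <none> or <undetermined>, the pattern discussed above. The function names and the second sample event are constructed for illustration.

```python
import re

# Fields the thread flags as suspicious when they carry no resolved value.
WATCHED = ("Authentication-Provider", "Authentication-Server", "Policy-Name",
           "Authentication-Type", "EAP-Type")
UNRESOLVED = {"<none>", "<undetermined>"}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")

def parse_event(text):
    """Return the 'Name = value' pairs of an event description as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage(text):
    """Report which policy matched and which watched fields never resolved."""
    fields = parse_event(text)
    missing = [n for n in WATCHED if fields.get(n, "<undetermined>").lower() in UNRESOLVED]
    return {
        "proxy_policy": fields.get("Proxy-Policy-Name"),
        "unresolved": missing,
        # Thread pattern: proxy policy named, all watched fields unresolved.
        "matches_thread_pattern": "Proxy-Policy-Name" in fields
                                  and len(missing) == len(WATCHED),
    }

# Field values as quoted in the thread.
FAILING_EVENT = """\
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = <none>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
"""

# Constructed sample with every field resolved; values are illustrative only.
RESOLVED_EVENT = """\
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = SERVER2
Policy-Name = Wireless access (constructed)
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
"""
if __name__ == "__main__":
    print(triage(FAILING_EVENT))
```

Running the same function over events exported before and after a policy change makes it easy to see whether any of the watched fields started resolving.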
