Re: 802.1x authentication for wireless issues w/ ISA 2004
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 20 Apr 2007 12:51:29 -0400
I have IAS installed on the SBS, exactly as in Owen's doc. I have a
separate RADIUS server (Cryptocard) installed on a member server for
2-factor authentication for VPN, but that one doesn't do anything on the LAN
or with wireless.

In the "Use Windows authentication for all users" policy (which is the only
policy in that section), I have "Authenticate requests on this server"
checked. I don't recall ever messing with this policy - if it's not in
Owen's doc, I didn't change it.

On the client PC, have you checked for auto-enrollment errors in the
application log? That would indicate a certificate problem, and normally if
you're going to have them, they'll appear shortly after login when connected
to the wired LAN. When I had everything configured properly but had a
certificate problem, IAS would log a warning for unknown username or bad
password - a warning, not an error, with event ID 2.

Where are you looking when you refer to RAS policies? All that's set in
ISA, right? For wireless, I didn't have to do anything in ISA other than to
disable the strict RPC compliance. That was technically a certificate
auto-enrollment issue rather than anything directly to do with IAS or the
wireless config.

"JP" <JP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AAB5EBC6-54AE-4D96-A76D-7A9D92337585@xxxxxxxxxxxxxxxx
> The wireless config on both laptops shows the same settings as were defined
> in the group policy for the preferred network section. I will start to look
> at the other fields that were troubling next.
>
> I found where "Proxy-Policy-Name = Use Windows authentication for all users"
> comes from. This is found in IAS under Connection Request Policies (not
> remote access policies). If I edit the name of this policy, then that is
> what shows up in the Proxy-Policy-Name field. When I edit the profile of
> this policy there are two options to choose from. One is to authenticate on
> this server and the other is to Accept users without validating credentials.
>
> If I select Authenticate on this server I will see an information event
> saying that an LDAP connection was established with AD. The authentication
> events stop and so do the error events from the WAP but still no connection.
>
> If I select the Accept without validation (the way I found it) the events
> start again and of course still no access.
>
> So, which one of these do you have checked, and if I go to the other server
> that has the RAS on it, what policies do you see listed under that "remote
> access policies" section? I don't see the policy I created on the IAS server
> computer listed here. When both IAS and RAS were on the same computer, the
> policies matched. Makes me think that the two are not communicating the way
> they should.
>
> Dave, do you have IAS installed on the SBS server and the second server, or
> just on the second server only? Mine is only on the second server and not on
> the SBS as well. SBS has only the RAS.
>
> I really apologize for all the trouble and I'm sorry to have been taking up
> so much of your time. I do feel like we are making slow and steady progress
> though and I am very grateful for all your advice.
> --
> Many thanks,
> JP
>
> "Owen Williams [SBS MVP]" wrote:
>> In article <F8B6D665-521C-4D5C-80E2-C7E19F211D0B@xxxxxxxxxxxxx>,
>> JP@xxxxxxxxxxxxxxxxxxxxxxxxx says...
>>> No errors in the group policy update.
>>
>> And you verified the wireless config on the two laptops is correct
>> (i.e., matches the GPO config), right?
>>
>>> I rebuilt my cert authority completely
>>> from scratch and the certs rolled out as expected. Still no wireless
>>> connection. Just the connect and reconnect over and over on two different
>>> laptops that are extremely different.
>>
>> If the wireless configs look correct, the fact the two laptops are
>> different (and I assume you mean different manufacturers/models/wireless
>> NICs) suggests we need to find a "common element." This would include:
>> * The WAP(s)
>> * The wired network (WAP <-> Switch <-> Servers)
>> * The server(s)
>> * IAS
>> * ISA [have you tried _temporarily_ disabling ISA?]
>>
>>> I was happy to see the event log you sent of a successful connection. I
>>> think this may hold the key.
>>
>> Me, too.
>>
>>> The part on my event that troubles me is below:
>>> Proxy-Policy-Name = Use Windows authentication for all users
>>
>> This is normal - it appears in all of the IAS "access granted" events I
>> have seen from working secure wireless networks. I thought I knew where
>> it was set but I can't find it after a quick look. (And I have never
>> had to explicitly set it.) I vaguely recall it may only be changeable
>> when ISA2000/04 is running and, since I don't use them, I am not seeing
>> any other choices. Regardless, the setting is correct and you should
>> not need to change it.
>>
>>> Authentication-Provider = <none>
>>> Authentication-Server = <undetermined>
>>> Policy-Name = <undetermined>
>>> Authentication-Type = <undetermined>
>>> EAP-Type = <undetermined>
>>
>> These are a problem - or at least suspicious - as my previous post
>> indicated.
>>
>>> Where is a proxy policy coming from? It seems like we are trying to only
>>> authenticate the computer and this is trying to authenticate the user and
>>> not very well at that.
>>
>> I believe the term "user" in the message is rather loose and also
>> applies to computers in this context.
>>
>> -- Owen Williams (SBS MVP)
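
Added example, not part of the thread: a small Python helper that parses the "Name = value" lines of an IAS event description, lists the attributes IAS left as <undetermined> or <none>, and diffs a failing event against a known-good one, which is the comparison the posters make by eye. The attribute names and the failing values are the ones quoted in the thread; the values in WORKING (server name, policy name, EAP type) are constructed placeholders.

```python
import re

# Placeholder values IAS prints for attributes it did not resolve
# (both forms appear in the event quoted in the thread).
UNRESOLVED = {"<undetermined>", "<none>"}
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")

def parse_event(text):
    """Turn the 'Name = value' lines of an IAS event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def unresolved(fields):
    """Names of attributes whose value is an IAS placeholder."""
    return sorted(k for k, v in fields.items() if v in UNRESOLVED)

def diff_events(good, bad):
    """Attributes whose values differ between a working and a failing event."""
    keys = sorted(set(good) | set(bad))
    return {k: (good.get(k), bad.get(k)) for k in keys if good.get(k) != bad.get(k)}

# Failing event: attribute lines as quoted in the thread.
FAILING = """\
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = <none>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
"""
# Working event: constructed sample values, not taken from the thread.
WORKING = """\
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = ias01.example.local
Policy-Name = Wireless access (constructed)
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
"""

if __name__ == "__main__":
    bad, good = parse_event(FAILING), parse_event(WORKING)
    print("unresolved:", ", ".join(unresolved(bad)))
    for name, (g, b) in diff_events(good, bad).items():
        print(f"{name}: working={g!r} failing={b!r}")
```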