Re: 802.1x authentication for wireless issues w/ ISA 2004



Dear Dave and Owen,

Eureka!!!!!!

It finally works! I started reading about the authentication process of the
IAS server in "New features for IAS". Can't remember how I got forwarded
there, but at the end of this message I will paste all the links backwards
from there so you can see the process and other good bits of info along the
way. It was very helpful.

I also got some insight from the document I downloaded, "Configure Wireless
Networking on Windows Small Business Server 2003". This uses a different
process than yours, but I was mainly looking for the similarities and the
setting of those parts. The only difference was in how the client looks at
the certificate. I'll explain later.

What I found was that the Remote Access Policy that we set up in IAS needs to
have an additional attribute added. So, when you use the "edit profile"
button for this policy, go to the advanced tab. There is an attribute that
was set up by the wizard called "Service Type" and then it shows it to be set
as Radius standard framed. This is fine, but IAS also needs to be set
to ignore the user's dial in property attribute. Otherwise it does not
process the access request properly. So click add and find the
"Ignore-User-Dialin-Properties" and set it to True.

In the "connection request policies", the default policy there is fine but
must be set to "Authenticate requests on this server" under its Edit Profile
area. When it is set to accept without authentication, that is what created
all the events I had previously mentioned about the logons and errors
returned from the WAP. (The name of this policy is what was appearing in the
Proxy-policy name in the event logs I sent you previously.)

Next thing I did, which is what finally released the floodgates, was to go
back to the SBS group policy and make a change in the preferred network
settings. I noticed in the "Configuring wireless networ..." document that on
the EAP page they had a check to validate the server certificate, but they
did not list a server to connect to and they did not have a check in "connect
to these servers". Since IAS is on a different server than the domain
controller, maybe things were getting confused. Once I pushed this policy to
the client it connected. I went back and tried to remove the attribute we
added in IAS about the Ignore-Users-Dialin... and it killed the connection,
so it does seem to be a requirement.

When I look at the IAS log, I now see information that makes some sense. In
the log, as you look across the line, you can see the process. You see the
client IP that is trying to make the connection at the left; as you move
across you will see the name of your access point, then later the name of the
Connection Request Policy (I changed the name of the default policy so it is
easy to spot). Then you see it looks at the Remote Access Policy next and
lists its name, then you can see it uses a smart card or other cert. On the
next line it is all similar, but instead of the WAP you see the IP of the IAS
server and then the same follows and the connection is made! Hopefully this
will help track future problems with other users.

I can't begin to thank both of you enough for taking the time to help me
with this frustrating problem. You always gave me good advice and your
comments always gave me ideas for new things to investigate.

--
Many thanks,

JP

Links from the end backwards of helpful docs:

New features for IAS
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true

Accepting a connection attempt
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true

Processing a connection request
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true

Connection request policies
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true

Google search: default ias connection request policy
Led me to the link above

PS:
The SBS document told me to delete the default remote connection policies in
the IAS and only have the new one we created.

ISA settings are as described in Owen's instructions.




