Re: 802.1x authentication for wireless issues w/ ISA 2004
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 20 Apr 2007 14:05:20 -0400
I'm glad you figured it out.
Out of curiosity, if you go to the client PC's properties in AD, what's set
on the Dial-in page? Mine are all set to control access through Remote
Access Policy, which is presumably the default. I did not have to add that
"ignore" attribute in IAS.
On the group policy setting, I do have the Validate option checked, and it
points to my SBS. Also, the CA is checked in the trusted certification
authorities section. So it seems like maybe the GPO configuration was to
blame. But I still wonder why it stops working if you stop IAS from
ignoring the dial-in attribute.
By the way, thanks for the detailed update. This will definitely help if
anyone runs into a similar situation in the future.
"JP" <JP@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:419AA244-A705-43A3-97AC-20C6CBF2AACA@xxxxxxxxxxxxxxxx
Dear Dave and Owen,
Eureka!!!!!!
It finally works! I started reading about the authentication process of the
IAS server in "New features for IAS". Can't remember how I got forwarded
there, but at the end of this message I will paste all the links backwards
from there so you can see the process and other good bits of info along the
way. It was very helpful.
I also got some insight from the document I downloaded, "Configure Wireless
Networking on Windows Small Business Server 2003". This uses a different
process than yours but I was mainly looking for the similarities and the
setting of those parts. The only difference was in how the client looks at
the certificate. I'll explain later.
What I found was that the Remote Access Policy that we set up in IAS needs to
have an additional attribute added. So, when you use the "edit profile"
button for this policy, go to the advanced tab. There is an attribute that
was set up by the wizard called "Service Type" and then it shows it to be set
as Radius standard framed. This is fine, but IAS also needs to be set to
ignore the user's dial in property attribute. Otherwise it does not
process the access request properly. So click add and find the
"Ignore-User-Dialin-Properties" and set it to True.
In the "connection request policies" the default policy there is fine but
must be set to "Authenticate requests on this server" under its Edit Profile
area. When it is set to accept without authentication, that is what created
all the events I had previously mentioned about the logons and errors
returned from the WAP. (The name of this policy is what was appearing in the
Proxy-Policy name in the event logs I sent you previously.)
Next thing I did, which is what finally released the floodgates, was to go
back to the SBS group policy and make a change in the preferred network
settings. I noticed in the "Configuring wireless networ..." document that on
the EAP page they had a check to validate the server certificate, but they
did not list a server to connect to and they did not have a check in "connect
to these servers". Since IAS is on a different server than the domain
controller, maybe things were getting confused. Once I pushed this policy to
the client it connected. I went back and tried to remove the attribute we
added in IAS about the Ignore-Users-Dialin... and it killed the connection,
so it does seem to be a requirement.
When I look at the IAS log, I now see information that makes some sense. In
the log as you look across the line you can see the process. You see the
client IP that is trying to make the connection at the left, as you move
across you will see the name of your access point then later the name of the
Connection Request Policy (I changed the name of the default policy so it is
easy to spot). Then you see it looks at the Remote Access Policy next and
lists its name then you can see it uses a smart card or other cert. On the
next line it is all similar but instead of the WAP you see the IP of the IAS
server and then the same follows and the connection is made! Hopefully this
will help track future problems with other users.
I can't begin to thank both of you enough for taking the time to help me
with this frustrating problem. You always gave me good advice and your
comments always gave me ideas for new things to investigate.
--
Many thanks,
JP
Links from the end backwards of helpful docs:
New features for IAS
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true
Accepting a connection attempt
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true
Processing a connection request
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true
Connection request policies
http://technet2.microsoft.com/WindowsServer/en/library/32ac0173-a684-452c-af39-6fb9031141031033.mspx?mfr=true
Google search: default ias connection request policy
Led me to the link above
PS:
The SBS document told me to delete the default remote connection policies in
the IAS and only have the new one we created.
ISA settings are as described in Owen's instructions.
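
Added example, not part of the original posts: a log check for the condition JP describes, where a connection request policy accepts requests without authenticating them. It assumes the server writes IAS-format (comma-separated) logs, takes attribute IDs and value codes from Microsoft's IAS-format log documentation, and assumes an unauthenticated accept is recorded with Authentication-Type None; the sample records are constructed.

```python
import csv
import io

# IDs and value codes follow Microsoft's IAS-format log documentation.
HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name"]
ATTRS = {
    "4128": "Client-Friendly-Name",  # the access point (RADIUS client)
    "4155": "Proxy-Policy-Name",     # connection request policy that matched
    "4149": "NP-Policy-Name",        # remote access policy that matched
    "4127": "Authentication-Type",
    "4132": "EAP-Friendly-Name",     # e.g. smart card or other certificate
    "4136": "Packet-Type",
    "4142": "Reason-Code",
}
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject"}
AUTH_TYPE = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2",
             "5": "EAP", "7": "None"}

def parse_line(line):
    """Split one record into the six header fields plus named attributes."""
    fields = next(csv.reader(io.StringIO(line)))
    rec = dict(zip(HEADER, fields[:6]))
    pairs = fields[6:]  # the rest alternates attribute ID, value
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        if attr_id in ATTRS:
            rec[ATTRS[attr_id]] = value
    rec["Packet-Type"] = PACKET_TYPE.get(rec.get("Packet-Type"), rec.get("Packet-Type"))
    rec["Authentication-Type"] = AUTH_TYPE.get(rec.get("Authentication-Type"), rec.get("Authentication-Type"))
    return rec

def unauthenticated_accepts(lines):
    """Return records where access was granted with no authentication done."""
    return [r for r in map(parse_line, lines)
            if r.get("Packet-Type") == "Access-Accept"
            and r.get("Authentication-Type") == "None"]

# Constructed sample records: hosts, addresses and policy names are made up.
SAMPLE = [
    "192.0.2.10,host/pc01.example.local,04/20/2007,09:15:02,IAS,IAS01,4128,WAP-Office,4155,Wireless CRP,4149,Wireless Access,4127,5,4132,Smart Card or other certificate,4136,2,4142,0",
    "192.0.2.10,host/pc02.example.local,04/20/2007,09:16:40,IAS,IAS01,4128,WAP-Office,4155,Use Windows authentication for all users,4127,7,4136,2,4142,0",
    "192.0.2.10,host/pc03.example.local,04/20/2007,09:17:11,IAS,IAS01,4128,WAP-Office,4155,Wireless CRP,4149,Wireless Access,4127,5,4136,3,4142,16",
]

if __name__ == "__main__":
    for r in unauthenticated_accepts(SAMPLE):
        print(r["Record-Time"], r["Client-Friendly-Name"], r["Proxy-Policy-Name"], r["User-Name"])
```

Any record this returns names the connection request policy that let the request through, which is the policy to switch back to "Authenticate requests on this server".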