Re: 802.1x authentication for wireless issues w/ ISA 2004
- From: Owen Williams [SBS MVP] <Owen@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Apr 2007 21:52:08 -0400
In article <419AA244-A705-43A3-97AC-20C6CBF2AACA@xxxxxxxxxxxxx>,
JP@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> JP: Sorry to take so long to respond. My clients have been keeping me hopping
> for the past few days.
> It finally works! I started reading about the authentication process of the
> IAS server in "New features for IAS". Can't remember how I got forwarded
> there, but at the end of this message I will paste all the links backwards
> from there so you can see the process and other good bits of info along the
> way. It was very helpful.
Congratulations! I echo Dave's thanks for providing the details of what you
found, although I'm still thinking through whether _all_ the changes are
relevant to the problems you had. (See below for more info.)
> I also got some insight from the document I downloaded, "Configure Wireless
> Networking on Windows Small Business Server 2003". This uses a different
> process than yours, but I was mainly looking for the similarities and the
> setting of those parts. The only difference was in how the client looks at
> the certificate. I'll explain later.
Nothing proprietary about the process I document, that's for sure!
> What I found was that the Remote Access Policy that we set up in IAS needs to
> have an additional attribute added. So, when you use the "edit profile"
> button for this policy, go to the advanced tab. There is an attribute that
> was set up by the wizard called "Service Type", and it shows it to be set
> as Radius standard framed. This is fine, but IAS also needs to be set
> to ignore the user's dial-in property attribute. Otherwise it does not
> process the access request properly. So click add, find
> "Ignore-User-Dialin-Properties" and set it to True.
On my own SBS, Ignore-User-Dialin-Properties was set as you describe. (But I
don't recall setting it!) However, on a client's SBS, it was NOT set and
secure wireless has been working fine for 16 months. (Keep in mind neither of
these uses ISA.)
So, on my SBS I removed everything except the Policy Wizard's Wireless
selection of Service-Type (i.e., the default) and saved the modified policy. I
then disabled my wireless NIC, re-enabled it and ... it immediately associated,
authenticated, and connected to the LAN - no problem.
Like Dave, the Computer accounts (and User accounts, though they are not really
relevant here) on the servers I checked have Dial-in set to use whatever is in
the remote access policy.
That said, Dave and I - and the vast majority of folks using the configuration
- are running IAS on the SBS, not on another server. So, I'm wondering whether
that's why Ignore-User-Dialin-Properties may be relevant to you but not to us.
(I'm still pondering this, taking into consideration your later post with the
additional info about what the setting does.)
> In the "connection request policies", the default policy there is fine but
> must be set to "Authenticate requests on this server" under its Edit Profile
> area.
The servers I've configured are set to "Authenticate requests on this server",
which I believe is the default.
> The next thing I did, which is what finally released the floodgates, was to go
> back to the SBS group policy and make a change in the preferred network
> settings. I noticed in the "Configuring wireless networ..." document that on
> the EAP page they had a check to validate the server certificate, but they
> did not list a server to connect to and they did not have a check in "connect
> to these servers". Since IAS is on a different server than the domain
> controller, maybe things were getting confused. Once I pushed this policy to
> the client it connected.
According to the help pop-up for "Connect to these servers", "the server name
specified must exactly match the server name on the certificate." (Specifying
this rather than leaving it blank was one of my additions to the config; it
reduces the possibility that the wireless computer will connect to a bogus
server.) You should check whether the server name on the cert (usually the
FQDN of the SBS) you are using matches what you originally typed in this field.
> I went back and tried to remove the attribute we
> added in IAS about the Ignore-Users-Dialin... and it killed the connection,
> so it does seem to be a requirement.
Perhaps; still thinking about this.
> When I look at the IAS log, I now see information that makes some sense. In
> the log, as you look across the line you can see the process. You see the
> client IP that is trying to make the connection at the left; as you move
> across you will see the name of your access point, then later the name of the
> Connection Request Policy (I changed the name of the default policy so it is
> easy to spot). Then you see it looks at the Remote Access Policy next and
> lists its name, then you can see it uses a smart card or other cert. On the
> next line it is all similar, but instead of the WAP you see the IP of the IAS
> server, and then the same follows and the connection is made!
Yes, the IAS logs are useful, once they have something in them! ;-)
> Hopefully this will help track future problems with other users.
Definitely. The ISA2004 bug which forces IAS to be run on a different server
has not been a frequent problem, but when it occurs it has been frustratingly
difficult to solve. You've found a configuration which works.
> I can't begin to thank both of you enough for taking the time to help me
> with this frustrating problem. You always gave me good advice and your
> comments always gave me ideas for new things to investigate.
I think you've done most of the work here, but you're welcome anyway!
-- Owen Williams [SBS MVP]
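The way JP reads an IAS log line across (client, access point, connection request policy, remote access policy, outcome) can be automated so that rejected 802.1x attempts stand out. The parser below is an added example, not code from this thread: the log lines are constructed, and the IAS-format attribute ids it maps (4128, 4136, 4142, 4149, 4154) are assumed to be the standard ones from the IAS log-format documentation.

```python
"""Added example: summarize IAS-format RADIUS log lines per client.
Sample lines are constructed; attribute ids are assumed to be the standard IAS ones."""
from collections import defaultdict

# IAS format: six fixed fields, then id=value attribute pairs.
FIXED = ("nas_ip", "user", "date", "time", "service", "computer")
ATTR = {                          # IAS log attribute ids (assumed standard)
    "4128": "client",             # Client-Friendly-Name: the access point
    "4136": "packet_type",        # Packet-Type: 1 Request, 2 Accept, 3 Reject, 11 Challenge
    "4142": "reason",             # Reason-Code: 0 = success
    "4149": "rap",                # Policy-Name: remote access policy that matched
    "4154": "crp",                # Proxy-Policy-Name: connection request policy
}
PACKET = {"1": "Access-Request", "2": "Access-Accept",
          "3": "Access-Reject", "11": "Access-Challenge"}

SAMPLE = """\
192.168.1.20,host/laptop1.example.local,04/23/2007,21:40:11,IAS,IASSRV,4128=Office WAP,4136=1,4154=Wireless CRP
192.168.1.20,host/laptop1.example.local,04/23/2007,21:40:11,IAS,IASSRV,4136=11,4154=Wireless CRP,4149=Wireless Access
192.168.1.20,host/laptop1.example.local,04/23/2007,21:40:12,IAS,IASSRV,4136=2,4142=0,4154=Wireless CRP,4149=Wireless Access
192.168.1.20,host/laptop2.example.local,04/23/2007,21:41:02,IAS,IASSRV,4128=Office WAP,4136=1,4154=Wireless CRP
192.168.1.20,host/laptop2.example.local,04/23/2007,21:41:02,IAS,IASSRV,4136=3,4142=48,4154=Wireless CRP
"""

def parse_line(line):
    """Return a dict of the fixed fields plus the attributes we care about."""
    fields = line.rstrip("\n").split(",")
    if len(fields) < 6:
        return None                       # not an IAS-format record
    rec = dict(zip(FIXED, fields[:6]))
    for pair in fields[6:]:
        key, _, value = pair.partition("=")
        if key in ATTR:
            rec[ATTR[key]] = value
    rec["packet"] = PACKET.get(rec.get("packet_type", ""), "Other")
    return rec

def summarize(lines):
    """Group records by (user, NAS) and report the chain read across a line:
    access point -> connection request policy -> remote access policy -> outcome."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sessions[(rec["user"], rec["nas_ip"])].append(rec)
    def first(recs, key):
        return next((r[key] for r in recs if key in r), None)
    return {k: {"client": first(v, "client"), "crp": first(v, "crp"),
                "rap": first(v, "rap"), "result": v[-1]["packet"],
                "reason": v[-1].get("reason")} for k, v in sessions.items()}

def rejects(lines):
    """Sessions that ended in Access-Reject, with their reason code."""
    return {k: s["reason"] for k, s in summarize(lines).items()
            if s["result"] == "Access-Reject"}
```

A session that is rejected before any remote access policy name appears (rap is None) points at the connection request or policy-matching stage rather than at the certificate check, which is the distinction JP was trying to make from the raw log.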