Q: WPA with EAP-TLS not working with IAS
Using a win2003 domain controller with IAS to authenticate wireless users. Certificate server configured to hand out workstation and user certificates automatically. AP is a Cisco 1200. Got nowhere until I manually added a certificate under current user/personal/certificates.

Then got this error from IAS:
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/1/2007
Time: 11:28:41 AM
User: N/A
Computer: TESTDC
Description:
User staff1@test.org was denied access.
Fully-Qualified-User-Name = test.org/Users/staff1
NAS-IP-Address = xxx.yyy.zzz.211
NAS-Identifier = 18001_testap
Called-Station-Identifier = 000d.bd6f.aac9
Calling-Station-Identifier = 000e.350b.9a5a
Client-Friendly-Name = testap
Client-IP-Address = xxx.yyy.zzz.211
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2208
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = wstaff
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Looked this up on the internet and discovered I should set the client to "always wait for the network at computer startup and login".
After making this change the IAS message is now:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/1/2007
Time: 12:03:28 PM
User: N/A
Computer: TESTDC
Description:
User host/HP-LAPTOP.test.org was denied access.
Fully-Qualified-User-Name = TESTHP-LAPTOP$
NAS-IP-Address = xxx.yyy.zzz.211
NAS-Identifier = 18001_testap
Called-Station-Identifier = 000d.bd6f.aac9
Calling-Station-Identifier = 000e.350b.9a5a
Client-Friendly-Name = testap
Client-IP-Address = xxx.yyy.zzz.211
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 2209
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.

So either the system tries to authenticate before I log in or after the cached login is finished. Any suggestions?
Thanks
rt
ASKED: May 1 2007  3:53 PM GMT
A:
Purely guessing here, but that's how a lot of troubleshooting starts... :-)

Do any of the logs (you ARE logging?) show the full user name? I've seen some cases where the user's name was prepended with their local machine name instead of standing alone or being prepended with the domain name.

Failing log info, then start sniffing the authentication traffic.

My gut instinct (especially when using IAS to pass through authentication credentials) is to suspect a Windows-like name issue. When you're doing stand-alone RADIUS, this is not seen as often.

Good luck,

Bob
Last Answered: May 3 2007  1:27 AM GMT by bobkberg   895 pts.
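Bob's suggestion is to look at what identity the logs actually carry. The question already contains two IAS Event ID 2 descriptions, one denied as staff1@test.org (Reason-Code 16) and one denied as host/HP-LAPTOP.test.org (Reason-Code 48), from the same Calling-Station-Identifier. The following Python is an added example, not code from the thread or from Microsoft: it parses that description text into fields, classifies the identity as a user or a computer account, and groups denials per wireless client so the "user first, then machine" sequence the question describes becomes visible. The two sample events are copied from the question; the classification rules (a host/ prefix or a trailing $ means the computer account authenticated) are my assumptions about how IAS renders these names.

```python
import re

# Regexes for the free-text Description of an IAS Event ID 2 entry.
USER_RE = re.compile(r"^User (?P<user>\S+) was denied access\.$", re.MULTILINE)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z-]+) = (?P<value>.*)$", re.MULTILINE)


def parse_ias_denial(description):
    """Turn one IAS access-denied Description into a dict.

    The 'User ... was denied access.' line goes under 'User'; every
    'Key = value' line below it goes under its own key.
    """
    match = USER_RE.search(description)
    if match is None:
        raise ValueError("not an IAS access-denied description")
    fields = {k: v.strip() for k, v in FIELD_RE.findall(description)}
    fields["User"] = match.group("user")
    return fields


def identity_kind(user, fqun):
    """Classify the authenticating identity (assumption, see lead-in).

    Computer authentication shows up as 'host/<fqdn>' in User and as a
    NAME$ style Fully-Qualified-User-Name; user authentication as a UPN
    (user@domain) or a domain/OU/user path.
    """
    if user.startswith("host/") or fqun.endswith("$"):
        return "machine"
    if "@" in user or "/" in fqun:
        return "user"
    return "unknown"


def diagnose(description):
    """Summarise one denial: who, why (reason code), which policy matched."""
    f = parse_ias_denial(description)
    policy = f.get("Policy-Name", "<undetermined>")
    return {
        "user": f["User"],
        "fqun": f["Fully-Qualified-User-Name"],
        "kind": identity_kind(f["User"], f["Fully-Qualified-User-Name"]),
        "reason_code": int(f["Reason-Code"]),
        "reason": f.get("Reason", "unknown reason"),
        "policy": None if policy == "<undetermined>" else policy,
        "eap_type": f.get("EAP-Type"),
        "station": f.get("Calling-Station-Identifier"),
    }


def by_station(descriptions):
    """Group denials per client MAC as (identity kind, reason code) in log order."""
    groups = {}
    for d in descriptions:
        s = diagnose(d)
        groups.setdefault(s["station"], []).append((s["kind"], s["reason_code"]))
    return groups


# Sample events, copied from the two log entries quoted in the question.
EVENT_USER = """Description:
User staff1@test.org was denied access.
Fully-Qualified-User-Name = test.org/Users/staff1
NAS-IP-Address = xxx.yyy.zzz.211
Calling-Station-Identifier = 000e.350b.9a5a
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = wstaff
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""

EVENT_MACHINE = """Description:
User host/HP-LAPTOP.test.org was denied access.
Fully-Qualified-User-Name = TESTHP-LAPTOP$
NAS-IP-Address = xxx.yyy.zzz.211
Calling-Station-Identifier = 000e.350b.9a5a
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
"""

if __name__ == "__main__":
    for event in (EVENT_USER, EVENT_MACHINE):
        s = diagnose(event)
        print(f"{s['station']}: {s['kind']:7} {s['user']:28} code {s['reason_code']} policy={s['policy']}")
    print(by_station([EVENT_USER, EVENT_MACHINE]))
```

Run it against the Description text of your own Event ID 2 entries (one string per event). A station whose denials alternate between "machine" and "user" identities, with a different Policy-Name each time, tells you the remote access policy is being evaluated against the computer account at startup and against the user account after logon, which is the split the question is asking about.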

astronomer   0 pts.  |   May 3 2007  11:51AM GMT

Bob:
Thanks for the suggestion. Since I posted this, I discovered IAS wasn’t bound to the server certificate for some reason. Removing and re-installing IAS didn’t help. I have just finished rebuilding the server from scratch and this problem seems to have gone away. This morning I will finish configuring the server and start another series of login attempts.
rt

 

astronomer   0 pts.  |   May 3 2007  12:58PM GMT

Bob:
It seems rebuilding the server fixed it. I have now logged in using an account in the test domain and got the right DHCP address. I was also able to ping the test domain DC by name.

I will continue my tests using other accounts and the guest login (this last account needs to be authenticated but doesn’t have to be encrypted; I don’t want to use certificates and want minimal configuration for guest laptops coming in); these don’t work yet.

The way I found the IAS problem was by: opening IAS, right-clicking on the remote access policy of interest, selecting properties, clicking edit profile, clicking the authentication tab, selecting the EAP Methods button, and clicking edit for smart card or other certificate. Now it shows certificate issued to testdc.test.org. Before, it couldn’t find a certificate.
