WPA with EAP-TLS not working with IAS

Tags: Active Directory, Software, Wireless
Using win2003 domain controller with IAS to authenticate wireless users. Certificate server configured to hand out workstation and user certificates automatically. AP is cisco 1200. Got nowhere until I manually added a certificate under current user/personal/certificates. Then got this error from IAS:

    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 5/1/2007
    Time: 11:28:41 AM
    User: N/A
    Computer: TESTDC
    Description: User staff1@test.org was denied access.
    Fully-Qualified-User-Name = test.org/Users/staff1
    NAS-IP-Address = xxx.yyy.zzz.211
    NAS-Identifier = 18001_testap
    Called-Station-Identifier = 000d.bd6f.aac9
    Calling-Station-Identifier = 000e.350b.9a5a
    Client-Friendly-Name = testap
    Client-IP-Address = xxx.yyy.zzz.211
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 2208
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = wstaff
    Authentication-Type = EAP
    EAP-Type = Smart Card or other certificate
    Reason-Code = 16
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Looked this up on the internet and discovered I should set the client to "always wait for the network at computer startup and login". After making this change the IAS message is now:

    Event Type: Warning
    Event Source: IAS
    Event Category: None
    Event ID: 2
    Date: 5/1/2007
    Time: 12:03:28 PM
    User: N/A
    Computer: TESTDC
    Description: User host/HP-LAPTOP.test.org was denied access.
    Fully-Qualified-User-Name = TESTHP-LAPTOP$
    NAS-IP-Address = xxx.yyy.zzz.211
    NAS-Identifier = 18001_testap
    Called-Station-Identifier = 000d.bd6f.aac9
    Calling-Station-Identifier = 000e.350b.9a5a
    Client-Friendly-Name = testap
    Client-IP-Address = xxx.yyy.zzz.211
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 2209
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 48
    Reason = The connection attempt did not match any remote access policy.

So either the system tries to authenticate before I log in or after the cached login is finished. Any suggestions? Thanks, rt
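The two IAS events in the question are the main evidence available when troubleshooting EAP-TLS against IAS, so as an added example (not code from the question or from Microsoft) here is a small parser for the Description field of an IAS Event ID 2 entry. It splits the run-together "Name = value" attributes into a dictionary, then summarises each attempt: which identity was presented, whether it is a user or a computer account (computer accounts present a host/ identity and a $-suffixed name, which is what the second event shows), which policy matched, and the Reason-Code. The two sample descriptions are constructed from the events quoted above; the hint table is the example author's interpretation and covers only the two codes on this page.

```python
"""Parse the Description field of an IAS Event ID 2 ("denied access") entry
into attributes and summarise why the attempt was rejected.

Added example, not code from the question or from Microsoft. The sample
descriptions are constructed from the two events quoted in the question.
"""
import re

# Constructed samples: the two event descriptions from the question, with the
# attribute list on a single line as the event text was pasted there.
EVENT_USER = (
    "User staff1@test.org was denied access. "
    "Fully-Qualified-User-Name = test.org/Users/staff1 "
    "NAS-IP-Address = xxx.yyy.zzz.211 NAS-Identifier = 18001_testap "
    "Called-Station-Identifier = 000d.bd6f.aac9 "
    "Calling-Station-Identifier = 000e.350b.9a5a "
    "Client-Friendly-Name = testap Client-IP-Address = xxx.yyy.zzz.211 "
    "NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 2208 "
    "Proxy-Policy-Name = Use Windows authentication for all users "
    "Authentication-Provider = Windows Authentication-Server = <undetermined> "
    "Policy-Name = wstaff Authentication-Type = EAP "
    "EAP-Type = Smart Card or other certificate Reason-Code = 16 "
    "Reason = Authentication was not successful because an unknown user name "
    "or incorrect password was used."
)
EVENT_MACHINE = (
    "User host/HP-LAPTOP.test.org was denied access. "
    "Fully-Qualified-User-Name = TESTHP-LAPTOP$ "
    "NAS-IP-Address = xxx.yyy.zzz.211 NAS-Identifier = 18001_testap "
    "Called-Station-Identifier = 000d.bd6f.aac9 "
    "Calling-Station-Identifier = 000e.350b.9a5a "
    "Client-Friendly-Name = testap Client-IP-Address = xxx.yyy.zzz.211 "
    "NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 2209 "
    "Proxy-Policy-Name = Use Windows authentication for all users "
    "Authentication-Provider = Windows Authentication-Server = <undetermined> "
    "Policy-Name = <undetermined> Authentication-Type = EAP "
    "EAP-Type = <undetermined> Reason-Code = 48 "
    "Reason = The connection attempt did not match any remote access policy."
)

# Reason texts as they appear in the two events above.
REASON_TEXT = {
    16: "unknown user name or incorrect password",
    48: "the connection attempt did not match any remote access policy",
}

# Troubleshooting hints for the two codes; this interpretation is the example
# author's, drawn from the question and its replies, not an official table.
HINTS = {
    16: "identity/credential rejected: check that the presented certificate maps "
        "to the account and that IAS has its own server certificate bound",
    48: "no policy matched: check that a remote access policy's conditions "
        "(e.g. Windows-Groups) cover this kind of account",
}

# An attribute is "Name = value"; a value runs until the next "Name = " or the
# end of the text, so values containing spaces (policy names, port types) survive.
_ATTR = re.compile(r"([A-Za-z][A-Za-z-]*) = (.*?)(?= [A-Za-z][A-Za-z-]* = |$)")
_HEADER = re.compile(r"^User (\S+) was denied access\.\s*")


def parse_ias_event(description: str) -> dict:
    """Return {'Identity': <presented identity>, <attribute>: <value>, ...}."""
    m = _HEADER.match(description)
    if not m:
        raise ValueError("not an IAS 'denied access' description")
    attrs = {"Identity": m.group(1)}
    for name, value in _ATTR.findall(description[m.end():]):
        attrs[name] = value.strip()
    return attrs


def summarize(description: str) -> dict:
    """Classify one rejected attempt: who, what kind of account, why."""
    attrs = parse_ias_event(description)
    identity = attrs["Identity"]
    fqun = attrs.get("Fully-Qualified-User-Name", "")
    # Computer accounts authenticate as host/<fqdn> with a $-suffixed SAM name.
    is_computer = identity.startswith("host/") or fqun.endswith("$")
    code = int(attrs["Reason-Code"])
    return {
        "identity": identity,
        "account_kind": "computer" if is_computer else "user",
        "policy": attrs.get("Policy-Name"),
        "eap_type": attrs.get("EAP-Type"),
        "reason_code": code,
        "reason": REASON_TEXT.get(code, attrs.get("Reason", "")),
        "hint": HINTS.get(code, "consult the IAS reason-code reference"),
    }


if __name__ == "__main__":
    for event in (EVENT_USER, EVENT_MACHINE):
        s = summarize(event)
        print(f"{s['identity']:<28} {s['account_kind']:<8} "
              f"code={s['reason_code']:<3} policy={s['policy']}")
        print(f"    {s['hint']}")
```

Run against the two events, the first attempt is a user account that reached policy "wstaff" and failed with code 16, while the second is the laptop's computer account (host/HP-LAPTOP.test.org, TESTHP-LAPTOP$) that matched no policy at all (code 48); that is what the "always wait for the network at computer startup" setting produces, a machine authentication before any user logs on, and a policy written for users will not cover it.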

Answer Wiki


Purely guessing here, but that’s how a lot of troubleshooting starts… :-)

Do any of the logs (you ARE logging?) show the full user name? I’ve seen some cases where the user’s name was prepended with their local machine name instead of standing alone or being prepended with the domain name.

Failing log info, then start sniffing the authentication traffic.

My gut instinct (especially when using IAS to pass through authentication credentials) is to suspect a windows-like name issue. When you’re doing stand-alone RADIUS, this is not seen as often.

Good luck,

Bob

Discuss This Question: 2  Replies

  • Astronomer
    Bob: Thanks for the suggestion. Since I posted this, I discovered IAS wasn't bound to the server certificate for some reason. Removing and re-installing IAS didn't help. I have just finished rebuilding the server from scratch and this problem seems to have gone away. This morning I will finish configuring the server and start another series of login attempts. rt
  • Astronomer
    Bob: It seems rebuilding the server fixed it. I have now logged in using an account in the test domain and got the right DHCP address. I was also able to ping the test domain DC by name. I will continue my tests using other accounts and the guest login (this last account needs to be authenticated but doesn't have to be encrypted; I don't want to use certificates and want minimal configuration for guest laptops coming in); these don't work yet. The way I found the IAS problem was by: opening IAS, right-clicking on the remote access policy of interest, selecting Properties, clicking Edit Profile, clicking the Authentication tab, selecting the EAP Methods button, and clicking Edit for Smart Card or other certificate. Now it shows a certificate issued to testdc.test.org. Before, it couldn't find a certificate.