Issues with IAS/802.1x authentication
froowstie 2004-10-26, 2:47 am
Hey there,
I'm setting up a prototype PKI/802.1x lab environment for a customer so they
can leverage the security features when they decide to implement their new
wireless infrastructure. I've followed the MS Securing Wireless LANs
documentation
(http://www.microsoft.com/technet/pr...oy/ed80211.mspx)
when building the lab and have the following servers configured:
1) AD01 - W2k3 DC / Root CA / Primary IAS configured
2) AD03 - W2k3 DC / Secondary IAS configured
3) Windows XP client - joined to the domain
4) cisco Aironet 1200 - Access point - Configured for WEP encryption and
802.1x/EAP authentication
My computer/user certificates seem to be getting deployed correctly and all
the wireless GPOs are working correctly, but the Windows XP SP1 users cannot
seem to connect to the network. When I check the event log I find the IAS
server is throwing up a heap of authentication errors, see below:
User Test3@NEWCREST.COM.AU was denied access.
Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test3
NAS-IP-Address = 192.168.1.100
NAS-Identifier = Commander
Called-Station-Identifier = 000d.bd01.15b0
Calling-Station-Identifier = 0002.2d29.2f60
Client-Friendly-Name = cisco Wireless AP
Client-IP-Address = 192.168.1.100
NAS-Port-Type = Virtual
NAS-Port = 421
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for
the user account was denied. To allow remote access, enable remote access
permission for the user account, or, if the user account specifies that
access is controlled through the matching remote access policy, enable
remote access permission for that remote access policy.
I'm not that strong with IAS, so I may have missed something in the setup.
But I've basically set up a Remote Access Policy that allows all Wireless
users as long as they have the correct certificate (as specified through the
EAP Methods menu).
So, has anyone seen this error when configuring 802.1x? The Test3 user
account's Remote Access permissions are set to Control access through Remote
Access Policy, so I don't know why it's saying the account doesn't have RAS
access when it does. Or does it mean that the Remote Access Policy has
denied access to the user's account for some unknown reason?
Thoughts, comments?
Cheers, James.
P.S - When I manually grant the user dial-in permissions (through AD Users
and Computers), the IAS error changes to this:
User Test1@NEWCREST.COM.AU was denied access.
Fully-Qualified-User-Name = NEWCREST.COM.AU/Melbourne/IM Users/Test1
NAS-IP-Address = 192.168.1.100
NAS-Identifier = Commander
Called-Station-Identifier = 000d.bd01.15b0
Calling-Station-Identifier = 0002.2d29.2f60
Client-Friendly-Name = cisco Wireless AP
Client-IP-Address = 192.168.1.100
NAS-Port-Type = Virtual
NAS-Port = 287
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not
enabled on the matching remote access policy.
froowstie 2004-10-26, 2:47 am
Hmmm, well I fixed it, but I'm a little confused as to why it works.
As soon as I modified the IAS Remote Access Policy and removed this policy
condition:
NasPortType = Wireless - IEEE 802.11 or NasPortType = Wireless - Other
... the users started authenticating via their EAP certificates. The weird
thing is that that condition was created as per the MS Securing Wireless
LANs documentation... oh well. Seems to be working now.
Regards, James.
Sam Salhi [MSFT] 2004-10-26, 2:47 am
What's happening is basically that IAS is set to deny access in the matching
policy from the event below. You need to modify the policy on the IAS server
(the policy name from the event below is "Connections to other access
servers"): just double-click it and select "Grant remote access permission".
Good luck.
Let us know if this helps.
--
========================================
This posting is provided "AS IS" with no warranties, and confers no rights.
========================================
Sam Salhi [MSFT] 2004-10-26, 2:47 am
A possible reason for this might be that the cisco 1200 AP is not sending
the NAS-Port-Type attribute correctly to the IAS server, so IAS wasn't able
to match the access request with this first policy and was matching the user
with another policy (mentioned below in the event), which had the Deny remote
access permission set. My previous post was to fix that issue.
--
========================================
This posting is provided "AS IS" with no warranties, and confers no rights.
========================================
Marcos 2005-01-20, 5:57 pm
Hi everyone,
Maybe you have a mismatched authentication configuration between the client and
the remote access policy (The user attempted to use an authentication method that
is not enabled on the matching remote access policy).
In the Properties of "My network places", tab Authentication, verify that
the authentication type (PEAP with MSchap v2 or EAP-TLS) matches the
remote access policy on the IAS.
Greetings.
Marcos
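Sam's explanation (the AP logging NAS-Port-Type = Virtual, so the request falls through to the catch-all deny policy) and Marcos's point about a mismatched authentication method both come down to which remote access policy IAS matches first. The Python model below is an added example, not IAS code or anything posted in the thread: the policy names and reason codes are taken from the events above, the NAS-Port-Type numbers from RFC 2865, and the request's EAP-Type, the policy order and the no-match outcome are assumptions.

```python
# Added model (not IAS's own code) of how IAS picks a remote access policy:
# policies are tried in order and the first one whose conditions all match
# decides the outcome. Attribute values come from the thread's events;
# NAS-Port-Type numbers follow RFC 2865 (Virtual = 5, Wireless - Other = 18,
# Wireless - IEEE 802.11 = 19).

NAS_PORT_TYPE = {"Virtual": 5, "Wireless - Other": 18, "Wireless - IEEE 802.11": 19}

# Reason codes and summaries as they appear in the thread's IAS events.
DENIED_BY_POLICY = (65, "remote access permission for the user account was denied")
AUTH_TYPE_NOT_ENABLED = (66, "authentication method not enabled on the matching policy")
NO_POLICY_MATCHED = (None, "no remote access policy matched")  # code not in the thread
GRANTED = (None, "access granted")


def lab_policies(wireless_port_types):
    """The two policies from the thread: the wireless policy first, then the
    catch-all 'Connections to other access servers', which denies everything.
    wireless_port_types=None means the NAS-Port-Type condition was removed."""
    cond = {} if wireless_port_types is None else {
        "NAS-Port-Type": {NAS_PORT_TYPE[n] for n in wireless_port_types}}
    return [
        {"name": "Wireless access", "conditions": cond,
         "grant": True, "eap_types": {"EAP-TLS"}},
        {"name": "Connections to other access servers", "conditions": {},
         "grant": False, "eap_types": set()},
    ]


def evaluate(policies, request, account_permission="policy"):
    """Return (policy_name, accepted, (code, reason)) for one Access-Request.
    account_permission mirrors the AD dial-in setting: "allow", "deny" or
    "policy" (Control access through Remote Access Policy)."""
    for pol in policies:
        # Every condition must hold; each condition is a set of allowed values.
        if not all(request.get(a) in ok for a, ok in pol["conditions"].items()):
            continue  # first match wins, so fall through to the next policy
        # An explicit account setting overrides the policy's own permission.
        granted = pol["grant"] if account_permission == "policy" else account_permission == "allow"
        if not granted:
            return pol["name"], False, DENIED_BY_POLICY
        # Profile constraints (allowed EAP types) apply only after a match.
        if request["EAP-Type"] not in pol["eap_types"]:
            return pol["name"], False, AUTH_TYPE_NOT_ENABLED
        return pol["name"], True, GRANTED
    return None, False, NO_POLICY_MATCHED


# Constructed from the thread's event: the Aironet reports Virtual (5), not
# 802.11, and the client offers certificate (EAP-TLS) authentication (assumed).
REQUEST = {"User-Name": "Test3@NEWCREST.COM.AU", "NAS-Port-Type": 5, "EAP-Type": "EAP-TLS"}

if __name__ == "__main__":
    documented = lab_policies(["Wireless - IEEE 802.11", "Wireless - Other"])
    print(evaluate(documented, REQUEST))           # catch-all policy, code 65
    print(evaluate(documented, REQUEST, "allow"))  # still the catch-all, code 66
    print(evaluate(lab_policies(["Wireless - IEEE 802.11", "Virtual"]), REQUEST))
```

Adding Virtual to the condition (last case) keeps the policy scoped to the access points, whereas removing the condition altogether, as the thread's fix did, makes the wireless policy match every RADIUS client.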