Radius Server - Is it a must to have DHCP, DC and IAS on the same server?

Louis

2005-10-24, 11:03 am

I have got a win2003 server running as DC and IAS... but not DHCP.

Now, when I connect my WinCE device to it with WPA/802.1x,
it can authenticate with the server but cannot get an IP from the server...

Is that because I separate DHCP service from the IAS/DC?

Thanks.

Louis


James McIllece [MS]

2005-10-24, 11:03 am

"Louis" <haha@haha.com> wrote in
news:OZOG#cS1FHA.2212@TK2MSFTNGP15.phx.gbl:

> I have got a win2003 server running as DC and IAS... but not DHCP.
>
> now, when I connect my WinCE device to it with WPA/802.1x
> It can authenticated with server but cannot get IP from server...
>
> Is that because I separate DHCP service from the IAS/DC?
>
> Thanks.
>
> Louis
>
>
>


No, you do not have to install DHCP on the DC/IAS server, it can be on
another server.

If there is a router between the DHCP server and the AP, you need to enable
DHCP message forwarding, though.

--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Louis

2005-10-24, 11:03 am

Thanks for the reply.

It's so weird... My PPC still cannot obtain an IP address from the
network...
But a laptop with WinXP Service Pack 2 IS able to get an IP... without
a problem...

While monitoring the network, I found that the PPC does request an IP and the
DHCP server DOES offer an IP for it...
but still, the PPC waits for the timeout and assigns a private IP to itself...
Any idea? Please help.

Thanks

"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
news:Xns96F592D9CA0A1jamesmcionlinemicros@207.46.248.16...
> "Louis" <haha@haha.com> wrote in
> news:OZOG#cS1FHA.2212@TK2MSFTNGP15.phx.gbl:
>
>
> No, you do not have to install DHCP on the DC/IAS server, it can be on
> another server.
>
> If there is a router between the DHCP server and the AP, you need to enable
> DHCP message forwarding, though.
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.


James McIllece [MS]

2005-10-24, 11:03 am

It will be helpful if you can provide additional details, such as the
following:

-- Type of access point you are using
-- The authentication method you have configured in IAS
-- IAS log entries that show the connection attempt and whether
authentication succeeds or fails

I suspect that you aren't being authenticated. With 802.1X, if
authentication fails, you don't get an IP address. Could be something else,
but that's my first guess.

Also, double-check that you have the same shared secret on the IAS server
and the access point, that the AP is configured to use RADIUS and your IAS
server, and that both devices have the correct IP for the other device.


"Louis" <haha@haha.com> wrote in
news:u7j$O8f1FHA.464@TK2MSFTNGP15.phx.gbl:

> Thanks for reply.
>
> It's so weird... My PPC still cannot obtain an IP address from the
> network...
> But a laptop with WinXP Service pack 2 DO able to get IP... without
> problem...
>
> While monitoring the network, I found that the PPC do request IP and
> the DHCP server DO offer an IP for it...
> but still, PPC would wait for timeout and assign an private IP to
> itself... Any idea? Please help.
>
> Thanks
>
> "James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
> news:Xns96F592D9CA0A1jamesmcionlinemicros@207.46.248.16...
>
>
>




--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Joe

2005-11-02, 7:53 am

Thanks for your reply... I was on a long vacation before..

I am using an Asus access point, WL500g

Here's the log.
Can you classify? It seems that the first two are using the laptop to connect..
Is that because XP supports MSCHAPv2, but not PPC?

Thanks.

192.168.0.203,RVTEST\eappeap,10/15/2005,15:16:08,IAS,PEN,4,192.168.0.203,30,0011d8604c70,31,000e35b69335,32,0011d8604c70,5,16,12,1400,61,19,4108,192.168.0.203,4116,0,4128,CE8021X,4155,1,25,311 1 192.168.0.100 10/15/2005 02:15:25 481,4155,1,4132,Secured password (EAP-MSCHAP v2),4129,RVTEST\eappeap,4127,11,4130,rvtest.local/Users/eappeap,4136,1,4142,0

192.168.0.203,RVTEST\eappeap,10/15/2005,15:16:08,IAS,PEN,25,311 1 192.168.0.100 10/15/2005 02:15:25 481,4132,Secured password (EAP-MSCHAP v2),4127,11,26,0x0000013711340000201E8C1A186E6B1919B4457725E4AA5BB8F7B3EDA2D6FC26DAEA66F9923DAFD09A000000000000000000000000000000,26,0x0000013710340000208B5AA78B8C6E84E75A97AF3786F12B2858B8236A6BC4A86B5D81FEBD12945D43000000000000000000000000000000,8100,0,26,0x000001371A2D01533D44354643394330303345454331463745323633313235414635444338383235424631433430354446,26,0x000001370A08015256544553,4108,192.168.0.203,4116,0,4128,CE8021X,4155,1,4154,Use Windows authentication for all users,4155,1,4154,Use Windows authentication for all users,4129,RVTEST\eappeap,4149,EAP-PEAP Authentication,6,2,4130,rvtest.local/Users/eappeap,4136,2,4142,0

192.168.0.203,rvtest\eappeap,10/15/2005,15:41:21,IAS,PEN,4,192.168.0.203,30,0011d8604c70,31,00000e62784b,32,0011d8604c70,5,17,12,1400,61,19,4108,192.168.0.203,4116,0,4128,CE8021X,4155,1,25,311 1 192.168.0.100 10/15/2005 02:15:25 487,4127,11,4155,1,4129,RVTEST\eappeap,4130,rvtest.local/Users/eappeap,4136,1,4142,0

192.168.0.203,rvtest\eappeap,10/15/2005,15:41:21,IAS,PEN,25,311 1 192.168.0.100 10/15/2005 02:15:25 487,4127,11,4130,rvtest.local/Users/eappeap,4149,EAP-PEAP Authentication,4129,RVTEST\eappeap,4154,Use Windows authentication for all users,4155,1,4154,Use Windows authentication for all users,4108,192.168.0.203,4116,0,4128,CE8021X,4155,1,4136,3,4142,16


"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
news:Xns96F676AABABE4jamesmcionlinemicros@207.46.248.16...
> It will be helpful if you can provide additional details, such as the
> following:
>
> -- Type of access point you are using
> -- The authentication method you have configured in IAS
> -- IAS log entries that show the connection attempt and whether
> authentication succeeds or fails
>
> I suspect that you aren't being authenticated. With 802.1X, if
> authentication fails, you don't get an IP address. Could be something else,
> but that's my first guess.
>
> Also, double-check that you have the same shared secret on the IAS server
> and the access point, that the AP is configured to use RADIUS and your IAS
> server, and that both devices have the correct IP for the other device.
>
>
> "Louis" <haha@haha.com> wrote in
> news:u7j$O8f1FHA.464@TK2MSFTNGP15.phx.gbl:
>
>
>
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
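
An added example, not part of the original posts: a small Python parser for the IAS-format records posted above. It pairs each request with its response through the Class attribute (ID 25) and reports accept or reject with the reason code. The sample records are abridged from the thread's log, and the attribute-ID table is a subset supplied for this example.

```python
import csv

# Subset of attribute IDs seen in IAS-format logs (assumed mapping for this example).
ATTR = {"4": "NAS-IP-Address", "31": "Calling-Station-Id", "25": "Class",
        "4127": "Authentication-Type", "4129": "SAM-Account-Name",
        "4132": "EAP-Friendly-Name", "4136": "Packet-Type", "4142": "Reason-Code"}
PACKET = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
          "11": "Access-Challenge"}

# Sample records abridged from the thread (most attributes omitted).
SAMPLE = [
    r"192.168.0.203,RVTEST\eappeap,10/15/2005,15:16:08,IAS,PEN,4,192.168.0.203,31,000e35b69335,25,311 1 192.168.0.100 10/15/2005 02:15:25 481,4136,1,4142,0",
    r"192.168.0.203,RVTEST\eappeap,10/15/2005,15:16:08,IAS,PEN,25,311 1 192.168.0.100 10/15/2005 02:15:25 481,4132,Secured password (EAP-MSCHAP v2),4127,11,4136,2,4142,0",
    r"192.168.0.203,rvtest\eappeap,10/15/2005,15:41:21,IAS,PEN,4,192.168.0.203,31,00000e62784b,25,311 1 192.168.0.100 10/15/2005 02:15:25 487,4136,1,4142,0",
    r"192.168.0.203,rvtest\eappeap,10/15/2005,15:41:21,IAS,PEN,25,311 1 192.168.0.100 10/15/2005 02:15:25 487,4127,11,4136,3,4142,16",
]

def parse_ias_line(line):
    """Split one IAS-format record: six header fields, then id,value pairs."""
    fields = next(csv.reader([line]))
    head, rest = fields[:6], fields[6:]
    if len(head) < 6 or len(rest) % 2:
        raise ValueError("truncated or line-wrapped record")
    rec = dict(zip(("nas_ip", "user", "date", "time", "service", "computer"), head))
    rec["attrs"] = {}
    for attr_id, value in zip(rest[0::2], rest[1::2]):
        rec["attrs"].setdefault(ATTR.get(attr_id, attr_id), value)  # first value wins
    return rec

def classify(lines):
    """Group records by Class value and return one outcome dict per session."""
    sessions = {}
    for line in lines:
        rec = parse_ias_line(line)
        a = rec["attrs"]
        s = sessions.setdefault(a.get("Class"), {"user": rec["user"]})
        ptype = PACKET.get(a.get("Packet-Type"), "other")
        if ptype == "Access-Request":
            s["station"] = a.get("Calling-Station-Id")
        elif ptype in ("Access-Accept", "Access-Reject"):
            s["result"] = ptype
            s["reason"] = int(a.get("Reason-Code", 0))
            s["eap"] = a.get("EAP-Friendly-Name")
    return list(sessions.values())

if __name__ == "__main__":
    for session in classify(SAMPLE):
        print(session)
```

A record that was wrapped or cut in transit fails the pair check and raises `ValueError`, so re-join wrapped lines before feeding a log to it.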


Joe

2005-11-02, 7:53 am

some more from the event viewer

~~~~~~~~~~~~~
User rvtest\eappeap was granted access.
Fully-Qualified-User-Name = rvtest.local/Users/eappeap
NAS-IP-Address = 192.168.0.203
NAS-Identifier = 0011d8604c70
Client-Friendly-Name = CE8021X
Client-IP-Address = 192.168.0.203
Calling-Station-Identifier = 0011d8a6bda4
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 63
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = EAP-PEAP Authentication
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
~~~~~~~~~~~~~~~~~~~~


Louis

2005-11-02, 5:52 pm

oh...
you are right...
the WinCE client is not authenticated...

Here's the log of it
~~~~~~~~~~~~~~~~~~~
User testing\123 was denied access.
Fully-Qualified-User-Name = testing.local/Users/123
NAS-IP-Address = 192.168.0.203
NAS-Identifier = 0011d8604c70
Called-Station-Identifier = 0011d8604c70
Calling-Station-Identifier = 00e000de448e
Client-Friendly-Name = 8021X
Client-IP-Address = 192.168.0.203
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 20
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = EAP-PEAP Authentication
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or
incorrect password was used.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
~~~~~~~~~~~~~~~~~~~

And here's... a log of another device with successful authentication.
~~~~~~~~~~~~~~~~~~~
User rvtest\123 was granted access.
Fully-Qualified-User-Name = rvtest.local/Users/123
NAS-IP-Address = 192.168.0.203
NAS-Identifier = 0011d8604c70
Client-Friendly-Name = CE8021X
Client-IP-Address = 192.168.0.203
Calling-Station-Identifier = 0011d8a6bda4
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 63
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = EAP-PEAP Authentication
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
~~~~~~~~~~~~~~~~~~~


Any problem with them?

Thanks.


"James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
news:Xns96F676AABABE4jamesmcionlinemicros@207.46.248.16...
> It will be helpful if you can provide additional details, such as the
> following:
>
> -- Type of access point you are using
> -- The authentication method you have configured in IAS
> -- IAS log entries that show the connection attempt and whether
> authentication succeeds or fails
>
> I suspect that you aren't being authenticated. With 802.1X, if
> authentication fails, you don't get an IP address. Could be something else,
> but that's my first guess.
>
> Also, double-check that you have the same shared secret on the IAS server
> and the access point, that the AP is configured to use RADIUS and your IAS
> server, and that both devices have the correct IP for the other device.
>
>
> "Louis" <haha@haha.com> wrote in
> news:u7j$O8f1FHA.464@TK2MSFTNGP15.phx.gbl:
>
>
>
>
> --
> James McIllece, Microsoft
>
> Please do not send email directly to this alias. This is my online account
> name for newsgroup participation only.
>
> This posting is provided "AS IS" with no warranties, and confers no rights.

Louis

2005-11-02, 5:52 pm

oh... it's okay now...
because of the cert....

Thanks so much


"Louis" <louis@haha.com> wrote in message
news:%23vUwNh73FHA.3292@tk2msftngp13.phx.gbl...
> oh...
> you are right...
> the WinCE client is not authenticated...
>
> Here's the log of it
> ~~~~~~~~~~~~~~~~~~~
> User testing\123 was denied access.
> Fully-Qualified-User-Name = testing.local/Users/123
> NAS-IP-Address = 192.168.0.203
> NAS-Identifier = 0011d8604c70
> Called-Station-Identifier = 0011d8604c70
> Calling-Station-Identifier = 00e000de448e
> Client-Friendly-Name = 8021X
> Client-IP-Address = 192.168.0.203
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 20
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = EAP-PEAP Authentication
> Authentication-Type = PEAP
> EAP-Type = <undetermined>
> Reason-Code = 16
> Reason = Authentication was not successful because an unknown user name or
> incorrect password was used.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ~~~~~~~~~~~~~~~~~~~
>
> And here's... a log of another device with success authentication.
> ~~~~~~~~~~~~~~~~~~~
> User rvtest\123 was granted access.
> Fully-Qualified-User-Name = rvtest.local/Users/123
> NAS-IP-Address = 192.168.0.203
> NAS-Identifier = 0011d8604c70
> Client-Friendly-Name = CE8021X
> Client-IP-Address = 192.168.0.203
> Calling-Station-Identifier = 0011d8a6bda4
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 63
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Policy-Name = EAP-PEAP Authentication
> Authentication-Type = PEAP
> EAP-Type = Secured password (EAP-MSCHAP v2)
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ~~~~~~~~~~~~~~~~~~~
>
>
> Any problem with them?
>
> Thanks.
>
>
> "James McIllece [MS]" <jamesmci@online.microsoft.com> wrote in message
> news:Xns96F676AABABE4jamesmcionlinemicros@207.46.248.16...
>
>




Copyright 2003 - 2008 webservertalk.com