Radius Server - Should IAS permit domain logon (but no access) for users who do not match the Remote A

Author

Should IAS permit domain logon (but no access) for users who do not match the Remote A

Ned

2005-04-09, 8:51 pm

Hello

I have an Aironet 1231 configured for open authentication with EAP and
network EAP against IAS configured for MSCHAP V2. I am logging into a
domain wirelessly with a Windows XP laptop using Windows to manage my
wireless connection. Everything is working just fine but I noticed
something unusual and I am hoping someone can explain why it is
happening.

When I attempt to logon over the wlan with a domain account that has
never logged in on that laptop (no cached credentials) and which DOES
NOT have wireless permissions, the account is recognized as a valid
domain account and I am logged onto the workstation WITHOUT wireless
access to the domain. If I stop IAS and try the same thing it fails
until I start IAS. I took it a step further and configured a logon
script but it did not run. Shouldn't IAS block this user completely
since the account does not match the remote access policy? Why does it
verify domain membership over the wlan when the user should not have
any access at all?

Thanks
NH

Manjunath Bharadwaj [MSFT]

2005-04-10, 5:51 pm

Ned,

Can you see the IAS trace logs to see what the say? You can enable them by
"netsh ras set tracing * enable" and look at the IAS logs. Also can you
check the eventlogs on the IAS server and see what IAS says about accecc
accept/reject? If you could copy the relevant logs here, we could see if it
is an IAS issue.

Thanks, Manju

--
++++++++++++++++++++++++++++++++++++++++
+++++++
This posting is provided "AS IS" with no warranties, and confers no rights