No authentication with AD from IAS
| IAS is installed on a DC and has permissions for AD. This server is also a
CA. I am using a Linksys WRT54GS router and using RADIUS authentication on
it. I have the client set up in IAS and have the policy set up. When a
client tries to connect (yes, they have permissions in Dial Up access through
AD), this is returned in the event log:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 4/28/2005
Time: 12:01:51 PM
User: N/A
Computer: COMPUTERNAME
Description:
User MyDomain\test was denied access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.2
NAS-Identifier = 001310199dbd
Called-Station-Identifier = 001310199dbd
Calling-Station-Identifier = 00121785af8f
Client-Friendly-Name = MyWirelessName
Client-IP-Address = 192.168.1.2
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 37
Proxy-Policy-Name = <none>
Authentication-Provider = <undetermined>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 49
Reason = The connection attempt did not match any connection request
policy.
Any suggestions????
| |
| Manjunath Bharadwaj [MSFT] 2005-04-28, 5:58 pm |
| JB,
In this case you don't have your CRP configured properly. This is the error
message:
"The connection attempt did not match any connection request policy."
Look at your CRPs and make sure that the request matches at least one of
them.
Thanks, Manju
--
++++++++++++++++++++++++++++++++++++++++
+++++++
This posting is provided "AS IS" with no warranties, and confers no rights
"JB" <jjmtb@qwest.net> wrote in message
news:%23m5WHXCTFHA.2812@TK2MSFTNGP09.phx.gbl...
> IAS is installed on a DC and has permissions for AD. This server is also
> a CA. I am using a Linksys WRT54GS router and using RADIUS authentication
> on it. I have the client set up in IAS and have the policy set up. When
> a client tries to connect (yes, they have permissions in Dial Up access
> through AD), this is returned in the event log:
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 4/28/2005
> Time: 12:01:51 PM
> User: N/A
> Computer: COMPUTERNAME
> Description:
> User MyDomain\test was denied access.
> Fully-Qualified-User-Name = <undetermined>
> NAS-IP-Address = 192.168.1.2
> NAS-Identifier = 001310199dbd
> Called-Station-Identifier = 001310199dbd
> Calling-Station-Identifier = 00121785af8f
> Client-Friendly-Name = MyWirelessName
> Client-IP-Address = 192.168.1.2
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 37
> Proxy-Policy-Name = <none>
> Authentication-Provider = <undetermined>
> Authentication-Server = <undetermined>
> Policy-Name = <undetermined>
> Authentication-Type = <undetermined>
> EAP-Type = <undetermined>
> Reason-Code = 49
> Reason = The connection attempt did not match any connection request
> policy.
>
>
> Any suggestions????
| |
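The check described in the reply above, as an added example that is not part of the original thread: a Python sketch that parses the Event ID 2 description text and reports whether a connection request policy matched. The sample is the event posted above, shortened; the function names are hypothetical, and reading Reason-Code 49 as "no CRP matched" follows the Reason text in that event.

```python
import re

# Event ID 2 description as posted in this thread (shortened to the fields used).
SAMPLE_EVENT = r"""User MyDomain\test was denied access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.2
Calling-Station-Identifier = 00121785af8f
Client-Friendly-Name = MyWirelessName
NAS-Port-Type = Wireless - IEEE 802.11
Proxy-Policy-Name = <none>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
Reason-Code = 49
Reason = The connection attempt did not match any connection request
policy.
"""

UNSET = {"<undetermined>", "<none>"}


def parse_ias_event(text):
    """Return (user, attrs) parsed from an IAS access event description."""
    user, attrs, last = None, {}, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate '>'-quoted copies
        if not line:
            continue
        m = re.match(r"User (.+?) was (?:denied|granted) access\.", line)
        if m:
            user = m.group(1)
            continue
        key, sep, value = line.partition(" = ")
        if sep and re.fullmatch(r"[A-Za-z][A-Za-z-]*", key):
            attrs[key] = value.strip()
            last = key
        elif last:                               # wrapped value, e.g. Reason
            attrs[last] += " " + line
    return user, attrs


def triage(attrs):
    """Summarise how far the request got before IAS rejected it."""
    return {
        "crp_matched": attrs.get("Reason-Code") != "49",   # 49 per the thread
        "client": attrs.get("Client-Friendly-Name"),
        "station": attrs.get("Calling-Station-Identifier"),
        "unresolved": sorted(k for k, v in attrs.items() if v in UNSET),
    }
```

Every policy and authentication field left unresolved alongside Reason-Code 49 shows the request was rejected before any policy or authentication method was selected.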
|
| I REALLY appreciate the help.
That's what I thought... however...
In the "Connection Request Policies" there are no items. So I right click
to create a new one, and the first screen says:
"If users connect to this server through a VPN or by dialing directly, do
not create a policy. The IAS default policy is set up to accommodate this
scenario."
I figured that my connection was covered under this - but I suppose not. So
I went through and set one up and chose "Authenticate connection requests on
this server" and "Users dial directly into this server or connect through a
VPN". My only other option was "Authenticate connection requests on this
server" and "Users connect through this server through an ISP" - which isn't
the case. Anyway, when I choose the previous setting, it doesn't create
anything in the Connection Request Policies: it's still empty.
Am I missing something?
Thanks!
"Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> wrote in message
news:ewtqWxCTFHA.3040@TK2MSFTNGP10.phx.gbl...
> JB,
>
> In this case you don't have your CRP configured properly. This is the
> error message:
> "The connection attempt did not match any connection request policy."
> Look at your CRPs and make sure that the request matches at least one of
> them.
>
> Thanks, Manju
> --
> ++++++++++++++++++++++++++++++++++++++++
+++++++
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "JB" <jjmtb@qwest.net> wrote in message
> news:%23m5WHXCTFHA.2812@TK2MSFTNGP09.phx.gbl...
>
>
| |
| Manjunath Bharadwaj [MSFT] 2005-04-28, 5:58 pm |
| JB,
In this case, I think you might have deleted the default CRP policy which
existed when you created the policy and so IAS keeps insisting that the
default should work. This is a known issue with the IAS UI. You have 2
options:
1) Create a policy using the wizard (but choose some other option other than
what you chose earlier) so that it creates a policy and then edit the policy
to suit your requirements.
It may be easiest to choose "custom policy" and then use the following:
policy conditions: use date/time and 24/7
profile: accept defaults
2) Restore c:\windows\system32\ias.mdb from your installation disks so you
get the default policies and then edit them as you need.
The first way is preferred since you will keep your existing configuration.
Let me know if it works after you configure it as described.
Thanks, Manju
++++++++++++++++++++++++++++++++++++++++
+++++++
This posting is provided "AS IS" with no warranties, and confers no rights
"JB" <jjmtb@qwest.net> wrote in message
news:uQUNHlDTFHA.2548@TK2MSFTNGP14.phx.gbl...
>I REALLY appreciate the help.
>
> That's what I thought... however...
>
> In the "Connection Request Policies" there are no items. So I right click
> to create a new one, and the first screen says:
>
> "If users connect to this server through a VPN or by dialing directly, do
> not create a policy. The IAS default policy is set up to accommodate this
> scenario."
>
> I figured that my connection was covered under this - but I suppose not.
> So I went through and set one up and chose "Authenticate connection
> requests on this server" and "Users dial directly into this server or
> connect through a VPN". My only other option was "Authenticate connection
> requests on this server" and "Users connect through this server through an
> ISP" - which isn't the case. Anyway, when I choose the previous setting,
> it doesn't create anything in the Connection Request Policies: it's still
> empty.
>
> Am I missing something?
>
> Thanks!
| |
|
| That was exactly the problem! I very much appreciate the help - I was
getting frustrated and had even installed and uninstalled IAS (which didn't
restore the default CRP).
It works perfectly now! Thank you VERY much!
"Manjunath Bharadwaj [MSFT]" <mbhara@online.microsoft.com> wrote in message
news:O2c0zyDTFHA.3176@TK2MSFTNGP09.phx.gbl...
> JB,
>
> In this case, I think you might have deleted the default CRP policy which
> existed when you created the policy and so IAS keeps insisting that the
> default should work. This is a known issue with the IAS UI. You have 2
> options:
>
> 1) Create a policy using the wizard (but choose some other option other
> than what you chose earlier) so that it creates a policy and then edit the
> policy to suit your requirements.
> It may be easiest to choose "custom policy" and then use the following:
> policy conditions: use date/time and 24/7
> profile: accept defaults
> 2) Restore c:\windows\system32\ias.mdb from your installation disks so you
> get the default policies and then edit them as you need.
>
> The first way is preferred since you will keep your existing
> configuration.
> Let me know if it works after you configure it as described.
> Thanks, Manju
>
> ++++++++++++++++++++++++++++++++++++++++
+++++++
> This posting is provided "AS IS" with no warranties, and confers no rights
>
>
> "JB" <jjmtb@qwest.net> wrote in message
> news:uQUNHlDTFHA.2548@TK2MSFTNGP14.phx.gbl...
>
>
| |
| Mark Gamache 2005-05-02, 5:55 pm |
| Are you using PEAP or EAP-TLS? Have you registered the IAS server in AD?
Did you use the wizard to create the wireless profile? I'd check the policy
that you created and also verify how the client is provisioned.
Cheers,
--
Mark Gamache
Certified Security Solutions
http://www.css-security.com
"JB" <jjmtb@qwest.net> wrote in message
news:%23m5WHXCTFHA.2812@TK2MSFTNGP09.phx.gbl...
> IAS is installed on a DC and has permissions for AD. This server is also
> a CA. I am using a Linksys WRT54GS router and using RADIUS authentication
> on it. I have the client set up in IAS and have the policy set up. When
> a client tries to connect (yes, they have permissions in Dial Up access
> through AD), this is returned in the event log:
>
> Event Type: Warning
> Event Source: IAS
> Event Category: None
> Event ID: 2
> Date: 4/28/2005
> Time: 12:01:51 PM
> User: N/A
> Computer: COMPUTERNAME
> Description:
> User MyDomain\test was denied access.
> Fully-Qualified-User-Name = <undetermined>
> NAS-IP-Address = 192.168.1.2
> NAS-Identifier = 001310199dbd
> Called-Station-Identifier = 001310199dbd
> Calling-Station-Identifier = 00121785af8f
> Client-Friendly-Name = MyWirelessName
> Client-IP-Address = 192.168.1.2
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 37
> Proxy-Policy-Name = <none>
> Authentication-Provider = <undetermined>
> Authentication-Server = <undetermined>
> Policy-Name = <undetermined>
> Authentication-Type = <undetermined>
> EAP-Type = <undetermined>
> Reason-Code = 49
> Reason = The connection attempt did not match any connection request
> policy.
>
>
> Any suggestions????
>
| |
|
| That's it. I performed option 1 and raised the forest functionality level to 2003; now it is working properly.
Thanks JB
quote: Originally posted by Manjunath Bharadwaj [MSFT]
JB,
In this case, I think you might have deleted the default CRP policy which
existed when you created the policy and so IAS keeps insisting that the
default should work. This is a known issue with the IAS UI. You have 2
options:
1) Create a policy using the wizard (but choose some other option other than
what you chose earlier) so that it creates a policy and then edit the policy
to suit your requirements.
It may be easiest to choose "custom policy" and then use the following:
policy conditions: use date/time and 24/7
profile: accept defaults
2) Restore c:\windows\system32\ias.mdb from your installation disks so you
get the default policies and then edit them as you need.
The first way is preferred since you will keep your existing configuration.
Let me know if it works after you configure it as described.
Thanks, Manju
++++++++++++++++++++++++++++++++++++++++
+++++++
This posting is provided "AS IS" with no warranties, and confers no rights
"JB" <jjmtb@qwest.net> wrote in message
news:uQUNHlDTFHA.2548@TK2MSFTNGP14.phx.gbl...
>I REALLY appreciate the help.
>
> That's what I thought... however...
>
> In the "Connection Request Policies" there are no items. So I right click
> to create a new one, and the first screen says:
>
> "If users connect to this server through a VPN or by dialing directly, do
> not create a policy. The IAS default policy is set up to accommodate this
> scenario."
>
> I figured that my connection was covered under this - but I suppose not.
> So I went through and set one up and chose "Authenticate connection
> requests on this server" and "Users dial directly into this server or
> connect through a VPN". My only other option was "Authenticate connection
> requests on this server" and "Users connect through this server through an
> ISP" - which isn't the case. Anyway, when I choose the previous setting,
> it doesn't create anything in the Connection Request Policies: it's still
> empty.
>
> Am I missing something?
>
> Thanks!