HELP! Error /w Wireless Client to Win2003 Server /w IAS, CA
    HELP! Error /w Wireless Client to Win2003 Server /w IAS, CA  
Christopher C. Welber


11-12-05 10:51 PM




--PROBLEM:

The wireless client [Dell notebook] system goes to authenticate with Windows
2003 server and it looks like the authentication is making it to the server
because we turned logging on and could see that there was some type of
handshaking and access of the active directory for the user and then the system
kicks back the following error:



"The client could not be authenticated because the Extensible Authentication
Protocol EAP type can not be processed by the server"



We assume it means the Windows 2003 server.



We have the following configuration [Complete Event Log Error Listed at the
End of This Message]:





--System Configuration



Windows Server 2003 Standard

Configuration:

- Base Server /w Latest MS Updates

- IAS installed

- CA Authority with certificates installed

- This server is part of a multiple-site domain connected through a Cisco
style VPN connection

- Wireless policy is configured both in Active Directory & the IAS wireless
policy component

- There is a wireless group of it given access in the IAS wireless policy we
created and the test user has the Dial-In property enabled with "Control
Access Through Remote Access Policy" radio button selected.

- The Cisco IP is entered as a radius client under IAS service clients tab
and the shared secret password setup.



In the IAS Profile:

- We have all of the authentication methods unchecked, but I think it kicked
out the same error whether we had everything checked or not.

- Everything is checked in the Encryption tab

- In the advanced tab we have service of Radius Standard and framed selected

- Server settings determine IP assignment, but I don't think we're even
making it that far

- No Dial-in constraints selected



In the Wireless policy in Active Directory:

- Networks to access "Access point [infrastructure only] networks only"

- Preferred Networks the access SSID is listed with network authentication
of WPA, data encryption TRIP

- Under IEEE 802.1x tab, EAPOL Start message is "Transmit per IEEE 802.1x",
EAP type is "Protected EAP [PEAP]" [under these settings the certificate is
correctly selected we believe that was assigned to the server when we
created the CA, authentication method is EAP-MSCHAP v2]





Cisco Airoport 1100 Wireless Access Unit

Configuration:

Radius server is set to be the server /w shared secret password setup

PAP, TKIP are enabled on the wireless access point





Dell Notebook:

Configuration

/w wireless adapter enabled for WPA





Error Log Event Properties of the error are:

Source: IAS

Event ID: 2

Type: Warning

NAS IP: 10.10.10.5 [The Cisco Equipment]

Client IP: 10.10.10.5

NAS PORT Type: 802.11

NAS PORT 1042

Proxy-Policy Name: Use Windows authentication for all users

Authentication Provide: Windows

Authentication-Server = <undetermined>

Policy-name = Gws-wireless [this is the policy we created in IAS Server]

Reason Code = 22

Reason:

"The client could not be authenticated because the Extensible Authentication
Protocol EAP type can not be processed by the server"













    Re: HELP! Error /w Wireless Client to Win2003 Server /w IAS, CA  
James McIllece [MS]


11-14-05 10:56 PM

"Christopher C. Welber" <chriswelber@yahoo.com> wrote in
news:e5N6JA95FHA.1140@tk2msftngp13.phx.gbl:

>
>
>
> --PROBLEM:
>
> The wireless client [Dell notebook] system goes to authenticate with
> windows 2003 server and it looks like the authentication is making it
> to the server because we turned logging on and could see that there
> was some type of hand shaking and access of the active directory for
> the user and then the system kicks back the following error:
>
>
>snip<
>
> Policy-name = Gws-wireless [this is the policy we created in  IAS
> Server]
>
> Reason Code = 22
>
> Reason:
>
> "The client could not be authenticated because the Extensible
> Authentication Protocol EAP type can not be processed by the server"
>

I assume you are trying to deploy wireless with PEAP-MS-CHAP v2. If this is
the case, your remote access policy should not have multiple authentication
methods checked -- none should be checked on the authentication tab. To
configure PEAP, do the following:

Click Edit Profile.

On the Authentication tab, click EAP Methods.

In Select EAP providers, click Add. Select the authentication methods that
you want to use, and then click OK.

In Select EAP providers, click Protected EAP, and then click Edit. The
Protected EAP Properties dialog box opens. In Certificate Issued, select
the certificate that the server uses to identify itself to client
computers.

To enable PEAP fast reconnect for 802.11 wireless client computers, click
Enable Fast Reconnect. Secure password user authentication with
EAP-MSCHAPv2 is the default in EAP Types. To configure EAP-MSCHAPv2 properties,
click Edit. To configure certificate or smart card user authentication,
click Add. In Authentication methods, click Smart Card or other
certificate, and then click OK.

(Note: the above is an excerpt of the Help topic "To configure PEAP and EAP
methods")

Keep in mind that your AP must be configured to allow EAP. And you must
have a server certificate that is configured with the minimum server
certificate requirements. These requirements are found in the Help topic
"Network access authentication and certificates."

The server certificate that you use must be trusted by client computers,
too. You can deploy your own CA or you can purchase a server certificate
that clients already trust from a third-party company such as Verisign.

Here are some whitepapers that contain related deployment information:

"Step-by-Step Secure Wireless for Home / Small Office and Small
Organizations" at
http://download.microsoft.com/downl...c6d2-4c53-85a4-0e23d8dd499d/StepSORGWirelessAcc.doc

"Obtaining and Installing a VeriSign WLAN Server Certificate for
PEAP-MS-CHAP v2 Wireless Authentication" at
http://www.microsoft.com/downloads/...=1971d43c-d2d9-408d-bd97-139afc60996b&DisplayLang=en

"Enterprise Deployment of Secure 802.11 Networks Using Microsoft Windows"
at http://www.microsoft.com/windowsser...as/default.mspx




--
James McIllece, Microsoft

Please do not send email directly to this alias.  This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
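
One way to audit the server-side certificate conditions mentioned in the reply above, as an added example that is not part of either post or of Microsoft's documentation. It assumes PowerShell is available on the IAS server; the function name and the specific checks (private key, validity period, non-empty subject, Server Authentication EKU, chain trusted in the machine context) are assumptions about what the referenced Help topic requires.

```powershell
# Added example: list certificates in the local computer store and report
# whether each one looks usable as a PEAP server certificate.
function Test-PeapServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication (id-kp-serverAuth)
    $now = Get-Date

    # Collect every OID listed in the Enhanced Key Usage extension, if present.
    $ekuOids = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekuOids += $oid.Value }
        }
    }

    # Build the chain in the machine context, since IAS runs as a service.
    # Revocation checking stays at the default; an unreachable CRL shows up
    # in ChainErrors rather than being silently ignored.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chainOk = $chain.Build($Certificate)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })

    New-Object PSObject -Property @{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        HasPrivateKey = $Certificate.HasPrivateKey
        InValidity    = ($Certificate.NotBefore -le $now -and $now -le $Certificate.NotAfter)
        SubjectSet    = -not [string]::IsNullOrEmpty($Certificate.Subject)
        ServerAuthEku = ($ekuOids -contains $serverAuthOid)
        ChainTrusted  = $chainOk
        ChainErrors   = ($chainErrors -join ', ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-PeapServerCertificate -Certificate $_ } |
    Format-List Thumbprint, Subject, HasPrivateKey, InValidity, SubjectSet,
                ServerAuthEku, ChainTrusted, ChainErrors
```

A certificate that passes here still has to be the one selected in the Protected EAP Properties dialog, and its issuing CA has to be trusted on the wireless clients.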







