Web Server Talk forum > Radius Server

problem with 802.1x authenticating
Niklas
06-01-04 09:56 PM

Hi,
XP client running WZC (WPA with RADIUS)
AP set up to use RADIUS
Windows 2000 server using IAS for authentication and accounting,
using MS-CHAP v2 to authenticate against AD.

I have set up everything as it should be (but I am missing something since it isn't
working) as stated in "Enterprise Deployment of Windows-based IEEE 802.11
Networks".

I also looked at the post by Lars M. Hansen about the D-Link 624 and
WPA/RADIUS support, and everything seems as if it should work.

I have set up the CA and have, through auto-enrollment, received the computer
certificate on the client.
I have set up IAS with a RADIUS client pointing to my access point.
I have created a remote access policy "NAS-Port-Type = IEEE 802.11 OR
Wireless - Other"
and also have a group added with my user in it; the user has access granted
on the dial-up tab.

If I start WZC on the client, Ethereal starts monitoring EAP messages.
I don't get any error or warning in the event viewer on the server,
but the EAP doesn't succeed and thus doesn't start sending EAPOL messages.

If I remove myself from the wireless group that is added in the remote
access policy I get a warning in the event viewer:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date:  2004-05-26
Time:  13:38:09
User:  N/A
Computer: Server
Description:
User myDomain\myUser was denied access.
Fully-Qualified-User-Name = myDomain\myUser
NAS-IP-Address = 192.168.0.27
NAS-Identifier = 0030bd9da2db
Called-Station-Identifier = 0030bd9da2db
Calling-Station-Identifier = 0006254a52c4
Client-Friendly-Name = Belkin AP
Client-IP-Address = 192.168.0.27
NAS-Port-Type = 19
NAS-Port = 220
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The user's information did not match a Remote Access Policy.

but as soon as I add myself to the group again I don't get this warning.

I don't know where the authentication fails. Does anyone have an idea about
what I should try/check?

thanks
/Niklas
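An added example, not from any poster in this thread: a small Python parser for the attribute dump that IAS writes into an Event ID 2 description, plus a check of the one policy condition the event lets you verify from the outside. The sample text is a constructed copy of the event above; the NAS-Port-Type names follow RFC 2865, the set of "wireless" port types mirrors the poster's own policy condition (IEEE 802.11 OR Wireless - Other), and reason code 48 is reported exactly as the event's own Reason line states it.

```python
import re

# Constructed sample: the IAS Event ID 2 description quoted in the post above.
SAMPLE_EVENT = """\
User myDomain\\myUser was denied access.
Fully-Qualified-User-Name = myDomain\\myUser
NAS-IP-Address = 192.168.0.27
NAS-Identifier = 0030bd9da2db
Called-Station-Identifier = 0030bd9da2db
Calling-Station-Identifier = 0006254a52c4
Client-Friendly-Name = Belkin AP
Client-IP-Address = 192.168.0.27
NAS-Port-Type = 19
NAS-Port = 220
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The user's information did not match a Remote Access Policy.
"""

# NAS-Port-Type values from RFC 2865 section 5.41 that a wireless policy condition uses.
NAS_PORT_TYPES = {15: "Ethernet", 18: "Wireless - Other", 19: "Wireless - IEEE 802.11"}

# The condition in the poster's remote access policy: IEEE 802.11 OR Wireless - Other.
WIRELESS_PORT_TYPES = {18, 19}

# One "Name = value" line of the description; the first line ("User ... was denied
# access.") has no "=" and is deliberately skipped.
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_ias_event(text):
    """Return {attribute: value} for every 'Name = value' line of the description."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def port_type_matches_wireless_policy(attrs):
    """True if NAS-Port-Type satisfies the 'IEEE 802.11 OR Wireless - Other' condition."""
    return int(attrs.get("NAS-Port-Type", -1)) in WIRELESS_PORT_TYPES


def explain_denial(attrs):
    """List what the dumped attributes say about why no policy matched."""
    findings = []
    port_type = int(attrs.get("NAS-Port-Type", -1))
    findings.append("NAS-Port-Type %d (%s)"
                    % (port_type, NAS_PORT_TYPES.get(port_type, "unknown")))
    no_policy = attrs.get("Policy-Name") == "<undetermined>"
    if no_policy:
        findings.append("no remote access policy matched the request")
    if attrs.get("EAP-Type") == "<undetermined>":
        findings.append("no EAP method had been determined when the request was rejected")
    if attrs.get("Reason-Code") == "48":
        findings.append("reason code 48: " + attrs.get("Reason", ""))
    if no_policy and port_type_matches_wireless_policy(attrs):
        findings.append("the port-type condition matches, so another condition "
                        "(e.g. group membership) is what failed")
    return findings


if __name__ == "__main__":
    parsed = parse_ias_event(SAMPLE_EVENT)
    for finding in explain_denial(parsed):
        print("-", finding)
```

Run against the event above it reports that NAS-Port-Type 19 already satisfies the wireless condition and that no policy was matched, which narrows the failing condition to the remaining ones in the policy (here the group membership the poster toggled to reproduce the event).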
Re: problem with 802.1x authenticating
Jan-Erik
06-01-04 10:49 PM

Hi Niklas,
Have you enabled tracing at the IAS?
Command: netsh ras set tracing * enabled

Then you can see much more of what happens in the "background".
You can also look in the Wireless Monitor snap-in for the MMC on the XP computer.

It has helped me :-)    /Jan-Erik
Re: problem with 802.1x authenticating
Niklas
06-02-04 12:53 PM

Thanks for the help.
One question though: where do I find the log from "netsh ras set..."?
Re: problem with 802.1x authenticating
Stivie S.
06-02-04 12:53 PM

Hi Niklas,

You will find the tracing logs in the %systemroot%\Tracing folder.
Re: problem with 802.1x authenticating
Niklas
06-02-04 04:01 PM


Well, it was easier said than done to find any useful information in these
logs.
I got a few log files but none seems to be obviously wrong.
The only thing I could see that had anything to do with an error was in
RASTLS.LOG:
[3728] 16:02:38:335: EapTlsSMakeMessage
[3728] 16:02:38:335: MakeReplyMessage
[3728] 16:02:38:335: SecurityContextFunction
[3728] 16:02:38:335: AcceptSecurityContext returned 0x0
[3728] 16:02:38:335: AuthenticateUser
[3728] 16:02:38:335: QueryContextAttributes failed and returned 0x8009030e
[3728] 16:02:38:335: Got no credentials from the client and executing PEAP.
This is a success for eaptls.
[3728] 16:02:38:335: CreateMPPEKeyAttributes
[3728] 16:02:38:335: State change to SentFinished
[3728] 16:02:38:335: Negotiation successful

What does "This is a success for eaptls" mean? I'm using MS-CHAP v2, not
EAP-TLS.

thanks
/Niklas
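An added example, not from any poster in this thread: a small Python parser for RAS/IAS tracing entries of the shape shown above (the files that `netsh ras set tracing * enabled` writes under %systemroot%\Tracing). The sample lines are a constructed copy of the RASTLS.LOG excerpt above; the status code names come from winerror.h, where 0x8009030E is SEC_E_NO_CREDENTIALS, which agrees with the following trace line's "Got no credentials from the client". That same line says PEAP is being executed, and PEAP carries MS-CHAP v2 inside an outer TLS tunnel, so a TLS stage appearing in RASTLS.LOG is expected even when the inner method is MS-CHAP v2. The parser joins continuation lines (those without the `[thread] time:` prefix) onto the preceding entry, decodes the hex status codes, and separates the ones with the failure bit set from the rest.

```python
import re

# Constructed sample: the RASTLS.LOG excerpt quoted in the post above.
SAMPLE_TRACE = """\
[3728] 16:02:38:335: EapTlsSMakeMessage
[3728] 16:02:38:335: MakeReplyMessage
[3728] 16:02:38:335: SecurityContextFunction
[3728] 16:02:38:335: AcceptSecurityContext returned 0x0
[3728] 16:02:38:335: AuthenticateUser
[3728] 16:02:38:335: QueryContextAttributes failed and returned 0x8009030e
[3728] 16:02:38:335: Got no credentials from the client and executing PEAP.
This is a success for eaptls.
[3728] 16:02:38:335: CreateMPPEKeyAttributes
[3728] 16:02:38:335: State change to SentFinished
[3728] 16:02:38:335: Negotiation successful
"""

# "[thread] hh:mm:ss:ms: message"; anything else is a continuation of the previous entry.
ENTRY_RE = re.compile(r"^\[(\d+)\] (\d{2}:\d{2}:\d{2}:\d{3}): (.*)$")
STATUS_RE = re.compile(r"\b0x([0-9A-Fa-f]+)\b")

# SSPI status codes (winerror.h) that this trace reports.
SSPI_STATUS = {
    0x00000000: "SEC_E_OK",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}
FAILURE_BIT = 0x80000000  # severity bit of an HRESULT


def parse_trace(text):
    """Return a list of (thread, timestamp, message), joining continuation lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([int(m.group(1)), m.group(2), m.group(3)])
        elif entries:
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]


def status_codes(entries):
    """(message, code, name) for every hex status code mentioned in an entry."""
    found = []
    for _, _, msg in entries:
        for hexdigits in STATUS_RE.findall(msg):
            code = int(hexdigits, 16)
            found.append((msg, code, SSPI_STATUS.get(code, "unknown")))
    return found


def failures(entries):
    """Only the status codes whose failure bit is set."""
    return [item for item in status_codes(entries) if item[1] & FAILURE_BIT]


def tls_stage_completed(entries):
    """True when the trace reaches the SentFinished state and reports success."""
    msgs = [m for _, _, m in entries]
    return (any("SentFinished" in m for m in msgs)
            and any("Negotiation successful" in m for m in msgs))


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for msg, code, name in failures(parsed):
        print("failure 0x%08X (%s): %s" % (code, name, msg))
    print("TLS stage completed:", tls_stage_completed(parsed))
```

For the excerpt above the only failing code is the SEC_E_NO_CREDENTIALS from QueryContextAttributes, and the TLS stage still completes, so the outer tunnel is fine and any remaining problem lies in the inner MS-CHAP v2 exchange or in the policy evaluation rather than in the TLS handshake.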
Re: Re: problem with 802.1x authenticating
Jan-Erik
06-02-04 11:30 PM

Hi again,
When I read your information, you said that you have got a certificate to the
client??? If you are using MS-CHAP it is one server certificate for the IAS
that you must have, as I know.
I am sure that you have checked that you are using the same 802.1X auth. method
at client and IAS several times :-)
Can you try to use EAP-TLS (cert at both IAS and client)? I am using it and
it works fine now. I have had problems and it was the IAS server that was
corrupted. I saw it in the IAS logs, when I restarted the IAS Server. /Jan-Erik