  1. #1


    IAS Issues help!

    I started to experience intermittent wireless problems last week; this week no one can get a wireless connection apart from a few random ones. I set up 35 access points (WAG102), IAS (Server 2003) and 3 Netgear wireless smart switches last summer. This setup has worked fine up until last week. I haven't changed any settings, honest! I'm getting the following error message in the IAS server event viewer:

    All users get the same message. If you can help I would be most grateful.

    User host/RMLAPBRODIEN.campion.internal was denied access.
    Fully-Qualified-User-Name = campion.internal/Establishments/SEC/Locations - SEC/Staff Notebooks/RMLAPBRODIEN
    NAS-IP-Address = 10.122.140.41
    NAS-Identifier = 10.122.140.43
    Called-Station-Identifier = 001B2F24EB80
    Calling-Station-Identifier = 001B2FAF8F40
    Client-Friendly-Name = SmartSwitch Slave 2
    Client-IP-Address = 10.122.140.43
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Access
    Authentication-Type = PEAP
    EAP-Type = <undetermined>
    Reason-Code = 16
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.


    All users receive the same error.
    Last edited by mtdmitchell; 3rd February 2009 at 11:18 AM.

  2. #2

    Are the working ones consistently working?

    Do any of them have a different service pack installed?

    If so this might be worth a look: A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server

  3. #3

    Quote Originally Posted by jamesb View Post
    Are the working ones consistently working?

    Do any of them have a different service pack installed?

    If so this might be worth a look: A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server

    No consistency whatsoever. All laptops are XP SP2.

  4. #4

    If so this might be worth a look: A user is not successfully authenticated when NTLMv2 authentication is used on a Windows Server 2003-based IAS server

    I think that only applies to 2003 SP1. Thanks anyway, I have Server 2003 SP2 installed.
    Last edited by mtdmitchell; 3rd February 2009 at 01:30 PM.

  5. #5

    Quote Originally Posted by dirtydogmitchell View Post
    I started to experience intermittent wireless problems last week; this week no one can get a wireless connection apart from a few random ones. I set up 35 access points (WAG102), IAS (Server 2003) and 3 Netgear wireless smart switches last summer. This setup has worked fine up until last week. I haven't changed any settings, honest! I'm getting the following error message in the IAS server event viewer:

    All users get the same message. If you can help I would be most grateful.

    User host/RMLAPBRODIEN.campion.internal was denied access.
    Fully-Qualified-User-Name = campion.internal/Establishments/SEC/Locations - SEC/Staff Notebooks/RMLAPBRODIEN
    NAS-IP-Address = 10.122.140.41
    NAS-Identifier = 10.122.140.43
    Called-Station-Identifier = 001B2F24EB80
    Calling-Station-Identifier = 001B2FAF8F40
    Client-Friendly-Name = SmartSwitch Slave 2
    Client-IP-Address = 10.122.140.43
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 1
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = Wireless Access
    Authentication-Type = PEAP
    EAP-Type = <undetermined>
    Reason-Code = 16
    Reason = Authentication was not successful because an unknown user name or incorrect password was used.


    All users receive the same error.

    It seems to me that the host is denied rather than the user, i.e. the machine account is not allowed access for some reason.

    Have you got a policy created that allows computers to connect to wireless before the user logs in? - to sort of simulate the wired experience

    Ash.

  6. #6

    Quote Originally Posted by ashok View Post
    It seems to me that the host is denied rather than the user i.e. the machine account is not allowed access for some reason.

    Have you got a policy created that allows computers to connect to wireless before the user logs in? - to sort of simulate the wired experience

    Ash.

    Policy is set for All Domain computers and Domain Users.

    In fact I followed your instructions to the letter; it has worked fine for over 5 months.
    Last edited by mtdmitchell; 3rd February 2009 at 04:54 PM.

  7. #7

    Quote Originally Posted by dirtydogmitchell View Post
    Policy is set for All Domain computers and Domain Users.

    In fact I followed your instructions to the letter; it has worked fine for over 5 months.

    Hmm, just wondering if your certificate has expired or is coming up to expiration. You can try renewing the certificate to see if it cures this problem.

    Also which cert method are you using?

    1 Enterprise CA
    2 Stand-alone CA
    3 Self-signed Cert

    One other thing you can try is to create a policy for domain computers separately and another separate policy for domain users. Also check that the user has the "control through remote policy" setting enabled on the dial-in tab of the user properties.

    Your domain functional level must be Windows 2000 or 2003 for the above option to be available.

    Also make sure that the shared secret is correct at both ends, on the AP or controller as well as its corresponding entry in the RADIUS Clients section of IAS, as this will cause authentication issues if they don't match.

    Ash.
    Last edited by spc-rocket; 3rd February 2009 at 07:19 PM.

  8. #8

    Quote Originally Posted by ashok View Post
    Hmm, just wondering if your certificate has expired or is coming up to expiration. You can try renewing the certificate to see if it cures this problem.

    Also which cert method are you using?

    1 Enterprise CA
    2 Stand-alone CA
    3 Self-signed Cert

    One other thing you can try is to create a policy for domain computers separately and another separate policy for domain users. Also check that the user has the "control through remote policy" setting enabled on the dial-in tab of the user properties.

    Your domain functional level must be Windows 2000 or 2003 for the above option to be available.

    Also make sure that the shared secret is correct at both ends, on the AP or controller as well as its corresponding entry in the RADIUS Clients section of IAS, as this will cause authentication issues if they don't match.

    Ash.

    Thanks for the replies Ash, I really appreciate it.

    I have an RM CC3 network so we are using the Enterprise CA. The certificate doesn't expire for another 2-3 months. Control through remote policy is on and the shared secret is OK.

    I will try a separate policy.

  9. #9

    Ash, can you tell me if the CA is actually installed on the stations of a CC3 network, or are they on the stations because they are joined to the domain?

    I see they can be pushed out through Group Policy but RM don't do this from what I can see.

  10. #10

    Quote Originally Posted by dirtydogmitchell View Post
    Ash, can you tell me if the CA is actually installed on the stations of a CC3 network, or are they on the stations because they are joined to the domain?

    I see they can be pushed out through Group Policy but RM don't do this from what I can see.

    Hiya,

    On the RM CC3 they have the enterprise CA installed on the forest root server so it does make it easier to request the certificates from the FR server. Because it's an enterprise CA, the root certificate of the CA is automatically copied to all stations that are joined to the domain so you don't need to use the GPO method to roll out the root cert. to stations.

    From memory I think RM calls the certificate authority CA followed by the name of the school, I think, i.e. CA Wakefield School.

    In your configuration on the laptop you should have a tick next to this certificate for it to identify the RADIUS server. The reason for this is that you want to know that the RADIUS server you are connected to is trusted and is not bogus; otherwise there is potential for man-in-the-middle attacks.

    So if you used your enterprise CA to obtain a Cert for your IAS server then you should be okay.

    If you are trying to authenticate stations that are not domain joined then you need to copy the root certificate of the enterprise CA and import it to the station (in the trusted root certification authority store).

    Can you try renewing the certificate to see if it cures the problem? I think it's the cert that's the issue.

    I'm on annual leave from next week for about a month so won't be able to get back to you but do tell me how you get on.

    Ash.

  11. #11

    I re-issued the CA earlier in the week and it has cured the problem on 99% of the laptops. I just have a few random laptops which will not authenticate (a rebuild cures the problem). Strange, because if I manually add the CA or delete the CA on the laptop it still does not work. Another strange thing is these stations have two or three CAs installed. But not to worry as I'm back up and running now thanks to your advice.

    I asked about the certificate because I spoke to an RM tech who is telling me no CA is copied onto the RM stations.

    Thanks again
    Martin
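
The triage this thread works through (a `host/` name means the machine account was denied; a PEAP failure with no EAP type recorded led to the server certificate), as an added example that is not part of the original posts. The sample event is constructed with placeholder names, the function and hint names are hypothetical, and reading `EAP-Type = <undetermined>` as a certificate hint is an assumption drawn from how the thread was resolved.

```python
import re
from collections import Counter

# Constructed sample shaped like the event text in the first post;
# host and domain names are placeholders.
SAMPLE_EVENT = """\
User host/LAPTOP01.example.internal was denied access.
Fully-Qualified-User-Name = example.internal/Staff Notebooks/LAPTOP01
Policy-Name = Wireless Access
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.
"""

def parse_ias_event(text):
    """Split an IAS event description into the headline user and 'Name = value' fields."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"User (\S+) was (denied|granted) access", line)
        if m:
            fields["User"], fields["Result"] = m.group(1), m.group(2)
        elif " = " in line:
            key, value = line.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields

def triage(fields):
    """Return hints for a denied logon, following the checks made in this thread."""
    if fields.get("Result") != "denied":
        return []
    hints = []
    # "host/" marks a computer account: the machine logon failed, not a person's.
    if fields.get("User", "").lower().startswith("host/"):
        hints.append("machine-account")
    # Assumption (from this thread's outcome): PEAP with no inner EAP type recorded
    # is worth a server-certificate check before trusting the Reason text.
    if (fields.get("Authentication-Type") == "PEAP"
            and fields.get("EAP-Type") == "<undetermined>"):
        hints.append("check-server-certificate")
    if fields.get("Reason-Code") == "16":
        hints.append("reason-16")
    return hints

def summarize(events):
    """Count hints across many events; a hint on nearly every event suggests a server-side cause."""
    return Counter(h for e in events for h in triage(parse_ias_event(e)))
```
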
