IAS and RADIUS Authentication

IT Guy

Hello,

I recently posted a question regarding IAS, RADIUS and
WiFi. The problem I'm having is authenticating via RADIUS
when connecting to an access point. I am hitting the
RADIUS server and get the following IAS message under the
event viewer:

(DOMAIN NAMES & MAC ADDRESSES CONCEALED)

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 6/16/2004
Time: 12:00:52 PM
User: N/A
Computer: *server NETBIOS name*
Description:
User DOMAIN\administrator was denied access.
Fully-Qualified-User-Name = domain.com/Users/Administrator
NAS-IP-Address = 10.100.50.1
NAS-Identifier = D-link Corp. Access Point
Called-Station-Identifier = 00-00-00-00-00-00
Calling-Station-Identifier = 00-00-00-00-00-00
Client-Friendly-Name = 10.100.50.1
Client-IP-Address = 10.100.50.1
NAS-Port-Type = 19
NAS-Port = 1
Policy-Name = Allow dial-in access if dial-in permission is enabled
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized authentication method.


This is using Windows XP. I force a login window to come
up and I can then send a username/password to the server.
It won't authenticate. I have all the authentication
methods checked under the Remote Access Policies. Nothing
works. Also, if I use a Windows 2000 machine, which 95% of
all computers at our business use, I cannot get a login
prompt at all. The wireless card (DLINK DWLG650) only
allows use of a "certificate." How would I implement such
a thing? Getting confused. Any input would be much
appreciated. Thanks in advance.

Jay
 
I'm having the same issue and was hoping someone knew of a
guide on setting up routing and remote access in case I
missed something. I'll let you know if I come up with a
solution.
 
It looks like the problem is that you are using EAP but have not configured
an EAP type in IAS remote access policy.

When using EAP, EAP is viewed as an authentication method into which you
must "plug" an authentication type.

If you want to use passwords only, configure a password-based
authentication type. I haven't used W2K for a while so I don't recall for
certain, but I think you have EAP-MD5 as an option.

If you want to deploy a public key infrastructure (PKI) with a
Certification Authority (CA, aka Certificate Services in Windows 2000
Server), you can do so; however, it can be complicated and you should deploy
in a test lab first. This provides the best security, too.

The key here is in properly configuring IAS remote access policy (see the
product Help) and to make sure that the clients are configured to use the
same authentication method and encryption level. (For example, if clients
are trying to connect with no encryption, as guest, but you don't have
guest access enabled, the connection request is denied.)

Just FYI, you can get a lot more help with IAS and RADIUS questions in the
IAS newsgroup at microsoft.public.internet.radius. If your news server
doesn't carry the group you can access it with the web interface at
microsoft.com Communities.

Hope that helps!


--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
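
Added example, not part of the thread or of any Microsoft tooling: a small parser for the IAS Event ID 2 description quoted in the first post, which rejoins the mail-wrapped lines and flags the combination the reply above points at (EAP negotiated, no EAP type agreed, Reason-Code 66). The function names and the sample text are constructed for illustration; the NAS-Port-Type value 19 is the RFC 2865 code for Wireless - IEEE 802.11.

```python
import re

# Constructed sample: the Event ID 2 description from the thread, with its
# mail-wrapped lines kept to exercise the continuation handling.
SAMPLE_EVENT = """\
User DOMAIN\\administrator was denied access.
Fully-Qualified-User-Name = domain.com/Users/Administrator
NAS-IP-Address = 10.100.50.1
NAS-Port-Type = 19
Policy-Name = Allow dial-in access if dial-in permission
is enabled
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an unauthorized
authentication method.
"""

ATTR = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")


def parse_ias_event(description):
    """Return {attribute: value}; a line without 'Name = ' continues the previous value."""
    attrs, last = {}, None
    for line in description.splitlines():
        line = line.strip()
        m = ATTR.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip()
        elif line and last:
            attrs[last] += " " + line  # rejoin a wrapped value
    return attrs


def triage(attrs):
    """List what the denial tells an administrator to check (hypothetical helper)."""
    notes = []
    if attrs.get("NAS-Port-Type") == "19":  # RFC 2865: Wireless - IEEE 802.11
        notes.append("request came from an 802.11 access point")
    if attrs.get("Authentication-Type") == "EAP" and attrs.get("EAP-Type") == "<undetermined>":
        notes.append("EAP was used but no EAP type was agreed: compare the EAP types "
                     "enabled in policy %r with the client's setting" % attrs.get("Policy-Name"))
    if attrs.get("Reason-Code") == "66":
        notes.append("reason 66: " + attrs.get("Reason", ""))
    return notes
```
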
 