Windows 2003 IAS server blues (Can't get 802.1x to work)


Steve Halvorson

I am deploying a new Wireless LAN with DLINK's DES1228 Managed Wireless AP
Switch and DWL 3140 Access points. The connection initiates and then fails
on authentication. This is 802.1x with WPA, EAP and AES. Certificate
services have been deployed to authenticate the machines as well as the users
and it appears that the certificates are deploying correctly. The event
viewer shows...

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/8/2008
Time: 11:53:16 AM
User: N/A
Computer: RAD1
Description:
User Max was denied access.
Fully-Qualified-User-Name = MyDomain.net/InformationTechnology/Maxwell J. Smart
NAS-IP-Address = 0.0.0.0
NAS-Identifier = DWL-3140_WLS_SW
Called-Station-Identifier = 00-1e-58-2c-0a-72
Calling-Station-Identifier = 00-16-6f-07-69-d5
Client-Friendly-Name = AP_8
Client-IP-Address = 10.1.0.197
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 27 03 09 80 '..€

--
IAS Log Sample
0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,4154,Use Windows authentication for all users,4136,4,4142,0
0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4127,5,4149,Connections to other access servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4136,1,4142,0
0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4149,Connections to other access servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4136,3,4142,23
The log files for IAS show similar

This was set up using the "Secure Wireless Access Point Configuration" guide.

I found the guide for interpreting IAS logs, but just my luck, Unknown error
23 is just that - unknown (someday I hope to get a known error). This appears
to be an authentication failure; note that in the IAS log, code 4136 has the
value of 3, which is user access denied. I need to figure out why the user
access is being denied. Any help will be greatly appreciated.

Steve
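
The record layout Steve reads by hand above (six header fields, then attribute-ID,value pairs, with 4136 = 3 marking the denial) can be checked mechanically. This is an added example, not part of the original post; the attribute labels other than 4136 and reason code 23 are assumptions inferred by matching log values against the Event ID 2 fields, and the function names are hypothetical.

```python
import csv

# Numeric attribute IDs -> labels. 4136 = 3 (access denied) and reason
# code 23 come from the post; the other labels are assumptions inferred by
# matching log values against the fields of the Event ID 2 entry.
ATTR_NAMES = {
    "4108": "Client-IP-Address",
    "4128": "Client-Friendly-Name",
    "4130": "Fully-Qualified-User-Name",
    "4132": "EAP-Type",
    "4149": "Policy-Name",
    "4142": "Reason-Code",
}
PACKET_TYPE, ACCESS_REJECT = "4136", "3"
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

def parse_ias_line(line):
    """Split one record into its six header fields and an id -> value map."""
    fields = next(csv.reader([line]))
    pairs = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(pairs) % 2:
        raise ValueError("truncated or wrapped IAS record")
    record = dict(zip(HEADER, fields))
    record["attrs"] = dict(zip(pairs[0::2], pairs[1::2]))
    return record

def find_rejects(lines):
    """Return a labelled summary of every record whose packet type is 3."""
    found = []
    for line in lines:
        rec = parse_ias_line(line)
        if rec["attrs"].get(PACKET_TYPE) != ACCESS_REJECT:
            continue
        summary = {k: rec[k] for k in ("user", "date", "time")}
        summary.update({name: rec["attrs"].get(attr_id, "")
                        for attr_id, name in ATTR_NAMES.items()})
        found.append(summary)
    return found

# Two records from the post, with the newsreader line wraps rejoined.
SAMPLE = [
    r"0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,"
    r"4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,"
    r"4154,Use Windows authentication for all users,4136,4,4142,0",
    r"0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28 "
    r"05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,"
    r"MyDomain.net/InformationTechnology/Maxwell J. Smart,4149,Connections to "
    r"other access servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows "
    r"authentication for all users,4129,MyDomain\Max,4136,3,4142,23",
]

if __name__ == "__main__":
    for reject in find_rejects(SAMPLE):
        print(reject)
```

A record that was wrapped in transit, as in the pasted sample, fails the pair-count check and raises instead of being silently misread.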
 
Hello Steve,

Thanks for your post.

Reason Code 23 is a generic unexpected error that can't be sorted; we
can't get more information about the reason for the error from it.

Reason-Code = 23
SymbolicName = IASP_UNEXPECTED_EAP_ERROR
error. Possible error in server or client configuration

Possible reasons for this could be corruption in the Access Point or an
expired Certificate. Please check the certificates on IAS and clients.

To troubleshoot the issue, we usually need to spend quite some time to
perform steps to find the problem causer due to complexity on technical
side. I appreciate your understanding and cooperation during the
troubleshooting process.

If this issue is urgent, we highly recommend you contact Microsoft Product
Support Services so that a dedicated support professional can resolve the
issue for you in the most efficient way. The Public Partner Newsgroup
Support is mainly for non-urgent break fix issues where a response within
24-hours is acceptable.

http://support.microsoft.com/?LN=en-us&scid=gp;en-us;offerprophone&x=3&y=11

http://support.microsoft.com/common/international.aspx

For further investigation, could you please collect this information and
send it to me?

1) Network Monitor trace on the IAS server to get the EAP message:
============

Download NetMon 3.1 from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en


2) IAS Logging:
============

Go to the IAS Server, open a command prompt and type the following command:
"netsh ras set tracing * enable" (without the quotation marks).
Repro the issue, then compress the C:\windows\debug folder and email it to
me.

3) Networking Edition MPS_Report log:
============

Download the Network Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE>,
run it on the IAS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\network\bin\cab directory.

4) Directory Edition of MPS_Report log:
============

Download the Directory Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE>,
run it on the SBS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\Setup\Lite\Cab directory.

5) Event log from client computer:
============

a. On the wireless client computer, click Start -> Run, type EVENTVWR and
click OK.
b. Right click Application event, select "Save Log File As...", save it as
.evt file, email it to me.
c. Export the System event log and email to me too.


Please send files and logs to tfwst@microsoft.com

Note:

a. Please include the following three lines for this issue in the email
body:

IAS server blues (Can't get 802.1x to work)
Newsgroup # 41961931
Miles Li - MSFT

b. We will continue to discuss the issue here in the newsgroup and will NOT
reply via emails.

c. Please post a quick note in the current thread to inform me after sending
the email.

Thanks.


Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Updated Information....
I am no longer getting the "23" error. I repulled the certificates for the
clients.
However, that does not mean that we are up and functioning yet. I am now
having a problem with pulling DHCP once the system has completed a reboot.
Pulling an IP address during reboot appears to work correctly, but when the
Intel adapter attempts to refresh the IP address it fails as if it cannot
talk to the DHCP server. Applying a static IP address to the machine appears
to make the wireless connection function properly. I believe it is getting
an initial IP address from DHCP because the utility bxinfo displays an IP
address on the desktop.

Any Ideas what could be causing this issue?

This is an Intel PRO 2200 BG Adapter running on Windows XP SP2
--
Steve Halvorson
Preferred Credit, Inc


 
Hello Steve,

I am sorry for the delayed response. According to your reply, it seems that
the original IAS issue has been resolved now and you are currently
experiencing a client DHCP IP address renew problem.

First of all, please install the latest Windows XP service pack and the
latest NIC driver from the manufacturer and then check how it works.

How to obtain the latest Windows XP service pack
http://support.microsoft.com/kb/322389/


Please run "ipconfig /renew" to attempt to get an IP address lease from the
DHCP server and then run the "ipconfig /all" command to check whether you
receive an invalid IP address such as an APIPA address (169.254.X.X).

To troubleshoot general wireless network issues you may refer to:

How to troubleshoot wireless network connections in Windows XP Service Pack 2
http://support.microsoft.com/default.aspx?scid=kb;en-us;870702

If this problem continues, please answer the following questions:

1. What is acting as the DHCP server in the network, a router or Microsoft
DHCP server?
2. What error do you receive when you try to renew the IP address? Please
let us know the exact error WORD BY WORD.
3. Does this issue happen on all clients or just some specific clients?
Does this issue only happen on clients which use the Intel PRO 2200 BG
adapter?
4. Does this issue exist on all clients which use Intel PRO 2200 BG
adapter?

By the way, we generally focus on one question per post in the newsgroups.
This will also make the thread more clear and consistent for your
reference. As the DHCP issue is different from the original IAS problem, I
suggest that you open a new thread for this issue and include answers to
our questions if the problem continues. Thank you for your understanding.

Sincerely,
Miles Li

 
Hello Steve,

I am just writing in to check the problem status with you. Please be
assured that we can keep on monitoring this issue, and if there are any
questions in the future we will still be able to reopen the case at any time.
Please kindly let me know your idea about it.

Thanks for your time.


Sincerely,
Miles Li

 