IAS question

Status
Not open for further replies.

sgwisby

Technical User
Joined
Apr 13, 2005
Messages
148
Location
US
I registered a cert for secure WLAN access to our network and registered IAS with AD. When we try to connect, the event logs tell us that the username and/or password is incorrect. The logs show the AP, the username from AD and the RADIUS server; however, it shows the Authentication Server = undetermined.
The IASSAM.log has the following error message after validating the username against AD:

[3060] 07-21 16:19:26:284: RasEapMakeMessage failed: The credentials supplied to the package were not recognized
[3060] 07-21 16:19:26:284: Caught COM exception: The credentials supplied to the package were not recognized

Any ideas will be greatly appreciated.
Thanks
David
 
I have tested both PEAP & EAP-TLS and have this working. I have looked in event viewer on my IAS server and when a user authenticates I see the following event:

User DOMAIN\test-user was granted access.
Fully-Qualified-User-Name = domain.com/Users/test-user
NAS-IP-Address = 192.168.1.1
NAS-Identifier = ap1100
Client-Friendly-Name = ap1100
Client-IP-Address = 192.168.1.1
Calling-Station-Identifier = 000b.6b51.aaaa
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 268
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Policy
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate

Are you sure you have your IAS server configured correctly and your APs configured as clients, etc.?

Andy
 
As far as the IAS configuration, I followed Microsoft's instructions to set it up and am fairly confident it is set up properly.
Here is what the event log is recording: (Names changed to protect the innocent.)

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 10/25/2005
Time: 4:09:57 PM
User: N/A
Computer: AURORA
Description:
User bfox was denied access.
Fully-Qualified-User-Name = xxx.net.xxx.edu/Accounts/Employees/xxxx
NAS-IP-Address = xxx.xxx.191.190
NAS-Identifier = out-test
Called-Station-Identifier = 001360116a00
Calling-Station-Identifier = 009096aa160c
Client-Friendly-Name = out-test
Client-IP-Address = xxx.xxx.191.190
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 625
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Access
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 16
Reason = Authentication was not successful because an unknown user name or incorrect password was used.

We used the proper credentials but still get this error.
It appears that AD is validating the user, but at some point authentication fails.
I have tried just about everything to resolve this to no avail.
Can anyone help?
Thanks
David
 
Also, here is info from the IASSAM.log file indicating that AD can validate the username.

[3060] 07-21 16:19:26:268: NT-SAM Names handler received request with user identity jdoe.
[3060] 07-21 16:19:26:268: Prepending default domain.
[3060] 07-21 16:19:26:268: NameMapper::prependDefaultDomain
[3060] 07-21 16:19:26:268: SAM-Account-Name is "OUHSC\jdoe".
[3060] 07-21 16:19:26:268: NT-SAM Authentication handler received request for OUHSC\jdoe.
[3060] 07-21 16:19:26:268: Validating Windows account OUHSC\jdoe.
[3060] 07-21 16:19:26:268: Sending LDAP search to dcname.xxx.net.xx.edu.
[3060] 07-21 16:19:26:268: Successfully validated account.
[3060] 07-21 16:19:26:268: NT-SAM User Authorization handler received request for OUHSC\jdoe.
[3060] 07-21 16:19:26:268: Using native-mode dial-in parameters.
[3060] 07-21 16:19:26:268: Sending LDAP search to dcname.xxx.net.xx.edu.
[3060] 07-21 16:19:26:284: Successfully retrieved per-user attributes.
[3060] 07-21 16:19:26:284: NT-SAM EAP handler received request.
[3060] 07-21 16:19:26:284: No State attribute present. Creating new session.
[3060] 07-21 16:19:26:284: Allowed EAP type: 25
[3060] 07-21 16:19:26:284: Successfully created new EAP session for user OUHSC\jdoe.
[3060] 07-21 16:19:26:284: Setting max. packet length to 1396.
[3060] 07-21 16:19:26:284: RasEapMakeMessage failed: The credentials supplied to the package were not recognized
[3060] 07-21 16:19:26:284: Caught COM exception: The credentials supplied to the package were not recognized

It appears to be failing between the authentication protocol and the access point.
Any assistance will be greatly appreciated as we need to get this secure wireless project completed.
Thanks
David
 
Your users have got 'Dial-in' enabled in the user properties in AD haven't they?

Andy
 
Thanks for the response Andy. I looked at the user properties in AD but did not find anything related to 'Dial-in'. Could you be more specific? The IAS server is for setting up secure and non-secure Wireless access.
Again Thanks,
David
 
Open Active Directory Users & Computers, select the user and click Properties. There should be a Dial-in tab; make sure that 'Allow Access' is enabled.

HTH

Andy
 
There are no Dial-in tabs in AD associated with user properties.
I checked a particular log file (rastls.log) and noticed the following:

[3060] 16:19:26:284: EapTlsBegin(OUHSC\jdoe)
[3060] 16:19:26:284: SetupMachineChangeNotification
[3060] 16:19:26:284: State change to Initial
[3060] 16:19:26:284: EapTlsBegin: Detected PEAP authentication
[3060] 16:19:26:284: MaxTLSMessageLength is now 16384
[3060] 16:19:26:284: CRYPT_E_NO_REVOCATION_CHECK will not be ignored
[3060] 16:19:26:284: CRYPT_E_REVOCATION_OFFLINE will not be ignored
[3060] 16:19:26:284: The root cert will not be checked for revocation
[3060] 16:19:26:284: The cert will be checked for revocation
[3060] 16:19:26:284: EapPeapBegin done
[3060] 16:19:26:284: EapPeapMakeMessage
[3060] 16:19:26:284: EapPeapSMakeMessage
[3060] 16:19:26:284: PEAP:PEAP_STATE_INITIAL
[3060] 16:19:26:284: EapTlsSMakeMessage
[3060] 16:19:26:284: EapTlsReset
[3060] 16:19:26:284: State change to Initial
[3060] 16:19:26:284: GetCredentials
[3060] 16:19:26:284: Flag is Server and Store is local Machine
[3060] 16:19:26:284: GetCachedCredentials Flags = 0x4061
[3060] 16:19:26:284: No Cert Name. Guest access requested
[3060] 16:19:26:284: AcquireCredentialsHandle failed and returned 0x8009030d
[3060] 16:19:26:284: EapPeapSMakeMessage done
[3060] 16:19:26:284: EapPeapMakeMessage done
[3060] 16:19:26:284: EapPeapEnd
[3060] 16:19:26:284: EapTlsEnd
[3060] 16:19:26:284: EapTlsEnd(ouhsc\jdoe)
[3060] 16:19:26:284: EapPeapEnd done

Note that when it does a GetCredentials, the return is

[3060] 16:19:26:284: GetCachedCredentials Flags = 0x4061
[3060] 16:19:26:284: No Cert Name. Guest access requested
[3060] 16:19:26:284: AcquireCredentialsHandle failed and returned 0x8009030d

What would cause it to not return the cert name?
Thanks
David
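As an added example (not code from the thread or from Microsoft), a small Python triage script that parses the IAS event fields and the rastls.log trace quoted above and correlates them: SSPI status 0x8009030d is SEC_E_UNKNOWN_CREDENTIALS, and because it is raised while the server is loading its own TLS credentials ("Flag is Server and Store is local Machine"), the event's Reason-Code 16 ("unknown user name or incorrect password") does not point at the user's password. The sample event body and trace lines are constructed from the posts above; the verdict strings are my own labels.

```python
import re
from typing import Dict, List, Optional
# One trace line from IASSAM.log / rastls.log: "[pid] [MM-DD ]HH:MM:SS:ms: message"
TRACE_LINE = re.compile(r"^\[\d+\]\s+(?:\d\d-\d\d\s+)?\d\d:\d\d:\d\d:\d+:\s*(.*)$")
HRESULT = re.compile(r"AcquireCredentialsHandle failed and returned (0x[0-9A-Fa-f]+)")
SSPI_STATUS = {0x8009030D: "SEC_E_UNKNOWN_CREDENTIALS"}  # documented SSPI status code

# Constructed sample input: IAS event body and rastls.log lines as quoted in the thread.
IAS_EVENT = """User bfox was denied access.
Authentication-Server = <undetermined>
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 16"""
RASTLS_LOG = """[3060] 16:19:26:284: EapTlsBegin: Detected PEAP authentication
[3060] 16:19:26:284: Flag is Server and Store is local Machine
[3060] 16:19:26:284:GetCachedCredentials Flags = 0x4061
[3060] 16:19:26:284: No Cert Name. Guest access requested
[3060] 16:19:26:284: AcquireCredentialsHandle failed and returned 0x8009030d"""

def parse_ias_event(text: str) -> Dict[str, str]:
    # Turn the "Name = value" lines of the event description into a dict.
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " = " in line:
            key, value = line.split(" = ", 1)
            fields[key.strip()] = value.strip()
    return fields

def parse_trace(text: str) -> List[str]:
    # Keep only the message part; tolerates the missing space after the timestamp.
    matches = (TRACE_LINE.match(line) for line in text.splitlines())
    return [m.group(1) for m in matches if m]

def triage(event_text: str, trace_text: str) -> Dict[str, Optional[str]]:
    # Correlate the IAS event with the EAP trace to say which side actually failed.
    event, messages = parse_ias_event(event_text), parse_trace(trace_text)
    result: Dict[str, Optional[str]] = {
        "reason_code": event.get("Reason-Code"), "eap_type": event.get("EAP-Type"),
        "hresult": None, "sspi_status": None, "verdict": "inconclusive"}
    for msg in messages:
        if hit := HRESULT.search(msg):
            result["hresult"] = hit.group(1).lower()
            result["sspi_status"] = SSPI_STATUS.get(int(hit.group(1), 16), "unknown")
    if (result["hresult"] and "Flag is Server and Store is local Machine" in messages
            and "No Cert Name. Guest access requested" in messages):
        # TLS failed loading the server's own credentials before any password check, so Reason-Code 16 misleads.
        result["verdict"] = "server-side TLS credential (certificate) acquisition failed"
    elif result["reason_code"] == "16":
        result["verdict"] = "user credential rejected"
    return result
```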
 
Anybody have any ideas?
Thanks
David
 
Problem solved, wireless card config was the issue.
 