HELP! Error /w Wireless Client Connecting to Win2003 Server /w IAS, CA

Posted by Christopher C. Welber on November 12, 2005, 4:29 pm

--PROBLEM:

The wireless client [Dell notebook] system goes to authenticate with Windows
2003 server and it looks like the authentication is making it to the server
because we turned logging on and could see that there was some type of
handshaking and access of the Active Directory for the user and then the system
kicks back the following error:

"The client could not be authenticated because the Extensible Authentication
Protocol EAP type can not be processed by the server"

We assume it means the Windows 2003 server.

We have the following configuration [Complete Event Log Error Listed at the
End of This Message]:

--System Configuration

Windows Server 2003 Standard

Configuration:

- Base Server /w Latest MS Updates
- IAS installed
- CA Authority with certificates installed
- This server is part of a multiple-site domain connected through a Cisco
style VPN connection
- Wireless policy is configured both in Active Directory & the IAS wireless
policy component
- There is a wireless group of it given access in the IAS wireless policy we
created and the test user has the Dial-In property enabled with "Control
Access Through Remote Access Policy" radio button selected.
- The Cisco IP is entered as a RADIUS client under IAS service clients tab
and the shared secret password setup.

In the IAS Profile:

- We have all of the authentication methods unchecked, but I think it kicked
out the same error whether we had everything checked or not.
- Everything is checked in the Encryption tab
- In the advanced tab we have service of Radius Standard and framed selected
- Server settings determine IP assignment, but I don't think we're even
making it that far
- No Dial-in constraints selected

In the Wireless policy in Active Directory:

- Networks to access "Access point [infrastructure only] networks only"
- Preferred Networks the access SSID is listed with network authentication
of WPA, data encryption TKIP
- Under IEEE 802.1x tab, EAPOL Start message is "Transmit per IEEE 802.1x",
EAP type is "Protected EAP [PEAP]" [under these settings the certificate is
correctly selected we believe that was assigned to the server when we
created the CA, authentication method is EAP-MSCHAP v2]

Cisco Aironet 1100 Wireless Access Unit

Configuration:

RADIUS server is set to be the server /w shared secret password setup

PAP, TKIP are enabled on the wireless access point

Dell Notebook:

Configuration

/w wireless adapter enabled for WPA

Error Log Event Properties of the error are:

Source: IAS
Event ID: 2
Type: Warning
NAS IP: 10.10.10.5 [The Cisco Equipment]
Client IP: 10.10.10.5
NAS PORT Type: 802.11
NAS PORT 1042
Proxy-Policy Name: Use Windows authentication for all users
Authentication Provide: Windows
Authentication-Server = <undetermined>
Policy-name = Gws-wireless [this is the policy we created in IAS Server]
Reason Code = 22
Reason:
"The client could not be authenticated because the Extensible Authentication
Protocol EAP type can not be processed by the server"

Posted by S. Pidgorny on November 13, 2005, 2:13 am
I would try the wireless rollup hotfix (http://support.microsoft.com/?id=826942)
and/or WPA2/AES. My prime suspect would be TKIP. I suggest enabling EAP
debugging on the Cisco AP (debug dot11 aaa) and IAS logging can also help.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-




Posted by Charlie on November 30, 2005, 9:05 am
Hi,

I'm having the same problem with a similar setup. Any solution to this problem?

The error I am seeing in my event logs is:

Event Type:        Warning
Event Source:        IAS
Event Category:        None
Event ID:        2
Date:                11/30/2005
Time:                9:02:58 AM
User:                N/A
Computer:        WESTWARD
Description:
User username was denied access.
Fully-Qualified-User-Name = my user name
NAS-IP-Address = 192.168.0.128
NAS-Identifier = R035-00022
Called-Station-Identifier = 00-03-52-EB-88-F0
Calling-Station-Identifier = 00-90-4B-17-B7-2C
Client-Friendly-Name = WAC
Client-IP-Address = 192.168.0.128
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Users
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....




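A triage sketch for the IAS Event ID 2 records posted in this thread, added here as an example and not code from any poster: it parses the `Name = value` description, rejoins the wrapped Reason text, and counts Reason-Code 22 denials with an unresolved EAP-Type per NAS and policy. The sample records are constructed from the fields shown above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: Description text of IAS Event ID 2 records, modelled on
# the event quoted in the thread. EVENT_B is an invented contrast record.
EVENT_A = """User username was denied access.
NAS-IP-Address = 192.168.0.128
Policy-Name = Users
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp."""
EVENT_B = EVENT_A.replace("Reason-Code = 22", "Reason-Code = 16")

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")

def parse_ias_description(text):
    """Parse 'Name = value' lines; a wrapped line extends the previous value."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last = None          # a blank line ends a wrapped value
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last:
            fields[last] += " " + line
    return fields

def triage(fields):
    """Reduce one denied request to the fields needed to locate the policy."""
    code = fields.get("Reason-Code", "")
    eap = fields.get("EAP-Type", "<missing>")
    return {"nas": fields.get("NAS-IP-Address"), "policy": fields.get("Policy-Name"),
            "reason_code": int(code) if code.isdigit() else None,
            "eap_type_unresolved": eap.startswith("<")}

def summarize(events):
    """Count reason-22 denials with no resolved EAP type per (NAS, policy)."""
    hits = Counter()
    for f in (triage(parse_ias_description(e)) for e in events):
        if f["reason_code"] == 22 and f["eap_type_unresolved"]:
            hits[(f["nas"], f["policy"])] += 1
    return hits
```

The Policy-Name in each hit names the remote access policy that matched the request; its profile is where the permitted EAP types are set.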