WLAN Security WPA EAP/TLS. Authentication Failed error

Posted by Steve Halvorson on March 6, 2008, 10:04 am
I am setting up WLAN to secure our wireless network. I plan to use 802.1x
EAP/TLS with certificates for the client machine and user. My issuing
certificate server is Windows 2003 Enterprise and I have the certificates set
to Autoenroll the machines in the correct AD group. When I check the
machines, they appear to have the correct certificates installed. The AP is
set for 802.1x and is pointed to the radius server. The radius server has
the AP as a client. However, when trying to connect to the AP, I get a
"Windows was unable to log you into the network" error after the initial
connection to the AP. Ipconfig shows an ip address of 0.0.0.0. I need some
help troubleshooting this issue. I've included some of the radius server log
below but I don't see any obvious problems.

Radius Server Log.
"RAD1","IAS",03/04/2008,00:00:01,1,"me@mydomain.net","mydomain.net/InformationTechnology/me","00-1c-f0-59-df-d1","00-13-02-1e-98-44",,,"DWL-3140_WLS_SW","0.0.0.0",0,0,"10.1.0.101","AP_1",,,19,,,,5,"Connections
to other access servers",0,"311 1 10.1.0.28 02/29/2008 18:01:15
31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all
users",1,,,,
"RAD1","IAS",03/04/2008,00:00:01,3,,"mydomain.net/InformationTechnology/Me",,,,,,,,0,"10.1.0.101","AP_1",,,,,,,5,"Connections
to other access servers",66,"311 1 10.1.0.28 02/29/2008 18:01:15
31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all
users",1,,,,

I am really scratching my head on how to tell where the process is failing
so any help would be greatly appreciated.

Steve Halvorson
Preferred Credit, Inc

Posted by Jian-Ping Zhu [MSFT] on March 7, 2008, 5:48 am
Hello,

Thanks for your post.

It seems that there are some authentication or IAS access policy
configuration issues.

Firstly, I would like to know the following info:

1. How did you configure the Wireless Network? Are you referring to any of
the Microsoft articles on securing wireless networks? For your convenience, I
include some articles as follows:
Providing Secure Wireless Services
<http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_8.mspx>
IEEE 802.1X Authentication for Wireless Connections:
<http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx>
To define 802.1X authentication for wireless networks in Group Policy:
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/define_8021x_inGP.asp>

2. Which authentication protocol are the Remote Access Policies using?
CHAP, MSCHAP, MSCHAP V2, or EAP? Please open IAS, open the Remote Access
Policy, click the Edit Profile button, go to Authentication tab, press
PrScrn key on the keyboard, paste it in MSPAINT application and email to me.

3. If there is one, what is the error message that appears on the client
computer when the Wireless connection failed? Please press PrScrn key when
the error message occurs, paste it in MSPAINT application and email to me.

During IAS access, after the wireless client contacted the AP and sent the
logon credential to the AP, the AP, which is also known as IAS client will
contact the IAS for validation. If the shared secret between the IAS client
matches the one stored in IAS Server, IAS client will then forward the
logon info to the IAS Server for validation. The logon info contains a list
of requirements that must be met to allow access for the user. This list of
requirements can include verification of the password, and it can also
specify whether the user is allowed access.

Regarding this issue, we need to firstly check out if it is a problem about
the communication between IAS Client and the IAS Server or if the issue
occurs on Logon info validation.

So, please do the following and provide me with the log files for research:

1. IAS Logging:
============

Go to IAS Server, go to command prompt and type the following command
"netsh ras set tracing * enable" (without the quotation marks).
Repro the issue and then, compress and email me with the C:\windows\debug
folder.

2. Networking Edition MPS_Report log:
=============================

Download the Network Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\network\bin\cab directory.

3. Directory Edition of MPS_Report log:
==============================

If the wireless client PC is in a domain environment, please download the
Directory Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE>, run it on one of your DCs. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\Setup\Lite\Cab directory.

4. Event log from client computer:
==========================

a. On the wireless client computer, click Start -> Run, type EVENTVWR and
click OK.
b. Right click Application event, select "Save Log File As...", save it as
.evt file, email it to me.
c. Export the System event log and email to me too.

You can send the log files to me at v-jpzhu@microsoft.com <mailto:
v-jpzhu@microsoft.com>.

Thanks for your time and I look forward to hearing from you. : )

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
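
The triage the reply above asks for (did the request reach IAS, or did logon validation reject it) can be read from the two IAS log records in the first post. The Python below is an added example, not code from the thread or from Microsoft; it assumes the IAS database-compatible log layout, uses illustrative function names, and embeds the leading fields of those two records with the wrapped lines rejoined and the trailing fields omitted.

```python
import csv
import io

# Field positions (0-based) in the IAS database-compatible log format.
FIELDS = {"packet_type": 4, "user": 5, "client_name": 16,
          "nas_port_type": 19, "auth_type": 23, "policy": 24, "reason": 25}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "11": "Access-Challenge"}
AUTH_TYPES = {"1": "PAP", "2": "CHAP", "3": "MS-CHAP", "4": "MS-CHAP v2",
              "5": "EAP", "11": "PEAP"}
REASONS = {
    "0": "success",
    "16": "authentication failed: credentials mismatch",
    "48": "no remote access policy matched",
    "65": "remote access permission denied for the account",
    "66": "authentication method not enabled on the matching policy",
}

# Leading fields of the two records quoted in the post, wrapped lines
# rejoined; the trailing (mostly empty) fields are omitted here.
SAMPLE = '''\
"RAD1","IAS",03/04/2008,00:00:01,1,"me@mydomain.net","mydomain.net/InformationTechnology/me","00-1c-f0-59-df-d1","00-13-02-1e-98-44",,,"DWL-3140_WLS_SW","0.0.0.0",0,0,"10.1.0.101","AP_1",,,19,,,,5,"Connections to other access servers",0
"RAD1","IAS",03/04/2008,00:00:01,3,,"mydomain.net/InformationTechnology/Me",,,,,,,,0,"10.1.0.101","AP_1",,,,,,,5,"Connections to other access servers",66
'''

def decode(log_text):
    """Return one dict per record with the triage-relevant fields decoded."""
    out = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) <= FIELDS["reason"]:
            continue  # truncated or blank line: not enough fields to decode
        rec = {name: row[i] for name, i in FIELDS.items()}
        rec["packet_type"] = PACKET_TYPES.get(rec["packet_type"], rec["packet_type"])
        rec["auth_type"] = AUTH_TYPES.get(rec["auth_type"], rec["auth_type"])
        rec["reason_text"] = REASONS.get(rec["reason"], "reason code " + rec["reason"])
        out.append(rec)
    return out

def triage(records):
    """Say whether requests arrived and, if rejected, by which policy and why."""
    arrived = any(r["packet_type"] == "Access-Request" for r in records)
    rejects = [r for r in records if r["packet_type"] == "Access-Reject"]
    return {"request_reached_ias": arrived,
            "rejected_by": [(r["policy"], r["auth_type"], r["reason_text"])
                            for r in rejects]}

if __name__ == "__main__":
    print(triage(decode(SAMPLE)))
```

On the two records from the post this reports an Access-Request logged for client AP_1, followed by an Access-Reject for an EAP request under the policy "Connections to other access servers" with reason code 66.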


Posted by Steve Halvorson on March 7, 2008, 5:14 pm
Thanks. I'll gather the info and email it to you.
--
Steve Halvorson
Preferred Credit, Inc



Posted by Steve Halvorson on March 7, 2008, 5:24 pm
By the way - I used the Midsize Security Guidance - Secure Wireless Access
Point Configuration as a guide to setting up the network.
--
Steve Halvorson
Preferred Credit, Inc



Posted by Jian-Ping Zhu [MSFT] on March 10, 2008, 5:22 am
Hello,

Thank you for your feedback.

I haven't received the mail from you up till now. I wonder whether you have
already sent me the mail or you will send it after you finish gathering the
logs and screenshot.

I have created a workspace for you to upload information files in case
that the log files are large. After you finish gathering all the
information I need, please zip all the files, name the zip package using
your name and upload to the following space:

<https://sftus.one.microsoft.com/ChooseTransfer.aspx?key=6dac5fc0-fc5b-4c03-8ecd-493ff0e71577>

Password: < PayV567Qn#>

Please post a quick note in this thread so that I can check the workspace
timely.

Thank you for your assistance and I look forward to hearing from you soon.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center


