IAS server blues (Can't get 802.1x to work)

[Guest Steve Halvorson]

I am deploying a new Wireless LAN with DLINK's DES1228 Managed Wireless AP

Switch and DWL 3140 Access points. The connection initiates and then fails

on authentication. This is 802.1x with WPA, EAP and AES. Certificate

services have been deployed to authenticate the machines as well as the users

and it appears that the certificates are deploying correctly. The event

viewer shows...

 

Event Type: Warning

Event Source: IAS

Event Category: None

Event ID: 2

Date: 5/8/2008

Time: 11:53:16 AM

User: N/A

Computer: RAD1

Description:

User Max was denied access.

Fully-Qualified-User-Name = MyDomain.net/InformationTechnology/Maxwell J.

Smart

NAS-IP-Address = 0.0.0.0

NAS-Identifier = DWL-3140_WLS_SW

Called-Station-Identifier = 00-1e-58-2c-0a-72

Calling-Station-Identifier = 00-16-6f-07-69-d5

Client-Friendly-Name = AP_8

Client-IP-Address = 10.1.0.197

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 0

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = Connections to other access servers

Authentication-Type = EAP

EAP-Type = Smart Card or other certificate

Reason-Code = 23

Reason = Unexpected error. Possible error in server or client configuration.

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

Data:

0000: 27 03 09 80 '..�

 

--

IAS Log Sample

0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,4154,Use Windows authentication for all users,4136,4,4142,0

0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use

Windows authentication for all

users,4129,MyDomain\Max,4127,5,4149,Connections to other access

servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other

certificate,4130,MyDomain.net/InformationTechnology/Maxwell J.

Smart,4136,1,4142,0

0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28

05/08/2008 13:41:55 108,4132,Smart Card or other

certificate,4130,MyDomain.net/InformationTechnology/Maxwell J.

Smart,4149,Connections to other access

servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication

for all users,4129,MyDomain\Max,4136,3,4142,23

The log files for IAS show similar

 

This was setup using the "Secure Wireless Access Point Configuration" guide.

 

I found the guide for interpreting IAS logs but just my luck Unknown error

23 is just that - unknown (someday I hope to get a known error) This appears

to be an authentication failure note that in the IAS log code 4136 has the

value of 3 which is user access denied. I need to figure out why the user

access is being denied. any help will be greatly apprecated.

 

Steve

[Guest Meinolf Weber]

Re: IAS server blues (Can't get 802.1x to work)

 

Hello Steve,

 

Did you check this one, even if the error code is different, because you

are also using certificates:

http://support.microsoft.com/kb/838502

 

Best regards

 

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers

no rights.

** Please do NOT email, only reply to Newsgroups

** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Reason-Code = 23

>

[Guest Miles Li [MSFT]]

Re: IAS server blues (Can't get 802.1x to work)

 

Hello Steve,

 

Thanks for your post.

 

For Reason Code 23 is a generic unexpected error that can't be sorted, we

can't get more information about the reason of the error from it.

 

Reason-Code = 23

SymbolicName = IASP_UNEXPECTED_EAP_ERROR

error. Possible error in server or client configuration

 

Possible reasons to this could be the corruption in the Access Point or an

expired Certificate. Please check the certificates on IAS and clients.

 

To troubleshoot the issue, we usually need to spend quite some time to

perform steps to find the problem causer due to complexity on technical

side. I appreciate your understanding and cooperation during the

troubleshooting process.

 

If this issue is urgent, we highly recommend you contact Microsoft Product

Support Services so that a dedicated support professional can resolve the

issue for you in the most efficient way. The Public Partner Newsgroup

Support is mainly for non-urgent break fix issues where a response within

24-hours is acceptable.

 

http://support.microsoft.com/?LN=en-us&scid=gp%3Ben-us%3Bofferprophone&x=3&y

=11

 

http://support.microsoft.com/common/international.aspx

 

For further investigation, could you please collect these information and

send to me?

 

1) Network Monitor trace on the IAS server to get the EAP message:

============

 

Download the NetMon3.1 from the following link:

http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-

8d17-2f6dde7d7aac&DisplayLang=en

 

 

2) IAS Logging:

============

 

Go to IAS Server, go to command prompt and type the following command

"netsh ras set tracing * enable" (without the quotation marks).

Repro the issue and then, compress and email me with the C:\winodws\debug

folder.

 

3) Networking Edition MPS_Report log:

============

 

Download the Network Edition of MPS_Report tool from

<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd

915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the

%COMPUTERNAME%_MPSReports_.CAB file which is under the

%systemroot%\MPSReports\network\bin\cab directory.

 

4) Directory Edition of MPS_Report log:

============

 

Download the Directory Edition of MPS_Report tool from

<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd

915706/MPSRPT_DirSvc.EXE>, run it on the SBS Server. Email me the

%COMPUTERNAME%_MPSReports_.CAB file which is under the

%systemroot%\MPSReports\Setup\Lite\Cab directory.

 

5) Event log from client computer:

============

 

a. On the wireless client computer, click Start -> Run, type EVENTVWR and

click OK.

b. Right click Application event, select ?Save Log File As???, save it as

.evt file, email it to me.

c. Export the System event log and email to me too.

 

 

Please send files and logs to tfwst@microsoft.com

 

Note:

 

a. Please include the following three lines for this issue in the email

body:

 

IAS server blues (Can't get 802.1x to work)

Newsgroup # 41961931

Miles Li - MSFT

 

b. We will continue to discuss the issue here in the newsgroup and will NOT

reply via emails.

 

c. Pease post a quick note in the current thread to inform me after sending

the email.

 

Thanks.

 

 

Sincerely,

Miles Li

 

Microsoft Online Partner Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

[Guest Steve Halvorson]

RE: IAS server blues (Can't get 802.1x to work)

 

Updated Information....

I am no longer getting the "23" error. I repulled the certificates for the

clients.

However, that does not mean that we are up and functioning yet. I am now

having a problem with pulling DHCP once the system has completed a reboot.

Pulling an IP address during reboot appears to work correctly, but when the

Intel adapter attempts to refresh the IP address it fails as if it cannot

talk to the DHCP server. Applying a static IP address to the machine appears

to make the wireless connection function properly. I believe it is getting

an initial IP address from DHCP because the utlility bxinfo displays an IP

address on the desktop.

 

Any Ideas what could be causing this issue?

 

This is a Intel PRO 2200 BG Adapter running on Windows XP SP2

--

Steve Halvorson

Preferred Credit, Inc

 

 

"Steve Halvorson" wrote:

> I am deploying a new Wireless LAN with DLINK's DES1228 Managed Wireless AP

> Switch and DWL 3140 Access points. The connection initiates and then fails

> on authentication. This is 802.1x with WPA, EAP and AES. Certificate

> services have been deployed to authenticate the machines as well as the users

> and it appears that the certificates are deploying correctly. The event

> viewer shows...

>

> Event Type: Warning

> Event Source: IAS

> Event Category: None

> Event ID: 2

> Date: 5/8/2008

> Time: 11:53:16 AM

> User: N/A

> Computer: RAD1

> Description:

> User Max was denied access.

> Fully-Qualified-User-Name = MyDomain.net/InformationTechnology/Maxwell J.

> Smart

> NAS-IP-Address = 0.0.0.0

> NAS-Identifier = DWL-3140_WLS_SW

> Called-Station-Identifier = 00-1e-58-2c-0a-72

> Calling-Station-Identifier = 00-16-6f-07-69-d5

> Client-Friendly-Name = AP_8

> Client-IP-Address = 10.1.0.197

> NAS-Port-Type = Wireless - IEEE 802.11

> NAS-Port = 0

> Proxy-Policy-Name = Use Windows authentication for all users

> Authentication-Provider = Windows

> Authentication-Server = <undetermined>

> Policy-Name = Connections to other access servers

> Authentication-Type = EAP

> EAP-Type = Smart Card or other certificate

> Reason-Code = 23

> Reason = Unexpected error. Possible error in server or client configuration.

>

> For more information, see Help and Support Center at

> http://go.microsoft.com/fwlink/events.asp.

> Data:

> 0000: 27 03 09 80 '..�

>

> --

> IAS Log Sample

> 0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,4154,Use Windows authentication for all users,4136,4,4142,0

> 0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use

> Windows authentication for all

> users,4129,MyDomain\Max,4127,5,4149,Connections to other access

> servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other

> certificate,4130,MyDomain.net/InformationTechnology/Maxwell J.

> Smart,4136,1,4142,0

> 0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28

> 05/08/2008 13:41:55 108,4132,Smart Card or other

> certificate,4130,MyDomain.net/InformationTechnology/Maxwell J.

> Smart,4149,Connections to other access

> servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication

> for all users,4129,MyDomain\Max,4136,3,4142,23

> The log files for IAS show similar

>

> This was setup using the "Secure Wireless Access Point Configuration" guide.

>

> I found the guide for interpreting IAS logs but just my luck Unknown error

> 23 is just that - unknown (someday I hope to get a known error) This appears

> to be an authentication failure note that in the IAS log code 4136 has the

> value of 3 which is user access denied. I need to figure out why the user

> access is being denied. any help will be greatly apprecated.

>

> Steve

[Guest Miles Li [MSFT]]

RE: IAS server blues (Can't get 802.1x to work)

 

Hello Steve,

 

I am sorry for the delayed response. According to your reply, it seems that

the original IAS issue has been resolved now and you are currently

experiencing a client DHCP IP address renew problem.

 

First of all, please install the latest Windows XP service pack and the

latest NIC driver from the manufacturer and then check how it works.

 

How to obtain the latest Windows XP service pack

http://support.microsoft.com/kb/322389/

 

 

Please run "ipconfig /renew" to attempt to get a IP address lease from the

DHCP server and then run the "ipconfig /all" command to check whether you

receive an invalid IP address such as APIPA address (169.254.X.X).

 

To trouble the general wireless network issues you may refer to:

 

How to troubleshoot wireless network connections in Windows XP Service Pack

2

http://support.microsoft.com/default.aspx?scid=kb;en-us;870702

 

If this problem continues, please answer the following questions:

 

1. What is acting as the DHCP server in the network, a router or Microsoft

DHCP server?

2. What error do you receive when you try to renew the IP address? Please

let us know the exact error WORD BY WORD.

3. Does this issue happen on all clients or just some specific clients?

Does this issue only happen on clients which use the Intel PRO 2200 BG

adapter?

4. Does this issue exist on all clients which use Intel PRO 2200 BG

adapter?

 

By the way, we generally focus on one question per post in the newsgroups.

This will also make the thread more clear and consistent for your

reference. As the DHCP issue is different from the original IAS problem, I

suggest that you open a new thread for this issue and include answers to

our questions if the problem continues. Thank you for your understanding.

 

Sincerely,

Miles Li

 

Microsoft Online Partner Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

[Guest Miles Li [MSFT]]

RE: IAS server blues (Can't get 802.1x to work)

 

Hello Steve,

 

I am just writing in to check the problem status with you. Please have a

sure that we can keep on monitoring this issue, and once there is any

questions in the further we still be able to reopen the case at any time.

Please kindly let m know your idea about it.

 

Thanks for your time.

 

 

Sincerely,

Miles Li

 

Microsoft Online Partner Support

Microsoft Global Technical Support Center

 

Get Secure! - http://www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so

that others may learn and benefit from your issue.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.