Guest Steve Halvorson Posted May 8, 2008 Posted May 8, 2008 I am deploying a new Wireless LAN with DLINK's DES1228 Managed Wireless AP Switch and DWL 3140 Access points. The connection initiates and then fails on authentication. This is 802.1x with WPA, EAP and AES. Certificate services have been deployed to authenticate the machines as well as the users and it appears that the certificates are deploying correctly. The event viewer shows... Event Type: Warning Event Source: IAS Event Category: None Event ID: 2 Date: 5/8/2008 Time: 11:53:16 AM User: N/A Computer: RAD1 Description: User Max was denied access. Fully-Qualified-User-Name = MyDomain.net/InformationTechnology/Maxwell J. Smart NAS-IP-Address = 0.0.0.0 NAS-Identifier = DWL-3140_WLS_SW Called-Station-Identifier = 00-1e-58-2c-0a-72 Calling-Station-Identifier = 00-16-6f-07-69-d5 Client-Friendly-Name = AP_8 Client-IP-Address = 10.1.0.197 NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = 0 Proxy-Policy-Name = Use Windows authentication for all users Authentication-Provider = Windows Authentication-Server = <undetermined> Policy-Name = Connections to other access servers Authentication-Type = EAP EAP-Type = Smart Card or other certificate Reason-Code = 23 Reason = Unexpected error. Possible error in server or client configuration. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Data: 0000: 27 03 09 80 '..� -- IAS Log Sample 0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,4154,Use Windows authentication for all users,4136,4,4142,0 0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4127,5,4149,Connections to other access servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4136,1,4142,0 0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4149,Connections to other access servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4136,3,4142,23 The log files for IAS show similar This was setup using the "Secure Wireless Access Point Configuration" guide. I found the guide for interpreting IAS logs but just my luck Unknown error 23 is just that - unknown (someday I hope to get a known error) This appears to be an authentication failure note that in the IAS log code 4136 has the value of 3 which is user access denied. I need to figure out why the user access is being denied. any help will be greatly apprecated. Steve
Guest Meinolf Weber Posted May 9, 2008 Posted May 9, 2008 Re: IAS server blues (Can't get 802.1x to work) Hello Steve, Did you check this one, even if the error code is different, because you are also using certificates: http://support.microsoft.com/kb/838502 Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm > Reason-Code = 23 >
Guest Miles Li [MSFT] Posted May 9, 2008 Posted May 9, 2008 Re: IAS server blues (Can't get 802.1x to work) Hello Steve, Thanks for your post. For Reason Code 23 is a generic unexpected error that can't be sorted, we can't get more information about the reason of the error from it. Reason-Code = 23 SymbolicName = IASP_UNEXPECTED_EAP_ERROR error. Possible error in server or client configuration Possible reasons to this could be the corruption in the Access Point or an expired Certificate. Please check the certificates on IAS and clients. To troubleshoot the issue, we usually need to spend quite some time to perform steps to find the problem causer due to complexity on technical side. I appreciate your understanding and cooperation during the troubleshooting process. If this issue is urgent, we highly recommend you contact Microsoft Product Support Services so that a dedicated support professional can resolve the issue for you in the most efficient way. The Public Partner Newsgroup Support is mainly for non-urgent break fix issues where a response within 24-hours is acceptable. http://support.microsoft.com/?LN=en-us&scid=gp%3Ben-us%3Bofferprophone&x=3&y =11 http://support.microsoft.com/common/international.aspx For further investigation, could you please collect these information and send to me? 1) Network Monitor trace on the IAS server to get the EAP message: ============ Download the NetMon3.1 from the following link: http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213- 8d17-2f6dde7d7aac&DisplayLang=en 2) IAS Logging: ============ Go to IAS Server, go to command prompt and type the following command "netsh ras set tracing * enable" (without the quotation marks). Repro the issue and then, compress and email me with the C:\winodws\debug folder. 3) Networking Edition MPS_Report log: ============ Download the Network Edition of MPS_Report tool from <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd 915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the %COMPUTERNAME%_MPSReports_.CAB file which is under the %systemroot%\MPSReports\network\bin\cab directory. 4) Directory Edition of MPS_Report log: ============ Download the Directory Edition of MPS_Report tool from <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd 915706/MPSRPT_DirSvc.EXE>, run it on the SBS Server. Email me the %COMPUTERNAME%_MPSReports_.CAB file which is under the %systemroot%\MPSReports\Setup\Lite\Cab directory. 5) Event log from client computer: ============ a. On the wireless client computer, click Start -> Run, type EVENTVWR and click OK. b. Right click Application event, select ?Save Log File As???, save it as .evt file, email it to me. c. Export the System event log and email to me too. Please send files and logs to tfwst@microsoft.com Note: a. Please include the following three lines for this issue in the email body: IAS server blues (Can't get 802.1x to work) Newsgroup # 41961931 Miles Li - MSFT b. We will continue to discuss the issue here in the newsgroup and will NOT reply via emails. c. Pease post a quick note in the current thread to inform me after sending the email. Thanks. Sincerely, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - http://www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
Guest Steve Halvorson Posted May 20, 2008 Posted May 20, 2008 RE: IAS server blues (Can't get 802.1x to work) Updated Information.... I am no longer getting the "23" error. I repulled the certificates for the clients. However, that does not mean that we are up and functioning yet. I am now having a problem with pulling DHCP once the system has completed a reboot. Pulling an IP address during reboot appears to work correctly, but when the Intel adapter attempts to refresh the IP address it fails as if it cannot talk to the DHCP server. Applying a static IP address to the machine appears to make the wireless connection function properly. I believe it is getting an initial IP address from DHCP because the utlility bxinfo displays an IP address on the desktop. Any Ideas what could be causing this issue? This is a Intel PRO 2200 BG Adapter running on Windows XP SP2 -- Steve Halvorson Preferred Credit, Inc "Steve Halvorson" wrote: > I am deploying a new Wireless LAN with DLINK's DES1228 Managed Wireless AP > Switch and DWL 3140 Access points. The connection initiates and then fails > on authentication. This is 802.1x with WPA, EAP and AES. Certificate > services have been deployed to authenticate the machines as well as the users > and it appears that the certificates are deploying correctly. The event > viewer shows... > > Event Type: Warning > Event Source: IAS > Event Category: None > Event ID: 2 > Date: 5/8/2008 > Time: 11:53:16 AM > User: N/A > Computer: RAD1 > Description: > User Max was denied access. > Fully-Qualified-User-Name = MyDomain.net/InformationTechnology/Maxwell J. > Smart > NAS-IP-Address = 0.0.0.0 > NAS-Identifier = DWL-3140_WLS_SW > Called-Station-Identifier = 00-1e-58-2c-0a-72 > Calling-Station-Identifier = 00-16-6f-07-69-d5 > Client-Friendly-Name = AP_8 > Client-IP-Address = 10.1.0.197 > NAS-Port-Type = Wireless - IEEE 802.11 > NAS-Port = 0 > Proxy-Policy-Name = Use Windows authentication for all users > Authentication-Provider = Windows > Authentication-Server = <undetermined> > Policy-Name = Connections to other access servers > Authentication-Type = EAP > EAP-Type = Smart Card or other certificate > Reason-Code = 23 > Reason = Unexpected error. Possible error in server or client configuration. > > For more information, see Help and Support Center at > http://go.microsoft.com/fwlink/events.asp. > Data: > 0000: 27 03 09 80 '..� > > -- > IAS Log Sample > 0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,4154,Use Windows authentication for all users,4136,4,4142,0 > 0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use > Windows authentication for all > users,4129,MyDomain\Max,4127,5,4149,Connections to other access > servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other > certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. > Smart,4136,1,4142,0 > 0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28 > 05/08/2008 13:41:55 108,4132,Smart Card or other > certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. > Smart,4149,Connections to other access > servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication > for all users,4129,MyDomain\Max,4136,3,4142,23 > The log files for IAS show similar > > This was setup using the "Secure Wireless Access Point Configuration" guide. > > I found the guide for interpreting IAS logs but just my luck Unknown error > 23 is just that - unknown (someday I hope to get a known error) This appears > to be an authentication failure note that in the IAS log code 4136 has the > value of 3 which is user access denied. I need to figure out why the user > access is being denied. any help will be greatly apprecated. > > Steve
Guest Miles Li [MSFT] Posted May 28, 2008 Posted May 28, 2008 RE: IAS server blues (Can't get 802.1x to work) Hello Steve, I am sorry for the delayed response. According to your reply, it seems that the original IAS issue has been resolved now and you are currently experiencing a client DHCP IP address renew problem. First of all, please install the latest Windows XP service pack and the latest NIC driver from the manufacturer and then check how it works. How to obtain the latest Windows XP service pack http://support.microsoft.com/kb/322389/ Please run "ipconfig /renew" to attempt to get a IP address lease from the DHCP server and then run the "ipconfig /all" command to check whether you receive an invalid IP address such as APIPA address (169.254.X.X). To trouble the general wireless network issues you may refer to: How to troubleshoot wireless network connections in Windows XP Service Pack 2 http://support.microsoft.com/default.aspx?scid=kb;en-us;870702 If this problem continues, please answer the following questions: 1. What is acting as the DHCP server in the network, a router or Microsoft DHCP server? 2. What error do you receive when you try to renew the IP address? Please let us know the exact error WORD BY WORD. 3. Does this issue happen on all clients or just some specific clients? Does this issue only happen on clients which use the Intel PRO 2200 BG adapter? 4. Does this issue exist on all clients which use Intel PRO 2200 BG adapter? By the way, we generally focus on one question per post in the newsgroups. This will also make the thread more clear and consistent for your reference. As the DHCP issue is different from the original IAS problem, I suggest that you open a new thread for this issue and include answers to our questions if the problem continues. Thank you for your understanding. Sincerely, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - http://www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
Guest Miles Li [MSFT] Posted June 3, 2008 Posted June 3, 2008 RE: IAS server blues (Can't get 802.1x to work) Hello Steve, I am just writing in to check the problem status with you. Please have a sure that we can keep on monitoring this issue, and once there is any questions in the further we still be able to reopen the case at any time. Please kindly let m know your idea about it. Thanks for your time. Sincerely, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - http://www.microsoft.com/security ===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
Recommended Posts