WLAN Security WPA EAP/TLS. Authentication Failed error


Guest Steve Halvorson

I am setting up WLAN to secure our wireless network. I plan to use 802.1x EAP/TLS with certificates for the client machine and user. My issuing certificate server is Windows 2003 Enterprise and I have the certificates set to Autoenroll the machines in the correct AD group. When I check the machines, they appear to have the correct certificates installed. The AP is set for 802.1x and is pointed to the radius server. The radius server has the AP as a client. However, when trying to connect to the AP, I get a "Windows was unable to log you into the network" error after the initial connection to the AP. Ipconfig shows an ip address of 0.0.0.0. I need some help troubleshooting this issue. I've included some of the radius server log below but I don't see any obvious problems.

Radius Server Log.

"RAD1","IAS",03/04/2008,00:00:01,1,"me@mydomain.net","mydomain.net/InformationTechnology/me","00-1c-f0-59-df-d1","00-13-02-1e-98-44",,,"DWL-3140_WLS_SW","0.0.0.0",0,0,"10.1.0.101","AP_1",,,19,,,,5,"Connections to other access servers",0,"311 1 10.1.0.28 02/29/2008 18:01:15 31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

"RAD1","IAS",03/04/2008,00:00:01,3,,"mydomain.net/InformationTechnology/Me",,,,,,,,0,"10.1.0.101","AP_1",,,,,,,5,"Connections to other access servers",66,"311 1 10.1.0.28 02/29/2008 18:01:15 31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all users",1,,,,

I am really scratching my head on how to tell where the process is failing so any help would be greatly appreciated.

Steve Halvorson
Preferred Credit, Inc


Guest Jian-Ping Zhu [MSFT]

Hello,

Thanks for your post.

It seems that there are some authentication or IAS access policy configuration issues.

Firstly, I would like to know the following info:

1. How did you configure the Wireless Network? Are you referring to any of the Microsoft articles on securing wireless networks? For your convenience, I include some articles as follows:

Providing Secure Wireless Services
<http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_8.mspx>

IEEE 802.1X Authentication for Wireless Connections:
<http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx>

To define 802.1X authentication for wireless networks in Group Policy:
<http://www.microsoft.com/resources/documen.../2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/define_8021x_inGP.asp>

2. Which authentication protocol are the Remote Access Policies using? CHAP, MSCHAP, MSCHAP V2, or EAP? Please open IAS, open the Remote Access Policy, click the Edit Profile button, go to the Authentication tab, press the PrScrn key on the keyboard, paste it in the MSPAINT application and email it to me.

3. If there is one, what is the error message that appears on the client computer when the wireless connection fails? Please press the PrScrn key when the error message occurs, paste it in the MSPAINT application and email it to me.

During IAS access, after the wireless client has contacted the AP and sent the logon credential to the AP, the AP, which is also known as the IAS client, will contact the IAS for validation. If the shared secret on the IAS client matches the one stored in the IAS Server, the IAS client will then forward the logon info to the IAS Server for validation. The logon info contains a list of requirements that must be met to allow access for the user. This list of requirements can include verification of the password, and it can also specify whether the user is allowed access.

Regarding this issue, we first need to check whether it is a problem with the communication between the IAS Client and the IAS Server or whether the issue occurs during logon info validation.

So, please do the following and provide me with the log files for research:

1. IAS Logging:
============

Go to the IAS Server, go to a command prompt and type the following command "netsh ras set tracing * enabled" (without the quotation marks).
Repro the issue and then compress and email me the C:\windows\debug folder.

2. Networking Edition MPS_Report log:
=============================

Download the Network Edition of the MPS_Report tool from <http://download.microsoft.com/download/b/b...fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the %COMPUTERNAME%_MPSReports_.CAB file which is under the %systemroot%\MPSReports\network\bin\cab directory.

3. Directory Edition of MPS_Report log:
==============================

If the wireless client PC is in a domain environment, please download the Directory Edition of the MPS_Report tool from <http://download.microsoft.com/download/b/b...fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE>, run it on one of your DCs. Email me the %COMPUTERNAME%_MPSReports_.CAB file which is under the %systemroot%\MPSReports\Setup\Lite\Cab directory.

4. Event log from client computer:
==========================

a. On the wireless client computer, click Start -> Run, type EVENTVWR and click OK.
b. Right-click Application event, select "Save Log File As...", save it as an .evt file and email it to me.
c. Export the System event log and email it to me too.

You can send the log files to me at v-jpzhu@microsoft.com.

Thanks for your time and I look forward to hearing from you. : )

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


Guest Steve Halvorson

Thanks, I'll gather the info and email it to you.
--
Steve Halvorson
Preferred Credit, Inc

 

 


Guest Steve Halvorson

By the way - I used the Midsize Security Guidance - Secure Wireless Access Point Configuration as a guide to setting up the network.
--
Steve Halvorson
Preferred Credit, Inc

 

 


Guest S. Pidgorny

If you're using descriptive policy names, using Windows authentication for all users is not the right thing to do if you're using certificate authentication.

Can you copy/paste a formatted System log entry from event viewer?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

http://sl.mvps.org http://msmvps.com/blogs/sp

 


Guest Jian-Ping Zhu [MSFT]

Hello,

Thank you for your feedback.

I haven't received the mail from you up till now. I wonder whether you have already sent me the mail or you will send it after you finish gathering the logs and screenshot.

I have created a workspace for you to upload information files in case that the log files are large. After you finish gathering all the information I need, please zip all the files, name the zip package using your name and upload to the following space:

<https://sftus.one.microsoft.com/ChooseTrans...5fc0-fc5b-4c03-8ecd-493ff0e71577>

Password: < PayV567Qn#>

Please post a quick note in this thread so that I can check the workspace timely.

Thank you for your assistance and I look forward to hearing from you soon.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

 


Guest Steve Halvorson

I was able to get authentication to the WLAN working and it appears to be working securely with certificates. However, I am not sure that it is using the "Wireless" IAS rules. I seem to be able to connect to the WLAN even though the computer is not in the "Remote Access Policy Wireless Computers" group, which is what the Wireless rule is set up as in IAS. I am thinking that it is using the "Connections to other access server" rule instead. The wireless rule is #1 and the connections to other rule is #4. How can I tell for sure what rule it is using?
--
Steve Halvorson
Preferred Credit, Inc

 

 


Guest Jian-Ping Zhu [MSFT]

Hello,

Thank you for your reply.

I think there is an easy way to check which rule is used for remote access. Just deny remote access permission on all the other remote access policies (including the 'Connections to other access server' policy) and grant remote access permission on the first rule, which is named 'wireless'.

You could do it in this way:
1. Right-click the policy and click Properties.
2. Select deny/grant remote access permission and press OK.

After that, try to establish the wireless connection again. If it still works, this means the 'wireless' remote access policy is matched and the authentication is successful.

You might also check Event log -> System log to check which remote access policy is applied.

Moreover, the following article tells you how IAS works, which might be helpful to you.

How IAS Technology Works
http://technet2.microsoft.com/windowsserve...d5-fdaf-430c-9ef4-318f8c15baf11033.mspx?mfr=true

I hope this helps.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center
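
The matched policy asked about above is also recorded in every line of the IAS-format log quoted in the first post. The following is an added example, not part of the thread: it parses those two records (rejoined onto one line each), merges the request and the server's answer by their shared Class value, and flags wireless sessions decided under a policy other than the intended one. The field positions are an assumption cross-checked against the event log entry posted in this thread, and the policy name "Wireless" is a hypothetical stand-in for the thread's wireless rule.

```python
import csv
import io

GAP = "," * 34  # fields 28-60 are empty in both records from the post

# The two records from the first post, each rejoined onto one line.
SAMPLE_LOG = (
    '"RAD1","IAS",03/04/2008,00:00:01,1,"me@mydomain.net",'
    '"mydomain.net/InformationTechnology/me","00-1c-f0-59-df-d1",'
    '"00-13-02-1e-98-44",,,"DWL-3140_WLS_SW","0.0.0.0",0,0,"10.1.0.101","AP_1",'
    ',,19,,,,5,"Connections to other access servers",0,'
    '"311 1 10.1.0.28 02/29/2008 18:01:15 31478"' + GAP +
    '"Use Windows authentication for all users",1,,,,\n'
    '"RAD1","IAS",03/04/2008,00:00:01,3,,'
    '"mydomain.net/InformationTechnology/Me",,,,,,,,0,"10.1.0.101","AP_1",'
    ',,,,,,5,"Connections to other access servers",66,'
    '"311 1 10.1.0.28 02/29/2008 18:01:15 31478"' + GAP +
    '"Use Windows authentication for all users",1,,,,\n'
)

# 1-based field positions in an IAS-format record (assumption; they agree
# with the attribute values shown in the event log entry in this thread).
FIELD = {
    "date": 3, "time": 4, "packet_type": 5, "user_name": 6,
    "fq_user_name": 7, "client_ip": 16, "client_friendly_name": 17,
    "nas_port_type": 20, "authentication_type": 24, "policy_name": 25,
    "reason_code": 26, "class": 27, "proxy_policy_name": 61,
}
# RADIUS packet codes.
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "4": "Accounting-Request",
               "11": "Access-Challenge"}
# Only the codes seen in this thread; texts abbreviated.
REASON = {
    "0": "success",
    "65": "remote access permission for the user account was denied",
    "66": "authentication method not enabled on the matching policy",
}
WIRELESS_80211 = "19"  # NAS-Port-Type value for Wireless - IEEE 802.11


def parse_records(text):
    """Return one dict per complete IAS-format line; skip short lines."""
    records = []
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) < max(FIELD.values()):
            continue  # blank line or a record cut short
        records.append({n: row[p - 1].strip() for n, p in FIELD.items()})
    return records


def sessions(records):
    """Merge request and answer that carry the same Class value."""
    merged = {}
    for index, rec in enumerate(records):
        key = rec["class"] or f"no-class-{index}"
        session = merged.setdefault(key, {"outcome": "no final answer logged"})
        for name, value in rec.items():
            # The reject record omits user name and port type, so keep the
            # first non-empty value seen for each attribute.
            if value and name not in ("packet_type", "reason_code"):
                session.setdefault(name, value)
        kind = PACKET_TYPE.get(rec["packet_type"], rec["packet_type"])
        if kind in ("Access-Accept", "Access-Reject"):
            session["outcome"] = kind
            session["reason_code"] = rec["reason_code"]
            session["reason"] = REASON.get(rec["reason_code"],
                                           "not in this table")
    return list(merged.values())


def wireless_on_unexpected_policy(session_list, expected_policy):
    """Wireless sessions that were decided by some other policy."""
    return [s for s in session_list
            if s.get("nas_port_type") == WIRELESS_80211
            and s.get("policy_name") != expected_policy]


if __name__ == "__main__":
    found = wireless_on_unexpected_policy(
        sessions(parse_records(SAMPLE_LOG)), "Wireless")  # hypothetical name
    for s in found:
        print(f'{s.get("user_name")} via {s.get("client_friendly_name")}: '
              f'{s["outcome"]} under policy "{s.get("policy_name")}" '
              f'(reason {s.get("reason_code")}: {s.get("reason")})')
```

Run against a real log file, the same check lists every wireless request that fell through to a catch-all policy, whether it was rejected or accepted.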

 


Guest Steve Halvorson

I guess I am not sure what you mean by a formatted copy of the system event log, but here is the event that appears to apply...

User host/SJHAHPNC6400.mydomain.net was denied access.
Fully-Qualified-User-Name = mydomain.net/Windows Vista/SJHAHPNC6400
NAS-IP-Address = 0.0.0.0
NAS-Identifier = DWL-3140_WLS_SW
Called-Station-Identifier = 00-1c-f0-59-df-d1
Calling-Station-Identifier = 00-19-d2-ab-72-13
Client-Friendly-Name = AP_1
Client-IP-Address = 10.1.0.101
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.

Note that the radius server is also being used to authenticate VPN traffic through our ISA server.

Thanks
--
Steve Halvorson
Preferred Credit, Inc

 

 


Guest Jian-Ping Zhu [MSFT]

Dear Customer,

Regarding your last email, I am just checking and following up on your status.

I'm wondering if the suggestion has helped or if you have any further questions.

Please feel free to respond to the newsgroups if I can assist further.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

 


 

--------------------

From: v-jpzhu@online.microsoft.com (Jian-Ping Zhu [MSFT])
Date: Thu, 13 Mar 2008 11:38:19 GMT
Subject: RE: WLAN Security WPA EAP/TLS. Authentication Failed error
Newsgroups: microsoft.public.security

 
