#1

I'm setting up a wireless network, using a Cisco Aironet 1200 AP, Windows 2000 native domain, running IAS. I've set up a stand-alone root CA, issued certificates to the two DCs that are running IAS, and have configured a GPO to autoenroll certificates to computers belonging to a specific OU. The certificate deployment works fine, the laptops can see the AP, but upon attempting authentication the clients display an error message stating that Windows cannot locate a certificate to log on to the network. The following warning is logged by IAS on the DC:

    User host/laptop.domain.com was denied access.
     Fully-Qualified-User-Name = DOMAIN\laptop$
     NAS-IP-Address = 10.xx.xx.xx
     NAS-Identifier = AP
     Called-Station-Identifier = 1234.5678.90AB
     Calling-Station-Identifier = 0123.4567.89AB
     Client-Friendly-Name = AP
     Client-IP-Address = 10.xx.xx.xx
     NAS-Port-Type = 19
     NAS-Port = 328
     Policy-Name = Allow WLAN Access
     Authentication-Type = EAP
     EAP-Type = <undetermined>
     Reason-Code = 16
     Reason = There was an authentication failure because of an unknown user name or a bad password.

I've played with a few different settings with regards to the registry in the key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\

tweaking the values for AuthMode and SupplicantMode.

What am I missing? Any help would be greatly appreciated, and if anyone needs further information, just ask. Thanks!

Kirk Hauer, CCNA, MCSE

KHauer
#2

Kirk,

I would try to use PEAP - just temporarily - to make sure that the server infrastructure is okay.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"KHauer" <> wrote in message news:A846EA0B-FE76-4BC9-8F90-...
> I'm setting up a wireless network, using a Cisco Aironet 1200 AP, Windows
> 2000 native domain, running IAS. I've set up a stand-alone root CA, issued
> certificates to the two DCs that are running IAS, and have configured a GPO
> to autoenroll certificates to computers belonging to a specific OU. The
> certificate deployment works fine, the laptops can see the AP, but upon
> attempting authentication the clients display an error message stating that
> Windows cannot locate a certificate to log on to the network. The following
> warning is logged by IAS on the DC:
>
> User host/laptop.domain.com was denied access.
>  Fully-Qualified-User-Name = DOMAIN\laptop$
>  NAS-IP-Address = 10.xx.xx.xx
>  NAS-Identifier = AP
>  Called-Station-Identifier = 1234.5678.90AB
>  Calling-Station-Identifier = 0123.4567.89AB
>  Client-Friendly-Name = AP
>  Client-IP-Address = 10.xx.xx.xx
>  NAS-Port-Type = 19
>  NAS-Port = 328
>  Policy-Name = Allow WLAN Access
>  Authentication-Type = EAP
>  EAP-Type = <undetermined>
>  Reason-Code = 16
>  Reason = There was an authentication failure because of an unknown user
> name or a bad password.
>
> I've played with a few different settings with regards to the registry in
> the key:
> HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\
> tweaking the values for AuthMode and SupplicantMode.
>
> What am I missing? Any help would be greatly appreciated, and if anyone
> needs further information, just ask. Thanks!
>
> Kirk Hauer, CCNA, MCSE

S. Pidgorny
#3

Was the FQUN actually the name of the system (not the user)?

If so, then it's machine authentication that's failing. You can uncheck the client side option that says send machine credentials, and that will go away.

I don't know exactly what you need to configure in the Remote Access Policy on your IAS to accept them. But someone from MS should know.

Dave.

KHauer <> wrote:
>I'm setting up a wireless network, using a Cisco Aironet 1200 AP, Windows
>2000 native domain, running IAS. I've set up a stand-alone root CA, issued
>certificates to the two DCs that are running IAS, and have configured a GPO
>to autoenroll certificates to computers belonging to a specific OU. The
>certificate deployment works fine, the laptops can see the AP, but upon
>attempting authentication the clients display an error message stating that
>Windows cannot locate a certificate to log on to the network. The following
>warning is logged by IAS on the DC:
>
>User host/laptop.domain.com was denied access.
> Fully-Qualified-User-Name = DOMAIN\laptop$
> NAS-IP-Address = 10.xx.xx.xx
> NAS-Identifier = AP
> Called-Station-Identifier = 1234.5678.90AB
> Calling-Station-Identifier = 0123.4567.89AB
> Client-Friendly-Name = AP
> Client-IP-Address = 10.xx.xx.xx
> NAS-Port-Type = 19
> NAS-Port = 328
> Policy-Name = Allow WLAN Access
> Authentication-Type = EAP
> EAP-Type = <undetermined>
> Reason-Code = 16
> Reason = There was an authentication failure because of an unknown user
>name or a bad password.
>
>I've played with a few different settings with regards to the registry in
>the key:
>HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\
>tweaking the values for AuthMode and SupplicantMode.
>
>What am I missing? Any help would be greatly appreciated, and if anyone
>needs further information, just ask. Thanks!
>
>Kirk Hauer, CCNA, MCSE

Dave Mitton
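An added example, not written by any poster in this thread: a small Python parser for the IAS event text quoted above that reports whether the rejected identity is a computer account (a `host/` name or a Fully-Qualified-User-Name ending in `$`), which is the check raised in post #3. The function names are hypothetical and the sample is constructed from the log in the first post.

```python
import re

# Constructed sample: the IAS warning from the first post, one field per line.
SAMPLE_EVENT = """\
User host/laptop.domain.com was denied access.
 Fully-Qualified-User-Name = DOMAIN\\laptop$
 NAS-IP-Address = 10.xx.xx.xx
 NAS-Port-Type = 19
 Policy-Name = Allow WLAN Access
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 16
 Reason = There was an authentication failure because of an unknown user
name or a bad password.
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z-]*) = (.*)$")
HEADER = re.compile(r"^User (\S+) was (denied|granted) access\.")


def parse_ias_event(text):
    """Parse the event description; wrapped lines extend the previous field."""
    event, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        header, field = HEADER.match(line), FIELD.match(line)
        if header:
            event["User"], event["Result"] = header.group(1), header.group(2)
        elif field:
            last = field.group(1)
            event[last] = field.group(2).strip()
        elif last:
            event[last] += " " + line.strip()
    return event


def triage(event):
    """Summarise which identity was rejected, without guessing at the cause."""
    fqun = event.get("Fully-Qualified-User-Name", "")
    machine = event.get("User", "").startswith("host/") or fqun.endswith("$")
    return {
        "identity": "machine" if machine else "user",
        "wireless": event.get("NAS-Port-Type") == "19",  # 19 = IEEE 802.11
        "eap_type_known": event.get("EAP-Type", "<undetermined>") != "<undetermined>",
        "reason_code": int(event.get("Reason-Code", "-1")),
    }


if __name__ == "__main__":
    print(triage(parse_ias_event(SAMPLE_EVENT)))
```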