802.1x authentication issues.

Discussion in 'Wireless Networking' started by Tim, May 30, 2005.

  1. Tim

    Tim Guest

    Hi,

    I am trying to retrench an existing Windows 2003 Server configured for
    802.11x. As far as I can tell, the new server is configured the same as the
    old - with minor exceptions such as the Old has CertServices, the new does
    not. The old has ISA 2000, the new has 2004 and is otherwise going ok. There
    are no Denied connections in the ISA Logs. I have installed a copy of the
    machine key for the machine being authenticated below into the cert store in
    the new machine and using certservices I have loaded into the new DC all the
    certificates that seem to be loadable. I can log on to the network while the
    old server is offline.

    If I change the radius server address in the WAP with the new server address
    I get the following event log record:

    Access request for user was discarded.
    Fully-Qualified-User-Name = ... my user name...
    NAS-IP-Address = 192.168.99.254
    NAS-Identifier = default
    Called-Station-Identifier = <not present>
    Calling-Station-Identifier = 00-0e-35-2b-7c-04
    Client-Friendly-Name = Wireless Modem
    Client-IP-Address = 192.168.99.254
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 0
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>

    Reason-Code = 9
    Reason = The request was discarded by a third-party extension DLL file.
    ____

    If the RADIUS server IP is left pointing to the old server the wireless
    connection succeeds ok. The failure is after Packet ID 10 is processed
    during the client during Authentication (RASTLS.log file). I cannot see
    anything that makes sense re: this error in any of the Trace files for RRAS.
    After Packet ID 10, the client goes back to Validating Identity and gets
    stuck there.

    The config is: Windows 2003 Server with SP1, RRAS, IAS, ISA, MS Exchange.

    Thanks in advance to anyone that can help.

    - Tim
    Tim, May 30, 2005
    #1

  2. Was there a third-party EAP type installed on the system at any point?
    What is the Remote Access Policy configuration for the RAS Host?
    What access points are you using?

    --
    Jerry Peterson
    Windows Network Services - Wireless

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Jerry Peterson[MSFT], May 31, 2005
    #2

  3. Tim

    Tim Guest

    Hi,

    3rd party EAP type installed? No idea. This is a stock Windows 2003 SP1
    server with MS Anti Spyware, Windows support tools IAS, RRAS, CertServices
    (now) MS Exchange 2004, DHCP, DNS, and ISA 2004. I can't see anything
    occurring in ISA server traces that would indicate it is blocking.

    The certificate listed below now is a new cert generated last night - it is
    a WWW cert (IE server authentication). The cert service does not have a
    legitimate CA cert - it was self issued. Such a cert has worked on the other
    server before.

    Q: Are there certificate key length restrictions?

    The RRAS Access Policy is as follows:

    Order = 1
    Name = Allow Wireless Users
    Policy Conditions:
      If the user is a member of the "My VPN Users" group
      Grant Access.
      (The user is me, and I am).

    Profile:
      IP - Client may request an IP Address
      No input or output filters.
      Multilink: Server settings determine Multilink usage
        BAP is not ticked and defaults.
      Authentication
        EAP Methods Command shows:
          Smart Card or Other Certificate
            a Certificate for this domain is listed and expires in 2 years.
          PEAP
            a certificate is listed and is the same as above...
            Enable Fast Reconnect
            EAP Types
              Smart Card or Other Certificate
                same certificate as above.
              Secured Password (EAP-MSCHAP-V2)
                Retry = 2
                Allow client to change password.
        MS CHAP-V2 is ticked
          User can change password after it has expired ticked.

    Order = 2
    Name = Allow Wireless Computers
      If the NAS-Port-Type matches "Wireless - IEEE 802.11" AND
      Windows-Groups matches "domain name\Wireless Computers"
      Grant Access. (ditto: both machines are and have worked previously)

    As above.

    Machine right click Properties (by tab)
      General:
        Router
          LAN routing only
      Security
        Authentication Provider:
          Radius Authentication
          Configure:
            Server = self.domainname, (ie this machine/domain)
            Secret = <null> (ie none)
            Initial Score = 29
            Always use message authenticator is Off,
            Timeout = 5,
            Port = 1812
        Accounting Provider: None
        Allow custom IPSec policy... No.
      IP:
        Enable Ip Forwarding ticked.
        Allow IP based remote access and demand dial connections: ticked.
        Enable broadcast name resolution: unticked.
        Use the following adapter for DHCP / DNS / Wins Addresses...
          LAN ( this is the subnet for all devices around here).
      PPP
        Defaults
      Logging
        Log all events and Log Additional...

    The access point is a D-Link Airplus G+. This was working off the other DC
    machine in the same domain without issues (apart from seeming to like an
    occasional reset...).

    The IASSAM.log file has this:
    [5708] 06-01 22:09:11:511: Processing output from EAP DLL.
    [5708] 06-01 22:09:11:511: EAPACTION_Done
    [5708] 06-01 22:09:11:511: Translating attributes returned by EAP DLL.
    [5708] 06-01 22:09:11:511: Inserting attribute 4140
    [5708] 06-01 22:09:11:511: Inserting attribute 4141
    [5708] 06-01 22:09:11:511: Inserting attribute 8097
    [5708] 06-01 22:09:11:511: Inserting attribute 8097
    [5708] 06-01 22:09:11:511: Inserting attribute 8097
    [5708] 06-01 22:09:11:511: EAP authentication succeeded.
    [5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
    [5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
    [5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
    [5708] 06-01 22:09:11:511: RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)

    256 = "discard" according to Authif.h in PSDK.
    RC = 14 = "Not Enough Storage" if it is a stock error code.

    Is there anywhere where it will indicate who or what has declined and why?

    Many Thanks.

    - Tim

    Some more stuff from logs in case it is of use:
    From RASTLS.Log:
    :09:02:828: EapTlsSMakeMessage
    [1496] 22:09:02:828: MakeReplyMessage
    [1496] 22:09:02:828: SecurityContextFunction
    [1496] 22:09:03:049: AcceptSecurityContext returned 0x0
    [1496] 22:09:03:049: AuthenticateUser
    [1496] 22:09:03:049: FGetEKUUsage
    [1496] 22:09:03:049: FCheckPolicy
    [1496] 22:09:03:049: FCheckPolicy done.
    [1496] 22:09:03:049: CheckUserName
    [1496] 22:09:03:049: CreateOIDAttributes
    [1496] 22:09:03:049: CreateMPPEKeyAttributes
    [1496] 22:09:03:059: State change to SentFinished
    [1496] 22:09:03:059: BuildPacket
    [1496] 22:09:03:059: << Sending Request (Code: 1) packet: Id: 16, Length: 53, Type: 13, TLS blob length: 43. Flags: L
    [5708] 22:09:11:511:
    [5708] 22:09:11:511: EapTlsMakeMessage(MyDomain\Tim)
    [5708] 22:09:11:511: >> Received Response (Code: 2) packet: Id: 16, Length: 6, Type: 13, TLS blob length: 0. Flags:
    [5708] 22:09:11:511: EapTlsSMakeMessage
    [5708] 22:09:11:511: Negotiation successful
    [5708] 22:09:11:511: BuildPacket
    [5708] 22:09:11:511: << Sending Success (Code: 3) packet: Id: 16, Length: 4, Type: 0, TLS blob length: 0. Flags:
    [5708] 22:09:11:511: AuthResultCode = (0), bCode = (3)
    [5708] 22:09:11:511: EapTlsEnd
    [5708] 22:09:11:511: EapTlsEnd(MyDomain\tim)

    all other log files appear to have little of interest in them - either they
    are empty, have entries that do not relate by time or indicate success doing
    other things....
    Tim, Jun 1, 2005
    #3
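
An added example, not written by anyone in the thread: a small Python parser for the IASSAM.log trace format quoted in the post above, reporting which extension DLL discarded a request after the EAP method had already accepted it. The last two sample lines (thread 6120 and sample_ext.dll) are constructed for contrast, and only response type 256 is mapped to a name because that is the only value the post gives.

```python
import re

# Sample input: trace lines in the shape quoted in the post. One entry is wrapped
# across two lines to exercise continuation handling. The final two lines are
# constructed; thread 6120 and sample_ext.dll are hypothetical.
SAMPLE_TRACE = """\
[5708] 06-01 22:09:11:511: Processing output from EAP DLL.
[5708] 06-01 22:09:11:511: EAPACTION_Done
[5708] 06-01 22:09:11:511: EAP authentication succeeded.
[5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
[5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
[5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
[5708] 06-01 22:09:11:511:
RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)
[6120] 06-01 22:10:02:100: Invoking extension sample_ext.dll
[6120] 06-01 22:10:02:100: RadiusExtensionProcess2 returned 0
"""

PREFIX = re.compile(r"^\[(\d+)\]\s+(\d\d-\d\d \d\d:\d\d:\d\d:\d{3}):\s*(.*)$")
INVOKE = re.compile(r"Invoking extension (\S+)")
RETURNED = re.compile(r"RadiusExtensionProcess\w* returned (\d+)")
RESPONSE = re.compile(r"SetResponseType\((\d+)\)")

# Only the value named in the thread is mapped; others are reported as numbers.
RESPONSE_TYPES = {256: "discard"}


def logical_lines(text):
    """Yield (thread, timestamp, message), rejoining wrapped continuation lines."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREFIX.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(2), m.group(3)]
        elif current:
            # No "[thread] timestamp:" prefix, so this continues the previous entry.
            current[2] = (current[2] + " " + line).strip()
    if current:
        yield tuple(current)


def extension_verdicts(text):
    """Return one record per extension DLL invocation, tracked per thread id."""
    eap_ok = set()   # threads whose current request passed EAP
    open_call = {}   # thread id -> record still collecting its results
    records = []
    for tid, ts, msg in logical_lines(text):
        if "Processing output from EAP DLL" in msg:
            # A new EAP result is being processed: reset this thread's state.
            eap_ok.discard(tid)
            open_call.pop(tid, None)
            continue
        if "EAP authentication succeeded" in msg:
            eap_ok.add(tid)
            continue
        m = INVOKE.search(msg)
        if m:
            rec = {"thread": tid, "time": ts, "dll": m.group(1),
                   "eap_succeeded": tid in eap_ok,
                   "return_code": None, "response": None}
            open_call[tid] = rec
            records.append(rec)
            continue
        rec = open_call.get(tid)
        if rec is None:
            continue
        m = RETURNED.search(msg)
        if m:
            rec["return_code"] = int(m.group(1))
            continue
        m = RESPONSE.search(msg)
        if m:
            code = int(m.group(1))
            rec["response"] = RESPONSE_TYPES.get(code, str(code))
    return records


def discarded_after_success(records):
    """Extensions that discarded a request the EAP method had already accepted."""
    return [r for r in records
            if r["eap_succeeded"] and r["response"] == "discard"]


if __name__ == "__main__":
    for r in discarded_after_success(extension_verdicts(SAMPLE_TRACE)):
        print(f'{r["time"]} thread {r["thread"]}: {r["dll"]} returned '
              f'{r["return_code"]} and set response type "{r["response"]}"')
```
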
  4. You have a 3rd party RADIUS/IAS DLL installed - sounds like it's causing the
    lost packet.

    Please see this article.

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ias/ias/ias_start_page.asp

    Hope this helps.

    --
    Standard Disclaimers -
    This posting is provided "AS IS" with no warranties,
    and confers no rights. Please do not send e-mail directly
    to this alias. This alias is for newsgroup purposes only.
    Carl DaVault [MSFT], Jun 9, 2005
    #4
  5. Tim

    Tim Guest

    Carl,

    I don't see how a 3rd party DLL could be there unless that extension DLL was
    supplied by MS as I have not any 3rd party software. I appreciate that the
    machine is probably not a recommended config, but its purpose is partly
    business (My own) and to understand how to implement such systems at
    customer sites...

    I will check through the DLL's that can be configured in ISA server. In ISA,
    I recall there are some special RSA and other DLL's that may have some
    influence???????? Perhaps that's it... However logic tells me it is quite
    sensible to have ISA on the same machine.

    The joys of computers :)

    Thanks for the reference. I'll have a good read of it.

    Thanks.

    - Tim


    "Carl DaVault [MSFT]" <> wrote in message
    news:...
    > You have a 3rd party RADIUS/IAS DLL installed - sounds like it's causing
    > the lost packet.
    >
    > Please see this article.
    >
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ias/ias/ias_start_page.asp
    >
    > Hope this helps.
    >
    > --
    > Standard Disclaimers -
    > This posting is provided "AS IS" with no warranties,
    > and confers no rights. Please do not send e-mail directly
    > to this alias. This alias is for newsgroup purposes only.
    >
    >
    > "Tim" <Tim@NoSpam> wrote in message
    > news:...
    >> Hi,
    >>
    >> 3rd party EAP type installed? No idea. This is a stock Windows 2003 SP1
    >> server with MS Anti Spyware, Windows support tools IAS, RRAS,
    >> CertServices (now) MS Exchange 2004, DHCP, DNS, and ISA 2004. I can't see
    >> anything occuring in ISA server traces that would indicate it is
    >> blocking.
    >>
    >> The certificate listed below now is a new cert generated last night - it
    >> is a WWW cert (IE server authentication). The cert service does not have
    >> a legitimate CA cert - it was self issued. Such a cert has worked on the
    >> other server before.
    >>
    >> Q: Are they certificate key length restrictions?
    >>
    >> The RRAS Access Policy is as follows:
    >>
    >> Order = 1
    >> Name = Allow Wireless Users
    >> Policy Conditions:
    >> If the user is a member of the "My VPN Users" group
    >> Grant Access.
    >> (The user is me, and I am).
    >>
    >> Profile:
    >> IP - Client may request an IP Address
    >> No input or output filters.
    >> Multilink: Server settings determine Multilink usage
    >> BAP is not ticked and defaults.
    >> Authentication
    >> EAP Methods Command shows:
    >> Smart Card or Other Certificate
    >> a Certificate for this domain is listed and expires in 2
    >> years.
    >> PEAP
    >> a certificate is listed and is the same as above...
    >> Enable Fast Reconnect
    >> EAP Types
    >> Smart Card or Other Certificate
    >> same certificate as above.
    >> Secured Password (EAP-MSCHAP-V2)
    >> Retry = 2
    >> Allow client to change password.
    >> MS CHAP-V2 is ticked
    >> User can change password after it has expired ticked.
    >>
    >> Order = 2
    >> Name = Allow Wireless Computers
    >> If the NAS-Port-Type matcheds "Wireless - IEEE 802.11" AND
    >> Windows-Groups matches "domain name\Wireless Computers"
    >> Grant Access. (ditto: both machines are and have worked previosly)
    >>
    >> As above.
    >>
    >> Machine right click Properties (by tab)
    >> General:
    >> Router
    >> LAN routing only
    >> Security
    >> Authenication Provider:
    >> Radius Authentication
    >> Configure:
    >> Server = self.domainname, (ie this machine/domain)
    >> Secret = <null> (ie none)
    >> Initial Score = 29
    >> Always use message authenticator is Off,
    >> Timeout = 5,
    >> Port = 1812
    >> Accounting Provider: None
    >> Allow custom IPSec policy... No.
    >> IP:
    >> Enable Ip Forwarding ticked.
    >> Allow IP based remote access and demand dial connections: ticked.
    >> Enable broadcast name resolution: unticked.
    >> Use the following adapter for DHCP / DNC / Wins Addresses...
    >> LAN ( this is the subnet for all devices around here).
    >> PPP
    >> Defaults
    >> Logging
    >> Log all events and Log Additional...
    >>
    >> The access point is a D-Link Airplus G+. This was working off the other
    >> DC machine in the same domain without issues (apart from seeming to like
    >> an occasional reset...).
    >>
    >> The IASSAM.log file has this:
    >> [5708] 06-01 22:09:11:511: Processing output from EAP DLL.
    >> [5708] 06-01 22:09:11:511: EAPACTION_Done
    >> [5708] 06-01 22:09:11:511: Translating attributes returned by EAP DLL.
    >> [5708] 06-01 22:09:11:511: Inserting attribute 4140
    >> [5708] 06-01 22:09:11:511: Inserting attribute 4141
    >> [5708] 06-01 22:09:11:511: Inserting attribute 8097
    >> [5708] 06-01 22:09:11:511: Inserting attribute 8097
    >> [5708] 06-01 22:09:11:511: Inserting attribute 8097
    >> [5708] 06-01 22:09:11:511: EAP authentication succeeded.
    >> [5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
    >> [5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
    >> [5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
    >> [5708] 06-01 22:09:11:511:
    >> RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)
    >>
    >> 256 = "discard" according to Autif.h in PSDK.
    >> RC = 14 = "Not Enough Storage" if it is a stock error code.
    >>
    >> Is there anywhere where it will indicate who or what has delcined and
    >> why?
    >>
    >> Many Thanks.
    >>
    >> - Tim
    >>
    >> Some more stuff from logs in case it is of use:
    >> From RASTLS.Log:
    >> :09:02:828: EapTlsSMakeMessage
    >> [1496] 22:09:02:828: MakeReplyMessage
    >> [1496] 22:09:02:828: SecurityContextFunction
    >> [1496] 22:09:03:049: AcceptSecurityContext returned 0x0
    >> [1496] 22:09:03:049: AuthenticateUser
    >> [1496] 22:09:03:049: FGetEKUUsage
    >> [1496] 22:09:03:049: FCheckPolicy
    >> [1496] 22:09:03:049: FCheckPolicy done.
    >> [1496] 22:09:03:049: CheckUserName
    >> [1496] 22:09:03:049: CreateOIDAttributes
    >> [1496] 22:09:03:049: CreateMPPEKeyAttributes
    >> [1496] 22:09:03:059: State change to SentFinished
    >> [1496] 22:09:03:059: BuildPacket
    >> [1496] 22:09:03:059: << Sending Request (Code: 1) packet: Id: 16, Length:
    >> 53, Type: 13, TLS blob length: 43. Flags: L
    >> [5708] 22:09:11:511:
    >> [5708] 22:09:11:511: EapTlsMakeMessage(MyDomain\Tim)
    >> [5708] 22:09:11:511: >> Received Response (Code: 2) packet: Id: 16,
    >> Length: 6, Type: 13, TLS blob length: 0. Flags:
    >> [5708] 22:09:11:511: EapTlsSMakeMessage
    >> [5708] 22:09:11:511: Negotiation successful
    >> [5708] 22:09:11:511: BuildPacket
    >> [5708] 22:09:11:511: << Sending Success (Code: 3) packet: Id: 16, Length:
    >> 4, Type: 0, TLS blob length: 0. Flags:
    >> [5708] 22:09:11:511: AuthResultCode = (0), bCode = (3)
    >> [5708] 22:09:11:511: EapTlsEnd
    >> [5708] 22:09:11:511: EapTlsEnd(MyDomain\tim)
    >>
    >> all other log files appear to have little of interest in them - either
    >> they are empty, have entries that do not relate by time or indicate
    >> success doing other things....
    >>
    >> "Jerry Peterson[MSFT]" <> wrote in message
    >> news:...
    >>> Was there a third-party EAP type installed on the system at any point?
    >>> What is the Remote Access Policy configuration for the RAS Host?
    >>> What access points are you using?
    >>>
    >>> --
    >>> Jerry Peterson
    >>> Windows Network Services - Wireless
    >>>
    >>> This posting is provided "AS IS" with no warranties, and confers no
    >>> rights.
    >>> "Tim" <Tim@NoSpam> wrote in message
    >>> news:...
    >>>> Hi,
    >>>>
    >>>> I am trying to retrench an existing Windows 2003 Server configured for
    >>>> 802.11x. As far as I can tell, the new server is configured the same as
    >>>> the
    >>>> old - with minor exceptions such as the Old has CertServices, the new
    >>>> does
    >>>> not. The old has ISA 2000, the new has 2004 and is otherwise going ok.
    >>>> There
    >>>> are no Denied connections in the ISA Logs. I have instlalled a copy of
    >>>> the
    >>>> machine key for the machine being authenticated below into the cert
    >>>> store in
    >>>> the new machine and using certservices I have loaded into the new DC
    >>>> all the
    >>>> certificates that seem to be loadable. I can log on to the network
    >>>> while the
    >>>> old server is offline.
    >>>>
    >>>> If I change the radius server address in the WAP with the new server
    >>>> address
    >>>> I get the following event log record:
    >>>>
    >>>> Access request for user was discarded.
    >>>> Fully-Qualified-User-Name = ... my user name...
    >>>> NAS-IP-Address = 192.168.99.254
    >>>> NAS-Identifier = default
    >>>> Called-Station-Identifier = <not present>
    >>>> Calling-Station-Identifier = 00-0e-35-2b-7c-04
    >>>> Client-Friendly-Name = Wireless Modem
    >>>> Client-IP-Address = 192.168.99.254
    >>>> NAS-Port-Type = Wireless - IEEE 802.11
    >>>> NAS-Port = 0
    >>>> Proxy-Policy-Name = Use Windows authentication for all users
    >>>> Authentication-Provider = Windows
    >>>> Authentication-Server = <undetermined>
    >>>>
    >>>> Reason-Code = 9
    >>>> Reason = The request was discarded by a third-party extension DLL file.
    >>>> ____
    >>>>
    >>>> If the RADIUS server IP is left pointing to the old server the wireless
    >>>> connection succeeds ok. The failure is after Packet ID 10 is processed
    >>>> during the client during Authentication (RASTLS.log file). I cannot see
    >>>> anything that makes sense re: this error in any of the Trace files for RRAS.
    >>>> After Packet ID 10, the client goes back to Validating Identity and gets
    >>>> stuck there.
    >>>>
    >>>> The config is: Windows 2003 Server with SP1, RRAS, IAS, ISA, MS Exchange.
    >>>>
    >>>> Thanks in advance to anyone that can help.
    >>>>
    >>>> - Tim
    Tim, Jun 10, 2005
    #5
  6. boogiept

    boogiept Guest

    Hello...
    I have the same problem with Windows Server SBS 2003 SP1, ISA 2004 SP1
    and IAS.

    Until yesterday I had 15 machines and SBS 2003 with ISA 2000 working
    perfectly fine with wireless. The configuration was the following:

    Cable internet / router / server nic2

    server nic1 / switch / client pcs and wireless AP Dlink 2000+ with radius.

    All wireless clients could authenticate in AD.

    Today I installed ISA 2004 and couldn't connect to AD, it throws an error
    message, then I did the configuration in ISA and in IAS.

    error:
    Access request for user sergiofonseca was discarded.
    Fully-Qualified-User-Name = xxx.local/MyBusiness/Users/SBSUsers/Sergio Fonseca
    NAS-IP-Address = 192.168.16.4
    NAS-Identifier = default
    Called-Station-Identifier = <not present>
    Calling-Station-Identifier = 0x-0x-ex-8x-dx-ax
    Client-Friendly-Name = router
    Client-IP-Address = 192.168.16.4
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 0
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Reason-Code = 9
    Reason = The request was discarded by a third-party extension DLL file.

    Or:

    Description: The VPN connection attempt by user xxx\iki from VPN client IP address x0-xf-xa-x5-xc-x4 could not be established.
    The failure is due to error: 0xc0040021

    The strange thing is that the XP SP2 client asks for user and password and
    if I hit it wrong it asks again and says it is wrong, but if I insert the
    right one it doesn't ask for some time, seems to be stuck on something, then
    after some time it asks again to authenticate.

    I need some help to fix this problem, thanks in advance.
    boogiept, Jun 10, 2005
    #6
  7. Tim

    Tim Guest

    If you come across a solution faster than MS does, could you please post
    back. This is a pain.

    MS: Do I have to repeat that there is nothing on the box other than MS
    Software? That if a 3rd party dll is rejecting the connect then MS is a
    third party unto itself. I checked the add ins in ISA Server and all are
    listed now as Vendor: Microsoft.

    Please, even a (preferably strong, specific, pointed) hint would do....

    - Tim
    Tim, Jun 13, 2005
    #7
  8. I see that you're running all-MS software. I see two products that I don't
    normally (personally) have installed:

    (1) the SBS version of server
    (2) ISA 2004

    Since both of you run ISA 2004, I suspect the problem to be with ISA 2004.
    This is a complete speculation.

    From the perspective of *IAS*, if it didn't ship as part of a standard IAS
    install, even a Microsoft-supplied DLL is "3rd-party" since they are
    separate products.

    I appreciate you bringing up this issue and it's why it's important that
    we're watching these newsgroups.

    Meanwhile, if you want to fix the problem in the short term, you can
    probably remove the add-in.

    I will find someone on the ISA or IAS teams to ask about this and reply back
    to you.

    -Carl

    --
    Standard Disclaimers -
    This posting is provided "AS IS" with no warranties,
    and confers no rights. Please do not send e-mail directly
    to this alias. This alias is for newsgroup purposes only.
    Carl DaVault [MSFT], Jun 14, 2005
    #8
  9. So... it's a bug in ISA or (more likely) the VPN plugin (which didn't expect
    packets from an AP as opposed to a more VPN-centric NAS). Here's the
    workaround. I've asked for a KB on this issue, but it may take a while to
    get thru the release process.

    You might need to specify CCS instead of a specific CCS like CCS001. Sorry I
    don't have a machine to try this, but you get the idea - remove any
    vpnplgin.dll-related entries for any AuthorizationDLLs values - you can
    probably just rename the key to something like DELETEMEAuthorizationDLLs, if
    you want to be more conservative than actually deleting the key.

    Remove the following registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AuthSrv\Parameters]
    "AuthorizationDLLs"="C:\Program Files\Microsoft ISA Server\vpnplgin.dll"
    Reboot the server.



    Carl DaVault [MSFT], Jun 16, 2005
    #9
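
    The workaround described in post #9, as an added example that is not part of the original thread: a PowerShell function that removes only the vpnplgin.dll entry from AuthorizationDLLs and first saves the original value under the DELETEMEAuthorizationDLLs name mentioned in the post. It assumes "CCS" in the post means CurrentControlSet and handles both a single-string and a multi-string value; the function name is hypothetical.

```powershell
# Added example (not from the thread): reversible removal of vpnplgin.dll
# from the IAS AuthorizationDLLs value. Run elevated on the IAS server.
# Without -Apply it only reports what it would change.
function Remove-IasVpnPluginAuthorization {   # hypothetical helper name
    param([switch]$Apply)

    # Assumption: "CCS" in the post means CurrentControlSet, the control set
    # the running system uses, rather than a numbered one such as ControlSet001.
    $subKey = 'SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
    $name   = 'AuthorizationDLLs'
    $backup = 'DELETEME' + $name          # backup name suggested in the post

    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if ($null -eq $key) { throw "Registry key not found: HKLM\$subKey" }
    try {
        if ($key.GetValueNames() -notcontains $name) {
            Write-Output "$name is not set; nothing to change."
            return
        }
        $kind    = $key.GetValueKind($name)   # String or MultiString
        $current = $key.GetValue($name)
        $entries = @($current) | ForEach-Object { "$_".Trim() } | Where-Object { $_ }

        # Split the entries into the ISA VPN plug-in and everything else.
        $drop = @($entries | Where-Object { $_ -like '*vpnplgin.dll' })
        $keep = @($entries | Where-Object { $_ -notlike '*vpnplgin.dll' })

        if ($drop.Count -eq 0) {
            Write-Output "No vpnplgin.dll entry in $name; nothing to change."
            return
        }
        Write-Output "Entries to remove: $($drop -join '; ')"
        Write-Output "Entries to keep:   $($keep -join '; ')"
        if (-not $Apply) {
            Write-Output 'Dry run only. Re-run with -Apply to write the change.'
            return
        }

        # Save the original value first so the change can be rolled back.
        $key.SetValue($backup, $current, $kind)

        if ($keep.Count -eq 0) {
            # Nothing else was registered: remove the value entirely.
            $key.DeleteValue($name)
        } else {
            # Other authorization DLLs stay registered with IAS.
            $key.SetValue($name, [string[]]$keep, $kind)
        }
        Write-Output "Updated $name; original saved as $backup. Reboot the server as the post says."
    }
    finally {
        $key.Close()
    }
}

Remove-IasVpnPluginAuthorization          # dry run; add -Apply to change the registry
```

    After the change IAS no longer calls the ISA VPN plug-in for any request, so re-test VPN access handled by ISA as well as the wireless logon.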
  10. Tim

    Tim Guest

    Thanks.
    Sorry for sounding a little terse.

    My system should not have the SBS version of Windows 2003... unless that is
    the base for the MSDN issued copies. "boogiept" indicated he/she has SBS.

    You have lost me on this point "You might need to specify CCS instead of a
    specific CCS like CCS001".

    CCS?

    Your workaround appears to work.

    Thanks again.

    - Tim
    Tim, Jun 21, 2005
    #10
  11. boogiept

    boogiept Guest

    Hi, Thank you for your post but at the moment I don't have a chance to
    test that because I had a surgery and I'll only be able to test it in
    15 days, but I can tell that before I left the company I've removed
    ISA 2004 and installed ISA 2000 and that way everything would be
    working fine until I get back.
    Thanks everyone I'll reply back in 15 days! Thanks!

    sérgio fonseca
    boogiept, Jun 22, 2005
    #11
  12. boogiept

    boogiept Guest

    Hello,
    I'm back.
    Today I did as you said and deleted the registry key and now it is working perfectly.
    Thanks a lot.
    Sérgio Fonseca
    boogiept, Jul 9, 2005
    #12
  13. Tim

    Tim Guest

    Mine is still going too.

    Carl, Sergio: Thanks

    - Tim
    Tim, Jul 11, 2005
    #13