From: Tim on 30 May 2005 08:03

Hi,

I am trying to retrench an existing Windows 2003 Server configured for 802.11x. As far as I can tell, the new server is configured the same as the old - with minor exceptions such as the Old has CertServices, the new does not. The old has ISA 2000, the new has 2004 and is otherwise going ok. There are no Denied connections in the ISA Logs. I have installed a copy of the machine key for the machine being authenticated below into the cert store in the new machine and using certservices I have loaded into the new DC all the certificates that seem to be loadable. I can log on to the network while the old server is offline.

If I change the radius server address in the WAP with the new server address I get the following event log record:

Access request for user Me(a)Here.com was discarded.
Fully-Qualified-User-Name = ... my user name...
NAS-IP-Address = 192.168.99.254
NAS-Identifier = default
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-0e-35-2b-7c-04
Client-Friendly-Name = Wireless Modem
Client-IP-Address = 192.168.99.254
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>

Reason-Code = 9
Reason = The request was discarded by a third-party extension DLL file.
____

If the RADIUS server IP is left pointing to the old server the wireless connection succeeds ok. The failure is after Packet ID 10 is processed during the client during Authentication (RASTLS.log file). I cannot see anything that makes sense re: this error in any of the Trace files for RRAS. After Packet ID 10, the client goes back to Validating Identity and gets stuck there.

The config is: Windows 2003 Server with SP1, RRAS, IAS, ISA, MS Exchange.

Thanks in advance to anyone that can help.

- Tim

From: Jerry Peterson[MSFT] on 31 May 2005 16:03

Was there a third-party EAP type installed on the system at any point?
What is the Remote Access Policy configuration for the RAS Host?
What access points are you using?

--
Jerry Peterson
Windows Network Services - Wireless

This posting is provided "AS IS" with no warranties, and confers no rights.

From: Tim on 1 Jun 2005 07:02

Hi,

3rd party EAP type installed? No idea. This is a stock Windows 2003 SP1 server with MS Anti Spyware, Windows support tools IAS, RRAS, CertServices (now) MS Exchange 2004, DHCP, DNS, and ISA 2004. I can't see anything occurring in ISA server traces that would indicate it is blocking.

The certificate listed below now is a new cert generated last night - it is a WWW cert (IE server authentication). The cert service does not have a legitimate CA cert - it was self issued. Such a cert has worked on the other server before.

Q: Are there certificate key length restrictions?

The RRAS Access Policy is as follows:

Order = 1
Name = Allow Wireless Users
Policy Conditions:
  If the user is a member of the "My VPN Users" group
  Grant Access.
  (The user is me, and I am).

Profile:
  IP - Client may request an IP Address
    No input or output filters.
  Multilink: Server settings determine Multilink usage
    BAP is not ticked and defaults.
  Authentication
    EAP Methods Command shows:
      Smart Card or Other Certificate
        a Certificate for this domain is listed and expires in 2 years.
      PEAP
        a certificate is listed and is the same as above...
        Enable Fast Reconnect
        EAP Types
          Smart Card or Other Certificate
            same certificate as above.
          Secured Password (EAP-MSCHAP-V2)
            Retry = 2
            Allow client to change password.
    MS CHAP-V2 is ticked
    User can change password after it has expired ticked.

Order = 2
Name = Allow Wireless Computers
  If the NAS-Port-Type matches "Wireless - IEEE 802.11" AND
  Windows-Groups matches "domain name\Wireless Computers"
  Grant Access. (ditto: both machines are and have worked previously)

As above.

Machine right click Properties (by tab)
General:
  Router
  LAN routing only
Security
  Authentication Provider:
    Radius Authentication
    Configure:
      Server = self.domainname, (ie this machine/domain)
      Secret = <null> (ie none)
      Initial Score = 29
      Always use message authenticator is Off,
      Timeout = 5,
      Port = 1812
  Accounting Provider: None
  Allow custom IPSec policy... No.
IP:
  Enable Ip Forwarding ticked.
  Allow IP based remote access and demand dial connections: ticked.
  Enable broadcast name resolution: unticked.
  Use the following adapter for DHCP / DNC / Wins Addresses...
  LAN ( this is the subnet for all devices around here).
PPP
  Defaults
Logging
  Log all events and Log Additional...

The access point is a D-Link Airplus G+. This was working off the other DC machine in the same domain without issues (apart from seeming to like an occasional reset...).

The IASSAM.log file has this:

[5708] 06-01 22:09:11:511: Processing output from EAP DLL.
[5708] 06-01 22:09:11:511: EAPACTION_Done
[5708] 06-01 22:09:11:511: Translating attributes returned by EAP DLL.
[5708] 06-01 22:09:11:511: Inserting attribute 4140
[5708] 06-01 22:09:11:511: Inserting attribute 4141
[5708] 06-01 22:09:11:511: Inserting attribute 8097
[5708] 06-01 22:09:11:511: Inserting attribute 8097
[5708] 06-01 22:09:11:511: Inserting attribute 8097
[5708] 06-01 22:09:11:511: EAP authentication succeeded.
[5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
[5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
[5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
[5708] 06-01 22:09:11:511: RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)

256 = "discard" according to Authif.h in PSDK.
RC = 14 = "Not Enough Storage" if it is a stock error code.

Is there anywhere where it will indicate who or what has declined and why?

Many Thanks.

- Tim

Some more stuff from logs in case it is of use:

From RASTLS.Log:

:09:02:828: EapTlsSMakeMessage
[1496] 22:09:02:828: MakeReplyMessage
[1496] 22:09:02:828: SecurityContextFunction
[1496] 22:09:03:049: AcceptSecurityContext returned 0x0
[1496] 22:09:03:049: AuthenticateUser
[1496] 22:09:03:049: FGetEKUUsage
[1496] 22:09:03:049: FCheckPolicy
[1496] 22:09:03:049: FCheckPolicy done.
[1496] 22:09:03:049: CheckUserName
[1496] 22:09:03:049: CreateOIDAttributes
[1496] 22:09:03:049: CreateMPPEKeyAttributes
[1496] 22:09:03:059: State change to SentFinished
[1496] 22:09:03:059: BuildPacket
[1496] 22:09:03:059: << Sending Request (Code: 1) packet: Id: 16, Length: 53, Type: 13, TLS blob length: 43. Flags: L
[5708] 22:09:11:511:
[5708] 22:09:11:511: EapTlsMakeMessage(MyDomain\Tim)
[5708] 22:09:11:511: >> Received Response (Code: 2) packet: Id: 16, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5708] 22:09:11:511: EapTlsSMakeMessage
[5708] 22:09:11:511: Negotiation successful
[5708] 22:09:11:511: BuildPacket
[5708] 22:09:11:511: << Sending Success (Code: 3) packet: Id: 16, Length: 4, Type: 0, TLS blob length: 0. Flags:
[5708] 22:09:11:511: AuthResultCode = (0), bCode = (3)
[5708] 22:09:11:511: EapTlsEnd
[5708] 22:09:11:511: EapTlsEnd(MyDomain\tim)

all other log files appear to have little of interest in them - either they are empty, have entries that do not relate by time or indicate success doing other things....

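Added example, not part of any post in this thread: a Python pass over IASSAM.log trace text that reports which extension DLL turned an "EAP authentication succeeded" into a discard, the correlation Tim did by eye above. The thread 6120 lines and `example_ext.dll` are constructed for the sample; the meaning of 256 is as reported in the post, and 2, 3 and 11 are the standard RADIUS packet codes.

```python
"""Triage IASSAM.log trace text: which IAS extension DLL overrode a successful EAP result?"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Trace line shape as quoted in the thread: "[thread] MM-DD HH:MM:SS:mmm: message"
TRACE = re.compile(r"^\[(\d+)\]\s+(\d\d-\d\d \d\d:\d\d:\d\d:\d{3}):\s*(.*)$")
INVOKE = re.compile(r"Invoking extension (\S+)")
RETURNED = re.compile(r"RadiusExtensionProcess2 returned (\d+)")
RESPONSE = re.compile(r"SetResponseType\((\d+)\)")

# 256 = discard comes from the post; 2/3/11 are RADIUS packet codes (RFC 2865).
RESPONSE_NAMES = {2: "accept", 3: "reject", 11: "challenge", 256: "discard"}

# Constructed sample: thread 5708 is the excerpt from the post (last line wrapped the
# way a news client wraps it); thread 6120 and example_ext.dll are made up.
SAMPLE = """\
[5708] 06-01 22:09:11:511: Processing output from EAP DLL.
[5708] 06-01 22:09:11:511: EAPACTION_Done
[5708] 06-01 22:09:11:511: EAP authentication succeeded.
[6120] 06-01 22:09:11:520: Processing output from EAP DLL.
[5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
[5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
[6120] 06-01 22:09:11:520: EAP authentication succeeded.
[6120] 06-01 22:09:11:521: Invoking extension example_ext.dll
[5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
[6120] 06-01 22:09:11:521: RadiusExtensionProcess2 returned 0
[5708] 06-01 22:09:11:511:
RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)
"""


@dataclass
class ExtensionCall:
    thread: str
    timestamp: str
    dll: str
    eap_succeeded: bool
    return_code: Optional[int] = None
    response_type: Optional[int] = None

    @property
    def response_name(self) -> str:
        return RESPONSE_NAMES.get(self.response_type, str(self.response_type))

    @property
    def overrode_success(self) -> bool:
        """True when EAP had succeeded but the extension failed or forced reject/discard."""
        failed = self.return_code not in (None, 0)
        return self.eap_succeeded and (failed or self.response_type in (3, 256))


def unwrap(text: str) -> List[str]:
    """Re-join lines that were wrapped in transit: a line without a [thread] prefix
    continues the previous record."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TRACE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def extension_calls(text: str) -> List[ExtensionCall]:
    """Track state per thread id, since IAS worker threads interleave in the trace."""
    eap_ok: Dict[str, bool] = {}
    open_call: Dict[str, ExtensionCall] = {}
    calls: List[ExtensionCall] = []
    for record in unwrap(text):
        m = TRACE.match(record)
        if not m:
            continue  # truncated or foreign line, e.g. a clipped first line
        tid, ts, msg = m.groups()
        if "Processing output from EAP DLL" in msg:
            eap_ok[tid] = False          # a new EAP result is being handled on this thread
            open_call.pop(tid, None)
        elif "EAP authentication succeeded" in msg:
            eap_ok[tid] = True
        elif (inv := INVOKE.search(msg)):
            call = ExtensionCall(tid, ts, inv.group(1), eap_ok.get(tid, False))
            open_call[tid] = call
            calls.append(call)
        elif tid in open_call:
            if (ret := RETURNED.search(msg)):
                open_call[tid].return_code = int(ret.group(1))
            elif (resp := RESPONSE.search(msg)):
                open_call[tid].response_type = int(resp.group(1))
    return calls


def suspects(text: str) -> List[ExtensionCall]:
    return [c for c in extension_calls(text) if c.overrode_success]


if __name__ == "__main__":
    for c in suspects(SAMPLE):
        print(f"{c.timestamp} thread {c.thread}: {c.dll} returned {c.return_code}, "
              f"response type {c.response_type} ({c.response_name}) after EAP success")
```
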
From: Carl DaVault [MSFT] on 9 Jun 2005 14:10

You have a 3rd party RADIUS/IAS DLL installed - sounds like it's causing the lost packet.

Please see this article.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ias/ias/ias_start_page.asp

Hope this helps.

--
Standard Disclaimers -
This posting is provided "AS IS" with no warranties, and confers no rights. Please do not send e-mail directly to this alias. This alias is for newsgroup purposes only.

From: Tim on 10 Jun 2005 07:12

Carl,

I don't see how a 3rd party DLL could be there unless that extension DLL was supplied by MS as I have not any 3rd party software.

I appreciate that the machine is probably not a recommended config, but its purpose is partly business (My own) and to understand how to implement such systems at customer sites...

I will check through the DLL's that can be configured in ISA server. In ISA, I recall there are some special RSA and other DLL's that may have some influence???????? Perhaps that's it... However logic tells me it is quite sensible to have ISA on the same machine.

The joys of computers :)

Thanks for the reference. I'll have a good read of it.

Thanks.

- Tim