Raj
2008-05-01 01:50:12 UTC
We have a strange situation whereby some wireless clients are connecting AOK
but some aren't.
The ones that work show up in the IAS log as -
User domain\jbloggs was granted access.
Fully-Qualified-User-Name = domain/jbloggs
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Client-Friendly-Name = WLAN
Client-IP-Address = 10.1.203.249
Calling-Station-Identifier = 00-18-4D-77-B6-61
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Administrators
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
The ones that don't work show up in the IAS log as -
User 00:19:d2:b9:45:1a was denied access.
Fully-Qualified-User-Name = domain\00:19:d2:b9:45:1a
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Called-Station-Identifier = 00-0b-85-73-61-f0:TEC
Calling-Station-Identifier = 00-19-d2-b9-45-1a
Client-Friendly-Name = WLAN
Client-IP-Address = 10.1.203.249
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Unauthenticated
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.
So the systems (XP SP2 laptops) that don't work appear to be sending their
wireless MAC address rather than the userid of the person logging in. IAS is
configured to authorise any connecting system/person in a particular AD
group. We're also using MS-CHAPv2 & PEAP w/ a VeriSign cert.
This is something new that's cropped up - just wondering if anyone else has
seen this before? Or whether a system update/patch could be causing this?
Cheers,
Raj.
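
An added example, not part of the original post: a small Python triage script that picks out, from IAS event text in the format quoted above, denied requests where the user name is the client's own MAC address (matching Calling-Station-Identifier) and no EAP method was negotiated. The sample log is constructed from fields in the post, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the IAS event text quoted in the post.
SAMPLE = """\
User domain\\jbloggs was granted access.
Fully-Qualified-User-Name = domain/jbloggs
Calling-Station-Identifier = 00-18-4D-77-B6-61
Authentication-Type = PEAP
User 00:19:d2:b9:45:1a was denied access.
Fully-Qualified-User-Name = domain\\00:19:d2:b9:45:1a
Calling-Station-Identifier = 00-19-d2-b9-45-1a
Authentication-Type = Unauthenticated
EAP-Type = <undetermined>
Reason-Code = 8
"""

HEADER = re.compile(r"^User (?P<user>\S+) was (?P<result>granted|denied) access\.$")
MAC = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.I)

def norm_mac(value):
    """Return 12 lowercase hex digits if value is a MAC address, else None."""
    return re.sub(r"[:-]", "", value).lower() if MAC.match(value) else None

def parse_events(text):
    """Split IAS event text into dicts, one per 'User ... was ... access.' header."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            events.append({"User": m["user"], "Result": m["result"]})
        elif events and " = " in line:
            key, _, val = line.partition(" = ")
            events[-1][key.strip()] = val.strip()
    return events

def mac_as_username(events):
    """Denied requests whose User-Name is the client's own MAC and carried no EAP."""
    hits = []
    for ev in events:
        user = norm_mac(ev["User"].split("\\")[-1])  # drop any DOMAIN\ prefix
        station = norm_mac(ev.get("Calling-Station-Identifier", ""))
        if (ev["Result"] == "denied" and user and user == station
                and ev.get("Authentication-Type") == "Unauthenticated"):
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for ev in mac_as_username(parse_events(SAMPLE)):
        print(ev["User"], "Reason-Code", ev.get("Reason-Code"))
```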