Discussion:
Oddball IAS Issue - sees login ID as MAC and fails to auth wireless
Raj
2008-05-01 01:50:12 UTC
We have a strange situation whereby some wireless clients are connecting AOK
but some aren't.

The ones that work show up in the IAS log as -

User domain\jbloggs was granted access.
Fully-Qualified-User-Name = domain/jbloggs
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Client-Friendly-Name = WLAN
Client-IP-Address = 10.1.203.249
Calling-Station-Identifier = 00-18-4D-77-B6-61
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless Administrators
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

The ones that don't work show up in the IAS log as -

User 00:19:d2:b9:45:1a was denied access.
Fully-Qualified-User-Name = domain\00:19:d2:b9:45:1a
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Called-Station-Identifier = 00-0b-85-73-61-f0:TEC
Calling-Station-Identifier = 00-19-d2-b9-45-1a
Client-Friendly-Name = WLAN
Client-IP-Address = 10.1.203.249
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = Unauthenticated
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.

So the systems (XP SP2 laptops) that don't work appear to be sending their
wireless MAC address rather than the userid of the person logging in. IAS is
configured to authorise any connecting system/person in a particular AD
group. We're also using MS-CHAPv2 & PEAP w/ a Verisign cert.

This is something new that's cropped up - just wondering if anyone else has
seen this before? Or whether a system update/patch could be causing this?

Cheers,
Raj.
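The two log excerpts above differ in more than the user name: the denied request arrives with Authentication-Type = Unauthenticated and no EAP-Type at all, and the identity it carries is the same value as its own Calling-Station-Identifier, only with a different delimiter. As an added example (not part of the original thread, and not Cisco or Microsoft code), the following Python script parses IAS event text of this shape, normalises MAC delimiters and the domain prefix, and flags requests whose user name is the client's own MAC and that never completed EAP. The two sample events are constructed from the excerpts quoted in the post (abridged to the attributes the check needs); the attribute names are the ones IAS writes, but the parser assumes the "Name = Value" layout shown there.

```python
import re
from typing import Dict, List

# Constructed sample input: the two IAS event texts quoted in the post (abridged),
# one granted (PEAP / EAP-MSCHAP v2) and one denied where User-Name is a MAC address.
SAMPLE_EVENTS: List[str] = [
    r"""User domain\jbloggs was granted access.
Fully-Qualified-User-Name = domain/jbloggs
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Calling-Station-Identifier = 00-18-4D-77-B6-61
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = Wireless Administrators
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)""",
    r"""User 00:19:d2:b9:45:1a was denied access.
Fully-Qualified-User-Name = domain\00:19:d2:b9:45:1a
NAS-IP-Address = 10.1.203.249
NAS-Identifier = WLAN
Called-Station-Identifier = 00-0b-85-73-61-f0:TEC
Calling-Station-Identifier = 00-19-d2-b9-45-1a
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = <undetermined>
Authentication-Type = Unauthenticated
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist.""",
]

# First line of every IAS event: "User <name> was granted|denied access."
HEADER_RE = re.compile(r"^User (?P<user>.+?) was (?P<verdict>granted|denied) access\.$")
# Six hex octets with optional ':' '-' or '.' delimiters (covers both spellings in the log).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:\-.]?){5}[0-9A-Fa-f]{2}$")


def parse_event(text: str) -> Dict[str, str]:
    """Turn one IAS event text into an attribute -> value dict.
    The header line becomes the synthetic keys 'User' and 'Verdict'."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError(f"unrecognised IAS header: {lines[0]!r}")
    attrs = {"User": m.group("user"), "Verdict": m.group("verdict")}
    for line in lines[1:]:
        key, sep, value = line.partition(" = ")
        if sep:
            attrs[key] = value
    return attrs


def normalise_mac(value: str) -> str:
    """Drop delimiters and case so 00-19-d2-b9-45-1a == 00:19:D2:B9:45:1A."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def strip_realm(fqun: str) -> str:
    """Remove the 'domain\\' or 'domain/' prefix IAS puts on Fully-Qualified-User-Name."""
    return re.split(r"[\\/]", fqun)[-1]


def classify(attrs: Dict[str, str]) -> str:
    """'mac-as-username' when the identity is the station's own MAC,
    'mac-like-username' when it is a MAC but not this station's,
    'user-credential' otherwise."""
    user = strip_realm(attrs.get("Fully-Qualified-User-Name", attrs["User"]))
    calling = attrs.get("Calling-Station-Identifier", "")
    if MAC_RE.match(user):
        return "mac-as-username" if normalise_mac(user) == normalise_mac(calling) else "mac-like-username"
    return "user-credential"


def triage(event_texts: List[str]) -> List[Dict[str, str]]:
    """One summary row per event."""
    rows = []
    for text in event_texts:
        a = parse_event(text)
        rows.append({
            "user": a["User"],
            "verdict": a["Verdict"],
            "kind": classify(a),
            "auth_type": a.get("Authentication-Type", "<undetermined>"),
            "eap_type": a.get("EAP-Type", "<undetermined>"),
            "reason_code": a.get("Reason-Code", ""),
        })
    return rows


def suspicious(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Denied requests whose identity is the client's own MAC and that never ran EAP.
    The failure is in what the NAS presented to IAS, not in the user's AD account."""
    return [r for r in rows
            if r["verdict"] == "denied" and r["kind"] == "mac-as-username"
            and r["eap_type"] == "<undetermined>"]


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
    for row in suspicious(triage(SAMPLE_EVENTS)):
        print(f"NAS sent station MAC as identity, no EAP: {row['user']} (Reason-Code {row['reason_code']})")
```

Run as-is it reports the denied entry as "mac-as-username" with no EAP type; pointed at an export of many events it separates failures where the controller presented the station MAC as the identity from ordinary bad-credential failures, which is the first question the thread is trying to answer.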
S. Pidgorny <MVP>
2008-05-01 09:36:41 UTC
Using Cisco wireless controllers or just access points?
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Raj
2008-05-01 18:52:00 UTC
Yes - a Cisco WLAN 4400 controller and two models of Cisco APs.

Initially I thought the Cisco or Airtight controller was denying access at a
MAC level but this wasn't the case - it was IAS.
S. Pidgorny <MVP>
2008-05-05 08:47:26 UTC
I don't know why, but the Cisco controllers sometimes send the MAC as the user
name. Will check the configuration and get back here.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Prashant Siemens
2008-05-06 12:13:35 UTC
Hi Raj,

If you compare both the access GRANTED and the access DENIED entries,

you will see that the policies are not set properly on your RADIUS side as well as on the client side.

1. It shows the policy for the Windows user base, whereas for the denied one it
is showing that it is for the MAC base.

For this, go to the wireless LAN and set it to use the Windows login.

2. Called-Station-Identifier = 00-0b-85-73-61-f0:TEC
Calling-Station-Identifier = 00-19-d2-b9-45-1a

So these policies show it is set for another client, but the same is not
applicable for the granted user.

I think you need to set the policies in the proper way: if you are creating a
user-based policy, you should have that user created in your RADIUS.

Kindly check the policies from both ends, SERVER as well as CLIENT.