Discussion:
IAS Errors
Tim
2009-04-02 14:25:01 UTC
I have 8 VPN users authenticating through a CheckPoint firewall over RADIUS
to one of 2 IAS Servers, both of which are domain controllers. Simply put,
when people succeed, and 7 of them do, the following or similar message gets
put in the system log of the IAS server...

"Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 3/17/2009
Time: 10:46:50 AM
User: N/A
Computer: PDC Emulator & IAS Server computer name
Description:
User jonesm was granted access.
Fully-Qualified-User-Name = internal.domainname/Users/Margaret Jones
NAS-IP-Address = 192.168.102.1
NAS-Identifier = <not present>
Client-Friendly-Name = Firewall Host Name
Client-IP-Address = 192.168.100.252
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Our Standard RADIUS Policy
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00"

Note the Fully-Qualified-User-Name and correct Policy-Name being present.
The user name smells like DNS being resolved, and this makes sense to me.
Now here's what happens to the one user that has 50% success and 50% failure.

"Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 3/16/2009
Time: 7:43:09 PM
User: N/A
Computer: Same PDC emulator and IAS server computer name
Description:
User doed was denied access.
Fully-Qualified-User-Name = domainnetbiosname\doed
NAS-IP-Address = 192.168.102.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = Firewall Host Name
Client-IP-Address = 192.168.100.252
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 36
Reason = The user account is currently locked and cannot be authenticated.
Only a person with administrative rights for either the computer or the
domain can unlock the user account.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 75 07 07 80"

Note the NetBIOS resolution and lack of Policy-Name. Why in the world would
this happen? No, they are not really locked out. The message is absolutely
LYING! Thoughts?
Wayne Tilton
2009-04-02 15:11:59 UTC
Don't be so sure the account isn't 'locked'. We have an extensive
EAP/TLS wireless deployment, and about half a dozen times over the last
couple of years we've had issues with users who got this error, yet
looking at their account in AD U&C they don't show locked. However,
looking at the userAccountControl attribute showed it set to 528 (Normal
Account + Lockout). Resetting userAccountControl to 512 has resolved the
issue every time.

HTH
Wayne Tilton
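As an added example (not code from the thread or from IAS), here is a small Python helper that decodes the userAccountControl value Wayne describes (528 = NORMAL_ACCOUNT 0x200 + LOCKOUT 0x10) and parses an IAS event description like the ones Tim posted, flagging the NetBIOS versus canonical user-name form and Reason-Code 36. The flag bits are Microsoft's documented values, the sample event text is constructed from the thread's denied event, and the triage hints are this example's own suggestions.

```python
import re

# Subset of userAccountControl bit flags (Microsoft's documented values).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
LOCKOUT = 0x0010

def decode_uac(value):
    """Names of the bits set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def clear_lockout(value):
    """The same value with only the LOCKOUT bit cleared (528 -> 512)."""
    return value & ~LOCKOUT

def parse_ias_event(text):
    """Parse the outcome line and the 'Name = Value' lines of an IAS event description."""
    attrs = {k: v.strip() for k, v in re.findall(r"^([\w-]+) = (.*)$", text, re.M)}
    m = re.search(r"^User (\S+) was (granted|denied) access", text, re.M)
    attrs["User"], attrs["Outcome"] = (m.group(1), m.group(2)) if m else (None, None)
    fqun = attrs.get("Fully-Qualified-User-Name", "")
    # Canonical form (dns.domain/OU/Name) versus NetBIOS form (DOMAIN\user).
    attrs["Name-Form"] = "canonical" if "/" in fqun else "netbios" if "\\" in fqun else "unknown"
    return attrs

def triage(text, uac_value):
    """Combine an event with the account's userAccountControl to pick the next check
    (the hint strings are this example's suggestions, not IAS output)."""
    ev = parse_ias_event(text)
    if ev["Outcome"] == "granted":
        return "ok"
    if ev.get("Reason-Code") == "36" and uac_value & LOCKOUT:
        return "LOCKOUT bit set in userAccountControl; clear it (e.g. 528 -> 512)"
    if ev.get("Reason-Code") == "36":
        return "Reason 36 but LOCKOUT bit clear; re-read userAccountControl on each DC"
    return "denied, Reason-Code " + ev.get("Reason-Code", "<undetermined>")

# Constructed sample modelled on the denied event in the thread.
DENIED_EVENT = """User doed was denied access.
Fully-Qualified-User-Name = domainnetbiosname\\doed
NAS-IP-Address = 192.168.102.1
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
Reason-Code = 36
Reason = The user account is currently locked and cannot be authenticated."""
```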
Tim
2009-04-22 19:28:06 UTC
Yeah, already checked that. On most occasions the NetBIOS type of resolution
always fails, versus the DNS FQDN name spelled-out style succeeds in a good
VPN connection. I should have added that very rarely does the error state
that the account is locked out. I wonder if there's a way to avoid the
NetBIOS domain resolution form of authentication.