Troubleshooting IAS Authentication and Authorization


To troubleshoot the most common issues with IAS authentication and authorization, verify the following:

  • The wireless AP can reach the IAS servers.

    To test this, try to ping the IP address of the wireless AP's interface on the wired network from each of the IAS servers. Additionally, ensure that Internet Protocol security (IPSec) policies, IP packet filters, and other mechanisms that restrict network traffic are not preventing the exchange of RADIUS messages between the wireless AP and its configured IAS servers. RADIUS traffic to the IAS servers uses a source IP address of the wireless AP, a destination IP address of the IAS server, and a destination User Datagram Protocol (UDP) port of 1812 for authentication messages and destination UDP port 1813 for accounting messages. RADIUS traffic from the IAS servers uses a source IP address of the IAS server, a destination IP address of the wireless AP, and a source UDP port of 1812 for authentication messages and source UDP port 1813 for accounting messages. These examples assume that you are using the RADIUS UDP ports defined in RFCs 2865 and 2866 for RADIUS authentication and accounting traffic.

  • Each IAS server/wireless AP pair is configured with a common RADIUS shared secret.

    Each IAS server/wireless AP pair does not have to use a unique RADIUS shared secret, but both sides of a pair must be configured with the same value. For example, when you copy the IAS configuration from one IAS server to another, the shared secret that the source IAS server uses for a given wireless AP is carried over to the destination IAS servers, so that same secret must be the one configured on the wireless AP for each destination IAS server/wireless AP pair.
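The two checks above (RADIUS reachability through any filters, and an agreeing shared secret) can be exercised together with a single Access-Request. The following Python probe is an added example, not code from the book or from IAS: it builds an RFC 2865 Access-Request with a PAP User-Password, sends it to UDP 1812, and verifies the Response Authenticator of whatever comes back. No reply points at filtering or reachability (RFC 2865 also requires a server to silently discard requests from a client it has no shared secret configured for), while a reply whose authenticator does not verify points at a shared-secret mismatch. The server address, NAS address, account name and secret are placeholders.

```python
"""Minimal RFC 2865 Access-Request builder and Response Authenticator checker.

Added example for troubleshooting a NAS/IAS pair; not part of the book or of IAS.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
RADIUS_AUTH_PORT = 1812   # RFC 2865 authentication port
RADIUS_ACCT_PORT = 1813   # RFC 2866 accounting port
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def _attr(atype, value):
    """Encode one attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_user_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_user_password(cipher, secret, request_auth):
    """Inverse of encrypt_user_password: what the RADIUS server does on receipt."""
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Return (packet, request_authenticator) for a PAP-style Access-Request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: the Access-Accept/Reject a server with this secret would send."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """Return (code, authenticator_ok). False means the shared secret differs
    from the server's (or the packet was altered), whatever the code says."""
    if len(packet) < 20:
        return None, False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return code, False
    attrs = packet[20:length]
    expected = response_authenticator(code, identifier, attrs, request_auth, secret)
    return code, hmac.compare_digest(expected, packet[4:20])


def probe_ias(server_ip, username, password, secret, nas_ip, port=RADIUS_AUTH_PORT, timeout=3.0):
    """Send one Access-Request to an IAS server and classify the outcome."""
    packet, request_auth = build_access_request(1, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-reply"          # filtered path, or this source IP is not a registered client
    code, ok = verify_response(data, request_auth, secret)
    if not ok:
        return "bad-authenticator"     # shared secret on this host differs from the one on IAS
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "code-%d" % code)


if __name__ == "__main__":
    # Placeholder values: substitute a lab IAS server, a registered client address, and a test account.
    print(probe_ias("192.0.2.10", b"testuser", b"P@ssw0rd", b"shared-secret", "192.0.2.20"))
```

Run the probe from a host whose address is registered on the IAS server as a RADIUS client with the same secret. An Access-Reject whose authenticator verifies still proves both reachability and an agreeing secret; the reject itself may only mean that the remote access policy does not permit PAP, which this probe uses because it needs no EAP state.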

  • The IAS servers can reach a global catalog server and an Active Directory domain controller.

    The IAS server uses a global catalog server to resolve the user principal name (UPN) of the computer or user certificate or the Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2) account name to the distinguished name of the corresponding account in Active Directory. The IAS server uses an Active Directory domain controller to validate the credentials of the computer and user account and obtain account properties to evaluate authorization.

  • The computer accounts of the IAS servers are members of the RAS and IAS Servers security group for the appropriate domains.

    Adding the IAS server computer accounts to the RAS and IAS Servers security group for the appropriate domains is normally done during the initial configuration of the IAS server. To add the IAS server computer account to the appropriate domains, you can use the netsh ras add registeredserver command.

  • The user or computer account is not locked out, expired, or disabled; or the time the connection is being made corresponds to the permitted logon hours.

  • The user account has not been locked out by remote access account lockout.

    Remote access account lockout is an authentication counting and lockout mechanism designed to prevent an online dictionary attack against a user's password. If remote access account lockout is enabled, you can reset account lockout for the account by deleting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Access\Parameters\AccountLockout\DomainName:AccountName registry value on the IAS server.

More Info
For more information about remote access account lockout, see Chapter 4.

  • The connection is authorized. For authorization, the parameters of the connection attempt must:

    • Match all the conditions of at least one remote access policy.

    • Be granted remote access permission through the user account (set to Allow Access), or if the user account has the Control Access Through Remote Access Policy option selected, the remote access permission of the first matching remote access policy must be set to Grant Remote Access Permission.

    • Match all the settings of the profile. Verify that the authentication settings of the profile have EAP-TLS or PEAP-MS-CHAP v2 enabled and properly configured.

    • Match all the settings of the dial-in properties of the user or computer account.

      To obtain the name of the remote access policy that rejected the connection attempt, ensure that IAS event logging is enabled for rejected authentication attempts and use the Event Viewer to view the events that have the Source of IAS and Event ID set to 2. In the text of the event message, look for the remote access policy name in the Policy-Name field.

  • If you have just changed your Active Directory domain from mixed-mode to native-mode, IAS servers can no longer authenticate valid connection requests. You must restart every domain controller in the domain in order for the change to replicate.
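When many connection attempts are being rejected, reading Event ID 2 messages one at a time in Event Viewer is slow. The following Python script is an added example (not from the book): it parses the "Field = Value" lines of exported IAS rejection event text, pulls out the Policy-Name and Reason fields the authorization checklist above tells you to look for, and tallies rejections per policy and reason. The line layout is assumed from the event text format the chapter describes, and the three sample events are constructed, not real log data.

```python
"""Triage exported IAS Event ID 2 (rejected authentication) text by policy and reason.

Added example, not from the book. The 'Field = Value' line layout is assumed to
match the IAS event text; SAMPLE_EVENTS below are constructed, not real events.
"""
import re
from collections import Counter

# Constructed sample: three rejection messages as they might be copied out of Event Viewer.
SAMPLE_EVENTS = [
    """User CORP\\jdoe was denied access.
 Fully-Qualified-User-Name = corp.example/Users/jdoe
 NAS-IP-Address = 192.0.2.20
 Client-Friendly-Name = WAP-Floor2
 Policy-Name = Wireless employees
 Authentication-Type = EAP
 Reason = The specified user account does not exist.""",
    """User CORP\\asmith was denied access.
 Fully-Qualified-User-Name = corp.example/Users/asmith
 NAS-IP-Address = 192.0.2.21
 Client-Friendly-Name = WAP-Floor3
 Policy-Name = Wireless employees
 Authentication-Type = EAP
 Reason = The user's remote access permission is set to Deny.""",
    """User CORP\\contractor1 was denied access.
 Fully-Qualified-User-Name = corp.example/Users/contractor1
 NAS-IP-Address = 192.0.2.20
 Client-Friendly-Name = WAP-Floor2
 Policy-Name = Wireless contractors
 Authentication-Type = EAP
 Reason = The user's logon hours do not permit access at this time.""",
]

# One "Field = Value" line; the leading "User ... was denied access." sentence has no "=".
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_event_text(text):
    """Turn the 'Field = Value' lines of one event message into a dict."""
    fields = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def summarise_rejections(event_texts):
    """Count rejections per (Policy-Name, Reason) so the rejecting policy and the
    most common cause stand out; '<none>' marks a message missing that field."""
    counts = Counter()
    for text in event_texts:
        fields = parse_event_text(text)
        key = (fields.get("Policy-Name", "<none>"), fields.get("Reason", "<none>"))
        counts[key] += 1
    return counts


def policies_rejecting_user(event_texts, user_fragment):
    """Policy names from events whose Fully-Qualified-User-Name contains user_fragment."""
    result = []
    for text in event_texts:
        fields = parse_event_text(text)
        if user_fragment in fields.get("Fully-Qualified-User-Name", ""):
            result.append(fields.get("Policy-Name", "<none>"))
    return result


if __name__ == "__main__":
    for (policy, reason), n in summarise_rejections(SAMPLE_EVENTS).most_common():
        print("%3d  %-22s %s" % (n, policy, reason))
```

To use it on real data, save the text of each Event ID 2 message (Source IAS) to a file and pass the list of file contents to summarise_rejections in place of SAMPLE_EVENTS.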



Deploying Secure 802.11 Wireless Networks with Microsoft Windows
ISBN: 0735619395
Year: 2000
Pages: 123
Authors: Joseph Davies
