802.1x authentication issues.

May 31, 2005 4:03:12 AM

Archived from groups: microsoft.public.windows.networking.wireless

Hi,

I am trying to retrench an existing Windows 2003 Server configured for
802.11x. As far as I can tell, the new server is configured the same as the
old - with minor exceptions such as the Old has CertServices, the new does
not. The old has ISA 2000, the new has 2004 and is otherwise going ok. There
are no Denied connections in the ISA Logs. I have installed a copy of the
machine key for the machine being authenticated below into the cert store in
the new machine and using certservices I have loaded into the new DC all the
certificates that seem to be loadable. I can log on to the network while the
old server is offline.

If I change the radius server address in the WAP with the new server address
I get the following event log record:

Access request for user Me@Here.com was discarded.
Fully-Qualified-User-Name = ... my user name...
NAS-IP-Address = 192.168.99.254
NAS-Identifier = default
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 00-0e-35-2b-7c-04
Client-Friendly-Name = Wireless Modem
Client-IP-Address = 192.168.99.254
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>

Reason-Code = 9
Reason = The request was discarded by a third-party extension DLL file.
____

If the RADIUS server IP is left pointing to the old server the wireless
connection succeeds ok. The failure is after Packet ID 10 is processed
during the client during Authentication (RASTLS.log file). I cannot see
anything that makes sense re: this error in any of the Trace files for RRAS.
After Packet ID 10, the client goes back to Validating Identity and gets
stuck there.

The config is: Windows 2003 Server with SP1, RRAS, IAS, ISA, MS Exchange.

Thanks in advance to anyone that can help.

- Tim
Anonymous
May 31, 2005 5:03:30 PM

Was there a third-party EAP type installed on the system at any point?
What is the Remote Access Policy configuration for the RAS Host?
What access points are you using?

--
Jerry Peterson
Windows Network Services - Wireless

This posting is provided "AS IS" with no warranties, and confers no rights.
June 2, 2005 3:02:50 AM

Hi,

3rd party EAP type installed? No idea. This is a stock Windows 2003 SP1
server with MS Anti Spyware, Windows support tools IAS, RRAS, CertServices
(now) MS Exchange 2004, DHCP, DNS, and ISA 2004. I can't see anything
occurring in ISA server traces that would indicate it is blocking.

The certificate listed below now is a new cert generated last night - it is
a WWW cert (IE server authentication). The cert service does not have a
legitimate CA cert - it was self issued. Such a cert has worked on the other
server before.

Q: Are there certificate key length restrictions?

The RRAS Access Policy is as follows:

Order = 1
Name = Allow Wireless Users
Policy Conditions:
If the user is a member of the "My VPN Users" group
Grant Access.
(The user is me, and I am).

Profile:
IP - Client may request an IP Address
No input or output filters.
Multilink: Server settings determine Multilink usage
BAP is not ticked and defaults.
Authentication
EAP Methods Command shows:
Smart Card or Other Certificate
a Certificate for this domain is listed and expires in 2
years.
PEAP
a certificate is listed and is the same as above...
Enable Fast Reconnect
EAP Types
Smart Card or Other Certificate
same certificate as above.
Secured Password (EAP-MSCHAP-V2)
Retry = 2
Allow client to change password.
MS CHAP-V2 is ticked
User can change password after it has expired ticked.

Order = 2
Name = Allow Wireless Computers
If the NAS-Port-Type matches "Wireless - IEEE 802.11" AND
Windows-Groups matches "domain name\Wireless Computers"
Grant Access. (ditto: both machines are and have worked previously)

As above.

Machine right click Properties (by tab)
General:
Router
LAN routing only
Security
Authentication Provider:
Radius Authentication
Configure:
Server = self.domainname, (ie this machine/domain)
Secret = <null> (ie none)
Initial Score = 29
Always use message authenticator is Off,
Timeout = 5,
Port = 1812
Accounting Provider: None
Allow custom IPSec policy... No.
IP:
Enable Ip Forwarding ticked.
Allow IP based remote access and demand dial connections: ticked.
Enable broadcast name resolution: unticked.
Use the following adapter for DHCP / DNS / Wins Addresses...
LAN ( this is the subnet for all devices around here).
PPP
Defaults
Logging
Log all events and Log Additional...

The access point is a D-Link Airplus G+. This was working off the other DC
machine in the same domain without issues (apart from seeming to like an
occasional reset...).

The IASSAM.log file has this:
[5708] 06-01 22:09:11:511: Processing output from EAP DLL.
[5708] 06-01 22:09:11:511: EAPACTION_Done
[5708] 06-01 22:09:11:511: Translating attributes returned by EAP DLL.
[5708] 06-01 22:09:11:511: Inserting attribute 4140
[5708] 06-01 22:09:11:511: Inserting attribute 4141
[5708] 06-01 22:09:11:511: Inserting attribute 8097
[5708] 06-01 22:09:11:511: Inserting attribute 8097
[5708] 06-01 22:09:11:511: Inserting attribute 8097
[5708] 06-01 22:09:11:511: EAP authentication succeeded.
[5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
[5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
[5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
[5708] 06-01 22:09:11:511: RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)

256 = "discard" according to Authif.h in PSDK.
RC = 14 = "Not Enough Storage" if it is a stock error code.

Is there anywhere where it will indicate who or what has declined and why?

Many Thanks.

- Tim

Some more stuff from logs in case it is of use:
From RASTLS.Log:
:09:02:828: EapTlsSMakeMessage
[1496] 22:09:02:828: MakeReplyMessage
[1496] 22:09:02:828: SecurityContextFunction
[1496] 22:09:03:049: AcceptSecurityContext returned 0x0
[1496] 22:09:03:049: AuthenticateUser
[1496] 22:09:03:049: FGetEKUUsage
[1496] 22:09:03:049: FCheckPolicy
[1496] 22:09:03:049: FCheckPolicy done.
[1496] 22:09:03:049: CheckUserName
[1496] 22:09:03:049: CreateOIDAttributes
[1496] 22:09:03:049: CreateMPPEKeyAttributes
[1496] 22:09:03:059: State change to SentFinished
[1496] 22:09:03:059: BuildPacket
[1496] 22:09:03:059: << Sending Request (Code: 1) packet: Id: 16, Length: 53, Type: 13, TLS blob length: 43. Flags: L
[5708] 22:09:11:511:
[5708] 22:09:11:511: EapTlsMakeMessage(MyDomain\Tim)
[5708] 22:09:11:511: >> Received Response (Code: 2) packet: Id: 16, Length: 6, Type: 13, TLS blob length: 0. Flags:
[5708] 22:09:11:511: EapTlsSMakeMessage
[5708] 22:09:11:511: Negotiation successful
[5708] 22:09:11:511: BuildPacket
[5708] 22:09:11:511: << Sending Success (Code: 3) packet: Id: 16, Length: 4, Type: 0, TLS blob length: 0. Flags:
[5708] 22:09:11:511: AuthResultCode = (0), bCode = (3)
[5708] 22:09:11:511: EapTlsEnd
[5708] 22:09:11:511: EapTlsEnd(MyDomain\tim)

all other log files appear to have little of interest in them - either they
are empty, have entries that do not relate by time or indicate success doing
other things....
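
An added example, not part of the original thread: the IASSAM.log excerpt in the post above shows EAP succeeding and an authorization extension then discarding the request. The Python below extracts that pattern from an IAS trace, joining wrapped lines and tracking each thread separately; thread 4100 and `example_ext.dll` in the sample are constructed for contrast and do not come from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "[thread] MM-DD HH:MM:SS:mmm: message", the shape of the IASSAM.log lines in the post.
PREFIX = re.compile(r"^\[(\d+)\]\s+(\d\d-\d\d \d\d:\d\d:\d\d:\d\d\d):\s*(.*)$")
INVOKE = re.compile(r"Invoking extension (\S+)")
RETURNED = re.compile(r"RadiusExtensionProcess2 returned (\d+)")
RESPONSE = re.compile(r"SetResponseType\((\d+)\)")
RC_DISCARD = 256  # "discard", per the post's reading of the PSDK header

# Thread 5708 lines are copied from the post (including the wrapped last line).
# Thread 4100 and example_ext.dll are constructed here to show a call that is
# interleaved with it and does not discard.
SAMPLE_LOG = r"""
[5708] 06-01 22:09:11:511: EAP authentication succeeded.
[4100] 06-01 22:09:11:511: EAP authentication succeeded.
[5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
[5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
[4100] 06-01 22:09:11:511: Invoking extension example_ext.dll
[5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
[4100] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 0
[5708] 06-01 22:09:11:511:
RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)
"""


@dataclass
class ExtensionCall:
    thread: str
    timestamp: str
    dll: str
    eap_succeeded: bool
    return_code: Optional[int] = None
    response_type: Optional[int] = None

    @property
    def discarded(self) -> bool:
        return self.response_type == RC_DISCARD


def read_entries(text: str) -> List[Tuple[str, str, str]]:
    """Split a trace into (thread, timestamp, message) entries.

    A line without the "[thread] timestamp:" prefix is treated as the wrapped
    tail of the entry directly before it and is joined onto that message.
    """
    entries: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PREFIX.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries:
            entries[-1][2] = (entries[-1][2] + " " + line).strip()
    return [(t, ts, msg) for t, ts, msg in entries]


def extension_calls(text: str) -> List[ExtensionCall]:
    """Pair each 'Invoking extension' line with the results logged on its thread."""
    calls: List[ExtensionCall] = []
    current: Dict[str, ExtensionCall] = {}  # thread id -> most recent call
    eap_ok: Dict[str, bool] = {}            # thread id -> EAP success seen
    for thread, ts, msg in read_entries(text):
        if "EAP authentication succeeded" in msg:
            eap_ok[thread] = True
        m = INVOKE.search(msg)
        if m:
            call = ExtensionCall(thread, ts, m.group(1), eap_ok.get(thread, False))
            current[thread] = call
            calls.append(call)
            continue
        call = current.get(thread)
        if call is None:
            continue
        m = RETURNED.search(msg)
        if m:
            call.return_code = int(m.group(1))
        m = RESPONSE.search(msg)
        if m:
            call.response_type = int(m.group(1))
    return calls


def discards_after_eap_success(text: str) -> List[ExtensionCall]:
    """Calls where authentication passed and an extension DLL then discarded."""
    return [c for c in extension_calls(text) if c.discarded and c.eap_succeeded]


if __name__ == "__main__":
    for c in discards_after_eap_success(SAMPLE_LOG):
        print(f"{c.timestamp} thread {c.thread}: {c.dll} returned "
              f"{c.return_code}, response type {c.response_type} (discard) "
              f"after EAP success")
```
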
Anonymous
June 9, 2005 3:10:13 PM

You have a 3rd party RADIUS/IAS DLL installed - sounds like it's causing the
lost packet.

Please see this article.

http://msdn.microsoft.com/library/default.asp?url=/libr...

Hope this helps.

--
Standard Disclaimers -
This posting is provided "AS IS" with no warranties,
and confers no rights. Please do not send e-mail directly
to this alias. This alias is for newsgroup purposes only.
Anonymous
June 10, 2005 5:13:50 PM

hello...
i have the same problem with Windows Server SBS 2003 sp1, isa 2004 sp1
and ias

Until yesterday I had 15 machines and SBS 2003 with ISA 2000 working
perfectly fine with wireless. The configuration was the following:

Cable internet / router / server nic2

server nic1/ switch / client pcs and wireless AP Dlink 2000+ with
radius.

All wireless clients could authenticate in AD

Today I installed ISA 2004 and couldn't connect to AD, it throws an error
message, then I did the configuration in ISA and in IAS

error:
Access request for user sergiofonseca was discarded.
Fully-Qualified-User-Name = xxx.local/MyBusiness/Users/SBSUsers/Sergio Fonseca
NAS-IP-Address = 192.168.16.4
NAS-Identifier = default
Called-Station-Identifier = <not present>
Calling-Station-Identifier = 0x-0x-ex-8x-dx-ax
Client-Friendly-Name = router
Client-IP-Address = 192.168.16.4
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 9
Reason = The request was discarded by a third-party extension DLL file.


Or:

Description: The VPN connection attempt by user xxx\iki from VPN client IP
address x0-xf-xa-x5-xc-x4 could not be established.
The failure is due to error: 0xc0040021

The strange thing is that the xp sp2 client asks for user and password and
if I hit it wrong it asks again and says it is wrong, but if I insert the
right one it doesn't ask for some time, seems to be stuck on something then
after some time it asks again to authenticate.

I need some help to fix this problem, thanks in advance.
June 11, 2005 3:12:26 AM

Carl,

I don't see how a 3rd party DLL could be there unless that extension DLL was
supplied by MS as I have not any 3rd party software. I appreciate that the
machine is probably not a recommended config, but its purpose is partly
business (My own) and to understand how to implement such systems at
customer sites...

I will check through the DLL's that can be configured in ISA server. In ISA,
I recall there are some special RSA and other DLL's that may have some
influence???????? Perhaps that's it... However logic tells me it is quite
sensible to have ISA on the same machine.

The joys of computers :) 

Thanks for the reference. I'll have a good read of it.

Thanks.

- Tim


"Carl DaVault [MSFT]" <carlda@online.microsoft.com> wrote in message
news:ux9o85RbFHA.2128@TK2MSFTNGP14.phx.gbl...
> You have a 3rd party RADIUS/IAS DLL installed - sounds like it's causing
> the lost packet.
>
> Please see this article.
>
> http://msdn.microsoft.com/library/default.asp?url=/libr...
>
> Hope this helps.
>
> --
> Standard Disclaimers -
> This posting is provided "AS IS" with no warranties,
> and confers no rights. Please do not send e-mail directly
> to this alias. This alias is for newsgroup purposes only.
June 13, 2005 9:45:25 PM

If you come across a solution faster than MS does, could you please post
back. This is a pain.

MS: Do I have to repeat that there is nothing on the box other than MS
Software? That if a 3rd party dll is rejecting the connect then MS is a
third party unto itself. I checked the add ins in ISA Server and all are
listed now as Vendor: Microsoft.

Please, even a (preferably strong, specific, pointed) hint would do....

- Tim



"boogiept" <boogiept@gmail.com> wrote in message
news:1118434430.815240.246060@z14g2000cwz.googlegroups.com...
> hello...
> i have the same problem with Windows Server SBS 2003 sp1, isa 2004 sp1
> and ias
>
> Until yesterday I had 15 machines and SBS 2003 with ISA 2000 working
> perfectly fine with wireless. The configuration was the following:
>
> Cable internet / router / server nic2
>
> server nic1/ switch / client pcs and wireless AP Dlink 2000+ with
> radius.
>
> All wireless clients could authenticate in AD
>
> Today I installed ISA 2004 and couldn't connect to AD, it throws an
> error
> message, then I did the configuration in ISA and in IAS
>
> error:
> Access request for user sergiofonseca was discarded.
> Fully-Qualified-User-Name = xxx.local/MyBusiness/Users/SBSUsers/Sergio
> Fonseca
> NAS-IP-Address = 192.168.16.4
> NAS-Identifier = default
> Called-Station-Identifier = <not present>
> Calling-Station-Identifier = 0x-0x-ex-8x-dx-ax
> Client-Friendly-Name = router
> Client-IP-Address = 192.168.16.4
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 0
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Reason-Code = 9
> Reason = The request was discarded by a third-party extension DLL file.
>
>
> Or:
>
> Description: The VPN connection attempt by user xxx\iki from VPN client
> IP
> address x0-xf-xa-x5-xc-x4 could not be established.
> The failure is due to error: 0xc0040021
>
> The strange thing is that the xp sp2 client asks for user and password
> and
> if I hit it wrong it asks again and says it is wrong, but if I insert
> the
> right one it doesn't ask for some time, seems to be stuck on
> something then
> after some time it asks again to authenticate.
>
> I need some help to fix this problem, thanks in advance.
>
Anonymous
June 14, 2005 1:11:26 PM

I see that you're running all-MS software. I see two products that I don't
normally (personally) have installed:

(1) the SBS version of server
(2) ISA 2004

Since both of you run ISA 2004, I suspect the problem to be with ISA 2004.
This is complete speculation.

From the perspective of *IAS*, if it didn't ship as part of a standard IAS
install, even a Microsoft-supplied DLL is "3rd-party" since they are
separate products.

I appreciate you bringing up this issue and it's why it's important that
we're watching these newsgroups.

Meanwhile, if you want to fix the problem in the short term, you can
probably remove the add-in.

I will find someone on the ISA or IAS teams to ask about this and reply back
to you.

-Carl

--
Standard Disclaimers -
This posting is provided "AS IS" with no warranties,
and confers no rights. Please do not send e-mail directly
to this alias. This alias is for newsgroup purposes only.


Anonymous
June 16, 2005 5:54:42 PM

So... it's a bug in ISA or (more likely) the VPN plugin (which didn't expect
packets from an AP as opposed to a more VPN-centric NAS). Here's the
workaround. I've asked for a KB on this issue, but it may take a while to
get thru the release process.

You might need to specify CCS instead of a specific CCS like CCS001. Sorry I
don't have a machine to try this, but you get the idea - remove any
vpnplgin.dll-related entries for any AuthorizationDLLs values - you can
probably just rename the key to something like DELETEMEAuthorizationDLLs, if
you want to be more conservative than actually deleting the key.

Remove the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AuthSrv\Parameters]
"AuthorizationDLLs"="C:\Program Files\Microsoft ISA Server\vpnplgin.dll"
Reboot the server.



--
Standard Disclaimers -
This posting is provided "AS IS" with no warranties,
and confers no rights. Please do not send e-mail directly
to this alias. This alias is for newsgroup purposes only.


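One way to script the check and rename described in the workaround above, as an added example (not code from the thread or from Microsoft). It assumes `AuthorizationDLLs` is a value under the `AuthSrv\Parameters` key, as the posted snippet shows, and it reads "CCS" as `CurrentControlSet`; the parameter names and the backup location are this example's own. It only reports unless `-Apply` is given.

```powershell
# Added example: audit (and optionally park) IAS AuthorizationDLLs entries that
# reference vpnplgin.dll. Read-only unless -Apply is passed.
param(
    [switch]$Apply,
    [string]$Pattern    = 'vpnplgin.dll',               # DLL named in the workaround
    [string]$ValueName  = 'AuthorizationDLLs',
    [string]$ParkedName = 'DELETEMEAuthorizationDLLs',  # rename target suggested in the post
    [string]$BackupDir  = $env:TEMP                     # assumption: where backups go
)

$root = 'HKLM:\SYSTEM'
# CurrentControlSet is the live configuration; ControlSetNNN are the numbered copies.
$sets = @('CurrentControlSet') +
        @(Get-ChildItem $root -ErrorAction SilentlyContinue |
          Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
          ForEach-Object { $_.PSChildName })

foreach ($set in $sets) {
    $key = "$root\$set\Services\AuthSrv\Parameters"
    if (-not (Test-Path $key)) { continue }

    $prop = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if (-not $prop) { "{0}: no {1} value" -f $set, $ValueName; continue }

    # The value may hold one string or several; normalise to an array.
    $dlls = @($prop.$ValueName)
    $hits = @($dlls | Where-Object { $_ -like "*$Pattern*" })
    "{0}: {1} = {2}" -f $set, $ValueName, ($dlls -join '; ')

    if ($hits.Count -eq 0 -or -not $Apply) { continue }
    if ($hits.Count -ne $dlls.Count) {
        Write-Warning "$set lists other DLLs too; edit the value by hand instead of renaming it."
        continue
    }
    if (Get-ItemProperty -Path $key -Name $ParkedName -ErrorAction SilentlyContinue) {
        Write-Warning "$set already has a $ParkedName value; skipping."
        continue
    }

    # Export the key first so the change can be undone with 'reg import'.
    $stamp  = Get-Date -Format 'yyyyMMddHHmmss'
    $backup = Join-Path $BackupDir "AuthSrv-Parameters-$set-$stamp.reg"
    & reg.exe export "HKLM\SYSTEM\$set\Services\AuthSrv\Parameters" $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Backup failed for $set; skipping."; continue }

    Rename-ItemProperty -Path $key -Name $ValueName -NewName $ParkedName
    "{0}: renamed {1} to {2}; backup at {3}. Reboot the server." -f $set, $ValueName, $ParkedName, $backup
}
```

Because `CurrentControlSet` is a link to one of the numbered control sets, a rename applied there shows up as "no AuthorizationDLLs value" when the loop reaches that numbered set.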
Anonymous
June 22, 2005 6:27:16 AM

Hi, Thank you for your post but at the moment I don't have a chance to
test that because I had a surgery and I'll only be able to test it in
15 days, but I can tell that before I left the company I've removed
ISA 2004 and installed ISA 2000 and that way everything would be
working fine until I get back.
Thanks everyone I'll reply back in 15 days! Thanks!

sérgio fonseca
June 22, 2005 2:51:43 PM

Thanks.
Sorry for sounding a little terse.

My system should not have the SBS version of Windows 2003... unless that is
the base for the MSDN issued copies. "boogiept" indicated he/she has SBS.

You have lost me on this point "You might need to specify CCS instead of a
specific CCS like CCS001".

CCS?

Your workaround appears to work.

Thanks again.

- Tim


Anonymous
July 9, 2005 2:06:37 PM

hello
I'm back
today I did as you said and deleted the registry key and now it is working perfectly
thanks a lot
sérgio Fonseca
July 11, 2005 3:30:09 PM

Mine is still going too.

Carl, Sergio: Thanks

- Tim
