Archived from groups: microsoft.public.windows.networking.wireless (
More info?)
Carl,
I don't see how a 3rd party DLL could be there unless that extension DLL was
supplied by MS as I have not any 3rd party software. I appreciate that the
machine is probably not a recommended config, but its purpose is partly
business (My own) and to understand how to implement such systems at
customer sites...
I will check through the DLL's that can be configured in ISA server. In ISA,
I recall there are some special RSA and other DLL's that may have some
influence???????? Perhaps that's it... However logic tells me it is quite
sensible to have ISA on the same machine.
The joys of computers
Thanks for the reference. I'll have a good read of it.
Thanks.
- Tim
"Carl DaVault [MSFT]" <carlda@online.microsoft.com> wrote in message
news:ux9o85RbFHA.2128@TK2MSFTNGP14.phx.gbl...
> You have a 3rd party RADIUS/IAS DLL installed - sounds like it's causing
> the lost packet.
>
> Please see this article.
>
>
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ias/ias/ias_start_page.asp
>
> Hope this helps.
>
> --
> Standard Disclaimers -
> This posting is provided "AS IS" with no warranties,
> and confers no rights. Please do not send e-mail directly
> to this alias. This alias is for newsgroup purposes only.
>
>
> "Tim" <Tim@NoSpam> wrote in message
> news:u9eu1gpZFHA.644@TK2MSFTNGP10.phx.gbl...
>> Hi,
>>
>> 3rd party EAP type installed? No idea. This is a stock Windows 2003 SP1
>> server with MS Anti Spyware, Windows support tools IAS, RRAS,
>> CertServices (now) MS Exchange 2004, DHCP, DNS, and ISA 2004. I can't see
>> anything occuring in ISA server traces that would indicate it is
>> blocking.
>>
>> The certificate listed below now is a new cert generated last night - it
>> is a WWW cert (IE server authentication). The cert service does not have
>> a legitimate CA cert - it was self issued. Such a cert has worked on the
>> other server before.
>>
>> Q: Are they certificate key length restrictions?
>>
>> The RRAS Access Policy is as follows:
>>
>> Order = 1
>> Name = Allow Wireless Users
>> Policy Conditions:
>> If the user is a member of the "My VPN Users" group
>> Grant Access.
>> (The user is me, and I am).
>>
>> Profile:
>> IP - Client may request an IP Address
>> No input or output filters.
>> Multilink: Server settings determine Multilink usage
>> BAP is not ticked and defaults.
>> Authentication
>> EAP Methods Command shows:
>> Smart Card or Other Certificate
>> a Certificate for this domain is listed and expires in 2
>> years.
>> PEAP
>> a certificate is listed and is the same as above...
>> Enable Fast Reconnect
>> EAP Types
>> Smart Card or Other Certificate
>> same certificate as above.
>> Secured Password (EAP-MSCHAP-V2)
>> Retry = 2
>> Allow client to change password.
>> MS CHAP-V2 is ticked
>> User can change password after it has expired ticked.
>>
>> Order = 2
>> Name = Allow Wireless Computers
>> If the NAS-Port-Type matcheds "Wireless - IEEE 802.11" AND
>> Windows-Groups matches "domain name\Wireless Computers"
>> Grant Access. (ditto: both machines are and have worked previosly)
>>
>> As above.
>>
>> Machine right click Properties (by tab)
>> General:
>> Router
>> LAN routing only
>> Security
>> Authenication Provider:
>> Radius Authentication
>> Configure:
>> Server = self.domainname, (ie this machine/domain)
>> Secret = <null> (ie none)
>> Initial Score = 29
>> Always use message authenticator is Off,
>> Timeout = 5,
>> Port = 1812
>> Accounting Provider: None
>> Allow custom IPSec policy... No.
>> IP:
>> Enable Ip Forwarding ticked.
>> Allow IP based remote access and demand dial connections: ticked.
>> Enable broadcast name resolution: unticked.
>> Use the following adapter for DHCP / DNC / Wins Addresses...
>> LAN ( this is the subnet for all devices around here).
>> PPP
>> Defaults
>> Logging
>> Log all events and Log Additional...
>>
>> The access point is a D-Link Airplus G+. This was working off the other
>> DC machine in the same domain without issues (apart from seeming to like
>> an occasional reset...).
>>
>> The IASSAM.log file has this:
>> [5708] 06-01 22:09:11:511: Processing output from EAP DLL.
>> [5708] 06-01 22:09:11:511: EAPACTION_Done
>> [5708] 06-01 22:09:11:511: Translating attributes returned by EAP DLL.
>> [5708] 06-01 22:09:11:511: Inserting attribute 4140
>> [5708] 06-01 22:09:11:511: Inserting attribute 4141
>> [5708] 06-01 22:09:11:511: Inserting attribute 8097
>> [5708] 06-01 22:09:11:511: Inserting attribute 8097
>> [5708] 06-01 22:09:11:511: Inserting attribute 8097
>> [5708] 06-01 22:09:11:511: EAP authentication succeeded.
>> [5708] 06-01 22:09:11:511: Invoking AuthorizationDLLs
>> [5708] 06-01 22:09:11:511: Invoking extension vpnplgin.dll
>> [5708] 06-01 22:09:11:511: RadiusExtensionProcess2 returned 14
>> [5708] 06-01 22:09:11:511:
>> RADIUS_EXTENSION_CONTROL_BLOCK.SetResponseType(256)
>>
>> 256 = "discard" according to Autif.h in PSDK.
>> RC = 14 = "Not Enough Storage" if it is a stock error code.
>>
>> Is there anywhere where it will indicate who or what has delcined and
>> why?
>>
>> Many Thanks.
>>
>> - Tim
>>
>> Some more stuff from logs in case it is of use:
>> From RASTLS.Log:
>> :09:02:828: EapTlsSMakeMessage
>> [1496] 22:09:02:828: MakeReplyMessage
>> [1496] 22:09:02:828: SecurityContextFunction
>> [1496] 22:09:03:049: AcceptSecurityContext returned 0x0
>> [1496] 22:09:03:049: AuthenticateUser
>> [1496] 22:09:03:049: FGetEKUUsage
>> [1496] 22:09:03:049: FCheckPolicy
>> [1496] 22:09:03:049: FCheckPolicy done.
>> [1496] 22:09:03:049: CheckUserName
>> [1496] 22:09:03:049: CreateOIDAttributes
>> [1496] 22:09:03:049: CreateMPPEKeyAttributes
>> [1496] 22:09:03:059: State change to SentFinished
>> [1496] 22:09:03:059: BuildPacket
>> [1496] 22:09:03:059: << Sending Request (Code: 1) packet: Id: 16, Length:
>> 53, Type: 13, TLS blob length: 43. Flags: L
>> [5708] 22:09:11:511:
>> [5708] 22:09:11:511: EapTlsMakeMessage(MyDomain\Tim)
>> [5708] 22:09:11:511: >> Received Response (Code: 2) packet: Id: 16,
>> Length: 6, Type: 13, TLS blob length: 0. Flags:
>> [5708] 22:09:11:511: EapTlsSMakeMessage
>> [5708] 22:09:11:511: Negotiation successful
>> [5708] 22:09:11:511: BuildPacket
>> [5708] 22:09:11:511: << Sending Success (Code: 3) packet: Id: 16, Length:
>> 4, Type: 0, TLS blob length: 0. Flags:
>> [5708] 22:09:11:511: AuthResultCode = (0), bCode = (3)
>> [5708] 22:09:11:511: EapTlsEnd
>> [5708] 22:09:11:511: EapTlsEnd(MyDomain\tim)
>>
>> all other log files appear to have little of interest in them - either
>> they are empty, have entries that do not relate by time or indicate
>> success doing other things....
>>
>> "Jerry Peterson[MSFT]" <jerrype@online.microsoft.com> wrote in message
>> news:eyyJTvhZFHA.2212@TK2MSFTNGP14.phx.gbl...
>>> Was there a third-party EAP type installed on the system at any point?
>>> What is the Remote Access Policy configuration for the RAS Host?
>>> What access points are you using?
>>>
>>> --
>>> Jerry Peterson
>>> Windows Network Services - Wireless
>>>
>>> This posting is provided "AS IS" with no warranties, and confers no
>>> rights.
>>> "Tim" <Tim@NoSpam> wrote in message
>>> news:uW0tk5QZFHA.2688@TK2MSFTNGP09.phx.gbl...
>>>> Hi,
>>>>
>>>> I am trying to retrench an existing Windows 2003 Server configured for
>>>> 802.11x. As far as I can tell, the new server is configured the same as
>>>> the
>>>> old - with minor exceptions such as the Old has CertServices, the new
>>>> does
>>>> not. The old has ISA 2000, the new has 2004 and is otherwise going ok.
>>>> There
>>>> are no Denied connections in the ISA Logs. I have instlalled a copy of
>>>> the
>>>> machine key for the machine being authenticated below into the cert
>>>> store in
>>>> the new machine and using certservices I have loaded into the new DC
>>>> all the
>>>> certificates that seem to be loadable. I can log on to the network
>>>> while the
>>>> old server is offline.
>>>>
>>>> If I change the radius server address in the WAP with the new server
>>>> address
>>>> I get the following event log record:
>>>>
>>>> Access request for user Me@Here.com was discarded.
>>>> Fully-Qualified-User-Name = ... my user name...
>>>> NAS-IP-Address = 192.168.99.254
>>>> NAS-Identifier = default
>>>> Called-Station-Identifier = <not present>
>>>> Calling-Station-Identifier = 00-0e-35-2b-7c-04
>>>> Client-Friendly-Name = Wireless Modem
>>>> Client-IP-Address = 192.168.99.254
>>>> NAS-Port-Type = Wireless - IEEE 802.11
>>>> NAS-Port = 0
>>>> Proxy-Policy-Name = Use Windows authentication for all users
>>>> Authentication-Provider = Windows
>>>> Authentication-Server = <undetermined>
>>>>
>>>> Reason-Code = 9
>>>> Reason = The request was discarded by a third-party extension DLL file.
>>>> ____
>>>>
>>>> If the RAIDUS server IP is left pointing to the old server the wireless
>>>> connection succeeds ok. The failure is after Packet ID 10 is processed
>>>> during the client during Authentication (RASTLS.log file). I cannot see
>>>> anything that makes sense re: this error in any of the Trace files for
>>>> RRAS.
>>>> After Packet ID 10, the client goes back to Validating Identity and
>>>> gets
>>>> stuck there.
>>>>
>>>> The config is: Windows 2003 Server with SP1, RRAS, IAS, ISA, MS
>>>> Exchange.
>>>>
>>>> Thanks in advance to anyone that can help.
>>>>
>>>> - Tim
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
Facebook
Twitter
Instagram