Several user accounts can't authenticate to secured wireless netwo

Discussion in 'Security Software' started by Richard Poon, Oct 24, 2005.

  1. Richard Poon

    Richard Poon Guest

    We use WPA-TKIP for corporate wide wireless encryption and 802.1x EAP for
    authentication. We have RADIUS servers running MS IAS.

    Some user accounts, including mine, cannot log in via wireless with the
    above authentication, although the accounts can log in to the domain via the wired
    network without problem. I am also the network administrator. My wireless
    connection didn't work from day one.

    From the IAS server log, I found that users with successful wireless
    authentications have the phrase "Secured password (EAP-MSCHAP v2)" in
    the log, but mine doesn't get that section logged.

    Does anyone have an idea how this could happen? Please help.

    Thanks
    Richard Poon
     
    Richard Poon, Oct 24, 2005
    #1

  2. I assume you mean PEAP? Check that your computer has a certificate for the
    CA that issued the certificate to the IAS servers so that their certificates
    are trusted. You can use the mmc snapin for certificates/computer and look
    in the trusted root CA folder to see if it is there and if not you can
    import it via a .cer file that is exported from the CA or any other computer
    that has it. You might also want to check your IAS configuration to see if
    you can log the maximum amount of information so that more events are
    recorded in the security log of the IAS servers. I have also found that not
    all wireless cards work well with 802.1X. You might try borrowing one from
    a computer that works well with wireless, verify that your operating system
    has the same service pack and wireless configuration, and that your user AND
    computer accounts have the same dialup properties as computers that work in
    Active Directory Users and Computers. The link below is to a great MS white
    paper on setting up 802.1X wireless that you may want to review to check to
    see if anything was overlooked. --- Steve

    http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
     
    Steven L Umbach, Oct 24, 2005
    #2

  3. Richard Poon

    Richard Poon Guest

    Steve, thanks for your suggestion. However, our problem seems more related
    to the user accounts than the PC. One user can log on to the wireless on a
    laptop PC, but the other account cannot log on with the same PC. Moreover,
    the same account always succeeds or fails to log on using different laptop PCs.
    Those accounts have been logged on to all laptops under testing using wired
    connections before, to make sure that they get the trusted root CA from our
    2003 AD domain.

    I have also checked that the trusted root CA is in place at both Current
    User and Local Computer. Any more idea?

    Thanks
    Richard
     
    Richard Poon, Oct 25, 2005
    #3
  4. Does anything show in the security logs of the IAS server, and have you
    configured it to do more logging? Yes, it does appear to be user related.
    Check to see if a problem user has the same dial-up permissions in their
    user account as a user that works, and compare their group membership. Your
    IAS servers may be using a Remote Access Policy that restricts access by
    group membership, and possibly problem users are not a member of that
    group. --- Steve
     
    Steven L Umbach, Oct 25, 2005
    #4
  5. Richard Poon

    Richard Poon Guest

    OK. I just found it out to be a stupid mistake. It is related to the Remote
    Access Policy. It applies to the Domain Users group, but I am not in the group.
    I am only in the Domain Administrators group, and that's why I can't log on. Will
    also check this for the other failed users.

    Thank you, Steve, again for your suggestion.

    Richard
     
    Richard Poon, Oct 25, 2005
    #5
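    The comparison Steve suggests in post #4 (dial-in permission and group membership of a failing account versus a working one) can be scripted. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module is available on a modern domain controller, and the account names and the policy's group name are placeholders.

```powershell
# Added example: compare a failing and a working account against the group
# condition of a Remote Access Policy. Assumes the ActiveDirectory module;
# 'working.user', 'failing.user' and 'Domain Users' are placeholders.
Import-Module ActiveDirectory

function Get-EffectiveGroups {
    param([string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties memberOf, primaryGroupID, msNPAllowDialin
    # memberOf lists explicit memberships only. The primary group (by default
    # Domain Users, RID 513) is stored in primaryGroupID and is NOT in memberOf,
    # so an account whose primary group was changed to Domain Admins silently
    # drops out of Domain Users, which is the trap described in post #5.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $primary   = Get-ADGroup -Identity "$domainSid-$($u.primaryGroupID)"
    $explicit  = @($u.memberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name })
    [pscustomobject]@{
        User         = $SamAccountName
        PrimaryGroup = $primary.Name
        Groups       = (@($primary.Name) + $explicit) | Sort-Object -Unique
        # msNPAllowDialin: $true = Allow access, $false = Deny access,
        # not set = Control access through Remote Access Policy.
        AllowDialin  = $u.msNPAllowDialin
    }
}

function Test-PolicyGroupCondition {
    param([pscustomobject]$Account, [string[]]$PolicyGroups)
    # The Windows-Groups condition matches if the user is in ANY listed group.
    $hit = $Account.Groups | Where-Object { $PolicyGroups -contains $_ }
    [pscustomobject]@{
        User          = $Account.User
        MatchesPolicy = [bool]$hit
        MatchedGroups = @($hit)
        DialinDenied  = ($Account.AllowDialin -eq $false)
    }
}

$policyGroups = @('Domain Users')          # placeholder: groups in the policy condition
$working = Get-EffectiveGroups 'working.user'
$failing = Get-EffectiveGroups 'failing.user'

Test-PolicyGroupCondition $working $policyGroups | Format-List
Test-PolicyGroupCondition $failing $policyGroups | Format-List
# Groups present on one account but not the other:
Compare-Object -ReferenceObject $working.Groups -DifferenceObject $failing.Groups
```

A failing account with MatchesPolicy $false and a primary group other than Domain Users is exactly the case resolved in this thread; DialinDenied $true points instead at the per-user dial-in property.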