Re: wireless authentication before logon

From: MToddH (MToddH_at_discussions.microsoft.com)
Date: 12/01/04

• Next message: Bigbruva: "Re: Windows Server 2003 Security Guide Issue"
• Previous message: Chad P.: "RE: Retrieving Blocked Attachment"
• In reply to: S. Pidgorny : "Re: wireless authentication before logon"
• Next in thread: MToddH: "Re: wireless authentication before logon"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Wed, 1 Dec 2004 14:25:33 -0800

I see two default policies:
1. Connections to Microsoft Routing and Remote Access Server
2. Connections to other access servers

Are you talking about #2?
Doesn't this open up access to VPN and other things that also use these
policies to determine access?

I created a second wireless policy for a group that only has workstations.
Doesn't seem to make a difference. Continues to say my user doesn't have
access and it should be enabled or set through a policy if that is configured
in the user account. I originally thought that my domain being in mixed-mode
had something to do with available dial-in properties. I switched to native
mode, but it doesn't seem to help.

"S. Pidgorny <MVP>" wrote:

> Have you removed the default remote access policy in IAS? That's the one
> requiring the dial-in permission.
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>
> "MToddH" <MToddH@discussions.microsoft.com> wrote in message
> news:053D42DE-EEF8-45A1-87A8-4286705986F9@microsoft.com...
> > I checked the event viewer and found this every time my machine attemps to
> > authenticate. I have my computer & user accounts in the group that has
> been
> > granted access to the remote access policy. It's interesting that I don't
> > have a Dial-in tab on my computer accounts as has been mentioned in some
> KB
> > articles. I do have a Dial-in tab for users.
> >
> > Reason-Code = 65
> > Reason = The connection attempt failed because remote access permission
> for
> > the user account was denied. To allow remote access, enable remote access
> > permission for the user account, or, if the user account specifies that
> > access is controlled through the matching remote access policy, enable
> remote
> > access permission for that remote access policy.
> >
> >
> >
> > "S. Pidgorny <MVP>" wrote:
> >
> > > First and foremost, review the logs on IAS and on the client. Enable
> > > debugging on the access point and capture debugging info too. there
> might be
> > > clues - or the solution giveaways. Load wireless sniffer and see if the
> > > client tries to authenticate at all.
> > >
> > > Make sure that you don't install the wireless card's vendor client
> > > software/control application/anything but the driver.
> > > Update the driver to the latest version, preferably through Windows
> Update.
> > > If that still doesn't work - try another wireless card.
> > >
> > > --
> > > Svyatoslav Pidgorny, MVP, MCSE
> > > -= F1 is the key =-
> > >
> > > "MToddH" <MToddH@discussions.microsoft.com> wrote in message
> > > news:44A90D45-D418-48A3-BC0B-EA66827DEAF3@microsoft.com...
> > > > I am testing a wireless configuration using 802.1x with the AP
> > > authentication
> > > > running through IAS RADIUS & AD. I am using EAP-TLS. I have issued
> > > computer
> > > > and user certificates to my test users.
> > > >
> > > > I am using Win2003 IAS & CA with a Win2000 AD.
> > > >
> > > > Authentication and access seems to be working fine for me after domain
> > > > logon, but I can't get my machine to authenticate before logon
> happens. I
> > > > want to allow my clients to acquire an IP before logon. I have turned
> on
> > > > "Authenticate as Computer" on my client and my computer account is
> added
> > > to
> > > > the group that has access to the remote access policy. Any
> suggestions?
> > >
> > >
> > >
>
>
>

---

• Next message: Bigbruva: "Re: Windows Server 2003 Security Guide Issue"
• Previous message: Chad P.: "RE: Retrieving Blocked Attachment"
• In reply to: S. Pidgorny : "Re: wireless authentication before logon"
• Next in thread: MToddH: "Re: wireless authentication before logon"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: wireless authentication before logon ... granted access to the remote access policy. ... the user account was denied. ... > client tries to authenticate at all. ... (microsoft.public.security) Re: Issues with IAS/802.1x authentication ... As soon as I modified the IAS Remote Access Policy and removed this policy ... When I check the eventlog I find the IAS ... > the user account was denied. ... (microsoft.public.internet.radius) Re: wireless authentication before logon ... Have you removed the default remote access policy in IAS? ... requiring the dial-in permission. ... > the user account was denied. ... (microsoft.public.security) RE: Issues with IAS/802.1x authentication ... Maybe You have a mismatch authentication configuration between client and ... is not enabled on the matching remote access policy). ... > the user account was denied. ... (microsoft.public.internet.radius) Re: 802.1X help needed ... Proxy-Policy-Name = Use Windows authentication for all users ... Reason = The connection attempt failed because remote access ... permission for the user account was denied. ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)