Re: Several user accounts can't authenticate to secured wireless n

From: Richard Poon (RichardPoon_at_discussions.microsoft.com)
Date: 10/25/05


Date: Tue, 25 Oct 2005 08:11:08 -0700

OK. I just found it out to be a stupid mistake. It is related to the Remote
Access Policy. It applies to the Domain Users group, but I am not in the group.
I am only in the Domain Administrators group and that's why I can't log on. Will
also check this for the other failed users.

Thank you, Steve, again for your suggestion.

Richard

"Steven L Umbach" wrote:

> Does anything show in the security logs of the IAS server and have you
> configured it to do more logging?? Yes it does appear to be user related.
> Check to see if a problem user has the same dial up permissions in their
> user account as a user that works and compare their group membership. Your
> IAS servers may be using a Remote Access Policy that restricts access by
> group membership and possibly problem users are not a member of that
> group. --- Steve
>
>
> "Richard Poon" <RichardPoon@discussions.microsoft.com> wrote in message
> news:FBEF12AD-5A51-46B2-8D7E-D9EE30E8503B@microsoft.com...
> > Steve, thanks for your suggestion. However, our problem seems more related
> > to the user accounts than the PC. One user can logon to the wireless on a
> > laptop PC, but the other account cannot logon with the same PC. Moreover,
> > the same account always succeeds or fails to logon using different laptop PCs.
> > Those accounts have been logged on to all laptops under testing using wired
> > connections before to make sure that they get the trusted root CA from our
> > 2003 AD domain.
> >
> > I have also checked that the trusted root CA is in place at both Current
> > User and Local Computer. Any more idea?
> >
> > Thanks
> > Richard
> >
> > "Steven L Umbach" wrote:
> >
> >> I assume you mean PEAP?? Check that your computer has a certificate for the
> >> CA that issued the certificate to the IAS servers so that their certificates
> >> are trusted. You can use the mmc snapin for certificates/computer and look
> >> in the trusted root CA folder to see if it is there and if not you can
> >> import it via a .cer file that is exported from the CA or any other computer
> >> that has it. You might also want to check your IAS configuration to see if
> >> you can log the maximum amount of information so that more events are
> >> recorded in the security log of the IAS servers. I have also found that not
> >> all wireless cards work well with 802.1X. You might try borrowing one from
> >> a computer that works well with wireless, verify that your operating system
> >> has the same service pack and wireless configuration, and that your user AND
> >> computer accounts have the same dialup properties as computers that work in
> >> Active Directory Users and Computers. The link below is to a great MS white
> >> paper on setting up 802.1X wireless that you may want to review to check to
> >> see if anything was overlooked. --- Steve
> >>
> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
> >>
> >> "Richard Poon" <RichardPoon@discussions.microsoft.com> wrote in message
> >> news:7F5194AF-92D2-43A5-A4BF-0E79CF118A6E@microsoft.com...
> >> > We use WPA-TKIP for corporate wide wireless encryption and 802.1x EAP for
> >> > authentication. We have RADIUS servers running MS IAS.
> >> >
> >> > Some user accounts, including myself cannot login via wireless with the
> >> > above authentication, although the accounts can login to the domain via wired
> >> > network without problem. I am also the network administrator. My wireless
> >> > connection didn't work from day one.
> >> >
> >> > From the IAS server log, I found that users with successful wireless
> >> > authentications should have the phrase "Secured password (EAP-MSCHAP v2)" in
> >> > the log, but mine doesn't get that section logged.
> >> >
> >> > Does anyone have the idea how it would happen please help?
> >> >
> >> > Thanks
> >> > Richard Poon
> >>
> >>
> >>
>
>
>


