
IAS Event ID 3 Reason-Code = 1


Postby guest » Fri Apr 24, 2009 2:00 pm

I had the certificate remade - with the fully qualified domain name in the
server certificate - this fixed the problem.

Thank you for all your help.

Susan

> Is the certificate issued to the computer using its fully-qualified domain
> name? Do you see the cert when you configure your IAS? Can you post the cert
> so that we can compare that to something that works here...
>
> --
> Svyatoslav Pidgorny, MVP, MCSE
> -= F1 is the key =-
>

> > Here are the error messages from the event log - it seems to think there
> > are no certificates configured for EAP but in fact they are - with the same
> > configuration & certificates this setup works on a member server but
> > produces these errors on a domain controller. I have replaced the domain
> > name & user name with domain\user.
> >
> > Error log
> >
> > 2/25/2004 2:22:50 PM IAS Information None 20190 N/A WALC01 Because no
> > certificate has been configured for clients dialing in with EAP-TLS, a
> > default certificate is being sent to user domain\user
> > Please go to the user's Remote Access Policy and configure the Extensible
> > Authentication Protocol (EAP).
> >
> > 2/25/2004 2:22:37 PM IAS Error None 3 N/A WALC01 Access request for user
> > domain\user was discarded.
> > Fully-Qualified-User-Name = <undetermined>
> > NAS-IP-Address = 140.107.249.15
> > NAS-Identifier = la-scca-test-ap
> > Called-Station-Identifier = 0040.96a0.b93d
> > Calling-Station-Identifier = 0090.4b62.bd0e
> > Client-Friendly-Name = la-scca-test-ap
> > Client-IP-Address = 140.107.249.15
> > NAS-Port-Type = Wireless - IEEE 802.11
> > NAS-Port = 281
> > Proxy-Policy-Name = <none>
> > Authentication-Provider = <undetermined>
> > Authentication-Server = <undetermined>
> > Reason-Code = 1
> > Reason = An internal error occurred. Check the system event log for
> > additional information.
> >
> > 2/25/2004 2:22:37 PM IAS Error None 20168 N/A WALC01 Could not retrieve the
> > Remote Access Server's certificate due to the following error: No
> > credentials are available in the security package
> >
> > Thanks for your help.
> >
> > Susan
> >

> > > "The certificate fails" requires some elaboration - error messages,
> > > certificate DN, etc. In my experience working with 1x authentication, the
> > > error messages are self-explanatory.
> > >
> > > --
> > > Svyatoslav Pidgorny, MVP, MCSE
> > >
> > > > Does anyone know if there are issues or special install instructions for
> > > > installing third party certificates on Domain Controllers?
> > > >
> > > > We have an Active Directory 2003 domain - IAS installed on the DCs - works
> > > > for the VPN with no problems.
> > > >
> > > > We installed server 3rd party certificates for wireless authentication - the
> > > > certificate fails. If we install IAS and the certificates on a member server
> > > > running 2003 no problems - they work.
> > > >
> > > > It may be that some setting on the domain controllers policy is causing the
> > > > problem? They are set at the defaults.
> > > >
> > > > Anyone seen this before?
> > > >
> > > > Thanks
> > > > Susan
> > > >
> > > > sway@fhcrc.org
> > > >
Last edited by guest on Fri Apr 24, 2009 2:27 pm, edited 1 time in total.
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/
guest
 
Posts: 9552
Joined: Mon Nov 27, 2006 1:10 pm

Postby guest » Fri Apr 24, 2009 2:07 pm

Hello,

We have exactly the same case here and exactly the same message.

We have two servers with, it seems, exactly the same software configuration, but we cannot make IAS work as a Radius server on the second one.

I would add one thing though:
We can see the connection requests coming through but they are not authorized for some reason.

We get two messages per connection:

1. the same one as above: event id 20168
2. then : Access request for user DOMAIN\test was discarded.
Fully-Qualified-User-Name = xxxxxxx (I hide this part since it's related to our domain)
NAS-IP-Address = 193.50.57.x
NAS-Identifier = ap
Called-Station-Identifier = 0014.a9d4.x
Calling-Station-Identifier = 0016.6fb6.x
Client-Friendly-Name = ap
Client-IP-Address = 193.50.57.x
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 294
Proxy-Policy-Name = User_test
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 1
Reason = An internal error occurred. Check the system event log for additional information.

If I just change, in the Connection Request Processing, the authentication from Authenticate Request on this server to forward to a remote RADIUS, and select our other server, it works perfectly.

Here are the messages we have when it works (using the remote authentication):

1. On the first server :
User DOMAIN\User was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 193.50.57.x
NAS-Identifier = ap
Client-Friendly-Name = ap
Client-IP-Address = 193.50.57.x
Calling-Station-Identifier = 0016.6faa.x
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 314
Proxy-Policy-Name = test
Authentication-Provider = RADIUS Proxy
Authentication-Server = 172.x.x.x
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
2. On the second server
User DOMAIN\User was granted access.
Fully-Qualified-User-Name = xxxxxxx
NAS-IP-Address = 193.50.57.x
NAS-Identifier = ap
Client-Friendly-Name = servername
Client-IP-Address = 193.x.x.x
Calling-Station-Identifier = 0016.6faa.x
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 314
Proxy-Policy-Name = Utilisateur_user
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = WIFI-PEAP
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

Any idea would be great

Postby guest » Fri Apr 24, 2009 2:07 pm

This is related to the certificate for the IAS machine. If you want to use a public-signed cert, you have to import it along with the key, and get it in the right place.

First, you need the cert and the key together in one pkcs12 file. If you have them separately as .pem files, you can convert them using this openssl command:

openssl pkcs12 -in crtfile -inkey keyfile -export -out pkcs12file

Windows likes these named .p12 files.

Run mmc, and add the Certificates snap-in, to manage certs for the Computer account.

In the left pane, right-click on Certificates (Local Computer) > Personal > Certificates and import your .p12 file. If you previously imported this cert to some other location, do *not* cut and paste the cert in the mmc, as it will not copy the private key or something. Instead, delete it and re-import it to the right place.


Now point to this cert in the IAS config. This will be part of a Remote Access Policy. Open the Policy and Edit the Profile... Click the Authentication tab and the EAP Methods button. Add or edit your EAP type, and there is a drop-down box to choose the certificate. The cert you just imported should be there.

Good luck!
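As an added example (not part of the original posts), the script below runs the checks this thread points to before a certificate is imported for IAS: the key belongs to the cert, the subject name is fully qualified, and the .p12 really carries the private key. Host names, file names and the password are constructed; WALC01 is the short server name from the quoted log; only the subject CN is inspected, not subjectAltName.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-import checks for an IAS server certificate.
# File names, host names and the password are constructed placeholders.
set -eu

# Constructed test material: a throwaway self-signed cert and key for CN=$1.
make_sample() {  # $1 = CN, $2 = cert out, $3 = key out
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$3" -out "$2" 2>/dev/null
}

# True when the certificate's public key belongs to the private key.
key_matches_cert() {  # $1 = cert PEM, $2 = key PEM
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# True when the subject CN is fully qualified (the fix reported in the first post).
cert_cn_is_fqdn() {  # $1 = cert PEM
    cn=$(openssl x509 -in "$1" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    case "$cn" in *.*) return 0 ;; *) return 1 ;; esac
}

# Bundle cert + key as PKCS#12 and confirm the private key is inside the bundle.
make_p12() {  # $1 = cert, $2 = key, $3 = .p12 out, $4 = password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
    openssl pkcs12 -in "$3" -passin "pass:$4" -nocerts -nodes 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# Run all checks; prints one line per result and returns non-zero on any failure.
check_bundle() {  # $1 = cert, $2 = key, $3 = .p12 out, $4 = password
    rc=0
    key_matches_cert "$1" "$2" && echo "key matches cert" || { echo "KEY MISMATCH"; rc=1; }
    cert_cn_is_fqdn "$1" && echo "CN is an FQDN" || { echo "CN NOT FQDN"; rc=1; }
    [ "$rc" -eq 0 ] && make_p12 "$1" "$2" "$3" "$4" && echo "p12 holds key" || rc=1
    return "$rc"
}

work=$(mktemp -d)
make_sample ias01.corp.example "$work/ok.pem" "$work/ok.key"
check_bundle "$work/ok.pem" "$work/ok.key" "$work/ok.p12" 'constructed-pass'
rm -rf "$work"
```

The resulting .p12 still has to be imported into Certificates (Local Computer) > Personal, as the post above describes.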

