10-06-2006 12:09 PM - edited 07-04-2021 01:15 PM
Hello
I'm having a problem with authentication and I can't figure it out.
I have Cisco Aironet 1100s for my APs and I have them authenticate against a Windows 2003 Server as a RADIUS server. To do that, I'm using IAS 2003 to authenticate against an internal certificate, using WPA / TKIP as well as PEAP authentication modes. Client workstations are, for the most part, IBM ThinkPad T series laptops.
Anyway, when a user connects to my wireless network, it authenticates their Windows user and computer account and grants them access to my network as designed. However, sporadically, it drops their connection while it appears to 'reauthenticate' them, for no reason that I can discern.
I've looked in the event viewer on the IAS server (which is also a domain controller) and I see these messages below (the first two are messages I've seen when the user is 'dropped' from my network; the latter is a typical 'success' message).
FAIL:
Access request for user DOMAIN1\doej was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Called-Station-Identifier = 0017.5aa1.f1f0
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33971
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the session timed out.

User host/doej.domain1.com was denied access.
Fully-Qualified-User-Name = domain1.com/Computers/doej
NAS-IP-Address = 192.168.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 192.168.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 30524
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.
SUCCESS:
User DOMAIN1\doej was granted access.
Fully-Qualified-User-Name = domain1.com/Users/John Doe
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
Calling-Station-Identifier = 0013.ce45.3f7d
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33984
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to the Intranet
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)
Any ideas?!?
Thanks
Josh Sherlock
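An added example, not part of the original post: a small Python parser for IAS event text like the entries quoted above. It groups events by Calling-Station-Identifier so the access points, identities, matched policy and reason code for one client can be compared side by side. The sample input is abbreviated from the quoted events, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: attributes abbreviated from the three events quoted in the post.
SAMPLE = """\
Access request for user DOMAIN1\\doej was discarded.
NAS-Identifier = CHIWAP007
Calling-Station-Identifier = 0013.ce45.3f7d
Reason-Code = 96
User host/doej.domain1.com was denied access.
NAS-Identifier = CHIWAP005
Calling-Station-Identifier = 0013.ce45.3f7d
Policy-Name = Connections to other access servers
Authentication-Type = EAP
Reason-Code = 65
User DOMAIN1\\doej was granted access.
NAS-Identifier = CHIWAP007
Calling-Station-Identifier = 0013.ce45.3f7d
Policy-Name = Wireless access to the Intranet
Authentication-Type = PEAP
"""

HEADER = re.compile(r"^(?:Access request for user|User) (\S+) was (discarded|denied access|granted access)\.$")
ATTR = re.compile(r"^([A-Za-z-]+) = (.*)$")

def parse_events(text):
    """Split IAS event text into dicts: one per header line plus its attributes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        h = HEADER.match(line)
        if h:
            events.append({"user": h.group(1), "outcome": h.group(2).split()[0]})
        elif events and (a := ATTR.match(line)):
            events[-1][a.group(1)] = a.group(2)
    return events

def summarize(events):
    """Per client MAC: APs seen, and (outcome, user, policy, reason) per event."""
    out = defaultdict(lambda: {"aps": set(), "events": []})
    for e in events:
        s = out[e.get("Calling-Station-Identifier", "?")]
        s["aps"].add(e.get("NAS-Identifier", "?"))
        s["events"].append((e["outcome"], e["user"], e.get("Policy-Name"), e.get("Reason-Code")))
    return dict(out)

if __name__ == "__main__":
    for mac, s in summarize(parse_events(SAMPLE)).items():
        print(mac, sorted(s["aps"]), *s["events"], sep="\n  ")
```

On the quoted events this shows the same client on two access points (CHIWAP005 and CHIWAP007), with the host/ computer identity matched by a different Policy-Name than the user identity.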
10-12-2006 07:46 AM
Check the Proxy Distribution Table.
The resolution is to increase the TACACS timeout.
tacacs-server timeout <1-1000 in sec>