Sporadic Authentication issues, IAS / 1100 Aironet

josh.sherlock
Level 1

Hello

I'm having a problem with authentication and I can't figure it out.

I have Cisco Aironet 1100s for my APs and I have them authenticate against a Windows 2003 Server as a RADIUS server. To do that, I'm using IAS 2003 to authenticate against an internal certificate, using WPA / TKIP as well as PEAP authentication modes. Client workstations are, for the most part, IBM Thinkpad T series laptops.

Anyway, when a user connects to my wireless network, it authenticates their Windows user and computer account and grants them access to my network as designed. However, sporadically, it drops their connection while it appears to 'reauthenticate' them, for no reason that I can discern.

I've looked in the event viewer on the IAS server (which is also a domain controller) and I see the messages below (the first two are messages I've seen when the user is 'dropped' from my network; the latter is a typical 'success' message).

FAIL:

Access request for user DOMAIN1\doej was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Called-Station-Identifier = 0017.5aa1.f1f0
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33971
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 96
Reason = The authentication request was not processed because the session timed out.

User host/doej.domain1.com was denied access.
Fully-Qualified-User-Name = domain1.com/Computers/doej
NAS-IP-Address = 192.168.1.220
NAS-Identifier = CHIWAP005
Called-Station-Identifier = 0017.5a4f.6200
Calling-Station-Identifier = 0013.ce45.3f7d
Client-Friendly-Name = CHIWAP005
Client-IP-Address = 192.168.1.220
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 30524
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.

SUCCESS:

User DOMAIN1\doej was granted access.
Fully-Qualified-User-Name = domain1.com/Users/John Doe
NAS-IP-Address = 192.168.1.222
NAS-Identifier = CHIWAP007
Client-Friendly-Name = CHIWAP007
Client-IP-Address = 192.168.1.222
Calling-Station-Identifier = 0013.ce45.3f7d
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 33984
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless access to the Intranet
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

Any ideas?!?

Thanks

Josh Sherlock
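Added example, not part of the post or of any Cisco or Microsoft tooling: a small Python triage script that parses IAS event text in the layout quoted above and groups it by Calling-Station-Identifier, so the discard (Reason-Code 96) and denial (Reason-Code 65) entries for one client can be correlated with the AP that sent them and the policy they matched. The sample log inside it is constructed from the post's three entries with most attributes trimmed.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the three IAS entries quoted in the post (not the real log).
SAMPLE_LOG = """\
Access request for user DOMAIN1\\doej was discarded.
NAS-Identifier = CHIWAP007
Calling-Station-Identifier = 0013.ce45.3f7d
Reason-Code = 96

User host/doej.domain1.com was denied access.
NAS-Identifier = CHIWAP005
Calling-Station-Identifier = 0013.ce45.3f7d
Policy-Name = Connections to other access servers
Reason-Code = 65

User DOMAIN1\\doej was granted access.
NAS-Identifier = CHIWAP007
Calling-Station-Identifier = 0013.ce45.3f7d
Policy-Name = Wireless access to the Intranet
"""
# The first line of each entry names the account and the outcome.
OUTCOME_RE = re.compile(r"^(?:Access request for user|User) (.+?) was (discarded|denied access|granted access)\.$")
def parse_events(text):
    """Split IAS event text into dicts holding 'user', 'outcome' and every 'Attr = value' pair."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            if m := OUTCOME_RE.match(line.strip()):
                event["user"], event["outcome"] = m.group(1), m.group(2)
                continue
            key, sep, value = line.partition(" = ")
            if sep:  # ignore lines that are not 'Attribute = value' pairs
                event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events
def summarize_by_client(events):
    """Per client MAC: APs seen, success count, and each failure as (NAS-Identifier, Reason-Code,
    Policy-Name). Failures on several APs with successes in between suggest a transient problem."""
    summary = defaultdict(lambda: {"nas": set(), "successes": 0, "failures": []})
    for ev in events:
        client = summary[ev.get("Calling-Station-Identifier", "?")]
        client["nas"].add(ev.get("NAS-Identifier", "?"))
        if ev.get("outcome") == "granted access":
            client["successes"] += 1
        else:
            client["failures"].append((ev.get("NAS-Identifier"), ev.get("Reason-Code"), ev.get("Policy-Name")))
    return dict(summary)
```

Run against the sample, the one client MAC shows up on two APs with a timeout on CHIWAP007 and a machine-account denial on CHIWAP005 that matched the catch-all "Connections to other access servers" policy rather than the wireless policy.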

1 Reply

aghaznavi
Level 5

Check the Proxy Distribution Table.

The resolution is to increase the TACACS timeout.

tacacs-server timeout <1-1000 in sec>
