#1
IAS and workgroup computers.

Hi,

I have set up an IAS on my Windows 2003 SP1 domain controller.
I configured the IAS with a policy that grants wireless access to PEAP protocol with MS-CHAP v2 and a certificate.
The policy and the wireless work fine for computers in my domain.
When workgroup computers try to access the wireless AP, the IAS sees that it cannot authenticate the credentials, and sends a reject for the authentication request (I can see it in the event viewer).
As a result, my AP sends me a notification that the RADIUS server is not responding.
I have tried to add a policy in the IAS that denies access to all authentication methods, but that did not help. I still get the same behaviour.
I even tried to set a policy that denies all ("*") NAS-Identifiers, but this didn't help either.

Here is an example of the event:

Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 09/01/2007
Time: 12:43:45
User: N/A
Computer: XXXXXX
Description:
Access request for user XXXX\XXXX was discarded.
Fully-Qualified-User-Name = XXXX\XXXX
NAS-IP-Address = XXX.XXX.XXX.XXX
NAS-Identifier = AP_FL7_E
Called-Station-Identifier = 0011.932e.6d61
Calling-Station-Identifier = 0013.ce50.28e3
Client-Friendly-Name = A.P - FL7 E
Client-IP-Address = XXX.XXX.XXX.XXX
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 38993
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 5
Reason = The user account domain cannot be accessed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 ....

Does anyone know how I can configure the IAS to reject these authentication requests?

Regards,

--
Guy Melamed
MCSE: Messaging (2000/2003)
#2
Re: IAS and workgroup computers.

I am not sure what you want to do. IAS is accepting valid requests and is rejecting invalid ones. What exactly is your problem? Do you want to somehow stop the AP from sending you a notification when this happens?
#3
Re: IAS and workgroup computers.

Hi Bill, and thank you for your reply.

IAS can return three responses to authentication requests: Accept, Reject and Drop.
In this case IAS drops the request, but I would like it to reject it.

Do you understand?

Thanks,

--
Guy Melamed
MCSE: Messaging (2000/2003)
#4
Re: IAS and workgroup computers.

Yes, I now understand what you want it to do. I don't have an answer. My guess is that because PEAP authentication fails, the IAS server does not set up a communication link to the AP, so it cannot send back the error code. It just sends a reject.
#5
Re: IAS and workgroup computers.

I suspect you will need to contact Microsoft PSS to get a fix for this.
#6
Re: IAS and workgroup computers.

Hi Bill,

Do you know if this is a known issue that already has a fix?

Kind regards,

--
Guy Melamed
MCSE: Messaging (2000/2003)
#7
Re: IAS and workgroup computers.

I am not aware of it being a known issue.
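Added example, not part of the original thread: a discarded Access-Request gets no RADIUS reply at all, so the AP's "server not responding" alerts can be matched against IAS discard events per access point. The sketch below parses events in the layout quoted in the first post and groups discards by NAS-Identifier and Reason-Code; the export format (blank line between events), user names, `AP_FL2_W` and the second station address are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample export: events laid out like the one quoted in the thread,
# one "Name = Value" per line. User names, the second AP name and the second
# station address are made up; the last block is an unrelated event.
SAMPLE_EXPORT = r"""
Event Source: IAS
Event ID: 3
Description:
Access request for user WKGRP\user1 was discarded.
 NAS-Identifier = AP_FL7_E
 Calling-Station-Identifier = 0013.ce50.28e3
 Reason-Code = 5
 Reason = The user account domain cannot be accessed.

Event Source: IAS
Event ID: 3
Description:
Access request for user WKGRP\user2 was discarded.
 NAS-Identifier = AP_FL7_E
 Calling-Station-Identifier = 0013.ce50.0001
 Reason-Code = 5
 Reason = The user account domain cannot be accessed.

Event Source: IAS
Event ID: 3
Description:
Access request for user WKGRP\user1 was discarded.
 NAS-Identifier = AP_FL2_W
 Calling-Station-Identifier = 0013.ce50.28e3
 Reason-Code = 5
 Reason = The user account domain cannot be accessed.

Event Source: ExampleService
Description:
Unrelated message with no RADIUS attributes.
"""

DISCARD_RE = re.compile(r"Access request for user (\S+) was discarded\.")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z-]*) = (.*)$")


def parse_discards(export):
    """Return one dict per discarded Access-Request found in the export."""
    events = []
    for block in re.split(r"\n\s*\n", export.strip()):
        hit = DISCARD_RE.search(block)
        if not hit:
            continue  # not an IAS discard event
        fields = {"user": hit.group(1)}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        events.append(fields)
    return events


def discards_by_nas(events):
    """Group discards by (NAS-Identifier, Reason-Code): count and client MACs."""
    summary = defaultdict(lambda: {"count": 0, "stations": set()})
    for ev in events:
        key = (ev.get("NAS-Identifier", "?"), ev.get("Reason-Code", "?"))
        summary[key]["count"] += 1
        summary[key]["stations"].add(ev.get("Calling-Station-Identifier", "?"))
    return dict(summary)


if __name__ == "__main__":
    for (nas, code), info in sorted(discards_by_nas(parse_discards(SAMPLE_EXPORT)).items()):
        print(f"{nas}: {info['count']} discarded (Reason-Code {code}), "
              f"stations: {', '.join(sorted(info['stations']))}")
```

A per-AP count of discards that lines up in time with the AP's alerts points to unanswered requests from non-domain clients rather than an unreachable server.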