IAS Reason-Code = 22 and 97


Postby chicagotech » Mon Jul 16, 2007 2:08 pm

I am seeing a bunch of errors in my system log relating to EAP
conversations. My setup is a Cisco AP1200 and mostly Cisco cards in
laptops, mostly embedded PCI cards but some PCMCIA. The errors are:
1.)
User DOM\user was denied access.
Fully-Qualified-User-Name = DOM\user
NAS-IP-Address = 192.168.2.211
NAS-Identifier = <not>
Called-Station-Identifier = 000c.85db.be18
Calling-Station-Identifier = 00d0.59c8.6e11
Client-Friendly-Name = AP1
Client-IP-Address = 192.168.2.211
NAS-Port-Type = Virtual
NAS-Port = 319
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless with VPN attributes
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
Reason = The client could not be authenticated because the Extensible
Authentication Protocol (EAP) Type cannot be processed by the server.


2.)
Fully-Qualified-User-Name = DOM\user
NAS-IP-Address = 192.168.2.211
NAS-Identifier = <not>
Called-Station-Identifier = 000c.85db.be18
Calling-Station-Identifier = 0002.8ad8.6535
Client-Friendly-Name = AP1
Client-IP-Address = 192.168.2.211
NAS-Port-Type = Virtual
NAS-Port = 378
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 97
Reason = The authentication request was not processed because it
contained a Remote Authentication Dial-In User Service (RADIUS) message
that was not appropriate for the secure authentication transaction.

Any ideas?

TIA,
Steve



Steve -

Most likely your issue is that you have your Remote Access Policy set
to only allow NAS-Port types of Wireless - Other or Wireless - 802.11.
Since your clients are reporting their NAS type as Virtual, your
policy isn't getting matched correctly. Simply add the 'Virtual' type
to your policy and you should be all set. I have yet to figure out
why clients report their port type as Virtual. It's not the AP, I don't
think, because we use a number of different NICs and some report as
802.11 and others as Virtual.

Hope that helps.
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 7087
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Postby chicagotech » Mon Jul 16, 2007 2:10 pm

I am trying to get wired XP clients authenticating using MS-CHAP v2. The RADIUS client is a Cisco 6509 switch and the RADIUS server is a member server running Windows 2003. There is a standalone CA on the domain and I have generated a certificate from that. My main issue is that I am not sure if my remote access policy is set up correctly. The policy is set to check membership of a Windows group and Authentication type matches EAP or MS-CHAP V2. When a client tries to connect, an error is written to the IAS event log with the following details:

Event ID 2, Reason code 22. The client could not be authenticated because the EAP type cannot be processed by the server.

If anyone can shed any light on this I would be grateful. I think it's something that I have not configured properly in the Remote Access Policy.

Many Thanks

Ken

Hi there --

I am unclear about which authentication method and authentication type you
are attempting to deploy.

If you want to deploy EAP, for 802.1X authenticating switches you can
deploy several possible things:

Protected EAP with MS-CHAP v2. This requires a server cert on your IAS
server that client computers trust. Users are authenticated with
password-based credentials and the client computer authenticates the
server with the server certificate.

EAP-TLS. This requires server certs and client certs, and you must deploy a
public key infrastructure (PKI) / Certificate Services in Windows.

EAP-MD5. This is a password-based authentication method that is similar to
CHAP, but the challenge and response are sent as EAP messages.

If you are just trying to deploy MS-CHAP v2, do not select an EAP method in
the remote access policy. Only select the check box (on the Authentication
tab of the RAP profile) for MS-CHAP v2.

Then make sure your clients are configured to use the auth method you have
selected on the IAS server's RAP.

--
James McIllece, Microsoft

There is a difference between PEAP-EAP-MSCHAPv2 and MS-CHAPv2. I will not
get into the details of the difference.
For wired and wireless clients, you can't use MS-CHAPv2 to authenticate;
it's in fact PEAP-EAP-MSCHAPv2 that you need.
To enable PEAP-EAP-MSCHAPv2 on the server, go to EAP, Add PEAP [by default
it will have EAP-MSCHAPv2 as an internal method].
This should resolve the issue of Reason Code 22 in your case.

HTH
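
As an added illustration (not code from this thread or from IAS itself), the Python script below parses the "Attribute = value" blocks that IAS writes for Event ID 2, as quoted in the posts above, and applies the two checks the replies recommend: whether the NAS-Port-Type is one the Remote Access Policy matches, and whether the policy has PEAP (inner EAP-MSCHAPv2) enabled for a client that offered EAP. The policy dictionary is a constructed model, not an IAS API, and the sample event is the first block from the opening post.

```python
import re

# Constructed model of a Remote Access Policy (not an IAS API): the
# NAS-Port-Types the policy matches and the EAP types its profile enables.
DEFAULT_POLICY = {
    "nas_port_types": {"Wireless - Other", "Wireless - IEEE 802.11"},
    "eap_types": set(),  # empty until PEAP (inner EAP-MSCHAPv2) is added
}

# Sample Event ID 2 text, copied from the first block in the opening post.
SAMPLE_EVENT = """User DOM\\user was denied access.
Fully-Qualified-User-Name = DOM\\user
NAS-Identifier = <not>
NAS-Port-Type = Virtual
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 22
"""

def parse_ias_event(text):
    """Map 'Attribute = value' lines to a dict; <not>/<undetermined> become None."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            key, value = m.groups()
            fields[key] = None if value in ("", "<not>", "<undetermined>") else value
    return fields

def diagnose(text, policy=DEFAULT_POLICY):
    """Return (reason_code, [suggested fixes]) using the advice given in this thread."""
    f = parse_ias_event(text)
    fixes = []
    port = f.get("NAS-Port-Type")
    if port and port not in policy["nas_port_types"]:
        # First reply: a policy limited to Wireless port types never matches 'Virtual'.
        fixes.append(f"add NAS-Port-Type '{port}' to the remote access policy")
    code = int(f.get("Reason-Code") or 0)
    if code == 22 and f.get("Authentication-Type") == "EAP":
        if "PEAP" not in policy["eap_types"]:
            # Third reply: 802.1X clients need PEAP-EAP-MSCHAPv2, not bare MS-CHAP v2.
            fixes.append("add PEAP (inner EAP-MSCHAPv2) under the profile's EAP methods")
        elif f.get("EAP-Type") is None:
            # Vista case later in the thread: client offers an EAP type the RAP lacks.
            fixes.append("client offered an EAP type not enabled on the policy; compare settings")
    elif code == 65:
        fixes.append("grant remote access permission on the user account or the matching policy")
    elif code == 97:
        fixes.append("RADIUS message unsuitable for the secure transaction; re-check the policy match")
    return code, fixes

if __name__ == "__main__":
    code, fixes = diagnose(SAMPLE_EVENT)
    print(f"Reason-Code {code}:")
    for fix in fixes:
        print(" -", fix)
```

Paste any of the denial blocks from this thread into `diagnose()` and adjust the policy dictionary to mirror your own RAP to see which of the suggested fixes still applies.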

Postby chicagotech » Mon Jul 16, 2007 2:13 pm

I would try the wireless rollup hotfix (http://support.microsoft.com/?id=826942)
and/or WPA2/AES. My prime suspect would be TKIP. I suggest enabling EAP
debugging on the Cisco AP (debug dot11 aaa); IAS logging can also help.



--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-
"Christopher C. Welber" <chriswelber> wrote in message
news:eIs1AB95FHA.3636@TK2MSFTNGP09.phx.gbl...
>
> --PROBLEM:
>
> The wireless client [Dell notebook] system goes to authenticate with
> Windows 2003 server and it looks like the authentication is making it to
> the server because we turned logging on and could see that there was some
> type of handshaking and access of the Active Directory for the user, and
> then the system kicks back the following error:
>
> "The client could not be authenticated because the Extensible
> Authentication Protocol EAP type can not be processed by the server"
>
> We assume it means the Windows 2003 server.
>
> We have the following configuration [Complete Event Log Error Listed at
> the End of This Message]:
>
> --System Configuration
>
> Windows Server 2003 Standard
>
> Configuration:
>
> - Base Server w/ Latest MS Updates
> - IAS installed
> - CA Authority with certificates installed
> - This server is part of a multiple-site domain connected through a
>   Cisco-style VPN connection
> - Wireless policy is configured both in Active Directory & the IAS
>   wireless policy component
> - There is a wireless group that is given access in the IAS wireless
>   policy we created, and the test user has the Dial-In property enabled
>   with the "Control Access Through Remote Access Policy" radio button
>   selected.
> - The Cisco IP is entered as a RADIUS client under the IAS service
>   clients tab and the shared secret password set up.
>
> In the IAS Profile:
>
> - We have all of the authentication methods unchecked, but I think it
>   kicked out the same error whether we had everything checked or not.
> - Everything is checked in the Encryption tab
> - In the Advanced tab we have service of RADIUS Standard and Framed
>   selected
> - Server settings determine IP assignment, but I don't think we're even
>   making it that far
> - No Dial-in constraints selected
>
> In the Wireless policy in Active Directory:
>
> - Networks to access: "Access point [infrastructure only] networks only"
> - Preferred Networks: the access SSID is listed with network
>   authentication of WPA, data encryption TKIP
> - Under the IEEE 802.1x tab, EAPOL Start message is "Transmit per IEEE
>   802.1x", EAP type is "Protected EAP [PEAP]" [under these settings the
>   certificate is correctly selected, we believe, that was assigned to the
>   server when we created the CA; authentication method is EAP-MSCHAP v2]
>
> Cisco Aironet 1100 Wireless Access Unit
>
> Configuration:
>
> RADIUS server is set to be the server w/ shared secret password set up
>
> PAP, TKIP are enabled on the wireless access point
>
> Dell Notebook:
>
> Configuration:
>
> w/ wireless adapter enabled for WPA
>
> Error Log Event Properties of the error are:
>
> Source: IAS
> Event ID: 2
> Type: Warning
> NAS IP: 10.10.10.5 [The Cisco Equipment]
> Client IP: 10.10.10.5
> NAS-Port-Type: 802.11
> NAS-Port: 1042
> Proxy-Policy-Name: Use Windows authentication for all users
> Authentication-Provider: Windows
> Authentication-Server = <undetermined>
> Policy-Name = Gws-wireless [this is the policy we created in IAS Server]
> Reason-Code = 22
> Reason:
> "The client could not be authenticated because the Extensible
> Authentication Protocol EAP type can not be processed by the server"

Postby chicagotech » Tue Jul 17, 2007 12:22 pm

Hi,

Thanks for your suggestion. I've tried this and it makes no difference; I
tried setting it to various numbers (1344, 1000, 64, 128) and none made any
difference. I have since found out that using another make of access point
rather than 3Com, Vista will connect, but all 3Com access points I've
tried work fine with XP but not with Vista.

I'm not sure what else to try.

Regards
Paul Mckenna

"Ken Zhao [MSFT]" wrote:

> Hello Paul,
>
> Thank you for using newsgroup!
>
> From your post, I'd like to suggest you try to reduce the EAP packet size
> of a Remote Authentication Dial-In User Service (RADIUS) server. You can do
> this by using the Framed-MTU attribute in Internet Authentication Services
> (IAS) of a Microsoft Windows Server 2003-based computer. For more detailed
> steps, please refer to:
> 883389: How to reduce the EAP packet size by using the Framed MTU attribute
> in Windows Server 2003
> http://support.microsoft.com/default.as ... -US;883389
>
> Thanks & Regards,
>
> Ken Zhao
>
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> ====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> ====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> --------------------
> | From: Paul Mckenna <JazzyJ187>
> | Subject: Re: Vista wireless using IAS and WPA-Enterprise
> | Date: Mon, 16 Jul 2007 15:06:04 -0700
> | Newsgroups: microsoft.public.windows.server.networking
> |
> | Again I appreciate your response, but this works with XP. XP sends the
> | message to IAS that it wants to use PEAP authentication, whereas Vista
> | sends the message to use EAP (which is not configured and is not something
> | I want to use) even though Vista is configured to use PEAP.
> | So although these error messages will probably help someone who wants to
> | use EAP-TLS without having properly configured it, they don't really shed
> | any light on my problem.
> |
> | Thanks again
> |
> | Regards
> | Paul
> |
> | "Robert L [MVP - Networking]" wrote:
> |
> | > Or this post:
> | >
> | > IAS Reason-Code = 22 and 97
> | > http://chicagotech.net/netforums/viewtopic.php?t=1063
> | >
> | > Bob Lin, MS-MVP, MCSE & CNE
> | > Networking, Internet, Routing, VPN Troubleshooting on
> | > http://www.ChicagoTech.net
> | > How to Setup Windows, Network, VPN & Remote Access on
> | > http://www.HowToNetworking.com
> | > "Paul Mckenna" <JazzyJ187> wrote in message
> | > news:EB1DC5EB-D1C7-43D2-943E-755251B9E8B5@microsoft.com...
> | >
> | > Thanks for your quick response. It's my fault, I posted the wrong
> | > error message. The actual failure is
> | >
> | > User DOMAIN\Paul was denied access.
> | > Fully-Qualified-User-Name = domain.local/Technical/Paul Mckenna
> | > NAS-IP-Address = 192.168.100.126
> | > NAS-Identifier =
> | > Called-Station-Identifier = <not>
> | > Calling-Station-Identifier = <not>
> | > Client-Friendly-Name = 3com
> | > Client-IP-Address = 192.168.100.126
> | > NAS-Port-Type = Wireless - IEEE 802.11
> | > NAS-Port = 29
> | > Proxy-Policy-Name = Use Windows authentication for all users
> | > Authentication-Provider = Windows
> | > Authentication-Server = <undetermined>
> | > Policy-Name = VPN
> | > Authentication-Type = EAP
> | > EAP-Type = <undetermined>
> | > Reason-Code = 22
> | > Reason = The client could not be authenticated because the Extensible
> | > Authentication Protocol (EAP) Type cannot be processed by the server.
> | >
> | > For more information, see Help and Support Center at
> | > http://go.microsoft.com/fwlink/events.asp.
> | >
> | > It seems to be that Vista is sending that it wants to use EAP even
> | > though it's configured to use PEAP.
> | >
> | > "Robert L [MVP - Networking]" wrote:
> | >
> | > > I would double check the Remote Access Policy. This post may help,
> | > >
> | > > IAS Reason-Code = 65
> | > >
> | > > http://www.chicagotech.net/netforums/vi ... =1711#1711
> | > >
> | > > Bob Lin, MS-MVP, MCSE & CNE
> | > > Networking, Internet, Routing, VPN Troubleshooting on
> | > > http://www.ChicagoTech.net
> | > > How to Setup Windows, Network, VPN & Remote Access on
> | > > http://www.HowToNetworking.com
> | > > "Paul Mckenna" <JazzyJ187> wrote in message
> | > > news:CB717348-F026-42B2-BED0-6AD0DAF42784@microsoft.com...
> | > > Hi,
> | > >
> | > > I've got a problem with Vista not connecting to our wireless
> | > > network. Everything works great with XP, but on Vista, although Vista
> | > > is configured to use PEAP, I get this error message on the server when
> | > > the Vista PC tries to connect...
> | > >
> | > > User host/Paul07.domain.local was denied access.
> | > > Fully-Qualified-User-Name = domain.local/Computers/PAUL07
> | > > NAS-IP-Address = 192.168.100.126
> | > > NAS-Identifier =
> | > > Called-Station-Identifier = <not>
> | > > Calling-Station-Identifier = <not>
> | > > Client-Friendly-Name = 3com
> | > > Client-IP-Address = 192.168.100.126
> | > > NAS-Port-Type = Wireless - IEEE 802.11
> | > > NAS-Port = 29
> | > > Proxy-Policy-Name = Use Windows authentication for all users
> | > > Authentication-Provider = Windows
> | > > Authentication-Server = <undetermined>
> | > > Policy-Name = Connections to other access servers
> | > > Authentication-Type = EAP
> | > > EAP-Type = <undetermined>
> | > > Reason-Code = 65
> | > > Reason = The connection attempt failed because remote access
> | > > permission for the user account was denied. To allow remote access,
> | > > enable remote access permission for the user account, or, if the user
> | > > account specifies that access is controlled through the matching remote
> | > > access policy, enable remote access permission for that remote access
> | > > policy.
> | > >
> | > > For more information, see Help and Support Center at
> | > > http://go.microsoft.com/fwlink/events.asp.
> | > >
> | > > At the moment IAS is only configured to accept PEAP authentication.
> | > > If I enable EAP (which I don't want to use) I get this message..
> | > >
> | > > Because no certificate has been configured for clients dialing in
> | > > with EAP-TLS, a default certificate is being sent to user domain\paul.
> | > > Please go to the user's Remote Access Policy and configure the
> | > > Extensible Authentication Protocol (EAP).
> | > >
> | > > Like I say, Vista is configured to PEAP but for some reason seems
> | > > to be sending info that it wants to use EAP-TLS.
> | > >
> | > > What am I doing wrong?
> | > >
> | > > Thanks in advance for any help

Postby chicagotech » Wed Jul 18, 2007 9:49 am

Thanks for your suggestion.

I've tried turning off autotuninglevel on the Vista machines but with no
joy. I've also looked at the KB articles, none of which seem to relate to the
problem I'm having, but I've tried the suggestions. Still nothing.

Just to recap: when using any 3Com access point with a Windows Vista client,
the 3Com access point sends data to the IAS server to say it wants to use EAP
(even though Vista is configured to use PEAP) authentication; with an XP
client the 3Com box sends that it wants to use PEAP authentication. If I enable
EAP-TLS authentication on IAS and install a user certificate on the Vista
machine and set Vista to use a certificate to log in, the connection works,
but it's a lot of hassle maintaining and installing certificates for each
user; I would much rather use PEAP.

Regards
Paul Mckenna
"Ken Zhao [MSFT]" wrote:

> Hi Paul,
>
> Based on my research, if the problem only occurs on Windows Vista machines,
> I suggest you perform the following steps on the Vista machines:
>
> 1. Click Start, click All Programs, click Accessories, and then click
> Command Prompt.
> 2. At the command prompt, type the following command, and then press ENTER:
> netsh interface tcp set global autotuninglevel=disabled
> This command disables the Receive Window Auto-Tuning feature.
> 3. Try to make a non-HTTP network connection.
> Note: If the connectivity problem is resolved, contact the manufacturer of
> the firewall device for steps to correct the issue.
> 4. At a command prompt, type the following command, and then press ENTER:
> netsh interface tcp set global autotuninglevel=normal
> This command enables Receive Window Auto-Tuning again so that you can take
> advantage of the network throughput performance increase it provides.
>
> Also I found there are new KB articles already described for this issue and
> give the workaround.
> 934430: Network connectivity may fail when you try to use Windows Vista
> behind a firewall device
> http://support.microsoft.com/kb/934430
>
> 929868: A Web site sends data very slowly or drops the data completely when
> you use Windows Vista Enterprise
> http://support.microsoft.com/kb/929868
>
> 935400: It takes a very long time to download an e-mail message from a POP3
> server in Outlook 2007
> http://support.microsoft.com/kb/935400
>
> Hope that helps!
>
> Thanks & Regards,
>
> Ken Zhao
>
> Microsoft Online Support
> Microsoft Global Technical Support Center

