Event ID 2: Reason-Code = 66

Postby chicagotech » Sun Apr 15, 2007 11:41 pm

Symptom: the IAS server may log this event:
Event Type: Warning
Event Source: IAS
Description:
User blin was denied access.
Fully-Qualified-User-Name = chicagotech.net/Users/Bob Lin
NAS-IP-Address = 10.0.20.53
NAS-Identifier = Outdoor
Called-Station-Identifier = <not>
Calling-Station-Identifier = <not>
Client-Friendly-Name = Non-Root Bridge
Client-IP-Address = 10.0.20.53
NAS-Port-Type = Async
NAS-Port = <not>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = All
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

Cause: The Authentication-Type differs between IAS and the client. In this case, the client is a non-root wireless bridge. IAS may not recognize the non-domain user.
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
chicagotech
Site Admin
 
Posts: 6484
Joined: Mon Nov 27, 2006 1:24 pm
Location: Chicago USA

Postby mariog » Mon May 14, 2007 3:38 am

Hello,
I would like some advice on this issue.
I have set up a portal where users who have a laptop must authenticate in order to access the Internet over Wi-Fi. They authenticate against a RADIUS server which I have installed on one of the domain controllers. At the beginning they could authenticate, but somehow something in the configuration has changed (I don't know what) and I am no longer able to authenticate, with the event ID and reason code stated earlier.
I include here two logs from the same machine, the same day, with the same user, only a few minutes apart.
One shows the log where the user can authenticate successfully; in the other he can't, because of an authentication method that is not enabled.
I know authentication works because I set up a domain controller in VMware in a fictitious domain, installed Windows 2003 Server and IAS, and I can authenticate there and access the Internet. Is it a problem with the way the production domain has been set up which prevents me from authenticating? I had extensively tested this portal in a testing environment with a domain controller in VMware inside the LAN, not in the main domain but in a domain called something.local. Today I am supposed to go into production and I come across this.
Here are the two logs:
Working log:
Event Type:   Information
Event Source:   IAS
Event Category:   None
Event ID:   1
Date:      11/05/2007
Time:      10:27:09
User:      N/A
Computer:   SVSTUDENT
Description:
User student was granted access.
Fully-Qualified-User-Name = ihecs.net/Utilisateurs Squid/Etudiants/Ihecs/Test/student
NAS-IP-Address = 192.168.1.2
NAS-Identifier = svm0n0.ihecs.net
Client-Friendly-Name = wireless-m0n0wall
Client-IP-Address = 192.168.2.10
Calling-Station-Identifier = 00:11:24:a1:68:ee
NAS-Port-Type = Ethernet
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = ethernet
Authentication-Type = PAP
EAP-Type = <undetermined>

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....   


Non-working log:
Event Type:   Warning
Event Source:   IAS
Event Category:   None
Event ID:   2
Date:      11/05/2007
Time:      10:59:32
User:      N/A
Computer:   SVSTUDENT
Description:
User student was denied access.
Fully-Qualified-User-Name = ihecs.net/Utilisateurs Squid/Etudiants/Ihecs/Test/student
NAS-IP-Address = 192.168.1.2
NAS-Identifier = svm0n0.ihecs.net
Called-Station-Identifier = 00:80:c8:d3:65:eb
Calling-Station-Identifier = 00:11:24:a1:68:ee
Client-Friendly-Name = wireless-m0n0wall
Client-IP-Address = 192.168.2.10
NAS-Port-Type = Ethernet
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00   


The only difference between those logs is the Called-Station-Identifier with the MAC address of the WAN interface of the router that is serving as the portal.
Also, I don't understand why it says connection type Ethernet while I am using a wireless router as the access point (the WAN interface of the router is not used). FYI, it is a D-Link 524+; I connect the portal interface to one of the LAN ports. DHCP is disabled in the router, as the firewall serves as the DHCP server.
The users connect wirelessly only.
Any assistance will be very helpful.
Thank you very much.
Mario
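The two records above differ in only a handful of attributes, and the one that matters for Reason-Code 66 is Policy-Name: the denied request was handled by the default "Connections to other access servers" policy, not by the "ethernet" policy that granted access half an hour earlier. Reason 66 always means a policy did match and the method the NAS used is simply not enabled on that policy, so the place to look is that policy (or policy ordering), not the user account. As an added example, not code from this thread, here is a small Python triage helper that parses an IAS Event ID 1/2 Description block into attributes, diffs a granted and a denied record, and names the method/policy pair that did not line up. The two sample records are constructed from the logs posted above; all function names are my own.

```python
import re

# Constructed sample input: the two Description blocks from the IAS events
# posted above (Event ID 1 granted, Event ID 2 denied), same user, same NAS.
WORKING = """\
User student was granted access.
Fully-Qualified-User-Name = ihecs.net/Utilisateurs Squid/Etudiants/Ihecs/Test/student
NAS-IP-Address = 192.168.1.2
NAS-Identifier = svm0n0.ihecs.net
Client-Friendly-Name = wireless-m0n0wall
Client-IP-Address = 192.168.2.10
Calling-Station-Identifier = 00:11:24:a1:68:ee
NAS-Port-Type = Ethernet
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = ethernet
Authentication-Type = PAP
EAP-Type = <undetermined>
"""

FAILING = """\
User student was denied access.
Fully-Qualified-User-Name = ihecs.net/Utilisateurs Squid/Etudiants/Ihecs/Test/student
NAS-IP-Address = 192.168.1.2
NAS-Identifier = svm0n0.ihecs.net
Called-Station-Identifier = 00:80:c8:d3:65:eb
Calling-Station-Identifier = 00:11:24:a1:68:ee
Client-Friendly-Name = wireless-m0n0wall
Client-IP-Address = 192.168.2.10
NAS-Port-Type = Ethernet
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

OUTCOME_RE = re.compile(r"^User (\S+) was (granted|denied) access\.$")
ATTR_RE = re.compile(r"^([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_ias_event(description):
    """Turn an IAS event Description block into {attribute: value}.

    The leading 'User X was granted/denied access.' line becomes the
    'User' and 'Outcome' keys; every 'Name = value' line is kept verbatim.
    """
    attrs = {}
    for raw in description.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OUTCOME_RE.match(line)
        if m:
            attrs["User"], attrs["Outcome"] = m.group(1), m.group(2)
            continue
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def diff_events(a, b):
    """Attributes whose value differs or is absent between two records,
    as {name: (value_in_a, value_in_b)}; None marks an absent attribute."""
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}


def explain_reason_66(attrs):
    """For Reason-Code 66 name the method/policy pair that did not line up.

    Reason 66 means a policy DID match; the method the NAS used is simply
    not ticked on that policy, so the fix is on the named policy (or on
    policy ordering), not on the user account. Returns None otherwise.
    """
    if attrs.get("Reason-Code") != "66":
        return None
    method = attrs.get("Authentication-Type", "?")
    if method == "EAP":
        method = "EAP/" + attrs.get("EAP-Type", "?")
    return ("policy '%s' matched the request but does not have %s enabled"
            % (attrs.get("Policy-Name"), method))


if __name__ == "__main__":
    ok, bad = parse_ias_event(WORKING), parse_ias_event(FAILING)
    for name, (before, after) in diff_events(ok, bad).items():
        print("%-28s %r -> %r" % (name, before, after))
    print(explain_reason_66(bad))
```

Run against the two records it reports Called-Station-Identifier (absent in the granted record), Outcome, Policy-Name, Reason-Code and Reason as the only differences, and Authentication-Type is not among them: the NAS sent PAP both times, so what changed is which policy caught the request.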

Postby chicagotech » Mon May 14, 2007 10:17 am

How many policies do you have? Can I assume you have "ethernet" and "Connections to other access servers"? How did you set them up?

Postby mariog » Tue May 15, 2007 4:05 am

There are three policies: the two defaults you get when you start the IAS snap-in, one called
Connections to Microsoft Routing and Remote Access server
and the other
Connections to other access servers.
I set the policy up using the wizard: I click New Remote Access Policy, enter a friendly name, then choose Wireless (I have the choice between VPN, dial-in, wireless and Ethernet), and add the groups that are allowed to connect. Then I get a screen: Select the EAP type for this policy. The only one I am able to choose is MD5-Challenge. When the wizard finishes I right-click Properties, then add authentication type and choose PAP.
On the server in VMware this works; in the actual domain it does not.
Thank you very much.
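IAS evaluates remote access policies top to bottom and uses the first one whose conditions all match; only that policy's enabled authentication methods count, and later policies are never consulted. A policy built with the wizard's Wireless option carries a NAS-Port-Type condition (Wireless - Other or Wireless - IEEE 802.11), while the captive portal here sends NAS-Port-Type = Ethernet, so such a request skips the wizard policy and lands on the catch-all "Connections to other access servers", which has no PAP, giving Reason-Code 66. The thread never says what changed on Mario's server between the two logs; this added Python example (my code, not IAS's) only models that first-match behaviour so the fall-through can be seen. Policy names follow the thread, but their conditions and enabled methods are assumptions; the NAS-Port-Type numbers are the RFC 2865 section 5.41 values.

```python
# Toy model of IAS remote access policy selection (added example, not IAS
# code). Policy contents are assumed; only the names come from the thread.

# NAS-Port-Type values from RFC 2865 section 5.41.
VIRTUAL, ETHERNET, WIRELESS_OTHER, WIRELESS_80211 = 5, 15, 18, 19


def policy(name, conditions, allowed):
    """conditions: attribute -> set of acceptable values. Every condition must
    match (AND); any one listed value satisfies a condition (OR)."""
    return {"name": name, "conditions": conditions, "allowed": set(allowed)}


# The three policies in the order Mario describes: the wizard-built one
# first, then the two IAS defaults. Conditions and methods are assumptions.
WIZARD_WIRELESS = policy(
    "portal-wireless",
    {"NAS-Port-Type": {WIRELESS_OTHER, WIRELESS_80211},
     "Windows-Groups": {"Etudiants"}},
    {"PAP", "EAP-MD5"},
)
RRAS_DEFAULT = policy(
    "Connections to Microsoft Routing and Remote Access server",
    {"MS-RAS-Vendor": {311}},          # only RRAS servers send this
    {"MS-CHAP-v2", "MS-CHAP"},
)
OTHER_DEFAULT = policy(
    "Connections to other access servers",
    {},                                # no conditions: catches everything left
    {"MS-CHAP-v2", "MS-CHAP"},         # PAP deliberately not enabled
)
POLICIES = [WIZARD_WIRELESS, RRAS_DEFAULT, OTHER_DEFAULT]


def matches(pol, request):
    return all(request.get(attr) in values
               for attr, values in pol["conditions"].items())


def evaluate(policies, request):
    """Return (outcome, policy_name, reason_code).

    First matching policy wins. A policy further down that would have allowed
    the method is irrelevant once an earlier one has matched: that is the
    situation Reason-Code 66 reports."""
    for pol in policies:
        if matches(pol, request):
            if request["Authentication-Type"] in pol["allowed"]:
                return ("granted", pol["name"], None)
            return ("denied", pol["name"], 66)
    return ("denied", None, None)      # nothing matched: a different reason code


def portal_request(port_type, method="PAP"):
    """What a captive portal relaying a PAP login looks like to IAS."""
    return {"NAS-Port-Type": port_type, "Authentication-Type": method,
            "Windows-Groups": "Etudiants"}


def with_ethernet(pol):
    """Copy of a policy whose NAS-Port-Type condition also accepts Ethernet,
    which is what a portal that reports NAS-Port-Type = Ethernet needs."""
    cond = dict(pol["conditions"])
    cond["NAS-Port-Type"] = cond.get("NAS-Port-Type", set()) | {ETHERNET}
    return policy(pol["name"], cond, pol["allowed"])


if __name__ == "__main__":
    print(evaluate(POLICIES, portal_request(WIRELESS_80211)))
    print(evaluate(POLICIES, portal_request(ETHERNET)))     # falls through: 66
    fixed = [with_ethernet(WIZARD_WIRELESS), RRAS_DEFAULT, OTHER_DEFAULT]
    print(evaluate(fixed, portal_request(ETHERNET)))
```

The same model shows why ordering matters: move the catch-all policy above the portal policy and even a genuinely wireless request is denied with 66, because the catch-all matches first. When tightening a PAP policy, narrow its conditions (NAS-Port-Type plus Client-IP-Address or Client-Friendly-Name of the one portal) rather than enabling PAP on the default policy, so that a plaintext method is only reachable from the device that actually needs it.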

Postby chicagotech » Tue May 15, 2007 4:51 pm

Based on your post, the NAS-Port-Type = Ethernet. It should be Wireless. Double-check the settings or follow this how-to.

How to create Remote Access Policy under IAS for wireless access
http://www.howtonetworking.com/Security ... policy.htm

Postby mariog » Thu May 17, 2007 6:45 pm

I don't know if it should be Wireless, as it's connected to a computer, not directly to the IAS server.
There's a BSD-based firewall called m0n0wall which gives me captive portal capabilities. That is where I put the HTML page where the users input username and password; it then transmits the request to the IAS server. Before that it has to pass some other firewalls in the company on the way to the actual IAS server. Whether I choose Wireless or Ethernet, the answer is the same.

I just need to select authentication type PAP somewhere, as m0n0wall sends the request in PAP; I have already taken care of this by adding WPA2 as encryption.
Thank you

Postby chicagotech » Fri Mar 07, 2008 5:28 pm

Q: I am trying to set up a Cisco ASA as a VPN using IAS authentication. When using the command "test aaa authentication IASIP12 host 10.0.0.12" to test it, I receive ERROR: Authentication Rejected: Invalid password. I know I have the correct password and I have tried different usernames. This is what Cisco tech support replied:

According to the ASA test command the server is rejecting the authentication, not the ASA. Remember that we have 3 different responses from the server: authentication success, authentication rejected, authentication failed. When we have the reject it means that the server, not the ASA, is not letting this user connect. According to your MS server the reason is:
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

Please check the MS server and make sure that the user has VPN dial-in permission enabled. In case you have questions about how to configure the MS server, I suggest you check with Microsoft Tech Support.

After receiving this reply, I did try to enable VPN dial-in in the remote access policy, but that didn't fix the problem. In the Windows event log I also receive these two events:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
User: DOMAIN\blin
Computer: DEVICES1
Description:
Successful Network Logon:
User Name: BLin
Domain: DOMAIN
Logon ID: (0x0,0xB277183E)
Logon Type: 3
Logon Process: IAS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Logon GUID: -
Caller User Name: DEVICES1$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1188
Transited Services: -
Source Network Address: -
Source Port: -

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
User: N/A
Computer: DEVICES1
Description:
User blin was denied access.
Fully-Qualified-User-Name = chicagotech.net/Users/Bob Lin
NAS-IP-Address = 172.16.252.254
NAS-Identifier = <not>
Called-Station-Identifier = <not>
Calling-Station-Identifier = 000.000.000.000
Client-Friendly-Name = ASAVPN
Client-IP-Address = 172.16.252.254
NAS-Port-Type = Virtual
NAS-Port = <not>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = All
Authentication-Type = PAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

Before Event ID 2, the IAS server also logs this event:

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 5050
User: N/A
Computer: DEVICES1
Description:
A LDAP connection with domain controller dc.chicagotech.net for domain DOMAIN is established.

Postby chicagotech » Fri Mar 07, 2008 5:28 pm

I read the event carefully and found it used PAP. After I enabled PAP, the authentication works. Is PAP safe?

Is PAP safe?
======
Password Authentication Protocol (PAP) uses plaintext passwords and is the
least secure authentication protocol. It is typically negotiated if the
remote access client and remote access server cannot negotiate a more
secure form of validation.

To improve security, I suggest you do not use PAP as the authentication
method.

Authentication method in Windows:
======
Windows clients and the IAS server by default use MS-CHAP/MS-CHAPv2, which is far safer than PAP. You also have the option to use the EAP-TLS/PEAP authentication methods to improve security.

For your reference, I have included this link here:

RADIUS authentication for remote VPN clients
http://www.microsoft.com/technet/isa/20 ... x?mfr=true


Authentication method for third party client:
======
I believe they should also support other methods, which are safer than PAP. For more information about how to configure other authentication methods, please contact the software/hardware vendor for detailed steps.
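"PAP uses plaintext passwords" deserves a concrete picture of what that means between the NAS (the ASA, the m0n0wall portal) and IAS. RADIUS does not send the PAP password bare: RFC 2865 section 5.2 XORs it, 16 bytes at a time, with MD5(shared secret || Request Authenticator), chaining each block on the previous ciphertext block. That hides the password only from someone who lacks the shared secret. Anyone holding the secret reads every password from a capture, and an attacker who captures one Access-Request and knows that one user's password (their own will do) can brute-force the shared secret offline at MD5 speed and then read everyone else's. The Python below is an added example of both sides of that exchange plus the offline attack; it is my code, not Microsoft's or Cisco's, and the secret, password and authenticator values are constructed.

```python
import hashlib
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: what a PAP NAS puts in the User-Password attribute.

    The password is null-padded to a multiple of 16 bytes and each block is
    XORed with MD5(secret || previous block), the first block using the
    16-byte Request Authenticator. Only the secret is unknown to an observer.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return bytes(hidden)


def recover_password(hidden, secret, authenticator):
    """What the RADIUS server does on receipt, and also what anyone who holds
    the shared secret can do to a captured Access-Request."""
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(clear).rstrip(b"\x00")   # strip the RFC null padding


def guess_secret(hidden, authenticator, known_password, candidates):
    """Offline dictionary attack on the shared secret.

    XORing the first hidden block with the first 16 bytes of a known password
    yields MD5(secret || authenticator); each candidate secret then costs one
    MD5. Returns the matching candidate or None.
    """
    first_clear = known_password[:16] + b"\x00" * (16 - len(known_password[:16]))
    target = _xor(hidden[:16], first_clear)
    for cand in candidates:
        if hashlib.md5(cand + authenticator).digest() == target:
            return cand
    return None


if __name__ == "__main__":
    # Constructed values: the secret, password and authenticator are made up.
    secret = b"s3cret"
    ra = os.urandom(16)
    wire = hide_password(b"hunter2", secret, ra)
    print("on the wire:", wire.hex())
    print("server sees:", recover_password(wire, secret, ra))
    # The attacker knows their own password and brings a wordlist.
    print("attacker recovers secret:",
          guess_secret(wire, ra, b"hunter2", [b"radius", b"testing123", b"s3cret"]))
```

The practical consequences for the setups in this thread: if PAP has to stay enabled because the NAS cannot do better, use a long random shared secret (the attack above is a dictionary attack on it), keep the NAS-to-IAS path on an isolated segment or inside an IPsec tunnel, and scope the PAP policy to that one NAS; otherwise move the NAS to MS-CHAPv2 or, better, an EAP method such as PEAP or EAP-TLS where the credential never crosses the RADIUS link in a form the shared secret alone unlocks.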

Postby guest » Tue Feb 03, 2009 7:09 pm

It seems to me the authentication methods don't match. Or check this link.

IAS Issue Collections: IAS related Event IDs and IAS Reason Codes. Most Windows IAS Event ID errors are related ... IAS Event ID 2 - Reason-Code = 65 · Event ID 2: Reason-Code = 66 ...
www.chicagotech.net/troubleshooting/eventid2.htm


--
Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on
http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on
http://www.HowToNetworking.com

>> Hello,
>> I'm having some trouble trying to configure my wired network to use 802.1X with a RADIUS server.
>> Here is my problem: I'm using a Procurve 2650 as the RADIUS client, IAS as the RADIUS server and Windows XP as the supplicant.
>>
>> If I configure CHAP authentication, selecting MD5-Challenge under Authentication in the network configuration of Windows XP and CHAP authentication under the Authentication window of the RADIUS (IAS) policy, all works fine and I can log in correctly to my network (I can see the log in the event viewer).
>>
>> But when I choose to use PEAP, selecting it from the drop-down list under the Authentication window of the network configuration (in XP), and selecting the same in the RADIUS policy, I can't log in correctly, and in the event viewer I see this error:
>> Reason-Code = 66.
>> Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy
>>
>> This is a problem because only PEAP permits automatically submitting the login credentials (or does somebody know how to do it with CHAP?), and because with Windows Vista MD5 is totally unavailable because it's considered obsolete and insecure.
>>
>> Probably I'm missing some step to enable that authentication method in the GPO of my domain, or something similar.
>> Does anybody have a suggestion about this problem?
>>
>> Thank you
>
Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com

Troubleshooting Vista Wireless
http://chicagotech.net/

Postby guest » Tue Feb 03, 2009 7:11 pm

Thank you for the update.


> Thank you to everyone for the replies.
> I discovered that mine was a Procurve problem, related to the old firmware version.
>
> Now, with the latest version, PEAP authentication works like a charm. :-)