kevingattis asked:

IAS (radius) on 2003

I have IAS running on a Windows 2000 DNS server.  I have been using this IAS as a RADIUS server for about a year with my wireless devices.  All has worked fine.  I'm using Protected EAP (PEAP), WPA, TKIP.  The laptops automatically log into the wireless with their DNS login.  I started setting up another server with IAS for a backup.  This time it was on a Windows 2003 server.  I set up IAS the same but I keep getting this error: "Reason Code = 49, The connection attempted did not match any connection request policy".  I can connect to the old IAS (Windows 2000) fine, but not the new IAS (Windows 2003).
Jakob Digranes

Looks like there's something wrong, yes ...
Could you post the entire error from Event Viewer?

Looks like it either can't find a remote access policy that matches the user's login credentials.
Take an extra look at the remote access policies to check that you haven't forgotten anything.
kevingattis (ASKER)

Here is the complete error message.

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            12/21/2009
Time:            8:15:03 AM
User:            N/A
Computer:      RADIUS
Description:
User AUTUMNCORP\99-27 was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 190.150.142.164
 NAS-Identifier = 99-TEST
 Called-Station-Identifier = 0023.eb1f.5e30
 Calling-Station-Identifier = 001f.e298.7f23
 Client-Friendly-Name = 99 TEST
 Client-IP-Address = 190.150.142.164
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 431
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match
 any connection request policy.

For more information,
 see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....    
Are you sure you have the same remote access policy in the new IAS?
The error clearly states that the client cannot gain access since it doesn't fulfill any of the criteria that are set to allow access.

This could be because there's something wrong or missing in the remote access policy - or this could be because the client sends the request the wrong way. Could you post the remote access policy?
Feel free to gray out the IPs and names if you like.
Here is a print screen of my remote access policy. Open it in WordPad.

Also, after working with IAS yesterday the error message has changed a little.  The NAS port number has changed.

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            12/22/2009
Time:            9:02:19 AM
User:            N/A
Computer:      RADIUS
Description:
User AUTUMNCORP\99-27 was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 190.150.142.164
 NAS-Identifier = 99-TEST
 Called-Station-Identifier = 0023.eb1f.5e30
 Calling-Station-Identifier = 001f.e298.7f23
 Client-Friendly-Name = 99 TEST
 Client-IP-Address = 190.150.142.164
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 257
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match
 any connection request policy.
 

For more information, see Help and Support Center
 at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....
IAS-Remote-Access-Policy.doc
Try adding wireless 802.11 as medium where you have the group defined.
Are you talking about under -> IAS, Remote Access Policy, Policy Conditions "NAS-Port-Type matches Wireless - IEEE 802.11"?

I added it there but still got the same result.
I have noticed that the only server that I can run IAS on is the main DNS server.

Every other server I install IAS I get the same error message.  
Huh ... ? That doesn't really make sense. I guess your main DNS is also a DC.
Try downloading the Windows 2003 Server Support Tools and run netdiag.exe from the command line.
Download: http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

Do this on one of the IAS servers that isn't working.
Ok here is the result from the netdiag.exe.
netdiag.txt
OK

So you obviously have a secure connection to the DCs. (Thought you might have had that broken ...)
Could you click EDIT on the policy and post those settings here?
Is this the information you want?
IAS.doc
Do I need to set up a Connection Request Policy? I have noticed that there are no CRPs listed.
No CRP needed.
Try checking MS-CHAP v2.
Here is a print screen of both IAS servers.  
IAS-2.doc
Check EAP methods on the 2nd server.
I don't really understand when you say check EAP methods?
Do I have to get certificates (CA) working on the Windows 2003 server for IAS to work?  Because I do not have a CA working on either the Windows 2000 server or the 2003 one.
If your wireless policy says it needs certs, you need a CA - if they do not have validate server certificate checked - they do not need
ASKER CERTIFIED SOLUTION
kevingattis

This solution is only available to members of Experts Exchange.
well done
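
An added example, not part of the original thread: a parser for the IAS Event ID 2 description text posted above that reports which policy stage rejected the request. Reading Proxy-Policy-Name as the matched connection request policy and Policy-Name as the matched remote access policy is this example's assumption about the fields; the function names are hypothetical.

```python
import re

# Constructed sample: an excerpt of the Event ID 2 description quoted in the thread.
SAMPLE_EVENT = """User AUTUMNCORP\\99-27 was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 190.150.142.164
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 257
 Proxy-Policy-Name = <none>
 Policy-Name = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match
 any connection request policy.
"""

ATTR = re.compile(r"^\s*([A-Za-z][A-Za-z-]*)\s=\s(.*)$")
UNSET = {"<none>", "<undetermined>"}


def parse_ias_event(description):
    """Return {attribute: value}; wrapped lines are appended to the previous value."""
    attrs, last = {}, None
    for line in description.splitlines():
        m = ATTR.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip()
        elif last and line.strip():
            attrs[last] += " " + line.strip()  # e.g. the wrapped Reason text
    return attrs


def rejection_stage(attrs):
    """Name the policy stage that denied the request, using only logged fields."""
    if not attrs:
        return "unknown"
    # Assumption: an unset Proxy-Policy-Name means no connection request policy matched.
    if attrs.get("Reason-Code") == "49" or attrs.get("Proxy-Policy-Name") in UNSET:
        return "connection-request-policy"  # remote access policies were never evaluated
    if attrs.get("Policy-Name") in UNSET:
        return "remote-access-policy"       # a CRP matched, no remote access policy did
    return "authentication"                 # both matched; credentials or EAP failed


if __name__ == "__main__":
    event = parse_ias_event(SAMPLE_EVENT)
    print(rejection_stage(event), "-", event["Reason"])
```

For the event in this thread the result is the connection request policy stage, which is why Policy-Name, Authentication-Type and EAP-Type are all logged as undetermined.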