• Status: Solved

IAS (radius) on 2003

I have IAS running on a Windows 2000 DNS server.  I have been using this IAS as a RADIUS server for about a year with my wireless devices.  All has worked fine.  I'm using Protected EAP (PEAP), WPA, TKIP.  The laptops automatically log into the wireless with their DNS login.  I started setting up another server with IAS for a backup.  This time it was on a Windows 2003 server.  I set up IAS the same but I keep getting this error: "Reason Code = 49, The connection attempted did not match any connection request policy".  I can connect to the old IAS (Windows 2000) fine, but not the new IAS (Windows 2003).
Asked by: kevingattis

Jakob Digranes (Senior Consultant) commented:
Looks like there's something wrong, yes...
Could you post the entire error from Event Viewer?

Looks like it either can't find a remote access policy that matches the user's login credentials.
Take an extra look at the remote access policies to check that you haven't forgotten anything.

kevingattis (Author) commented:
Here is the complete error message.

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            12/21/2009
Time:            8:15:03 AM
User:            N/A
Computer:      RADIUS
Description:
User AUTUMNCORP\99-27 was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 190.150.142.164
 NAS-Identifier = 99-TEST
 Called-Station-Identifier = 0023.eb1f.5e30
 Calling-Station-Identifier = 001f.e298.7f23
 Client-Friendly-Name = 99 TEST
 Client-IP-Address = 190.150.142.164
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 431
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match
 any connection request policy.

For more information,
 see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....    

Jakob Digranes (Senior Consultant) commented:
Are you sure you have the same remote access policy in the new IAS?
The error clearly states that the client cannot gain access since it doesn't fulfill any of the criteria that are set to allow access.

This could be because there's something wrong or missing in the remote access policy, or this could be because the client sends the request the wrong way. Could you post the remote access policy?
Feel free to gray out the IPs and names if you like.

kevingattis (Author) commented:
Here is a print screen of my remote access policy; open it in WordPad.

Also, after working with IAS yesterday the error message has changed a little.  The NAS port number has changed.

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            12/22/2009
Time:            9:02:19 AM
User:            N/A
Computer:      RADIUS
Description:
User AUTUMNCORP\99-27 was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address = 190.150.142.164
 NAS-Identifier = 99-TEST
 Called-Station-Identifier = 0023.eb1f.5e30
 Calling-Station-Identifier = 001f.e298.7f23
 Client-Friendly-Name = 99 TEST
 Client-IP-Address = 190.150.142.164
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 257
 Proxy-Policy-Name = <none>
 Authentication-Provider = <undetermined>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match
 any connection request policy.
 

For more information, see Help and Support Center
 at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00               ....
IAS-Remote-Access-Policy.doc

Jakob Digranes (Senior Consultant) commented:
Try adding wireless 802.11 as the medium where you have the group defined.

kevingattis (Author) commented:
Are you talking about under -> IAS, Remote Access Policy, Policy Conditions "NAS-Port-Type matches Wireless - IEEE 802.11"?

I added it there but still got the same result.

kevingattis (Author) commented:
I have noticed that the only server that I can run IAS on is the main DNS server.

On every other server where I install IAS, I get the same error message.

Jakob Digranes (Senior Consultant) commented:
Huh...? That doesn't really make sense. I guess your main DNS is also a DC.
Try downloading the Windows 2003 Server Support Tools and run netdiag.exe from the command prompt.
Download: http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

Do this on one of the IAS servers that isn't working.

kevingattis (Author) commented:
Ok here is the result from the netdiag.exe.
netdiag.txt

Jakob Digranes (Senior Consultant) commented:
OK.

So you obviously have a secure connection to the DCs. (I thought you might have had that broken...)
Could you click EDIT on the policy and post those settings here?

kevingattis (Author) commented:
Is this the information you want?
IAS.doc

kevingattis (Author) commented:
Do I need to set up a Connection Request Policy? I have noticed that there are no CRPs listed.

Jakob Digranes (Senior Consultant) commented:
No CRP needed.
Try checking MS-CHAP v2.

kevingattis (Author) commented:
Here is a print screen of both IAS servers.  
IAS-2.doc

Jakob Digranes (Senior Consultant) commented:
Check the EAP methods on the 2nd server.

kevingattis (Author) commented:
I don't really understand when you say check EAP methods?

kevingattis (Author) commented:
Do I have to get certificates (CA) working on the Windows 2003 server for IAS to work?  Because I do not have a CA working on either the Windows 2000 server or the 2003.

Jakob Digranes (Senior Consultant) commented:
If your wireless policy says it needs certs, you need a CA; if they do not have "Validate server certificate" checked, they do not need one.

kevingattis (Author) commented:
I have finally got IAS to work.

After I added a Connection Request Policy and a Remote RADIUS Server Group in IAS, it started authenticating wireless laptops.

Thanks for all the help, I never thought I would get this to work.

Jakob Digranes (Senior Consultant) commented:
well done
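
Added example, not part of the original thread: a small Python parser for the Event ID 2 description posted above that reports which IAS processing stage rejected the request. It assumes that `Proxy-Policy-Name` carries the matched connection request policy and `Policy-Name` the matched remote access policy; the sample text is constructed from the event in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: shortened Description text of the IAS Event ID 2 in the thread.
SAMPLE = r"""User AUTUMNCORP\99-27 was denied access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-Identifier = 99-TEST
 NAS-Port-Type = Wireless - IEEE 802.11
 Proxy-Policy-Name = <none>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>
 Reason-Code = 49
 Reason = The connection attempt did not match
 any connection request policy.
"""

ATTR = re.compile(r"^\s*([A-Za-z][\w-]*) = (.*)$")
UNSET = {"<none>", "<undetermined>", ""}

def parse_ias_event(description):
    """Return {attribute: value}; wrapped values are joined to the previous attribute."""
    attrs, last = {}, None
    for line in description.splitlines():
        m = ATTR.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2).strip()
        elif last and line.startswith(" ") and line.strip():
            attrs[last] += " " + line.strip()   # continuation of a wrapped value
        else:
            last = None                          # header, blank line or trailer
    return attrs

def failed_stage(attrs):
    """Name the stage at which the request stopped (assumed field semantics)."""
    def unset(name):
        return attrs.get(name, "<undetermined>") in UNSET
    if unset("Proxy-Policy-Name"):
        # No connection request policy matched, so no remote access policy,
        # authentication type or EAP type was ever evaluated.
        return "connection request policy"
    if unset("Policy-Name"):
        return "remote access policy"
    return "authentication"

if __name__ == "__main__":
    event = parse_ias_event(SAMPLE)
    print(event["Reason-Code"], "->", failed_stage(event))
```

For the event in the thread this reports the connection request policy stage, which is why changes to the remote access policy and EAP settings had no effect on the error.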