Problem using IAS for WLAN (with WEP)

 
 
David
Guest
Posts: n/a

 
      08-22-2005, 08:22 AM
Hi,


I have a Windows 2003 Server Standard SP1 and a Dlink DWL-900AP+ here. The
AP only has WEP support, not WPA (there is a place where I can enter an
802.1x server so I assume Dynamic WEP should be possible). All clients are
running XP SP2.

I installed certificate services & IAS on the server. For this I followed
the MS documents "Configuring Secure Wireless Access With MS Windows SBS
2003" and "Securing Wireless LANs with certificate services".
I executed each step as I should. All computers receive certificates
automatically through a GPO etc.

I can't get it to work however. I always receive the error "Authentication
failed" in the Windows WLAN utility. I also receive a popup in the system
tray: "Windows was unable to log you onto the network SSID".
Below you can find errors I see in the IAS logfile. I don't know what the
meaning is of each of these fields. Maybe someone here can help me?

--- Begin IAS logfile ---
192.168.168.251,0x,08/22/2005,07:35:30,IAS,SERVER2003,40,2,44,0x000000000000000000000000,4,192.168.168.251,5,0,45,1,32,DWL-900AP+,41,0,4108,192.168.168.251,4116,0,4128,Dlink WLAN AP: DWL-900AP+,4154,Use Windows authentication for all users,4136,4,4142,0
192.168.168.251,(E-Mail Removed),08/22/2005,09:35:53,IAS,SERVER2003,4,192.168.168.251,5,0,30,00-80-C8-AC-59-8A,31,00-90-4B-54-05-C5,32,DWL-900AP+,12,1380,61,19,4108,192.168.168.251,4116,0,4128,Dlink WLAN AP: DWL-900AP+,4155,1,4154,Use Windows authentication for all users,25,311 1 192.168.168.200 08/13/2005 12:42:44 1276,4129,Domain\David,4130,Domain\David,4127,5,4136,1,4142,0
192.168.168.251,(E-Mail Removed),08/22/2005,09:35:53,IAS,SERVER2003,25,311 1 192.168.168.200 08/13/2005 12:42:44 1276,4127,5,4130,Domain\David,4129,Domain\David,4154,Use Windows authentication for all users,4155,1,4128,Dlink WLAN AP: DWL-900AP+,4116,0,4108,192.168.168.251,4136,3,4142,48
192.168.168.251,(E-Mail Removed),08/22/2005,09:36:09,IAS,SERVER2003,4,192.168.168.251,5,0,30,00-80-C8-AC-59-8A,31,00-90-4B-54-05-C5,32,DWL-900AP+,12,1380,61,19,4108,192.168.168.251,4116,0,4128,Dlink WLAN AP: DWL-900AP+,4155,1,4154,Use Windows authentication for all users,25,311 1 192.168.168.200 08/13/2005 12:42:44 1277,4129,Domain\David,4130,Domain\David,4127,5,4136,1,4142,0
192.168.168.251,(E-Mail Removed),08/22/2005,09:36:09,IAS,SERVER2003,25,311 1 192.168.168.200 08/13/2005 12:42:44 1277,4127,5,4130,Domain\David,4129,Domain\David,4154,Use Windows authentication for all users,4155,1,4128,Dlink WLAN AP: DWL-900AP+,4116,0,4108,192.168.168.251,4136,3,4142,48
192.168.168.251,(E-Mail Removed),08/22/2005,09:36:11,IAS,SERVER2003,4,192.168.168.251,5,0,30,00-80-C8-AC-59-8A,31,00-90-4B-54-05-C5,32,DWL-900AP+,12,1380,61,19,4108,192.168.168.251,4116,0,4128,Dlink WLAN AP: DWL-900AP+,4155,1,4154,Use Windows authentication for all users,25,311 1 192.168.168.200 08/13/2005 12:42:44 1278,4129,Domain\David,4130,Domain\David,4127,5,4136,1,4142,0
192.168.168.251,(E-Mail Removed),08/22/2005,09:36:11,IAS,SERVER2003,25,311 1 192.168.168.200 08/13/2005 12:42:44 1278,4127,5,4130,Domain\David,4129,Domain\David,4154,Use Windows authentication for all users,4155,1,4128,Dlink WLAN AP: DWL-900AP+,4116,0,4108,192.168.168.251,4136,3,4142,48
--- end IAS logfile ---

--- log entries Dlink WLAN AP ---
Aug/22/2005 09:49:48 Send Accounting logout message
(E-Mail Removed)l
Aug/22/2005 09:49:48 EAP-Failure 00-90-4B-54-05-C5
Aug/22/2005 09:49:43 EAP-Request/Identity
Aug/22/2005 09:49:38 EAP-Request/Identity
Aug/22/2005 09:49:33 EAP-Request/Identity
Aug/22/2005 09:49:28 EAP-Request/Identity
Aug/22/2005 09:49:23 EAP-Request/Identity
Aug/22/2005 09:49:18 EAP-Request/Identity
Aug/22/2005 09:49:13 EAP-Request/Identity
Aug/22/2005 09:49:08 EAP-Request/Identity

--- end log entries Dlink WLAN AP ---


At another customer's location I successfully implemented this using WPA & IAS
using a LinkSys 54G AP. Is there something else I need to do if I want to
use WEP instead of WPA?


thanks,

David


 
 
 
 
 
Thomas K
Guest
Posts: n/a

 
      08-22-2005, 06:01 PM
Your assumptions about dWEP should be correct if there is dot1x support :-)
Could you post a copy/paste of the error message in IAS' event viewer? Is
IAS matching the correct policy?

 
David
Guest
Posts: n/a

 
      08-25-2005, 10:24 AM
Hello,


Thanks for pointing me in the right direction. The event log entries had
the following contents:
"Reason = The connection attempt did not match any remote access policy. "
Looking on Google I found someone with a similar problem and a bit later it
was fixed.

There are however a few other questions I have.
1) In the book "Configuring Secure Wireless Access With MS Windows SBS
2003", page 10, I was told to request computer certificates. In my situation
I both requested user and computer certificates. I also read on page 8, that
I had to create an IAS policy with access method "Wireless" and user/groups
access members of domain computers. Normal I thought since in that setting
only computer certificates were selected. My IAS policy had the same
entries, thinking it was ok. Apparently that was also an issue here. After I
removed the user/groups access only by members of domain computers I
successfully authenticated. I added as user/group access the domain users
group and that also worked. After I disabled all intended purposes of the
computer certificate on a client computer I could still successfully
authenticate. Once I exported/deleted the user certificate I couldn't get
the wireless connection working. It would appear to me that I am
authenticated by user certificates, not computer certificates. Where can I
change this so computer certificates or both are required?

2) For this question I uploaded a screenshot to a website:
http://users.pandora.be/obsession2001/WERK/WifiCert.jpg
In the first window I had to choose as EAP type PEAP, SmartCard/Certificate
didn't work. Am I correct in thinking that this is because it might not be
supported by the AP?
In the 2nd window I can choose on the bottom SmartCard/Certificate or
Secured Password (EAP-MSCHAPv2) and both work. I chose SmartCard/Certificate
because I assume that's safer. On the properties window (3rd one) of that
certificate, I entered the FQDN of my local CA, and selected the certificate
of that CA. After I close all those windows and try to connect I get
prompted to accept the certificate that I allocated to OWA. This is a
self-signed cert. that I created a year or so ago using selfssl.exe because
I hadn't installed a local CA yet. Later I went back to look at the
properties and I saw in the 3rd window that the text field "connect to these
servers" has been appended with the FQDN assigned to the OWA cert. In the
list one of the OWA certs was also selected. Why is it using that
certificate, and not the one from the local root CA?


thanks,

David
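
Added example, not part of any post in this thread: a small parser for the IAS-format log from the first post, answering the question of what the fields mean and showing that the Access-Reject records already carried the reason later found in the event log. The attribute names and code meanings follow Microsoft's documentation of the IAS log format and are limited to the IDs seen in the thread; the function names are illustrative.

```python
import csv

# Six fixed fields open every IAS-format record; attribute-id,value pairs follow.
HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
          "Service-Name", "Computer-Name"]
# IDs below 256 are standard RADIUS attributes; the 41xx ones are IAS-specific.
ATTRS = {4: "NAS-IP-Address", 5: "NAS-Port", 12: "Framed-MTU", 25: "Class",
         30: "Called-Station-Id", 31: "Calling-Station-Id",
         32: "NAS-Identifier", 61: "NAS-Port-Type", 4108: "Client-IP-Address",
         4116: "Client-Vendor", 4127: "Authentication-Type",
         4128: "Client-Friendly-Name", 4129: "SAM-Account-Name",
         4130: "Fully-Qualified-User-Name", 4136: "Packet-Type",
         4142: "Reason-Code", 4149: "NP-Policy-Name",
         4154: "Proxy-Policy-Name", 4155: "Provider-Type"}
PACKET = {"1": "Access-Request", "2": "Access-Accept",
          "3": "Access-Reject", "4": "Accounting-Request"}
REASON = {"0": "success", "48": "no remote access policy matched"}

# Request and reject from the thread's log, re-joined: forum line wraps and
# the spaces they put inside numbers are removed.
SAMPLE = [
    r"192.168.168.251,(E-Mail Removed),08/22/2005,09:35:53,IAS,SERVER2003,"
    r"4,192.168.168.251,5,0,30,00-80-C8-AC-59-8A,31,00-90-4B-54-05-C5,"
    r"32,DWL-900AP+,12,1380,61,19,4108,192.168.168.251,4116,0,"
    r"4128,Dlink WLAN AP: DWL-900AP+,4155,1,"
    r"4154,Use Windows authentication for all users,"
    r"25,311 1 192.168.168.200 08/13/2005 12:42:44 1276,"
    r"4129,Domain\David,4130,Domain\David,4127,5,4136,1,4142,0",
    r"192.168.168.251,(E-Mail Removed),08/22/2005,09:35:53,IAS,SERVER2003,"
    r"25,311 1 192.168.168.200 08/13/2005 12:42:44 1276,4127,5,"
    r"4130,Domain\David,4129,Domain\David,"
    r"4154,Use Windows authentication for all users,4155,1,"
    r"4128,Dlink WLAN AP: DWL-900AP+,4116,0,4108,192.168.168.251,"
    r"4136,3,4142,48",
]

def parse_record(line):
    fields = next(csv.reader([line]))
    rec = dict(zip(HEADER, fields[:6]))
    pairs = fields[6:]
    for attr_id, value in zip(pairs[0::2], pairs[1::2]):
        rec[ATTRS.get(int(attr_id), "attr-" + attr_id)] = value
    return rec

def explain_rejects(lines):
    # One (time, user, matched remote access policy, reason) per Access-Reject.
    recs = [parse_record(l) for l in lines]
    return [(r["Record-Time"], r.get("Fully-Qualified-User-Name"),
             r.get("NP-Policy-Name"), REASON.get(r.get("Reason-Code"), "other"))
            for r in recs if PACKET.get(r.get("Packet-Type")) == "Access-Reject"]
```

For the two records above, `explain_rejects(SAMPLE)` returns one reject for `Domain\David` with reason code 48 and no `NP-Policy-Name`: the connection request policy (attribute 4154) matched, but no remote access policy did, which is the condition the event log message describes.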