#1
Hi all,

I recently added a wireless layer to our network. I decided to use Radius for authentication and security since it offered the highest level of security for the devices that will be connecting. However, if a device tries to authenticate with the server, it fails. The event viewer shows 3 events:

IAS / Information / Event 5050:

A LDAP connection with domain controller server.jarr.local for domain JARR is established.

IAS / Error / Event 5052:

There is no domain controller available for domain JARR.LOCAL.

IAS / Error / Event 3:

Access request for user JARR.LOCAL\Kingsley was discarded.
Fully-Qualified-User-Name = JARR.LOCAL\Kingsley
NAS-IP-Address = 10.0.1.5
NAS-Identifier = 0014bfd7155a
Called-Station-Identifier = 0014bfd7155a
Calling-Station-Identifier = 00092d5330c1
Client-Friendly-Name = Wireless Access Point (Linksys WRT54GS)
Client-IP-Address = 10.0.1.5
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 34
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 5
Reason = The user account domain cannot be accessed.

I've done a bit of searching around, but I cannot find any information that helps me to solve it. The IAS service is running on the actual DC

Any help that you give me would be highly appreciated,

Thanks

KJ
kj@kingj.net
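The three events quoted in the post above can be reduced to the fields that matter for triage. This is an added example, not part of the original post; the function names are illustrative and the event text is the post's own, with the attribute list shortened. It parses the Event 3 attribute list and compares the domain name carried in the request with the names in events 5050 and 5052.

```python
import re

# Event text as quoted in the first post of this thread (attribute list shortened).
EVENTS = {
    5050: "A LDAP connection with domain controller server.jarr.local "
          "for domain JARR is established.",
    5052: "There is no domain controller available for domain JARR.LOCAL.",
    3: """Access request for user JARR.LOCAL\\Kingsley was discarded.
Fully-Qualified-User-Name = JARR.LOCAL\\Kingsley
NAS-IP-Address = 10.0.1.5
Client-Friendly-Name = Wireless Access Point (Linksys WRT54GS)
NAS-Port-Type = Wireless - IEEE 802.11
Reason-Code = 5
Reason = The user account domain cannot be accessed.""",
}

ATTR = re.compile(r"^([A-Za-z][A-Za-z-]*) = (.*)$")
DOMAIN = re.compile(r"for domain (\S+?)\.?(?: |$)")

def parse_attributes(text):
    """Return the 'Name = value' lines of an IAS event as a dict."""
    return dict(m.groups() for m in map(ATTR.match, text.splitlines()) if m)

def domain_in_message(text):
    """Domain named in a 5050/5052 message, minus the sentence's full stop."""
    m = DOMAIN.search(text)
    return m.group(1) if m else None

def summarise(events):
    """Collect the fields needed to compare the three events."""
    attrs = parse_attributes(events[3])
    realm, _, user = attrs["Fully-Qualified-User-Name"].rpartition("\\")
    return {"user": user, "request_domain": realm, "nas": attrs["NAS-IP-Address"],
            "reason_code": int(attrs["Reason-Code"]),
            "ldap_ok_domain": domain_in_message(events[5050]),
            "no_dc_domain": domain_in_message(events[5052])}

def findings(s):
    """Point out where the domain names in the three events agree or differ."""
    out = []
    if s["request_domain"].upper() == s["no_dc_domain"].upper():
        out.append(f"request names {s['request_domain']!r}; 5052 found no DC for it")
    if s["ldap_ok_domain"].upper() != s["request_domain"].upper():
        out.append(f"5050 reached a DC for {s['ldap_ok_domain']!r}, a different name")
    return out

if __name__ == "__main__":
    for line in findings(summarise(EVENTS)):
        print(line)
```

The output only shows which domain name each event used; it does not by itself establish why the lookup for the second name failed.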
#2
Experiments show that this only occurs with clients running Pocket PC.
Any ideas why?
#3
Greetings,

The 5052 error usually means that there is a problem with the trust or that the IAS Server is not registered with AD. I would check these things. You might want to check out this document written for Windows 2000. Same would go for 2003.

http://www.windowsnetworking.com/kba...1xclients.html

Hope this helps,

--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts

<(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> Hi all,
>
> I recently added a wireless layer to our network. I decided to use
> Radius for authentication and security since it offered the highest
> level of security for the devices that will be connecting. However, if
> a device tries to authenticate with the server, it fails. The event
> viewer shows 3 events:
>
> IAS / Information / Event 5050:
>
> A LDAP connection with domain controller server.jarr.local for domain
> JARR is established.
>
>
> IAS / Error / Event 5052:
>
> There is no domain controller available for domain JARR.LOCAL.
>
>
> IAS / Error / Event 3:
>
> Access request for user JARR.LOCAL\Kingsley was discarded.
> Fully-Qualified-User-Name = JARR.LOCAL\Kingsley
> NAS-IP-Address = 10.0.1.5
> NAS-Identifier = 0014bfd7155a
> Called-Station-Identifier = 0014bfd7155a
> Calling-Station-Identifier = 00092d5330c1
> Client-Friendly-Name = Wireless Access Point (Linksys WRT54GS)
> Client-IP-Address = 10.0.1.5
> NAS-Port-Type = Wireless - IEEE 802.11
> NAS-Port = 34
> Proxy-Policy-Name = Use Windows authentication for all users
> Authentication-Provider = Windows
> Authentication-Server = <undetermined>
> Reason-Code = 5
> Reason = The user account domain cannot be accessed.
>
>
>
> I've done a bit of searching around, but I cannot find any information
> that helps me to solve it. The IAS service is running on the actual DC
>
> Any help that you give me would be highly appreciated,
>
> Thanks
>
> KJ
>
#4
Ok, registering the service in Active Directory (via the IAS interface) causes it to inform me that it is already registered. The server is a member of the "RAS and IAS Servers" group.

As I said, all the other computers connect fine through the new wireless setup but the pocket pc causes that error message to appear in the event log. I do get a prompt for username / password on the Pocket Pc and it is a correct username / password combination that is part of the authorised group.

Thanks for your help so far,

KJ
#5
I'm not that familiar with PocketPCs. However, if you set up your connection and use Terminal Server after you're connected, you should be able to authenticate through the term service (on the pocketPC). Once you enter the Radius credentials you should get a successful notification. Clicking OK on the term window should allow you to be logged in through Radius.

Hope this helps,

--
Louis Vitiello Jr.
------------------------------
MCSE, MCSA, MCP, A+/N+
ERCP XP Pro / Net Concepts

<(E-Mail Removed)> wrote in message news:(E-Mail Removed) oups.com...
> Ok, registering the service in Active Directory (via the IAS interface)
> causes it to inform me that it is already registered. The server is a
> member of the "RAS and IAS Servers" group.
>
> As I said, all the other computers connect fine through the new
> wireless setup but the pocket pc causes that error message to appear in
> the event log. I do get a prompt for username / password on the Pocket
> Pc and it is a correct username / password combination that is part of
> the authorised group.
>
> Thanks for your help so far,
>
> KJ
>
#6
I tried using Terminal Server to connect to the server whilst the Pocket PC was attempting to auth with the AP but I got "server could not be found" error message.

For the setup of this security, I followed the "Securing WLANs with PEAP and Passwords". It said that I needed to "install the CA certificate of your network CA into the Trusted Root CA store of all Pocket PCs that need to connect to the WLAN. To do this, you must export the certificate from the CA". The command it provided to do this was:

certutil -ca.cert rootca.cer

However, when I tried to run this, it created the following error:

CertUtil: -ca.cert command FAILED: 0x80070057 (WIN32: 87)
CertUtil: The parameter is incorrect.

In the end, I exported a certificate from the user account that is trying to log on to the WLAN with the pocket pc and installed the certificate on it.

I'm beginning to think this is why the Pocket PC isn't working with the WLAN. If I could solve the error that the certutil -ca.cert rootca.cer command causes, I might be able to get it working. But how do I fix the error?

Thanks for all your help so far,

KJ