I am deploying a new Wireless LAN with DLINK's DES1228 Managed Wireless AP
Switch and DWL 3140 Access points. The connection initiates and then fails
on authentication. This is 802.1x with WPA, EAP and AES. Certificate
services have been deployed to authenticate the machines as well as the users
and it appears that the certificates are deploying correctly. The event
viewer shows...

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 5/8/2008
Time: 11:53:16 AM
User: N/A
Computer: RAD1
Description:
User Max was denied access.
Fully-Qualified-User-Name = MyDomain.net/InformationTechnology/Maxwell J. Smart
NAS-IP-Address = 0.0.0.0
NAS-Identifier = DWL-3140_WLS_SW
Called-Station-Identifier = 00-1e-58-2c-0a-72
Calling-Station-Identifier = 00-16-6f-07-69-d5
Client-Friendly-Name = AP_8
Client-IP-Address = 10.1.0.197
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 0
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Connections to other access servers
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
Reason-Code = 23
Reason = Unexpected error. Possible error in server or client configuration.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 27 03 09 80 '..Â?

--
IAS Log Sample
0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,4108,10.1.0.195,4116,0,4128,AP_6,4154,Use Windows authentication for all users,4136,4,4142,0
0.0.0.0,max,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,4,0.0.0.0,5,0,30,00-1e-58-2c-0a-70,31,00-16-6f-07-69-d5,32,DWL-3140_WLS_SW,12,1380,61,19,4108,10.1.0.196,4116,0,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4127,5,4149,Connections to other access servers,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4136,1,4142,0
0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,25,311 1 10.1.0.28 05/08/2008 13:41:55 108,4132,Smart Card or other certificate,4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,4149,Connections to other access servers,4108,10.1.0.196,4116,0,4127,5,4155,1,4154,Use Windows authentication for all users,4129,MyDomain\Max,4136,3,4142,23
The log files for IAS show similar

This was set up using the "Secure Wireless Access Point Configuration" guide.

I found the guide for interpreting IAS logs, but just my luck, Unknown error
23 is just that - unknown (someday I hope to get a known error). This appears
to be an authentication failure; note that in the IAS log, code 4136 has the
value of 3, which is user access denied. I need to figure out why the user
access is being denied. Any help will be greatly appreciated.

Steve
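
The reading of the log in the post above (attribute 4136 carrying packet type 3) can be checked mechanically. The following is an added example, not code from the thread: it assumes the IAS-format layout of six fixed header fields followed by attribute-id,value pairs with no commas inside values, and it names only the attribute IDs it reports on.

```python
# Added example (not from the thread): parse IAS-format log records.
# Assumed layout: six fixed header fields, then attribute-id,value pairs,
# with no commas inside values (true for the records quoted in the post).
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
ATTRS = {  # only the attribute IDs this example reports on
    "4108": "Client-IP-Address", "4128": "Client-Friendly-Name",
    "4129": "SAM-Account-Name", "4132": "EAP-Friendly-Name",
    "4136": "Packet-Type", "4142": "Reason-Code",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# First and last records from the post, each re-joined onto a single line.
SAMPLE = [
    "0.0.0.0,Max,05/08/2008,09:15:13,IAS,RAD1,40,2,44,"
    "0x000000000000000000000000,4,0.0.0.0,5,0,45,1,32,DWL-3140_WLS_SW,41,0,"
    "4108,10.1.0.195,4116,0,4128,AP_6,4154,"
    "Use Windows authentication for all users,4136,4,4142,0",
    "0.0.0.0,sjha,05/08/2008,09:26:36,IAS,RAD1,4128,AP_7,"
    "25,311 1 10.1.0.28 05/08/2008 13:41:55 108,"
    "4132,Smart Card or other certificate,"
    "4130,MyDomain.net/InformationTechnology/Maxwell J. Smart,"
    "4149,Connections to other access servers,4108,10.1.0.196,4116,0,"
    "4127,5,4155,1,4154,Use Windows authentication for all users,"
    r"4129,MyDomain\Max,4136,3,4142,23",
]

def parse_record(line):
    """Split one IAS-format line into a dict keyed by attribute name."""
    fields = line.strip().split(",")
    n = len(HEADER)
    if len(fields) < n or (len(fields) - n) % 2:
        raise ValueError("not a complete IAS record (wrapped or truncated?)")
    record = dict(zip(HEADER, fields))
    for attr_id, value in zip(fields[n::2], fields[n + 1::2]):
        record[ATTRS.get(attr_id, attr_id)] = value  # unknown IDs stay numeric
    ptype = record.get("Packet-Type")
    record["Packet-Type"] = PACKET_TYPES.get(ptype, ptype)
    return record

def rejects(lines):
    """Return (time, account, AP, EAP type, reason code) per Access-Reject."""
    out = []
    for r in map(parse_record, lines):
        if r["Packet-Type"] == "Access-Reject":
            out.append((r["time"], r.get("SAM-Account-Name"),
                        r.get("Client-Friendly-Name"),
                        r.get("EAP-Friendly-Name"), r.get("Reason-Code")))
    return out
```

Records that a mail or news client has wrapped mid-line should be re-joined before parsing; a fragment with an odd field count is rejected with `ValueError`.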

Re: IAS server blues (Can't get 802.1x to work) by Meinolf

Meinolf
Fri May 09 01:58:38 PDT 2008

Hello Steve,

Did you check this one, even if the error code is different, because you
are also using certificates:
http://support.microsoft.com/kb/838502

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Reason-Code = 23
>



Re: IAS server blues (Can't get 802.1x to work) by v-mileli

v-mileli
Fri May 09 04:23:21 PDT 2008

Hello Steve,

Thanks for your post.

Reason Code 23 is a generic unexpected error that can't be sorted; we
can't get more information about the reason for the error from it.

Reason-Code = 23
SymbolicName = IASP_UNEXPECTED_EAP_ERROR
error. Possible error in server or client configuration

Possible reasons for this could be corruption in the Access Point or an
expired Certificate. Please check the certificates on IAS and clients.

To troubleshoot the issue, we usually need to spend quite some time
performing steps to find the cause of the problem, due to the complexity
on the technical side. I appreciate your understanding and cooperation
during the troubleshooting process.

If this issue is urgent, we highly recommend you contact Microsoft Product
Support Services so that a dedicated support professional can resolve the
issue for you in the most efficient way. The Public Partner Newsgroup
Support is mainly for non-urgent break fix issues where a response within
24-hours is acceptable.

http://support.microsoft.com/?LN=en-us&scid=gp%3Ben-us%3Bofferprophone&x=3&y=11

http://support.microsoft.com/common/international.aspx

For further investigation, could you please collect this information and
send it to me?

1) Network Monitor trace on the IAS server to get the EAP message:
============

Download the NetMon3.1 from the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyID=18b1d59d-f4d8-4213-8d17-2f6dde7d7aac&DisplayLang=en


2) IAS Logging:
============

Go to the IAS Server, open a command prompt and type the following command:
"netsh ras set tracing * enable" (without the quotation marks).
Repro the issue, then compress the C:\windows\debug folder and email it
to me.

3) Networking Edition MPS_Report log:
============

Download the Network Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE>,
run it on the IAS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\network\bin\cab directory.

4) Directory Edition of MPS_Report log:
============

Download the Directory Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE>,
run it on the SBS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\Setup\Lite\Cab directory.

5) Event log from client computer:
============

a. On the wireless client computer, click Start -> Run, type EVENTVWR and
click OK.
b. Right click Application event, select "Save Log File As...", save it as