IAS/RADIUS error on some XPsp2 clients

Guest

Running IAS on 2003 standard server on one member server and one DC to
authenticate (machine only) to a wireless network. Setup per MS
documentation. All clients are XP sp2. Using group policy to deploy 802.1X
settings to clients (first acquisition of this policy by clients is over the
wire). At random times clients are refused entry to the wireless network with
the following error:

Here is the error from both IAS servers:

Access request for user host/RO-MLR52-02.instruct.rhnet.org was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 10.12.12.146
NAS-Identifier = <not present>
Called-Station-Identifier = 00-90-0B-08-5A-88:Roth
Calling-Station-Identifier = 00-13-CE-55-92-1D
Client-Friendly-Name = Meru #2
Client-IP-Address = 10.12.12.146
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 4128
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 3
Reason = The Remote Authentication Dial-In User Service (RADIUS) request
was not properly formatted.

------------------------------

Refreshing GP over the wire and then restarting the machine fixes the
problem for a while - nothing else seems to correct the issue. I have checked
all relevant policies (wireless; network startup - wait for network, turned
off slow link detection) and can see no problem - all the clients that still
work seem to pull their policies just fine.

We've turned on logging for all of this on both the server and the client
but my untrained eyes can locate no smoking gun. I will post those if anybody
wants to see them.
 
Ron Lowe

Andy T said:
Running IAS on 2003 standard server on one member server and one DC to
authenticate (machine only) to a wireless network. Setup per MS
documentation. All clients are XP sp2. Using group policy to deploy 802.1X
settings to clients (first acquisition of this policy by clients is over the
wire). At random times clients are refused entry to the wireless network with
the following error:

Here is the error from both IAS servers:

Access request for user host/RO-MLR52-02.instruct.rhnet.org was discarded.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 10.12.12.146
NAS-Identifier = <not present>
Called-Station-Identifier = 00-90-0B-08-5A-88:Roth
Calling-Station-Identifier = 00-13-CE-55-92-1D
Client-Friendly-Name = Meru #2
Client-IP-Address = 10.12.12.146
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 4128
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 3
Reason = The Remote Authentication Dial-In User Service (RADIUS) request
was not properly formatted.

------------------------------

Refreshing GP over the wire and then restarting the machine fixes the
problem for a while - nothing else seems to correct the issue. I have checked
all relevant policies (wireless; network startup - wait for network, turned
off slow link detection) and can see no problem - all the clients that still
work seem to pull their policies just fine.

We've turned on logging for all of this on both the server and the client
but my untrained eyes can locate no smoking gun. I will post those if anybody
wants to see them.

Pure voodoo, but:

When I had "RADIUS request was not properly formatted" errors from a client,
it seemed to be down to the RADIUS server certificate not being trusted by
the client. This in turn was due to my local CA root cert not being
properly installed on the client (which it should have been, it's pushed to
the clients by group policy). I can't see why that should cause this error,
but there you are.

Try disabling the option to verify the server cert (on the client) as a test.
Then try a manual install of the Root Cert in the Trusted Root Certs store.

Also, ensure the client system time/date are correct; if it's miles off,
the cert may not be within its validity period.
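
An added example, not code from either poster: it parses IAS discard events in the layout quoted in this thread (including the wrapped Reason line) and lists, per machine account, which access points discarded its requests with Reason-Code 3. A machine that is discarded on every AP fits a client-side cause such as the certificate trust problem suggested above. The sample events and the names `parse_events` and `discards_by_client` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the IAS event quoted in this thread;
# host names, AP names and reason code 99 are made up for illustration.
SAMPLE = """\
Access request for user host/PC-A.example.test was discarded.
Client-Friendly-Name = AP-1
Reason-Code = 3
Reason = The Remote Authentication Dial-In User Service (RADIUS) request
was not properly formatted.
------------------------------
Access request for user host/PC-A.example.test was discarded.
Client-Friendly-Name = AP-2
Reason-Code = 3
Reason = The Remote Authentication Dial-In User Service (RADIUS) request
was not properly formatted.
------------------------------
Access request for user host/PC-B.example.test was discarded.
Client-Friendly-Name = AP-1
Reason-Code = 99
Reason = Placeholder text.
"""
HEADER = re.compile(r"^Access request for user (\S+) was (\w+)\.$")
FIELD = re.compile(r"^([A-Za-z][\w-]*) = (.*)$")

def parse_events(text):
    """Split IAS event text into dicts, one per 'Access request' header."""
    events, cur, last = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            cur, last = {"User": m.group(1), "Outcome": m.group(2)}, None
            events.append(cur)
        elif cur is not None and (m := FIELD.match(line)):
            last = m.group(1)
            cur[last] = m.group(2)
        elif cur is not None and last and line.strip("-"):
            # Wrapped value (the Reason text); blank and dash-only lines are skipped.
            cur[last] += " " + line
    return events

def discards_by_client(events, reason_code="3"):
    """Map each machine account to the NAS names that discarded its requests."""
    seen = defaultdict(set)
    for ev in events:
        if ev["Outcome"] == "discarded" and ev.get("Reason-Code") == reason_code:
            seen[ev["User"]].add(ev.get("Client-Friendly-Name", "?"))
    return {user: sorted(nas) for user, nas in seen.items()}
```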
 
