
Troubleshooting IAS

Published: June 01, 2000

A common problem with IAS is that a connection attempt is rejected when it should be accepted. Unfortunately, there are a large number of causes for this problem. However, there are a variety of troubleshooting tools that you can use to determine the cause. Also included in this section is a troubleshooting checklist to help you systematically determine the cause of most authentication failures.

Troubleshooting Tools

Windows 2000 includes the following troubleshooting tools for determining the cause of a failed connection attempt:

  • Event logging

  • Microsoft Network Monitor

  • Remote access logging

Event Logging

Based on the Service tab settings on the properties of the IAS server in the Internet Authentication Service administrative tool, rejected, discarded, and successful authentication attempts can be logged in the Windows 2000 system event log. To troubleshoot IAS problems based on the events in the Windows 2000 system event log, see Appendix E.

Microsoft Network Monitor

Beyond checking basic IAS configuration, Microsoft Network Monitor can be used to capture the RADIUS packets for additional analysis. When you use Network Monitor for IAS troubleshooting, consider the following:

  • Network Monitor must be installed on a computer that is running IAS.

  • If you use Network Monitor in a switched network environment, you see only the traffic addressed to the computer that is running Network Monitor.

Network Monitor capture files of RADIUS traffic between IAS and an NAS can be saved as files and sent to Microsoft or a NAS manufacturer for analysis. For more information about installing Network Monitor and using it to capture RADIUS traffic, see Windows 2000 Server online Help.

Remote Access Logging

Based on the settings on the Settings tab of the Local File properties under Remote Access Logging in the Internet Authentication Service administrative tool, authentication requests and accounting requests can be written to the IAS log. The Local File tab shows the format, name, and location of the IAS log file. The log is a plain text file: open it in a text editor and view the entries to help determine the cause of the connection attempt failure.

Viewing the IAS log can be very useful in troubleshooting remote access policies. If you have multiple remote access policies configured, you can use the IAS log to determine the name of the remote access policy that either accepted or rejected the connection attempt.

For more information on IAS log file format, see Windows 2000 Server Help.
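The IAS-format log is comma-delimited: six fixed columns (NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name) followed by attribute-ID/value pairs. The parser below is an added example, not part of the original page or of IAS itself; it pulls out the three attributes that answer the checklist questions (4136 Packet-Type, 4142 Reason-Code, 4149 NP-Policy-Name) and reports which policy accepted or rejected each attempt. The sample log lines and the host and user names in them are constructed; the small reason-code table is a subset of the IAS reason codes and should be extended from the Windows reason-code reference for production use.

```python
import csv
from collections import namedtuple

# Attribute IDs that appear as ID/value pairs in IAS-format records.
PACKET_TYPE = "4136"   # 1 = Access-Request, 2 = Access-Accept, 3 = Access-Reject, 4 = Accounting-Request
REASON_CODE = "4142"   # why a request was accepted or rejected
POLICY_NAME = "4149"   # NP-Policy-Name: the remote access policy that matched

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}

# Subset of the IAS reason-code table (extend as needed).
REASON_CODES = {
    "0": "success",
    "7": "the specified domain does not exist",
    "8": "the specified user account does not exist",
    "16": "user credentials mismatch",
    "48": "no remote access policy matched the request",
    "65": "remote access permission denied by the user account (Deny access)",
    "66": "authentication type not allowed by the matching policy",
}

# Constructed sample: alice accepted by "VPN users", bob rejected by
# "Contractors", carol rejected before any policy matched.
SAMPLE_LOG = """\
192.168.10.5,CONTOSO\\alice,06/01/2000,09:14:02,IAS,IASSRV1,4128,NAS-Pool1,4136,1
192.168.10.5,CONTOSO\\alice,06/01/2000,09:14:02,IAS,IASSRV1,4136,2,4149,VPN users,4142,0
192.168.10.5,CONTOSO\\bob,06/01/2000,09:15:31,IAS,IASSRV1,4128,NAS-Pool1,4136,1
192.168.10.5,CONTOSO\\bob,06/01/2000,09:15:31,IAS,IASSRV1,4136,3,4149,Contractors,4142,65
192.168.10.5,carol,06/01/2000,09:16:07,IAS,IASSRV1,4136,3,4142,8
"""

Record = namedtuple("Record", "nas_ip user date time service computer attrs")


def parse_ias_line(line):
    """Split one IAS-format record into its fixed columns and an attribute dict."""
    fields = next(csv.reader([line]))
    fixed, pairs = fields[:6], fields[6:]
    if len(fixed) < 6 or len(pairs) % 2:
        raise ValueError("malformed IAS record: %r" % line)
    # Attribute IDs and values alternate after the fixed columns.
    return Record(*fixed, dict(zip(pairs[0::2], pairs[1::2])))


def summarize(lines):
    """One entry per Access-Accept/Access-Reject: who, from which NAS, which policy, and why."""
    results = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        ptype = PACKET_TYPES.get(rec.attrs.get(PACKET_TYPE), "unknown")
        if ptype not in ("Access-Accept", "Access-Reject"):
            continue   # requests and accounting records carry no decision
        code = rec.attrs.get(REASON_CODE)
        results.append({
            "user": rec.user,
            "nas": rec.nas_ip,
            "result": ptype,
            "policy": rec.attrs.get(POLICY_NAME, "<none>"),
            "reason": REASON_CODES.get(code, "reason code %s" % code),
        })
    return results


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG.splitlines()):
        print("%-16s %-14s %-12s policy=%r (%s)" %
              (r["user"], r["result"], r["nas"], r["policy"], r["reason"]))
```

Run it against a real IAS log by replacing SAMPLE_LOG with the file contents; a reject whose policy is `<none>` was turned away before any remote access policy applied (bad credentials, unknown domain, or no matching policy), while a reject that names a policy points straight at the policy conditions, permission, or profile to inspect.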

Troubleshooting Checklist

Refer to the following list when troubleshooting a failed connection attempt with IAS.

  • Are the user credentials correct?

    The user might have entered the wrong user name, domain name, or password. Check the user’s Windows 2000 user name and account password to make sure they are typed correctly and that the account is valid for the domain that IAS is authenticating the user against. IAS can only authenticate user credentials for accounts in the domain in which the IAS server computer is a member and in trusted domains.

  • Are the realm rules configured correctly?

    Realm replacement might be set up incorrectly or in the wrong order, so that after the realm replacement rules are evaluated, the domain controller cannot recognize the domain name or the user name. Verify the realm replacement rules. For more information about realm names or configuring realm replacement, see Windows 2000 Server Help.
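Realm replacement rules are find-and-replace patterns applied to the User-Name attribute one after another, in list order, each rule working on the output of the previous one. The script below is an added example (not code from the page or from IAS) that models that evaluation so a rule list can be checked offline before it is entered in the administrative tool. It assumes IAS-style back-references (`$1`) in the replacement text and a `CONTOSO` domain with a `contoso.com` realm; both are illustrative. It also assumes the page's rule for a name that ends up with no domain at all: the IAS server's own domain (or the DefaultDomain registry value) is used.

```python
import re


def ias_to_python_replacement(repl):
    """Translate an IAS-style replacement string ($1, $2 ...) into re.sub syntax."""
    repl = repl.replace("\\", "\\\\")            # keep a literal backslash (DOMAIN\user) literal
    return re.sub(r"\$(\d+)", r"\\g<\1>", repl)   # $1 -> \g<1>


def apply_realm_rules(user_name, rules):
    """Apply (find, replace) rules in order, each to the previous result; return final name and trace."""
    trace = [user_name]
    for find, replace in rules:
        user_name = re.sub(find, ias_to_python_replacement(replace), user_name, count=1)
        trace.append(user_name)
    return user_name, trace


def resolve_domain(user_name, default_domain):
    """Which domain the DC lookup will use once the rules have run."""
    if "\\" in user_name:                  # DOMAIN\user
        return user_name.split("\\", 1)[0]
    if "@" in user_name:                   # user@realm (UPN)
        return user_name.rsplit("@", 1)[1]
    return default_domain                  # nothing left: IAS falls back to its own domain


# Two illustrative rules (assumed, not from the page):
STRIP_REALM = (r"@.*$", "")                              # drop any @realm suffix
MAP_CONTOSO = (r"^(.*)@contoso\.com$", r"CONTOSO\$1")    # user@contoso.com -> CONTOSO\user


def check_order(name="alice@contoso.com", default_domain="IASSERVERDOMAIN"):
    """Show the same two rules producing different names depending on their order."""
    wrong, _ = apply_realm_rules(name, [STRIP_REALM, MAP_CONTOSO])
    right, _ = apply_realm_rules(name, [MAP_CONTOSO, STRIP_REALM])
    return {
        "wrong_order": (wrong, resolve_domain(wrong, default_domain)),
        "right_order": (right, resolve_domain(right, default_domain)),
    }


if __name__ == "__main__":
    for label, (final, domain) in check_order().items():
        print("%-12s -> %-16s authenticated against %s" % (label, final, domain))
```

With the strip rule first, the realm is gone before the mapping rule can see it, so `alice@contoso.com` reaches the domain controller as a bare `alice` in whatever domain the IAS server defaults to; with the mapping rule first the name becomes `CONTOSO\alice` and the strip rule has nothing left to match.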

  • Is the domain name correct?

    If the IAS server is a member of a domain and the User-Name attribute does not contain a domain name, the domain name of the IAS server is used. To use a domain name that is different from that of the IAS server, set the DefaultDomain registry value to the name of the domain that you want to use on the IAS server. For more information on IAS registry settings, see Appendix F.

    Some NASs automatically strip the domain name from the user name before forwarding it to a RADIUS server. Turn off the feature that strips the domain name from the user name. For more information, see your NAS documentation.

  • Are remote access policies configured correctly?

    A remote access policy might be rejecting the connection. Check the list of policies to make sure that you have not excluded users who must be granted access. Check the IAS log to see which remote access policy rejected the connection and then investigate the conditions, remote access permissions, and profile settings to determine the cause of the rejection. Make the appropriate changes to your remote access policies to accept the connection attempt.

  • Are the configured remote access policies in the right order?

    Remote access policies might be in the wrong order. Authorization is granted or denied by the first policy whose conditions match the connection attempt. Use the Move Up and Move Down buttons to manipulate policy order. More specific policies should be at the top of the list and more general policies should be at the bottom.

  • Is caller ID configured on the user account?

    If caller ID is configured on the user account, verify that the configured number matches the number from which the PPP client is calling.

  • Is the authentication method of the PPP client supported by IAS?

    The PPP client might be trying to authenticate by using an authentication method that is not supported by the IAS server. By default, IAS supports MS-CHAP v2, MS-CHAP v1, CHAP, SPAP, PAP, EAP-MD5 CHAP, and EAP-TLS. For example, the PPP client might be using an EAP type that has not been installed on the IAS server.

  • Is remote access account lockout enabled?

    If remote access account lockout is enabled, previous failed access attempts might have caused the user account to be locked out. If so, manually reset the account and increase the dial-in lockout count. For more information on remote access account lockout, see the section on Security and IAS.

  • What is the remote access permission of the user account?

    The user account might have the remote access permission set to Deny access. If the remote access permission is set to Control access through Remote Access Policy, verify that the remote access permission of the first matching remote access policy is set to Grant remote access permission.

  • Is the IAS-server computer a member of the correct domain?

    If the IAS server is not a member of a domain, it can authenticate only accounts in its own local account database. Add the IAS server to the appropriate Active Directory or Windows NT 4.0 domain.

  • Can the IAS server communicate with the NAS?

    There might be a communication problem between the IAS server and the NAS. Use the ping command to verify that IP communication can occur between the IAS server and the NAS. Verify that there are no firewalls or other types of packet filtering that are preventing the forwarding of RADIUS traffic between the IAS server and the NAS. If no RADIUS-message information appears in the IAS log, check the Windows 2000 event log to see whether the attempt times out.

  • Can the IAS server communicate with the Global Catalog server?

    There might be a communication problem between the IAS server and the Global Catalog server. The Global Catalog server is used during name cracking to resolve the user identity to a user account. Use the ping command to verify that IP communication can occur between the IAS server and the Global Catalog server. Verify that there are no firewalls or other types of packet filtering that are preventing the flow of traffic between the IAS server and the Global Catalog server.

  • Can the IAS server communicate with the domain controller?

    There might be a communication problem between the IAS server and the domain controller. The domain controller is used during user credential validation to verify that the supplied credentials match those of the user account. Use the ping command to verify that IP communication can occur between the IAS server and the domain controller. Verify that there are no firewalls or other types of packet filtering that are preventing the flow of traffic between the IAS server and the domain controller.

  • Are you using CHAP?

    If you are using CHAP, verify that the Active Directory domain of the user account is configured to store passwords using reversible encryption (the "plaintext passwords" setting), because CHAP needs the clear-text password on the server side to compute the expected response. Also, verify that the user's password has been changed after that setting was enabled: existing passwords are not converted, so an account whose password predates the setting still fails CHAP. Note that reversible encryption weakens password storage for every account it covers, so prefer MS-CHAP v2 where the NAS and client support it.

  • Are the IAS server and the NAS using an identical shared secret?

    Determine whether the IAS server and the NAS are using the same shared secret. Note that shared secrets are case-sensitive.

  • Does your NAS support non-alphanumeric characters in the shared secret?

    Some NASs do not recognize all of the characters that IAS accepts for a shared secret. You can test this by temporarily changing the shared secret to one with only alphanumeric characters.

  • Is the IAS server discarding the packets from the NAS?

    The NAS might be sending packets that do not correspond to the format expected by the IAS server. Enable the logging of rejected and discarded requests and then check the Windows 2000 system-event log to see if unexpected or malformed packets are being received. If this is the case, you might need to set some vendor-specific attributes in the matching remote access policy profile. Consult your NAS documentation to determine the types of vendor-specific attributes that need to be configured on the IAS server.

  • Is there a trust relationship between the domain of the user credential and the domain of the IAS server?

    Verify the domain of which the IAS server is a member. If the domain is correct, verify that there is a trust relationship between the domain of the user credential and the domain to which the IAS server belongs. If the domain of the user credential is in another Active Directory forest, you must configure a RADIUS proxy between the NAS and the IAS servers of each forest.

  • For a Windows 2000 domain, is the IAS-server computer account a member of the RAS and IAS Servers security group?

    In order to be able to access user account properties in a domain, the computer account of the IAS server must be a member of the RAS and IAS Servers security group of that domain. This can be assigned through the Active Directory Users and Computers administrative tool, by registering the IAS server in the Internet Authentication Service administrative tool, or by using the netsh ras add registeredserver command.

  • Are you requiring the signature attribute in each RADIUS request message?

    If Client must always send signature attribute in the request is selected in the properties of the NAS's client entry in the Internet Authentication Service administrative tool, the IAS server discards every RADIUS request message that does not carry the signature attribute (the RADIUS Message-Authenticator attribute, an HMAC-MD5 over the request keyed with the shared secret). Verify that the NAS is sending the signature attribute in each request, and that it computes it with the same shared secret; a request with a signature made under a different secret is discarded as well. EAP authentication requires this attribute regardless of the setting.
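The two shared-secret checks above (identical, case-sensitive secret; signature attribute present and valid) show up on the wire in two places: the Message-Authenticator on the request, which the IAS server verifies, and the Response Authenticator on the Access-Accept, which the NAS verifies and silently discards on mismatch. The following is an added example, not code from the page or from IAS, that builds a minimal Access-Request and Access-Accept with Python's standard library and runs both checks, so a capture taken with Network Monitor can be checked against a candidate secret offline. The secrets, user name, and NAS address are constructed; the packet layout follows RFC 2865 (Response Authenticator) and RFC 2869 (Message-Authenticator, attribute type 80).

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_MESSAGE_AUTHENTICATOR = 1, 4, 80


def _attr(attr_type, value):
    """RADIUS attribute: Type(1) Length(1, includes header) Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, user_name, nas_ip, sign=True):
    """NAS side: Access-Request with User-Name and NAS-IP-Address, optionally signed."""
    req_auth = os.urandom(16)   # Request Authenticator is random per request (RFC 2865)
    attrs = _attr(ATTR_USER_NAME, user_name.encode()) + \
            _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    if not sign:
        head = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
        return head + req_auth + attrs
    # Message-Authenticator = HMAC-MD5(secret, whole packet with its own 16-byte value zeroed)
    zero_ma = _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    head = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs) + len(zero_ma))
    mac = hmac.new(secret, head + req_auth + attrs + zero_ma, hashlib.md5).digest()
    return head + req_auth + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Yield (type, offset, value) for each attribute after the 20-byte header."""
    pos, out = 20, []
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, pos, packet[pos + 2:pos + length]))
        pos += length
    return out


def check_message_authenticator(packet, secret):
    """IAS side: 'missing', 'ok' or 'bad', the three outcomes behind the checklist items."""
    for attr_type, pos, value in parse_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return "bad"
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return "ok" if hmac.compare_digest(expected, value) else "bad"
    return "missing"


def build_access_accept(secret, request):
    """IAS side: Access-Accept whose Response Authenticator binds it to the request."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20)   # no attributes in this demo
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + request[4:20] + secret).digest()
    return head + resp_auth


def verify_response(secret, request, response):
    """NAS side: a wrong secret makes this fail, and the NAS drops the Access-Accept silently."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    good, wrong = b"S3cret!", b"s3cret!"   # constructed; differ only in case
    req = build_access_request(good, 7, "CONTOSO\\alice", "192.168.10.5")
    unsigned = build_access_request(good, 8, "CONTOSO\\alice", "192.168.10.5", sign=False)
    acc = build_access_accept(good, req)
    return {
        "sig_ok": check_message_authenticator(req, good),
        "sig_wrong_secret": check_message_authenticator(req, wrong),
        "sig_missing": check_message_authenticator(unsigned, good),
        "resp_ok": verify_response(good, req, acc),
        "resp_wrong_secret": verify_response(wrong, req, acc),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-18s %s" % (name, result))
```

To apply this to a capture, feed the raw UDP payload of the NAS's Access-Request to `check_message_authenticator` with the secret configured on the IAS server: `bad` means the two sides disagree on the secret (remember it is case-sensitive), `missing` means the NAS is not sending the attribute that the client entry requires.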

  • Is the PPP client using high encryption?

    To use high encryption (128-bit MPPE or 3-DES), the High Encryption Pack must be installed on the PPP client, the Routing and Remote Access server, and the IAS server. Additionally, the matching remote access policy profile must have the Strongest encryption type enabled.

  • Does your NAS require the Framed-Routing attribute?

    Your NAS might require framed routing. By default, the Framed-Routing attribute is not sent in the Access-Accept message.

    To enable the Framed-Routing attribute, complete the following steps:

    1. In the Internet Authentication Service administrative tool, click Remote Access Policies, and then double-click the policy that applies to the users who cannot log on.

    2. Click Edit Profile, click the Advanced tab, and then click Add.

    3. In the list of available RADIUS attributes, double-click Framed-Routing.

    4. In Attribute value, click None, and then click OK.

    5. Click OK to save changes to the profile, and then click OK to save changes to the policy.

  • Does your NAS require Van Jacobson TCP/IP header compression?

    Your NAS might require Van Jacobson TCP/IP header compression. To configure IAS to work with Van Jacobson TCP/IP header compression, complete the following steps:

    1. In the Internet Authentication Service administrative tool, click Remote Access Policies, and then double-click the policy that applies to the users who cannot log on.

    2. Click Edit Profile, click the Advanced tab, and then click Add.

    3. In the list of available RADIUS attributes, double-click Framed-Compression.

    4. In Attribute value, click Van Jacobson TCP/IP header compression, and then click OK.

    5. Click OK to save changes to the profile, and then click OK to save changes to the policy.

  • Does your NAS require the Framed-MTU attribute?

    If Framed-MTU is set on the NAS and not on IAS, users are not able to log on. Check the Framed-MTU setting on IAS, and make sure that it matches the setting on your NAS.

    To change the Framed-MTU setting, complete the following steps:

    1. In the Internet Authentication Service administrative tool, click Remote Access Policies, and then double-click the policy that applies to the users who cannot log on.

    2. Click Edit Profile, click the Advanced tab, and then click Add.

    3. In the list of available RADIUS attributes, double-click Framed-MTU.

    4. Click Attribute value, and then type the value that matches the settings for your NAS.

    5. Click OK to save changes to the profile, and then click OK to save changes to the policy.

  • Is the IAS server computer multi-homed?

    If the IAS server computer is returning the Access-Accept message using a different network adapter from the one on which the Access-Request message was received, the NAS may not recognize the message and discard it. In this case, you can add persistent static IP routes to the routing table of the IAS server computer so that the Access-Accept messages to the NAS are sent out on the same interface on which the Access-Request messages are received.

  • Are you using a RADIUS proxy?

    If a request is returned through a RADIUS proxy, the proxy might not support certain extensions that are necessary to support some features. For example:

    • If you want your users to use EAP authentication, the RADIUS proxy must support digital signatures (according to RADIUS extensions).

    • If you want your users to connect using compulsory tunnels, the RADIUS proxy must support encryption of the tunnel password.

    • If you want connections to use Microsoft Encryption, the RADIUS proxy must support encryption of MPPE keys.

    See your RADIUS proxy documentation to make sure that it supports the extensions necessary for the features that you want to use.

© 2014 Microsoft