IAS authentication for users in a trusted domain

  • Question

  • I've inherited a Windows 2003 IAS server setup from a company which has been bought by my employer.

    It's a standard setup, works seamlessly in their environment but I can't get users from our domain to authenticate against their wireless.

    There is a two-way forest trust between the two domains.

    The IAS server has been added to the RAS security group in both domains.

    The IAS server can view the trusted domain, but I get the error "The user attempted to use an authentication method that is not enabled on the matching remote access policy" event ID 2.

    I don't think it could be the client setup, as I've tried the same client machine with the normal domain credentials which works, and then exactly the same machine with the trusted domain user credentials, and it doesn't work.

    Authentication is PEAP.

    Any and all ideas/advice welcome.

    Tuesday, November 5, 2013 1:32 PM

Answers

  • Hi,

    Firstly, would you please tell us the editions of the DCs in the two domains? Based on my research, if the two forests contain only domains that consist of domain controllers running Windows Server 2003, Standard Edition, Enterprise Edition or Datacenter Edition and there is a two-way trust relationship between forests, IAS supports authentication across forests without a RADIUS proxy.

    Besides, based on my research, PEAP is not supported for VPN or other remote access clients; it can only be used as an authentication method for 802.11 wireless client computers.
    In addition, it seems that you may also encounter this kind of issue if your firmware version is old. Please make sure your firmware is the latest version.

    More information:

    Configure PEAP and EAP methods

    http://technet.microsoft.com/en-us/library/cc784383(v=ws.10).aspx

    How IAS Works

    http://technet.microsoft.com/en-us/library/cc778250(v=ws.10).aspx

    Best regards,

    Susie

    • Proposed as answer by Susie Long Wednesday, November 20, 2013 2:25 AM
    • Marked as answer by Susie Long Monday, November 25, 2013 1:40 AM
    Wednesday, November 6, 2013 6:59 AM

All replies

  • Hi Susie,

    Thanks for your response.

    To answer your questions:

    Both domains in question are running Windows Server 2003 functional levels.

    The trusted domain has Windows 2003 Enterprise DCs.

    The trusting domain (which has the IAS server in it) is running Windows 2008 R2 Enterprise DCs.

    The IAS server itself is running Windows 2003 Standard.

    The IAS server is only servicing wireless 802.11 client computers.

    All firmware is up to date.

    I've had a look through the links you posted as well as numerous other "how-tos" on the web, and the server looks like it's configured exactly as it should be to me. I'm at a bit of a loss, to be honest, and am thinking of maybe just setting up a RADIUS proxy in the trusted domain anyway.

    Wednesday, November 6, 2013 8:52 AM
  • Hi,

    Thanks for your feedback and sorry for replying so late.

    You can set up a RADIUS proxy to see if the issue persists.

    In addition, if you need further assistance, please feel free to let me know.

    Best regards,

    Susie

    Wednesday, November 13, 2013 9:54 AM