Different authentication per SSID

habibalby
Level 1

Hello,

Currently I have three SSIDs, each serving its purpose: Students, Staff & Guest. I want to achieve different authentication for each SSID. Students will be able to authenticate only on the Student SSID and the same for Staff; Staff shouldn't be able to authenticate on Student and vice versa.

Is it possible with a RADIUS server to authenticate based on AD organizational units?

Any thoughts?

Thanks,

Hi Sandeep,

We are working with Hussain Al Sayed and we are at the same site.

I will post some screenshots now.

Best Regards

Ramkumar

Message was edited by: Ramkumar B

Hi,

Hussain Al Sayed, Ram Kumar & Waqas made the configuration in the IAS and only one policy is there. When one of the users who is a member of the targeted group tries to log in, it says the username and password are not valid, and IAS generates a warning as follows:

User zha10264 was denied access.

Fully-Qualified-User-Name = Domain-Name\zha10264

NAS-IP-Address = 172.16.3.3

NAS-Identifier = RCSICiscoWLC01

Called-Station-Identifier = 50-17-ff-34-7c-60:ICT

Calling-Station-Identifier = f0-7b-cb-41-5a-8c

Client-Friendly-Name = ciscowlan

Client-IP-Address = 172.16.3.3

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 13

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server =

Policy-Name =

Authentication-Type = PAP

EAP-Type =

Reason-Code = 16

Reason = Authentication was not successful because an unknown user name or incorrect password was used.

Any help?

Hi Ramkumar,

Is the shared secret the same on the switch and the IAS server?

Regards

Hi Sandeep,

It's working correctly now as per the following policy criteria, in order:

1. NAS-Port-Type Matches Wireless - IEEE 802.11 Or Wireless other

2. Called-Station-ID Matches "ICT.*" AND (which is the SSID name we are using)

3. Windows-Groups Matches "Domain-Name\SG-GroupName"

I have tested this by adding the targeted user to the SG-Group, and the user was able to authenticate if in that group; if not, an error message appears saying the username and password are not valid.

One last question I have regarding the performance of the IAS server: we are targeting 900 concurrent user sessions. Will an IAS Server 2003 with 2 GB RAM and 2.8 GHz x 2 vCPUs be enough?

What is your recommendation?

Thanks,

Hussain on behalf of Ram Kumar
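
An added example, not part of the original posts: a small Python model of the three policy conditions listed above, evaluated against attributes taken from the denied-access event earlier in the thread. It goes slightly beyond the post by anchoring the SSID pattern to the end of Called-Station-ID (`:ICT$`), so that a longer SSID name such as a hypothetical `ICT-Guest` does not match; the Students policy, its group name, and the use of `re.search` as a stand-in for IAS pattern matching are assumptions.

```python
import re

WIRELESS = {"Wireless - IEEE 802.11", "Wireless - Other"}

# Constructed policy table. Only the ICT SSID and "SG-GroupName" come from the
# thread; the Students entry and its group name are hypothetical.
POLICIES = [
    {"name": "ICT", "ssid": r":ICT$", "group": r"Domain-Name\SG-GroupName"},
    {"name": "Students", "ssid": r":Students$", "group": r"Domain-Name\SG-Students"},
]

# Constructed sample: attributes copied from the denied-access event above.
SAMPLE_EVENT = """\
NAS-Port-Type = Wireless - IEEE 802.11
Called-Station-Identifier = 50-17-ff-34-7c-60:ICT
Calling-Station-Identifier = f0-7b-cb-41-5a-8c
"""


def parse_event(text):
    """Turn 'Attribute = value' lines from an IAS event into a dict."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def ssid_matches(pattern, called_station_id):
    """Substring regex match (assumed stand-in for IAS pattern matching)."""
    return re.search(pattern, called_station_id) is not None


def evaluate(attrs, user_groups, policies=POLICIES):
    """Return the first policy whose three conditions all hold, else None (deny)."""
    groups = {g.casefold() for g in user_groups}
    for policy in policies:
        if (attrs.get("NAS-Port-Type") in WIRELESS
                and ssid_matches(policy["ssid"], attrs.get("Called-Station-Identifier", ""))
                and policy["group"].casefold() in groups):
            return policy["name"]
    return None


if __name__ == "__main__":
    event = parse_event(SAMPLE_EVENT)
    print(evaluate(event, [r"Domain-Name\SG-GroupName"]))  # member of the ICT group
    print(evaluate(event, [r"Domain-Name\SG-Students"]))   # wrong group for this SSID
```
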

Thanks for your reply. I think this is a good article, as I'm not running IAS on a domain controller:

the domain controller or the computer that contains the global catalog, verify that you have an efficient domain and site topology.

Use the MaxConcurrentApi registry entry (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters) to increase the number of multiplexed connections to the domain controller.

Typically you would want to bring up another IAS server and point the WLC to both... If you have two WLCs, this allows you to point WLC1 to Radius1 and Radius2 for backup and WLC2 to Radius2 for primary and Radius1 for backup. The 2GB of RAM is questionable, as in the past I have seen a minimum of 8 in production networks, but I'm not a server guy.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

Can you export the IAS configuration and send it to me by PM? Just click on the IAS server in the configuration page and click export. This way I can tweak your policy and send it back.

-Scott

Hi Scott,

I tried to send you a PM with an attachment yesterday, but PM doesn't have attachment options.

Will this file be okay for you?

netsh aaaa show config >C:\IASConfig.txt

Send me a PM with your email and I will reply back.

-Scott

Hi Scott,

I have just sent you a PM.

Thanks,

Just replied back :)

-Scott