I'll mostly agree on your assessment of ACS, though as tightly as the MS solution is connected with AD it has its own issues (while IAS may be stable, AD is problematic for many admins). Steelbelted works fine, it's simply too expensive for what it does. A far better solution is Radiator, which has a myriad of back end options and handles more vendor EAP implementations than I've seen anywhere else.
http://www.open.com.au/radiator/technical.html
IAS and AD are rock solid in my experience if they're architected and configured correctly.
Steelbelted would be fine if you're not running an AD shop and you're using something like Novell. It's half the price of Cisco ACS but that still ain't cheap compared to IAS.
Hello
We have built up a number of thin clients from old PCs that are not members of our AD domain, so that they can autologon and present to the user a logon screen to a Terminal Server. Now management has asked "Can we make them wireless?" Because IAS authentication depends on the PCs being in a domain, and autologon to a domain is not supported, I say the answer is no. Is there a way that IAS clients do not have to be members of a domain, or is there another brand of RADIUS server that can overcome this? Also, replacing our homegrown thin clients with manufactured ones is considered a last resort. Or does anyone else have another solution to this problem?
I know it is an old question but I didn't find the answer after a few searches so I wanted to get it out there / share what I found.
The server side stays the same as in this article except for the section where you write the IAS wireless policy. I had no domain members attaching, so I only put in Domain Users (vs. that AND Domain Computers). I did not test it with both since I had no clients that were domain members. If you try everything else here and it won't work, come back to this.
On an XP client, make sure you have SP3, and then the trick is disabling several things in the properties for the particular wireless connection.
Do Not:
- Authenticate as a machine
- Authenticate as a guest
- Verify the server cert (probably only if you're using a self-issued cert for this one)
- or attempt to use the local credentials
To see those you have to go several layers deep in the settings. Make sure you find and deselect all. Otherwise, if everything else is right, you should get "unknown username or password" errors in the server application logs and get tripped up (it will say you're waiting for an IP on the client, but you did not really get that far in the process).
Apples worked pretty easily / didn't require all the fuss.
Hopefully this is a decent summary:
I am following George's guide verbatim (ulti-guide ent wan security).
The APs are Cisco 1130s (ver 12.4) and the RADIUS server is Win2k3. Self-signed cert that is on the domain machines via GP.
I am a step-by-step guy and when things get out of sorts I get thrown for a loop sometimes.
Everything goes like George says, except the Excel spreadsheet config. I am not using a VLAN and I get in the CLI:
No VLANs configured in MBSSID mode. Dot11Radio0 not started
I seem to get around this through the web interface by setting GuestMode/InF settings (global SSID manager) to Single BSSID and Set Single Guest Mode SSID to 'myssid' - at that point the radios come on.
My ultimate goal is a single SSID/RADIUS config, push WZC policy to domain machines, domain users use their account to authenticate... they have the self-signed cert on the machine already. I would also like to let non-domain machines be authenticated with domain user accounts with PEAP but not have to have them install our self-signed cert - is that even possible?
First off I need to get the AP communicating with the RADIUS server. :0)
Interesting note, right-clicking on IAS in the config console brought up (Register Server in Active Directory) - it implied (in the description) that IAS wouldn't check against domain groups unless this was done. The server is 2k3 like I said, but not a DC or anything. Anyone else come across that? It still didn't help my situation... the AP keeps losing the RADIUS server (it's dead it says, then alive after another client logon attempt) and/or says auth failed...
I recommend updating your WAPs to the latest IOS.
Had the same issue with the template, so I don't use it. I have no need for a guest SSID. Nice to know that the tool is there if I ever need it, but it doesn't apply to my situation so I use my own configs.
If you are asking about non-domain computers and not installing the cert, then you may want to re-read the guide and make sure you fully grasp the concept of PEAP. Or, you can always implement LEAP - tie yourself to Cisco equipment and utilities and all the other headaches it causes!
Assuming you've verified connectivity between your WAPs and IAS server, I would guess that the IOS update would solve the problem.
I've never had any show-stopper issues with AD nor have I known anyone with any major issues with AD. This assumes that it's a clean deployment.
I was wondering how complex it will be to move from LEAP to PEAP? Ideally I would like to have them both running alongside each other for some time, as all my 1000 Windows XP SP2 clients are configured to use LEAP using the Intel PROSet utility. This will buy me some time to get them reconfigured...
My RADIUS is currently performed through a Cisco WLSE 1230 box that talks to my AD via a Cisco WinAgent. I suppose what I am asking is whether IAS will support LEAP.
Theo
I don't know what I'm missing but I just cannot get this to work. I've setup everything based on the guide but I get the following error every time:
no sg in radius-timers: ctx 0xF74B64 sg 0x0000
RADIUS/DECODE: parse response no app start;FAIL
RADIUS/DECODE: parse response; FAIL
Client xxxx.xxxx.xxxx Failed: EAP reason 1
I can ping my server and I can ping my WAP but it appears my WAP and RADIUS Server cannot talk.
Please give more context about your architecture, equipment used, how it's set up.
Did you follow my guide exactly?
I did follow the guide word for word only making changes for the naming conventions on my existing equipment.
Equipment:
Cisco 1240ag WAP (I'm configuring for Wireless G)
Server: IBM x345 running Windows SBS 2003 (Dual-Homed NIC, 1 for internal & 1 for external)
Client: Wyse V90 Thin Client (Windows XPe SP2) w/ Linksys A+G Wireless PC Card
Network: 10.x.x.x/24
First I should note that our existing server is primarily for transitional work on our new database system. The actual network in place is a VAX and our real servers won't be up for a few weeks (x2 Windows 2K3 Servers, x2 Red Hat Linux Servers). I'm doing proof of concept as we are going to deploy wireless thin clients for workstations in our warehouse.
The problem I'm having, as mentioned earlier, is that my wireless client cannot authenticate with the RADIUS server, and based on debugging for AAA my WAP is unable to contact the RADIUS server. Because of this I cannot get machine authentication to work, so I can't log in to the domain from the login window on my Wyse XP client.
Internally my server is set to 10.1.1.10/24 and my WAP is at 10.1.1.240/24. I've tried both 1812/1813 and 1645/1646 for ports to the RADIUS server and no luck (note: netstat -o does not list the ports).
The only theory I could think of is that our DSL service DHCP server is on and assigns addresses from a different subnet. But even when I statically assign an IP address on the same subnet on my wireless client it still does not.
I believe that covers the sum of the scenario.
Almost forgot! I am running AD and this is the DC and the global catalog is on this server.
What wireless supplicant (client software) are you using? XP SP2 client or some third party client?
Are you using Microsoft IAS RADIUS?
Can your AP ping your RADIUS server? Is there a firewall blocking?
Be aware that if you use an overly complex RADIUS secret with some special characters, I've seen it run in to issues. You want complex random RADIUS secrets, but you want to stick with alpha-numeric upper/lower.
Are you following my Aironet template from this tutorial?
- I am using the XP SP2 wireless client. For the most part I have avoided using the Linksys client.
- I am using Microsoft IAS RADIUS.
- Fancy that... I used a port scanner and it returns that ports 1812, 1813, 1645, 1646 are in fact closed. However, to the best of my knowledge I have disabled the firewall. I also created exceptions for the ports and they are still showing as closed.
- For testing purposes I used a very basic 5 character alpha RADIUS secret. In production I will use a complex secret based on your advice.
- I am following the Aironet template. I will note that when I use mbssid it will typically come back stating no VLANs are being used and shuts down my 2.4GHz radio. When I remove it, it works fine.
It would appear that my problem continues to be closed RADIUS ports, despite creating exceptions in the firewall and even shutting the firewall off.
*I did some more investigation and downloaded Microsoft's Port Query tool, below are the results:
UDP Port 1812 (radius service): Listening or Filtered
UDP Port 1813 (radacct service): Listening or Filtered
UDP Port 1645 (unknown service): Listening or Filtered
UDP Port 1812 (unknown service): Listening or Filtered
There was a crazy bug in some of the Aironets last year that would fail to properly draw power from 802.3af unless you actually told it what MAC address it was connected to on the Ethernet port. I don't know why they put in such a design, but the Cisco Product Manager grimaced when I asked him about that. The bug would shut down the radios and refuse to turn them on. They were going to fix this bug last I heard. Be sure you're upgrading to the latest IOS on the Aironet and that might help.
If ports are being blocked, that is an obvious problem then. But my tip on not using special characters (even if it boosts the entropy of the RADIUS secret) stands. Same thing with using special characters in WPA PSK keys, because some devices will in fact have problems. It sounds like you're having a little too much complexity, and there is always a reason for these issues; you just need to find them with good old-fashioned detective work.
If you're using a Microsoft tool to test the ports, you may be doing it in reverse. You're not trying to test the port from the server to the AP, you're trying to access those ports from the AP to the server. I'd suggest putting the AP on the same subnet just to do a sanity check and get it all working before you go for a more complex topology.
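Editor's added example (not code from the article or from anyone in this thread): the reply above makes two points that a port scanner cannot settle, because a UDP scan reports "listening or filtered" either way and says nothing about the shared secret. The only conclusive test is a real RADIUS exchange from the client side. The script below builds a PAP Access-Request per RFC 2865, sends it to the server the way a NAS would, and checks the reply's Response Authenticator with the shared secret; it also generates a secret restricted to upper/lower letters and digits, as recommended above. The server address, NAS IP, secret and credentials in the `__main__` block are placeholders, and the host you run it from must be registered as a RADIUS client on the IAS server (IAS silently discards requests from unknown clients).

```python
"""Minimal RADIUS (RFC 2865) client-side check: build a PAP Access-Request,
send it as an access point would, and verify the reply with the shared secret."""
import hashlib
import os
import secrets
import socket
import string
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
CODE_ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def new_shared_secret(length=32):
    """Random secret limited to letters and digits (no special characters)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pap_encrypt(password, secret, request_auth):
    """RFC 2865 5.2 User-Password hiding: MD5 keystream chained per 16-byte block."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(pw), 16):
        chunk = _xor(pw[i:i + 16], hashlib.md5(secret + prev).digest())
        out += chunk
        prev = chunk
    return out


def pap_decrypt(blob, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00").decode()


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, username, password, nas_ip, ident=None, request_auth=None):
    """Return (packet, identifier, request authenticator) for one Access-Request."""
    ident = secrets.randbelow(256) if ident is None else ident
    request_auth = os.urandom(16) if request_auth is None else request_auth
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, pap_encrypt(password, secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, ident, request_auth


def parse_attributes(data):
    """Split the TLV attribute section into (type, value) pairs."""
    attrs, i = [], 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server-side authenticator; used here only to construct a test reply."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(resp, secret, ident, request_auth):
    """Return the reply code if the Response Authenticator matches, else None.
    A secret mismatch on either side fails here, which is one way an AP ends
    up reporting a reply from the server that it cannot decode."""
    if len(resp) < 20:
        return None
    code, rid, length = struct.unpack("!BBH", resp[:4])
    if rid != ident or length != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return code if expected == resp[4:20] else None


def probe(server, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request from this host and classify what came back."""
    pkt, ident, request_auth = build_access_request(secret, username, password, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, port))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (filtered port, wrong port, or this host is not a registered RADIUS client)"
    code = verify_response(resp, secret, ident, request_auth)
    if code is None:
        return "reply failed authenticator check (shared secret mismatch?)"
    return {CODE_ACCESS_ACCEPT: "Access-Accept", CODE_ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholder addresses and credentials (assumed); substitute your own.
    print(probe("10.1.1.10", b"Secret123", "testuser", "testpass", "10.1.1.240"))
```

Run it from the AP's subnet (or from a host standing in for the AP). With a PEAP-only policy IAS will most likely answer a PAP request with Access-Reject, but a reject that passes the authenticator check still proves the path and the secret are right; a timeout or a failed check is the problem case the thread is chasing. Use the `probe` result, not the scanner's "listening or filtered" verdict, to decide whether the firewall is actually in the way.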
I was using the port tool from my workstation to test the server ports. I'll get my Aironet setup so I can connect without any authentication and use the port tool again to confirm the status of the ports via the Aironet connection.
Thank you for your time and effort!
It appears I have exorcised my demons. The problem was twofold:
#1 - If my default gateway is not set to the RADIUS Server the thing just does not want to fire off.
#2 - The "Windows XP Fast Logon Optimization" feature seems to have been lending to my woes. I went in and disabled it and I've been firing on all cylinders ever since.
http://support.microsoft.com/default.aspx?scid=kb;en-us;305293
That's why I mentioned not to use fast login on my PEAP guide. I thought I mentioned that in this guide too. Fast login will cause some massive headaches. It's not compatible with Cisco nor have I ever found any benefits for it either.
First off - thanks for the wonderful step-by-step article series. Just saved me a ton of heartburn.
I did find one setting for IAS that got left out here that I think most people will want.
In the Advanced tab under the Profile, you should click Add... and pick the property called Ignore-User-Dialin-Properties, and set it to TRUE.
Otherwise IAS will try to pull the settings off the "Dialin" tab on the AD account that is authenticating to your wireless, which doesn't really make sense for a non-dialin connection. Various connection problems and baffling denials may result.
Credit to http://msgoodies.blogspot.com/2004/10/msnpallowdialin-script-and-mixed-mode.html for pointing this out.
I prefer to leave that setting in - that is my way of denying wireless access to any user. It might add a little bit of headache to the troubleshooting process, but at least I have a way of dealing with wireless abusers, while still allowing them to use a wired network connection.
Great article. I used most of the info in order to set up IAS with AD integrated accounts. Everything works beautifully, however I have only one issue.
When users log on and connect to the network, they are asked to "Process their logon information for the network MYNETWORK". As simple as it sounds, for regular users it could be too much. Is there any way to get Windows to automatically process this information instead of approving the CA every time they reboot their machine?
I'm not aware of the issue you're talking about. Please be more specific.
I have RADIUS on a 2003 server talking to a 3Com wireless AP. I am using Active Directory group policy to roll out wireless settings and the client certificate to clients that need access to the wireless AP. Everything works, except every time the client reassociates with the AP a balloon pops up asking "Click here to process logon information for the network MYNETWORK". After the user clicks on it, a window pops up with the message: "The root CA for the server's certificate is: SERVERNAME. If this is the correct certificate, click OK to connect and you will not see this message again. Click Cancel to drop the connection."
As far as the certificate goes, I created a self-signed certificate on the RADIUS server and exported the public key, which I'm deploying via AD GP.
My guess is that I'm getting this message because the certificate does not come from a CA that is an Active Directory CA and therefore needs to confirm authenticity every time the user client connects.
Unfortunately, I don't have access to a server acting as Enterprise CA so it's not easy for me to test it. I wanted to confirm that this is the issue before I escalate this to our Enterprise IT group requesting a certificate from the Enterprise CA.
Thank you kindly for any suggestion you may have.
You need that self-signed cert in the Group Policy at the root for trusted certificate authorities. The instructions in this article show the exact procedure and I'm assuming you followed it. I'm not sure why you're seeing that popup since I've never seen it. Can you do a screenshot of it?
What client OS are you running? XP SP2 with latest patch (not included in automatic update)? Windows Vista?
Thank you very much. The title of your previous message turned on a light bulb in my brain. I applied the certificate Group Policy on an OU, not on the root. I was trying to be a smartass and have one GP for wireless users.
Sorry for bothering you with such an obvious solution.
Anyway, all works now like a charm.
Answer to your questions: I was using XP SP2 for client testing.
Thankyou for great article on wireless.
I made the same mistake once. You can do at OU level but it must cover the computer accounts. Those certificate policies get applied to the computer and not to the user. It has no effect on user accounts.
So, if I apply the policy at the OU level, there aren't any problems as long as I move the computers into a sub-OU under the main OU?
Structure something like:
Branch offices
- office 1
- FT employees
- PT employees
- contractors
- Computers
- managed
- unmanaged
- wireless
- office 2 (etc)
As long as the PKI policy is applied to the "Branch Offices" OU, I should be fine. Computers are moved into one of the sub-OUs (managed, unmanaged, wireless) to deploy other settings (WSUS, and other security policies).
Just make sure you don't over do the levels of OUs because it weighs down the Active Directory.
I have a question. If you add the domain computers to the user group; does this allow the PC to authenticate without a legitimate user name and password? I wouldn't want that in case of a stolen laptop or something.
If a computer is stolen, you should delete that computer from the domain. It's just like when a user account is compromised or a user leaves the company, you have to delete or disable the account.
If you fail to delete the computer off the domain, the computer will be able to connect to the network BUT it will not allow a user to log in to it and use it. If a user logs in using a non-domain user account or a domain user account that doesn't have rights to use Wireless, they won't get any network access even if the machine is able to authenticate.
I had the same error message; in my case it was that the certificate had expired and it needed to be renewed. However, this could also be if you have 'validate server certificate' on your XP client but you are not using a certificate on the clients, so just uncheck that option under authentication.
For those who are wondering about Windows Server 2008, Network Policy Server replaced IAS, but there's RADIUS Clients and Servers and as for Remote Access Policies, it's now just Policies and that there are three of the types under Policies: Connection Request Policies, Network Policies, and Health Policies. For health policies (not about RADIUS, though), you can configure System Health Validators like enabling firewall, make sure a computer's updated with latest patches from Microsoft, make sure anti-virus is enabled, etc. For choosing Wireless as a method for access, I didn't see anything when creating a new Connection Request Policy.
However, Windows Server 2008, as I know it, is in beta for right now, and I won't bother learning how to configure a RADIUS server, which I did already, so I'm still learning and beta-testing Windows Server 2008.
First of all, thanks for writing a great article. I wish I found this at the time when I needed it 8 months ago. I had to set up IAS the hard way by reading through all of MS's documents. Not an easy task. But thanks to this document, I've been able to optimize a lot of settings within IAS. I do have one problem still that this article does not touch.
I've set up wireless using certificates from our CA and a root cert on the clients. I have the clients running Windows XP SP2 and it's set to validate the server certificate each time it connects. This always works fine. The problem is that this cert validation is only one way (i.e. client to server). I'm still able to connect to my access points without a certificate on the client. I've been looking for a way to force the IAS server to check that the client has a valid cert. No luck with this yet. Maybe I'm looking in the wrong area.
The only thing I have found is that it's possible to add an object identifier to the RADIUS server. This is an attribute on the Advanced tab of "Edit Dial-in Profile". It's called Allowed-Certificate-OID. I've tried playing with this by adding all types of OID's but still can't get this working for the life of me. Does anyone know a way to do this? Your help is appreciated.
Very simple solution if you want to force client side certificates. Don't use PEAP, use EAP-TLS which requires a user certificate on the client machine. Note that user certificates have to be manually issued unless you have a Win2003 Enterprise Edition Certificate Authority.
We have a wireless network with two Cisco 1242AG APs with the users authenticating to a radius server running on Microsoft IAS. They have been able to authenticate until today. The error log in the IAS server gives an error: "check the certification revocation list." Any idea why authentication would stop?
It works, but then...it doesn't.
At first, using my old Atheros-based 5001x internal NIC with the WZC, I get auth rejects. I am capturing traffic from a SPAN on my switch, so I can see the wired traffic. The IAS server rejects my client - not sure if I am missing a setup step for the client side...then I thought the chipset may not support higher level security features...
After obtaining a card that supports 802.1X and AES (NetGear WAG511) I was able to connect to the AP and authenticate, but now I can't get an address from my DHCP server...AND I had to use the NetGear utility - the WZC doesn't authenticate according to login credentials.
I have a 2003 server running all services for this test (I wouldn't bog this server down in production, it is just for testing that I loaded all services). AD for DC, IIS, IAS, DHCP, DNS/WINS...I have a Cisco 1131AP (tried RADIUS Standard and Cisco) no worky.
When I use a plain old weak Open/WEP configuration with my AP, I can get an address from DHCP...but when I enabled advanced security (802.1X/PEAP/AES) I can auth, but no IP from DHCP...ideas?
It would be nice to use the windows WZC for this to tie in the group policy for client config...but I am obviously missing something.
-E
2600 router (on a stick)
2900xl switch
1131ap
IAS server
When I set everything to the native VLAN, it works fine. When I set an SSID to a tagged VLAN3, the authentication works, but everything thereafter fails.
I tapped the connection between the 1131ap and the 2900xl switch and ran a network analyzer. I noticed the tagged frames are Ethernet Type2. It appears that this may be causing an issue with the 2900 switch. I will try to find another switch and see what happens...anyone aware of known issues? Should I be using a particular switch/OS of any kind?
The WZC doesn't work at all for me. I can use a Netgear WAG511 with the Netgear utility, but not with the WZC...I tried everything. I can PEAP auth with TKIP using the Netgear WLAN utility, but when I try the Windows utility, I get reject messages from the IAS server. I set the WZC up as described in the article for GPO using the Windows utility (on Tech Republic)...lotta questions, sorry...I will keep plugging away.
Make sure you turn off all the proprietary Cisco extensions. Make sure you update to the latest firmware on your Cisco AP. Try using PEAP auth with WPA-TKIP mode since AES wasn't working back in 2006 when I last configured one. Turn off fast reconnect mode in the Windows Wi-Fi client.
First, thanks a lot for this George - really good stuff man. You know your stuff.
Sorry for the excessive posts...but I got this working with the windows wireless config. I had a bit of a mess with the CA and trusted root (my bad). I started over and fixed it.
I still have the VLAN tag issue though...once I obtain another switch I will see what happens.
Good on ya!
That will mess up a Cisco AP fast and I found out the hard way. Also, AES was pretty much broken on Cisco APs as of 2006, I don't know if they fixed it by now.
This is a great website! The explanation is detailed and easy to understand. But I'm using Fedora Core 2 and have installed FreeRADIUS 1.1.6. May I know where I can get guidelines/configuration like this website's for the Linux FreeRADIUS?
thank you:)
This is a lovely tech note, but it did not include configuration and importation of domain users to the RADIUS server.
femi
Look at the step where I tell it to permit all domain users and domain computers. The IAS server is attached to your Active Directory and you're redirecting authentication requests from IAS directly to the AD.
This is how it should be done and you should never try to import and replicate a user database as it becomes a maintenance headache.
Many thanks for this guide it is spot on. I do have a question though.
I have this working like a charm with access points that are on the same subnet as the RADIUS server (IAS), but as soon as I put an access point on a different subnet, clients fail to authenticate.
I have tried all the normal things from the second subnet.
- pinging the server works
- tracert shows the routing is as it should be
Any insight you have is more than welcome (hopefully it's something simple I have missed!)
Andy
The AP doesn't need to be in the same subnet as IAS, but IAS has to allow the incoming address of the AP. So if you change the IP of the AP, you're going to have to change the list of permitted APs.
The errors should show up in the IAS logs.
I think I have done that. Can you point me in the right direction as to where to look for that setting?
Yes, in IAS. I show you how to do that in this tutorial. Look at figure XX and YY; they show you exactly what you need to do to add access points to your RADIUS server ACL.
I'm not able to get this working:
C:\>netsh aaaa show config c:\IAS.txt
Failed attempting to show the aaaa configuration.
Dumps aaaa configuration info in script form.
Running IAS on Server 2003 Enterprise. Right now I only have 2 clients configured, but eventually I'll have several hundred. I need to make sure I'm able to back up and restore the configuration before I spend any more time getting it set up.
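An added example for the backup question above (not from the original thread or its author): "netsh aaaa show config" takes no file argument, so the dump goes to a file by redirection; the script below does that, checks the file is not empty, and notes the matching restore command. The backup directory is a placeholder assumption.

```batch
@echo off
rem Added example, not part of the original thread: back up the IAS
rem configuration with "netsh aaaa show config". The output file is supplied
rem by redirection, not as an extra argument, which is why netsh rejects it.
rem Assumed/placeholder backup location - change to suit.
set BACKUPDIR=C:\IASBackup
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
set BACKUP=%BACKUPDIR%\IAS-config.txt

rem Dump the whole IAS configuration as a netsh script (run as an administrator).
netsh aaaa show config > "%BACKUP%"

rem Sanity check: a zero-byte file means the dump failed (not elevated, IAS not
rem installed on this host, or the wrong netsh context).
for %%F in ("%BACKUP%") do if %%~zF EQU 0 (
    echo Backup file is empty - the IAS dump did not run.
    exit /b 1
)
echo IAS configuration written to "%BACKUP%".

rem The dump contains the RADIUS client definitions and may include their
rem shared secrets, so restrict access to the file with NTFS ACLs.
rem Restore on the same or another IAS server with:
rem     netsh exec "%BACKUP%"
```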