Cisco 1200 Series AP & IAS/Radius Help on Windows 2003 - TechRepublic
Question
August 21, 2008 at 10:33 PM
sjamal

by sjamal . Updated 14 years, 11 months ago

Hello all,

I’d really appreciate some direction as I tried to set up a Cisco 1242 Series WAP as a Radius Client with 802.1x authentication on a Windows Server 2003 R2 DC running IAS/RADIUS, DNS, DHCP.

Scenario:

I have 2 machines running Windows XP Pro SP2 and a Windows Tablet portable that I need to authenticate to a Windows Server 2003 R2 DC (this is the only server in the infrastructure) via a Cisco Aironet 1242AG Wireless Access Point. These 2 tablet PCs will need to access resources on the server. The Cisco Aironet WAP does support Radius authentication. There are also some wired PCs on the network that will communicate directly via the switched network. The Aironet is also plugged into the switched network.

It seemed that we were getting close to authenticating via IAS but just would not connect to the Cisco Wireless Access point. At one time IAS was logging an error message but even the IAS errors disappeared after a while, leading me to believe that the communication between the wireless client and IAS just was not there anymore.

Steps I took following Microsoft’s 170-page PDF and a Cisco post which showed he got it working:

I went the Securing WLANs with PEAP-MSCHAPv2 route after reading most of the 170-page Microsoft PDF located at the link below.

http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en

1. The wireless clients were hardwired and promoted to the domain first so that the computer accounts were generated.

2. A Global security group called WLAN Access was created in AD.

3. The user accounts and machine accounts were added to this group.

4. The user accounts had their Active Directory Dial-In user Property set to Allow Access.

5. The Windows Server 2003 server was added to the RAS and IAS Server group in AD.

Microsoft provided an MSI package filled with scripts along with the document above that automated a lot of the process. Although the Microsoft document was based on WEP, it highly advised against going the WPA route if the clients supported WPA, which they did.

6. I installed the CA successfully using the script, set up the CA for an IAS certificate template successfully using the script, and also linked up an IAS server Certificate enrollment GPO to the domain successfully using their script.

At this point, I did not use any more of their automated scripts as I was going to set up the wireless clients manually since there were only two of them. At least I hope I didn’t have to, as I understood that when going the PEAP route, the server is the only machine that requires a certificate.

7. On the Windows 2003 R2 Standard Ed Server, I added the Cisco 1242 Aironet WAP as a Radius Client and provided the Shared Key.

8. Consoled into the Cisco Aironet 1242 WAP and configured the SSID, the Radius Server’s IP, the shared secret, etc. Config for both the Cisco 1200 Aironet:

http://tekchicago.com/Aironet1242_IASTrouble.htm

I created an HTML page here http://tekchicago.com/Aironet1242_IASTrouble.htm with most of my configuration except for the Wireless Client Setup.

Since there were only two wireless clients that needed to authenticate, I understood that I can set the wireless clients manually. I believe they had automatically picked up that it was an 802.1x setup and pre-configured themselves.

Questions:

Has anybody set up 802.1x using a Cisco Aironet 1200 series and Windows Server 2003 before and got it to work? If so, pleaaaaaaaaaaaaassssssse provide some documentation.

Since there are only two machines, should I follow the rest of Microsoft’s documentation and push out the wireless client settings using a GPO?

Based on my configs and needs, how should the wireless clients be set up?

I’ll be checking this post throughout the day and will appreciate any expertise or previous experience. Thanks a lot!

Best Regards,

Shah