Windows Server 2000/2003 Thread: 802.1x Authentication With IAS (in Technical)
  1. #1


    802.1x Authentication With IAS

    I am trying to get RADIUS authentication set up on some new APs that I'm going to deploy that will host both Staff and Open Guest Wireless.

    I have 8 of the EnGenius EAP350s
    They are set up to do WPA2-Enterprise
    Radius Server Points to the IAS/Primary Domain Controller, which is a Windows 2000 Server
    Shared Secret Matches the one Set for the Client in IAS

    IAS Remote Access Policy Setup as follows

    Conditions:
    Windows Group Matches - Domain\WirelessUsers AND
    NAS-Port Type Matches "Wireless - IEEE 802.11 or Wireless-Other"
    Grant Remote Access Permission

    Profile:
    Dial In Restricted to Media Wireless- IEEE 802.11 and Wireless-Other
    Encryption: Strongest
    Authentication: PEAP - Certificate is set to the Domain Controller's Certificate (number of Retries = 2 and "allow client to change password after expired" is checked)

    I did delete the Frame-Protocol PPP under Advanced.


    User Account I am testing with is in the WirelessUsers Group and the user is allowed to Dial in to the server.


    I can connect if I manually make a wifi profile on Windows 7, change it to User Authentication and also disable Validate the Server Certificate. Both of those settings are required for it to work.
    I am pushing the Domain Controller's certificate out from group policy under Computer Configuration->Windows Settings->Security Settings->Public Key Policies->Trusted Root Certification Authority
    I also see this certificate under the wifi profile where it says Trusted Root Certification Authority on Windows 7.

    I would like it to automatically do user authentication and have the certificate either trusted or just have the pop-up (on a non-domain computer) that says connect or terminate because it could not be validated.

    However, if I try the connection automatically it says: Failed because of user account (or something like that)


    Here are the logs from my AP if I do an automatic connection (this is windows doing Multiple attempts I assume)
    May 24 15:07:01 EAP350 daemon.warn hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
    May 24 15:07:01 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: disassociated
    May 24 15:07:01 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: associated
    May 24 15:06:57 EAP350 daemon.warn hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
    May 24 15:06:57 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: disassociated
    May 24 15:06:57 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: associated
    May 24 15:06:53 EAP350 daemon.warn hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
    May 24 15:06:53 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: disassociated
    May 24 15:06:53 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: associated
    May 24 15:06:49 EAP350 daemon.warn hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
    May 24 15:06:49 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: disassociated
    May 24 15:06:49 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: disassociated
    May 24 15:06:49 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: associated
    May 24 15:06:48 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: disassociated
    May 24 15:06:48 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: associated
    May 24 15:06:35 EAP350 daemon.warn hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: could not extract EAP-Message from RADIUS message
    May 24 15:06:35 EAP350 daemon.warn hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: authentication failed - EAP type: 0 (Unknown)
    May 24 15:06:35 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: Supplicant used different EAP type: 1 (Identity)
    May 24 15:06:35 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: associated


    This is what a Successful Manual connection looks like:
    May 24 15:41:19 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 WPA: pairwise key handshake completed (RSN)
    May 24 15:41:19 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
    May 24 15:41:19 EAP350 daemon.info hostapd: ath0: STA 8c:70:5a:6f:1e:74 IEEE 802.11: associated


    Any ideas would be appreciated. I would like it to work automatically with single sign-on; obviously pushing wifi settings through GP is not an option on Windows 2000 Server. But I would also like a prompt to come up for username and password when non-domain machines connect so I can enter Domain\user and password. I tried this with a DD-WRT based router (in AP-only mode) to make sure it was not just the APs and I get the same results. I had this working at a previous job in a Windows 2003/2008 domain environment with Aruba APs.

    Thanks,
    Jason
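
A small triage script for hostapd output like the AP logs quoted in the post above, added here as an example and not part of the original thread: it groups 802.1X results per station, separates rejections logged with EAP type 0 (no method reported) from those logged under a method such as PEAP (25), and flags retry loops. The sample lines, the MAC addresses, the `year` default and the `loop_threshold` value are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample shaped like the AP log in the post (newest first, MACs invented).
SAMPLE = """\
May 24 15:41:19 EAP350 daemon.info hostapd: ath0: STA 02:00:00:00:00:02 IEEE 802.1X: authenticated - EAP type: 25 (PEAP)
May 24 15:07:01 EAP350 daemon.warn hostapd: ath0: STA 02:00:00:00:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 24 15:06:57 EAP350 daemon.warn hostapd: ath0: STA 02:00:00:00:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 24 15:06:53 EAP350 daemon.warn hostapd: ath0: STA 02:00:00:00:00:01 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
May 24 15:06:35 EAP350 daemon.warn hostapd: ath0: STA 02:00:00:00:00:01 IEEE 802.1X: could not extract EAP-Message from RADIUS message
May 24 15:06:35 EAP350 daemon.warn hostapd: ath0: STA 02:00:00:00:00:01 IEEE 802.1X: authentication failed - EAP type: 0 (Unknown)
May 24 15:06:35 EAP350 daemon.info hostapd: ath0: STA 02:00:00:00:00:01 IEEE 802.11: associated
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ \S+ hostapd: \S+ STA "
                  r"(?P<sta>[0-9a-f:]{17}) IEEE 802\.1X: (?P<msg>.*)$")
FAILED = re.compile(r"authentication failed - EAP type: (\d+)")
OK = re.compile(r"authenticated - EAP type: (\d+)")

def summarize(log_text, year=2013, loop_threshold=3):
    """Per-station 802.1X outcome summary; input lines may be in any order."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # syslog omits the year, so `year` is an assumed parameter
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["sta"], m["msg"]))
    events.sort(key=lambda e: e[0])
    out = {}
    for when, sta, msg in events:
        s = out.setdefault(sta, {"failed": Counter(), "ok": 0,
                                 "no_eap_message": 0, "first": when})
        s["last"] = when
        failed = FAILED.search(msg)
        if failed:
            s["failed"][int(failed.group(1))] += 1
        elif OK.search(msg):
            s["ok"] += 1
        elif "could not extract EAP-Message" in msg:
            s["no_eap_message"] += 1
    for s in out.values():
        # Type 0 means no EAP method was reported at rejection time.
        s["stages"] = sorted({"pre-method" if t == 0 else "in-method"
                              for t in s["failed"]})
        s["retry_loop"] = s["ok"] == 0 and sum(s["failed"].values()) >= loop_threshold
        s["span_s"] = int((s["last"] - s["first"]).total_seconds())
    return out

if __name__ == "__main__":
    for sta, s in summarize(SAMPLE).items():
        print(sta, dict(s["failed"]), s["stages"], "loop" if s["retry_loop"] else "")
```

A station that only ever shows `in-method` failures has reached the PEAP exchange, so the server-side policy and the client's certificate validation settings are the places to look rather than the shared secret.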

  2. #2

    Windows 2000 does not support everything needed for it to work.

    Solution here: 802.1x Authentication With IAS

    Thread Can Be Closed

  3. #3

    plexer
    Win7 clients on a 2000 domain? Ouch.

    Ben

  4. #4

    Public library budget, enough said.

    I'm hoping to upgrade all 4 this fiscal year though.
