  1. #1

    maniac

    Troubleshooting a RADIUS wireless lan

    I'm currently covering for absent technical staff at one of our associated academies. Amongst other things, they are having a lot of problems with their wireless network, which the principal has asked me to look at while I'm there, as their current technical staff are a little out of their depth with the complexity of the system (by their own admission).

    The system is a RADIUS-enabled wireless network, using PEAP-MSCHAP v2 authentication and WPA encryption. It works, but it only works after a user has logged on via a cabled link; it will not let users log on wirelessly. As you can imagine this is a little bit of a problem.

    We have an engineer from the company who support the systems in the school visiting tomorrow; unfortunately this is a different company to the one that installed the system. I understand this is not the first time they have visited and so far they have been unable to get the system to work correctly. Apparently it did work up until July time when, as far as I can work out, the certificate expired on the clients, which messed the whole thing up. This part was fixed, but it's never worked properly since then according to the people I've spoken to.

    Because the support company have had more than one attempt at fixing this, I'm not holding out a lot of hope of them fixing it this time, so I'm hoping I can gather some information from fellow edugeekers to help me guide the engineer if they don't seem to be getting anywhere. I've never worked with a wireless network using 802.11x authentication before, although I do understand the principles behind it, so any helpful suggestions or comments appreciated, so I can at least help the engineer tomorrow if they are struggling.

    Many thanks,

    Mike.

  2. #2

    Hi Mike,

    Sounds like your computers are not authenticating, only your users are. i.e. your systems are not getting any network connection until a user actually logs on. This is why users who had previously logged on through the LAN can get on with their cached credentials and then access the network.

    I have had some experience in a test environment here with this, using Windows IAS as RADIUS and group policy to deploy the settings to XP SP2 clients. If you are using the same, I can probably help you.

    Could you send me some info about the setup (as far as you know), and I will dig out some of our settings.

    David

  3. Thanks to dyoung5 from:

    maniac (22nd October 2008)

  4. #3
    djdohboy
    Couple of things you could look at:

    Event viewer for the RADIUS server, looking at the IAS errors to see what info is being passed to the server and see why it's being rejected.

    Run this command at the cmd window on the RADIUS server: "netsh ras set tr * en". This will enable logging; all files will be stored in the following directory: %windir%\tracing. To disable logging use this command: "netsh ras set tr * dis". Look in the tracing folder for a log called IASSAM; this will show you how the requests are being processed.

    The other thing is, what version of Windows Server is the Certificate Authority? If it's 2003 Enterprise you can use autoenroll for the certificates.

    Hope this helps

    Any questions feel free to PM me, I've just had to rebuild a 3com managed wireless system using RADIUS and PEAP in a forest, as you can imagine I've come across a hell of a lot of problems lol, be glad to help out if I can.

  5. Thanks to djdohboy from:

    maniac (22nd October 2008)

  6. #4

    maniac
    Quote Originally Posted by dyoung5 View Post
    Sounds like your computers are not authenticating, only your users are. i.e. your systems are not getting any network connection until a user actually logs on. This is why users who had previously logged on through the LAN can get on with their cached credentials and then access the network.
    Yes, I figured as much, but I personally don't know where to look or what to change to rectify this. Incidentally it lets no one log on, even if they have logged on before, as credentials are not cached (student laptops). Staff laptops do work, as credentials are cached.


    Quote Originally Posted by dyoung5 View Post
    I have had some experience in a test environment here with this, using Windows IAS as RADIUS and group policy to deploy the settings to XP SP2 clients. If you are using the same, I can probably help you.

    Could you send me some info about the setup (as far as you know), and I will dig out some of our settings.

    David
    I'm afraid I don't know a lot more, other than the network is using RADIUS and PEAP-MSCHAP v2 and WPA encryption, and the settings are distributed through a Group Policy which is being applied correctly according to a GPresult and resultant set of policy modelling in GPMC. I'm pretty sure it is using IAS, although I've yet to discover which server is hosting this as I'm not familiar enough with the setup. It's a pretty standard W2k3 domain, 3 DCs, storage server, Exchange etc. and the servers all seem to be in good health.

    Quote Originally Posted by djdohboy
    Any questions feel free to PM me, I've just had to rebuild a 3com managed wireless system using RADIUS and PEAP in a forest, as you can imagine I've come across a hell of a lot of problems lol, be glad to help out if I can.
    Thanks for the offer, I may send you a PM tomorrow morning if you don't mind if the engineer from the support company isn't getting anywhere. Like I say, they've had at least 2 attempts at fixing this, so hopefully they'll send an engineer who actually understands 802.11x systems this time, as I understand the last two engineers weren't up to much. (Some support eh, but that's another issue entirely.) And I think the servers are all 2003 Standard edition.

    The only reason I care so much is the principal of the academy I'm covering in is also the principal of the academy I normally work in, so I think he'd be extremely pleased if I can resolve this issue for him, and as per usual, I love a challenge!

    Many thanks,

    Mike.

  7. #5
    pooley
    Are the users or the computers added to the wireless security group?

    Computers should be added to the security group that allows wireless access, not the user.

  8. #6

    I set up RADIUS with our wireless network and had similar problems to this. To rectify it I had to add the domain computers to my access rule in IAS. This then allows the machine to authenticate, and then when a user logs on it re-authenticates as a user so they can access a wider range of network resources using their credentials.

  9. #7
    contink
    IIRC, when we first set up our RADIUS server similar to yours we had to set up the wireless policy and then gpupdate every laptop while connected to the LAN using a wired link.

    This transferred the necessary certificates for the CA and allowed the WLAN to authenticate properly.

    You might want to check that the CA has been renewed properly and has recognised authority according to the laptops given what you've said above.

  10. #8

    If I were a betting man I would put my money that your wireless network has been set up following this:

    http://www.microsoft.com/downloads/d...displaylang=en

    There is a troubleshooting section in the document, have a nose through it, but I am pretty familiar with it as this is how our wireless is configured. I would look at:

    Check IAS service is running OK, are the RADIUS clients listed correctly and shared secrets match up. Check the WLAN Access groups (there are 3 on the domain) - are the machine accounts members of the correct groups... are the user accounts / groups also members of the correct groups. Have they pulled down the certificate set up for use with IAS through group policy? Is the system clock correct on the clients (if wildly out the certificate can be seen as invalid/expired) - check on the clients or GPO that they have the tick box checked to authenticate as a computer when computer information is available. Finally, have the domain controllers had the correct GPOs applied to them that are generated as part of this wireless infrastructure.

    Good luck with it.

  11. #9

    plexer
    If the machines are set up to authenticate then I don't see how having user reauthentication then gives a user access to more resources?

    To test that your RADIUS is auth correctly have a look at: Periodik Labs: Elektron RADIUS Server for Wireless Security

    Also I'd look at using the Juniper Odyssey client on your wireless devices if only to help troubleshoot, as the logging and diagnostics are a lot better than the built-in Windows supplicant.

    Ben
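
Several replies above point at the same check: whether the laptops' computer accounts, not just the users, belong to the group that the IAS access policy allows. The following is an added example, not code from any poster in this thread, that audits this with the ActiveDirectory PowerShell module; the group name and OU are hypothetical placeholders to replace with the site's own.

```powershell
# Added example: list laptop computer accounts that are NOT members of the
# group permitted by the RADIUS (IAS) remote access policy.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$WirelessGroup = 'Wireless Computers'              # hypothetical group name
$LaptopOU      = 'OU=Laptops,DC=example,DC=local'  # hypothetical OU

# Collect every computer account that is a member of the wireless group,
# directly or through a nested group (-Recursive expands nesting).
$allowed = @{}
Get-ADGroupMember -Identity $WirelessGroup -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { $allowed[$_.distinguishedName] = $true }

# Compare against every computer account in the laptop OU.
$report = Get-ADComputer -Filter * -SearchBase $LaptopOU |
    ForEach-Object {
        [pscustomobject]@{
            Computer = $_.Name
            Enabled  = $_.Enabled
            InGroup  = $allowed.ContainsKey($_.DistinguishedName)
        }
    }

# Enabled machines missing from the group cannot authenticate as a computer
# before logon, so only users with cached credentials would get onto the WLAN.
$missing = $report | Where-Object { $_.Enabled -and -not $_.InGroup }

if ($missing) {
    $missing | Sort-Object Computer | Format-Table -AutoSize
} else {
    Write-Output "All enabled computers in $LaptopOU are in '$WirelessGroup'."
}
```

An empty result only rules out group membership; the client-side setting to authenticate as a computer, the CA certificate on the laptops and the client clock mentioned in the thread still need checking separately.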
