Wireless Networks Thread, RADIUS and IAS in Technical
  1. #46


    Radius Authentication without CA

    Hello,

    Let me first say, your document is amazing. Thank you so much for the granularity of details you presented.

    I am currently setting up IAS-2003, DD-WRTv24, WPA-Enterprise on my network and I have a couple of questions. I am stuck at the wireless clients saying "validating identity" when they are trying to join the network. I think it's because I don't have the certificates copied to the clients.

    1) How is the wireless client validating the CA? Is it doing it through the DD-WRTv24 AP? I thought it just passes the username/password. But does it really pass the information for the CA look up?

    2) Is there a way to do the IAS-Radius authentication without the certificates? I would rather not have to copy the certs to all the wireless clients that are not in the domain.

    thanks so much for the help, michael

  2. #47

    plexer
    Just change the wireless settings on your clients to not require the server certificate.

    Ben

  3. #48
    contink
    Just to add my thanks for that document, which got me through today's nightmare relatively intact.

    For anyone else in the "fun" zone a couple of quick pointers:
    1. Make sure if you're using a different VLAN on a WFS709TP that it actually has access to a port that can forward to the Radius server
    2. Make sure you don't just set the rules to allow specific PCs; you need to allow the actual users on them too! (That's the last 2 hours I wasted!)
    3. If your Radius server is on a DC it'll already have a security cert issued to it (which might sound obvious but it had me puzzled for a little bit)

    Otherwise excellent and I'll be wiki'ing some of the finer points about the netgear WLAN controller soon.. I think it's needed.

  5. #49
    dezt
    Just want to say thanks for the document that was posted a while ago. I've now managed to configure my laptop trolley with WPA and RADIUS authentication using a certificate as well. I'm well impressed at how easy it was to follow.

    Thanks again

  6. #50
    jsnetman
    I have been asked by the LEA to tighten our wireless security as we are using WEP. Followed Asok's excellent howto and everything seems to be in place. However I am receiving an authentication failed when trying to connect manually from a wireless client laptop. Below is the entry in the logs:

    User JSCHS\ajones_laptop was denied access.
    Fully-Qualified-User-Name = JSCHS\ajones_laptop
    NAS-IP-Address = 172.16.64.11
    NAS-Identifier = <not present>
    Called-Station-Identifier = 00-1A-70-A6-19-72:linksys-n
    Calling-Station-Identifier = 00-14-A5-0E-8A-38
    Client-Friendly-Name = LinkSys WAP4400N T6
    Client-IP-Address = 172.16.64.11
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 0
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 48
    Reason = The connection attempt did not match any remote access policy.

    Can anyone help please.

  7. #51
    dezt
    I've just looked at our radius server and could not find the same error you have got, but by comparing your IAS record and mine, I have the policy name listed under Authentication server when someone is granted access. At a guess I would say double check your IAS remote access policy. If need be, delete it and build a new one.

  8. #52

    Quote Originally Posted by jsnetman View Post
    I have been asked by the LEA to tighten our wireless security as we are using WEP. Followed Asok's excellent howto and everything seems to be in place. However I am receiving an authentication failed when trying to connect manually from a wireless client laptop. Below is the entry in the logs:

    User JSCHS\ajones_laptop was denied access.
    Fully-Qualified-User-Name = JSCHS\ajones_laptop
    NAS-IP-Address = 172.16.64.11
    NAS-Identifier = <not present>
    Called-Station-Identifier = 00-1A-70-A6-19-72:linksys-n
    Calling-Station-Identifier = 00-14-A5-0E-8A-38
    Client-Friendly-Name = LinkSys WAP4400N T6
    Client-IP-Address = 172.16.64.11
    NAS-Port-Type = Wireless - IEEE 802.11
    NAS-Port = 0
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = <undetermined>
    Authentication-Type = EAP
    EAP-Type = <undetermined>
    Reason-Code = 48
    Reason = The connection attempt did not match any remote access policy.

    Can anyone help please.

    Hi there,

    It seems that the policies that you have do not match the request that is sent by the clients, so it uses the default deny rule, which is to deny access.

    Make sure that your policies are correct and that they catch the user you are trying to log in. You need to make sure that they catch the computer (machine) as well as the user.

    Ash.
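
A simplified model of the evaluation described in the reply above, as an added example that is not part of the original post and is not IAS code: policies are tried in order, the first one whose conditions all match is used, and a request that matches none is denied with Reason-Code 48. The request attributes are copied from the quoted log; the group names, the machine account `LAPTOP01$` and the memberships are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    port_type: str        # NAS-Port-Type condition
    groups: frozenset     # Windows-Groups condition (any one membership matches)

def parse_entry(text):
    """Turn the 'Attribute = value' lines of an IAS event into a dict."""
    pairs = (line.split(" = ", 1) for line in text.splitlines() if " = " in line)
    return {key.strip(): value.strip() for key, value in pairs}

def evaluate(policies, request, memberships):
    """First policy whose conditions all match wins; no match is Reason-Code 48."""
    member_of = memberships.get(request["Fully-Qualified-User-Name"], frozenset())
    for policy in policies:
        if request["NAS-Port-Type"] == policy.port_type and member_of & policy.groups:
            return {"Policy-Name": policy.name, "Reason-Code": 0}
    return {"Policy-Name": "<undetermined>", "Reason-Code": 48}

# Request attributes copied from the log entry quoted in the thread.
REQUEST = parse_entry("""\
Fully-Qualified-User-Name = JSCHS\\ajones_laptop
NAS-Port-Type = Wireless - IEEE 802.11
Authentication-Type = EAP
""")

# Constructed directory data: group names and the machine account are hypothetical.
MEMBERSHIPS = {
    "JSCHS\\ajones_laptop": frozenset({"JSCHS\\Wireless Users"}),
    "JSCHS\\LAPTOP01$": frozenset({"JSCHS\\Wireless Computers"}),
}
WIRELESS = "Wireless - IEEE 802.11"
computers_only = [Policy("Wireless access", WIRELESS,
                         frozenset({"JSCHS\\Wireless Computers"}))]
both_groups = [Policy("Wireless access", WIRELESS,
                      frozenset({"JSCHS\\Wireless Computers",
                                 "JSCHS\\Wireless Users"}))]

if __name__ == "__main__":
    machine = dict(REQUEST, **{"Fully-Qualified-User-Name": "JSCHS\\LAPTOP01$"})
    print("machine, computers-only policy:", evaluate(computers_only, machine, MEMBERSHIPS))
    print("user, computers-only policy:   ", evaluate(computers_only, REQUEST, MEMBERSHIPS))
    print("user, both groups in policy:   ", evaluate(both_groups, REQUEST, MEMBERSHIPS))
```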

  9. #53
    jsnetman
    Thanks Ashok, after a bit of tinkering and a reboot of the servers all is well. But because I was stuck I do not have time to reconfig all the access points. I will have to come in one Saturday and complete the project.

  10. #54

    Thanks for the excellent documentation. I have configured my IAS Server, deployed the certificate and group policy. I have currently tested one client and the wireless hangs with a status of Validating identity.

    The wireless point I am testing is a ProCurve Wireless Access Point 10ag, I have entered the IP Address, IP Port and Radius Secret.

    On the server I get the following error;

    Event Type: Error
    Event Source: IAS
    Event Category: None
    Event ID: 16
    Date: 05/11/2008
    Time: 10:19:24
    User: N/A
    Computer: servK301
    Description:
    A RADIUS message with the Code field set to 1, which is not valid, was received on port 1646 from RADIUS client Server Cup HP Procurve. Valid values of the RADIUS Code field are documented in RFC 2865.

    For more information, see Help and Support Center at Events and Errors Message Center: Basic Search.

    Thanks in advance
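
In RFC 2865 a Code of 1 is an Access-Request, and UDP 1646 is the legacy RADIUS accounting port (1645 is its authentication counterpart), so the event above is what a server logs when authentication traffic is pointed at the accounting listener. The following added example, which is not part of the original post, decodes the RADIUS header and checks the Code against the role of the destination port; the sample packet is constructed.

```python
import struct

# Code values from RFC 2865 (authentication) and RFC 2866 (accounting).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge"}
# UDP ports a RADIUS server commonly listens on: 1812/1813 are the
# assigned pair, 1645/1646 the legacy pair.
PORT_ROLE = {1812: "authentication", 1645: "authentication",
             1813: "accounting", 1646: "accounting"}
# The only request code each kind of listener accepts from a client.
EXPECTED = {"authentication": 1, "accounting": 4}

def parse_header(packet: bytes) -> dict:
    """Decode the fixed 20-byte header: Code, Identifier, Length, Authenticator."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= 4096 or length > len(packet):
        raise ValueError(f"Length field {length} is out of range")
    return {"code": code, "name": CODES.get(code, "unknown"),
            "id": ident, "length": length, "authenticator": packet[4:20]}

def check_listener(packet: bytes, dst_port: int):
    """Return (ok, message): is this packet's Code valid for the port it hit?"""
    hdr = parse_header(packet)
    role = PORT_ROLE.get(dst_port)
    if role is None:
        return False, f"port {dst_port} is not a known RADIUS listener"
    if hdr["code"] == EXPECTED[role]:
        return True, f"{hdr['name']} on {role} port {dst_port}"
    return False, (f"{hdr['name']} (Code {hdr['code']}) sent to {role} port "
                   f"{dst_port}; that listener expects Code {EXPECTED[role]}")

# Constructed sample: an Access-Request carrying one User-Name attribute.
SAMPLE = struct.pack("!BBH", 1, 7, 30) + bytes(16) + bytes([1, 10]) + b"testuser"

if __name__ == "__main__":
    for port in (1646, 1645):
        print(port, check_listener(SAMPLE, port))
```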

  11. #55
    tomscaper
    I have been playing around with this for a while now, and am about to give up. I went through all the documentation, set up IAS and created a group policy and certificates using selfssl. I configured the wireless access point to look at the radius server, and set it to use WPA and TKIP. On the machine I want wireless to connect from, it just gets the error that it could not authenticate.
    Not sure where I could have gone wrong, or if it is the access point or some setting I have missed.

  12. #56

    plexer
    Have a look at Elektron from Periodik Labs (Elektron RADIUS Server for Wireless Security); you can download a trial of it.

    We use it for our radius server.

    Ben

  13. #57
    jsnetman
    Don't know what help this will give. I had the same sort of problem but could not determine what the problem was. Eventually I ran a Windows update, rebooted the server and magically it sprang to life. Keep fiddling, it is well worth it to secure your wireless. We had to under LEA guidelines. One thing I did do after reading an MS whitepaper on preparing AD for a radius server was enable reverse encryption of passwords at domain level and reset the user password I was testing. Someone please tell me if you do not have to enable reverse encryption, as I read somewhere else it's a slight weakening of security.

  14. #58

    Quote Originally Posted by tomscaper View Post
    I have been playing around with this for a while now, and am about to give up. I went through all the documentation, set up IAS and created a group policy and certificates using selfssl. I configured the wireless access point to look at the radius server, and set it to use WPA and TKIP. On the machine I want wireless to connect from, it just gets the error that it could not authenticate.
    Not sure where I could have gone wrong, or if it is the access point or some setting I have missed.

    Have you created the Remote Access Policies and do they contain the right groups, i.e. groups which have computers and/or users?

    Also make sure that the shared secret is correctly entered on both the AP as well as the entry in IAS.

    The following are hotfixes that I know of:

    IAS Server (2003)
    - 323538
    - 931533
    - 883659


    Windows XP wireless fixes

    - 893357
    - 917021
    - 923154

    Windows Vista

    - 932063

    Ash.
    Last edited by spc-rocket; 6th November 2008 at 03:12 PM.

  15. #59
    tomscaper
    Quote Originally Posted by ashok View Post
    Have you created the Remote Access Policies and do they contain the right groups, i.e. groups which have computers and/or users?

    Also make sure that the shared secret is correctly entered on both the AP as well as the entry in IAS.

    Ash.

    Yeah, I have the groups set up right. I have created a group called wireless and put the laptops in that group; is that all I need to do? I have checked that the shared secret is the same.
    I am just trying now to create the certificate again as I think I made a mistake last time. Other than that I can't think of anything else.

  16. #60

    Quote Originally Posted by tomscaper View Post
    Yeah, I have the groups set up right. I have created a group called wireless and put the laptops in that group; is that all I need to do? I have checked that the shared secret is the same.
    I am just trying now to create the certificate again as I think I made a mistake last time. Other than that I can't think of anything else.

    Hiya,

    Can you provide the following:

    - Is the laptop/desktop joined to the domain?
    - What is the wireless card vendor? Intel, Broadcom etc.
    - If it's a self-signed cert, have you imported it to the trusted root certification authority?

    Some screenshots of the remote access policies would also help.

    Ash.
