#1, posted by gshaw

    RADIUS \ EAP-TLS \ Ruckus

    This is beginning to drive me nuts so hoping someone can help shed some light on the matter

    I'm trying to set up wireless laptops via RADIUS so we can have effectively the same look and feel as a desktop machine i.e. automatic logon to the domain, applying GPOs, profiles etc. Have been trying to get my head around the numerous ways of defining PEAP etc and seem to see two methods...

    - EAP-TLS... machine certificate used for authentication; the cert is auto-enrolled via Group Policy
    - PEAP-MSCHAPv2... uses the user credentials to connect (although there seems to be a Computer Account option as well)

    There also seems to be PEAP-EAP-TLS, which as far as I understand is a slightly more secure version of EAP-TLS?

    Have been trying the EAP-TLS method but not having much joy

    - created Enterprise CA
    - set up auto enrolment for clients and the NPS server as per NPS Server Certificate: Configure the Template and Autoenrollment and Deploy Client Computer Certificates
    - create a GPO for the wireless settings, used "Microsoft: Smart Card or other Certificate" as the authentication method (I believe this is EAP-TLS?)
    - set up the NPS server using the wizard, matched the Network Policy to use the same "Microsoft: Smart Card or other Certificate" authentication method
    - set up Ruckus AAA server as "RADIUS" and configured NPS with the ZoneDirector IP address and shared secret

    Logged in as Local Admin on one laptop and tried to connect to the wireless, logic being it should connect as it's authenticating as the machine doing the auth... just sits there saying "Attempting to Authenticate". On the XP SP3 laptop packets go back and forth but on the Win7 it's 0 sent \ 0 received.

    Checking the certificate store on both laptops shows the machine certificate in the Machine\Personal store and the CA cert in Machine\Trusted Root Certification Authorities.

    Annoyingly I'm seeing very little in the log files on the NPS server or on the client; it seems like you have to dig quite deep to get anything of use... time for Wireshark? Also noticed this when using machine authentication, do I really need to make these changes just to get EAP-TLS to connect? http://support.microsoft.com/kb/929847

    Any ideas for where I'm going wrong as I can't see it at the moment?
    Last edited by gshaw; 7th June 2012 at 03:59 PM.

#2
    It looks as though you've done everything right. On the NPS server you need to look in Custom Logs, not the Windows Logs (you won't see anything from NPS in there). You should see plenty of logs if you're trying to get a client to associate using Computer Authentication.

    Can you have a look in the log and post any errors you get here?

#3, posted by gshaw
    Cracked it

    A couple of changes sorted the problem...

    a) making sure 802.1X EAP was entered on authentication method on the WLAN in Ruckus (someone else set this up for me initially and left it off)
    b) re-creating the shared secret, RADIUS client etc from scratch... start with a really simple secret to make sure it works then go for a complex one later
    c) XP SP3 clients won't auto enrol their certs if you use the 2008 template when following the MS guide to duplicating templates

    Think I might leave my cert template as 2008 due to XP being removed in summer anyway...

    Thanks for the reply, knowing that the method was correct helped go back and find the simple things... I'm a happy RADIUS user now
    Last edited by gshaw; 8th June 2012 at 02:02 PM.

  4. Thanks to gshaw from:

    sparkeh (18th July 2012)
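Point b) above is worth seeing at the protocol level: when the shared secret on the ZoneDirector and on NPS differ, the server does not send an Access-Reject, it silently drops the request, which is exactly the "Attempting to Authenticate" hang with nothing useful in the logs. The script below is an added example, not code from this thread or from Ruckus or Microsoft. It builds the first Access-Request a NAS relays for EAP-TLS or PEAP (an EAP Response/Identity inside an EAP-Message attribute), protects it with the Message-Authenticator attribute (HMAC-MD5 keyed with the shared secret, as RFC 3579 requires for EAP), and then checks it the way the RADIUS server does. The secrets and the host identity are constructed values.

```python
"""Added example: why a RADIUS shared-secret mismatch looks like silence, not a reject.

Builds an Access-Request carrying an EAP Response/Identity, adds the RFC 3579
Message-Authenticator (HMAC-MD5 keyed with the shared secret) and verifies it
with the server's copy of the secret.  All secrets and names are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1               # RFC 2865 packet code
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # RFC 3579
ATTR_MESSAGE_AUTHENTICATOR = 80  # RFC 3579


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length covers the header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP Response (code 2), type 1 = Identity; Length covers the whole EAP packet."""
    return struct.pack("!BBHB", 2, eap_id, 5 + len(identity), 1) + identity


def build_access_request(secret: bytes, ident: int, user_name: bytes, eap: bytes) -> bytes:
    """Access-Request as the NAS (here, the wireless controller) would send it."""
    request_authenticator = os.urandom(16)  # RFC 2865: 16 unpredictable bytes
    attrs = _attr(ATTR_USER_NAME, user_name) + _attr(ATTR_EAP_MESSAGE, eap)
    # Message-Authenticator is computed with its own value set to 16 zero bytes.
    with_zero_mac = attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(with_zero_mac))
    mac = hmac.new(secret, header + request_authenticator + with_zero_mac, hashlib.md5).digest()
    return header + request_authenticator + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def server_accepts_request(secret: bytes, packet: bytes) -> bool:
    """Receive-side check using the *server's* copy of the shared secret.

    A request carrying EAP-Message must carry a valid Message-Authenticator;
    when the HMAC does not verify the server silently discards the packet.
    No Access-Reject goes back, so the NAS sees no reply at all.
    """
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    zeroed = bytearray(packet)      # copy with the MAC value zeroed for recomputation
    received_mac = None
    has_eap = False
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            return False
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False
        if atype == ATTR_EAP_MESSAGE:
            has_eap = True
        elif atype == ATTR_MESSAGE_AUTHENTICATOR and alen == 18:
            received_mac = packet[pos + 2:pos + 18]
            zeroed[pos + 2:pos + 18] = bytes(16)
        pos += alen
    if received_mac is None:
        return not has_eap          # EAP without Message-Authenticator is also discarded
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    return hmac.compare_digest(expected, received_mac)


def demo() -> dict:
    """Same packet checked with a matching secret, a mistyped secret, and a bit flip."""
    nas_secret = b"correct-secret"                                   # constructed value
    identity = b"host/laptop01.example.local"                        # constructed identity
    packet = build_access_request(nas_secret, 7, identity, eap_response_identity(1, identity))
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])              # one flipped bit in the MAC
    return {
        "matching_secret": server_accepts_request(nas_secret, packet),
        "mismatched_secret": server_accepts_request(b"correct-secret ", packet),  # trailing space
        "tampered_packet": server_accepts_request(nas_secret, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the same packet accepted with the matching secret and dropped for a secret that differs by a single trailing space, which is why starting with a simple secret and re-creating the RADIUS client from scratch, as above, is a sensible first step. On a real capture, a request with no reply at all points at the secret or at the RADIUS client entry (wrong source IP), whereas a certificate or policy problem produces an Access-Reject and an NPS event.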

#4
    Glad you got it sorted!

#5, posted by gshaw
    Nice way to end the week with a bit of success

    Just need to decide whether to stick with EAP-TLS or go PEAP-MSCHAP or PEAP-EAP-TLS... seeing as I have the certificates working OK I guess it's just a matter of deciding how I want the security set up (as far as I understand it)...

    - EAP-TLS... just authenticate the WLAN via machine certificate (set up and working at the moment)
    - PEAP-EAP-TLS... authenticate user and computer via certificates
    - PEAP-MSCHAPv2... basic authentication via Computer account then username \ password

    Just reading another thread on here I'm leaning towards EAP-TLS to avoid the possible Computer Account expiration issue some experienced when machines aren't used for a while. Also wondering if EAP-TLS might work better for any non-MS devices we might use in future (iPads, Android devices etc?)
    Last edited by gshaw; 8th June 2012 at 04:38 PM.

#6, posted by MYK-IT
    @gshaw

    Can you recommend any (step by step) guides in relation to getting the Windows 2008 R2 RADIUS up and running?

    Not been successful as yet (but I keep trying; much easier as I'm using a Hyper-V instance), but once set up it would be easier to authenticate our new laptops (with Ruckus) than coding the wireless keys in etc.

    Thanks,


    Update
    Managed to get it working following these 2 articles:
    http://community.spiceworks.com/how_to/show/1455
    http://forums.ruckuswireless.com/forums/8/topics/1278
    Last edited by MYK-IT; 13th June 2012 at 02:38 PM.

#7, posted by sparkeh

    Quote originally posted by gshaw:
    a) making sure 802.1X EAP was entered on authentication method on the WLAN in Ruckus (someone else set this up for me initially and left it off)
    Thanks! This post made me check this and solved the same problem for me!
    I decided to use PEAP-MSCHAPv2 and a check on whether the machine is a domain computer. Therefore all domain machines can join with no extra info supplied, but non-domain machines are rejected.
