Trapeze radius woes

Since we came inthis morning, clients are able to connect to our WEP and unsecured wifi SSIDs, however they are unable to connect to our Radius WIFI. The only change on the network over the weekend has been windows updates installation, and I've rolled them back but still nothing.

I'm pointing my finger at Trapeze, however th contractor is pointing the finger at our network (usual IT story).

Has anyone else had any issues, or can you recmmend anything.

We don't seem to be getting any relevant enties in the certifcate server event logs, so I'm stumped.

Thank goodness for your unfortune (in the nicest possible way that phrase can ever be said).

I've had a similar thing last week and I just thought it was something I'd done and been drastically trying to sort stuff out, but our RADIUS clients are going "Nope, not going to connect" yet the basic Wifi (for iPads etc) is working perfectly and I can join school laptops to it no worries.

I was wondering whether to post, so now I'm kind of glad it's not just me (well, it might still be just me, but it's too similar to be a coincidence me thinks).

I've so far tried reissuing a new RADIUS secret to all WAPs and such, but with no joys, so I've resorted to setting up a backup WiFi system which I've given staff details to access for the time being (though I'm going round laptops still, you know how it is).

So if anyone has any further ideas, I'd be grateful to know too! :)

Quote:

---

Originally Posted by imunro01

Since we came inthis morning, clients are able to connect to our WEP and unsecured wifi SSIDs, however they are unable to connect to our Radius WIFI. The only change on the network over the weekend has been windows updates installation, and I've rolled them back but still nothing.

I'm pointing my finger at Trapeze, however th contractor is pointing the finger at our network (usual IT story).

Has anyone else had any issues, or can you recmmend anything.

We don't seem to be getting any relevant enties in the certifcate server event logs, so I'm stumped.

---

Check the expiration date on the certificate you're using for RADIUS.

Certificates snapin shows 2 sets of certs for the radius. One expires in 2014, and the other in 2017

Quote:

---

Originally Posted by imunro01

Certificates snapin shows 2 sets of certs for the radius. One expires in 2014, and the other in 2017

---

Make sure the Root CA certificate also hasn't expired. Are you using 2003 or 2008 RADIUS servers?

Quote:

---

Originally Posted by gybe78

Make sure the Root CA certificate also hasn't expired. Are you using 2003 or 2008 RADIUS servers?

---

I'm using 2008R2. I can see a few certificates have passed their expiration date, but they're WAY out, not just recently out (of course, this is probably something else I need to fix now .. but never mind).

Some laptops seem to be coming back on stream for our WiFi after the reissue of the Radius Secret (just spotted a couple of staff I know haven't / won't have added the new settings, and sure enough they're connected to the Radius with no issues)

Just to add to this thread I experienced this too on my Trapeze network and it was the certificate that had expired on my RADIUS server.

This Technet article details the fix I used.

Quote:

---

Originally Posted by Tall_Paul

Just to add to this thread I experienced this too on my Trapeze network and it was the certificate that had expired on my RADIUS server.

This Technet article details the fix I used.

---

Been having the same issue myself recently and suspected a certificate just couldn't find where it was! Will try this out this evening. Thanks!

We have a Trapeze system here (though not for much longer) and have had the problem a couple of times - this is the solution we used

----------------------------------------------------------------------------------

On the Radius server, open the IAS logs using the IAS Log Viewer utility and identify when the problem first arose. This will help to identify which certificate is causing the issue.


On the Radius server, create an MMC using the Certificates snap-in. (Note: use Certificates, not Certificate Templates or Certification Authority).
Select snap-in to manage the Computer Account, for the local computer.
Within the MMC, expand certificates (local computer), Personal, Certificates. A number of certificates will be shown.
In the expiration date column, find the certificate that is due to expire 42 days after the issue first arose. If there isn't one, look for a certificate that is due to expire 84 days after the issue first arose.
Once the offending certificate has been identified, scroll to the last column to identify the certificate template for the certificate.
If the certificate template is Subordinate Certificate Authority, do the following:

On the Radius server, open the Certification Authority MMC, usually found under administrative tools.
Under Certification Authority (Local), select the certification authority, usually called something like CA1 Wireless Access.
Right-click All Tasks, 'Renew CA certificate'. .
Follow the wizard through; Certificate services will be stopped and restarted by the wizard and the Enterprise Root Certification Authority should be automatically populated with the name of the Forest Root server.
Once complete and the services are restarted, return to the Certificates MMC created above and check that a new certificate has been issued.
If the certificate template is IAS and Radius Server Authentication, do the following:

Within the MMC created above, right-click the Certificates folder, select All Tasks, Request New Certificate, and click Next.

In the list of Certificate Types, select RAS and IAS Server Authentication then Next.

Leave the friendly name and description blank, click Next then Finish.

OK the success message.

A new Certificate with an expiry date two years from the current date will have been added to the certificate list. It is now necessary to change the RAS policy to use the new certificate.

Review the event ID 2 warnings in the System Event Viewer on the Radius server; identify the policy or policies names. Typically there may be two remote access policies, one for staff and one for students.

On the Radius server, open the Internet Authentication Service MMC, usually found in Administrative Tools.

Open the Remote Access Policies node and locate the relevant policy.

Open its Properties and select Edit Profile. On the Authentication tab, select EAP Methods.

On the Select EAP Providers window, ensure that Smart Card or other certificate is selected and select Edit. A Smart Card or Other Certificate Properties window will open.
In the 'Certificate issues to:' drop-down box there will be a number of entries that appear the same containing the FQDN of the Radius server. Each entry will relate to a different certificate on the Radius server. By selecting the different entries, the Issuer and expiration date are displayed.

Locate the newly created certificate; this should have an expiration date of two years ahead and have something like CA1 Wireless Access as the issuer, not the college name.
Select OK, OK, Apply, OK and OK to return to the IAS MMC.

Repeat this process for any other affected remote access policies.

The issue should now be resolved. Under certain circumstances it will be necessary to boot the wireless devices onto the wired network in order for them to obtain a new client certificate before they can authenticate wirelessly.

---------------------------------------------------------------

Hope this helps

Steve

We're still no further forward with this, and after having the wireless people spend half a day on the problem, and getting no-where I received the following reply:-

Quote:

---

the Juniper/Trapeze MX wireless controller is in fact communicating effectively with your Network Policy Server and that basic user authentication is taking place.

The issue with your system lies within your server farm and has manifested itself by preventing Network policy server from overruling the dial in settings on your active directory. It is also evident that the Certificate Services Web front end Is no longer running on any of your Domain Controller servers (this was set up on either DC1 or DC2 during the summer break when the school refurbishment was in progress).

The authentication issues you are experiencing appear deep rooted in your system and will require major work on the Active Directory system and domain controllers as well as work on certificates and Network Policy Servers. This issue is not with the Trapeze / Juniper controller.

---

At my wits end with it now so any input is helpful..

Quote:

---

Originally Posted by imunro01

We're still no further forward with this, and after having the wireless people spend half a day on the problem, and getting no-where I received the following reply:-



At my wits end with it now so any input is helpful..

---

Who on earth has replied back to you with that? Unless you have made those significant changes they mention I would be going mad at a 'buck passing' unhelpful reply like that.

We went home on the Friday with the WiFi working, and came in on the Monday to it no longer working. No changes have been made to AD during that time, and they sent over 6 hours trying to get it working.

After installing a new NPS server, and setting up new certificate, they left site saying it should be working but just wasn't and they would set up a test lab. Their reply a week later is the one I posted,

It's not RM is it?

Whoever it is need to be back and fixing it sharpish. You've been treated disgracefully.

It's not RM, but it would be unprofessional to name the company. I really hoping you guys can give me some pointers.

ARGH .. I'm still struggling here .. I thought I'd got it sorted as a couple of laptops were connecting, but turns out not.. ARGH..

So, I've set up a backup WiFi SSID with standard WPA2 (so I've been round putting the code in for everyone etc) but then this doesn't seem to like connecting all the time for different users, so a user has to log on who has logged on previously, which then activates the Wireless to connect and then they can log off and someone else can log on ..

I'm having one of those "I really don't want to go into work" times at the moment just because of how stressful this is.. Need to get RADIUS back up and running, but hey, that's just not happening and I can't for the life of me see why it's not working!

Does anyone know of any good how-to / step by step guides in case I'm missing something stupidly obvious?