
Posted

I'm currently covering for absent technical staff at one of our associated academies. Amongst other things, they are having a lot of problems with their wireless network, which the principal has asked me to look at while I'm there, as their current technical staff are a little out of their depth with the complexity of the system (by their own admission).

 

The system is a RADIUS-enabled wireless network, using PEAP-MSCHAP v2 authentication and WPA encryption. It works, but it only works after a user has logged on via a cabled link; it will not let users log on wirelessly. As you can imagine this is a little bit of a problem.

 

We have an engineer from the company who support the systems in the school visiting tomorrow; unfortunately this is a different company to the one that installed the system. I understand this is not the first time they have visited, and so far they have been unable to get the system to work correctly. Apparently it did work up until July, when, as far as I can work out, the certificate expired on the clients, which messed the whole thing up. This part was fixed, but it's never worked properly since then, according to the people I've spoken to.

 

Because the support company has had more than one attempt at fixing this, I'm not holding out a lot of hope of them fixing it this time, so I'm hoping I can gather some information from fellow edugeekers to help me guide the engineer if they don't seem to be getting anywhere. I've never worked with a wireless network using 802.11x authentication before, although I do understand the principles behind it, so any helpful suggestions or comments are appreciated, so I can at least help the engineer tomorrow if they are struggling.

 

Many thanks,

 

Mike.

Posted

Hi Mike,

 

Sounds like your computers are not authenticating, only your users are. i.e. your systems are not getting any network connection until a user actually logs on. This is why users who had previously logged on through the LAN can get on with their cached credentials and then access the network.

 

I have had some experience in a test environment here with this, using Windows IAS as RADIUS and group policy to deploy the settings to XP SP2 clients. If you are using the same, I can probably help you.

 

Could you send me some info about the setup (as far as you know), and I will dig out some of our settings.

 

David

  • Thanks 1
Posted

A couple of things you could look at:

 

Event Viewer on the RADIUS server: look at the IAS errors to see what info is being passed to the server and why it's being rejected.

 

Run this command in a cmd window on the RADIUS server: "netsh ras set tr * en". This will enable logging; all files will be stored in the following directory: %windir%\tracing. To disable logging use this command: "netsh ras set tr * dis". Look in the tracing folder for a log called IASSAM; this will show you how the requests are being processed.

 

The other thing is, what version of Windows Server is the certificate authority? If it's 2003 Enterprise you can use autoenrollment for the certificates.

 

Hope this helps :)

 

Any questions, feel free to PM me. I've just had to rebuild a 3Com managed wireless system using RADIUS and PEAP in a forest; as you can imagine I've come across a hell of a lot of problems, lol. Be glad to help out if I can.

  • Thanks 1
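The post above points at the IAS event log and the tracing output to see why requests are rejected. The following is an added example, not code from the thread: a small parser for IAS-format log lines that splits the requests into machine-account and user-account attempts and tallies the outcome of each, which answers the question the thread keeps circling (are the computers being rejected while the users are accepted?). The sample log lines are constructed for the example, and the attribute-ID mapping (4129 SAM-Account-Name, 4136 Packet-Type, 4142 Reason-Code) and the reason-code meanings are assumptions to verify against the IAS documentation for your server version.

```python
"""Added example: classify IAS-format RADIUS log records by machine vs user identity.

Assumed IAS-format layout (verify against your own logs):
  NAS-IP-Address, User-Name, Record-Date, Record-Time, Service-Name, Computer-Name,
  then attribute-ID/value pairs.
"""
import csv
from collections import Counter

# Assumed attribute IDs and code meanings; check the IAS reference for your version.
ATTR_SAM_ACCOUNT = "4129"
ATTR_PACKET_TYPE = "4136"
ATTR_REASON_CODE = "4142"
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "11": "Access-Challenge"}
REASON = {"0": "success", "16": "credential mismatch",
          "48": "no matching remote access policy", "66": "auth method not enabled on policy"}

# Constructed sample: one machine attempt rejected by policy, one user attempt accepted.
SAMPLE_LOG = """\
10.1.0.5,host/LAPTOP01.school.local,10/08/2007,08:15:01,IAS,DC1,4128,WLAN-Controller,4129,SCHOOL\\LAPTOP01$,4136,1
10.1.0.5,host/LAPTOP01.school.local,10/08/2007,08:15:01,IAS,DC1,4128,WLAN-Controller,4129,SCHOOL\\LAPTOP01$,4136,3,4142,48
10.1.0.5,SCHOOL\\jsmith,10/08/2007,08:16:22,IAS,DC1,4128,WLAN-Controller,4129,SCHOOL\\jsmith,4136,1
10.1.0.5,SCHOOL\\jsmith,10/08/2007,08:16:22,IAS,DC1,4128,WLAN-Controller,4129,SCHOOL\\jsmith,4136,11
10.1.0.5,SCHOOL\\jsmith,10/08/2007,08:16:23,IAS,DC1,4128,WLAN-Controller,4129,SCHOOL\\jsmith,4136,2,4142,0,4149,Wireless Access
"""


def parse_line(line):
    """Split one IAS-format record into fixed fields plus an attribute dict."""
    fields = next(csv.reader([line]))
    if len(fields) < 6:
        raise ValueError("not an IAS-format record: %r" % line)
    rec = {"nas_ip": fields[0], "user_name": fields[1], "date": fields[2],
           "time": fields[3], "service": fields[4], "computer": fields[5], "attrs": {}}
    pairs = fields[6:]
    for i in range(0, len(pairs) - 1, 2):      # trailing odd value is ignored
        rec["attrs"][pairs[i]] = pairs[i + 1]
    return rec


def is_machine_account(rec):
    """Machine auth shows up as host/<fqdn> in User-Name and a $-suffixed SAM name."""
    sam = rec["attrs"].get(ATTR_SAM_ACCOUNT, "")
    return rec["user_name"].lower().startswith("host/") or sam.endswith("$")


def summarize(log_text):
    """Count (packet type, reason code) per identity kind: 'machine' or 'user'."""
    summary = {"machine": Counter(), "user": Counter()}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = "machine" if is_machine_account(rec) else "user"
        ptype = PACKET_TYPE.get(rec["attrs"].get(ATTR_PACKET_TYPE), "unknown")
        code = rec["attrs"].get(ATTR_REASON_CODE)
        summary[kind][(ptype, code)] += 1
    return summary


def diagnose(summary):
    """Turn the tally into the conclusion the thread reaches, if the pattern fits."""
    machine, user = summary["machine"], summary["user"]
    if machine[("Access-Reject", "48")] and user[("Access-Accept", "0")]:
        return ("machine accounts rejected for lack of a matching policy while users are "
                "accepted: add the computer accounts (e.g. Domain Computers) to the "
                "policy's Windows-Groups condition")
    if not machine and user:
        return ("no machine authentication attempts seen: check that 'authenticate as "
                "computer when computer information is available' is set on the clients")
    return "no clear machine/user split; read the individual reason codes"


def report(log_text):
    """Human-readable summary for the whole log."""
    summary = summarize(log_text)
    lines = []
    for kind in ("machine", "user"):
        for (ptype, code), n in sorted(summary[kind].items(), key=str):
            reason = "" if code is None else " (%s)" % REASON.get(code, "reason code " + code)
            lines.append("%-8s %-17s%s x%d" % (kind, ptype, reason, n))
    lines.append("diagnosis: " + diagnose(summary))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real IAS-format log by reading the file and passing its text to `report()`; the value of the split is that a string of `Access-Reject` records for `host/...` identities with users accepted is a policy problem, not a credential or certificate problem, which is exactly the distinction the engineer needs before touching anything.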
Posted
Sounds like your computers are not authenticating, only your users are. i.e. your systems are not getting any network connection until a user actually logs on. This is why users who had previously logged on through the LAN can get on with their cached credentials and then access the network.

 

Yes, I figured as much, but I personally don't know where to look or what to change to rectify this. Incidentally, it lets no one log on, even if they have logged on before, as credentials are not cached (student laptops); staff laptops do work, as credentials are cached.

 

 

I have had some experience in a test environment here with this, using Windows IAS as RADIUS and group policy to deploy the settings to XP SP2 clients. If you are using the same, I can probably help you.

 

Could you send me some info about the setup (as far as you know), and I will dig out some of our settings.

 

David

 

I'm afraid I don't know a lot more, other than that the network is using RADIUS, PEAP-MSCHAP v2 and WPA encryption, and the settings are distributed through a Group Policy which is being applied correctly according to a GPResult and Resultant Set of Policy modelling in GPMC. I'm pretty sure it is using IAS, although I've yet to discover which server is hosting this as I'm not familiar enough with the setup. It's a pretty standard W2k3 domain: 3 DCs, storage server, Exchange etc., and the servers all seem to be in good health.

 

Any questions, feel free to PM me. I've just had to rebuild a 3Com managed wireless system using RADIUS and PEAP in a forest; as you can imagine I've come across a hell of a lot of problems, lol. Be glad to help out if I can.

 

Thanks for the offer; I may send you a PM tomorrow morning, if you don't mind, if the engineer from the support company isn't getting anywhere. Like I say, they've had at least 2 attempts at fixing this, so hopefully they'll send an engineer who actually understands 802.11x systems this time, as I understand the last two engineers weren't up to much. (Some support, eh, but that's another issue entirely.) And I think the servers are all 2003 Standard edition.

 

The only reason I care so much is that the principal of the academy I'm covering in is also the principal of the academy I normally work in, so I think he'd be extremely pleased if I can resolve this issue for him, and, as per usual, I love a challenge!

 

Many thanks,

 

Mike.

Posted

Are the users or the computers added to the wireless security group?

 

Computers should be added to the security group that allows wireless access, not the users.

Posted
I set up RADIUS with our wireless network and had similar problems to this. To rectify it I had to add the domain computers to my access rule in IAS. This then allows the machine to authenticate, and then when a user logs on it re-authenticates as a user so they can access a wider range of network resources using their credentials.
Posted

IIRC, when we first set up our RADIUS server similar to yours, we had to set up the wireless policy and then gpupdate every laptop while connected to the LAN using a wired link.

 

This transferred the necessary certificates for the CA and allowed the WLAN to authenticate properly.

 

You might want to check that the CA has been renewed properly and has recognised authority according to the laptops given what you've said above.

Posted

If I were a betting man I would put my money on your wireless network having been set up following this:

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en

 

There is a troubleshooting section in the document; have a nose through it. I am pretty familiar with it as this is how our wireless is configured. I would look at:

 

Check the IAS service is running OK; are the RADIUS clients listed correctly and do the shared secrets match up? Check the WLAN access groups (there are 3 on the domain): are the machine accounts members of the correct groups, and are the user accounts/groups also members of the correct groups? Have they pulled down the certificate set up for use with IAS through group policy? Is the system clock correct on the clients (if wildly out, the certificate can be seen as invalid/expired)? Check on the clients or in the GPO that they have the tick box checked to authenticate as a computer when computer information is available. Finally, have the domain controllers had the correct GPOs applied to them that are generated as part of this wireless infrastructure?

 

Good luck with it.
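The checklist above mixes three different failure points: the client refusing the server certificate (not trusted, expired, or a wrong clock), the IAS policy not matching the machine account, and the logon itself failing because no domain controller is reachable over wireless before a user has logged on. To make the order in which these bite clear, here is an added example that is not from the thread or the Microsoft document: a deliberately simplified model of the 802.1X sequence (machine authentication at boot, Windows logon, user authentication), with the policy reduced to a Windows-Groups condition and an EAP type. The group names, identities, certificate dates and reason codes (48 = no policy match, 66 = EAP type not enabled) are constructed assumptions for the example; real IAS checks more than this.

```python
"""Added example: toy model of the PEAP/802.1X sequence the checklist is testing."""
from datetime import datetime

# Assumed reason-code meanings; verify against your server's IAS reason-code table.
REASON = {0: "success", 48: "no matching remote access policy", 66: "auth method not enabled on policy"}


def evaluate(policy, identity_groups, eap_type="PEAP-MSCHAPv2"):
    """Toy IAS policy evaluation: Windows-Groups condition first, then EAP type."""
    if not set(policy["windows_groups"]) & set(identity_groups):
        return "Access-Reject", 48
    if eap_type not in policy["eap_types"]:
        return "Access-Reject", 66
    return "Access-Accept", 0


def supplicant_trusts_server(cert, client_clock, trusted_roots):
    """PEAP phase 1: the client validates the IAS server certificate before it sends
    MSCHAPv2 credentials inside the TLS tunnel. Returns None when the check passes."""
    if cert["issuer"] not in trusted_roots:
        return "issuing CA not in client's trusted roots (certificate not pulled down via GPO?)"
    if not (cert["not_before"] <= client_clock <= cert["not_after"]):
        return "server certificate outside its validity period at the client's clock (expired, or clock wrong)"
    return None


def connect(client, policy, cert, user=None):
    """Walk the sequence: machine auth at boot (if enabled), logon, then user auth.
    Returns a list of (step, result, detail) tuples."""
    steps = []
    if client["authenticate_as_computer"]:
        err = supplicant_trusts_server(cert, client["clock"], client["trusted_roots"])
        if err:
            steps.append(("machine auth", "EAP-Failure", err))
        else:
            decision, code = evaluate(policy, client["machine_groups"])
            steps.append(("machine auth", decision, REASON[code]))
    else:
        steps.append(("machine auth", "skipped", "'authenticate as computer' not set"))
    network_before_logon = steps[-1][1] == "Access-Accept"
    if user is None:
        return steps
    # Without a network at the logon screen, only cached credentials can log the user on.
    if network_before_logon:
        steps.append(("logon", "ok", "domain controller reachable over wireless"))
    elif user["name"] in client["cached_credentials"]:
        steps.append(("logon", "ok", "cached credentials (no network yet)"))
    else:
        steps.append(("logon", "failed", "no DC reachable and no cached credentials"))
        return steps
    err = supplicant_trusts_server(cert, client["clock"], client["trusted_roots"])
    if err:
        steps.append(("user auth", "EAP-Failure", err))
    else:
        decision, code = evaluate(policy, user["groups"])
        steps.append(("user auth", decision, REASON[code]))
    return steps


# Constructed scenario data (names and dates are made up for the example).
CERT = {"issuer": "School Root CA",
        "not_before": datetime(2007, 9, 1), "not_after": datetime(2008, 9, 1)}
STUDENT_LAPTOP = {"authenticate_as_computer": True, "machine_groups": {"Domain Computers"},
                  "trusted_roots": {"School Root CA"}, "clock": datetime(2007, 10, 8),
                  "cached_credentials": set()}
STAFF_LAPTOP = dict(STUDENT_LAPTOP, cached_credentials={"jsmith"})
USER = {"name": "jsmith", "groups": {"Domain Users", "Wireless Users"}}
BROKEN_POLICY = {"windows_groups": {"Wireless Users"}, "eap_types": {"PEAP-MSCHAPv2"}}
FIXED_POLICY = {"windows_groups": {"Wireless Users", "Domain Computers"}, "eap_types": {"PEAP-MSCHAPv2"}}

if __name__ == "__main__":
    scenarios = [("student laptop, users-only policy", STUDENT_LAPTOP, BROKEN_POLICY),
                 ("staff laptop, users-only policy", STAFF_LAPTOP, BROKEN_POLICY),
                 ("student laptop, computers added to policy", STUDENT_LAPTOP, FIXED_POLICY),
                 ("student laptop, clock a year fast", dict(STUDENT_LAPTOP, clock=datetime(2009, 1, 1)), FIXED_POLICY)]
    for label, client, policy in scenarios:
        print(label)
        for step in connect(client, policy, CERT, USER):
            print("   %-13s %-14s %s" % step)
```

The four scenarios reproduce the thread's symptoms: with a users-only policy the student laptop fails at the logon screen while the staff laptop gets in on cached credentials and then authenticates as a user; adding the computer accounts to the policy fixes the student laptop; and a badly skewed clock fails before IAS is ever consulted, because the supplicant rejects the server certificate.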

Posted

If the machines are set up to authenticate, then I don't see how having user re-authentication then gives a user access to more resources?

 

To test that your RADIUS is authenticating correctly, have a look at: Periodik Labs: Elektron RADIUS Server for Wireless Security

 

Also, I'd look at using the Juniper Odyssey client on your wireless devices, if only to help troubleshoot, as the logging and diagnostics are a lot better than the built-in Windows supplicant.

 

Ben
