Ryan Rood (Canada) asked:

Wireless Connections Using RADIUS Authentication

Hello Experts,

I set up RADIUS authentication (Windows Server 2008 R1) for wireless a while back and recently, after installing a new AP, I am unable to authenticate using multiple notebooks, but the iPads still seem to work. I am at a loss ... because it is happening across many different types of notebooks and a wireless adapter. I have read a few different articles about this and have made some adjustments but it does not seem to want to cooperate.

I have configured the wireless settings for the notebook to disable integrated authentication so it prompts for a user/pass every time now.

The notebook sees the SSID broadcasting and the user is a member of the group allowed that works on the iPad. I have tried with and without domain prefix. When I try to authenticate I get "Windows was unable to connect to SSID_Name".


Thoughts or resources would be appreciated.

Thanks,
Ryan
Jakob Digranes (Norway) replied:

Since iPads are working and PCs are not, this is most likely due to wrong client settings on the PC.
iOS devices are good at determining what authentication settings to use. Win 7 is not.

So if your network policy says that the EAP type is PEAP and the inner authentication is MSCHAPv2,
you need identical settings on Win7, and also - a typical error is that Win7 thinks it should use machine authentication - but you probably should set this to User (since iPads are on).
Or do you use both machine and user? This is set in Advanced settings for Win 7.

Also - look at Event Viewer on the NPS server (Event Viewer - Custom Views - Server Roles - Network Policy Server) and look for the error after a user has tried to log on.... the error is probably marked as an informational event - not failure.

I second what jakob_di says... the logs are VERY informative. All of the successes and failures will be informational events - the only warnings will be related to service events and not client authentication events.

If you could post some failure logs that would be helpful.
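Added example, not part of the thread: the NPS events the two replies above point at, pulled from the Security log with PowerShell instead of clicking through the custom view. NPS writes both outcomes at Information level (event 6272 for a grant, 6273 for a denial), so filtering Event Viewer on Error shows nothing; this lists the last few decisions with the fields that matter for triage. Requires PowerShell 3 or later on the NPS server; the column names are this example's own.

```powershell
# Added example, not from the thread. Summarises recent NPS authentication decisions from
# the Security log. 6272 = access granted, 6273 = access denied; both are Information level.
# Run in an elevated PowerShell on the NPS server itself.
function Get-NpsAuthSummary {
    param([int]$Last = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents $Last -ErrorAction Stop |
        ForEach-Object {
            $m = $_.Message
            # The message body is "Label:<tabs>value" lines; take the first line carrying the label.
            # Anchoring at line start keeps "Account Name" from matching "Fully Qualified Account Name".
            $grab = { param($label) if ($m -match "(?m)^\s*$label\s*:\s*(.*?)\s*$") { $Matches[1] } else { '-' } }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Result    = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
                User      = & $grab 'Account Name'               # first occurrence is the user; the Client Machine block repeats the label
                CallerMAC = & $grab 'Calling Station Identifier'
                NAS       = & $grab 'Client Friendly Name'        # the RADIUS client entry, i.e. the AP
                CRP       = & $grab 'Connection Request Policy Name'
                Policy    = & $grab 'Network Policy Name'
                EAP       = & $grab 'EAP Type'
                Reason    = & $grab 'Reason Code'                 # non-zero on a denial; the Detail column spells it out
                Detail    = & $grab 'Reason'
            }
        }
}

Get-NpsAuthSummary -Last 20 | Format-Table -AutoSize
```

If the list comes back empty, check `auditpol /get /subcategory:"Network Policy Server"`; both Success and Failure auditing must be enabled for these events to be written. A GRANTED row tells you the EAP exchange with NPS completed for that user and policy; a client that still fails to associate after a grant is failing later, in the key handshake on the AP or in DHCP, which is where the thread goes next.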
Ryan Rood (asker):

Ok - I have attached the setup of the RADIUS server. All logs on the NPS look good. Every time I authenticate it says that it has been granted. So it looks like everything is working well on the server. Notebook screen shots to follow.
Attachments: RADIUS-Config.png, RADIUS-Config2.png, RADIUS-Config3.png, RADIUS-Config4.png

Can we see the logs anyway??

Here are two auth requests.
Attachments: log1.txt, log2.txt, log3.txt, log4.txt

I notice you have a proxy policy in the logs. Have you configured a connection request policy?

Jolly good information collection :-) Thanks.

First of all, in the first RADIUS config picture:
In EAP types, remove MSCHAP, leaving just PEAP. And also clear all "Less Secure Authentication Methods" (!)

But RADIUS has authenticated you, so the rest is up to the wireless to get.
Make sure VLANs and DHCP are working; you won't get an IP until after you've authenticated, but you can be authenticated and a DHCP error will show that you're not connected to wireless.

What wireless system do you have?

Updated configuration as per your recommendation on both policies. Using a D-Link DWL-8600AP. No VLANs. DHCP is working if I plug into the network. Do I have to tell RADIUS anything special to pass to DHCP? DHCP is actually on the same server.

Nope. The AP will only allow L2 authentication traffic to the station until it's successfully authenticated. Then it will hand it over to L3 and DHCP and IP ...

This might look like an AP error.

Try upgrading firmware: http://www.dlink.com/us/en/support/faq/access-points-and-range-extenders/access-points/dwl-series/how-to-upgrade-the-firmware-on-the-dwl-8600ap-managed

Here is a delightful TFTP server for your PC ... <3: http://tftpd32.jounin.net/tftpd32_download.html

...just take it back a little... If the iPads work it's less likely to be an AP firmware issue. Obviously I wouldn't rule it out, but it doesn't make sense for it to be ok with some devices and not others.

Are there any logs on the AP?

Do you have WPA and WPA2 enabled on the AP? If so, do you have AES enabled for use with WPA, and TKIP enabled for use with WPA2?

Lots of clients don't like to use WPA with AES, or WPA2 with TKIP. This can cause problems with traffic post-authentication.
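Added example, not part of the thread: a client-side check for the WPA/WPA2 and TKIP/AES pairing problem the reply above describes. Run on the failing Windows notebook, it reads what the AP beacons for the SSID and what the wireless driver says it supports, and reports whether the pair lines up. It parses the English-locale text of netsh; SSID_Name is the thread's placeholder SSID.

```powershell
# Added example, not from the thread. Compares the authentication/cipher pair the AP
# advertises for the SSID with the pairs the client's wireless driver reports it supports.
# Parses English-locale netsh output; SSID_Name is the thread's placeholder SSID.
$Ssid = 'SSID_Name'

# 1. What the AP advertises. netsh prints one block per SSID containing Authentication
#    and Encryption lines (CCMP is AES). Split on the "SSID n :" headers and keep ours.
$scan  = (netsh wlan show networks mode=bssid) -join "`n"
$block = ($scan -split '(?m)^SSID \d+ :\s*') |
         Where-Object { $_ -match ('(?m)\A' + [regex]::Escape($Ssid) + '\s*$') } |
         Select-Object -First 1
if (-not $block) { throw "SSID '$Ssid' not seen in the scan; is the radio on and the SSID broadcast?" }
$apAuth = if ($block -match '(?m)^\s*Authentication\s*:\s*(.+?)\s*$') { $Matches[1] } else { '?' }
$apEnc  = if ($block -match '(?m)^\s*Encryption\s*:\s*(.+?)\s*$')     { $Matches[1] } else { '?' }

# 2. What the adapter driver supports: the indented "<auth> <cipher>" lines that follow
#    the "Authentication and cipher supported in infrastructure mode" header.
$drv       = @(netsh wlan show drivers)
$hdr       = 0..($drv.Count - 1) | Where-Object { $drv[$_] -match 'supported in infrastructure mode' } | Select-Object -First 1
$supported = @()
if ($hdr -ne $null) {
    for ($i = $hdr + 1; $i -lt $drv.Count -and $drv[$i] -match '^\s+(\S+)\s+(\S+)\s*$'; $i++) {
        $supported += '{0} {1}' -f $Matches[1], $Matches[2]
    }
}

# 3. Verdict: the pair the AP beacons must appear in the driver's capability list.
"AP advertises  : $apAuth / $apEnc"
"Driver supports: " + ($supported -join ', ')
if ($supported -contains "$apAuth $apEnc") {
    "OK: the driver lists $apAuth with $apEnc"
} else {
    "MISMATCH: the driver does not list $apAuth with $apEnc; fix the AP's auth/cipher pairing or update the driver"
}
```

For an AP configured with both TKIP and AES, compare the result against the AP's own security page as well, since the scan reports what the BSS beacons rather than every cipher the AP will accept. Two netsh lines are doing the real work here: `netsh wlan show networks mode=bssid` for the AP side and `netsh wlan show drivers` for the client side.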
[Solution by Jakob Digranes hidden: members only]

Firmware is current at "4.1.0.11".

I don't readily see any logs ... it does have an SSH console but nothing aside from technical logging ... not to monitor things like wireless connections.

I have WPA2, TKIP and AES enabled (and pre-authentication enabled).

Ok, can you disable TKIP and try?
Also, you're not using machine authentication so you should disable pre-authentication.

Ok - done both. Will try again tomorrow. Side note on pre-authentication, can I create a security group in AD to allow an (AD PC) to authenticate instead?

You can create a new policy in RADIUS which uses EAP-TLS, and use the Domain Computers condition.

Same result for the wireless ... still will not connect using WPA2 Enterprise using AES.

Ok, can you verify that a client can connect successfully with NO authentication or encryption?

Notebook connects immediately with no security on it and gets an IP Address.

So maybe there's an encryption issue.

Can you try with WPA2/AES using a preshared key?

Connects immediately with no special configuration necessary on the notebook using WPA2.
[Solution hidden: members only]

Well ... that would be very interesting, wouldn't it. I suppose I could download a "test" server and set up NPS on it to see what happens.

Ok - 2008 R2 trial installed ... NPS configured. No dice ... this is crazy. Wondering if maybe the device is just not "capable" even though it claims it is.
[Asker-certified solution hidden: members only]
[Solution hidden: members only]

I am going to have a nice chat with D-Link today. Will advise.

Still not resolved but I appreciate the help. I am going to try and put a new 2012 server out and see if it functions better.