techsolve1
asked on
Cisco 2504 Authentication with Radius Server 2012R2
Hi
I'm trying to get a Cisco 2504 WLC to authenticate with Server 2012R2 as a RADIUS server.
I'm not having much luck!
Any links or setup guides much appreciated.
thanks in advance
The NPS EAP certificate... Where did you get the certificate from?
ASKER
I'm presuming it's the CA server cert that you are talking about? The error I'm getting is "the cert chain was issued by an authority that is not trusted".
ASKER
Hi Craigbeck
I've followed your document exactly and everything has installed successfully. The install of Server 2012 is brand new.
When I try to connect, I keep getting a message "unable to find a cert to log you on to the network". When I try with a different laptop on a different domain, I get a message in Event Viewer that the domain is not authenticated, which is correct, I presume.
Is there something that I am missing?
thanks
ASKER
OK, everything works fine from Windows 7 onwards, so not going to use XP on the network. One question: is it an option to create a cert and get it verified by VeriSign, for example, and use it for guest users with non-domain-member laptops, so they can access the internet, or is there another way of doing it?
Thanks
You need to deploy a slightly different GPO to Windows XP clients. When you create the GPO you get an option for XP or Vista and later, so you should have 2 GPOs for Wireless clients (if you put a blanket GPO across all your devices).
Guests would usually use a captive portal so the portal would need a certificate to enable the users to log in via HTTPS web page, but the connection to the actual wireless network would not need a cert or key.
ASKER
Hi, thanks for the info, much appreciated. Could you expand a bit more on the guest access option?
Thanks
Guest users would connect to a different SSID which is unencrypted and has no authentication on the wireless link itself. You would 'grab' guest users' traffic by sending them to a captive portal either at the gateway or by using RADIUS to send them there.
There are a few appliances that can do this, or you can install a captive portal on a router running DD-WRT (for example).
ASKER
Thanks for the help
ASKER
Below is an auth error from Event Viewer. It's a new domain and we are trying to connect with a laptop that is not part of the domain; would this be the reason for this error?
What we want to enable is non-domain members to auth to the domain with their domain user accounts, i.e. for iPad and smartphones etc.
+ System
- Provider
[ Name] Microsoft-Windows-Security
[ Guid] {54849625-5478-4994-A5BA-3
EventID 6273
Version 1
Level 0
Task 12552
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2014-07-14T18:28:50.465328
EventRecordID 12385
Correlation
- Execution
[ ProcessID] 516
[ ThreadID] 4388
Channel Security
Computer server.server.LOCAL
Security
- EventData
SubjectUserSid S-1-5-21-126271290-1760273
SubjectUserName server\Administrator
SubjectDomainName server
FullyQualifiedSubjectUserN
SubjectMachineSID S-1-0-0
SubjectMachineName -
FullyQualifiedSubjectMachi
MachineInventory -
CalledStationID 6c-fa-89-64-c0-c0:ASNM Wifi
CallingStationID 00-23-14-a9-1c-cc
NASIPv4Address 10.13.0.2
NASIPv6Address -
NASIdentifier Cisco_c7:98:24
NASPortType Wireless - IEEE 802.11
NASPort 1
ClientName WLC
ClientIPAddress 10.13.0.2
ProxyPolicyName Secure Wireless Connections
NetworkPolicyName Test2
AuthenticationProvider Windows
AuthenticationServer server.LOCAL
AuthenticationType PEAP
EAPType -
AccountSessionIdentifier -
ReasonCode 265
Reason The certificate chain was issued by an authority that is not trusted.
LoggingResult Accounting information was written to the local log file.
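Added example, not part of the thread or written by its participants: a small Python triage of NPS access-denied events (6273) exported from the Security log as XML. It groups denials by ReasonCode and lists the stations denied with the certificate-trust reason (265) shown in the event above. The `<Events>` wrapper, the function names and every sample value other than those copied from the posted record are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CERT_TRUST_REASON = "265"  # reason code from the event posted above

# Constructed sample in Windows event XML form. The first event reuses values
# from the 6273 record above; the other two are made up for contrast.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6273</EventID><TimeCreated SystemTime="2014-07-14T18:28:50.465328"/></System>
 <EventData>
  <Data Name="CallingStationID">00-23-14-a9-1c-cc</Data>
  <Data Name="NetworkPolicyName">Test2</Data>
  <Data Name="AuthenticationType">PEAP</Data>
  <Data Name="ReasonCode">265</Data>
  <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6273</EventID><TimeCreated SystemTime="2014-07-14T18:31:02.000000"/></System>
 <EventData>
  <Data Name="CallingStationID">00-00-5e-00-53-01</Data>
  <Data Name="ReasonCode">16</Data>
  <Data Name="Reason">Constructed: credentials mismatch.</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>6272</EventID><TimeCreated SystemTime="2014-07-14T18:35:10.000000"/></System>
 <EventData><Data Name="CallingStationID">00-00-5e-00-53-02</Data></EventData>
</Event>
</Events>"""

def parse_denials(xml_text):
    """Return one dict per event 6273 (access denied), EventData flattened by Name."""
    denials = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6273":
            continue  # skip grants (6272) and anything else in the export
        rec = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        rec["Time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        denials.append(rec)
    return denials

def triage(records):
    """Count denials per reason code; list stations denied on certificate trust."""
    by_reason = Counter(r.get("ReasonCode", "?") for r in records)
    untrusted = sorted({r["CallingStationID"] for r in records
                        if r.get("ReasonCode") == CERT_TRUST_REASON})
    return by_reason, untrusted
```

Calling `triage(parse_denials(SAMPLE_XML))` separates stations that fail on certificate chain trust from those denied for other reasons, which is the distinction the thread turns on for non-domain devices.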