11.26.2007 at 12:24PM PST, ID: 22983382

IAS PEAP/MSCHAPv2 with Cisco 1200 Access Point - Help!

Asked by nstand in Wireless Local Area Network, Wireless Networking, 802.11 Wireless Access Points

Tags: ias, cisco

I am trying to migrate from WEP to WPA and have set up a test environment where I am trying to use WPA/PEAP/MSCHAPv2 encryption/authentication using the following:

- Cisco 1200 Access Points
- Windows 2003 IAS
- Windows XP SP2 Clients

Setup is as follows:

- Cisco 1200 Access Point
Encryption : ciphers + tkip
Authentication : open+EAP
Key Management : wpa
RADIUS Server : IP configured with key

- IAS on Windows 2003
Policy Conditions: Domain Users, Domain Computers (No specific conditions for authentication type)
Authentication Tab: EAP -> Protected EAP
Encryption Tab: MPPE 128 bit
Advanced : Service-Type RADIUS Standard Framed

- Windows XP SP2
At the moment I am using the Dell config to try and connect to my SSID. I have tried all sorts of encryption and authentication schemes:
WPA/Auto and PEAP/MSCHAPv2
WPA/Auto and TTLS/MSCHAPv2
WPA/Auto and TLS/MSCHAPv2
802.1x and PEAP/MSCHAPv2

Authentication requests are reaching the IAS server, and when using WPA/Auto and TTLS/MSCHAPv2 I get the following error in the SYSTEM log:

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            26/11/2007
Time:            19:33:45
User:            N/A
Computer:      
Description:
User NAME1 was denied access.
 Fully-Qualified-User-Name = domain.com/UK/Users/Name1
 NAS-IP-Address = 10.2.2.1
 NAS-Identifier = <not present>
 Called-Station-Identifier =
 Calling-Station-Identifier =
 Client-Friendly-Name = 1200-Test
 Client-IP-Address = 10.1.1.2
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 646
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = jllwireless-dubai
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 22
 Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
   
I have turned on both IAS and RRAS tracing and the following excerpts seem useful:
[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: Injecting the profile
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.

My IAS server has a VeriSign-purchased WLAN SSL certificate and the IAS server has been registered within AD.

If anyone can help me with the setup I would appreciate it.

Thanks

nstand
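
The trace excerpt in the question records an EAP method negotiation: the server lists the type it allows, the client answers with a NAK proposing another, and the server rejects. The following is an added example, not part of the original post or of IAS itself; it parses those trace lines and names the types involved using the IANA EAP method numbers. The function names are hypothetical and it assumes the trace covers a single negotiation.

```python
import re

# EAP method type numbers from the IANA EAP registry (subset).
EAP_TYPES = {4: "MD5-Challenge", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2", 43: "EAP-FAST"}

# Trace lines copied from the question above.
SAMPLE_TRACE = """\
[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: Injecting the profile
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.
"""

# [thread-id] MM-DD HH:MM:SS:mmm: message
LINE_RE = re.compile(r"^\[(\d+)\]\s+(\d\d-\d\d \d\d:\d\d:\d\d:\d+):\s+(.*)$")
ALLOWED_RE = re.compile(r"Allowed EAP type:\s*(\d+)")
NAK_RE = re.compile(r"EAP NAK; proposed type\s*=\s*(\d+)")

def eap_name(t):
    return f"{EAP_TYPES.get(t, 'unknown')} ({t})"

def diagnose(trace):
    """Collect server-allowed and client-proposed EAP types from one negotiation."""
    allowed, proposed, rejected = [], [], False
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not trace records
        msg = m.group(3)
        if (a := ALLOWED_RE.search(msg)):
            allowed.append(int(a.group(1)))
        elif (n := NAK_RE.search(msg)):
            proposed.append(int(n.group(1)))
        elif "Rejecting user" in msg:
            rejected = True
    common = sorted(set(allowed) & set(proposed))
    # Mismatch: the client NAKed, nothing it offered is allowed, user rejected.
    mismatch = rejected and bool(proposed) and not common
    return {"allowed": allowed, "proposed": proposed,
            "common": common, "rejected": rejected, "mismatch": mismatch}

def summary(trace):
    d = diagnose(trace)
    srv = ", ".join(eap_name(t) for t in d["allowed"]) or "none logged"
    cli = ", ".join(eap_name(t) for t in d["proposed"]) or "none logged"
    verdict = "no common EAP type" if d["mismatch"] else "no type mismatch seen"
    return f"server allows: {srv}; client proposed: {cli}; {verdict}"

if __name__ == "__main__":
    print(summary(SAMPLE_TRACE))
```
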
About this solution

Solution Provided By: mcse2007
Participating Experts: 2
Solution Grade: C
 
 