• Status: Solved
  • Priority: Medium
  • Security: Public

Problem creating GPO for Internet Authentication Services

I am running SBS 2003 Premium and am trying to configure a Cisco 1100 Aironet wireless access point to use with the Windows Radius server. Here is what I have done so far:

1. Configured the Cisco 1100 with a static local IP, enabled WPA with RADIUS server authentication with TKIP encryption.

2. On the SBS server, I have installed the HotFix 811233 to allow WPA support, installed and configured Certificate Services and configured IAS to recognize the wireless access point. Additionally, I have configured the IAS wireless remote access policy and logging.

3. Created a Group Policy object ("Computer Wireless LAN Policy").  Created a Wireless Network (IEEE 802.11) policy.

Under the properties of the Wireless Network policy, I have two tabs (General and Preferred Networks). General is set to all the defaults. Here is the problem: When I go to the Preferred Networks tab and click "Add", nothing happens. No error message or any indication that there is something amiss. I can ping the Cisco 1100 and browse to its configuration page with no problem, but it will not show up in the Preferred Networks tab. Is there a misconfiguration on the AP or is it something else?

Thank you.
0
ctsuhako
Asked:
1 Solution
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Did you rerun the Configure Email and Internet Connection Wizard after making all those changes in 1 & 2 above?  ALWAYS a good idea.

Jeff
TechSoEasy
0
 
ctsuhako (Author) commented:
No, I haven't rerun the CEICW yet. I will do that first thing in the morning. Do you think that would make a difference?
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
YES!
0
 
ctsuhako (Author) commented:
Well, just reran the wizard and no joy.
0
 
Matt_Heuer commented:
Post the config on your AP.  There's a good bit of configuration that needs to be done on the AP, the client and the server.

Cole
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Actually, in rereading your question, and then going myself to the Wireless Policy Properties, I see what you are now having a problem with.  It's here:  http://www.microsoft.com/technet/community/columns/cableguy/cg0703.mspx

Make sure that the user account which you are logged into the server under is a member of the Group Policy Creator Owners Security Group.  This is probably what's prohibiting you from finishing up that GPO.  I generally use the built-in administrator account for configuring GPOs.

Jeff
TechSoEasy
0
 
ctsuhako (Author) commented:
Here is the config (I'm sure I messed something up in here):

!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1100D
!
no logging console
enable secret 5 $1$kuo.$9OnSP0nlSDPFkZp8SC4ss.
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1812 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
!
dot11 ssid Cisco1100D
   authentication open eap eap_methods
   authentication key-management wpa
!
!
!
username Cisco password 7 02250D480809
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid Cisco1100D
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.151 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server community public RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1812 acct-port 1646 key 7 154258193E1F7D117A3D61131A100157277577426B
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
!
end

0
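An added example, not part of any post in this thread: a small Python check that follows the 802.1X wiring in an Aironet IOS config like the one posted above, from the SSID's EAP method list through the AAA server group to a `radius-server host` entry that carries a shared key. The function name `check_eap_chain` and the sample excerpt (with the key replaced by a placeholder) are constructed for illustration.

```python
import re

# Constructed excerpt: the RADIUS/EAP lines of the posted config, key replaced by a placeholder.
SAMPLE = """\
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1812 acct-port 1646
!
aaa authentication login eap_methods group rad_eap
dot11 ssid Cisco1100D
   authentication open eap eap_methods
   authentication key-management wpa
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid Cisco1100D
!
radius-server host 10.0.0.2 auth-port 1812 acct-port 1646 key 7 PLACEHOLDER
"""

def check_eap_chain(config):
    """Follow SSID -> method list -> AAA group -> RADIUS host; return a list of gaps."""
    groups, current = {}, None          # {group name: {(ip, auth_port), ...}}
    for line in config.splitlines():
        if m := re.match(r"aaa group server radius (\S+)", line):
            current = m.group(1)
            groups[current] = set()
        elif current and (m := re.match(r"\s+server (\S+) auth-port (\d+)", line)):
            groups[current].add(m.groups())
        elif not line.startswith(" "):
            current = None              # left the group block
    methods = dict(re.findall(r"^aaa authentication login (\S+) group (\S+)", config, re.M))
    keyed = set(re.findall(r"^radius-server host (\S+) auth-port (\d+) .*\bkey \d+ \S+", config, re.M))
    problems = []
    for lst in re.findall(r"^\s*authentication open eap (\S+)", config, re.M):
        group = methods.get(lst)
        if group is None:
            problems.append(f"method list {lst} is not defined")
        elif not groups.get(group):
            problems.append(f"group {group} has no server")
        else:
            problems += [f"server {ip}:{port} has no keyed radius-server host"
                         for ip, port in sorted(groups[group] - keyed)]
    if "key-management wpa" in config and "encryption mode ciphers" not in config:
        problems.append("WPA key management without a cipher on the radio")
    return problems

if __name__ == "__main__":
    print(check_eap_chain(SAMPLE) or "EAP chain is consistent")
```

An empty result only means the AP side is internally consistent; the client trust of the CA and the IAS policies asked about in the thread are outside what this check can see.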
 
ctsuhako (Author) commented:
Jeff:

I am logged on as admin. Thanks!
0
 
Matt_Heuer commented:
Your Aironet config looks good. Do the clients trust your CA? Also, how do you have your policies in IAS set up?

Cole
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
You may need to reinstall the Small Business Server administrative tools if they've become corrupted. (No action when clicking that button sounds as if they could be).  This would be done through add/remove programs > Windows Small Business Server 2003.

On the Component Selection screen, change Server Tools to "maintenance" and Administrative Tools to "uninstall" and finish out the wizard.  Then, go back to the same place but change Administrative Tools to "install".  Reapply SBS SP1.

If you haven't installed SBS SP1 yet, you would set Administrative Tools to "reinstall" and only run the install wizard once.

This can't hurt to try.

Jeff
TechSoEasy
0
 
ctsuhako (Author) commented:
Hi, Jeff:

Followed your above instructions and rebooted. No luck. Drat!
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Have you installed Service Pack 1 yet?

Jeff
TechSoEasy
0
 
ctsuhako (Author) commented:
Not yet.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
I just want to confirm with you -- even though you said you are logged on as "admin" can you make sure that the admin is a member of Group Policy Creator Owners Security Group?

Jeff
TechSoEasy
0
 
ctsuhako (Author) commented:
Jeff:

The Administrator is a member of the Group Policy Creator Owners Security Group.
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, commented:
Well, I think it's hard to troubleshoot something like this in this kind of forum.  You may want to review http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_12.mspx?mfr=true to see if there are other ways to configure this to your satisfaction.

Jeff
TechSoEasy
0
