ctsuhako
asked on
Problem creating GPO for Internet Authentication Services
I am running SBS 2003 Premium and am trying to configure a Cisco 1100 Aironet wireless access point to use with the Windows Radius server. Here is what I have done so far:
1. Configured the Cisco 1100 with a static local IP, enabled WPA with RADIUS server authentication with TKIP encryption.
2. On the SBS server, I have installed the HotFix 811233 to allow WPA support, installed and configured Certificate Services and configured IAS to recognize the wireless access point. Additionally, I have configured the IAS wireless remote access policy and logging.
3. Created a Group Policy object ("Computer Wireless LAN Policy"). Created a Wireless Network (IEEE 802.11) policy.
Under the properties of the Wireless Network policy, I have two tabs (General and Preferred Networks). General is set to all the defaults. Here is the problem: When I go to the Preferred Networks tab and click "Add", nothing happens. No error message or any indication that there is something amiss. I can ping the Cisco 1100 and browse to its configuration page with no problem, but it will not show up in the Preferred Networks tab. Is there a misconfiguration on the AP or is it something else?
Thank you.
ASKER
No, I haven't rerun the CEICW yet. I will do that first thing in the morning. Do you think that would make a difference?
YES!
ASKER
Well, just reran the wizard and no joy.
Post the config on your AP. There's a good bit of configuration that needs to be done on the AP, the client and the server.
Cole
Actually, in rereading your question, and then going myself to the Wireless Policy Properties, I see what you are now having a problem with. It's here: http://www.microsoft.com/technet/community/columns/cableguy/cg0703.mspx
Make sure that the user account which you are logged into the server under is a member of the Group Policy Creator Owners Security Group. This is probably what's prohibiting you from finishing up that GPO. I generally use the built-in administrator account for configuring GPOs.
Jeff
TechSoEasy
ASKER
Here is the config (I'm sure I messed something up in here):
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco1100D
!
no logging console
enable secret 5 $1$kuo.$9OnSP0nlSDPFkZp8SC4ss.
!
ip subnet-zero
!
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.0.0.2 auth-port 1812 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server tacacs+ tac_admin
 cache expiry 1
 cache authorization profile admin_cache
 cache authentication profile admin_cache
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa cache profile admin_cache
 all
!
aaa session-id common
!
dot11 ssid Cisco1100D
 authentication open eap eap_methods
 authentication key-management wpa
!
!
!
username Cisco password 7 02250D480809
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid Cisco1100D
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 10.0.0.151 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
snmp-server community public RO
radius-server attribute 32 include-in-access-req format %h
radius-server host 10.0.0.2 auth-port 1812 acct-port 1646 key 7 154258193E1F7D117A3D61131A100157277577426B
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 transport preferred all
 transport input all
 transport output all
line vty 5 15
 transport preferred all
 transport input all
 transport output all
!
end
ASKER
Jeff:
I am logged on as admin. Thanks!
Your Aironet config looks good. Do the clients trust your CA? Also, how do you have your policies in IAS set up?
Cole
You may need to reinstall the Small Business Server administrative tools if they've become corrupted. (No action when clicking that button sounds as if they could be). This would be done through add/remove programs > Windows Small Business Server 2003.
On the Component Selection screen, change Server Tools to "maintenance" and Administrative Tools to "uninstall" and finish out the wizard. Then, go back to the same place but change Administrative Tools to "install". Reapply SBS SP1.
If you haven't installed SBS SP1 yet, you would set Administrative Tools to "reinstall" and only run the install wizard once.
This can't hurt to try.
Jeff
TechSoEasy
ASKER
Hi, Jeff:
Followed your above instructions and rebooted. No luck. Drat!
Have you installed Service Pack 1 yet?
Jeff
TechSoEasy
ASKER
Not yet.
I just want to confirm with you -- even though you said you are logged on as "admin" can you make sure that the admin is a member of Group Policy Creator Owners Security Group?
Jeff
TechSoEasy
ASKER
Jeff:
The Administrator is a member of the Group Policy Creator Owners Security Group.
ASKER CERTIFIED SOLUTION
Jeff
TechSoEasy