Solved

IAS PEAP/MSCHAPv2 with Cisco 1200 Access Point - Help!

Posted on 2007-11-26
Last Modified: 2013-11-12
I am trying to migrate from WEP to WPA and have set up a test environment where I am trying to use WPA/PEAP/MSCHAPv2 encryption/authentication using the following:

- Cisco 1200 Access Points
- Windows 2003 IAS
- Windows XP SP2 Clients

Setup is as follows:

- Cisco 1200 Access Point
Encryption : ciphers + tkip
Authentication : open+EAP
Key Management : wpa
RADIUS Server : IP configured with key

- IAS on Windows 2003
Policy Conditions: Domain Users, Domain Computers (No specific conditions for authenticaion type)
Authentication Tab: EAP -> Protected EAP
Encryption Tab: MPPE 128 bit
Advanced : Service-Type RADIUS Standard Framed

- Windows XP SP2
At the moment I am using the Dell config to try and connect to my SSID. I have tried all sorts of encryption and authentication schemes:
WPA/Auto and PEAP/MSCHAPv2
WPA/Auto and TTLS/MSCHAPv2
WPA/Auto and TLS/MSCHAPv2
802.1X and PEAP/MSCHAPv2

Authentication requests are reaching the IAS server, and when using WPA/Auto and TTLS/MSCHAPv2 I get the following error in the SYSTEM log:

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            26/11/2007
Time:            19:33:45
User:            N/A
Computer:      
Description:
User NAME1 was denied access.
 Fully-Qualified-User-Name = domain.com/UK/Users/Name1
 NAS-IP-Address = 10.2.2.1
 NAS-Identifier = <not present>
 Called-Station-Identifier =
 Calling-Station-Identifier =
 Client-Friendly-Name = 1200-Test
 Client-IP-Address = 10.1.1.2
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 646
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = jllwireless-dubai
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 22
 Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
   
I have turned on both IAS and RRAS tracing and the following excerpts seem useful:
[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: Injecting the profile
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.

My IAS server has a VeriSign-purchased WLAN SSL certificate, and the IAS server has been registered within AD.

If anyone can help me with the setup I would appreciate it.

Thanks

nstand
0
Comment
Question by:nstand
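Reading the trace in the question from a defender's side, here is an added example that is not part of the original post and not a Microsoft or Cisco tool: a small Python script that pulls the server-offered and client-proposed EAP type numbers out of IAS tracing lines, maps them to method names from the IANA EAP type registry, and correlates them with the Reason-Code from the Event ID 2 description. The trace and event text are the ones quoted in the question, embedded as constructed sample input; the EAP_TYPES and IAS_REASON_CODES tables, the function names and the EapDiagnosis class are this example's own. Run against the question's data it reports that the IAS policy only offers type 25 (PEAP) while the supplicant NAKed with type 21 (EAP-TTLS), which matches the "WPA/Auto and TTLS/MSCHAPv2" client profile being tested when the event was logged.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# IANA-assigned EAP method type numbers (RFC 3748 registry), limited to the
# methods that matter for a Windows IAS / Cisco WLAN deployment.
EAP_TYPES = {
    4: "MD5-Challenge",
    6: "GTC",
    13: "EAP-TLS",
    17: "LEAP",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
    43: "EAP-FAST",
}

# IAS Reason-Code values. 22 is the one in the question's event; 16 and 48
# are two other common codes from the same IAS reason-code set.
IAS_REASON_CODES = {
    16: "unknown user name or incorrect password",
    22: "EAP type cannot be processed by the server",
    48: "connection attempt did not match any remote access policy",
}

ALLOWED_RE = re.compile(r"Allowed EAP type:\s*(\d+)")
NAK_RE = re.compile(r"EAP NAK; proposed type\s*=\s*(\d+)")
FAILED_RE = re.compile(r"EAP negotiation failed")
REASON_RE = re.compile(r"Reason-Code\s*=\s*(\d+)")

# Constructed sample input: the IAS/RRAS trace lines quoted in the question.
SAMPLE_TRACE = """\
[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: Injecting the profile
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.
"""

# Constructed sample input: the relevant fields of the Event ID 2 description.
SAMPLE_EVENT = """\
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 22
 Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
"""


@dataclass
class EapDiagnosis:
    server_allows: List[int] = field(default_factory=list)    # types IAS offered
    client_proposed: List[int] = field(default_factory=list)  # types in client NAKs
    negotiation_failed: bool = False
    reason_code: Optional[int] = None
    verdict: str = ""


def eap_name(code: int) -> str:
    return EAP_TYPES.get(code, "unknown EAP type %d" % code)


def parse_trace(trace: str, diag: EapDiagnosis) -> None:
    """Collect server-offered and client-proposed EAP types from IAS tracing lines."""
    for line in trace.splitlines():
        m = ALLOWED_RE.search(line)
        if m:
            diag.server_allows.append(int(m.group(1)))
            continue
        m = NAK_RE.search(line)
        if m:
            diag.client_proposed.append(int(m.group(1)))
            continue
        if FAILED_RE.search(line):
            diag.negotiation_failed = True


def parse_event(event: str, diag: EapDiagnosis) -> None:
    """Pick the Reason-Code out of an IAS Event ID 2 description (if present)."""
    m = REASON_RE.search(event)
    if m:
        diag.reason_code = int(m.group(1))


def diagnose(trace: str, event: str = "") -> EapDiagnosis:
    """Correlate the trace and the event into a one-line verdict."""
    diag = EapDiagnosis()
    parse_trace(trace, diag)
    parse_event(event, diag)

    offered = set(diag.server_allows)
    proposed = set(diag.client_proposed)
    if diag.negotiation_failed and proposed and offered.isdisjoint(proposed):
        # The supplicant NAKed every method the policy offers: a pure config mismatch.
        diag.verdict = (
            "EAP method mismatch: IAS policy offers %s, client asked for %s. "
            "Set the client's 802.1X profile to the method the policy allows "
            "(or add that method to the policy)."
            % (", ".join(map(eap_name, sorted(offered))),
               ", ".join(map(eap_name, sorted(proposed))))
        )
    elif diag.negotiation_failed:
        diag.verdict = ("EAP negotiation failed without a method mismatch; check that the "
                        "client trusts the root CA that issued the IAS server certificate.")
    else:
        diag.verdict = "no EAP negotiation failure found in the trace"
    if diag.reason_code is not None:
        diag.verdict += " (IAS Reason-Code %d: %s)" % (
            diag.reason_code, IAS_REASON_CODES.get(diag.reason_code, "see IAS documentation"))
    return diag


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, SAMPLE_EVENT).verdict)
```

The same script can be pointed at a full IAS trace file; because it only keys on the "Allowed EAP type" and "EAP NAK; proposed type" lines, a client that cycles through several methods shows up as several proposed types, and the verdict only calls a mismatch when none of them intersects what the policy offers.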
7 Comments
 
LVL 31

Expert Comment

by:merowinger
ID: 20358243
try "Cisco" as Client Vendor on the IAS Server
0
 
LVL 4

Author Comment

by:nstand
ID: 20359378
No, afraid that didn't work.
0
 
LVL 7

Accepted Solution

by:
mcse2007 earned 500 total points
ID: 20390845
Boy, you've chosen a pretty secure wireless configuration, but it's quite difficult to set up without fully understanding certificates, IAS, Group Policy, AD, etc.

Why don't you install a Certificate Authority in AD - this is a built-in service in Windows 2003 Server - then enrol your users with a wireless certificate which they can use for authentication, which will give you better control over wireless security authentication.

Because you are using a third-party certificate which was not issued by your AD, authentication will fail. Good that you authorised IAS with AD, but how is your AD going to validate your users for authentication unless you install the WLAN SSL certificate on your clients and in AD, create the GPO and use that imported certificate via GPO for authentication - the AD certificate must match your clients' certificate wanting to authenticate using the WLAN SSL certificate.

What certificate have you installed in IAS and AD?

Check the PEAP configuration both in IAS and in your client; make sure they match.
Check the SSID in IAS and in your access point - they should match.

Troubleshooting links for wireless:
http://technet2.microsoft.com/windowsserver/en/library/ecc10b32-898a-435f-9d5c-01c25fb4d1f61033.mspx?mfr=true

If you decide to pursue the Microsoft Certificate Authority installation, below is a good link:
http://www.petri.co.il/install_windows_server_2003_ca.htm


0
 
LVL 4

Author Comment

by:nstand
ID: 20391305
Well, I finally got it configured. I wasn't far off getting it working in my original post; I put the problems down to the following:

- Cisco 1100 Access Points on change of SSID seem to have a bug where the new SSID won't broadcast. Had to rebuild the config from scratch, but nothing changed from the original post.
- IAS Server - nothing has changed, although for neatness I did set the client vendor to Cisco, but this was after it was working so I don't see this as a problem if not configured.
- AD Policy - this is probably the biggest thing to consider. I wasn't pushing out the signing WLAN Root CA, and because it was not already installed on the clients the SSL tunnel that is set up to exchange MSCHAPv2 tokens was failing to establish. Once I pushed this down to the clients everything started working.

I had to ensure that I allowed Domain Computers to authenticate via the IAS server, and likewise I needed to enable computer authentication in the policy. Now when I start up a machine it authenticates as the computer to enable any startup scripts, and then after logon it switches to user authentication.

Another thing I was trying to do was use an Access Point that was connected to an IAS server via a VPN. While I see no reason why this would not work, I think a local Cisco PIX is doing some TCP sequence number changes that it shouldn't, and it's preventing the SSL tunnel from being established correctly. A local AP and IAS works really well now.

Thanks for the advice; the MS troubleshooting guide is a decent first step.
0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20392573
Excellent!

A word of advice: precision is the key to making your Wireless Access Point (WAP) talk to your clients (i.e. a small thing that has been omitted is enough to make your WAP inaccessible).

0
 
LVL 7

Expert Comment

by:mcse2007
ID: 20394725
nstand,

If you are OK to close this issue, you may go ahead and make your points assignment if desired.

mcse2007
0
 
LVL 4

Author Closing Comment

by:nstand
ID: 31411064
Good help docs that were used to resolve the issue.
0