

IAS PEAP/MSCHAPv2 with Cisco 1200 Access Point - Help!

Posted on 2007-11-26
Medium Priority
Last Modified: 2013-11-12
I am trying to migrate from WEP to WPA and have set up a test environment where I am trying to use WPA/PEAP/MSCHAPv2 encryption/authentication using the following:

- Cisco 1200 Access Points
- Windows 2003 IAS
- Windows XP SP2 Clients

Setup is as follows:

- Cisco 1200 Access Point
Encryption : ciphers + tkip
Authentication : open+EAP
Key Management : wpa
RADIUS Server : IP configured with key

- IAS on Windows 2003
Policy Conditions: Domain Users, Domain Computers (no specific conditions for authentication type)
Authentication Tab: EAP -> Protected EAP
Encryption Tab: MPPE 128 bit
Advanced : Service-Type RADIUS Standard Framed

- Windows XP SP2
At the moment I am using the Dell config to try and connect to my SSID. I have tried all sorts of encryption and authentication schemes:
802.1X and PEAP/MSCHAPv2

Authentication requests are reaching the IAS server, and when using WPA/Auto and TTLS/MSCHAPv2 I get the following error in the SYSTEM log:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 26/11/2007
Time: 19:33:45
User: N/A
User NAME1 was denied access.
 Fully-Qualified-User-Name = domain.com/UK/Users/Name1
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Called-Station-Identifier =
 Calling-Station-Identifier =
 Client-Friendly-Name = 1200-Test
 Client-IP-Address =
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 646
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = jllwireless-dubai
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 22
 Reason = The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I have turned on both IAS and RRAS tracing and the following excerpts seem useful:
[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: Injecting the profile
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.

My IAS server has a verisign purchased WLAN SSL certificate and the IAS server has been registered within AD.

If anyone can help me with the setup I would appreciate it.


Question by:nstand
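The trace excerpt in the question already contains the diagnosis: IAS only allows EAP type 25 while the client answers with an EAP NAK proposing type 21. The script below is an added example (not part of the original post or any Microsoft tool) that parses IAS/RRAS trace lines of that shape and reports the mismatch by name. The EAP type numbers come from the IANA EAP registry (13 = EAP-TLS, 21 = EAP-TTLS, 25 = PEAP, 26 = EAP-MSCHAP-V2, and so on); the sample trace is copied from the post, and the regular expressions assume the `[thread] MM-DD HH:MM:SS:mmm: message` line format shown there.

```python
"""Diagnose an IAS EAP-type mismatch from IAS/RRAS trace lines.

Added example, not code from the original post. The line format assumed
is the one visible in the question: "[tid] MM-DD HH:MM:SS:mmm: message".
"""
import re
from dataclasses import dataclass, field

# Method Type numbers from the IANA "Extensible Authentication Protocol (EAP)
# Registry"; only the ones likely to show up in a Windows/Cisco WLAN trace.
EAP_TYPES = {
    4: "MD5-Challenge",
    6: "Generic Token Card (GTC)",
    13: "EAP-TLS",
    17: "Cisco LEAP",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAP-V2",
    43: "EAP-FAST",
}

# Sample trace, copied from the question (constructed input for this example).
SAMPLE_TRACE = """\
[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: Injecting the profile
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.
"""

LINE_RE = re.compile(r"^\[(?P<tid>\d+)\]\s+(?P<ts>\S+ \S+):\s+(?P<msg>.*)$")
ALLOWED_RE = re.compile(r"Allowed EAP type:\s*(\d+)")
NAK_RE = re.compile(r"EAP NAK; proposed type\s*=\s*(\d+)")


@dataclass
class Negotiation:
    """What the trace tells us about one EAP negotiation."""
    allowed: list = field(default_factory=list)   # types the IAS policy permits
    proposed: list = field(default_factory=list)  # types the client NAKed with
    account_ok: bool = False                      # Windows account validated
    failed: bool = False                          # "EAP negotiation failed" seen


def parse_trace(lines):
    """Extract allowed/proposed EAP types and outcome from trace lines."""
    neg = Negotiation()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a trace line (blank, header, etc.)
        msg = m.group("msg")
        if "Successfully validated windows account" in msg:
            neg.account_ok = True
        elif (a := ALLOWED_RE.search(msg)):
            neg.allowed.append(int(a.group(1)))
        elif (n := NAK_RE.search(msg)):
            neg.proposed.append(int(n.group(1)))
        elif "EAP negotiation failed" in msg:
            neg.failed = True
    return neg


def eap_name(t):
    return EAP_TYPES.get(t, "unknown type %d" % t)


def diagnose(neg):
    """Return (status, explanation). Status is one of:
    'ok', 'eap_type_mismatch', 'negotiation_failed_other'."""
    if not neg.failed:
        return "ok", "No EAP negotiation failure recorded in the trace."
    # A NAK carries the type(s) the client is willing to do instead; if none of
    # them is in the server's allowed list, the outer EAP method is mismatched.
    if neg.proposed and not any(t in neg.allowed for t in neg.proposed):
        return ("eap_type_mismatch",
                "Client offered %s but the IAS policy only allows %s; "
                "align the client's authentication type with the policy's EAP "
                "type (account validation %s, so this is not a credential problem)."
                % (", ".join(eap_name(t) for t in neg.proposed),
                   ", ".join(eap_name(t) for t in neg.allowed),
                   "succeeded" if neg.account_ok else "was not logged"))
    return ("negotiation_failed_other",
            "EAP negotiation failed without a type NAK; check the TLS tunnel "
            "(server certificate / trusted root on the client) rather than the EAP type.")


if __name__ == "__main__":
    status, why = diagnose(parse_trace(SAMPLE_TRACE.splitlines()))
    print(status)
    print(why)
```

Run it against the post's own trace and it reports `eap_type_mismatch`: the supplicant was configured for EAP-TTLS (21) while the IAS remote access policy only offers PEAP (25), which is exactly the Event ID 2 / Reason-Code 22 shown in the system log. When the negotiation fails without a NAK the script points at the TLS tunnel instead, which is the failure mode the author eventually hit once the EAP types matched.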
Expert Comment

ID: 20358243
try "Cisco" as Client Vendor on the IAS Server

Author Comment

ID: 20359378
No, afraid that didn't work.

Accepted Solution

mcse2007 earned 1000 total points
ID: 20390845
Boy, you have chosen a pretty secure wireless configuration, but it is quite difficult to set up without fully understanding certificates, IAS, Group Policy, AD etc.

Why don't you install a Certificate Authority in AD (this is a built-in service in Windows 2003 Server), then enrol your users with a wireless certificate which they can use for authentication? This will give you better control over wireless security authentication.

Because you are using a third-party certificate which was not issued by your AD, authentication will fail. Good that you authorised IAS with AD, but how does your AD validate your users for authentication unless you install the WLAN SSL certificate in your clients and in AD, create the GPO and use that imported certificate for authentication via GPO? The AD certificate must match the certificate on the clients wanting to authenticate using the WLAN SSL certificate.

What certificate you have installed in IAS, and AD ?

Check PEAP configuration both in IAS and in your client make sure they match the configuration.
check the SSID in IAS and in your access point - they should match.

Troubleshooting links for wireless.

If you decided to pursue the Microsoft Certificate Authority installation, below is a good link:



Author Comment

ID: 20391305
Well, I finally got it configured. I wasn't far off getting it working in my original post; I put the problems down to the following:

- Cisco 1100 Access Points on change of SSID seem to have a bug where the new SSID won't broadcast. Had to rebuild the config from scratch, but nothing changed from the original post.
- IAS Server: nothing has changed, although for neatness I did add the client vendor as Cisco, but this was after it was working, so I don't see this as a problem if not configured.
- AD Policy: this is probably the biggest thing to consider. I wasn't pushing out the signing WLAN Root CA, and because it was not already installed on the clients, the SSL tunnel that is set up to exchange MSCHAPv2 tokens was failing to establish. Once I pushed this down to the clients everything started working.

I had to ensure that I allowed Domain Computers to authenticate via the IAS server, and likewise I needed to enable computer authentication in the policy. Now when I start up a machine it authenticates using the computer account to enable any startup scripts, and then after logon it switches to user authentication.

Another thing I was trying to do was use an Access Point that was connected to an IAS server via a VPN. While I see no reason why this would not work, I think a local Cisco PIX is doing some TCP sequence number changes that it shouldn't, and it's preventing the SSL tunnel being established correctly. A local AP and IAS works really well now.

Thanks for the advice; the MS troubleshooting guide is a decent first step.

Expert Comment

ID: 20392573
excellent !

A word of advice: precision is the key to making your Wireless Access Point (WAP) talk to your clients (i.e. one small thing that has been omitted is enough to make your WAP inaccessible).


Expert Comment

ID: 20394725

If you are OK to close this issue, you may go ahead and make your points assignment if desired.


Author Closing Comment

ID: 31411064
Good help docs that were used to resolve issue
