IAS PEAP/MSCHAPv2 with Cisco 1200 Access Point - Help!

I am trying to migrate from WEP to WPA and have set up a test environment where I am trying to use WPA/PEAP/MSCHAPv2 encryption/authentication using the following:

- Cisco 1200 Access Points
- Windows 2003 IAS
- Windows XP SP2 Clients

Setup is as follows:

- Cisco 1200 Access Point
Encryption : ciphers + tkip
Authentication : open+EAP
Key Management : wpa
RADIUS Server : IP configured with key

- IAS on Windows 2003
Policy Conditions: Domain Users, Domain Computers (no specific conditions for authentication type)
Authentication Tab: EAP -> Protected EAP
Encryption Tab: MPPE 128 bit
Advanced : Service-Type RADIUS Standard Framed

- Windows XP SP2
At the moment I am using the Dell config to try and connect to my SSID. I have tried all sorts of encryption and authentication schemes:
802.1x and PEAP/MSCHAPv2

Authentication requests are reaching the IAS server, and when using WPA/Auto and TTLS/MSCHAPv2 I get the following error in the SYSTEM log:

Event Type:      Warning
Event Source:      IAS
Event Category:      None
Event ID:      2
Date:            26/11/2007
Time:            19:33:45
User:            N/A
User NAME1 was denied access.
 Fully-Qualified-User-Name = domain.com/UK/Users/Name1
 NAS-IP-Address =
 NAS-Identifier = <not present>
 Called-Station-Identifier =
 Calling-Station-Identifier =
 Client-Friendly-Name = 1200-Test
 Client-IP-Address =
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 646
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = jllwireless-dubai
 Authentication-Type = EAP
 EAP-Type = <undetermined>
 Reason-Code = 22
 Reason = The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
I have turned on both IAS and RRAS tracing, and the following excerpts seem useful:

[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: Injecting the profile
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.

My IAS server has a VeriSign-purchased WLAN SSL certificate, and the IAS server has been registered within AD.

If anyone can help me with the setup I would appreciate it.
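As an added illustration, not code from the original thread: a short Python script that parses IAS trace lines like the ones quoted above and reports whether the EAP method the client asked for differs from what the remote access policy allows (it assumes the standard IANA EAP type numbers, and its verdict text is a rule of thumb of my own):

```python
import re
# Standard IANA EAP method type numbers as they appear in IAS traces.
EAP_TYPES = {4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "EAP-MSCHAPv2"}
ALLOWED_RE = re.compile(r"Allowed EAP type: (\d+)")
NAK_RE = re.compile(r"EAP NAK; proposed type = (\d+)")
FAILED_RE = re.compile(r"EAP negotiation failed")

def analyse_ias_trace(lines):
    """Summarise the EAP negotiation recorded in IAS trace lines:
    allowed = types the remote access policy offers, proposed = types the
    client asked for via EAP NAK, mismatch = proposed types not allowed,
    failed = True if IAS logged that the negotiation failed."""
    allowed, proposed, failed = set(), [], False
    for line in lines:
        if m := ALLOWED_RE.search(line):
            allowed.add(int(m.group(1)))
        elif m := NAK_RE.search(line):
            proposed.append(int(m.group(1)))
        elif FAILED_RE.search(line):
            failed = True
    mismatch = [t for t in proposed if t not in allowed]
    return {"allowed": allowed, "proposed": proposed,
            "mismatch": mismatch, "failed": failed}

def explain(result):
    """Rule-of-thumb verdict (my heuristic, not an official IAS diagnostic)."""
    def name(t):
        return EAP_TYPES.get(t, f"type {t}")
    if result["mismatch"]:
        want = ", ".join(name(t) for t in result["mismatch"])
        have = ", ".join(name(t) for t in sorted(result["allowed"]))
        return f"Client asked for {want} but policy only offers {have}: fix the client EAP type"
    if result["failed"]:
        # Types agree yet negotiation failed: the PEAP TLS tunnel itself is the
        # usual suspect, e.g. the client does not trust the server cert's root CA.
        return "EAP types match but negotiation failed: check server certificate trust on the client"
    return "EAP negotiation completed"

# Constructed sample, modelled on the trace lines quoted in the question.
SAMPLE_TRACE = """\
[3472] 11-26 16:37:19:534: Successfully validated windows account.
[3472] 11-26 16:37:19:534: Allowed EAP type: 25
[1920] 11-26 16:37:19:924: EAP NAK; proposed type = 21
[1920] 11-26 16:37:19:924: EAP negotiation failed; no types remaining.
[1920] 11-26 16:37:19:924: EAP negotiation failed. Rejecting user.
""".splitlines()
if __name__ == "__main__":
    print(explain(analyse_ias_trace(SAMPLE_TRACE)))
```

Feed it the full IAS trace file instead of the constructed sample to see the same verdict over a real failed logon.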



mcse2007 Commented:
Boy, you chose a pretty secure wireless configuration, but it is quite difficult to set up without fully understanding certificates, IAS, Group Policy, AD, etc.

Why don't you install Certificate Authority in AD - this is a built-in service in Windows 2003 Server - then enrol your users with wireless certificates which they can use for authentication, which will give you better control over wireless security authentication.

Because you are using a third-party certificate which was not issued by your AD, authentication will fail. Good that you authorised IAS with AD, but how is your AD to validate your users for authentication unless you install the WLAN SSL certificate in your clients and in AD, create the GPO and use that imported certificate for authentication via GPO - the AD certificate must match that of your clients wanting to authenticate using the WLAN SSL certificate.

What certificate have you installed in IAS, and in AD?

Check the PEAP configuration both in IAS and in your client; make sure they match.
Check the SSID in IAS and in your access point - they should match.

Troubleshooting links for wireless.

If you decide to pursue the Microsoft Certificate Authority installation, below is a good link:

Try "Cisco" as Client Vendor on the IAS Server.
nstand (Author) Commented:
No, afraid that didn't work.

nstand (Author) Commented:
Well, I finally got it configured. I wasn't far off getting it working in my original post; I put the problems down to the following:

- Cisco 1100 Access Points, on change of SSID, seem to have a bug where the new SSID won't broadcast. Had to rebuild the config from scratch, but nothing changed from the original post.
- IAS Server - nothing has changed, although for neatness I did add the client vendor as Cisco, but this was after it was working, so I don't see this as a problem if not configured.
- AD Policy - this is probably the biggest thing to consider. I wasn't pushing out the signing WLAN Root CA, and because it was not already installed on the clients, the SSL tunnel that is set up to exchange MSCHAPv2 tokens was failing to establish. Once I pushed this down to the clients everything started working.

I had to ensure that I allowed Domain Computers to authenticate via the IAS server, and likewise I needed to enable computer authentication in the policy. Now when I start up a machine it authenticates using the computer to enable any startup scripts, and then after logon it switches to user authentication.

Another thing I was trying to do was use an access point that was connected to an IAS server via a VPN. While I see no reason why this would not work, I think a local Cisco PIX is doing some TCP sequence number changes that it shouldn't, and it's preventing the SSL tunnel being established correctly. A local AP and IAS works really well now.

Thanks for the advice; the MS troubleshooting guide is a decent first step.
Excellent!

A word of advice: precision is the key to making your Wireless Access Point (WAP) talk to your clients (i.e. a small thing that has been omitted is enough to make your WAP inaccessible).

If you are OK to close this issue you may go ahead and make your points assignment if desired.

nstand (Author) Commented:
Good help docs that were used to resolve the issue: