Solved

Need Help with WPA2 Enterprise and IAS

Posted on 2008-10-06
Last Modified: 2013-11-15
I've got a Windows CE 5.0 device using a Summit Wi-Fi card.  The CE device has the 2.0.17 drivers from Summit (Latest release).

I am using a Linksys Wireless-N Broadband Router as my access point.  The security mode is WPA2 Enterprise.  The encryption method is AES.  The IP address of the RADIUS server is correct (and the AP can ping it), and the shared secret is 4 letters long.  (This is a test to find out how to set up WPA2 Enterprise.)

There is a Windows 2003 Server on the LAN.  I installed IAS to act as the RADIUS server.  I've configured a RADIUS client as the AP.  My remote access policies will grant permission to any user or computer in Domain Users or Domain Computers.  The server is registered in Active Directory.  There is a certificate on the IAS server.

I can see the connection attempts in the IAS logs.  I have no idea what these log entries mean.  Here are two lines from today:

172.16.4.76,MOBI\fnels,10/06/2008,11:13:22,IAS,ZEVON,4,172.16.4.76,30,001ee546c029,31,00172301f9c9,32,001ee546c029,5,49,12,1400,61,19,4108,172.16.4.76,4116,0,4128,TESTWPA2,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.1.99 10/06/2008 15:12:57 1,4129,MOBI\fnels,4127,5,4149,FredsTest,4130,mobi.local/Engineering/Software Development/Fred Nels,4136,1,4142,0
172.16.4.76,MOBI\fnels,10/06/2008,11:13:22,IAS,ZEVON,25,311 1 172.16.1.99 10/06/2008 15:12:57 1,4130,mobi.local/Engineering/Software Development/Fred Nels,4149,FredsTest,4127,5,4129,MOBI\fnels,4154,Use Windows authentication for all users,4155,1,4108,172.16.4.76,4116,0,4128,TESTWPA2,4136,3,4142,65

On the CE device, I see that the Summit card Associates for a while.  The status then goes to "Not Associated",  and at the same time, the dialog box to collect the user id and password pops up.

I must be close to getting this working.  I am not seeing messages indicating that the user was rejected in the IAS logs.  

I am guessing that the user ID and password that I supply in the dialog box on the CE device ultimately gets authenticated by Active Directory.  The CE device will be part of the Mobi domain once the authentication/authorization succeeds.

Any help would be appreciated.

Thanks!

Question by:Black_Ed
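The two IAS log lines quoted in the question can be decoded field by field. The sketch below is an added example, not part of the original post: the attribute IDs and the packet-type and reason-code meanings are taken from Microsoft's IAS log format documentation rather than from this thread, and the function names are hypothetical.

```python
import csv

# The two IAS-format records quoted in the question, verbatim (raw strings,
# because the user name contains a backslash).
SAMPLE = [
    r"172.16.4.76,MOBI\fnels,10/06/2008,11:13:22,IAS,ZEVON,4,172.16.4.76,30,001ee546c029,31,00172301f9c9,32,001ee546c029,5,49,12,1400,61,19,4108,172.16.4.76,4116,0,4128,TESTWPA2,4155,1,4154,Use Windows authentication for all users,25,311 1 172.16.1.99 10/06/2008 15:12:57 1,4129,MOBI\fnels,4127,5,4149,FredsTest,4130,mobi.local/Engineering/Software Development/Fred Nels,4136,1,4142,0",
    r"172.16.4.76,MOBI\fnels,10/06/2008,11:13:22,IAS,ZEVON,25,311 1 172.16.1.99 10/06/2008 15:12:57 1,4130,mobi.local/Engineering/Software Development/Fred Nels,4149,FredsTest,4127,5,4129,MOBI\fnels,4154,Use Windows authentication for all users,4155,1,4108,172.16.4.76,4116,0,4128,TESTWPA2,4136,3,4142,65",
]

# Six fixed header fields, then (attribute ID, value) pairs in any order.
HEADER = ("nas_ip", "user", "date", "time", "service", "server")

# Assumption: IDs and meanings per Microsoft's IAS log documentation,
# not stated on this page. Only the values needed here are listed.
PACKET_TYPE, REASON_CODE = 4136, 4142
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}
REASONS = {0: "success",
           65: "remote access permission denied for the user account"}

def parse_ias_line(line):
    """Split one record into header fields plus an {attr_id: value} dict."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER) or (len(fields) - len(HEADER)) % 2:
        raise ValueError("not an IAS-format record")
    record = dict(zip(HEADER, fields))
    pairs = fields[len(HEADER):]
    record["attrs"] = {int(k): v for k, v in zip(pairs[0::2], pairs[1::2])}
    return record

def summarize(line):
    """Return (user, packet type, reason text) for one record."""
    rec = parse_ias_line(line)
    ptype = int(rec["attrs"].get(PACKET_TYPE, -1))
    reason = int(rec["attrs"].get(REASON_CODE, -1))
    return (rec["user"],
            PACKET_TYPES.get(ptype, f"packet type {ptype}"),
            REASONS.get(reason, f"reason code {reason}"))

def rejections(lines):
    """Keep only the Access-Reject records, the ones worth alerting on."""
    return [s for s in map(summarize, lines) if s[1] == "Access-Reject"]

if __name__ == "__main__":
    for row in map(summarize, SAMPLE):
        print(row)
```

Run over the question's two lines, the first record decodes as the Access-Request and the second as an Access-Reject with reason code 65, which corresponds to the Dial-in tab setting the author later reports having changed.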
6 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 22656688
Did you configure IAS to provide the vendor-specific attribute as might be required by the Linksys?
Example:
http://www.hansenonline.net/Networking/wlanradius.html

The issue is what does IAS send back when the credentials are validated?
0
 

Author Comment

by:Black_Ed
ID: 22658728
How can I find out what IAS sends back?  I thought it might be hidden in the log entries.  The logging on the AP is almost nonexistent.

I'll look at the link and see if that provides the answer.

Thanks for the suggestion!
0
 
LVL 78

Accepted Solution

by:
arnold earned 500 total points
ID: 22660365
Did you set up any reply item rules?
Download radtest: http://www.filetransit.com/view.php?id=23438
Set the Windows system on which you install the device as a client on IAS.
Then use the Radius test to transmit an authentication request to the IAS server and see what the response is.
Which Linksys router are you using?  There might be some specific directions included in the documentation.

 

Author Comment

by:Black_Ed
ID: 22660531
I have it working!

I checked the Event Viewer on the server that is running IAS.  It was showing that the user was being denied access by Active Directory.  I called the Network Admin, and he had to change the user configuration to allow remote authentication (or dial-in authentication, I am not sure).

The Event Viewer now shows that the user is being granted access.  My CE device is showing that the wireless connection is made, and I can ping addresses off the box.

I will post a screen shot of the attribute that needed to be set later on.  (I am waiting for the Network Admin to send it.)
0
 

Author Comment

by:Black_Ed
ID: 22679713
I've added the screen shot of what the Network Admin had to change in Active Directory.  

The User's properties in the "Dial-in" tab had to be changed.  The "Remote Access Permission (Dial-in or VPN)" option had to be changed to "Allow access".  The screen shot has the option circled in red.

Ed
WPA2-Enterprise.JPG
0
 

Author Closing Comment

by:Black_Ed
ID: 31503624
Thanks for your help on this!
0

Question has a verified solution.
