Solved

How do I configure my Cisco AP1200 to use my RADIUS server for authentication?

Posted on 2009-07-04
8
952 Views
Last Modified: 2013-11-12
I have only one 2003 in my domain running AD, and I have installed IAS (RADIUS server) and IIS, and have made the server the root CA. It is also the DNS and DHCP server.
I want to be able to have my wireless users authenticate against my RADIUS server using a certificate issued by the certificate server. How can I accomplish this?
In the security settings of the AP1200 I have configured it to use WPA / the RADIUS server as its method of authentication. I inputted the shared key between the AP1200 and the RADIUS server.
I also created a group in AD called Wireless users. I then created a remote access policy under IAS and added the group to it. The next step I did was, from the wireless client, I browsed to my serverIPaddress\certsrv and installed the certificate via my wired LAN. After this I disconnected from the wired network and tried to connect via my WiFi connection. When I do this I get the following error... THE ROOT CERTIFICATE REQUIRED FOR AUTHENTICATION WAS NOT FOUND IN THE CERTIFICATE STORE.... Where did I go wrong?
0
Question by:jbovalley
8 Comments
 
LVL 1

Assisted Solution

by:kbhaskar
kbhaskar earned 500 total points
ID: 24783091
If you are using certificate authentication, then try importing the machine cert into the machine store.

1. mmc
2. Add/Remove Snap-in
3. Certificates
4. Computer Account
5. Choose the certificate to import

Do the same thing for the user certificate as well.

Now try to authenticate.

If you are familiar with 802.1x security, I recommend implementing that for better security. This way you are not compromising the "SHARED SECRET" leakage by users ?

Hope this helps.
-Bhaskara
0
 

Author Comment

by:jbovalley
ID: 24783815
I am somewhat familiar with 802.1x security... that is the reason I wanted to go with the RADIUS server and certificates... so that I would not have to worry about the shared secret.... I was under the assumption that the user never gets a shared secret, that the user logs in with his domain credentials, and as long as he belongs to the group which I created for wireless clients he will be allowed to download the certificate onto his computer and then have access to the WLAN.... Is this incorrect?
0
 
LVL 1

Assisted Solution

by:kbhaskar
kbhaskar earned 500 total points
ID: 24785368
Yes, your understanding is correct.

1. The shared secret is only for encrypting the data packets between client and AP. Once the packet reaches the AP, it will only forward RADIUS packets to the RADIUS server. Now, at this point the security issues pop in! If the RADIUS authentication involves a plain text password, anyone can sniff packets and extract vital info. If you are doing domain authentication, then the password would be in hash format; if you are using certificate authentication, then it is more safe.

One thing I would like to understand is what type of client you are using. Is it the native wireless client or an industry-standard wireless supplicant like Odyssey Access Client?

-bhaskar
0

Author Comment

by:jbovalley
ID: 24790167
It is the native wireless client that comes with Windows XP.... One thing I noticed though is that in the configuration it gives you the option for PEAP and smart card... it does not say anything about LEAP.... I am not sure, but doesn't the Cisco Aironet 1200 use LEAP and not PEAP?
Would I need a different client to be able to connect?
0
 

Author Comment

by:jbovalley
ID: 24812235
I did install the certificate. First I browsed to the cert webpage of the server .....\\servername\certsrv and I installed it. When that did not work I went to the CA server and exported the certificate to a folder and then imported it into the client; that still did not work. ....@ Kbhaskar

Does anyone know the standard format to set up a RADIUS server to use a certificate that is issued by a CA that is part of an AD domain, to authenticate wireless users? I tried the setup with the guide from http://www.hansenonline.net/Networking/wlanradius.html but it did not work. I tried using both Cisco and RADIUS Standard as the protocol between the RADIUS client and the server but neither works... Maybe I am overlooking something? ...Any ideas about troubleshooting? Would love to figure out where the problem stems from so I can work on that... maybe it is the RADIUS server and not the CA, not sure.... When I try to log in with my AD credentials it tells me that I am unable to authenticate....ANY IDEAS APPRECIATED...THANKS
0
 

Author Comment

by:jbovalley
ID: 24834085
OK, after some playing around I got 2 of my clients to work! The problem I am having now is that I am able to connect and authenticate with userA but cannot with userB.... I know this problem has to come from the settings on the user but I did the exact same thing to configure both.... Any ideas?
0
 
LVL 1

Accepted Solution

by:
kbhaskar earned 500 total points
ID: 24841908
Hey, good to know that you got it working.

Now coming to your query: the reason it is not working might be that the certificate you installed is for a specific user. Now when you use a different user login, the client is not presenting the proper certificate, or you might not have installed a cert for that user ID.

So, try creating a user cert for the second user and install it in the user container.

Hope this helps.

Thanks
Bhaskar
0
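Added example (not part of the original thread): a read-only check of the certificate stores discussed in the answers above, namely the trusted root store named in the error message and the per-user and machine stores that hold the client certificates. It assumes certificate-based (EAP-TLS) authentication and that Windows PowerShell is available on the client; `$RootThumbprint` is a placeholder for your own root CA's thumbprint.

```powershell
# Added example, not from the thread. Run it as the user who will log on to the WLAN.
# $RootThumbprint is a placeholder: pass the thumbprint of your own root CA certificate.
param([string]$RootThumbprint = '<ROOT-CA-THUMBPRINT>')

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$want = ($RootThumbprint -replace '\s', '').ToUpper()

# 1. The root CA must be trusted on the client, otherwise the RADIUS
#    server's certificate cannot be validated.
$root = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Where-Object { $_.Thumbprint -eq $want } | Select-Object -First 1
if ($root) { "Root CA trusted: $($root.Subject)" }
else       { "Root CA $want is NOT in the Trusted Root store" }

# 2. Each user (and the machine) needs its own certificate with a private key
#    and the Client Authentication EKU, chaining up to that root.
#    Certificates without an EKU extension are skipped here.
foreach ($path in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem $path) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($eku -and ($oids -contains $clientAuthOid))) { continue }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check, CRLs are not fetched
        $ok  = $chain.Build($cert)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Store       = $path
            Subject     = $cert.Subject
            PrivateKey  = $cert.HasPrivateKey
            Expired     = $cert.NotAfter -lt (Get-Date)
            ChainValid  = $ok
            UnderRootCA = $top.Thumbprint -eq $want
        }
    }
}
```

A user for whom no row from `Cert:\CurrentUser\My` appears has no usable client certificate in that profile, which matches the userA/userB symptom described in the thread.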
 

Author Comment

by:jbovalley
ID: 24855132
Strange thing is that I did do that and it did not work.... I restarted the server and now everything works fine...... Next task is to get my RADIUS to also authenticate my wired connections and my VPN users coming in on a Cisco ASA... that should be fun :)
0
