How do I configure my Cisco AP1200 to use my Radius server for authentication?

Posted on 2009-07-04
Last Modified: 2013-11-12
I have only one 2003 in my domain running AD, and I have installed IAS (Radius server) and IIS, and have made the server the Root CA. It is also the DNS and DHCP server.
I want to be able to have my wireless users authenticate against my Radius server using a certificate issued by the certificate server. How can I accomplish this?
In the security settings of the AP1200 I have configured it to use WPA / the Radius server as its method of authentication. I entered the shared key between the AP1200 and the Radius server.
I also created a group in AD called Wireless users. I then created a remote access policy under IAS and added the group to it. The next step I did was, from the wireless client, I browsed to my serverIPaddress\certsrv and installed the certificate via my wired LAN. After this I disconnected from the wired network and tried to connect via my WiFi connection. When I do this I get the following error... THE ROOT CERTIFICATE REQUIRED FOR AUTHENTICATION WAS NOT FOUND IN THE CERTIFICATE STORE.... Where did I go wrong?
Question by:jbovalley

Assisted Solution

kbhaskar earned 500 total points
ID: 24783091
If you are using the certificate authentication, then try importing the machine cert on to the machine store.

1. mmc
2. Add/Remove Snap-in
3. Certificates
4. Computer Account
5. Choose the certificate to import

Do the same thing for the User Certificate as well.

Now try to authenticate.

If you are familiar with 802.1x security, I recommend implementing that for better security. This way you are not compromising the "SHARED SECRET" leakage by users ?

Hope this helps.

Author Comment

ID: 24783815
I am somewhat familiar with 802.1x security... that is the reason I wanted to go with the Radius server and certificates, so that I would not have to worry about the shared secret.... I was under the assumption that the user never gets a shared secret, that the user logs in with his domain credentials, and as long as he belongs to the group which I created for wireless clients he will be allowed to download the certificate onto his computer and then have access to the WLAN.... Is this incorrect?

Assisted Solution

kbhaskar earned 500 total points
ID: 24785368
Yes, your understanding is correct.

1. The shared secret is only for encrypting the data packets between client and AP. Once the packet reaches the AP, it will only forward Radius packets to the Radius server. Now, at this point the security issues pop in! If the Radius authentication involves a plain text password, anyone can sniff packets and extract vital info. If you are doing domain authentication, then the password would be in hash format; if you are using certificate authentication, then it is more safe.

One thing I would like to understand is: what type of client are you using? Is it the native wireless client or an industry standard wireless supplicant like Odyssey Access Client?


Author Comment

ID: 24790167
It is the native wireless client that comes with Windows. One thing I noticed though is that in the configuration it gives you the option for PEAP and smart does not say anything about LEAP.... I am not sure, but doesn't the Cisco Aironet 1200 use LEAP and not PEAP?
Would I need a different client to be able to connect?

Author Comment

ID: 24812235
I did install the certificate. First I browsed to the cert webpage of the server .....\\servername\certsrv and I installed it. When that did not work I went to the CA server and exported the certificate to a folder and then imported it into the client; that still did not work. ....@ Kbhaskar

Does anyone know the standard format to set up a Radius server to use a certificate that is issued by a CA that is part of an AD domain, to authenticate wireless users? I tried the setup with the guide from  but it did not work. I tried using both Cisco and Radius standard as the protocol between the Radius client and the server but neither works... Maybe I am overlooking something? ...Any ideas about troubleshooting? Would love to figure out where the problem stems from so I can work on that.... Maybe it is the Radius server and not the CA, not sure.... When I try to log in with my AD credentials it tells me that I am unable to authenticate.... ANY IDEAS APPRECIATED...THANKS

Author Comment

ID: 24834085
OK, after some playing around I got 2 of my clients to work! The problem I am having now is that I am able to connect and authenticate with userA but cannot with userB.... I know this problem has to come from the settings on the user but I did the exact same thing to configure both.... Any ideas?

Accepted Solution

kbhaskar earned 500 total points
ID: 24841908
Hey, good to know that you got it working.

Now coming to your query: The reason it is not working might be that, the certificate you installed is for a specific user. Now when you use different user login, the client is not presenting proper certificate or you might have not installed a cert for that user ID.

So, try creating a user cert for the second user and install the same on the user container.

Hope this helps.
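
The two conditions discussed in this thread (the issuing root CA present in a trusted root store, and a usable client certificate installed for the user who is logging on) can be checked from the wireless client. This is an added example, not part of the original posts; it assumes PowerShell 3.0 or later on the client, and the function name `Test-EapTlsCertificate` is hypothetical.

```powershell
# Added diagnostic, not from the thread. Run on the wireless client as the
# user who fails to authenticate. Test-EapTlsCertificate is a hypothetical name.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-EapTlsCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # An absent EKU extension means the certificate is not restricted by purpose.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $clientAuth = (-not $eku) -or
        [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })

    # Build the chain offline; revocation is deliberately not tested here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Certificate)

    # The last chain element is the root only when the chain is complete.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $isRoot = $top.Subject -eq $top.Issuer
    $inMachineRoot = $isRoot -and [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })
    $inUserRoot = $isRoot -and [bool](Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $top.Thumbprint })

    [pscustomobject]@{
        Subject           = $Certificate.Subject
        HasPrivateKey     = $Certificate.HasPrivateKey
        ClientAuthEku     = $clientAuth
        NotExpired        = (Get-Date) -lt $Certificate.NotAfter
        ChainBuilds       = $chainOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        TopOfChain        = $top.Subject
        RootInMachineRoot = $inMachineRoot
        RootInUserRoot    = $inUserRoot
    }
}

# Check every certificate in the logged-on user's Personal store.
$certs = @(Get-ChildItem Cert:\CurrentUser\My)
if ($certs.Count -eq 0) { Write-Warning 'No certificate installed for this user.' }
$certs | ForEach-Object { Test-EapTlsCertificate -Certificate $_ } | Format-List
```

Running it once per user account shows whether the second user has a certificate of their own with a private key, and whether the chain ends at a root that is present in a trusted root store.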


Author Comment

ID: 24855132
Strange thing is that I did do that and it did not work.... I restarted the server and now everything works. Task is to get my Radius to also authenticate my wired connections and my VPN users coming in on a Cisco ASA... that should be fun :)


Question has a verified solution.
