Solved

How do I configure my Cisco AP1200 to use my RADIUS server for authentication?

Posted on 2009-07-04
Last Modified: 2013-11-12
I have only one 2003 in my domain running AD, and I have installed IAS (RADIUS server) and IIS, and have made the server the Root CA. It is also the DNS and DHCP server.
I want to be able to have my wireless users authenticate against my RADIUS server using a certificate issued by the certificate server. How can I accomplish this?
In the Security settings of the AP1200 I have configured it to use WPA / the RADIUS server as its method of authentication. I inputted the shared key between the AP1200 and the RADIUS server.
I also created a group in the AD called Wireless users. I then created a remote access policy under the IAS and added the group to it. The next step I did was from the wireless client: I browsed to my serverIPaddress\certsrv and installed the certificate via my wired LAN. After this I disconnected from the wired network and tried to connect via my WiFi connection. When I do this I get the following error... THE ROOT CERTIFICATE REQUIRED FOR AUTHENTICATION WAS NOT FOUND IN THE CERTIFICATE STORE.... Where did I go wrong?
Question by:jbovalley
8 Comments
 

Assisted Solution

by:kbhaskar
kbhaskar earned 500 total points
ID: 24783091
If you are using the certificate authentication, then try importing the machine cert on to the machine store.

1. mmc
2. Add remove snap-in
3. Certificates
4. Computer Account
5. Choose the certificate to import

Do the same thing for the User Certificate as well.

Now try to authenticate.

If you are familiar with 802.1x security, I recommend implementing that for better security. This way you are not compromising the "SHARED SECRET" leakage by users.

Hope this helps.
-Bhaskara
 

Author Comment

by:jbovalley
ID: 24783815
I am somewhat familiar with 802.1x security... that is the reason I wanted to go with the RADIUS server and certificates... so that I would not have to worry about the shared secret... I was under the assumption that the user never gets a shared secret, that the user logs in with his domain credentials, as long as he belongs to the group which I created for wireless clients he will be allowed to download the certificate into his computer and then have access to the WLAN... Is this incorrect?

Assisted Solution

by:kbhaskar
kbhaskar earned 500 total points
ID: 24785368
Yes, your understanding is correct.

1. The shared secret is only for encrypting the data packets between client and AP. Once the packet reaches the AP, it will only forward RADIUS packets to the RADIUS server. Now, at this point the security issues pop in! If the RADIUS authentication involves a plain text password, anyone can sniff packets and extract vital info. If you are doing domain authentication, then the password would be in hash format; if you are using certificate authentication, then it is more safe.

One thing I would like to understand is what type of client you are using. Is it the native wireless client or an industry standard wireless supplicant like Odyssey Access Client?

-bhaskar
 

Author Comment

by:jbovalley
ID: 24790167
It is the native wireless client that comes with Windows XP... One thing I noticed though is that in the configuration it gives you the option for PEAP and smart card... it does not say anything about LEAP... I am not sure, but doesn't the Cisco Aironet 1200 use LEAP and not PEAP?
Would I need a different client to be able to connect?

Author Comment

by:jbovalley
ID: 24812235
I did install the certificate. First I browsed to the cert webpage of the server .....\\servername\certsrv and I installed it. When that did not work I went to the CA server and exported the certificate to a folder and then imported it into the client; that still did not work. ....@ Kbhaskar

Does anyone know the standard format to set up a RADIUS server to use a certificate that is issued by a CA that is part of an AD domain, to authenticate wireless users? I tried the setup with the guide from http://www.hansenonline.net/Networking/wlanradius.html but it did not work. I tried using both Cisco and RADIUS Standard as the protocol between the RADIUS client and the server, but neither works... Maybe I am overlooking something? ... Any ideas about troubleshooting? Would love to figure out where the problem stems from so I can work on that... maybe it is the RADIUS server and not the CA, not sure... When I try to log in with my AD credentials it tells me that I am unable to authenticate... ANY IDEAS APPRECIATED... THANKS
 

Author Comment

by:jbovalley
ID: 24834085
OK, after some playing around I got 2 of my clients to work! The problem I am having now is that I am able to connect and authenticate with userA but cannot with userB... I know this problem has to come from the settings on the user, but I did the exact same thing to configure both... any ideas?

Accepted Solution

by:
kbhaskar earned 500 total points
ID: 24841908
Hey, good to know that you got it working.

Now coming to your query: The reason it is not working might be that the certificate you installed is for a specific user. Now when you use a different user login, the client is not presenting the proper certificate, or you might not have installed a cert for that user ID.

So, try creating a user cert for the second user and install the same on the user container.

Hope this helps.

Thanks
Bhaskar
 

Author Comment

by:jbovalley
ID: 24855132
Strange thing is that I did do that and it did not work... I restarted the server and now everything works fine... Next task is to get my RADIUS to also authenticate my wired connections and my VPN users coming in on a Cisco ASA... that should be fun :)
0
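
A client-side check for the two conditions discussed in this thread (the issuing root CA missing from the Trusted Root store, and a user who has no client certificate of their own), as an added example that is not part of any post above. It assumes Windows PowerShell is available on the wireless client, and the CA name `Example-Root-CA` is a placeholder for your own root CA's subject name.

```powershell
# Added example: certificate checks on the wireless client. Run once per logged-on user.
# $RootCaName is a placeholder assumption; pass the subject name of your own root CA.
param([string]$RootCaName = 'Example-Root-CA')

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage: Client Authentication

function Get-StoreCerts([string]$Location, [string]$Name) {
    # Open a certificate store read-only and return its certificates.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($Name, $Location)
    $store.Open('ReadOnly')
    try { return @($store.Certificates) } finally { $store.Close() }
}

function Test-RootTrusted {
    # The root CA must sit in a Trusted Root store; a copy under "Personal" does not count.
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        $hit = @(Get-StoreCerts $loc 'Root' | Where-Object { $_.Subject -like "*CN=$RootCaName*" })
        "{0}\Root contains {1}: {2}" -f $loc, $RootCaName, ($hit.Count -gt 0)
    }
}

function Get-ClientAuthCerts {
    # Report every personal certificate and whether it can be used for client authentication.
    foreach ($loc in 'CurrentUser', 'LocalMachine') {
        foreach ($cert in Get-StoreCerts $loc 'My') {
            $oids = @($cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            # Skip revocation lookups so the result reflects trust only (client may be offline).
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            New-Object PSObject -Property @{
                Store               = "$loc\My"
                Subject             = $cert.Subject
                NotAfter            = $cert.NotAfter
                HasPrivateKey       = $cert.HasPrivateKey
                # A certificate with no EKU extension is valid for all purposes.
                ClientAuthEku       = ($oids.Count -eq 0) -or ($oids -contains $clientAuthOid)
                ChainsToTrustedRoot = $chain.Build($cert)
            }
        }
    }
}

Test-RootTrusted
Get-ClientAuthCerts | Format-List
```

A user with no `CurrentUser\My` entry showing `HasPrivateKey`, `ClientAuthEku` and `ChainsToTrustedRoot` all `True` has no certificate to present, which is the per-user case the accepted solution describes.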
