Solved

Assistance in trying to configure IAS RADIUS authentication for wireless network.

Posted on 2009-07-09
6
3,395 Views
Last Modified: 2012-05-07
Hi Everyone,
I am encountering some problems while trying to configure basic IAS RADIUS authentication for my wireless network and I was wondering if anyone could help me.  I believe that I have set up the wireless profile correctly on my wireless controller and on my wireless laptops but it appears as if none of the authentication requests are not being authenticated through the new radius policy that I have set up and instead are being authenticated through the Connection request policy "Use Windows authentication for all user"s. I the error message that appears in the event log is below as well as a snippet from the IAS log file.

Any Assistance in helping me set up my RADIUS authentication would be greatly appreciated.

For my Configuration I have completed the following steps:

Controller configuration:
1)Created a new security profile for my wireless network that uses WPA2 and CCMP-AES data encryption and configured the primary RADIUS server to be my IAS Server

2)I then configured a new ESS profile with an SSID the uses this security profile.

IAS Configuration

1)I created a new RADIUS client that is my wireless controller

2) I then created a new Remote Access Policy to allow members of the domain Users Security group to be granted access to the wireless network.

-For Authentication I  selected the PEAP EAP method and then MS-CHAP V2 authentication.

-For Encryption I then selected all the various encryption types.

3)I then registered the Server in Active Directory.

I then ensured that the users accounts that I would be using to authenticate were configured to Allow Access for the Remote Access permission in AD users and computers.

Wireless Laptop Client configuration:

1)I configured the Vista clients to connect to the wireless network using WPA2-Enterpise security and AES encryption.

2)I then configured the PEAP authentication and then Secured Password (EAP-MSCHAP V2) for the authentication method.


When I attempt to connect to the network and enter in the appropriate user credentials the Wireless Network connection just continues Attempting to authenticate but never successfully does and I receive the below error messages in the event log.



Error in Event log:
 

 A RADIUS message with the Code field set to 4, which is not valid, was received on port 1812 from RADIUS client radiusclient. Valid values of the RADIUS Code field are documented in RFC 2865.
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 

IAS Logfile:
 

172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4136,1,4142,0

172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4136,1,4142,0

172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4136,1,4142,0

172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4136,1,4142,0

172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4136,1,4142,0

172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4136,1,4142,0

172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4136,1,4142,0

172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4136,1,4142,0

172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

Open in new window

0
Comment
Question by:SteveJ-007
  • 3
  • 3
6 Comments
 
LVL 44

Expert Comment

by:Darr247
ID: 24947703
I don't have a vista machine handy to check this, but during step 2 of the 'Wireless Laptop Client configuration' in the PEAP settings, is there a Configure button next to the picklist where the (EAP-MSCHAP V2) option is selected?

If so, click that Configure button and see what's in there.
0
 

Author Comment

by:SteveJ-007
ID: 25003164
Hi Darr247,
When I click the configure button the only option available is whether or not to automatically use my Windows login name and password. when connecting. the other settings I have  configured are to Not validate a Server certificate and not to cache the user credentials for subsequent connections.  
0
 
LVL 44

Expert Comment

by:Darr247
ID: 25003557
OK, please clarify this part of your original post:

>  ... but it appears as if none of the authentication requests are not
> being authenticated through the new radius policy that I have set
> up and instead are being authenticated through the Connection
> request policy "Use Windows authentication for all user"s.

Because the 'automatically use my Windows login name and password' option in that Configure window should control the behavior that line appears to say you're having a problem with.
Did you try UNchecking it, or are you really not having a problem with that part and I just misinterpreted what you're asking about?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:SteveJ-007
ID: 25009430
Hi Darr247,
I have tried unchecking the automatically use my Windows login name and password' option and I am prompted to enter additional credentials, so I then enter my domain username and password. The wireless network then attempts to authenticate and never does. I then get the log messages as displayed in the code section above and it appears as if the remote access policy has not been authenticated against.

Also I resolved the event log error message as it was due to my wireless controller using a different port for radius accounting.
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 500 total points
ID: 25013163
I thought I'd get lucky, but nooooo. ;-)

Are you using your own CA, Thawte, VeriSign, et al, or are you trying to do it without any certs?

You're not migrating to PEAP from LEAP, are you?


Have you seen this webcast?

Using IAS server to set up 802.1x networks (72 mins)
http://support.microsoft.com/kb/842439
Download to view offline
http://download.microsoft.com/download/0/9/0/09027095-aab1-4c9f-83ed-2fa24ac5fc53/wc080404-offline.exe

It's kind of a best practices outline for setting up 802.1x authentication, and maybe it will show where you missed something.
0
 

Author Closing Comment

by:SteveJ-007
ID: 31601499
Great thanks for the advice, I will check out those resources and retrace my steps and hopefully find a step that I have missed.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Let’s list some of the technologies that enable smooth teleworking. 
For Sennheiser, comfort, quality and security are high priority areas. This paper addresses the security of Bluetooth technology and the supplementary security that Sennheiser’s Contact Center and Office (CC&O) headsets provide.  
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now