Solved

Assistance in trying to configure IAS RADIUS authentication for wireless network.

Posted on 2009-07-09
Last Modified: 2012-05-07
Hi Everyone,
I am encountering some problems while trying to configure basic IAS RADIUS authentication for my wireless network and I was wondering if anyone could help me. I believe that I have set up the wireless profile correctly on my wireless controller and on my wireless laptops but it appears as if none of the authentication requests are not being authenticated through the new radius policy that I have set up and instead are being authenticated through the Connection request policy "Use Windows authentication for all user"s. The error message that appears in the event log is below, as well as a snippet from the IAS log file.

Any Assistance in helping me set up my RADIUS authentication would be greatly appreciated.

For my Configuration I have completed the following steps:

Controller configuration:
1) Created a new security profile for my wireless network that uses WPA2 and CCMP-AES data encryption and configured the primary RADIUS server to be my IAS server.

2) I then configured a new ESS profile with an SSID that uses this security profile.

IAS Configuration

1)I created a new RADIUS client that is my wireless controller

2) I then created a new Remote Access Policy to allow members of the domain Users Security group to be granted access to the wireless network.

-For Authentication I  selected the PEAP EAP method and then MS-CHAP V2 authentication.

-For Encryption I then selected all the various encryption types.

3)I then registered the Server in Active Directory.

I then ensured that the user accounts that I would be using to authenticate were configured to Allow Access for the Remote Access permission in AD Users and Computers.

Wireless Laptop Client configuration:

1) I configured the Vista clients to connect to the wireless network using WPA2-Enterprise security and AES encryption.

2)I then configured the PEAP authentication and then Secured Password (EAP-MSCHAP V2) for the authentication method.


When I attempt to connect to the network and enter in the appropriate user credentials the Wireless Network connection just continues Attempting to authenticate but never successfully does and I receive the below error messages in the event log.



Error in Event log:
 
 A RADIUS message with the Code field set to 4, which is not valid, was received on port 1812 from RADIUS client radiusclient. Valid values of the RADIUS Code field are documented in RFC 2865.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
IAS Logfile:
 
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4136,1,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

Question by:SteveJ-007

Expert Comment

by:Darr247
ID: 24947703
I don't have a vista machine handy to check this, but during step 2 of the 'Wireless Laptop Client configuration' in the PEAP settings, is there a Configure button next to the picklist where the (EAP-MSCHAP V2) option is selected?

If so, click that Configure button and see what's in there.

Author Comment

by:SteveJ-007
ID: 25003164
Hi Darr247,
When I click the Configure button, the only option available is whether or not to automatically use my Windows login name and password when connecting. The other settings I have configured are to not validate a server certificate and not to cache the user credentials for subsequent connections.

Expert Comment

by:Darr247
ID: 25003557
OK, please clarify this part of your original post:

>  ... but it appears as if none of the authentication requests are not
> being authenticated through the new radius policy that I have set
> up and instead are being authenticated through the Connection
> request policy "Use Windows authentication for all user"s.

Because the 'automatically use my Windows login name and password' option in that Configure window should control the behavior that line appears to say you're having a problem with.
Did you try UNchecking it, or are you really not having a problem with that part and I just misinterpreted what you're asking about?

Author Comment

by:SteveJ-007
ID: 25009430
Hi Darr247,
I have tried unchecking the 'automatically use my Windows login name and password' option and I am prompted to enter additional credentials, so I then enter my domain username and password. The wireless network then attempts to authenticate and never does. I then get the log messages as displayed in the code section above and it appears as if the remote access policy has not been authenticated against.

Also I resolved the event log error message as it was due to my wireless controller using a different port for radius accounting.
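
Added example, not part of the original thread: a small parser for the IAS-format log shown in the question, reporting for each record the packet type, the connection request policy (attribute 4154) and the remote access policy (attribute 4149), and listing records where no remote access policy name was logged. The first two sample lines are copied from the question's log; the third line and its policy name "Wireless Domain Users" are constructed for contrast.

```python
import csv

# IAS-format records: six fixed header fields, then attribute-id,value pairs.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
               "4": "Accounting-Request", "11": "Access-Challenge"}
CONN_REQ_POLICY = "4154"    # Proxy-Policy-Name: connection request policy matched
REMOTE_ACC_POLICY = "4149"  # NP-Policy-Name: remote access policy matched
PACKET, REASON = "4136", "4142"

SAMPLE = [
    # Lines 1-2: copied from the log in the question.
    "172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4136,1,4142,0",
    "172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0",
    # Line 3: constructed, shows a record that does carry attribute 4149.
    "172.18.1.201,username,07/10/2009,19:00:00,IAS,MYIASSERVER,4128,Meru Demo,4154,Use Windows authentication for all users,4149,Wireless Domain Users,4136,2,4142,0",
]

def parse_ias_line(line):
    """Split one record into header fields plus an {attribute id: value} dict."""
    fields = next(csv.reader([line]))  # csv handles quoted values containing commas
    if len(fields) < len(HEADER):
        raise ValueError("record shorter than the fixed header")
    pairs = fields[len(HEADER):]
    if len(pairs) % 2:
        raise ValueError("attribute id without a value")
    rec = dict(zip(HEADER, fields))
    # A repeated attribute id keeps only its last value, enough for this summary.
    rec["attrs"] = dict(zip(pairs[0::2], pairs[1::2]))
    return rec

def summarize(line):
    rec = parse_ias_line(line)
    a = rec["attrs"]
    return {
        "user": rec["user"],
        "time": rec["time"],
        "packet": PACKET_TYPE.get(a.get(PACKET), a.get(PACKET)),
        "reason_code": a.get(REASON),
        "connection_request_policy": a.get(CONN_REQ_POLICY),
        "remote_access_policy": a.get(REMOTE_ACC_POLICY),  # None if not logged
    }

def missing_remote_access_policy(lines):
    """Records that matched a connection request policy but log no 4149 value."""
    return [s for s in map(summarize, lines) if s["remote_access_policy"] is None]

if __name__ == "__main__":
    for s in map(summarize, SAMPLE):
        print(s)
```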

Accepted Solution

by:
Darr247 earned 500 total points
ID: 25013163
I thought I'd get lucky, but nooooo. ;-)

Are you using your own CA, Thawte, VeriSign, et al, or are you trying to do it without any certs?

You're not migrating to PEAP from LEAP, are you?


Have you seen this webcast?

Using IAS server to set up 802.1x networks (72 mins)
http://support.microsoft.com/kb/842439
Download to view offline
http://download.microsoft.com/download/0/9/0/09027095-aab1-4c9f-83ed-2fa24ac5fc53/wc080404-offline.exe

It's kind of a best practices outline for setting up 802.1x authentication, and maybe it will show where you missed something.

Author Closing Comment

by:SteveJ-007
ID: 31601499
Great, thanks for the advice. I will check out those resources and retrace my steps and hopefully find a step that I have missed.
Question has a verified solution.
