Assistance in trying to configure IAS RADIUS authentication for wireless network.

Hi Everyone,
I am encountering some problems while trying to configure basic IAS RADIUS authentication for my wireless network and I was wondering if anyone could help me. I believe that I have set up the wireless profile correctly on my wireless controller and on my wireless laptops, but it appears as if none of the authentication requests are not being authenticated through the new RADIUS policy that I have set up and instead are being authenticated through the Connection request policy "Use Windows authentication for all users". The error message that appears in the event log is below, as well as a snippet from the IAS log file.

Any assistance in helping me set up my RADIUS authentication would be greatly appreciated.

For my Configuration I have completed the following steps:

Controller configuration:
1) Created a new security profile for my wireless network that uses WPA2 and CCMP-AES data encryption and configured the primary RADIUS server to be my IAS server.

2) I then configured a new ESS profile with an SSID that uses this security profile.

IAS Configuration

1) I created a new RADIUS client that is my wireless controller.

2) I then created a new Remote Access Policy to allow members of the Domain Users security group to be granted access to the wireless network.

- For authentication I selected the PEAP EAP method and then MS-CHAP V2 authentication.

- For encryption I then selected all the various encryption types.

3) I then registered the server in Active Directory.

I then ensured that the user accounts that I would be using to authenticate were configured to Allow Access for the Remote Access permission in AD Users and Computers.

Wireless Laptop Client configuration:

1) I configured the Vista clients to connect to the wireless network using WPA2-Enterprise security and AES encryption.

2) I then configured the PEAP authentication and then Secured Password (EAP-MSCHAP V2) for the authentication method.


When I attempt to connect to the network and enter the appropriate user credentials, the wireless network connection just continues attempting to authenticate but never successfully does, and I receive the below error messages in the event log.



Error in Event log:
 
 A RADIUS message with the Code field set to 4, which is not valid, was received on port 1812 from RADIUS client radiusclient. Valid values of the RADIUS Code field are documented in RFC 2865.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
IAS Logfile:
 
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4136,1,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

SteveJ-007 Asked:
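
The IAS-format log records posted in the question can be decoded field by field. The following is an added example, not part of the original thread: it splits each record into its six header fields and the attribute-ID/value pairs that follow, then reports the packet type, reason code and policy names. Attribute names follow Microsoft's IAS-format log documentation and cover only the IDs in the posted log plus 4149 (NP-Policy-Name, the remote access policy name); the function names are hypothetical, and SAMPLE holds the first two records from the post.

```python
import csv

# IAS-format log: six fixed header fields, then attribute-id,value pairs.
HEADER = ("nas_ip", "user_name", "date", "time", "service", "computer")
# Subset of attribute IDs (those in the posted log, plus 4149); names as in
# Microsoft's IAS-format log documentation. Unknown IDs are kept as attr-<id>.
ATTR_NAMES = {
    4: "NAS-IP-Address", 5: "NAS-Port", 12: "Framed-MTU", 25: "Class",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 61: "NAS-Port-Type",
    77: "Connect-Info", 4108: "Client-IP-Address", 4116: "Client-Vendor",
    4128: "Client-Friendly-Name", 4136: "Packet-Type", 4142: "Reason-Code",
    4149: "NP-Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}
# First two records from the log posted in the question.
SAMPLE = [
    "172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4136,1,4142,0",
    "172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0",
]

def parse_ias_line(line):
    """Return the header fields plus an 'attrs' dict of named attributes."""
    fields = next(csv.reader([line]))
    pairs = fields[len(HEADER):]
    if len(fields) < len(HEADER) or len(pairs) % 2:
        raise ValueError("not a well-formed IAS-format record")
    rec = dict(zip(HEADER, fields))
    rec["attrs"] = {
        ATTR_NAMES.get(int(attr_id), f"attr-{attr_id}"): value
        for attr_id, value in zip(pairs[0::2], pairs[1::2])
    }
    return rec

def summarize(line):
    """Pull out the fields that show which policies handled the request."""
    rec = parse_ias_line(line)
    a = rec["attrs"]
    return {
        "user": rec["user_name"],
        "packet": PACKET_TYPES.get(a.get("Packet-Type"), a.get("Packet-Type")),
        "reason_code": a.get("Reason-Code"),
        "connection_request_policy": a.get("Proxy-Policy-Name"),
        "remote_access_policy": a.get("NP-Policy-Name"),  # None if not logged
    }

if __name__ == "__main__":
    for entry in SAMPLE:
        print(summarize(entry))
```

For the two sample records this reports Packet-Type 1 and 2 with Reason-Code 0, the connection request policy name from attribute 4154, and no NP-Policy-Name attribute.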

Darr247 Commented:
I don't have a vista machine handy to check this, but during step 2 of the 'Wireless Laptop Client configuration' in the PEAP settings, is there a Configure button next to the picklist where the (EAP-MSCHAP V2) option is selected?

If so, click that Configure button and see what's in there.
SteveJ-007 Author Commented:
Hi Darr247,
When I click the Configure button the only option available is whether or not to automatically use my Windows login name and password when connecting. The other settings I have configured are to not validate a server certificate and not to cache the user credentials for subsequent connections.
Darr247 Commented:
OK, please clarify this part of your original post:

>  ... but it appears as if none of the authentication requests are not
> being authenticated through the new radius policy that I have set
> up and instead are being authenticated through the Connection
> request policy "Use Windows authentication for all users".

Because the 'automatically use my Windows login name and password' option in that Configure window should control the behavior that line appears to say you're having a problem with.
Did you try UNchecking it, or are you really not having a problem with that part and I just misinterpreted what you're asking about?
SteveJ-007 Author Commented:
Hi Darr247,
I have tried unchecking the 'automatically use my Windows login name and password' option and I am prompted to enter additional credentials, so I then enter my domain username and password. The wireless network then attempts to authenticate and never does. I then get the log messages as displayed in the code section above and it appears as if the remote access policy has not been authenticated against.

Also, I resolved the event log error message, as it was due to my wireless controller using a different port for RADIUS accounting.
Darr247 Commented:
I thought I'd get lucky, but nooooo. ;-)

Are you using your own CA, Thawte, VeriSign, et al, or are you trying to do it without any certs?

You're not migrating to PEAP from LEAP, are you?


Have you seen this webcast?

Using IAS server to set up 802.1x networks (72 mins)
http://support.microsoft.com/kb/842439
Download to view offline
http://download.microsoft.com/download/0/9/0/09027095-aab1-4c9f-83ed-2fa24ac5fc53/wc080404-offline.exe

It's kind of a best practices outline for setting up 802.1x authentication, and maybe it will show where you missed something.
SteveJ-007 Author Commented:
Great, thanks for the advice. I will check out those resources and retrace my steps and hopefully find a step that I have missed.