Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Assistance in trying to configure IAS RADIUS authentication for wireless network.

Posted on 2009-07-09
6
Medium Priority
?
3,651 Views
Last Modified: 2012-05-07
Hi Everyone,
I am encountering some problems while trying to configure basic IAS RADIUS authentication for my wireless network and I was wondering if anyone could help me.  I believe that I have set up the wireless profile correctly on my wireless controller and on my wireless laptops but it appears as if none of the authentication requests are not being authenticated through the new radius policy that I have set up and instead are being authenticated through the Connection request policy "Use Windows authentication for all user"s. I the error message that appears in the event log is below as well as a snippet from the IAS log file.

Any Assistance in helping me set up my RADIUS authentication would be greatly appreciated.

For my Configuration I have completed the following steps:

Controller configuration:
1)Created a new security profile for my wireless network that uses WPA2 and CCMP-AES data encryption and configured the primary RADIUS server to be my IAS Server

2)I then configured a new ESS profile with an SSID the uses this security profile.

IAS Configuration

1)I created a new RADIUS client that is my wireless controller

2) I then created a new Remote Access Policy to allow members of the domain Users Security group to be granted access to the wireless network.

-For Authentication I  selected the PEAP EAP method and then MS-CHAP V2 authentication.

-For Encryption I then selected all the various encryption types.

3)I then registered the Server in Active Directory.

I then ensured that the users accounts that I would be using to authenticate were configured to Allow Access for the Remote Access permission in AD users and computers.

Wireless Laptop Client configuration:

1)I configured the Vista clients to connect to the wireless network using WPA2-Enterpise security and AES encryption.

2)I then configured the PEAP authentication and then Secured Password (EAP-MSCHAP V2) for the authentication method.


When I attempt to connect to the network and enter in the appropriate user credentials the Wireless Network connection just continues Attempting to authenticate but never successfully does and I receive the below error messages in the event log.



Error in Event log:
 
 A RADIUS message with the Code field set to 4, which is not valid, was received on port 1812 from RADIUS client radiusclient. Valid values of the RADIUS Code field are documented in RFC 2865.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
IAS Logfile:
 
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4136,1,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

Open in new window

0
Comment
Question by:SteveJ-007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 44

Expert Comment

by:Darr247
ID: 24947703
I don't have a vista machine handy to check this, but during step 2 of the 'Wireless Laptop Client configuration' in the PEAP settings, is there a Configure button next to the picklist where the (EAP-MSCHAP V2) option is selected?

If so, click that Configure button and see what's in there.
0
 

Author Comment

by:SteveJ-007
ID: 25003164
Hi Darr247,
When I click the configure button the only option available is whether or not to automatically use my Windows login name and password. when connecting. the other settings I have  configured are to Not validate a Server certificate and not to cache the user credentials for subsequent connections.  
0
 
LVL 44

Expert Comment

by:Darr247
ID: 25003557
OK, please clarify this part of your original post:

>  ... but it appears as if none of the authentication requests are not
> being authenticated through the new radius policy that I have set
> up and instead are being authenticated through the Connection
> request policy "Use Windows authentication for all user"s.

Because the 'automatically use my Windows login name and password' option in that Configure window should control the behavior that line appears to say you're having a problem with.
Did you try UNchecking it, or are you really not having a problem with that part and I just misinterpreted what you're asking about?
0
Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

 

Author Comment

by:SteveJ-007
ID: 25009430
Hi Darr247,
I have tried unchecking the automatically use my Windows login name and password' option and I am prompted to enter additional credentials, so I then enter my domain username and password. The wireless network then attempts to authenticate and never does. I then get the log messages as displayed in the code section above and it appears as if the remote access policy has not been authenticated against.

Also I resolved the event log error message as it was due to my wireless controller using a different port for radius accounting.
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 1500 total points
ID: 25013163
I thought I'd get lucky, but nooooo. ;-)

Are you using your own CA, Thawte, VeriSign, et al, or are you trying to do it without any certs?

You're not migrating to PEAP from LEAP, are you?


Have you seen this webcast?

Using IAS server to set up 802.1x networks (72 mins)
http://support.microsoft.com/kb/842439
Download to view offline
http://download.microsoft.com/download/0/9/0/09027095-aab1-4c9f-83ed-2fa24ac5fc53/wc080404-offline.exe

It's kind of a best practices outline for setting up 802.1x authentication, and maybe it will show where you missed something.
0
 

Author Closing Comment

by:SteveJ-007
ID: 31601499
Great thanks for the advice, I will check out those resources and retrace my steps and hopefully find a step that I have missed.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question