Solved

Assistance in trying to configure IAS RADIUS authentication for wireless network.

Posted on 2009-07-09
Last Modified: 2012-05-07
Hi Everyone,
I am encountering some problems while trying to configure basic IAS RADIUS authentication for my wireless network and I was wondering if anyone could help me. I believe that I have set up the wireless profile correctly on my wireless controller and on my wireless laptops, but it appears as if none of the authentication requests are not being authenticated through the new RADIUS policy that I have set up and instead are being authenticated through the Connection request policy "Use Windows authentication for all users". The error message that appears in the event log is below, as well as a snippet from the IAS log file.

Any assistance in helping me set up my RADIUS authentication would be greatly appreciated.

For my Configuration I have completed the following steps:

Controller configuration:
1) Created a new security profile for my wireless network that uses WPA2 and CCMP-AES data encryption and configured the primary RADIUS server to be my IAS Server.

2) I then configured a new ESS profile with an SSID that uses this security profile.

IAS Configuration

1) I created a new RADIUS client that is my wireless controller.

2) I then created a new Remote Access Policy to allow members of the domain Users Security group to be granted access to the wireless network.

- For Authentication I selected the PEAP EAP method and then MS-CHAP V2 authentication.

- For Encryption I then selected all the various encryption types.

3) I then registered the Server in Active Directory.

I then ensured that the user accounts that I would be using to authenticate were configured to Allow Access for the Remote Access permission in AD Users and Computers.

Wireless Laptop Client configuration:

1) I configured the Vista clients to connect to the wireless network using WPA2-Enterprise security and AES encryption.

2) I then configured the PEAP authentication and then Secured Password (EAP-MSCHAP V2) for the authentication method.


When I attempt to connect to the network and enter the appropriate user credentials, the Wireless Network connection just continues attempting to authenticate but never successfully does, and I receive the below error messages in the event log.



Error in Event log:
 
 A RADIUS message with the Code field set to 4, which is not valid, was received on port 1812 from RADIUS client radiusclient. Valid values of the RADIUS Code field are documented in RFC 2865.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
 
 
IAS Logfile:
 
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:01:46,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 1,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:03:41,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 2,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4136,1,4142,0
172.18.1.201,username2,07/10/2009,18:05:59,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 3,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:10:47,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 4,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:35:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 5,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4136,1,4142,0
172.18.1.201,username,07/10/2009,18:48:00,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 6,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:50:43,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 7,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,4,172.18.1.201,5,2049,30,00-90-0B-10-93-6C:HEDLOC-Secure,31,00-1B-77-1A-DE-32,12,1250,61,19,77,CONNECT 802.11b/g,4108,172.18.1.201,4116,0,4128,Meru Demo,4155,0,4154,Use Windows authentication for all users,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4136,1,4142,0
172.18.1.201,MYDOMAIN\username,07/10/2009,18:51:01,IAS,MYIASSERVER,25,311 1 172.18.1.220 07/10/2009 07:25:14 8,4154,Use Windows authentication for all users,4155,0,4128,Meru Demo,4116,0,4108,172.18.1.201,4136,2,4142,0

Question by:SteveJ-007
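
Added example (not part of the original thread): a small Python parser for IAS-format log records like the ones posted above, which reports the connection request policy (attribute 4154, Proxy-Policy-Name) and the remote access policy (attribute 4149, NP-Policy-Name) separately for each record. The attribute-ID table is a subset of Microsoft's documented IAS log attributes; the sample records, host names and the policy name "Wireless Users" are constructed for illustration.

```python
import csv

# Subset of IAS-format attribute IDs (Microsoft's IAS log documentation);
# IDs below 256 are the standard RADIUS attribute numbers from RFC 2865.
ATTRS = {
    "4": "NAS-IP-Address", "5": "NAS-Port", "30": "Called-Station-Id",
    "31": "Calling-Station-Id", "61": "NAS-Port-Type",
    "4128": "Client-Friendly-Name", "4136": "Packet-Type",
    "4142": "Reason-Code", "4149": "NP-Policy-Name",
    "4154": "Proxy-Policy-Name", "4155": "Provider-Type",
}
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request",
                "11": "Access-Challenge"}
# The six fixed fields that start every IAS-format record.
HEADER = ("nas_ip", "user", "date", "time", "service", "computer")

# Constructed sample records (documentation address, made-up names).
SAMPLE = [
    '192.0.2.10,alice,07/10/2009,18:01:46,IAS,RADIUS01,4,192.0.2.10,31,00-11-22-33-44-55,4128,"WLC, floor 2",4154,Use Windows authentication for all users,4155,1,4136,1,4142,0',
    '192.0.2.10,alice,07/10/2009,18:01:46,IAS,RADIUS01,4149,Wireless Users,4154,Use Windows authentication for all users,4155,1,4136,2,4142,0',
    '192.0.2.10,bob,07/10/2009,18:03:41,IAS,RADIUS01,4154,Use Windows authentication for all users,4155,1,4136,3,4142,16',
]

def parse_ias_line(line):
    """Split one IAS-format record into header fields and named attributes."""
    fields = next(csv.reader([line]))  # csv handles quoted values with commas
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("not an IAS-format record: " + line[:40])
    rec = dict(zip(HEADER, fields[:6]))
    # After the header, the record is a flat run of attribute-ID,value pairs.
    for attr_id, value in zip(fields[6::2], fields[7::2]):
        rec[ATTRS.get(attr_id, attr_id)] = value  # unknown IDs keep their number
    return rec

def policy_summary(lines):
    """Per record: (user, packet type, connection request policy,
    remote access policy or None, reason code)."""
    out = []
    for rec in map(parse_ias_line, lines):
        ptype = rec.get("Packet-Type")
        out.append((rec["user"], PACKET_TYPES.get(ptype, ptype),
                    rec.get("Proxy-Policy-Name"), rec.get("NP-Policy-Name"),
                    rec.get("Reason-Code")))
    return out

if __name__ == "__main__":
    for row in policy_summary(SAMPLE):
        print(row)
```
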
 
LVL 44

Expert Comment

by:Darr247
ID: 24947703
I don't have a vista machine handy to check this, but during step 2 of the 'Wireless Laptop Client configuration' in the PEAP settings, is there a Configure button next to the picklist where the (EAP-MSCHAP V2) option is selected?

If so, click that Configure button and see what's in there.
0
 

Author Comment

by:SteveJ-007
ID: 25003164
Hi Darr247,
When I click the Configure button the only option available is whether or not to automatically use my Windows login name and password when connecting. The other settings I have configured are to not validate a server certificate and not to cache the user credentials for subsequent connections.
0
 
LVL 44

Expert Comment

by:Darr247
ID: 25003557
OK, please clarify this part of your original post:

>  ... but it appears as if none of the authentication requests are not
> being authenticated through the new radius policy that I have set
> up and instead are being authenticated through the Connection
> request policy "Use Windows authentication for all user"s.

Because the 'automatically use my Windows login name and password' option in that Configure window should control the behavior that line appears to say you're having a problem with.
Did you try UNchecking it, or are you really not having a problem with that part and I just misinterpreted what you're asking about?
0

 

Author Comment

by:SteveJ-007
ID: 25009430
Hi Darr247,
I have tried unchecking the 'automatically use my Windows login name and password' option and I am prompted to enter additional credentials, so I then enter my domain username and password. The wireless network then attempts to authenticate and never does. I then get the log messages as displayed in the code section above and it appears as if the remote access policy has not been authenticated against.

Also I resolved the event log error message as it was due to my wireless controller using a different port for radius accounting.
0
 
LVL 44

Accepted Solution

by:
Darr247 earned 1500 total points
ID: 25013163
I thought I'd get lucky, but nooooo. ;-)

Are you using your own CA, Thawte, VeriSign, et al, or are you trying to do it without any certs?

You're not migrating to PEAP from LEAP, are you?


Have you seen this webcast?

Using IAS server to set up 802.1x networks (72 mins)
http://support.microsoft.com/kb/842439
Download to view offline
http://download.microsoft.com/download/0/9/0/09027095-aab1-4c9f-83ed-2fa24ac5fc53/wc080404-offline.exe

It's kind of a best practices outline for setting up 802.1x authentication, and maybe it will show where you missed something.
0
 

Author Closing Comment

by:SteveJ-007
ID: 31601499
Great, thanks for the advice. I will check out those resources and retrace my steps and hopefully find a step that I have missed.
0
