Solved

Certificate Help?  - Setting up Cisco Aironet 1130AG for WPA using MS Server 2008 NPS RADIUS Authentication

Posted on 2010-04-06
2,825 Views
Last Modified: 2013-11-09
Hello,

I'm trying to set up a Cisco Aironet 1130AG wireless access point to use WPA - we have been using WEP but are undergoing an IT audit and WPA is a necessity.  In order to use WPA, the Aironet must point to a RADIUS server for authentication.  I have a MS Server 2008 Domain Controller that has the NPS role installed on it, and I want to use domain credentials for authentication to the AP.  

I do have some experience using RADIUS authentication - we have a Cisco ASA that uses IAS in Server 2003 to authenticate SSL VPN traffic, which I had no problem setting up.  However, I don't have much experience with wifi or NPS in Server 2008, and it's different enough from IAS that I'm having trouble.

When I set this up according to some documentation I have found, and then try to connect to the AP, I don't even get prompted for credentials - just get the message that it can't connect to the network.  Digging into the error messages on the laptop I'm trying to connect with yields the following statement:
_____________________________________________________________________________
Result of diagnosis: Problem found
 Issue referred to: EAP Helper Class

Root cause (EAP):
A certificate could not be found that can be used with theis Extensible Authentication Protocol.

Detailed root cause:
EAP failed
_____________________________________________________________________________

Based on this and some internet research, it appears that I will need a server certificate (on the RADIUS server?) and client certificates on each client that wants to connect to the AP.  To be honest, I'm not sure where to begin with that.

Would anyone be kind enough to provide some step-by-step instructions on how to set up a certificate to do this, and specifically how I should set up the Network Policy on the 2008 RADIUS server?  I have searched the internet and found much information, but none specifically addressing how to do this with the Aironet.  I have a pretty good understanding of the Aironet but if there's any special steps that need to be done there, that would be appreciated.

Thanks!

Question by:hachemp
10 Comments
 
LVL 3

Expert Comment

by:sparky2156
ID: 29950018
Hi,

Today may be your lucky day, or maybe not, depending on your answers to my questions!

I have experience in using the Cisco Aironet 1300 series APs, however I used the LAP versions with a Cisco Wireless LAN Controller. Incredible stuff, and in fact I did successfully set this up with a Server 2008 server with Network Policy Server Role installed and performing RADIUS lookups on the server itself. I configured the WLAN Controller to use my Server 2008 server as a radius server, and I was actually taking it a step further to prompt wireless users for their active directory credentials rather than certificates, however certificates is really just a feature of the EAP/EAP-TLS section of authenticating users.

In fact, I even documented all of this as well when I did it because I knew I would forget it all since it was quite complicated, and there was next to no resources on the web for doing it.

So if you could let me know if you are using a WLAN Controller, that would be great and I could probably help you with this. If not, let me know what setup you do have and what configurable options you have, and we may be able to work through it together.

Thanks.
0
 

Author Comment

by:hachemp
ID: 29950762
Thanks Sparky.  Unfortunately, we do not have a Cisco Wireless LAN Controller (have always wanted one though!).  However, what you're speaking of is exactly what I want - to prompt users for their AD credentials when they attempt to connect to wifi, and if they're a member of the correct AD group, they pass and they are connected.  I would prefer to bypass the certificate requirement entirely, but I'm afraid I'll be required to use them - do you know if I can do otherwise?

As far as configurable options....wow, there are many on each side of this.  The AP has plenty, but my only requirement there is to use WPA, however that may be.  On the NPS/RADIUS side, once again, many options, but my only requirement is for it to pass them based on AD group membership once they input their creds.  They then should get a DHCP address in the wifi VLAN I have created and all is well.  Is there any more specific info I could give you?  Thanks!
0
 
LVL 3

Accepted Solution

by:
sparky2156 earned 2000 total points
ID: 29954130
hachemp,

I feel your pain - especially with the task of having to implement the digital certificates side of things! But don't worry, I'm sure we can work through this.

First off, you are going to be required to create your own CA/PKI and issue these from your server itself. If you do this, you have all sorts of considerations such as deploying the Trusted Root CA certificate to the clients so that it becomes a trusted CA for the clients. This can be done through Group Policy though. To be honest, you would be best to follow this guide for that part:

http://technet.microsoft.com/en-us/library/dd348478%28WS.10%29.aspx


As for the Server configuration (restriction based on group, time of day etc is all authorization stuff), that's not really too much of a problem, and it can all be done through NPS.

As for giving them an IP in the correct VLAN, are you going to do this via your WAP or do you want to do this via the Server 2008 box? You can create multiple DHCP scopes on the server corresponding to your VLANs, and as long as routing is all working correctly (especially DHCP Relay Agent to forward DHCP requests to the DHCP server), the server will pick up on the GIADDR field (detects the IP address of the router the request came from) and dish out an IP based on this address matching a scope it has available.

When I am back in my office tomorrow morning, I will dig out my notes, cross-reference it with my previous work, and post it onto this question for you to look at. I think together, this should give you all the information you need to get this thing kicked into life.

If you have any questions at all in the meantime, please don't hesitate to post again.
0

 

Author Comment

by:hachemp
ID: 30024395
Thanks again Sparky.  I'm fairly confident on the server config (the only part I'm not completely sure about is the network policy under NPS, there's a lot of new options there compared to IAS in 2003), and I've already got a WEP wireless and multiple wired VLANs set up on separate DHCP scopes in 2008 server, so I think I'm good there.  My main worry was the certificate implementation.  I'll check out that link you sent and attempt to set up a CA...will post any questions or issues that I run into.  
0
 

Author Comment

by:hachemp
ID: 30063164
OK, so I've installed Certificate Services on the 2K8 box and....not sure what to do next, as far as installing the Trusted Root CA and creating a certificate for wifi access.  I've read through all of the TechNet info from that link and anything else I could find on the subject, but TechNet can get a little hard for me to follow at times, this being one of them.  

First off, I've seen some limitations using Standard server as a CA (such as autoenrollment)...should this concern me?  All of our DCs are running on Standard.  If need be, we could set up an Enterprise DC, but we'll have to true it up next year, so would prefer not to if possible.

I think if you could give me some basic steps or pointers as to what I'll need do and in what order in regards to the certificates that need to be set up, it would be a great help.  I'm fairly comfortable with Group Policy so I don't think pushing the certs out to the clients will be an issue, but I need to create them first, correct?  Do I need to install IIS on the box in order to create them?  Sorry for all the questions but I'm completely new to setting up an internal CA and creating my own certs.
0
 

Author Closing Comment

by:hachemp
ID: 32632548
Giving it to you Sparky for the assistance, even though you kind of bailed on me...:)  Regardless, we got it figured out.
0
 

Expert Comment

by:VincentDefour
ID: 34311989
hachemp .. you figured this out? Can you please let me know how .. I'm having exactly the same issue
0
 

Author Comment

by:hachemp
ID: 34313529
Yes, it took quite a bit of trial and error, but I finally got it working using PEAP and AD authentication.  This article was instrumental in configuring the CA and the certificates - http://support.microsoft.com/kb/814394.   I pretty much configured verbatim from that article.

One thing I can tell you is definitely use Server 2008 R2 if you're going to use server Standard for your CA.  If you use R1 you will not be able to configure autoenrollment.  Have to use either Standard R2 or Enterprise for that, and obviously Enterprise is much more expensive.

If you have any further questions post back...never hurts to review this stuff as it has been a while.
0
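As an added illustration, not posted by anyone in this thread, the Aironet IOS side of the setup the question asks about: a WPA SSID that relays EAP (PEAP) authentication to the NPS RADIUS server and places clients in the wireless VLAN. The NPS address 192.0.2.10, the shared secret placeholder, SSID name and VLAN 20 are assumed values.

```cisco
! Added example, not from the thread. Assumed: NPS at 192.0.2.10,
! SSID CORP-WIFI, wireless VLAN 20, placeholder shared secret.
aaa new-model
!
! NPS as RADIUS server; ports 1812/1813 are the NPS defaults and the
! secret must match the RADIUS client entry for this AP in NPS.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key REPLACE-WITH-SECRET
!
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
!
! Method list the SSID uses for EAP; the AP only forwards EAP to NPS,
! so the PEAP server certificate lives on NPS, not on the AP.
aaa authentication login eap_methods group rad_eap
!
dot11 ssid CORP-WIFI
 vlan 20
 authentication open eap eap_methods
 authentication key-management wpa
 guest-mode
!
interface Dot11Radio0
 encryption vlan 20 mode ciphers tkip
 ssid CORP-WIFI
!
! Tag the SSID's VLAN through to the wired side so clients pick up a
! lease from the wireless DHCP scope on the server.
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

TKIP is shown because the thread asks for WPA; where the clients support it, `authentication key-management wpa version 2` with `encryption vlan 20 mode ciphers aes-ccm` gives WPA2/AES instead, since TKIP is deprecated.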
 

Expert Comment

by:munisee
ID: 34313536
Hey Guys, Funny.. I am in the same situation as well. We have 5 WAPs with a 2100 WLC. I would like to use Radius with AD authentication, a single mobility group using a dedicated VLAN and subnet. I would also like to create a separate WLAN for vendor access that is separate from our LAN traffic. I am using Extreme for my core, Cisco Cats for my closet switches and Checkpoint for my FW out. Any help? I may post this as well. I was playing around with this but now we need to get this up by the end of the year.

Thanks.
0
 

Expert Comment

by:ronellis10
ID: 34467828
The link below helped tremendously in setting up our 1130's to authenticate users via AD and certificates.

http://araihan.wordpress.com/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

0
