Certificate Help? - Setting up Cisco Aironet 1130AG for WPA using MS Server 2008 NPS RADIUS Authenication


I'm trying to set up a Cisco Aironet 1130AG wireless access point to use WPA - we have been using WEP but are undergoing an IT audit and WPA is a necessity.  In order to use WPA, the Aironet must point to a RADIUS server for authentication.  I have a MS Server 2008 Domain Controller that has the NPS role installed on it, and I want to use domain credentials for authentication to the AP.  

I do have some experience using RADIUS authentication - we have a Cisco ASA that uses IAS in Server 2003 to authenticate SSL VPN traffic, which I had no problem setting up.  However, I don't have much experience with wifi or NPS in Server 2008, and it's different enough from IAS that I'm having trouble.

When I set this up according to some documentation I have found, and then try to connect to the AP, I don't even get prompted for credentials - just get the message that it can't connect to the network.  Digging into the error messages on the laptop I'm trying to connect with yields the following statement:
Result of diagnosis: Problem found
 Issue referred to: EAP Helper Class

Root cause (EAP):
A certificate could not be found that can be used with theis Extensible Authentication Protocol.

Detailed root cause:
EAP failed

Based on this and some internet research, it appears that I will need a server certificate (on the RADIUS server?) and client certificates on each client that wants to connect to the AP.  To be honest, I'm not sure where to begin with that.

Would anyone be kind enough to provide some step-by-step instructions on how to set up a certificate to do this, and specifically how I should set up the Network Policy on the 2008 RADIUS server?  I have searched the internet and found much information, but none specifically addressing how to do this with the Aironet.  I have a pretty good understanding of the Aironet but if there's any special steps that need to be done there, that would be appreciated.


Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


Today may be your lucky day, or maybe not, depending on your answers to my questions!

I have experience in using the Cisco Aeronet 1300 series APs, however I used the LAP versions with a Cisco Wireless LAN Controller. Incredible stuff, and infact I did successfully set this up with a Server 2008 server with Network Policy Server Role installed and performing RADIUS lookups on the server itself. I configured the WLAN Controller to use my Server 2008 server as a radius server, and I was actually taking it a step further to prompt wireless users for their active directory credentials rather than certificates, however certificates is really just a feature of the EAP/EAP-TLS section of authenticating users.

Infact, I even documented all of this as well when i did it because I knew i would forget it all since it was quite complicated, and there was next to no resources on the web for doing it.

So if you could let me know if you are using a WLAN Controller, that would be great and I could probably help you with this. If not, let me know what setup you do have and what configurable options you have, and we may be able to work through it together.

hachempAuthor Commented:
Thanks Sparky.  Unfortunately, we do not have a Cisco Wireless LAN Controller (have always wanted one though!).  However, what you're speaking of is exactly what I want - to prompt users for their AD credentials when they attempt to connect to wifi, and if they're a member of the correct AD group, they pass and they are connected.  I would prefer to bypass the certificate requirement entirely, but I'm afraid I'll be required to use them - do you know if I can do otherwise?

As far as configurable options....wow, there are many on each side of this.  The AP has plenty, but my only requirement there is to use WPA, however that may be.  On the NPS/RADIUS side, once again, many options, but my only requirement is for it to pass them based on AD group membership once they input their creds.  They then should get a DHCP address in the wifi VLAN I have created and all is well.  Is there any more specific info I could give you?  Thanks!

I feel your pain - especially with the task of having to implement the digital certificates side of things! But don't worry, I'm sure we can work trough this.

First off, you are going to be required to create your own CA/PKI and issue these from your server itself. If you do this, you have all sorts of considerations such as deploying the Trusted Root CA certificate to the clients so that it becomes a trusted CA for the clients. This can be done through Group Policy though. To be honoust, you would be best to follow this guide for that part:


As for the Server configuration (restriction based on group, time of day etc is all authorization stuff), that's not really too much of a problem, and it can all be done through NPS.

As for giving them an IP in the correct VLAN, are you going to do this via your WAP or do you want to do this via the server 208 box? You can create multiple DHCP scopes on the server corresponding to your VLANs, and as long as routing is all working correctly (especially DHCP Relay Agent to forward DHCP requests to the DHCP server), the server will pick up on the GIADDR field (detects the IP address of the router the request came from) and dish out an IP based on this address matching a scope it has available.

When I am back in my office tomorrow morning, I will dig out my notes, cross-reference it with my previous work, and post it onto this question for you to look at. I think together, this should give you all the information you need to get this thing kicked into life.

If you have any questions at all in the meantime, please don't hesitate to post again.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

hachempAuthor Commented:
Thanks again Sparky.  I'm fairly confident on the server config (the only part I'm not completely sure about is the network policy under NPS, there's a lot of new options there compared to IAS in 2003), and I've already got a WEP wireless and multiple wired VLANs set up on separate DHCP scopes in 2008 server, so I think I'm good there.  My main worry was the certificate implementation.  I'll check out that link you sent and attempt to set up a CA...will post any questions or issues that I run into.  
hachempAuthor Commented:
OK, so I've installed Certificate Services on the 2K8 box and....not sure what to do next, as far as installing the Trusted Root CA and creating a certificate for wifi access.  I've read through all of the TechNet info from that link and anything else I could find on the subject, but TechNet can get a little hard for me to follow at times, this being one of them.  

First off, I've seen some limitations using Standard server as a CA (such as autoenrollment)...should this concern me?  All of our DCs are running on Standard,.  If need be, we could set up an Enterprise DC, but we'll have to true it up next year, so would prefer not to if possible.

I think if you could give me some basic steps or pointers as to what I'll need do and in what order in regards to the certificates that need to be set up, it would be a great help.  I'm fairly comfortable with Group Policy so I don't think pushing the certs out to the clients will be an issue, but I need to create them first, correct?  Do I need to install IIS on the box in order to create them?  Sorry for all the questions but I'm completely new to setting up an internal CA and creating my own certs.
hachempAuthor Commented:
Giving it to you Sparky for the assistance, even though you kind of bailed on me...:)  Regardless, we got it figured out.
hackemp .. you figured this out? can you please let me knwo how .. i'm having an exactly the same issue
hachempAuthor Commented:
Yes, it took quite a bit of trial and error, but I finally got it working using PEAP and AD authentication.  This article was instrumental in configuring the CA and the certficates  - http://support.microsoft.com/kb/814394.   I pretty much configured verbatim from that article.

One thing I can tell you is definitely use Server 2008 R2 if you're going to use server Standard for your CA.  If you use R1 you will not be able to configure autoenrollment.  Have to use either Standard R2 or Enterprise for that, and obviously Enterprise is much more expensive.

If you have any further questions post back...never hurts to review this stuff as it has been a while.
Hey Guys, Funny.. I am in the same situation as well. We have 5 WAP's with a 2100 WLC. I would like to use Radius with AD authententication, a single mobility group using a dedicated VLAN and subnet. I would also like to create a seperate WLAN for vendor access that is seperate from our LAN traffic. I am using Extreme for my core, Cisco Cat's for my closet switches and Checkpoint for my FW out. Any help? I may post this as well. I was playing around with this but now we need to get this up by the end of the year.

The link below helped tremendously in setting up our 1130's to authenticate users via AD and and certificates.


It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Hardware

From novice to tech pro — start learning today.