Authenticate via RADIUS and AD for wirless client

AP - Cisco 1240AG
Radius - IAS
Certificate service installed.
WPA2 enterprise on AP and KTIP

At the moment, after installed the certicate and setup from client end, whenever i try to connect, it require a login account. i have tried several accounts but still cant get in. The client account is in the IAS policy group and have access in the user properties. The error i am getting from the AP is "Station xxxx.xxxx.xxxx Authenticatioin failed".

i had re-entered the ShareKey between the AP and IAS but still the same.
what i really want is to allow the client to use the wireless with easy setup, WITHOUT certificate installation prefer, just via IAS and AD.  

can someone point out what i missed out or provide me the steps to make this work.
thanks in advance
Who is Participating?
there are few options what you want achieve. read these articles and verify your settings.


without certificate it will work unfortunately. The unsecure way of delivering wirless is only WPA2 and PSK which i dont recommend.

nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Can you post your config?

Do you have any authentication errors in your IAS event viewer logs?
supra87Author Commented:

see below. this is what i get from the system event log when i try to connect to the wireless WITHOUT
using the certificate.

settings on the client end:
Security type: WPA2-enterprise
Encryption type: TKIP
Authentication method:  PEAP
in the EAP properties, the Auth Method is EAP-MSCHAP v2


User students\student was granted access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address =
 NAS-Identifier = ap
 Client-Friendly-Name = Resource Centre
 Client-IP-Address =
 Calling-Station-Identifier = b482.fe6f.65e1
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 38087
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = <none>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>

For more information, see Help and Support Center at
Live Q & A: Securing Your Wi-Fi for Summer Travel

Traveling this summer? Join us on June 18, 2018 for a live stream to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

supra87Author Commented:
Forgot to mention, the authentication window keep pop up for enter the username and password.
On the AP log, it's also logged " Authentication failed" message
supra87Author Commented:
Further info:
after i changed the shared secret key from both AP and IAS with a longer and mixture of letter, number,symbol, i got a different error from the system event log:

" An Access-Request message was recieved from RADIUS client Resource Centre with a message authenticator attribute that is not valid."

Note: the checkbox in the IAS client setting " Request must contain ...." tick or untick does not make any difference. same error as above.
supra87Author Commented:
The wireless is working now but i still dont know how. The things i changed from the setup were several different SSID and Secret Share Key. There must be some sort of restrictions on how the SSID or Share key set. i tested with diff share key or SSID and sometimes got diff error message in even log.
i always update the share key of both end IAS and AP. Now i dont use cert, use WAP2 with AD authentication only. Is this secure enought? thanks
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.