Authenticate via RADIUS and AD for wirless client

AP - Cisco 1240AG
Radius - IAS
Certificate service installed.
WPA2 enterprise on AP and KTIP

At the moment, after installed the certicate and setup from client end, whenever i try to connect, it require a login account. i have tried several accounts but still cant get in. The client account is in the IAS policy group and have access in the user properties. The error i am getting from the AP is "Station xxxx.xxxx.xxxx Authenticatioin failed".

i had re-entered the ShareKey between the AP and IAS but still the same.
what i really want is to allow the client to use the wireless with easy setup, WITHOUT certificate installation prefer, just via IAS and AD.  

can someone point out what i missed out or provide me the steps to make this work.
thanks in advance
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nappy_dThere are a 1000 ways to skin the technology cat.Commented:
Can you post your config?

Do you have any authentication errors in your IAS event viewer logs?
supra87Author Commented:

see below. this is what i get from the system event log when i try to connect to the wireless WITHOUT
using the certificate.

settings on the client end:
Security type: WPA2-enterprise
Encryption type: TKIP
Authentication method:  PEAP
in the EAP properties, the Auth Method is EAP-MSCHAP v2


User students\student was granted access.
 Fully-Qualified-User-Name = <undetermined>
 NAS-IP-Address =
 NAS-Identifier = ap
 Client-Friendly-Name = Resource Centre
 Client-IP-Address =
 Calling-Station-Identifier = b482.fe6f.65e1
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 38087
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = <none>
 Authentication-Server = <undetermined>
 Policy-Name = <undetermined>
 Authentication-Type = <undetermined>
 EAP-Type = <undetermined>

For more information, see Help and Support Center at
supra87Author Commented:
Forgot to mention, the authentication window keep pop up for enter the username and password.
On the AP log, it's also logged " Authentication failed" message
How the Cloud Can Help You as an MSSP

Today, every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. Register today to learn more!

supra87Author Commented:
Further info:
after i changed the shared secret key from both AP and IAS with a longer and mixture of letter, number,symbol, i got a different error from the system event log:

" An Access-Request message was recieved from RADIUS client Resource Centre with a message authenticator attribute that is not valid."

Note: the checkbox in the IAS client setting " Request must contain ...." tick or untick does not make any difference. same error as above.
there are few options what you want achieve. read these articles and verify your settings.


without certificate it will work unfortunately. The unsecure way of delivering wirless is only WPA2 and PSK which i dont recommend.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
supra87Author Commented:
The wireless is working now but i still dont know how. The things i changed from the setup were several different SSID and Secret Share Key. There must be some sort of restrictions on how the SSID or Share key set. i tested with diff share key or SSID and sometimes got diff error message in even log.
i always update the share key of both end IAS and AP. Now i dont use cert, use WAP2 with AD authentication only. Is this secure enought? thanks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.