Wireless certificate RADIUS authentication problems

Hi all,

I'm having a problem getting our new wifi set up and running as desired, so hope someone has come across this before and can point out where I'm going wrong.  I'm fairly new to RADIUS but am pretty sure it's installed and setup correctly.

The end result should be that Domain configured computers (with certificate from our CA) will be able to log onto the WIFI if logged into by a domain user.  Everything else trying to connect will be blocked.

Our setup is as follows:
Windows Vista/XP clients (using Vista as my test machine)
Netgear WFS709TP wireless management switch.
Windows Server 2008 Std with NPS installed.
Client/Server cert installed on both the Vista and the 2008 boxes

NPS is configured to talk to the Netgear as a valid Authenticator/Client, and is registered in AD.
It currently has 1 connection request policy of
NAS Port Type: Wireless - Other OR Wireless IEEE 802.11
and a single Network Policy of
NAS Port Type: Wireless - Other OR Wireless IEEE 802.11
Machine Groups: <domain>\Domain Computers
User Groups: <domain>\Domain Users OR <domain>\Domain Admins

Authentication method is PEAP with the server's certificate issued from the CA selected, and EAP-CHAPv2
Fast Reconnect is currently disabled for testing purposes.

The Netgear is configured with a visible SSID and WPA2-AES, authenticating against the RADIUS server, which is configured to point at the NPS box.

The clients have matching wireless settings, with Validate Server Certificate selected in the PEAP properties, and our root CA selected in the list.  Again, fast reconnect and also the cache settings are disabled for testing purposes.

When trying to connect to the wireless it fails.
On the Network Policy and Access Services event log nothing is displayed.
On the client's security log it shows:

A request was made to authenticate to a wireless network.

Subject:
      Security ID:            <domain>\jjennings
      Account Name:            jjennings
      Account Domain:            <domain>
      Logon ID:            0x78782

Network Information:
      Name (SSID):            WirelessTest
      Interface GUID:            {4bb28eb9-c2dd-42b0-8dab-f1fd995997cb}
      Local MAC Address:      00:22:FA:3F:25:F2
      Peer MAC Address:      00:24:B2:46:FA:C0

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110


It has been quite hard to track down what that error means in relation to my setup.

Another thing to mention is that the machine certificates are already being used for VPN access (but not against a RADIUS server), so they look to be working and recognised OK on the network.

Any thoughts or suggestions on what I may be doing wrong would be great, and if you need any more info then let me know too.

Thanks in advance!

James
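The question notes that nothing appears in the Network Policy and Access Services log. On Windows Server 2008, NPS also records each authentication decision in the Security log, as event ID 6272 (access granted) or 6273 (access denied), once the "Network Policy Server" audit subcategory is enabled. The following script is an added example, not code from the original thread, and it assumes it is run elevated on the NPS server and that the event message carries the usual "Field: value" lines (Account Name, Network Policy Name, Authentication Type, EAP Type, Reason); those field names are an assumption taken from the standard 6272/6273 message layout.

```powershell
# Added example (not from the original thread): summarise recent NPS
# authentication decisions from the Security log on the NPS server.
# Assumptions: run elevated on the Windows Server 2008 NPS box; NPS
# auditing is enabled, so events 6272 (granted) and 6273 (denied) exist;
# the message text carries "Field: value" lines with the names used below.

param(
    [int]$Hours = 24,
    [string]$UserFilter = ''   # e.g. 'jjennings'; empty means all accounts
)

$since = (Get-Date).AddHours(-$Hours)

# Extract one "Name: value" line from the event message (empty if absent).
function Get-Field {
    param([string]$Message, [string]$Name)
    $pattern = "(?m)^\s*$([regex]::Escape($Name)):\s*(.+?)\s*$"
    $m = [regex]::Match($Message, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { '' }
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $msg  = $e.Message
    $acct = Get-Field $msg 'Account Name'
    if ($UserFilter -and $acct -notlike "*$UserFilter*") { continue }
    $result = 'DENIED'
    if ($e.Id -eq 6272) { $result = 'GRANTED' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Result     = $result
        Account    = $acct
        Client     = Get-Field $msg 'Client Friendly Name'      # the RADIUS client (the Netgear)
        CallingMAC = Get-Field $msg 'Calling Station Identifier' # the wireless station
        NetPolicy  = Get-Field $msg 'Network Policy Name'       # which network policy matched
        AuthType   = Get-Field $msg 'Authentication Type'       # e.g. PEAP
        EapType    = Get-Field $msg 'EAP Type'                  # inner method, e.g. EAP-MSCHAP v2
        Reason     = Get-Field $msg 'Reason'                    # populated on 6273 denials
    }
}

if (-not $rows) {
    Write-Host "No NPS events (6272/6273) in the last $Hours h."
    Write-Host "If NPS auditing is off, enable it with:"
    Write-Host '  auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable'
} else {
    $rows | Sort-Object Time -Descending | Format-Table -AutoSize
}
```

The Account, NetPolicy, AuthType and EapType columns answer the two questions raised in this thread directly: which identity (machine account or user account) each attempt was authenticated as, and which inner EAP method did the authenticating, so a denial can be tied to the policy conditions that rejected it rather than reverse-engineered from the client-side error code alone.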
stevepickardAsked:

stevepickardAuthor Commented:
Looks like I've made a little bit of progress from trying random setting combinations.

Removing the Domain Computers entry from the NPS network policy now allows users\computers to connect, but I'm missing how the certificate checking works in this situation.
I've revoked an issued computer cert from the CA, but that computer can still connect to the wireless.

At the moment the only authentication allowed on the NPS is PEAP (EAP-MS CHAP v2) which as far as I understand checks both the client access certificate (PEAP) and domain\username+password (MSCHAPv2).

Or is this certificate checking the other way with the server presenting itself to the client?  And if so, what would I need to change so that the client's machine cert is checked before access is allowed?

Hope that makes sense.

James
Cliff GaliherCommented:
You are missing a significant piece of the puzzle. When Windows boots, it will use a machine certificate to authenticate to the network for the access the machine needs, such as to be able to even talk to the RADIUS server, apply machine-level group policies, etc. The fact that you get as far as you do means this piece is working.
When a user logs on to a machine, the machine's certificate is *NOT* used. To use WPA2-Enterprise, each *USER* must also have a certificate on the machine that NPS will check and approve. So when you attempt to log on as yourself, you have no certificate to offer NPS and thus the connection is refused.
You have three choices:
1) Deploy a full PKI infrastructure where users as well as computers have certificates or
2) Configure WPA2-PSK, which does away with certificates for users and computers. Since AD changes computer passwords regularly anyway and they are complex, this is actually quite safe and is my recommended solution. You don't need to revoke a certificate to remove access. Deleting a user account from AD will prevent the user from logging on via any machine, and deleting the computer from AD will delete that account and prevent the machine from logging onto the domain regardless of what user account is used (say if a laptop is stolen, for instance).
3) You can configure computer accounts to use certificates and user accounts to use passwords. This is no easy task, there is a delicate balance to be struck, and I'd strongly discourage this path. Either go all certs or none. Trying to do a split scenario takes someone who is comfortable with PKI already and, based on your posts, I simply don't think this is a headache you want to take on. But it is worth listing as an option as technically it *can* be done.
stevepickardAuthor Commented:
Thanks for the suggestions there cqaliher.

I think I'll stick with the way it is working at the moment; it seems tight enough security for our needs, and as you pointed out, anything more is going to be a headache.

It's cleared things up a little, and stopped me going around in circles :)