stevepickard

asked on

Wireless certificate RADIUS authentication problems

Hi all,

I'm having a problem getting our new wifi set up and running as desired, so hope someone has come across this before and can point out where I'm going wrong.  I'm fairly new to RADIUS but am pretty sure it's installed and set up correctly.

The end result should be that Domain configured computers (with certificate from our CA) will be able to log onto the WIFI if logged into by a domain user.  Everything else trying to connect will be blocked.

Our setup is as follows:
Windows Vista/XP clients (using Vista as my test machine)
Netgear WFS709TP wireless management switch.
Windows Server 2008 Std with NPS installed.
Client/Server cert installed on both the Vista and the 2008 boxes

NPS is configured to talk to the Netgear as a valid Authenticator/Client, and is registered in AD.
It currently has 1 connection request policy of
NAS Port Type: Wireless - Other OR Wireless IEEE 802.11
and a single Network Policy of
NAS Port Type: Wireless - Other OR Wireless IEEE 802.11
Machine Groups: <domain>\Domain Computers
User Groups: <domain>\Domain Users OR <domain>\Domain Admins

Authentication method is PEAP with the server's certificate issued from the CA selected, and EAP-CHAPv2
Fast Reconnect is currently disabled for testing purposes.

The Netgear is configured with a visible SSID and WPA2-AES, authenticating against the RADIUS server, which is configured for the NPS box.

The clients have matching wireless settings, with Validate Server Certificate selected in the PEAP properties, and our root CA selected in the list.  Again fast reconnect, and also cache settings, are disabled for testing purposes.

When trying to connect to the wireless it fails.
In the Network Policy and Access Services event log nothing is displayed.
In the client's security log it shows:

A request was made to authenticate to a wireless network.

Subject:
      Security ID:            <domain>\jjennings
      Account Name:            jjennings
      Account Domain:            <domain>
      Logon ID:            0x78782

Network Information:
      Name (SSID):            WirelessTest
      Interface GUID:            {4bb28eb9-c2dd-42b0-8dab-f1fd995997cb}
      Local MAC Address:      00:22:FA:3F:25:F2
      Peer MAC Address:      00:24:B2:46:FA:C0

Additional Information:
      Reason Code:            Explicit Eap failure received (0x50005)
      Error Code:            0x40420110


It has been quite hard to track down what that error means in relation to my setup.

Another thought to mention is that the machine certificates are already being used for VPN access (but not against a radius server) so look to be working and recognised ok on the network.

Any thoughts or suggestions on what I may be doing wrong would be great, and if you need any more info then let me know too.

Thanks in advance!

James
stevepickard

ASKER

Looks like I've made a little bit of progress from trying random setting combinations.

Removing the Domain Computers entry from the NPS network policy now allows users\computers to connect, but I'm missing how the certificate checking works in this situation.
I've revoked an issued computer cert from the CA, but that computer can still connect to the wireless.

At the moment the only authentication allowed on the NPS is PEAP (EAP-MS CHAP v2) which as far as I understand checks both the client access certificate (PEAP) and domain\username+password (MSCHAPv2).

Or is this certificate checking the other way with the server presenting itself to the client?  And if so, what would I need to change so that the client's machine cert is checked before access is allowed?

Hope that makes sense.

James
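As an added illustration (not part of this thread, and not Microsoft's code), the Python model below applies the documented NPS evaluation rules to the policies described above: network policies are processed in order, the first match decides, every configured condition must match, and a request that matches no policy is rejected. The Machine Groups condition tests the computer account and the User Groups condition tests the user account, and one Access-Request carries exactly one identity, so a single policy that lists both conditions can never match a user's PEAP-MSCHAPv2 logon. That is consistent with the observation that removing Domain Computers made connections succeed. The identities, group names and policy names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One RADIUS Access-Request as NPS would see it (simplified model)."""
    nas_port_type: str        # e.g. "Wireless IEEE 802.11"
    identity: str             # constructed sample identity, not a real account
    identity_kind: str        # "user" or "machine": one request carries one identity
    groups: frozenset         # AD groups that identity belongs to


@dataclass(frozen=True)
class Policy:
    """A network policy: every configured condition must match (AND);
    the values inside one condition are alternatives (OR)."""
    name: str
    nas_port_types: frozenset
    machine_groups: frozenset = frozenset()   # empty = condition not configured
    user_groups: frozenset = frozenset()
    grant: bool = True

    def matches(self, req: Request) -> bool:
        if req.nas_port_type not in self.nas_port_types:
            return False
        # Machine Groups only matches when the *computer* account is the identity.
        if self.machine_groups and (
            req.identity_kind != "machine" or not (req.groups & self.machine_groups)
        ):
            return False
        # User Groups only matches when a *user* account is the identity.
        if self.user_groups and (
            req.identity_kind != "user" or not (req.groups & self.user_groups)
        ):
            return False
        return True


def evaluate(policies, req):
    """Policies are processed in order; the first match decides.
    A request that matches no policy is rejected (NPS default)."""
    for policy in policies:
        if policy.matches(req):
            return ("grant" if policy.grant else "deny", policy.name)
    return ("deny", None)


WIRELESS = frozenset({"Wireless - Other", "Wireless IEEE 802.11"})
DOMAIN_COMPUTERS = r"<domain>\Domain Computers"
DOMAIN_USERS = r"<domain>\Domain Users"
DOMAIN_ADMINS = r"<domain>\Domain Admins"

# The policy as first described in the thread: both group conditions in one policy.
ORIGINAL = [Policy("Wireless (machine AND user)", WIRELESS,
                   machine_groups=frozenset({DOMAIN_COMPUTERS}),
                   user_groups=frozenset({DOMAIN_USERS, DOMAIN_ADMINS}))]

# The policy after the Machine Groups condition was removed.
USER_ONLY = [Policy("Wireless (user)", WIRELESS,
                    user_groups=frozenset({DOMAIN_USERS, DOMAIN_ADMINS}))]

# Two separate policies, so computer and user authentications each have a match.
SEPARATE = [Policy("Wireless computers", WIRELESS,
                   machine_groups=frozenset({DOMAIN_COMPUTERS})),
            Policy("Wireless users", WIRELESS,
                   user_groups=frozenset({DOMAIN_USERS, DOMAIN_ADMINS}))]

# Constructed sample requests; identities are placeholders, not real accounts.
USER_REQ = Request("Wireless IEEE 802.11", r"<domain>\jjennings", "user",
                   frozenset({DOMAIN_USERS}))
MACHINE_REQ = Request("Wireless IEEE 802.11", r"<domain>\PC01$", "machine",
                      frozenset({DOMAIN_COMPUTERS}))
WIRED_REQ = Request("Ethernet", r"<domain>\jjennings", "user",
                    frozenset({DOMAIN_USERS}))


def scenario_results():
    """Evaluate every policy set against every request: {(set, request): decision}."""
    sets = {"original": ORIGINAL, "user_only": USER_ONLY, "separate": SEPARATE}
    reqs = {"user": USER_REQ, "machine": MACHINE_REQ, "wired": WIRED_REQ}
    return {(s, r): evaluate(policies, req)
            for s, policies in sets.items() for r, req in reqs.items()}


if __name__ == "__main__":
    for (policy_set, request), (decision, policy) in sorted(scenario_results().items()):
        print(f"{policy_set:10} {request:8} -> {decision:5} via {policy}")
```

The "original" set denies both the user and the machine request because neither identity can satisfy both group conditions at once; the "user_only" set admits users but leaves computer authentication with no matching policy; the "separate" set gives each identity type its own policy. On the trust-direction question: in PEAP-MSCHAPv2 the client validates the server's certificate and then proves a password inside the tunnel, so the client's machine certificate is never examined by NPS and revoking it has no effect on access. Having NPS validate (and revocation-check) a client certificate requires a certificate-based client method such as EAP-TLS.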
ASKER CERTIFIED SOLUTION
Cliff Galiher
Thanks for the suggestions there cgaliher.

I think I'll stick with the way it is working at the moment; it seems tight enough security for our needs, and as you pointed out, anything more is going to be a headache.

It's cleared things up a little, and stopped me going around in circles :)