Troubleshooting wireless using MS IAS/Certificates and PEAP

Posted on 2010-09-23
Last Modified: 2013-12-09
I've been trying to set up a secure wireless network in our building.
The infrastructure consists of a Cisco WLAN controller WLC2106 with AIR-AP1131AG-E-K9 access points. I'm pretty certain these are configured correctly as we have a 'guest' WLAN set up and working which uses the built-in user authentication.
The RADIUS server is a Windows 2003 Enterprise server SP1 running IAS. Laptops are running XP SP3 with Wireless Zero Configuration.

I have:
Created a self signed certificate using SelfSSL.exe
Exported the certificate (without the private key)
Created a Group Policy 'PKI policy' that imports the exported certificate into the Trusted Root Certificate Authority and applied it to a test OU containing a test laptop.
Created a Group Policy 'Wifi settings' that sets the Wireless Network Policy with these settings:
(six screenshots, Settings 1 to 6, not reproduced)
The RADIUS client in IAS is set with the correct IP for the Cisco Wireless LAN controller. The Client-Vendor setting is RADIUS Standard (should it be, for this type of LAN controller?) and I've redone the shared secret several times to make sure.

I've created a Remote Access Policy:
(eight screenshots, Settings 7 to 14, not reproduced)

The test laptop gets the policies, the certificate seems to be present and the wireless profile is set up (and can't be changed on the laptop, as it should be when configured by Group Policy). The laptop attempts to connect, but sticks on Validating identity. The Wireless controller logs show repeated entries of the form:
Thu Sep 23 09:27:22 2010 RADIUS server 192.168.153.21:1812 failed to respond to request (ID **) for client 00:12:f0:1f:1a:ce / user 'unknown'
(that's the MAC of the test laptop).

Where do I troubleshoot from here? I'm willing to provide more info if needed, just let me know.
Question by SYPTE-IT
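The controller message quoted in the question is a RADIUS timeout seen from the WLC side: no Access-Accept or Access-Reject ever came back, so it points at reachability or at the RADIUS client and shared-secret configuration between the WLC and IAS rather than at a credential failure (a rejected credential would produce an Access-Reject, not a "failed to respond"). The following is an added example, not part of the original question and not a Cisco or Microsoft tool: a small Python parser that reads WLC log lines in the quoted format, counts timeouts per RADIUS server and per client MAC, and flags any client that produces an unusual burst of requests in a short window. The sample log lines are constructed for the example (only the server address 192.168.153.21:1812 and the test laptop's MAC are taken from the post; the second MAC 00:1b:77:aa:bb:cc, the request IDs and the timestamps are invented), and the 30-second window and threshold of 10 requests are arbitrary assumptions to be tuned against real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Pattern for the WLC message quoted in the question. The request ID is either a
# number or masked with asterisks, as it appears in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"RADIUS server (?P<server>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"failed to respond to request \(ID (?P<id>\d+|\*+)\) "
    r"for client (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) / user '(?P<user>[^']*)'$"
)


def parse_line(line):
    """Return a dict for a 'failed to respond' line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Collapse the double space the controller prints before single-digit days.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {
        "ts": ts,
        "server": f"{m['server']}:{m['port']}",
        "mac": m["mac"].lower(),
        "request_id": m["id"],
        "user": m["user"],
    }


def max_in_window(times, window):
    """Largest number of events falling inside any interval of length `window`."""
    times = sorted(times)
    best = 0
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:  # slide the left edge forward
            j += 1
        best = max(best, i - j + 1)
    return best


def summarize(lines, window=timedelta(seconds=30), flood_threshold=10):
    """Aggregate timeouts per server and per client and flag bursting clients."""
    events = [e for e in map(parse_line, lines) if e]
    per_server = Counter(e["server"] for e in events)
    times_by_mac = defaultdict(list)
    for e in events:
        times_by_mac[e["mac"]].append(e["ts"])
    per_client = {
        mac: {"count": len(ts), "max_in_window": max_in_window(ts, window)}
        for mac, ts in times_by_mac.items()
    }
    flooding = sorted(mac for mac, s in per_client.items()
                      if s["max_in_window"] >= flood_threshold)
    return {
        "parsed": len(events),
        "skipped": len(lines) - len(events),
        "per_server": dict(per_server),
        "per_client": per_client,
        "flooding": flooding,
    }


def constructed_sample():
    """Constructed log lines (not a real capture) in the controller's format."""
    base = datetime(2010, 9, 23, 9, 27, 22)

    def line(ts, mac, req_id):
        return (ts.strftime("%a %b %d %H:%M:%S %Y")
                + f" RADIUS server 192.168.153.21:1812 failed to respond to request"
                + f" (ID {req_id}) for client {mac} / user 'unknown'")

    # A second, invented client that times out three times, 90 seconds apart.
    lines = [line(base + timedelta(seconds=90 * i), "00:1b:77:aa:bb:cc", 40 + i)
             for i in range(3)]
    # The test laptop's MAC from the post, retrying every two seconds.
    lines += [line(base + timedelta(seconds=2 * i), "00:12:f0:1f:1a:ce", "**")
              for i in range(12)]
    # An unrelated line the parser must skip (invented text).
    lines.append("Thu Sep 23 09:28:00 2010 unrelated message that the parser must skip")
    return lines


if __name__ == "__main__":
    report = summarize(constructed_sample())
    print("timeouts per server:", report["per_server"])
    for mac, stats in report["per_client"].items():
        print(f"{mac}: {stats['count']} timeouts, burst of {stats['max_in_window']}")
    print("clients bursting:", report["flooding"])
```

In practice the lines come from the controller's message log or from the debug output of the WLC; what matters for triage is the split between "every client times out against one server" (server-side or path problem) and "one client generates a burst while others are fine" (client-side problem, which is what the accepted solution in this thread turned out to be).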
Expert Comment by RikeR (ID: 33743291)
Hi,

Debugging IAS can be tricky. There are two places where you should look for errors. First, you can set a logging option in IAS itself. Open IAS and select "Remote Access Logging", double-click Local File and select the options you want to log. The log file it creates is formatted terribly, but it can contain some info.
The best info can be found in the event log of the server running IAS. Look under the Application log and you will find the errors you're looking for including possible solutions.

Please check your configuration on settings 7 and 13.
7 because the criteria are ANDed, thus in your case: wireless AND domain computers AND domain admins.
13 because MS-CHAPv2 isn't selected.

In the Microsoft implementation PEAP works with MS-CHAPv2 forming PEAPv0.

For a comprehensive guide check the Cisco website:
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml
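When the WLC forwards the laptop's EAP identity to IAS it does so inside a RADIUS Access-Request carrying EAP-Message attributes, and RFC 3579 requires such a request to include a Message-Authenticator: an HMAC-MD5 over the whole packet keyed with the shared secret, computed with the attribute's own 16 bytes zeroed. A server that cannot validate it (wrong secret, or request from an address it has no RADIUS client entry for) is required to drop the packet silently, which from the controller's side looks exactly like a server that "failed to respond". This is an added example, not code from the thread, Cisco or Microsoft, showing both halves of that check in Python: building a minimal Access-Request of the kind a wireless NAS sends for the first PEAP round trip (EAP-Response/Identity), and verifying it with the correct and with a wrong secret as the server would. The identity host/laptop01.example.local, the NAS address 192.168.153.1, the hyphenated Calling-Station-Id format and the secret values are assumed for the example; real controllers add further attributes, which do not change the check.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
CALLING_STATION_ID = 31
NAS_PORT_TYPE = 61
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER_LEN = 20  # code, identifier, length and the 16-byte Request Authenticator


def attr(attr_type, value):
    """Encode one Type-Length-Value attribute; the length byte covers its 2-byte header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_response_identity(eap_id, identity):
    """EAP Response (code 2) of type Identity (1): the first message of a PEAP exchange."""
    payload = bytes([1]) + identity
    return struct.pack("!BBH", 2, eap_id, 4 + len(payload)) + payload


def build_access_request(secret, identifier, identity, client_mac, nas_ip,
                         include_message_authenticator=True, authenticator=None):
    """Build the Access-Request a NAS sends when relaying EAP-Response/Identity.

    Message-Authenticator = HMAC-MD5(secret, packet) with its own value zeroed. It is
    appended as the last attribute, so the final 16 bytes are overwritten with the MAC.
    """
    authenticator = authenticator or os.urandom(16)  # Request Authenticator, random per request
    attrs = (attr(USER_NAME, identity)
             + attr(NAS_IP_ADDRESS, bytes(int(octet) for octet in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + attr(CALLING_STATION_ID, client_mac.encode())
             + attr(EAP_MESSAGE, eap_response_identity(1, identity)))
    if not include_message_authenticator:  # deliberately non-compliant, for the negative test
        header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
        return header + authenticator + attrs
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet):
    """Yield (type, offset_of_value, value) per attribute, rejecting malformed lengths."""
    i = HEADER_LEN
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, i + 2, packet[i + 2:i + length]
        i += length


def verify_message_authenticator(secret, packet):
    """Server-side check from RFC 3579 section 3.2.

    True only if the packet carries a 16-byte Message-Authenticator matching HMAC-MD5
    over the packet with that value zeroed. A request with EAP-Message but no
    Message-Authenticator, or with a bad one, must be silently discarded, so the NAS
    observes nothing but a timeout.
    """
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    try:
        attributes = list(parse_attributes(packet))
    except ValueError:
        return False
    for attr_type, offset, value in attributes:
        if attr_type == MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


if __name__ == "__main__":
    secret = b"wlc-shared-secret"  # assumed value
    request = build_access_request(secret, 7, b"host/laptop01.example.local",
                                   "00-12-f0-1f-1a-ce", "192.168.153.1")
    print("correct secret:", verify_message_authenticator(secret, request))
    print("wrong secret:  ", verify_message_authenticator(b"typo-in-secret", request))
```

The practical consequence for this thread: a shared secret that differs by one character, or a RADIUS client entry whose IP does not match the source address the controller actually uses, both produce the silent-discard path above and therefore the same "failed to respond" line on the WLC, so those two settings are worth re-checking before the certificate or the policy conditions.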
 
Author Comment by SYPTE-IT (ID: 33745520)
I've had a look at that RAS log file previously; as you say, the formatting is terrible and I couldn't make head nor tail of it, despite having http://technet.microsoft.com/en-us/library/bb457018.aspx as a guide (none of the codes in the article seemed to be in my log).

I also can't see anything in the IAS server event viewer that seems to relate to authentication attempts. Possibly this means that the connection is failing before it gets that far?

I've updated setting 7 to just be wireless and domain computers.
I've selected MS-CHAPv2 in setting 13.

Neither seems to have made a difference.
 
Author Comment by SYPTE-IT (ID: 33752354)
Here's the WLC WLAN settings; I've a feeling now that the issue is either on the WLC or the link between it and the RADIUS server.
(screenshot 10.png not reproduced)
 
Author Comment by SYPTE-IT (ID: 33754946)
I've had another look at the IAS server event log; in the System log I can see plenty of Event ID 3, Source IAS, error code 5: http://www.eventid.net/display.asp?eventid=3&eventno=3720&source=IAS&phase=1
However, it seems that this is because I am logged on locally to the laptop and it can't find the domain controller for the laptop's local PC domain (because it doesn't exist). My understanding was that the PC should be authenticated by the certificate before it was logged on; the local domain issue should be irrelevant?
Expert Comment by araberuni (ID: 33759906)
Please verify your config using this ref http://microsoftguru.com.au/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

user 'unknown'?
The user must log on as a domain user. Dial-in property in AD configured as allowed through policy. Please provide a screenshot of the WLC logs and the RADIUS event log.
 
Expert Comment by RikeR (ID: 33767394)
Can you show the info from the "AAA servers" tab?

On the WLC side you can do some debugging as well. Try these commands:

debug dot1x events enable —In order to configure the debugging of 802.1x events
debug aaa events enable —In order to configure the debugging of AAA events
debug mac addr <mac address> —In order to configure MAC debugging, use the debug mac command
 
Accepted Solution by SYPTE-IT (ID: 33808550)
I've managed to solve the problem. My test laptop had some sort of issue with the network card or drivers. It worked OK on an unsecured network, but the authentication process when locked down caused it to flood the access point and the WLC to block it! Another laptop sorted it and it works fine with the settings I had.
 
Expert Comment by RikeR (ID: 33813197)
Hi,

Good news it worked out.