Improve company productivity with a Business Account.Sign Up

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2126
  • Last Modified:

Troubleshooting wireless using MS IAS/Certificates and PEAP

I've been trying to set up a secure wireless network in our building.
The infrastructure consists of a Cisco WLAN controller WLC2106 with AIR-AP1131AG-E-K9   access points. I'm pretty certain these are configures corrctly as we have a 'guest' WLAN set up and working which uses the built in user authentication.
The Radius server is a Windows 2003 Enterprise server SP1 running IAS. Laptops  are running XP SP3 with Wireless Zero configuration.

I have:
Created a self signed certificate using SelfSSL.exe
Exported the certificate (without the private key)
Created a Group Policy 'PKI policy' that imports the exported certificate into the Trusted Root Certificate Authority and applied it to a test OU containing a test laptop.
Created a Group Policy 'Wifi settings' that sets the Wireless Network Policy with settings:  
Settings 1Settings 2Settings 3Settings 4Settings 5Settings 6
The Radius client in IAS is set with the correct IP for the Cisco Wireless LAN controller The Client-Vendor setting is RADIUS Standard (should it be for this type of LAN controller) and I've redone the shared secret several times to make sure.

I've created a Remote Access Policy:
 Settings 7 Settings 8 Settings 9 Settings 10 Settings 11
 Settings 12 Settings 13 Settings 14  

The test laptop gets the policies, the certificate seems to be present and the wireless profile is set up (and can't be changed on the laptop as it should be when configured by Group Policy). The latop attempts to connect, but sticks on Validating identity. The Wireless controller logs show repeated  Thu Sep 23 09:27:22 2010 RADIUS server failed to respond to request (ID **) for client 00:12:f0:1f:1a:ce / user 'unknown' (thats the MAC of the test laptop.

Where do I troubleshoot from here? I'm willing to provide more info if needed, just let me know.
  • 4
  • 3
1 Solution

Debugging IAS can be tricky. There are two places where you should look for errors. First you can set a logging option in IAS itself. Open IAS and select "Remote Access Logging", double-click local file and select the option you want to log. The log file it creates is formatted terrible, but it can contain some info.
The best info can be found in the event log of the server running IAS. Look under the Application log and you will find the errors you're looking for including possible solutions.

Please check your configuration on setting 7 and 13.
7 because the criteria's are AND, thus in your case: wireless AND domain computers AND domain admins
13 because MS-CHAPv2 isn't selected.

In the Microsoft implementation PEAP works with MS-CHAPv2 forming PEAPv0.

For a comprehensive guide check the Cisco website:
SYPTE-ITAuthor Commented:
I've had a look at thay RAS log file previously, as you say the formatting is terrible and I culdn;t make head nor tail of it, despite having as a guide (none of the codes in the article seemed to be in my log)

I also can;t see anything in the IAS server event viwer that seems to relate to authentication attempts. Possibly this means that the connection is failing before it gets that far?

I've updated setting 7 to just be wireless and domain computers
I've selected MS-CHAPv2  in setting 13

neither seems to have made a difference
SYPTE-ITAuthor Commented:
here's the WLC WLAN settings, I've a feeling now that the issue is either on the WLC or the link between it and the RADIUS
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

SYPTE-ITAuthor Commented:
I've had another look on the IAS server event log, int he system log I can see plenty of  Event ID 3 Source IAS error code 5
However it seems that this is because I am logged on locally to the laptop and it can;t find the domaincontroller for the laptops local PC domain (because it doesn't exist). My understanding was that the PC should be authenticated by the certicate before it was logged on, the local domain issue should be irrelevant?
Please verify your config using this ref

user 'unknown' ?
User must log on as domain user. Dialin property in AD configured allowed through policy. Please provide a screenshot of WLC logs and Radius Event log.  
Can you show the info from the "AAA servers" tab?

On the WLC side you can do some debugging as well. Try these commands:

debug dot1x events enable —In order to configure the debugging of 802.1x events
debug aaa events enable —In order to configure the debugging of AAA events
debug mac addr <mac address> —In order to configure MAC debugging, use the debug mac command
SYPTE-ITAuthor Commented:
I've managed to sove the problem. My test laptop had some sort of issue with the network card or drivers. It worked OK on an unsecured network but the authentication process when locked down casued it to flood the Access Point and for the WLC to block it!. Another laptop sorted it and it works fine with the settings I had.

Good news it worked out.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now