Troubleshooting wireless using MS IAS/Certificates and PEAP

Posted on 2010-09-23
Medium Priority
Last Modified: 2013-12-09
I've been trying to set up a secure wireless network in our building.
The infrastructure consists of a Cisco WLAN controller WLC2106 with AIR-AP1131AG-E-K9 access points. I'm pretty certain these are configured correctly as we have a 'guest' WLAN set up and working which uses the built-in user authentication.
The RADIUS server is a Windows 2003 Enterprise server SP1 running IAS. Laptops are running XP SP3 with Wireless Zero Configuration.

I have:
Created a self signed certificate using SelfSSL.exe
Exported the certificate (without the private key)
Created a Group Policy 'PKI policy' that imports the exported certificate into the Trusted Root Certificate Authority and applied it to a test OU containing a test laptop.
Created a Group Policy 'Wifi settings' that sets the Wireless Network Policy with settings: Settings 1, Settings 2, Settings 3, Settings 4, Settings 5, Settings 6
The RADIUS client in IAS is set with the correct IP for the Cisco Wireless LAN controller. The Client-Vendor setting is RADIUS Standard (should it be, for this type of LAN controller?) and I've redone the shared secret several times to make sure.

I've created a Remote Access Policy:
Settings 7, Settings 8, Settings 9, Settings 10, Settings 11, Settings 12, Settings 13, Settings 14

The test laptop gets the policies, the certificate seems to be present and the wireless profile is set up (and can't be changed on the laptop, as it should be when configured by Group Policy). The laptop attempts to connect, but sticks on "Validating identity". The wireless controller logs show repeated "Thu Sep 23 09:27:22 2010 RADIUS server failed to respond to request (ID **) for client 00:12:f0:1f:1a:ce / user 'unknown'" (that's the MAC of the test laptop).

Where do I troubleshoot from here? I'm willing to provide more info if needed, just let me know.
Question by:SYPTE-IT

Expert Comment

ID: 33743291

Debugging IAS can be tricky. There are two places where you should look for errors. First you can set a logging option in IAS itself. Open IAS and select "Remote Access Logging", double-click local file and select the option you want to log. The log file it creates is formatted terribly, but it can contain some info.
The best info can be found in the event log of the server running IAS. Look under the Application log and you will find the errors you're looking for including possible solutions.

Please check your configuration on setting 7 and 13.
7 because the criteria are ANDed, thus in your case: wireless AND domain computers AND domain admins.
13 because MS-CHAPv2 isn't selected.

In the Microsoft implementation PEAP works with MS-CHAPv2 forming PEAPv0.

For a comprehensive guide check the Cisco website:

Author Comment

ID: 33745520
I've had a look at that RAS log file previously; as you say the formatting is terrible and I couldn't make head nor tail of it, despite having http://technet.microsoft.com/en-us/library/bb457018.aspx as a guide (none of the codes in the article seemed to be in my log).

I also can't see anything in the IAS server event viewer that seems to relate to authentication attempts. Possibly this means that the connection is failing before it gets that far?

I've updated setting 7 to just be wireless and domain computers.
I've selected MS-CHAPv2 in setting 13.

Neither seems to have made a difference.

Author Comment

ID: 33752354
Here's the WLC WLAN settings. I've a feeling now that the issue is either on the WLC or the link between it and the RADIUS.

Author Comment

ID: 33754946
I've had another look on the IAS server event log. In the system log I can see plenty of Event ID 3 Source IAS error code 5 http://www.eventid.net/display.asp?eventid=3&eventno=3720&source=IAS&phase=1
However it seems that this is because I am logged on locally to the laptop and it can't find the domain controller for the laptop's local PC domain (because it doesn't exist). My understanding was that the PC should be authenticated by the certificate before it was logged on, so the local domain issue should be irrelevant?

Expert Comment

ID: 33759906
Please verify your config using this ref http://microsoftguru.com.au/2010/04/30/complete-guide-to-build-a-cisco-wireless-infrastructure-using-cisco-wlc-5500-cisco-1142-ap-and-microsoft-radius-server/

user 'unknown' ?
User must log on as domain user. Dialin property in AD configured allowed through policy. Please provide a screenshot of WLC logs and Radius Event log.  

Expert Comment

ID: 33767394
Can you show the info from the "AAA servers" tab?

On the WLC side you can do some debugging as well. Try these commands:

debug dot1x events enable —In order to configure the debugging of 802.1x events
debug aaa events enable —In order to configure the debugging of AAA events
debug mac addr <mac address> —In order to configure MAC debugging, use the debug mac command

Accepted Solution

SYPTE-IT earned 0 total points
ID: 33808550
I've managed to solve the problem. My test laptop had some sort of issue with the network card or drivers. It worked OK on an unsecured network, but the authentication process when locked down caused it to flood the access point and the WLC to block it! Another laptop sorted it and it works fine with the settings I had.
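The accepted solution shows the useful signal was in the WLC log the question already quoted: one client MAC generating "RADIUS server failed to respond" lines in a tight burst while nothing reached IAS. The following script is an added example (not from this thread or from Cisco/Microsoft) that parses lines of that exact shape, counts failures per client MAC, and flags any client whose failures cluster inside a short sliding window, which is the pattern a flooding NIC produces. The MAC 00:12:f0:1f:1a:ce is the one from the question; the second MAC, the request IDs and the unrelated filler line are constructed sample data, and the line format is assumed to match the single line quoted in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample WLC log excerpt, modelled on the one line quoted in the question.
# 00:12:f0:1f:1a:ce is the question's test laptop; 00:1a:2b:3c:4d:5e is made up.
SAMPLE_WLC_LOG = """\
Thu Sep 23 09:27:22 2010 RADIUS server failed to respond to request (ID 12) for client 00:12:f0:1f:1a:ce / user 'unknown'
Thu Sep 23 09:27:23 2010 RADIUS server failed to respond to request (ID 13) for client 00:12:f0:1f:1a:ce / user 'unknown'
Thu Sep 23 09:27:24 2010 RADIUS server failed to respond to request (ID 14) for client 00:12:f0:1f:1a:ce / user 'unknown'
Thu Sep 23 09:27:25 2010 RADIUS server failed to respond to request (ID 15) for client 00:12:f0:1f:1a:ce / user 'unknown'
Thu Sep 23 09:27:26 2010 RADIUS server failed to respond to request (ID 16) for client 00:12:f0:1f:1a:ce / user 'unknown'
Thu Sep 23 09:27:27 2010 RADIUS server failed to respond to request (ID **) for client 00:12:f0:1f:1a:ce / user 'unknown'
Thu Sep 23 09:28:00 2010 some unrelated controller message (constructed filler line)
Thu Sep 23 09:30:00 2010 RADIUS server failed to respond to request (ID 40) for client 00:1a:2b:3c:4d:5e / user 'unknown'
Thu Sep 23 09:35:00 2010 RADIUS server failed to respond to request (ID 41) for client 00:1a:2b:3c:4d:5e / user 'unknown'
"""

# Matches only the "RADIUS server failed to respond" message shape quoted in the question.
# The request ID is kept free-form because the question's copy shows it redacted as "**".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"RADIUS server failed to respond to request \(ID (?P<req_id>[^)]*)\) "
    r"for client (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) / user '(?P<user>[^']*)'$"
)


def parse_line(line):
    """Return a record for a matching line, or None for any other controller message."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "req_id": m.group("req_id"),
            "mac": m.group("mac").lower(), "user": m.group("user")}


def parse_log(text):
    """Parse a whole log excerpt, silently skipping lines of other shapes."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec is not None]


def failures_per_client(records):
    """Total 'failed to respond' events per client MAC."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["mac"]] += 1
    return dict(counts)


def flooding_clients(records, window=timedelta(seconds=10), threshold=5):
    """Map MAC -> peak number of failures inside any sliding `window`, for clients that
    reach `threshold`. One client tripping this while the rest of the WLAN is quiet points
    at that client (bad NIC/driver, as in the accepted solution) rather than at IAS."""
    by_mac = defaultdict(list)
    for rec in records:
        by_mac[rec["mac"]].append(rec["ts"])
    flagged = {}
    for mac, times in by_mac.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[mac] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_WLC_LOG)
    print("failures per client:", failures_per_client(recs))
    print("flooding clients:", flooding_clients(recs))
```

If every client on the WLAN shows up in the per-client counts, the problem is between the controller and the RADIUS server (reachability, shared secret, or the IAS client entry), which is where the thread's earlier advice applies; if a single MAC dominates with a tight burst, as the test laptop did here, swap or fix that client before touching IAS.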

Expert Comment

ID: 33813197

Good news it worked out.
