Troubleshooting wireless using MS IAS/Certificates and PEAP

Posted on 2010-09-23
Last Modified: 2013-12-09
I've been trying to set up a secure wireless network in our building.
The infrastructure consists of a Cisco WLAN controller WLC2106 with AIR-AP1131AG-E-K9 access points. I'm pretty certain these are configured correctly as we have a 'guest' WLAN set up and working which uses the built-in user authentication.
The Radius server is a Windows 2003 Enterprise server SP1 running IAS. Laptops are running XP SP3 with Wireless Zero Configuration.

I have:
Created a self signed certificate using SelfSSL.exe
Exported the certificate (without the private key)
Created a Group Policy 'PKI policy' that imports the exported certificate into the Trusted Root Certificate Authority and applied it to a test OU containing a test laptop.
Created a Group Policy 'Wifi settings' that sets the Wireless Network Policy with settings:
[Screenshots: Settings 1 to 6]
The Radius client in IAS is set with the correct IP for the Cisco Wireless LAN controller. The Client-Vendor setting is RADIUS Standard (should it be for this type of LAN controller?) and I've redone the shared secret several times to make sure.

I've created a Remote Access Policy:
[Screenshots: Settings 7 to 14]

The test laptop gets the policies, the certificate seems to be present and the wireless profile is set up (and can't be changed on the laptop, as it should be when configured by Group Policy). The laptop attempts to connect, but sticks on Validating identity. The Wireless controller logs show repeated "Thu Sep 23 09:27:22 2010 RADIUS server failed to respond to request (ID **) for client 00:12:f0:1f:1a:ce / user 'unknown'" (that's the MAC of the test laptop).

Where do I troubleshoot from here? I'm willing to provide more info if needed, just let me know.
Question by:SYPTE-IT
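The WLC message quoted in the question ("RADIUS server failed to respond") is what a NAS reports when the server discards a request silently instead of answering it. Because PEAP Access-Requests carry an EAP-Message, RFC 3579 requires a Message-Authenticator (HMAC-MD5 keyed with the shared secret), and a server whose secret differs drops the packet without a reply, which is why a secret mismatch looks like a dead server rather than an Access-Reject. The following Python is an added example, not code from the thread: it builds such a request and re-runs the server-side check with a matching and a mismatched secret. The secret, identifier, authenticator, user name and NAS IP are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_EAP_MESSAGE, ATTR_MSG_AUTH = 1, 4, 79, 80


def _attr(attr_type, value):
    """One RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, authenticator, user, eap_message, nas_ip):
    """Access-Request carrying an EAP-Message plus the Message-Authenticator RFC 3579 requires."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split('.')))
             + _attr(ATTR_EAP_MESSAGE, eap_message)
             + _attr(ATTR_MSG_AUTH, bytes(16)))          # zeros while the HMAC is computed
    header = struct.pack('!BBH', ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac                   # Message-Authenticator is the last attribute


def message_authenticator_valid(packet, secret):
    """The receiving server's check: recompute HMAC-MD5 with *its* secret over the packet
    (Message-Authenticator value zeroed) and compare. A mismatch means silent discard."""
    header, attrs = packet[:20], packet[20:]
    received, zeroed, pos = None, b'', 0
    while pos < len(attrs):                             # walk the TLV attribute list
        attr_type, length = attrs[pos], attrs[pos + 1]
        if attr_type == ATTR_MSG_AUTH:
            received = attrs[pos + 2:pos + length]
            zeroed += attrs[pos:pos + 2] + bytes(16)
        else:
            zeroed += attrs[pos:pos + length]
        pos += length
    if received is None:
        return False   # an EAP-Message request without Message-Authenticator is discarded too
    expected = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)


if __name__ == '__main__':
    # Constructed EAP-Response/Identity for a machine account, the first leg of a PEAP exchange.
    ident = b'host/test-laptop'
    eap = b'\x02\x01' + struct.pack('!H', 5 + len(ident)) + b'\x01' + ident
    pkt = build_access_request(b'wlc-shared-secret', 7, os.urandom(16), 'host/test-laptop', eap, '192.0.2.10')
    print('matching secret   ->', message_authenticator_valid(pkt, b'wlc-shared-secret'))  # True: server answers
    print('mismatched secret ->', message_authenticator_valid(pkt, b'typo-secret'))        # False: silently dropped
```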

Expert Comment

ID: 33743291

Debugging IAS can be tricky. There are two places where you should look for errors. First you can set a logging option in IAS itself. Open IAS and select "Remote Access Logging", double-click local file and select the option you want to log. The log file it creates is formatted terribly, but it can contain some info.
The best info can be found in the event log of the server running IAS. Look under the Application log and you will find the errors you're looking for including possible solutions.

Please check your configuration on setting 7 and 13.
7 because the criteria are ANDed, thus in your case: wireless AND domain computers AND domain admins
13 because MS-CHAPv2 isn't selected.

In the Microsoft implementation PEAP works with MS-CHAPv2 forming PEAPv0.

For a comprehensive guide check the Cisco website:

Author Comment

ID: 33745520
I've had a look at that RAS log file previously; as you say the formatting is terrible and I couldn't make head nor tail of it, despite having as a guide (none of the codes in the article seemed to be in my log).

I also can't see anything in the IAS server event viewer that seems to relate to authentication attempts. Possibly this means that the connection is failing before it gets that far?

I've updated setting 7 to just be wireless and domain computers.
I've selected MS-CHAPv2 in setting 13.

Neither seems to have made a difference.

Author Comment

ID: 33752354
Here are the WLC WLAN settings; I've a feeling now that the issue is either on the WLC or the link between it and the RADIUS.

Author Comment

ID: 33754946
I've had another look on the IAS server event log; in the system log I can see plenty of Event ID 3 Source IAS error code 5.
However it seems that this is because I am logged on locally to the laptop and it can't find the domain controller for the laptop's local PC domain (because it doesn't exist). My understanding was that the PC should be authenticated by the certificate before it was logged on, so the local domain issue should be irrelevant?

Expert Comment

ID: 33759906
Please verify your config using this ref

user 'unknown' ?
User must log on as domain user. Dialin property in AD configured allowed through policy. Please provide a screenshot of WLC logs and Radius Event log.  

Expert Comment

ID: 33767394
Can you show the info from the "AAA servers" tab?

On the WLC side you can do some debugging as well. Try these commands:

debug dot1x events enable —In order to configure the debugging of 802.1x events
debug aaa events enable —In order to configure the debugging of AAA events
debug mac addr <mac address> —In order to configure MAC debugging, use the debug mac command

Accepted Solution

SYPTE-IT earned 0 total points
ID: 33808550
I've managed to solve the problem. My test laptop had some sort of issue with the network card or drivers. It worked OK on an unsecured network, but the authentication process when locked down caused it to flood the Access Point and the WLC to block it. Another laptop sorted it and it works fine with the settings I had.
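The accepted answer traces the symptom to one client that flooded the AP until the WLC blocked it. The repeated controller line quoted in the question is enough to spot that pattern from the WLC log alone: the Python below is an added example, not code from the thread, that parses that message format, keeps a per-client sliding window and reports clients whose failures exceed a threshold inside the window. The sample log lines are constructed to match the quoted format, using the test laptop's MAC from the question and a second, made-up MAC.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Format of the WLC message quoted in the question; groups: timestamp, request ID, client MAC, user.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) RADIUS server failed to respond "
    r"to request \(ID (?P<id>[^)]*)\) for client (?P<mac>[0-9A-Fa-f:]{17}) / user '(?P<user>[^']*)'")

# Constructed sample: eight failures in eight seconds from the test laptop, one from another client.
_TEMPLATE = ("Thu Sep 23 09:27:%02d 2010 RADIUS server failed to respond to request "
             "(ID %d) for client %s / user 'unknown'")
SAMPLE_LOG = [_TEMPLATE % (22 + i, 10 + i, '00:12:f0:1f:1a:ce') for i in range(8)]
SAMPLE_LOG.append(_TEMPLATE % (25, 30, '00:12:f0:aa:bb:cc'))   # made-up MAC, a single failure


def parse_line(line):
    """Return (timestamp, mac, user) for a matching WLC line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
    return ts, m.group('mac').lower(), m.group('user')


def flooding_clients(lines, threshold=5, window=timedelta(seconds=10)):
    """Map MAC -> peak number of failures seen inside any `window`, for clients above `threshold`."""
    recent = defaultdict(deque)   # per-MAC timestamps still inside the window
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mac, _user = parsed
        q = recent[mac]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events that aged out of the window
            q.popleft()
        if len(q) > threshold:
            peaks[mac] = max(peaks.get(mac, 0), len(q))
    return peaks


if __name__ == '__main__':
    for mac, peak in flooding_clients(SAMPLE_LOG).items():
        print(f'{mac}: {peak} RADIUS failures inside 10 s, check this client before the RADIUS server')
```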

Expert Comment

ID: 33813197

Good news it worked out.

