Wireless WPA2 802.11x IAS Policy Failing To Connect

Hi,

We're trying to set up a global WPA2-Enterprise certificate-based wireless policy. In the EU I have this working. However, my counterpart in the US is having an issue getting it to work. We have two CAs, one in the EU and one in the US, which have issued Computer certificates to all desktops and laptops in each location. This has been deployed via a GPO setting. In the EU we have set up an IAS server, which the wireless APs connect to, and the laptops/desktops authenticate via this; this is the same in the US. We have then set up an EU wireless policy in IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued EUDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - EUDC01.domain.com
Encryption Tab - Strongest MPPE 128 bit

Grant remote access permission

In the US they have set up IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued USDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - USDC01.domain.com
Encryption Tab - Strongest MPPE 128 bit

Grant remote access permission

In the EU, our laptops are connecting to the wireless without issue. However, in the US they are failing. In the US the event log for IAS shows the following error:

Event Type:        Warning
Event Source:    IAS
Event Category:                None
Event ID:              2
Date:                     9/20/2011
Time:                     4:12:28 AM
User:                     N/A
Computer:          USDC01
Description:
User host/USD1234L-W7.domain.com was denied access.
Fully-Qualified-User-Name = domain.com/US/Computers/Laptops/USD1234L-W7
NAS-IP-Address = 10.10.20.54
NAS-Identifier = USAP01
Called-Station-Identifier = 000e.8e65.9712
Calling-Station-Identifier = 899e.fbfc.10f2
Client-Friendly-Name = USWAP01
Client-IP-Address = 10.10.20.54
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 22234
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
 Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

A successful connection on the EU's IAS event log is as follows:
Event Type:        Information
Event Source:    IAS
Event Category:                None
Event ID:              1
Date:                     9/20/2011
Time:                     9:38:44 AM
User:                     N/A
Computer:          EUDC01
Description:
User host/EUD1234L-W7.domain.com was granted access.
Fully-Qualified-User-Name = domain.com/EU/Computers/Laptops/EUD1234L-W7
NAS-IP-Address = 10.20.1.254
NAS-Identifier = EUSLANCON
Client-Friendly-Name = EULANCON (WiFi Lan Controller)
Client-IP-Address = 10.20.1.254
Calling-Station-Identifier = 00-1f-45-f2-29-2b
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate

Not sure if the NAS-Port being set as 22234 rather than 1 makes any difference. However, what does stand out is that the EAP-Type for some reason is showing as <undetermined> for the US, rather than Smart Card or other certificate. I have tried modifying the EAP-Type in the profile by removing it and re-adding it as 'Smart Card or other certificate' to see if this helps, but it doesn't seem to have any effect.

Both IAS servers are Windows 2003 SP2. Laptops in each site are a mix of Windows 7 and Windows XP.

Can anyone shed any light on why this works for us in the EU, but not for our US site?
Asked by bjblackmore
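The two IAS event descriptions quoted in the question carry the attributes that matter for triage (Policy-Name, Authentication-Type, EAP-Type, Reason-Code), and the denied event differs from the granted one mainly in EAP-Type being <undetermined> and Reason-Code 66. The script below is an added example, not code from the thread: it parses event 1/2 descriptions in that format, normalises the two MAC notations the NAS devices use (Cisco dotted and hyphenated), and flags the pattern seen in the US log. The sample input is a constructed copy of the attribute lines from the question, and the triage hints are heuristics written for this example; the thread's own resolution (the wrong server certificate being presented, which stops the PEAP TLS tunnel before the inner EAP method is chosen) is what the PEAP/<undetermined> hint points at.

```python
import re

# Constructed sample input: attribute lines copied from the two IAS events quoted
# in the question (Event ID 2 = denied, Event ID 1 = granted).
IAS_DENIED = """User host/USD1234L-W7.domain.com was denied access.
Fully-Qualified-User-Name = domain.com/US/Computers/Laptops/USD1234L-W7
NAS-IP-Address = 10.10.20.54
NAS-Identifier = USAP01
Called-Station-Identifier = 000e.8e65.9712
Calling-Station-Identifier = 899e.fbfc.10f2
Client-Friendly-Name = USWAP01
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 22234
 Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
 Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

IAS_GRANTED = """User host/EUD1234L-W7.domain.com was granted access.
Fully-Qualified-User-Name = domain.com/EU/Computers/Laptops/EUD1234L-W7
NAS-IP-Address = 10.20.1.254
NAS-Identifier = EUSLANCON
Calling-Station-Identifier = 00-1f-45-f2-29-2b
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
 Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate
"""

# "Name = value" lines; IAS indents some of them with a leading space.
ATTR_RE = re.compile(r"^\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$")
HEADER_RE = re.compile(r"^User (\S+) was (granted|denied) access\.$")


def parse_ias_event(text):
    """Parse an IAS event 1/2 description into a dict of attributes plus 'user' and 'outcome'."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = HEADER_RE.match(lines[0].strip())
    if not header:
        raise ValueError("not an IAS 'granted/denied access' event description")
    event = {"user": header.group(1), "outcome": header.group(2)}
    for line in lines[1:]:
        attr = ATTR_RE.match(line)
        if attr:
            event[attr.group(1)] = attr.group(2)
    return event


def normalize_mac(value):
    """Map Cisco 'aabb.ccdd.eeff' and Windows 'aa-bb-cc-dd-ee-ff' to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 12:
        return value  # not a plain MAC (e.g. an SSID suffix); leave untouched
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def triage(event):
    """Return a list of findings for a denied event; an empty list for a grant."""
    findings = []
    if event["outcome"] != "denied":
        return findings
    if not event.get("Policy-Name"):
        findings.append("no Policy-Name: the request matched no remote access policy")
    if event.get("Reason-Code") == "66":
        findings.append("Reason-Code 66: the EAP method offered is not enabled on the matched policy")
    if event.get("Authentication-Type") == "PEAP" and event.get("EAP-Type") == "<undetermined>":
        # Heuristic for this example: the inner method is only reported once the
        # PEAP TLS tunnel is up, so <undetermined> means the outer TLS handshake
        # did not complete. Check which server certificate the policy really presents.
        findings.append("PEAP with EAP-Type <undetermined>: outer TLS never completed; "
                        "verify the server certificate actually presented to the client")
    return findings


if __name__ == "__main__":
    for sample in (IAS_DENIED, IAS_GRANTED):
        ev = parse_ias_event(sample)
        print(ev["user"], ev["outcome"], normalize_mac(ev.get("Calling-Station-Identifier", "")))
        for finding in triage(ev):
            print("  -", finding)
```

Run it against descriptions copied out of the IAS application log; the MAC normalisation lets you correlate the same client across a Cisco AP and a Windows controller even though they log the address in different notations.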
1 Solution
 
Darr247 commented:
I think the one in the US is not actually using that wireless policy, for some reason.
 
bjblackmore (Author) commented:
I think I have resolved this. It turns out the server certificate being presented to the client was the self-signed server certificate, not the CA-issued server certificate, even though the CA certificate was selected as the one that should be presented in the profile. So I deleted the profile and recreated it, and this appears to have resolved the situation.
 
bjblackmore (Author) commented:
Resolved this myself