Solved

Wireless WPA2 802.11x IAS Policy Failing To Connect

Posted on 2011-09-20
3
818 Views
Last Modified: 2013-12-09
Hi,

We're trying to set up a global WPA2-Enterprise certificate-based wireless policy. In the EU I have this working. However, my counterpart in the US is having an issue getting it to work. We have 2 CAs, one in the EU and one in the US, which have issued Computer certificates to all desktops & laptops in each location. This has been deployed via a GPO setting. In the EU we have set up an IAS server, which the Wireless APs connect to, and the laptops/desktops authenticate via this; this is the same in the US. We have then set up an EU wireless policy in IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued EUDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - EUDC01.domain.com
Encryption  Tab - Strongest MPPE 128 bit

Grant remote access permission

In the US they have set up IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued USDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - USDC01.domain.com
Encryption  Tab - Strongest MPPE 128 bit

Grant remote access permission

In the EU, our laptops are connecting to the wireless without issue. However, in the US they are failing. In the US the event log for IAS is showing the following error:

Event Type:        Warning
Event Source:    IAS
Event Category:                None
Event ID:              2
Date:                     9/20/2011
Time:                     4:12:28 AM
User:                     N/A
Computer:          USDC01
Description:
User host/USD1234L-W7.domain.com was denied access.
Fully-Qualified-User-Name = domain.com/US/Computers/Laptops/USD1234L-W7
NAS-IP-Address = 10.10.20.54
NAS-Identifier = USAP01
Called-Station-Identifier = 000e.8e65.9712
Calling-Station-Identifier = 899e.fbfc.10f2
Client-Friendly-Name = USWAP01
Client-IP-Address = 10.10.20.54
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 22234
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
 Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

A successful connection on the EU's IAS event log is as follows:
Event Type:        Information
Event Source:    IAS
Event Category:                None
Event ID:              1
Date:                     9/20/2011
Time:                     9:38:44 AM
User:                     N/A
Computer:          EUDC01
Description:
User host/EUD1234L-W7.domain.com was granted access.
Fully-Qualified-User-Name = domain.com/EU/Computers/Laptops/EUD1234L-W7
NAS-IP-Address = 10.20.1.254
NAS-Identifier = EUSLANCON
Client-Friendly-Name = EULANCON (WiFi Lan Controller)
Client-IP-Address = 10.20.1.254
Calling-Station-Identifier = 00-1f-45-f2-29-2b
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate

Not sure if the NAS-Port being set as 22234 rather than 1 makes any difference. However, what does stand out is the EAP-Type for some reason is showing as <undetermined> for the US, rather than Smart Card or other certificate. I have tried modifying the EAP-Type in the profile, by removing it, and re-adding it as ‘Smart Card or other certificate’ to see if this helps, but it doesn't seem to have any effect.

Both IAS servers are Windows 2003 SP2. Laptops in each site are a mix of Windows 7 & Windows XP.

Can anyone shed any light on why this works for us in the EU, but not for our US site?
0
Comment
Question by:bjblackmore
3 Comments
 
LVL 44

Expert Comment

by:Darr247
ID: 36571493
I think the one in the US is not actually using that wireless policy, for some reason.
0
 

Accepted Solution

by:
bjblackmore earned 0 total points
ID: 36572427
Think I have resolved this. Turns out the server certificate being presented to the client was the self signed server certificate, not the CA issued server certificate, even though the CA certificate was selected as the one that should be presented in the profile. So I deleted the profile, and recreated it, and this appears to have resolved the situation.
0
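As an added example (not from the question or any answer on this page), here is a small Python triage script that parses IAS event descriptions of the kind quoted above and flags the two signs the thread discusses: Reason-Code 66, and the PEAP inner EAP-Type left as <undetermined>, which the accepted solution traced to the wrong server certificate being presented. The sample events are constructed from the values shown in the question.

```python
# Constructed sample IAS event descriptions, modelled on the two events in the question.
DENIED_US = """User host/USD1234L-W7.domain.com was denied access.
Fully-Qualified-User-Name = domain.com/US/Computers/Laptops/USD1234L-W7
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy."""

GRANTED_EU = """User host/EUD1234L-W7.domain.com was granted access.
Fully-Qualified-User-Name = domain.com/EU/Computers/Laptops/EUD1234L-W7
NAS-Port-Type = Wireless - IEEE 802.11
Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate"""


def parse_ias_event(text):
    """Turn an IAS event description into a dict; the first line becomes 'Outcome'."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    event = {"Outcome": "granted" if "was granted access" in lines[0] else "denied"}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if sep:  # attribute lines are 'Name = value'; the Reason text has no '=' issue
            event[key.strip()] = value.strip()
    return event


def triage(event):
    """Return findings pointing at PEAP inner-method / server-certificate problems."""
    findings = []
    if event.get("Outcome") == "denied" and event.get("Reason-Code") == "66":
        findings.append("reason 66: the EAP method offered is not enabled on policy "
                        f"'{event.get('Policy-Name')}'; compare the policy's EAP types")
    if event.get("Authentication-Type") == "PEAP" and event.get("EAP-Type") == "<undetermined>":
        findings.append("EAP-Type undetermined: the PEAP tunnel never reached the inner "
                        "method; check that the certificate the profile actually presents "
                        "is the CA-issued server certificate, not a self-signed one")
    return findings


def compare_events(good, bad, keys=("Authentication-Type", "EAP-Type", "Policy-Name")):
    """Side-by-side diff of a working and a failing event on the fields that matter."""
    return {k: (good.get(k), bad.get(k)) for k in keys if good.get(k) != bad.get(k)}
```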
 

Author Closing Comment

by:bjblackmore
ID: 36597696
Resolved this myself
0
