Solved

Wireless WPA2 802.11x IAS Policy Failing To Connect

Posted on 2011-09-20
806 Views
Last Modified: 2013-12-09
Hi,

We're trying to set up a global WPA2-Enterprise certificate-based wireless policy. In the EU I have this working. However, my counterpart in the US is having an issue getting it to work. We have 2 CAs, one in the EU and one in the US, which have issued Computer certificates to all desktops & laptops in each location. This has been deployed via a GPO setting. In the EU we have set up an IAS server, which the wireless APs connect to, and the laptops/desktops authenticate via this; this is the same in the US. We have then set up an EU wireless policy in IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued EUDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - EUDC01.domain.com
Encryption Tab - Strongest MPPE 128 bit

Grant remote access permission

In the US they have set up IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued USDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - USDC01.domain.com
Encryption Tab - Strongest MPPE 128 bit

Grant remote access permission

In the EU, our laptops are connecting to the wireless without issue. However, in the US they are failing. In the US the event log for IAS is showing the following error:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/20/2011
Time: 4:12:28 AM
User: N/A
Computer: USDC01
Description:
User host/USD1234L-W7.domain.com was denied access.
Fully-Qualified-User-Name = domain.com/US/Computers/Laptops/USD1234L-W7
NAS-IP-Address = 10.10.20.54
NAS-Identifier = USAP01
Called-Station-Identifier = 000e.8e65.9712
Calling-Station-Identifier = 899e.fbfc.10f2
Client-Friendly-Name = USWAP01
Client-IP-Address = 10.10.20.54
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 22234
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

A successful connection on the EU's IAS event log is as follows:
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 9/20/2011
Time: 9:38:44 AM
User: N/A
Computer: EUDC01
Description:
User host/EUD1234L-W7.domain.com was granted access.
Fully-Qualified-User-Name = domain.com/EU/Computers/Laptops/EUD1234L-W7
NAS-IP-Address = 10.20.1.254
NAS-Identifier = EUSLANCON
Client-Friendly-Name = EULANCON (WiFi Lan Controller)
Client-IP-Address = 10.20.1.254
Calling-Station-Identifier = 00-1f-45-f2-29-2b
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate

Not sure if the NAS-Port being set as 22234 rather than 1 makes any difference. However, what does stand out is that the EAP-Type for some reason is showing as <undetermined> for the US, rather than Smart Card or other certificate. I have tried modifying the EAP-Type in the profile by removing it and re-adding it as ‘Smart Card or other certificate’ to see if this helps, but it doesn't seem to have any effect.

Both IAS servers are Windows 2003 SP2. Laptops in each site are a mix of Windows 7 & Windows XP.

Can anyone shed any light on why this works for us in the EU, but not for our US site?
Question by:bjblackmore
LVL 44

Expert Comment

by:Darr247
ID: 36571493
I think the one in the US is not actually using that wireless policy, for some reason.

Accepted Solution

by:bjblackmore (earned 0 total points)
ID: 36572427
Think I have resolved this. Turns out the server certificate being presented to the client was the self-signed server certificate, not the CA-issued server certificate, even though the CA certificate was selected as the one that should be presented in the profile. So I deleted the profile and recreated it, and this appears to have resolved the situation.
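As an added example (not code from this thread, and nothing shipped with IAS), here is a small Python triage script for exactly this kind of comparison: it parses IAS event text like the two entries quoted in the question, classifies each outcome, and diffs only the attributes that decide authentication between the failing US event and the working EU one. The sample events are constructed from the post; the "Reason-Code 66 with EAP-Type <undetermined>" diagnosis encodes what the accepted answer found (a self-signed server certificate presented instead of the CA-issued one) and is a heuristic, not something IAS reports itself.

```python
"""Triage IAS (Windows Server 2003 RADIUS) event text for PEAP failures.

Added example, not code from the original thread or from Microsoft. The sample
input is constructed from the two events quoted in the question. The hint for
Reason-Code 66 with EAP-Type <undetermined> mirrors the accepted answer (a
self-signed server certificate was being presented instead of the CA-issued
one); it is a troubleshooting heuristic, not IAS's own diagnosis.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the denied (US) and granted (EU) events from the question.
SAMPLE_EVENTS = """\
Event Type: Warning
Event ID: 2
Computer: USDC01
Description:
User host/USD1234L-W7.domain.com was denied access.
NAS-IP-Address = 10.10.20.54
NAS-Port = 22234
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

Event Type: Information
Event ID: 1
Computer: EUDC01
Description:
User host/EUD1234L-W7.domain.com was granted access.
NAS-IP-Address = 10.20.1.254
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate
"""

@dataclass
class IasEvent:
    header: Dict[str, str] = field(default_factory=dict)  # Event Type, Event ID, Computer, ...
    attrs: Dict[str, str] = field(default_factory=dict)   # "Attribute = value" pairs
    outcome: str = ""                                     # "granted", "denied" or ""

_OUTCOME_RE = re.compile(r"^User (\S+) was (granted|denied) access\.$")

def parse_ias_events(text: str) -> List[IasEvent]:
    """Split on blank lines; header lines are 'Key: value', description lines
    are 'Key = value' or the 'User ... was granted/denied access.' sentence."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev, in_description = IasEvent(), False
        for raw in block.splitlines():
            line = raw.strip()
            if not line:
                continue
            if line == "Description:":
                in_description = True
            elif not in_description:
                key, _, val = line.partition(":")
                ev.header[key.strip()] = val.strip()
            else:
                m = _OUTCOME_RE.match(line)
                if m:
                    ev.attrs["User"], ev.outcome = m.group(1), m.group(2)
                else:
                    key, _, val = line.partition("=")
                    ev.attrs[key.strip()] = val.strip()
        events.append(ev)
    return events

def diagnose(ev: IasEvent) -> Tuple[str, str]:
    """Return (code, explanation) for one event."""
    if ev.outcome == "granted":
        return "ok", "granted via EAP-Type %s" % ev.attrs.get("EAP-Type", "?")
    reason, eap = ev.attrs.get("Reason-Code"), ev.attrs.get("EAP-Type", "")
    if reason == "66" and ev.attrs.get("Authentication-Type") == "PEAP" and eap == "<undetermined>":
        # Inner method never negotiated: the client gave up during the outer TLS
        # exchange, which is what a distrusted (e.g. self-signed) server cert causes.
        return ("peap-inner-not-negotiated",
                "confirm the server certificate the profile presents is CA-issued, "
                "not self-signed, and chains to a CA the client trusts")
    if reason == "66":
        return "eap-type-not-enabled", "EAP type '%s' not enabled on policy '%s'" % (
            eap, ev.attrs.get("Policy-Name", "?"))
    return "denied", "Reason-Code %s: %s" % (reason, ev.attrs.get("Reason", ""))

# Attributes that decide the outcome. NAS-Port, NAS-IP-Address and the user name
# vary per client and are ignored (the NAS-Port difference in the question is noise).
AUTH_RELEVANT = ("Proxy-Policy-Name", "Policy-Name", "Authentication-Type",
                 "EAP-Type", "Reason-Code")

def auth_relevant_diff(failing: IasEvent, working: IasEvent) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Attributes in AUTH_RELEVANT whose values differ between two events."""
    return {k: (failing.attrs.get(k), working.attrs.get(k))
            for k in AUTH_RELEVANT if failing.attrs.get(k) != working.attrs.get(k)}
```

Importing the module and calling `diagnose` on each parsed event returns `peap-inner-not-negotiated` for the US entry and `ok` for the EU one; `auth_relevant_diff` deliberately ignores NAS-Port, in line with the post's hunch that 22234 versus 1 does not matter, and surfaces the EAP-Type and Policy-Name differences that do.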

Author Closing Comment

by:bjblackmore
ID: 36597696
Resolved this myself
