
Wireless WPA2 802.11x IAS Policy Failing To Connect

Hi,

We're trying to set up a global WPA2-Enterprise certificate-based wireless policy. In the EU I have this working; however, my counterpart in the US is having an issue getting it to work. We have two CAs, one in the EU and one in the US, which have issued computer certificates to all desktops and laptops in each location. This has been deployed via a GPO setting. In the EU we have set up an IAS server which the wireless APs connect to, and the laptops/desktops authenticate via this; it is the same in the US. We have then set up an EU wireless policy in IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued to EUDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - EUDC01.domain.com
Encryption Tab - Strongest MPPE 128 bit

Grant remote access permission

In the US they have set up IAS with the following settings:

Policy Conditions:
NAS Port Type: Wireless - IEEE 802.11
Windows Group: Domain\Domain Computers
Authentication Type: EAP

Profile:
Authentication Tab - EAP Methods - PEAP
 - PEAP Properties - Certificate Issued to USDC01.domain.com
 - EAP Type - Smart card or other certificate
 - Smart card or other certificate Properties - Certificate Issued to - USDC01.domain.com
Encryption Tab - Strongest MPPE 128 bit

Grant remote access permission

In the EU, our laptops are connecting to the wireless without issue. However, in the US they are failing. In the US the IAS event log is showing the following error:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/20/2011
Time: 4:12:28 AM
User: N/A
Computer: USDC01
Description:
User host/USD1234L-W7.domain.com was denied access.
Fully-Qualified-User-Name = domain.com/US/Computers/Laptops/USD1234L-W7
NAS-IP-Address = 10.10.20.54
NAS-Identifier = USAP01
Called-Station-Identifier = 000e.8e65.9712
Calling-Station-Identifier = 899e.fbfc.10f2
Client-Friendly-Name = USWAP01
Client-IP-Address = 10.10.20.54
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 22234
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.

A successful connection on the EU's IAS event log is as follows:
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 9/20/2011
Time: 9:38:44 AM
User: N/A
Computer: EUDC01
Description:
User host/EUD1234L-W7.domain.com was granted access.
Fully-Qualified-User-Name = domain.com/EU/Computers/Laptops/EUD1234L-W7
NAS-IP-Address = 10.20.1.254
NAS-Identifier = EUSLANCON
Client-Friendly-Name = EULANCON (WiFi Lan Controller)
Client-IP-Address = 10.20.1.254
Calling-Station-Identifier = 00-1f-45-f2-29-2b
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate

Not sure if the NAS-Port being set to 22234 rather than 1 makes any difference. However, what does stand out is that the EAP-Type for some reason shows as <undetermined> for the US, rather than Smart Card or other certificate. I have tried modifying the EAP-Type in the profile by removing it and re-adding it as 'Smart Card or other certificate' to see if this helps, but it doesn't seem to have any effect.

Both IAS servers are Windows 2003 SP2. Laptops at each site are a mix of Windows 7 and Windows XP.

Can anyone shed any light on why this works for us in the EU, but not for our US site?
Asked by bjblackmore
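Added example, not code from the original thread or from Microsoft's IAS: a small Python script that parses the Description body of the two IAS events quoted in the question into attribute/value pairs, diffs the attributes that decide the outcome, and flags the pattern this question shows (Authentication-Type PEAP accepted, EAP-Type <undetermined>, Reason-Code 66). The two sample event bodies are constructed from the events quoted above, abridged; the wording of the findings is an assumption drawn from what the author later found (the self-signed server certificate was presented instead of the CA-issued one, so the client never reached the inner EAP method).

```python
"""Triage IAS (Windows 2003 RADIUS) Event ID 1/2 descriptions for PEAP failures."""
import re
from typing import Dict, List, Tuple

# Constructed samples, abridged from the two IAS events quoted in the question.
US_DENIED = """\
User host/USD1234L-W7.domain.com was denied access.
Fully-Qualified-User-Name = domain.com/US/Computers/Laptops/USD1234L-W7
NAS-IP-Address = 10.10.20.54
NAS-Identifier = USAP01
Client-Friendly-Name = USWAP01
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 22234
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = US Wireless Policy
Authentication-Type = PEAP
EAP-Type = <undetermined>
 Reason-Code = 66
Reason = The user attempted to use an authentication method that is not enabled on the matching remote access policy.
"""

EU_GRANTED = """\
User host/EUD1234L-W7.domain.com was granted access.
Fully-Qualified-User-Name = domain.com/EU/Computers/Laptops/EUD1234L-W7
NAS-IP-Address = 10.20.1.254
NAS-Identifier = EUSLANCON
Client-Friendly-Name = EULANCON (WiFi Lan Controller)
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 1
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = EU Wifi Policy
Authentication-Type = PEAP
EAP-Type = Smart Card or other certificate
"""

HEADER_RE = re.compile(r"^User (\S+) was (granted|denied) access\.$")
# IAS indents some attribute lines with a leading space, so allow it.
ATTR_RE = re.compile(r"^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$")


def parse_ias_description(text: str) -> Dict[str, str]:
    """Turn the Description body of an IAS Event ID 1/2 entry into a dict."""
    fields: Dict[str, str] = {}
    lines = text.strip().splitlines()
    if not lines:
        return fields
    m = HEADER_RE.match(lines[0].strip())
    if m:
        fields["User"], fields["Result"] = m.group(1), m.group(2)
    for line in lines[1:]:
        m = ATTR_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def diagnose(fields: Dict[str, str]) -> List[str]:
    """Findings for a denied PEAP attempt; empty list for a granted one."""
    findings: List[str] = []
    if fields.get("Result") != "denied":
        return findings
    eap = fields.get("EAP-Type", "")
    if fields.get("Authentication-Type") == "PEAP" and eap.startswith("<undetermined>"):
        # Assumption (from the thread's resolution): the outer PEAP method matched
        # but the client tore down the TLS tunnel before an inner method was chosen,
        # which is what happens when it is shown an untrusted/self-signed server cert.
        findings.append(
            "PEAP matched but no inner EAP type was negotiated (EAP-Type <undetermined>): "
            "check which server certificate the PEAP profile actually presents "
            "(self-signed vs CA-issued) and that clients trust its issuer.")
    if fields.get("Reason-Code") == "66":
        findings.append("Reason-Code 66: " + fields.get(
            "Reason", "authentication method not enabled on the matching policy"))
    if "Policy-Name" not in fields:
        findings.append("No remote access policy matched; check NAS-Port-Type and group conditions.")
    return findings


def diff_attempts(good: Dict[str, str], bad: Dict[str, str],
                  keys: Tuple[str, ...] = ("Policy-Name", "Authentication-Type",
                                           "EAP-Type", "Reason-Code")) -> Dict[str, Tuple[str, str]]:
    """Side-by-side view of the attributes that differ between a good and a bad attempt."""
    return {k: (good.get(k, "<absent>"), bad.get(k, "<absent>"))
            for k in keys if good.get(k) != bad.get(k)}


if __name__ == "__main__":
    us, eu = parse_ias_description(US_DENIED), parse_ias_description(EU_GRANTED)
    for key, (g, b) in diff_attempts(eu, us).items():
        print(f"{key}: EU={g!r}  US={b!r}")
    for finding in diagnose(us):
        print("-", finding)
```

Run it against the Description text of real Event ID 2 entries (copied from the IAS event log) to separate "wrong policy matched" failures from "TLS tunnel never completed" failures like the one in this thread.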
1 Solution
 
Darr247 commented:
I think the one in the US is not actually using that wireless policy, for some reason.
 
bjblackmore (Author) commented:
I think I have resolved this. It turns out the server certificate being presented to the client was the self-signed server certificate, not the CA-issued server certificate, even though the CA certificate was selected as the one that should be presented in the profile. So I deleted the profile and recreated it, and this appears to have resolved the situation.
 
bjblackmore (Author) commented:
Resolved this myself
Question has a verified solution.