Solved

windows 2008 nps with cisco wireless 4400

Posted on 2012-03-21
1,077 Views
Last Modified: 2013-03-05
My setup is 1 Windows 2008 R2 DC, 1 Windows 2008 R2 server with NPS (RADIUS) installed, 1 Cisco wireless controller 4400 and 2 access points.
My questions are as follows:
1- I need 2 laptops to get authenticated through RADIUS but not joined to the domain.
2- Also 2 laptops that I need to be authenticated through RADIUS and also joined to the domain.

What do I have to do for 1 and 2? What steps do I have to follow, as I found many articles.
Question by:leganti
 
LVL 39

Expert Comment

by:footech
ID: 37750661
Before providing any advice, it would be helpful if you could clarify what you're looking for.
1) Are you looking for help setting everything up from scratch?
2) Is the NPS already configured and working?
3) Is the Cisco controller already configured and the access points are talking to it?
4) What type of authentication are you using (PEAP, EAP-TLS, etc.)?
5) What OS are your laptops running?

Let us know what you have done so far, what isn't working, etc.
LVL 20

Expert Comment

by:Jakob Digranes
ID: 37751397
For starters:

#1: If you want laptops to authenticate, but not be domain joined, you don't have many options:
- You can only authenticate using either EAP-MSCHAP v2 (username and password) or EAP-TLS using user-enrolled certificates.

#2: Here you can use either EAP-MSCHAP v2 or EAP-TLS machine and/or user certificates. You should however deploy 2-factor authentication, authenticating both machines and logged-on users.

Author Comment

by:leganti
ID: 37754233
I need to set it up from scratch. Can I run it without a CA, for domain and non-domain also?

Author Comment

by:leganti
ID: 37761483
1) Are you looking for help setting everything up from scratch?
Yes.
2) Is the NPS already configured and working?
I have installed it but I have some issues with non-domain clients.
3) Is the Cisco controller already configured and the access points are talking to it?
Yes, it is working fine with a preshared key.
4) What type of authentication are you using (PEAP, EAP-TLS, etc.)?
I need it to work, if possible, with a CA or without a CA.
5) What OS are your laptops running?
Windows 7.
LVL 39

Expert Comment

by:footech
ID: 37761590
Can't help you with configuration of the Cisco. But I would say that you want to use PEAP (and not the Cisco version). If you only authenticate by user, you can use PEAP with MSCHAPv2 which only requires a username and password. Machines will automatically try to use the credentials of the logged-on user, which is fine for domain computers. For non-domain computers, you will want to edit the properties of the wireless connection (screenshot 1).
Click on the Settings button. For better security, you can enter the name of the NPS server in the "Connect to these servers" field, and also specify a root certificate from a CA that the NPS will be using. I've never tried setting it up without the NPS having a machine certificate. But whether the certificate comes from your own CA or is purchased from a publicly trusted third party shouldn't matter, and it's the only certificate you'll need (screenshot 2).
Then click on the Configure button, and make sure that the box is unchecked (this is for non-domain computers) (screenshot 3).

Author Comment

by:leganti
ID: 37783963
But how do I install a CA certificate in the Windows NPS server in the first place? How do I do it? I still have the problem on the server.
Thanks for your support, footech.
LVL 39

Expert Comment

by:footech
ID: 37784263
You either set up your own CA and from the NPS request a certificate from it, or buy one from a third party that matches the name of your NPS and then install it in the machine certificate store.  Which way have you decided to go?  From your previous posts it sounds like you're leaning towards a 3rd party.  Do you not know how to buy one from them?  Choose one (like GoDaddy), and their site will have all the information you need to purchase one.

Author Comment

by:leganti
ID: 37784706
1- I mean, do I have to request it from the NPS server, then MMC --> Certificates --> Request, or through the web?

2- Or do I have to request it from the CA root server? Which way is correct?

3- For the client, what do I have to do for non-domain? Do I have to export it from a client joined to the domain or from the CA root server?

Author Comment

by:leganti
ID: 37784864
1- I have the Windows NPS as a member server. How do I request the certificate, which way (web, command or console), and how do I do it?
2- Regarding the client, how do I export the certificate and from which server do I have to export it, for non-domain clients?
LVL 39

Expert Comment

by:footech
ID: 37785226
You haven't answered my question about what CA you will be using (your own or 3rd party), or if you have I can't find your answer.  Once you do I may be able to help you further with generating the CSR.

Author Comment

by:leganti
ID: 37789211
A self-signed CA, a local one.
1- How to get the CA certificate for the NPS server?
2- Then how to prepare the CA certificate for non-domain and domain clients?
LVL 39

Expert Comment

by:footech
ID: 37789501
With your own CA, you can do the following:
 - on the NPS, open the MMC console and add the certificates snap-in for the local computer
 - go to Personal, right-click and select All Tasks > Request New Certificate.  Follow the prompts to automatically get your certificate.

You don't have to distribute or create a certificate for the clients.  The certificate is only for the NPS.

Author Comment

by:leganti
ID: 37790725
It is still not clear for the CA; I am not able to get the CA.

Can you make it clear? As I told you, I have 1 NPS server, 1 DC and 1 wireless controller.

I need only the non-domain-joined wireless clients to access the wireless with an AD user. For the configuration, do I require a certificate to install on the NPS server, and what type of certificate do I need for this?
LVL 39

Expert Comment

by:footech
ID: 37790834
Since you mentioned that you would be using your own CA, I assumed that you already had your own CA set up.

Maybe this will help you.  It provides a walk-through on installing AD Certificate Services to create your own CA (there's also a part 2 and 3 on the site).
http://mihoitpro.blogspot.com/2011/11/8021x-wireless-authentication-windows.html

Here's another guide I have used in the past.  Skip to the section "Installing Certificate Services" since you already have a DC installed.
http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
Once it gets to the section "Installing Network Policy and Access Services", you don't have to install the Routing and Remote Access Services as is shown, but follow the rest.

Both of the above guides should also help you with how to configure the NPS to work with your Cisco controller as the concepts should be the same.

Author Comment

by:leganti
ID: 37790986
What kind of certificate do I have to create for the NPS server? For example, in my case I need a non-domain user to access the wireless.

Author Comment

by:leganti
ID: 37791004
In the second link, my question is about issuing the certificate: how to do it? I still have this issue.

Author Comment

by:leganti
ID: 37791442
can you contact me at itgeek2012@hotmail.com
LVL 39

Expert Comment

by:footech
ID: 37791622
The certificate for the NPS is the same whether it's a domain or non-domain computer connecting to it.  After the CA is installed, and you follow the process of requesting a certificate through the MMC that I mentioned a couple posts ago you will have a certificate with the correct intended purposes (server authentication).  If I'm misunderstanding you, I'm sorry.  Maybe there's a language barrier.

The guides I posted are pretty comprehensive.  If you're unable to follow them then I think the assistance you need is beyond what can be provided in this forum, and you will have to hire someone to come help you.  Sorry but I limit my involvement to what I can contribute here, so no email communication.

Author Comment

by:leganti
ID: 37791713
Thanks, footech, for your great comment.
For the CA, is this
http://technet.microsoft.com/en-us/library/cc754198.aspx
a must or not?
LVL 39

Expert Comment

by:footech
ID: 37791752
It's not a must, but if you want to configure certificate autoenrollment for NPS servers it's a useful guide.  If you had a lot of certificates to request and issue, then autoenrollment could save you a lot of time and hassle.  In your case, since you only have one NPS, you can just request the certificate manually.

Author Comment

by:leganti
ID: 37794847
After my login from my wireless, I got this error in the NPS event log:
---------------------------
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  NULL SID
      Account Name:                  980c8249f585
      Account Domain:                  xyz
      Fully Qualified Account Name:      xyz\980c8249f585

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            00-1a-6c-5f-84-c0:cisco-WL
      Calling Station Identifier:            98-0c-82-49-f5-85

NAS:
      NAS IPv4 Address:            192.168.1.1
      NAS IPv6 Address:            -
      NAS Identifier:                  cisco-WLC
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  1

RADIUS Client:
      Client Friendly Name:            ciscowl
      Client IP Address:                  192.168.1.1

Authentication Details:
      Connection Request Policy Name:      Use Windows authentication for all users
      Network Policy Name:            -
      Authentication Provider:            Windows
      Authentication Server:            abc.xyz.com
      Authentication Type:            Unauthenticated
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  8
      Reason:                        The specified user account does not exist.

----------------------------------------------------------
Also, sometimes I get this error:
A RADIUS message was received from the invalid RADIUS client IP address 192.168.1.5

This is not my RADIUS client IP address.

Also, I have attached my current configuration; it is still not working.
(attachment: nps00001.jpg)
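In the event above the Account Name equals the Calling Station Identifier, i.e. the client's MAC address rather than an AD user, the EAP Type is empty and the reason code is 8. That pattern is consistent with the controller sending a MAC-filtering request instead of an 802.1X/EAP one, which matches the fix the author later reports (switching the WLAN security type to 802.1X). As an added example, not part of this thread, here is a small Python parser that flags that symptom in such NPS events; the sample event is constructed from the values posted above.

```python
import re

# Constructed sample event: the field values mirror the NPS 'denied access'
# entry posted in this thread (MAC address, domain and reason code as posted).
SAMPLE_EVENT = """\
Network Policy Server denied access to a user.
User:
      Account Name:                  980c8249f585
      Account Domain:                  xyz
Client Machine:
      Called Station Identifier:            00-1a-6c-5f-84-c0:cisco-WL
      Calling Station Identifier:            98-0c-82-49-f5-85
Authentication Details:
      Authentication Type:            Unauthenticated
      EAP Type:                  -
      Reason Code:                  8
      Reason:                        The specified user account does not exist.
"""

# "Key:   value" lines; section headers such as "User:" carry no value and are skipped.
FIELD_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?):\s+(\S.*?)\s*$")

def parse_event(text):
    """Return the event's key/value fields as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def normalize_mac(value):
    """Strip separators; return 12 lowercase hex digits, or None if not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    return digits.lower() if len(digits) == 12 else None

def diagnose(fields):
    """Flag symptoms pointing at a NAS/WLAN misconfiguration rather than a bad
    password: username is the client MAC, no EAP method, account lookup failed."""
    findings = []
    account = normalize_mac(fields.get("Account Name", ""))
    calling = normalize_mac(fields.get("Calling Station Identifier", ""))
    if account is not None and account == calling:
        findings.append("mac_as_username")  # NAS sent the MAC as User-Name
    if fields.get("EAP Type", "-") == "-":
        findings.append("no_eap")           # no EAP negotiated: not 802.1X
    if fields.get("Reason Code") == "8":
        findings.append("account_missing")  # NPS reason 8 as in the event
    return findings
```

A normal PEAP failure (a real username, an EAP type present, another reason code) produces no findings, so the checks separate this controller-side problem from an ordinary wrong-password denial.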

Author Comment

by:leganti
ID: 37794849
If you see the account name, it displays some number, not my AD account.
LVL 39

Expert Comment

by:footech
ID: 37803252
You've got a lot of conditions for your network policy.  Why don't you try something simpler and get it to work before adding so many (see attached).
NPS settings

Author Comment

by:leganti
ID: 37805824
I have done the same, but I am still unable to connect to the wireless and am getting the same error message every time... Sorry to ask you again, but I did this configuration with a self-signed certificate... What steps do I have to follow if I want it with username and password? I don't need a certificate, because I read in an article that I have to install a certificate in the NPS server, so what do you say about it?

Author Comment

by:leganti
ID: 37806172
Finally done. I changed the security type in the wireless controller to 802.1X and also in my laptop. But I installed the certificate in the laptop and I am able to connect to the wireless even if I didn't select "validate the certificate". How can I restrict it to use the CA with the username?
LVL 39

Accepted Solution

by:
footech earned 500 total points
ID: 37808723
For PEAP authentication, you need a couple things:
 - To authenticate or confirm the validity of the server you need a certificate for the server (installed on the NPS)
 - To authenticate the client you need a username and password.

If you have your NPS configured correctly, you will only need to provide a username and password to authenticate the client.  However, the clients will also need to trust your root certificate (i.e. have it installed in the Trusted Root Certification Authorities store for the local computer).  Your domain computers should get this automatically.  If not, create a GPO to deploy the root certificate.  Your non-domain computers will need the certificate to be imported manually.

Here's a link to a guide that describes the various settings for your wireless connection.  It's a little bit dated, but the content is still good.
http://www.techrepublic.com/downloads/techrepublics-ultimate-guide-to-enterprise-wireless-lan-security/277380

Expert Comment

by:Kris_Zawisza
ID: 38952622
Hi,
I am looking for a similar solution as leganti, but in my case I want to allow wireless access to certain groups in AD, and the computers should be members of the same domain.
I have configured NPS and the access point as well. It is working fine when the condition is a user group on NPS, but in this case any computer (Windows 8) which is not part of the domain can also connect by just entering domain user credentials. I want to restrict the access to certain groups in AD, and the computer should be a member of the domain.
Need some help from you guys.
LVL 39

Expert Comment

by:footech
ID: 38954316
@Kris_Zawisza - Please ask as a new question.