Solved

RADIUS Server on Windows 2008 not working

Posted on 2013-02-06
Last Modified: 2013-03-11
Hi,

I have got a virtual machine running Windows Server 2008 with AD and NPS.

I have configured NPS and got a certificate available for laptops connecting. However, it is not allowing a Win7 and WinXP to connect to the server through the Cisco.

On Win7, it comes up with the WAP key and I have entered it, but it fails.

But on an Apple device, connecting to RADIUS, it has a username and password. Not a WAP key.

Any ideas why Win7 and WinXP laptops are not connecting to RADIUS?

Regards
HorshamIT
Question by:Tony
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 38859450
Make sure you set Wireless Setting on WinXP and Win7 to use WPA2-Enterprise (preferably - same as you've set on Cisco) and to use the same encryption as you've set on Radius.
most likely PEAP-MsChap V2

Apple devices detect settings automatically
Win7 might detect settings automatically
Win XP doesn't

More here: http://www.eduroam.ie/userdocs/winxp-peap.php You must of course change settings to correspond to your NPS settings.
0
 
LVL 1

Author Comment

by:Tony
ID: 38859864
Hi,

Thanks for the reply.

I have attached the settings on the Cisco (Cisco.jpg) and also by adding the Win7 to the network manually (Manual.jpg) and by going to the Network And Sharing Centre quicklaunch (Standard.jpg).

Regards
HorshamIT
Manual.PNG
Standard.PNG
Cisco.jpg
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 38861486
Windows 7 should tell you it couldn't connect if you let it automatically find the network.  If it's asking for a WPA key I'd guess you've either configured a GPO to enforce the wireless settings and it's wrong, or your AP is advertising the wrong security type to the client.

With your manual configuration you probably need to untick the 'Validate Server Certificate' box in the Authentication settings box where you have configured the WLAN on your Win7 machine.

Check this out...

http://danielmiessler.com/blog/how-to-use-wpa-2-enterprise-in-windows-7
0
 
LVL 1

Author Comment

by:Tony
ID: 38875078
Hi,

I did post a reply but somehow it's gone.

I have tried the above and got through all the stages, however after the final stage it did not give me a username and password box. We also need to find out if RADIUS or WPA2 - Enterprise is supported by XP as most of our company is still running XP as the OS.

I have attached my server config to see if anything has been set up incorrectly.

Regards
HorshamIT
UKHORSHCSDT4444-0451.jpg
UKHORSHCSDT4444-0450.jpg
UKHORSHCSDT4444-0449.jpg
UKHORSHCSDT4444-0448.jpg
UKHORSHCSDT4444-0447.jpg
UKHORSHCSDT4444-0446.jpg
UKHORSHCSDT4444-0445.jpg
UKHORSHCSDT4444-0444.jpg
UKHORSHCSDT4444-0443.jpg
UKHORSHCSDT4444-0442.jpg
UKHORSHCSDT4444-0441.jpg
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 500 total points
ID: 38875178
Ok, a few things here.

First, you've configured a remote RADIUS group, yet you don't want or need this if you are authenticating requests on that server.  Remove the RADIUS server group and undo the forwarding options in UKHORSHCSDT4444-0447.jpg and UKHORSHCSDT4444-0448.jpg.
Basically, if you only have one RADIUS or NPS server you don't need to do anything with the Connection Request Policy.  All you need is a Network Policy.

You've set the type of access server as DHCP server.  You don't need this either.  Just leave it as Unspecified.

UKHORSHCSDT4444-0445.jpg - untick the two options at the bottom of the page to test.  You shouldn't need those to be selected unless you are actually using NAP and some special RADIUS attributes.
0
 
LVL 1

Author Comment

by:Tony
ID: 38875767
Hi Craig,

Thanks for your help, but I have done what you have advised and have still got problems connecting and also a few concerns.

At the moment, we have only tested one Cisco in a controlled environment but in the future, when it goes live we will have 10+ in the same setup so the settings I changed in your first paragraph will affect multiple NPS servers.

Also each of our sites have got their own DHCP range given out by DHCP servers on site, so is setting the type of access also going to stop that?

However my concern is the settings on the client PC is still not allowing me to connect or not showing a username/password box unless I manually configure it.

Regards
HorshamIT
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 500 total points
ID: 38875826
Ok, the number of APs or NPS servers isn't an issue.  To use multiple NPS servers you should configure them on the APs as RADIUS servers.  If you use just one NPS server to handle the initial RADIUS request then forward to multiple servers you are actually removing the redundancy as your APs will only be looking at the first NPS server and not the others.

So, if you have two NPS servers (for example), configure them both on your APs and set them in priority order (primary and backup) so you can use them all without the complex configuration at the RADIUS server side.

The fact that you have a DHCP server isn't an issue at all here.  Setting the RADIUS server type won't give you any benefit at all, so it's only ever going to cause you problems if anything.

Can you delete the manual WLAN profile you created on the client and let it detect the WLAN itself, then post a screenshot from the Security tab (which includes the type of authentication, etc), and the Advanced settings within that tab?
0
 
LVL 1

Author Comment

by:Tony
ID: 38875846
Please see screenshots of complete computer configuration for RADIUS server
1.PNG
2.PNG
3.PNG
4.PNG
5.PNG
6.PNG
7.PNG
8.PNG
9.PNG
10.PNG
11.PNG
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 38876075
In image 9, you need to specify User Authentication.
0
 
LVL 1

Author Comment

by:Tony
ID: 38876116
Hi Craig,

Sorry I took the screenshots after setting that.

Can I ask why it is still being affected or is there any other software required for RADIUS to run e.g. SQL or ForeFront? Is the server also being a cause running AD or other features that are making RADIUS fail?

Regards
HorshamIT
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 38876190
That's why I wanted a screenshot of what Windows thinks it is seeing - not what you've specifically set, but it's ok as long as you have set the User Authentication option.

There isn't any other software required for RADIUS to work - it is all contained within the NPS role.

Can you provide some of the NPS logs from the server?  You'll find them in Custom Logs, not the usual System log as you used to with IAS.
0
 
LVL 1

Author Comment

by:Tony
ID: 38879349
Please see attached custom logs.
RADIUS-Server.xml
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 38879894
There's nothing in those logs!

Maybe you've not allowed ports 1812 and 1813 through the firewall on the NPS server.

Can you ping the AP from the NPS server?
0
 
LVL 1

Author Comment

by:Tony
ID: 38879945
Hi Craig,

Please see attached.

What I might do is go back to my snapshot before NPS and go through the stages again but I have looked at what I have done against a Youtube tutorial and I do not know how I have mucked up.

Regards
HorshamIT
UKHORSHCSDT4444-0005.jpg
UKHORSHCSDT4444-0006.jpg
UKHORSHCSDT4444-0007.jpg
0
 
LVL 1

Author Comment

by:Tony
ID: 38885416
Hi,

Just an update, I have reset NPS and set up the connections shown in the previous posts.

I have still got the same issue with RADIUS not allowing Win7 and WinXP to connect.

Regards
Max
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 38885741
Set the firewall rule to work for any profile.  At the moment it's just configured for the Domain profile.

You really need to be seeing something in the NPS logs, even if it's just something about an invalid NAS client.  The fact that there is absolutely nothing there suggests the AP can't talk to the RADIUS server.
0
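One way to test the point in the comment above (completely empty NPS logs suggest the RADIUS traffic never reaches the server), as an added example that is not part of the thread: a minimal RADIUS Access-Request probe built per RFC 2865, with the Message-Authenticator attribute from RFC 2869, sent to UDP 1812. The user name, password and script name are constructed placeholders; the server address and shared secret are supplied on the command line.

```python
import hashlib, hmac, os, socket, struct, sys

ACCESS_REQUEST = 1                      # RADIUS packet code (RFC 2865)
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(1, -(-len(password) // 16)) * 16   # multiple of 16, minimum 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type, value):
    """Encode one attribute as type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(user, password, secret, ident=1, authenticator=None):
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16))   # zeroed while signing
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac            # Message-Authenticator is the last 16 bytes

def probe(server, packet, port=1812, timeout=3.0):
    """Send the request; return the reply code, or None (timeout or ICMP error)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except OSError:
            return None
    return reply[0]

if __name__ == "__main__":
    # Usage: probe.py <nps-server> <shared-secret>; the credentials are placeholders.
    pkt = build_access_request(b"probe-user", b"placeholder", sys.argv[2].encode())
    print("reply code:", probe(sys.argv[1], pkt))
```

Any reply code (2 Access-Accept, 3 Access-Reject, 11 Access-Challenge) shows the request reached the RADIUS service. No reply together with no new log entry on the server points at the network path or firewall rather than at the NPS policies.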
 
LVL 1

Author Comment

by:Tony
ID: 38888420
Hi Craig,

I have now set the firewall to disabled. For the NPS logs, my server is not showing any errors since 12/02/2013.

I have also noticed that the Win7 setup is doing what it should do as it keeps trying to connect when I open the available networks list.

However I cannot get the Win7 laptop to connect to the network other than via the trusty cable.

I will look back into this in 2 weeks time as I will be on leave after tomorrow. If you wouldn't mind pointing in the direction of websites that show a complete setup step by step as the video tutorial: http://bit.ly/XE2zHg shows the complete setup and have followed this quite a few times now.

Regards
HorshamIT
0
 
LVL 1

Author Closing Comment

by:Tony
ID: 38973582
Although I have still not been able to resolve the issue, we have put this on the back burner as we are not going with this method and my manager does not wish me to spend time on this at present.
0
