Solved

SETTING UP RADIUS SERVER USING SERVER 2008

Posted on 2013-06-06
Last Modified: 2013-07-26
Hi,

Aim: My aim is to implement a RADIUS server using Server 2008 R2 and allow my Cisco Small Business WAP-321 to authenticate clients using domain credentials.

I want to use EAP-MSCHAP v2 as the authentication protocol to authenticate my wireless clients.

My setup:
I have a domain controller which is running Exchange, DNS and DHCP.

And now I have an ESXi server box running Server 2008 R2 Enterprise Edition, on which I have installed the NPS role and configured the Network Policy Server using the attached document.

Also I have configured my Cisco AP to use this RADIUS server for authentication, and the authentication protocol as WPA Enterprise.

Issue:

Now the issue is, when I try to connect my wireless clients, the connection is unsuccessful.

I checked the NPS Logs and it says the below
-----------------------------------------------------------------------------------------------------
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			domain\username
	Account Domain:			domain
	Fully Qualified Account Name:	domain\username

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		D8-67-D9-D1-E9-20:ADRJSLEDFIWMDWOQFDFPE
	Calling Station Identifier:		8C-70-5A-47-B9-AC

NAS:
	NAS IPv4 Address:		192.168.3.251
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		AP-001
	Client IP Address:			192.168.3.251

Authentication Details:
	Connection Request Policy Name:	Wireless Users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		radius.domain.net
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			22
	Reason:				The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


------------------------------------------------------------------------


I have not installed any CA on this server.

So please advise me whether I have implemented the setup properly, and advise me how to fix this NPS authentication issue so that I can authenticate our clients.

The document I used to implement my setup is the link below:

https://www.mafiasecurity.com/access-control/step-by-step-radius-server-guide/

Please advise.
Question by:nirmal_s19
18 Comments

LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 500 total points
ID: 39225173
The error message you get is most likely due to a mismatch between settings on the PC and server.
The client tries to use an authentication method that the server hasn't been configured for.

But do you have a CA set up internally?

If so, configure policies to use PEAP with MSCHAP as the inner method.
MSCHAP is broken, so you need a secure PEAP tunnel to exchange the MSCHAP challenge.

And never, never use the "less secure authentication methods", as they are not secure.

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

Try this.

Also, you could post the settings on the client computer, and take a screenshot of the constraints. See my attached picture:
NPS-policy.PNG
Author Comment

by:nirmal_s19
ID: 39226222
Hi,

I'm getting an error message when I try to open the CA; the error code is attached for your reference.

Also I have attached the client and NPS server side settings for your examination.

Can you please advise me how to get this working without a certificate?

But also, is there a way to install a standalone CA on this server or use a certificate from an external certificate authority?

Please advise....
Certificate-Services-Error.PNG
Client-Side-Configuration.png
Server-Side---Connection-Request.png
Server-Side--Network-Policy.png
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39226406
Yes, you can install a CA without a public certificate.
The link I sent included setup of a simple internal CA.
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39226438
The certificate error is natural; the service isn't installed. Add/Remove Roles and you're there.
For the client setup, it looks good.

Your clients try to set up a PEAP session, which your server won't allow since it has no certificate to use for PEAP.

On the server side:
- Don't worry about connection request policies; those are there for proxying to other servers.
- On network policies, do the following:
remove MSCHAP as EAP type
remove ALL less secure authentication methods
That leaves you with just PEAP. Then choose Edit on PEAP and add MSCHAP as the inner authentication method. But then you need a certificate on the NPS server, which you don't have.

A quick fix is to use just MSCHAPv2 as the EAP type (not recommended), but then your clients must use MSCHAP only as well, in "Choose a network authentication method". I must admit that I'm not sure MSCHAP is a valid choice there.

Author Comment

by:nirmal_s19
ID: 39227616
Can I install a standalone CA on this RADIUS server box? I don't want a domain-based CA.

Author Comment

by:nirmal_s19
ID: 39227763
Also, will there be an issue if I happen to install an Enterprise CA, and how should I find out whether there are any CAs already installed in the domain?

Author Comment

by:nirmal_s19
ID: 39227898
Any help please?
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39228149
You can have a stand-alone CA, but then you'd run into trust issues all the time. You must add the root certificate to all PCs then.

There's no problem having several Enterprise CAs in the domain, other than it might be hard to keep track of all certificates and templates if you have many CAs. But you don't mess up anything. Just one thing: do not add many certificate templates to the new server, and for the templates you do add, make sure that you create new groups for auto-enrollment of certificates, so that you don't enroll your test certificates to all domain users. As long as you make sure no groups other than your new group are set for auto-enrollment, you're safe. You set this in your certificate templates when you duplicate them and add them to the certificate server.
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39228180
Here's a nice guide for a basic CA installation:

http://aaronwalrath.wordpress.com/2010/04/16/install-an-enterprise-certificate-authority-in-windows-2008-r2/

This is based on one CA being both root and issuing.

If your company is large or in some special branches, you might need an offline root and then subordinate issuing CAs, but for just issuing a certificate to an NPS you only need the easy setup.
This setup includes both CA and NPS setup: http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/

Author Comment

by:nirmal_s19
ID: 39228479
I managed to install a standalone CA and got a server certificate issued.

But the NPS server gives the same error: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".

My AD is running on Server 2003 R2 servers, and this VM on which I have installed Server 2008 R2 is a domain member server.

We also have an Exchange 2003 server running on another Server 2003 box.

I ran the command "certutil -config - -ping" to check whether there are any CAs installed and it said "No Active Certificate Authorities Found".

Now...... Do you recommend that I can still install a CA on this VM with Server 2008 R2, and will my Outlook clients or the workstations have any issues if I install this Enterprise Root CA?

Should I go ahead installing an Enterprise CA on this VM box?

Author Comment

by:nirmal_s19
ID: 39228498
Also I forgot to tell you that I've installed vSphere Server 5.1 on this same VM on which I have planned to install the Enterprise CA.
LVL 20

Accepted Solution

by:
Jakob Digranes earned 500 total points
ID: 39228527
OK, we'll sort this out.
I could probably have written several pages on how certification works, but these are the essentials that you need.

Error 1: I ran the command "certutil -config - -ping" to check whether there are any CAs installed and it said "No Active Certificate Authorities Found".
That is as expected: since you installed a stand-alone certificate server, no one is aware that it exists, other than you and the stand-alone server. When an Enterprise CA is set up, it adds quite a few settings in a directory container, so that clients looking for a certificate can find it through an SCP. A stand-alone CA doesn't create an SCP, so no one can find it. You could create this manually, but don't bother.

Error 2: But the NPS server gives the same error: "The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".
To get PEAP working you need to make sure that the NPS server trusts the certificate it has, make sure that the root certificate for the issued certificate is installed as well, and that the server has the private key to the certificate. But this is not an issue when using an Enterprise CA.

When you install an Enterprise CA, the only thing (except design (!)) is not having any templates to begin with that can start auto-enrolling. Depending on what people have done to GPOs in your domain earlier, they might have turned on auto-enrollment for the entire domain.... If you have templates set up for auto-enrollment, all users and computers MIGHT get certificates. But just getting certificates will not break anything; it could be a bit troublesome if you later on decide on authenticating clients based on EAP-TLS and certificates...

Go ahead and install an Enterprise CA; all you need is one certificate for the NPS...

And remember, in a year or so the certificate expires and you need to enroll for a new one :-)
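The two prerequisites the accepted solution names can be checked from PowerShell on the NPS server: first, that the machine store holds a certificate PEAP can actually use (Server Authentication EKU, a usable private key, and a chain to a root the server trusts), and second, that an Enterprise CA is registered in Active Directory, which is the same registration "certutil -config - -ping" looks for and a stand-alone CA never creates. The script below is an added example written for this page, not code posted in the thread; the function names are mine, and it assumes the server is domain-joined, that the NPS certificate is expected in the Local Computer Personal store (Cert:\LocalMachine\My), and PowerShell 2.0 or later as shipped with Server 2008 R2.

```powershell
# Added example for this page (not from the thread). Run in an elevated
# PowerShell on the NPS server. Assumptions: domain-joined server, NPS
# certificate expected in Cert:\LocalMachine\My, PowerShell 2.0 or later.

function Test-NpsPeapCertificate {
    # PEAP needs a server certificate with the Server Authentication EKU,
    # a private key the NPS service can use, and a chain that ends in a
    # root the server itself trusts. Report every certificate in the
    # machine Personal store against those requirements.
    $serverAuthOid = "1.3.6.1.5.5.7.3.1"
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $hasServerAuth = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    if ($oid.Value -eq $serverAuthOid) { $hasServerAuth = $true }
                }
            }
        }

        # Build the chain the way the server sees it. Revocation checking is
        # skipped so an unreachable CRL does not hide a plain trust problem.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk     = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ","
        $notExpired  = $cert.NotAfter -gt (Get-Date)

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            ServerAuthEku = $hasServerAuth
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $chainOk
            ChainStatus   = $chainStatus
            PeapUsable    = ($hasServerAuth -and $cert.HasPrivateKey -and $chainOk -and $notExpired)
        }
    }
}

function Get-EnterpriseCAFromAD {
    # An Enterprise CA registers a pKIEnrollmentService object under the
    # Configuration partition; a stand-alone CA does not. certutil -config
    # - -ping reads this same container, which is why it reported no CA
    # after the stand-alone install in the thread.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Get("configurationNamingContext")
    $path     = "LDAP://CN=Enrollment Services,CN=Public Key Services,CN=Services,$configNc"
    try {
        $container = [ADSI]$path
        foreach ($ca in $container.Children) {
            New-Object PSObject -Property @{
                CAName    = [string]$ca.cn
                DnsHost   = [string]$ca.dNSHostName
                Templates = (@($ca.certificateTemplates) -join ",")
            }
        }
    } catch {
        Write-Warning "No Enrollment Services entries readable at $path : $($_.Exception.Message)"
    }
}

Test-NpsPeapCertificate | Format-Table Subject, PeapUsable, ServerAuthEku, HasPrivateKey, ChainTrusted, ChainStatus, NotAfter -AutoSize
Get-EnterpriseCAFromAD  | Format-Table CAName, DnsHost, Templates -AutoSize
```

A certificate from the stand-alone CA can still show PeapUsable = True in the first table if its root was imported into the server's Trusted Root store, while the second table stays empty, which matches the certutil output in the thread. The second table filling in after the Enterprise CA install is the state the accepted solution is aiming for; the Templates column also shows which templates that CA will issue, which is worth reviewing before auto-enrollment is switched back on.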

Author Comment

by:nirmal_s19
ID: 39228554
I have checked the GPO settings on the AD for the Default Domain Policy, and under User Configuration, Auto Enrolment settings, it has been configured to "Enrol for Certificates Automatically".

Should I disable this auto-enrolment feature before I install this new Enterprise Root CA?
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39228560
Yes, please do.
Do the same for Computer Configuration as well.
LVL 21

Expert Comment

by:yo_bee
ID: 39228955
I know this is not addressing the issue at hand, but this link has some good how-to videos and labs for setting up NPS:

http://technet.microsoft.com/en-US/network/dd420463

Author Closing Comment

by:nirmal_s19
ID: 39357297
My NPS server is working great with the Enterprise CA.