[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1086
  • Last Modified:

SETTING UP RADIUS SERVER USING SERVER 2008

Hi ,

AIM : My AIM is to implement a RADIUS Server using Server 2008 R2 and allow my Cisco Small Business WAP-321 to authenticate clients using domain Credentials.

I want to use EAP-MSCHAP V2 as an authentication protocol to authenticate my wireless clients.

My Setup:
I have a domain controller which is running exchange,DNS and DHCP on it.

And now I have a ESXI Server Box running a SERVER 2008 R2 Enterprise edition, in which I have installed NPS Role and configured the Network Policy Server using the attached document.

Also I have configured my Cisco AP to use this RADIUS Server for Authentication and authentication protocol as WPA Enterprise.

ISSUE:

Now the issue is , when i try to connect my wireless clients , the connections is unsucessfull.

I checked the NPS Logs and it says the below
-----------------------------------------------------------------------------------------------------
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
	Security ID:			NULL SID
	Account Name:			domain\username
	Account Domain:			domain
	Fully Qualified Account Name:	domain\username

Client Machine:
	Security ID:			NULL SID
	Account Name:			-
	Fully Qualified Account Name:	-
	OS-Version:			-
	Called Station Identifier:		D8-67-D9-D1-E9-20:ADRJSLEDFIWMDWOQFDFPE
	Calling Station Identifier:		8C-70-5A-47-B9-AC

NAS:
	NAS IPv4 Address:		192.168.3.251
	NAS IPv6 Address:		-
	NAS Identifier:			-
	NAS Port-Type:			Wireless - IEEE 802.11
	NAS Port:			0

RADIUS Client:
	Client Friendly Name:		AP-001
	Client IP Address:			192.168.3.251

Authentication Details:
	Connection Request Policy Name:	Wireless Users
	Network Policy Name:		-
	Authentication Provider:		Windows
	Authentication Server:		radius.domain.net
	Authentication Type:		EAP
	EAP Type:			-
	Account Session Identifier:		-
	Logging Results:			Accounting information was written to the local log file.
	Reason Code:			22
	Reason:				The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.


------------------------------------------------------------------------


I have installed any CA on this server.

So please advice me whether I have implement the set-up properly and do advice me how to fix this NPS Authentication issue , so that I can authenticate our clients.

The Document I used to implement my setup is this link below

https://www.mafiasecurity.com/access-control/step-by-step-radius-server-guide/


Please advice
0
nirmal_s19
Asked:
nirmal_s19
  • 8
  • 7
2 Solutions
 
Jakob DigranesSenior ConsultantCommented:
The error message you get is most likely due to mismatch between settings on PC and server.
The client tries to use a authentication method that the server haven't configured.

But you have a CA setup internally?

If so - configure policies to use PEAP with MsChap av inner method.
Mschap is broken - so you need a secure PEAP tunnel to exchange the MsChap challenge

and never never use the "less secure authentication methods" as they are --- not secure

http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/ 

Try this.

Also - you could post settings on client computer ---
and also you can take a screen shot of constraints --- see my attached picture
NPS-policy.PNG
0
 
nirmal_s19Author Commented:
Hi,

Im getting a error message when i tried to open the CA and the error code is attached for your reference.

Also i have attached the Client and NPS Server side settings for your examination.

Can you please advice me , how to get this working without certificate.

But also is there a way to install a Standalone CA on this server or use a Certificate from an external certificate authority.

Please advice....
Certificate-Services-Error.PNG
Client-Side-Configuration.png
Server-Side---Connection-Request.png
Server-Side--Network-Policy.png
0
 
Jakob DigranesSenior ConsultantCommented:
yes --- you can install CA without public Certificate.
The link I sent included setup of an simple internal CA
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
Jakob DigranesSenior ConsultantCommented:
The Certificate error is natural, the service isn't installed. Add Remove roles and you're there.
For the client setup - it looks good.

You clients try to setup a PEAP session, which your server won't allow since it has no certificate to use for the PEAP.

On server side:
- Don't worry with Connection request policies - Those are there for proxying to other servers
- on Network Policies, do the following:
remove Mscap as EAP Type
remove ALL less secure authentication methods
That leaves you with just PEAP - then choose edit PEAP and add MsChap as inner authentication method. But then you need a certificate on NPS server - which you don't have.

quick fix is to use just MsChapV2 as EAP Type (not recommended) - but then your clients must use Mschap only aswell -- in "Choose a network authentication method" --- i must admit that I'm not sure i MsChap is a valid choice there ----
0
 
nirmal_s19Author Commented:
can i install a standalone CA on this Radius Server box and i dont want an domain based CA.
0
 
nirmal_s19Author Commented:
Also will there be an issue if i happen to install an Enterprise CA or how should i find out whether there are any CA already installed in the Domain.
0
 
nirmal_s19Author Commented:
any help please
0
 
Jakob DigranesSenior ConsultantCommented:
you can have a stand alone CA - but then you'd run into trust issues all the time. You must add root certificate to all PCs then.

No problem having several Enterprise CAs in the domain - other than it might be hard to keep track of all certificates and templates if you have many CAs --- but you don't mess up anything - Just one thing.... Do not add many certificate templates to the new server, and the templates you add - make sure that you create new groups for auto enrollment of certificates, to make sure you don't enroll your test certificates to all domain users... but as long as you make sure no groups other than your new group is set fr autoenrollment, your safe. You set this in your certificate templates when you duplicate and add them to certificate server.
0
 
Jakob DigranesSenior ConsultantCommented:
here's a nice guide for a basic CA installation

http://aaronwalrath.wordpress.com/2010/04/16/install-an-enterprise-certificate-authority-in-windows-2008-r2/

This is based on one CA both root and issuing.

Is your company large or in some special branches, you might need  an ofline root and then subordinate issuing CAs... but for just issuing a certificate to a NPS - you only need the easy setup.
This setup includes bith CA and NPS setup: http://www.fatofthelan.com/technical/using-windows-2008-for-radius-authentication/
0
 
nirmal_s19Author Commented:
I managed to install a standalone CA and got a server certificate issued.

But the NAP server give the same error that "The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".

My AD is running on Server 2003 R2 Servers and this VM Machine which I have installed Server 2008 R2 is a Domain Member Server.

We also have server Exchange 2003 server running on another Server 2003 Box.

I run a command called "certutil -config - -ping" to check whether there are any CA installed and it said "No Active Certificate Authorities Found"

Now...... Do you recommend that I can still Install a CA on this VM with Server 2008 R2 and will my outlook clients or the workstations will they have ahy issues if i install this Entrephrise Root CA.

Should I go ahead installing ENterphrise CA on this VM Box
0
 
nirmal_s19Author Commented:
Also I forgot to tell you that I've installed Vsphere Server 5.1 on this same VM in which i have planned to install Enterprise CA.
0
 
Jakob DigranesSenior ConsultantCommented:
OK --- we'll sort this out.
Could probably have written several pages on how certification works --- but this is the essentials that you need.

Error 1: I run a command called "certutil -config - -ping" to check whether there are any CA installed and it said "No Active Certificate Authorities Found"
That is as expected since you installed a stand-alone certificate server no one is aware that it exists, other than you and the stand-alone server. When an Enterprise CA is setup, it adds quite a few settings in directory container - so that clients looking for a Certificate can find it through a SCP. A stand alone doesn't create a SCP so no one can find it. You could create this manually - but don't bother

ERROR2: But the NAP server give the same error that "The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server".
To get PEAP working you need to make sure that both the NPS server trust the certificate the it has, make sure that root certificate for the issued certificate is installed as well, and that the server has the private key to the certificate. But this is not an issue when using Enterprise CA

When you install an Enterprise CA - the only thing (expect design (!)) is not having any templates to begin with, that can start auto enrolling. Depending on what people have done to GPOs in your domain earlier - they might have turned on auto enrollment on entire domain.... if you have templates set up for auto enrollment, all users and computer MIGHT get certificates. But just getting certificates will not break anything - it'll could be a bit troublesome if you later on decide on authenticating clients based on EAP-TLS and certificates ...

Go ahead and install an Enterprise CA, all you need is one certificate for the NPS...

And remember, in a year or so - the certificate expires ans you need to enroll for a new one :-)
0
 
nirmal_s19Author Commented:
I have checked the GPO Settings on the AD for Domain Default Policy and under User Configuration , Auto Enrolment settings , it is been configured to Enrol for Certificates Automatically"

Should I Disable this Auto Enrolment Feature off before I install this new Root Enterprise CA.
0
 
Jakob DigranesSenior ConsultantCommented:
Yes -- please do
Do the same for Computer Configuration as well
0
 
yo_beeDirector of ITCommented:
I know this is not addressing the an answer to the issue at hand, but this link has some good how to videos and labs for setting up NPS  

http://technet.microsoft.com/en-US/network/dd420463
0
 
nirmal_s19Author Commented:
MY NPS SERVER IS WORKING GREAT WITH ENTERPRISE CA
0

Featured Post

New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

  • 8
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now