  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 744

Wireless Connections Using RADIUS Authentication

Hello Experts,

I set up RADIUS authentication (Windows Server 2008 R1) for wireless a while back, and recently, after installing a new AP, I am unable to authenticate using multiple notebooks, but the iPads still seem to work. I am at a loss ... because it is happening across many different types of notebooks and a wireless adapter. I have read a few different articles about this and have made some adjustments, but it does not seem to want to cooperate.

I have configured the wireless settings for the notebook to disable integrated authentication so it prompts for a user/pass every time now.

The notebook sees the SSID broadcasting, and the user is a member of the allowed group that works on the iPad. I have tried with and without the domain prefix. When I try to authenticate I get "Windows was unable to connect to SSID_Name".


Thoughts or resources would be appreciated.

Thanks,
Ryan
Asked: Ryan Rood
4 Solutions
 
Jakob DigranesSenior ConsultantCommented:
Since iPads are working and PCs are not, this is most likely due to wrong client settings on the PC.
iOS devices are good at determining what authentication settings to use. Win 7 is not.

So if your network policy says that the EAP type is PEAP and the inner authentication is MSCHAPv2,
you need identical settings on Win7. Also, a typical error is that Win7 thinks it should use machine authentication, but you probably should set this to User (since iPads are on).
Or do you use both machine and user? This is set in Advanced settings on Win 7.

Also, look at Event Viewer on the NPS server (Event Viewer - Custom Views - Server Roles - Network Policy Server) and look for the error after a user has tried to log on.... the error is probably marked as an informational event, not a failure.
0
 
Craig BeckCommented:
I second what jakob_di says... the logs are VERY informative.  All of the successes and failures will be informational events; the only warnings will be related to service events and not client authentication events.

If you could post some failure logs that would be helpful.
0
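Both of the replies above point at the same thing: the NPS accounting log (or the equivalent Security-log events) tells you why a request was accepted or rejected, and the verdict is carried in the Packet-Type and Reason-Code fields rather than in the event severity. The script below is an added example, not code from the thread or from Microsoft; it parses NPS log lines in the DTS Compliant (one XML `<Event>` per line) format and summarises accepts, rejects and reject reasons per user. The sample log lines, the user names and the AP name are constructed for the example, and the reason-code table covers only a handful of codes I am confident of; the full list lives in the NPS documentation.

```python
"""Summarise RADIUS authentication outcomes from NPS DTS-compliant log lines.

Added example for reviewing NPS logs; the sample data below is constructed
and is not the log1.txt..log4.txt attached to the thread.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# RADIUS packet codes (RFC 2865) as NPS writes them in the Packet-Type field.
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# A small subset of NPS reason codes; anything else is reported by number.
REASON_CODES = {
    0: "success",
    16: "credentials mismatch",
    48: "no matching network policy",
    49: "no matching connection request policy",
    66: "authentication method not enabled on the matching network policy",
}

# Constructed sample: four request/response pairs from one access point.
SAMPLE_LOG = """\
<Event><Timestamp data_type="4">01/09/2014 08:00:01.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\ryan</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/09/2014 08:00:01.020</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\ryan</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">01/09/2014 08:01:10.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\jdoe</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/09/2014 08:01:10.030</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\jdoe</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
<Event><Timestamp data_type="4">01/09/2014 08:02:30.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\mbell</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/09/2014 08:02:30.025</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\mbell</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">48</Reason-Code></Event>
<Event><Timestamp data_type="4">01/09/2014 08:03:05.000</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\ipad-user</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">01/09/2014 08:03:05.018</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\\ipad-user</User-Name><Client-Friendly-Name data_type="1">AP-LOBBY</Client-Friendly-Name><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
"""


def parse_events(log_text):
    """Turn each non-empty log line into a {tag: text} dict."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        root = ET.fromstring(line)  # each line is a self-contained <Event>
        events.append({child.tag: (child.text or "").strip() for child in root})
    return events


def classify(event):
    """Return (packet type name, reason code or None) for one event."""
    ptype = PACKET_TYPES.get(int(event.get("Packet-Type", "0")), "unknown")
    reason = int(event["Reason-Code"]) if "Reason-Code" in event else None
    return ptype, reason


def summarize(events):
    """Count requests/accepts/rejects and collect reject reasons and users."""
    summary = {"requests": 0, "accepts": 0, "rejects": 0,
               "reject_reasons": Counter(), "rejected_users": set()}
    for ev in events:
        ptype, reason = classify(ev)
        if ptype == "Access-Request":
            summary["requests"] += 1
        elif ptype == "Access-Accept":
            summary["accepts"] += 1
        elif ptype == "Access-Reject":
            summary["rejects"] += 1
            label = REASON_CODES.get(reason, f"reason code {reason}")
            summary["reject_reasons"][label] += 1
            summary["rejected_users"].add(ev.get("User-Name", "?"))
    return summary


if __name__ == "__main__":
    result = summarize(parse_events(SAMPLE_LOG))
    print(f"requests={result['requests']} accepts={result['accepts']} "
          f"rejects={result['rejects']}")
    for label, count in result["reject_reasons"].items():
        print(f"  reject: {label} x{count}")
    print("  rejected users:", ", ".join(sorted(result["rejected_users"])))
```

Point the script at a real log with `summarize(parse_events(open(path).read()))`; the useful check for the problem in this thread is whether the notebook's user appears with an Access-Accept at all. If it does, NPS is satisfied and the failure is between the AP and the client (key exchange, cipher, DHCP), which is exactly the direction the later replies take.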
 
Ryan RoodAuthor Commented:
Ok - I have attached the setup of the RADIUS server. All logs on the NPS look good. Every time I authenticate it says that it has been granted. So it looks like everything is working well on the server. Notebook screen shots to follow.
RADIUS-Config.png
RADIUS-Config2.png
RADIUS-Config3.png
RADIUS-Config4.png
0
 
Ryan RoodAuthor Commented:
0
 
Craig BeckCommented:
Can we see the logs anyway??
0
 
Ryan RoodAuthor Commented:
Here are two auth requests.
log1.txt
log2.txt
log3.txt
log4.txt
0
 
Craig BeckCommented:
I notice you have a proxy policy in the logs.  Have you configured a connection request policy?
0
 
Jakob DigranesSenior ConsultantCommented:
Jolly Good information collection :-) Thanks.

First of all, in the RADIUS config 1 picture:
In EAP types, remove MSCHAP, leaving just PEAP. And also clear all "Less Secure Authentication Methods" (!)

But RADIUS has authenticated you, so the rest is up to the wireless side.
Make sure VLANs and DHCP are working. You won't get an IP until after you've authenticated, but you can be authenticated and a DHCP error will still show that you're not connected to wireless.

What wireless system do you have?
0
 
Ryan RoodAuthor Commented:
Updated configuration as per your recommendation on both policies. Using a D-Link DWL-8600AP. No VLANs. DHCP is working if I plug into the network. Do I have to tell RADIUS anything special to pass to DHCP? DHCP is actually on the same server.
0
 
Jakob DigranesSenior ConsultantCommented:
Nope. The AP will only allow L2 authentication traffic to the station until it's successfully authenticated. Then it will hand it over to L3 and DHCP and IP ...

This might look like an AP error ...

try upgrading firmware: http://www.dlink.com/us/en/support/faq/access-points-and-range-extenders/access-points/dwl-series/how-to-upgrade-the-firmware-on-the-dwl-8600ap-managed

Here is a delightful TFTP server for your PC ... <3: http://tftpd32.jounin.net/tftpd32_download.html
0
 
Jakob DigranesSenior ConsultantCommented:
Take a look at page 26 here: http://www.dlink.com/-/media/Business_Products/DWL/DWL%208600AP/Manual/DWL_8600AP_Manual_v3_00_EN_US.pdf
What does the client association page say??
0
 
Craig BeckCommented:
...just take it back a little... If the iPads work, it's less likely to be an AP firmware issue.  Obviously I wouldn't rule it out, but it doesn't make sense for it to be ok with some devices and not others.

Are there any logs on the AP?

Do you have WPA and WPA2 enabled on the AP?  If so, do you have AES enabled for use with WPA, and TKIP enabled for use with WPA2?

Lots of clients don't like to use WPA with AES, or WPA2 with TKIP.  This can cause problems with traffic post-authentication.
0
 
Jakob DigranesSenior ConsultantCommented:
Ahh ... iPads working ... I was looking for that info but couldn't find it.
Agreed, most likely not an AP issue then .... (argh -- *$$!!**)
0
 
Ryan RoodAuthor Commented:
Firmware is current at "4.1.0.11".

I don't readily see any logs ... it does have an SSH console, but nothing aside from technical logging ... not for monitoring things like wireless connections.

I have WPA2, TKIP and AES enabled (and enable pre-authentication).
0
 
Craig BeckCommented:
Ok can you disable TKIP and try?
0
 
Craig BeckCommented:
Also, you're not using machine authentication so you should disable pre-authentication.
0
 
Ryan RoodAuthor Commented:
Ok - done both. Will try again tomorrow. Side note on pre-authentication, can I create a security group in AD to allow an (AD PC) to authenticate instead?
0
 
Craig BeckCommented:
You can create a new policy in RADIUS which uses EAP-TLS, and use the Domain Computers condition.
0
 
Ryan RoodAuthor Commented:
Same result for the wireless ... still will not connect using WPA2 Enterprise using AES.
0
 
Craig BeckCommented:
Ok can you verify that a client can connect successfully with NO authentication or encryption?
0
 
Ryan RoodAuthor Commented:
Notebook connects immediately with no security on it and gets an IP Address.
0
 
Craig BeckCommented:
So maybe there's an encryption issue.

Can you try with WPA2/AES using a preshared key?
0
 
Ryan RoodAuthor Commented:
Connects immediately with no special configuration necessary on the notebook using WPA2.
0
 
Craig BeckCommented:
Sooooooo, I'm going to go out on a limb here...

There were massive problems with NPS in 2008 R1 which were fixed in R2.  This kind of behaviour was exactly what I saw with at least 5 different sites using NPS in R1.

I don't suppose you have a 2008 R2 box you can install the NPS role on to test??
0
 
Ryan RoodAuthor Commented:
Well ... that would be very interesting, wouldn't it. I suppose I could download a "test" server and set up NPS on it to see what happens.
0
 
Ryan RoodAuthor Commented:
Ok - 2008 R2 trial installed ... NPS configured. No dice ... this is crazy. Wondering if maybe the device is just not "capable" even though it claims it is.
0
 
Jakob DigranesSenior ConsultantCommented:
Can you try DOWNGRADING the firmware??
0
 
Craig BeckCommented:
+1
0
 
Ryan RoodAuthor Commented:
I am going to have a nice chat with Dlink today. Will advise.
0
 
Ryan RoodAuthor Commented:
Still not resolved but I appreciate the help. I am going to try and put a new 2012 server out and see if it functions better.
0
