Solved

Wireless Connections Using RADIUS Authentication

Posted on 2013-06-10
30
707 Views
Last Modified: 2013-10-04
Hello Experts,

I set up RADIUS authentication (Windows Server 2008 R1) for wireless a while back and recently, after installing a new AP, I am unable to authenticate using multiple notebooks but the iPads still seem to work. I am at a loss ... because it is happening across many different types of notebooks and a wireless adapter. I have read a few different articles about this and have made some adjustments but it does not seem to want to cooperate.

I have configured the wireless settings for the notebook to disable integrated authentication so it prompts for a user/pass every time now.

The notebook sees the SSID broadcasting and the user is a member of the group allowed that works on the iPad. I have tried with and without domain prefix. When I try to authenticate I get "Windows was unable to connect to SSID_Name".


Thoughts or resources would be appreciated.

Thanks,
Ryan
0
Comment
Question by:Ryan Rood
30 Comments
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39236847
Since iPads are working, and PCs not - then this is most likely due to wrong client settings on the PC.
iOS devices are good at determining what authentication settings to use. Win 7 is not.

So if your network policies say that EAP type is PEAP and inner authentication is MsChapv2
you need identical settings on Win7, and also - a typical error is that Win7 thinks it should use machine authentication - but you probably should set this to User (since iPads are on).
Or do you use both machine and user? This is set on Advanced settings for Win 7.

Also - look at Event Viewer on the NPS server (Event Viewer - Custom View - Server roles - Network Policy Server) and look for the error after the user has tried to log on.... the error is probably marked as an informational event - not a failure.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39237415
I second what jakob_di says... the logs are VERY informative.  All of the successes and failures will be informational events - the only warnings will be related to service events and not client authentication events.

If you could post some failure logs that would be helpful.
0
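The NPS log review both experts ask for above, as an added example that is not part of the thread: NPS records "access granted" as Security event 6272 and "access denied" as 6273, both at Information level, which is why a failed logon never shows up as an error. The script assumes it is run on the NPS server with PowerShell 3.0 or later and an account that can read the Security log.

```powershell
# Added example (not from the thread): summarise NPS authentication outcomes
# from the Security log. 6272 = access granted, 6273 = access denied.
function Get-NpsAuthSummary {
    param([int]$Hours = 1)

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 6272, 6273
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            # Helper: pull one "Label: value" field out of the event text.
            $f = { param($label) [regex]::Match($m, "$label\s*:\s*(.+)").Groups[1].Value.Trim() }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Result   = if ($_.Id -eq 6272) { 'GRANTED' } else { 'DENIED' }
                User     = & $f 'Account Name'
                Client   = & $f 'Calling Station Identifier'   # client MAC
                AP       = & $f 'Called Station Identifier'    # AP MAC:SSID
                AuthType = & $f 'Authentication Type'          # e.g. PEAP
                EapType  = & $f 'EAP Type'                     # inner method
                Policy   = & $f 'Network Policy Name'
                Reason   = & $f 'Reason Code'                  # 0 on success
            }
        } | Sort-Object Time
}

# Usage: list the last hour, then count denials per reason code so a
# repeated mismatch (EAP type, policy, credentials) is easy to spot.
$summary = Get-NpsAuthSummary -Hours 1
$summary | Format-Table Time, Result, User, Client, AuthType, EapType, Policy, Reason -AutoSize
$summary | Where-Object { $_.Result -eq 'DENIED' } |
    Group-Object Reason | Select-Object Name, Count
```

Comparing the AuthType and EapType columns of a granted iPad logon with those of a notebook attempt shows directly whether the Windows client is offering the same PEAP/MS-CHAPv2 combination the policy expects.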
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39238273
Ok - I have attached the setup of the RADIUS server. All logs on the NPS look good. Every time I authenticate it says that it has been granted. So it looks like everything is working well on the server. Notebook screen shots to follow.
RADIUS-Config.png
RADIUS-Config2.png
RADIUS-Config3.png
RADIUS-Config4.png
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39238299
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39238367
Can we see the logs anyway??
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39238400
Here are two auth requests.
log1.txt
log2.txt
log3.txt
log4.txt
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39238475
I notice you have a proxy policy in the logs.  Have you configured a connection request policy?
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39239074
Jolly Good information collection :-) Thanks.

First of all, - in radius config 1 picture:
In EAP-types - remove Mschap leaving just PEAP. And also clear all "Less Secure Authentication Methods" (!)

But the Radius have authenticated you, so the rest is up to the wireless to get.
Make sure VLANs and DHCP are working, you won't get an IP until after you've authenticated - but you can be authenticated, and a DHCP error will show that you're not connected to wireless.

What wireless system do you have?
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39239273
Updated configuration as per your recommendation on both policies. Using a D-Link DWL-8600AP. No VLANs. DHCP is working if I plug into the network. Do I have to tell RADIUS anything special to pass to DHCP? DHCP is actually on the same server.
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39239293
nope --- The AP will only allow L2 authentication traffic to the station until it's successfully authenticated. Then it will hand it over to L3 and DHCP and IP ...

This might look as an AP error ---

try upgrading firmware: http://www.dlink.com/us/en/support/faq/access-points-and-range-extenders/access-points/dwl-series/how-to-upgrade-the-firmware-on-the-dwl-8600ap-managed

here's a delightful TFTP server for your PC ... <3: http://tftpd32.jounin.net/tftpd32_download.html
0
 
LVL 22

Expert Comment

by:Jakob Digranes
ID: 39239308
take a look at page 26 here: http://www.dlink.com/-/media/Business_Products/DWL/DWL%208600AP/Manual/DWL_8600AP_Manual_v3_00_EN_US.pdf
What does the client association page say??
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39239311
...just take it back a little... If the iPads work it's less likely to be an AP firmware issue.  Obviously I wouldn't rule it out but it doesn't make sense for it to be ok with some devices and not others.

Are there any logs on the AP?

Do you have WPA and WPA2 enabled on the AP?  If so, do you have AES enabled for use with WPA, and TKIP enabled for use with WPA2?

Lots of clients don't like to use WPA with AES, or WPA2 with TKIP.  This can cause problems with traffic post-authentication.
0
 
LVL 22

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 250 total points
ID: 39239326
ahh ... iPads working ... was looking for that info, but couldn't find it.
agree - most likely not AP issue then .... (argh -- *$$!!**)
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39239417
Firmware is current at "4.1.0.11".

I don't readily see any logs ... it does have an SSH console but nothing aside from technical logging ... not to monitor things like wireless connections.

I have WPA2, TKIP and AES enabled (and enable pre-authentication).
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39239514
Ok can you disable TKIP and try?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39239517
Also, you're not using machine authentication so you should disable pre-authentication.
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39239812
Ok - done both. Will try again tomorrow. Side note on pre-authentication, can I create a security group in AD to allow an (AD PC) to authenticate instead?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39240627
You can create a new policy in RADIUS which uses EAP-TLS, and use the Domain Computers condition.
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39240869
Same result for the wireless ... still will not connect using WPA2 Enterprise using AES.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39240882
Ok can you verify that a client can connect successfully with NO authentication or encryption?
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39240893
Notebook connects immediately with no security on it and gets an IP Address.
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39240925
So maybe there's an encryption issue.

Can you try with WPA2/AES using a preshared key?
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39240945
Connects immediately with no special configuration necessary on the notebook using WPA2.
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39241027
Sooooooo, I'm going to go out on a limb here...

There were massive problems with NPS in 2008 R1 which were fixed in R2.  This kind of behaviour was exactly what I saw with at least 5 different sites using NPS in R1.

I don't suppose you have a 2008 R2 box you can install the NPS role on to test??
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39242199
Well ... that would be very interesting wouldn't it. I suppose I could download a "test" server and setup NPS on it to see what happens.
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39248676
Ok - 2008 R2 trial installed ... NPS configured. No dice ... this is crazy. Wondering if maybe the device is just not "capable" even though it claims it is.
0
 
LVL 22

Accepted Solution

by:Jakob Digranes
Jakob Digranes earned 250 total points
ID: 39249136
can you try DOWNGRADING firmware??
0
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39249812
+1
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39253125
I am going to have a nice chat with Dlink today. Will advise.
0
 
LVL 1

Author Closing Comment

by:Ryan Rood
ID: 39546497
Still not resolved but I appreciate the help. I am going to try and put a new 2012 server out and see if it functions better.
0
