Solved

Wireless Connections Using RADIUS Authentication

Posted on 2013-06-10
Last Modified: 2013-10-04
Hello Experts,

I set up RADIUS authentication (Windows Server 2008 R1) for wireless a while back, and recently, after installing a new AP, I am unable to authenticate using multiple notebooks, but the iPads still seem to work. I am at a loss ... because it is happening across many different types of notebooks and a wireless adapter. I have read a few different articles about this and have made some adjustments, but it does not seem to want to cooperate.

I have configured the wireless settings for the notebook to disable integrated authentication so it prompts for a user/pass every time now.

The notebook sees the SSID broadcasting and the user is a member of the group allowed that works on the iPad. I have tried with and without domain prefix. When I try to authenticate I get "Windows was unable to connect to SSID_Name".


Thoughts or resources would be appreciated.

Thanks,
Ryan
Question by:Ryan Rood
30 Comments
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39236847
Since iPads are working and PCs are not, this is most likely due to wrong client settings on the PC.
iOS devices are good at determining what authentication settings to use. Win 7 is not.

So if your network policy says that the EAP type is PEAP and the inner authentication is MSCHAPv2,
you need identical settings on Win7. Also, a typical error is that Win7 thinks it should use machine authentication, but you probably should set this to User (since iPads are on).
Or do you use both machine and user? This is set in Advanced settings on Win 7.

Also, look at Event Viewer on the NPS server (Event Viewer - Custom Views - Server Roles - Network Policy Server) and look for the error after the user has tried to log on.... The error is probably marked as an informational event, not a failure.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39237415
I second what jakob_di says... the logs are VERY informative.  All of the success and failures will be informational events - the only warnings will be related to service events and not client authentication events.

If you could post some failure logs that would be helpful.
0
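Scripted form of the log check Jakob and Craig describe above, added here as an example rather than anything a thread participant posted. It assumes it runs on the NPS server itself, that the NPS audit subcategory is enabled (the default), and that the event-data field names are the ones NPS writes into Security-log events 6272/6273/6274; the look-back default is arbitrary.

```powershell
# Added example (not from any participant): list recent NPS authentication
# results from the Security log on the NPS server. NPS records grants (6272),
# denials (6273) and discarded requests (6274) as Information-level audit
# events, so filtering Event Viewer on "Error" shows nothing.
# Assumes it runs on the NPS server with rights to read the Security log.
param(
    [int]$Hours = 2,        # look-back window; value is an assumed default
    [string]$User = ''      # optional: restrict to one account name
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 6272, 6273, 6274
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The fields that explain an 802.1X failure live in the event's XML data:
    # user, client MAC, AP (RADIUS client), matched policies, EAP type, reason.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($User -and $d['SubjectUserName'] -ne $User) { continue }

    $result = 'DISCARDED'
    if ($e.Id -eq 6272) { $result = 'GRANTED' }
    if ($e.Id -eq 6273) { $result = 'DENIED'  }

    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        Result     = $result
        User       = $d['SubjectUserName']
        ClientMAC  = $d['CallingStationID']     # wireless client's MAC address
        AP         = $d['NASIdentifier']        # the AP acting as RADIUS client
        ConnPolicy = $d['ProxyPolicyName']      # connection request policy hit
        NetPolicy  = $d['NetworkPolicyName']    # network policy hit
        AuthType   = $d['AuthenticationType']   # e.g. PEAP
        EAPType    = $d['EAPType']              # e.g. EAP-MSCHAP v2
        Reason     = $d['Reason']               # filled on 6273 / 6274
    }
}

# A GRANTED row for a notebook that still "cannot connect" points past RADIUS
# to the AP/client side (cipher, DHCP, AP firmware), which is where the
# thread ends up looking.
$rows | Sort-Object Time |
    Format-Table Time, Result, User, ClientMAC, AP, NetPolicy, AuthType, EAPType, Reason -AutoSize
```

Run it once after a failed notebook attempt and once after a successful iPad attempt; comparing the AuthType/EAPType and NetPolicy columns of the two rows shows whether the server is even seeing the same kind of request from each client.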
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39238273
Ok - I have attached the setup of the RADIUS server. All logs on the NPS look good. Every time I authenticate it says that access has been granted. So it looks like everything is working well on the server. Notebook screenshots to follow.
RADIUS-Config.png
RADIUS-Config2.png
RADIUS-Config3.png
RADIUS-Config4.png
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39238299
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39238367
Can we see the logs anyway??
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39238400
Here are two auth requests.
log1.txt
log2.txt
log3.txt
log4.txt
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39238475
I notice you have a proxy policy in the logs.  Have you configured a connection request policy?
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39239074
Jolly Good information collection :-) Thanks.

First of all, - in radius config 1 picture:
In EAP-types - remove Mschap leaving just PEAP. And also clear all "Less Secure Authentication Methods" (!)

But RADIUS has authenticated you, so the rest is up to the wireless side.
Make sure VLANs and DHCP are working. You won't get an IP until after you've authenticated, but you can be authenticated and a DHCP error will still show that you're not connected to wireless.

What wireless system do you have?
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39239273
Updated configuration as per your recommendation on both policies. Using a D-Link DWL-8600AP. No VLANs. DHCP is working if I plug into the network. Do I have to tell RADIUS anything special to pass to DHCP? DHCP is actually on the same server.
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39239293
nope --- The AP will only allow L2 authentication traffic to the station until it's successfully authenticated. Then it will hand it over to L3 and DHCP and IP ...

This might look like an AP error ---

try upgrading firmware: http://www.dlink.com/us/en/support/faq/access-points-and-range-extenders/access-points/dwl-series/how-to-upgrade-the-firmware-on-the-dwl-8600ap-managed

here's a delightful TFTP server for your PC ... <3: http://tftpd32.jounin.net/tftpd32_download.html
0
 
LVL 20

Expert Comment

by:Jakob Digranes
ID: 39239308
take a look at page 26 here: http://www.dlink.com/-/media/Business_Products/DWL/DWL%208600AP/Manual/DWL_8600AP_Manual_v3_00_EN_US.pdf
What does the client association page say??
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39239311
...just take it back a little... If the iPads work it's less likely to be an AP firmware issue. Obviously I wouldn't rule it out, but it doesn't make sense for it to be ok with some devices and not others.

Are there any logs on the AP?

Do you have WPA and WPA2 enabled on the AP?  If so, do you have AES enabled for use with WPA, and TKIP enabled for use with WPA2?

Lots of clients don't like to use WPA with AES, or WPA2 with TKIP.  This can cause problems with traffic post-authentication.
0
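A client-side counterpart to the server-side log check, covering both Jakob's point about the Win7 profile (PEAP/MSCHAPv2, user versus machine authentication) and Craig's point about the cipher (AES versus TKIP). It is an added example, not code from anyone in the thread; it assumes a Windows 7 or later client where `netsh wlan` is available, and `SSID_Name` is the placeholder from the question.

```powershell
# Added example, not from the thread: dump the 802.1X-relevant settings of a
# saved Windows wireless profile so they can be compared against the NPS
# network policy. Assumes "netsh wlan" is available (Windows 7 and later).
param([string]$SsidName = 'SSID_Name')   # placeholder profile name from the question

$tmp = Join-Path $env:TEMP 'wlan-profile-check'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
# netsh writes "<interface name>-<profile name>.xml" into the folder.
netsh wlan export profile name="$SsidName" folder="$tmp" | Out-Null
$file = Get-ChildItem $tmp -Filter "*-$SsidName.xml" | Select-Object -First 1
if (-not $file) { throw "profile '$SsidName' not found or export failed" }

[xml]$p = Get-Content $file.FullName
# PowerShell's XML adapter resolves child elements by local name, so the
# profile's several namespaces do not get in the way here.
$sec  = $p.WLANProfile.MSM.security
$auth = $sec.authEncryption.authentication   # WPA2 expected for WPA2-Enterprise
$enc  = $sec.authEncryption.encryption       # AES expected; TKIP is the red flag
$onex = $sec.OneX

# Elements that carry an xmlns attribute come back as XmlElement, not string.
function Text($n) { if ($n -is [string]) { $n } else { $n.InnerText } }
$mode  = Text $onex.authMode                                             # user / machine / machineOrUser
$eap   = Text $onex.EAPConfig.EapHostConfig.EapMethod.Type               # 25 = PEAP, 13 = EAP-TLS
$inner = Text $onex.EAPConfig.EapHostConfig.Config.Eap.EapType.Eap.Type  # 26 = EAP-MSCHAP v2 inside PEAP

"Profile        : $SsidName"
"Authentication : $auth / $enc"
"802.1X mode    : $mode"
"Outer EAP type : $eap  (25 = PEAP, 13 = EAP-TLS)"
"Inner EAP type : $inner (26 = EAP-MSCHAP v2)"

# The mismatches the thread points at: TKIP under WPA2, machine-only
# authentication against a user-only policy, and an outer EAP type that
# differs from the one configured in the NPS network policy.
if ($enc -eq 'TKIP')    { Write-Warning 'WPA2 with TKIP: many clients fail after auth; use AES' }
if ($mode -eq 'machine') { Write-Warning 'profile uses machine auth only; NPS policy must allow it' }
if ($eap -ne '25')      { Write-Warning 'outer EAP is not PEAP; check the EAP type in the NPS policy' }
```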
 
LVL 20

Assisted Solution

by:Jakob Digranes
Jakob Digranes earned 250 total points
ID: 39239326
ahh ... iPads working ... was looking for that info, but couldn't find it.
agree - most likely not AP issue then .... (argh -- *$$!!**)
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39239417
Firmware is current at "4.1.0.11".

I don't readily see any logs ... it does have an SSH console, but nothing aside from technical logging ... not to monitor things like wireless connections.

I have WPA2, TKIP and AES enabled (and enable pre-authentication).
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39239514
Ok can you disable TKIP and try?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39239517
Also, you're not using machine authentication so you should disable pre-authentication.
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39239812
Ok - done both. Will try again tomorrow. Side note on pre-authentication, can I create a security group in AD to allow an (AD PC) to authenticate instead?
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39240627
You can create a new policy in RADIUS which uses EAP-TLS, and use the Domain Computers condition.
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39240869
Same result for the wireless ... still will not connect using WPA2 Enterprise using AES.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39240882
Ok can you verify that a client can connect successfully with NO authentication or encryption?
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39240893
Notebook connects immediately with no security on it and gets an IP Address.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39240925
So maybe there's an encryption issue.

Can you try with WPA2/AES using a preshared key?
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39240945
Connects immediately with no special configuration necessary on the notebook using WPA2.
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39241027
Sooooooo, I'm going to go out on a limb here...

There were massive problems with NPS in 2008 R1 which were fixed in R2.  This kind of behaviour was exactly what I saw with at least 5 different sites using NPS in R1.

I don't suppose you have a 2008 R2 box you can install the NPS role on to test??
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39242199
Well ... that would be very interesting wouldn't it. I suppose I could download a "test" server and setup NPS on it to see what happens.
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39248676
Ok - 2008 R2 trial installed ... NPS configured. No dice ... this is crazy. Wondering if maybe the device is just not "capable" even though it claims it is.
0
 
LVL 20

Accepted Solution

by:Jakob Digranes
Jakob Digranes earned 250 total points
ID: 39249136
can you try DOWNGRADING firmware??
0
 
LVL 45

Assisted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 39249812
+1
0
 
LVL 1

Author Comment

by:Ryan Rood
ID: 39253125
I am going to have a nice chat with Dlink today. Will advise.
0
 
LVL 1

Author Closing Comment

by:Ryan Rood
ID: 39546497
Still not resolved but I appreciate the help. I am going to try and put a new 2012 server out and see if it functions better.
0
