

Connect Tablet Running Windows 8.1 to Wireless Network Using RADIUS IAS

Posted on 2013-12-04
Medium Priority
Last Modified: 2013-12-10

I need to get a tablet running Windows 8.1 connected to our company's wireless network.  I believe I should do this using domain-user authentication.

For the RADIUS, we are using IAS on Windows 2003 R2.  Here are some of the properties about the configuration of this RADIUS server:

For Remote Access Policies:

On the Wireless Properties window, we have:

Policy conditions:
NAS-Port Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND
Windows-Groups matches "ABC\ABCWirelessUser_Sec"
Here, ABC is the domain.

For Connection Request Processing:

Connection Request Policies:

On the Use Windows authentication for all users Properties window, we have:

Policy name: Use Windows authentication for all users

Policy conditions:
Day-And-Time-Restrictions matches: "......
There are no restrictions here.

My laptop can connect to the wireless network.  I believe I am using my AD credentials to authenticate.  I also wonder if I should set the wireless settings on the tablet to be the same as on my laptop.

Here is the setup for my laptop hoping it might help you decide if authentication is via AD using a domain-user account:

On the ABC Employee Wireless Network Properties window, the laptop has:

On the Connection tab:

Name:        ABC Employee
SSID:       ABC Employee
Network type:   Access Point
Network availability:  All users

Connect automatically when this network is in range is checked.

On the Security tab, the laptop has:

Security type:  WPA-Enterprise
Encryption type: TKIP

Choose a network authentication method:
Microsoft: Protected EAP (PEAP)

Remember my credentials for this connection each time I'm logged on is checked.

On the Protected EAP Properties window, the laptop has:

Validate server certificate is NOT checked.
Select Authentication Method:
Secured password (EAP-MSCHAP v2) is selected.

On the Advanced settings window, the laptop has:
On the 802.1X settings tab:
Specify authentication mode is checked.
User or computer authentication  is selected.

I think I should add the tablet to our domain, but I do not know to which OU/Container to do so.  The ABCWirelessUser_Sec is a group in active directory.

Question by:willie0-360
LVL 35

Expert Comment

by:Ernie Beek
ID: 39697748
Is the wireless network (the airo's) by any chance managed by a WLC? I recently had issues with Windows 8.x machines not being able to connect. After an upgrade of the WLC software (so the airo's get updated as well), they were able to connect.

Author Comment

ID: 39698358

Thanks for your question.  I should have included that information in my first post.  Actually, these are standalone APs.  I updated the IOS recently since, according to my manager, Windows 8 would otherwise not get on the wireless network.

The Cisco Aironet 1240s are running c1240-k9w7-tar.124-25d.JA2.

Thanks again.

Author Comment

ID: 39698566
On the RADIUS server, this is the error message we are getting on the Event Viewer:

Type:  Warning
Event ID: 2

User username was denied access.
Fully-Qualified-User-Name=ABC/ABC/Users/Directors Office/username

NAS-Port-Type=Wireless-IEEE 802.11
NAS-Port = 1823

Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>

Policy-Name = ABC Wireless
Authentication-Type = PEAP
EAP-Type - <undetermined>

Reason-Code = 262
Reason = The supplied message is incomplete.  The signature was not verified.

ABC is the name of the domain, and ABCAP is the name of the access point.

I hope this helps someone help me get this tablet connected to the wireless network.



Author Comment

ID: 39698809
I believe the problem is that Windows 8 is trying to validate the server certificate, and we are not using one.  

I do not have the tablet with me since the owner is currently working from home with it, but as soon as I get it, if I do, I will test this.  I will let you know how it goes.


Author Comment

ID: 39699358
I would say I found the solution.  The only difference is that this is on a laptop and not the tablet I indicated in my first post.  However, since both are running Windows 8, I believe this same solution applies.

There were two problems.  One was that I needed to disable the validation of the certificate, and the second one was that I needed to edit the AD profile of the user (the person trying to get access to the wireless network) and, in the Dial-in tab, tick Allow access.

To disable the validation of server certificate:

Right click on SSID you want to connect in the list of wireless networks -> SSID Wireless -> Security tab -> Settings (next to Choose a network authentication method) -> Untick Validate server certificate, untick Enable Fast Reconnect.

To edit the user's profile in AD:

Go to the user’s AD profile, in the Dial-in tab, inside the Remote Access Permission (Dial-in or VPN) section, tick Allow access.

This was my solution to allow Windows 8, running on a laptop, to connect wirelessly.  I will apply these same settings on the tablet as soon as I get a chance.

I will post with an  update.
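
The workaround above unticks "Validate server certificate", which means the client no longer authenticates the RADIUS server before the PEAP/MS-CHAP v2 exchange. The following is an added example, not part of the original thread: a Python audit of wireless profiles exported with `netsh wlan export profile` that flags that setting, along with TKIP. The sample profile is constructed and abridged, and the element names it checks (`useOneX`, `PerformServerValidation`, `TrustedRootCA`, `ServerNames`, `encryption`) are assumed to follow the layout of such exported files.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged sample in the layout of a `netsh wlan export profile`
# file; the values mirror the laptop settings listed in the thread.
SAMPLE_PROFILE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>ABC Employee</name>
  <MSM><security>
    <authEncryption>
      <authentication>WPA</authentication>
      <encryption>TKIP</encryption>
      <useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><PeapExtensions>
        <PerformServerValidation>false</PerformServerValidation>
      </PeapExtensions></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def fields(xml_text):
    """Map local element name -> list of text values, ignoring namespaces."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        text = (el.text or "").strip()
        if text:
            found.setdefault(el.tag.rsplit("}", 1)[-1], []).append(text)
    return found


def audit_profile(xml_text):
    """Return findings for one exported profile (empty list = nothing flagged)."""
    f = fields(xml_text)
    findings = []
    if "true" in f.get("useOneX", []):  # 802.1X (Enterprise) profile
        if "false" in f.get("PerformServerValidation", []):
            # "Validate server certificate" is unticked: the RADIUS server is
            # not authenticated before the MS-CHAP v2 exchange.
            findings.append("server-validation-disabled")
        elif not (f.get("TrustedRootCA") or f.get("ServerNames")):
            # Validation is on but not pinned to a CA or server name.
            findings.append("no-trusted-root-or-server-name")
    if "TKIP" in f.get("encryption", []):
        findings.append("tkip-encryption")
    return findings


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```
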

LVL 35

Accepted Solution

Ernie Beek earned 2000 total points
ID: 39699388
Ok, you're already getting there I see :)

One thing though, if you tick the Allow access, you override the NPS/IAS policy. Not sure if you want that.

I think disabling the certificate check should be enough:

Author Comment

ID: 39699503

I would not want to overwrite the NPS/IAS policy.  However, when I disabled the certificate check, the laptop still did not connect to the wireless network.

From the RADIUS server, this is the error I saw in the logs after disabling the certificate check:

Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.

By doing what I did, the laptop was able to connect to the wireless network.

Now, this is just happening with Windows 8.  All others are on Windows 7, and editing the user's AD profile is not necessary.

Do you think it might be something related to the combination of Windows 8 as client and a RADIUS server running on Windows 2003 R2?

What kind of impact would overwriting the NPS/IAS policy bring?

LVL 35

Expert Comment

by:Ernie Beek
ID: 39699518
Been re-reading your question......

The tablet (or was it a laptop?) is not joined to the domain? So the user you use to log on to it isn't a domain user?

Author Comment

ID: 39699563

It was first a tablet, and then a laptop was thrown in.  Both are running Windows 8.  I got the laptop to connect to the wireless network as indicated above.  Regarding the tablet, its owner is using it at this moment, and I do not know when I will get to work on it again.

Both, the laptop and tablet, are in the domain as well as the users.  


Author Comment

ID: 39699828

I went to the user’s AD profile, in the Dial-in tab, inside the Remote Access Permission (Dial-in or VPN) section, I switched

Allow access

and replaced it by

Control access through Remote Access Policy

This is for the laptop's user.  When I first went to the Dial-in tab, the Remote Access Permission (Dial-in or VPN) section had

Deny access

ticked.  I then changed it to

Allow access

but following your suggestion, I switched to

Control access through Remote Access Policy

and the laptop, running Windows 8, connects to the wireless network.

Thanks for that.  I believe sometime next week, I will be able to work on the tablet, and that will complete this work.

LVL 47

Expert Comment

by:Craig Beck
ID: 39702046
Just one question here...

Have you registered the IAS service in AD?  If you have, the "Control access through Remote Access Policy" should be selected automatically.

If you haven't done this, try it before you edit any user account properties.

Author Comment

ID: 39702718
Hello craigbeck:

Yes, the IAS service is registered in AD.  Actually, that is the one you helped me get working on a different question.  

The problem with this user was that in the Dial-in tab, the Deny access was chosen.  I then selected Allow access.  Later, after ernibeek's suggestion, I tried Control access through Remote Access Policy, and it still connects to the wireless network.

I will follow the same path once I get a chance to work on the tablet.


Author Comment

ID: 39710375
I have not gotten the tablet back.  However, since it is running Windows 8 as well as the laptop that we got working, I think it is safe to say that this solution would also apply to the tablet.  After all, Windows 8 is Windows 8 no matter where.

If I am allowed, I will give an update on this.

Thanks for your support.


Question has a verified solution.
