  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4384

Connect Tablet Running Windows 8.1 to Wireless Network Using RADIUS IAS

Experts:

I need to get a tablet running Windows 8.1 connected to our company's wireless network.  I believe I should do this using domain-user authentication.

For the RADIUS, we are using IAS on Windows 2003 R2.  Here are some of the properties about the configuration of this RADIUS server:


For Remote Access Policies:

On the Wireless Properties window, we have:

Policy conditions:
NAS-Port Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND
Windows-Groups matches "ABC\ABCWirelessUser_Sec"
Here, ABC is the domain.



For Connection Request Processing:

Connection Request Policies:

On the Use Windows authentication for all users Properties window, we have:

Policy name: Use Windows authentication for all users

Policy conditions:
Day-And-Time-Restrictions matches: "......
There are no restrictions here.



My laptop can connect to the wireless network.  I believe I am using my AD credentials to authenticate.  I also wonder if I should set the wireless settings on the tablet to be the same as on my laptop.



Here is the setup for my laptop hoping it might help you decide if authentication is via AD using a domain-user account:

On the ABC Employee Wireless Network Properties window, the laptop has:

On the Connection tab:

Name:        ABC Employee
SSID:       ABC Employee
Network type:   Access Point
Network availability:  All users

Connect automatically when this network is in range is checked.



On the Security tab, the laptop has:

Security type:  WPA-Enterprise
Encryption type: TKIP

Choose a network authentication method:
Microsoft: Protected EAP (PEAP)

Remember my credentials for this connection each time I'm logged on is checked.


On the Protected EAP Properties window, the laptop has:

Validate server certificate is NOT checked.
Select Authentication Method:
Secured password (EAP-MSCHAP v2) is selected.


On the Advanced settings window, the laptop has:
On the 802.1X settings tab:
Specify authentication mode is checked.
User or computer authentication  is selected.

I think I should add the tablet to our domain, but I do not know to which OU/Container to do so.  The ABCWirelessUser_Sec is a group in active directory.

Thanks.
--Willie
0
Asked by: willie0-360
1 Solution
 
Ernie Beek Commented:
Is the wireless network (the airo's) by any chance managed by a WLC? I recently had issues with Windows 8.x machines not being able to connect. After an upgrade of the WLC software (so the airo's get updated as well), they were able to connect.
0
 
willie0-360 (Author) Commented:
erniebeek:

Thanks for your question.  I should have included that information in my first post.  Actually, these are standalone APs.  I updated the IOS recently since, according to my manager, Windows 8 would otherwise not get on the wireless network.

The Cisco Aironet 1240s are running c1240-k9w7-tar.124-25d.JA2.


Thanks again.
--Willie
0
 
willie0-360 (Author) Commented:
On the RADIUS server, this is the error message we are getting on the Event Viewer:

Event:
Type:  Warning
Event ID: 2

User username was denied access.
Fully-Qualified-User-Name=ABC/ABC/Users/Directors Office/username
NAS-IP-Address=192.168.2.247

NAS-Identifier=ABCAP
NAS-Port-Type=Wireless-IEEE 802.11
NAS-Port = 1823

Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>

Policy-Name = ABC Wireless
Authentication-Type = PEAP
EAP-Type - <undetermined>

Reason-Code = 262
Reason = The supplied message is incomplete.  The signature was not verified.

ABC is the name of the domain, and ABCAP is the name of the access point.

I hope this helps anyone help me to get this tablet connected to the wireless network.

Thanks.
--Willie
0
 
willie0-360 (Author) Commented:
I believe the problem is that Windows 8 is trying to validate the server certificate, and we are not using one.  

I do not have the tablet with me since the owner is currently working from home with it, but as soon as I get it, if I do, I will test this.  I will let you know how it goes.


Thanks.
--Willie
0
 
willie0-360 (Author) Commented:
I would say I found the solution.  The only difference is that this is on a laptop and not the tablet I indicated in my first post.  However, since both are running Windows 8, I believe this same solution applies.

There were two problems.  One was that I needed to disable the validation of the certificate, and the second one is that I needed to edit the user's, the person trying to get access to the wireless network, AD profile and in the Dial-in tab, tick Allow access.

To disable the validation of server certificate:

Right click on SSID you want to connect in the list of wireless networks -> SSID Wireless -> Security tab -> Settings (next to Choose a network authentication method) -> Untick Validate server certificate, untick Enable Fast Reconnect.

To edit the user's profile in AD:

Go to the user’s AD profile, in the Dial-in tab, inside the Remote Access Permission (Dial-in or VPN) section, tick Allow access.

This was my solution to allow Windows 8, running on a laptop, to connect wirelessly.  I will apply these same settings on the tablet as soon as I get a chance.

I will post with an update.


Thanks.
--Willie
0
 
Ernie Beek Commented:
Ok, you're already getting there I see :)

One thing though, if you tick the Allow access, you override the NPS/IAS policy. Not sure if you want that.

I think disabling the certificate check should be enough:
http://support.microsoft.com/kb/838502/en-us
0
 
willie0-360 (Author) Commented:
erniebeek:

I would not want to overwrite the NPS/IAS policy.  However, when I disabled the certificate check, the laptop still did not connect to the wireless network.

From the RADIUS server, this is the error I saw in the logs after disabling the certificate check:

Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.


By doing what I did, the laptop was able to connect to the wireless network.

Now, this is just happening with Windows 8.  All others are on Windows 7, and editing the user's AD profile is not necessary.

Do you think it might be something related to the combination of Windows 8 as client and a RADIUS server running on Windows 2003 R2?

What kind of impact overwriting the NPS/IAS policy would bring?  

Thanks.
--Willie
0
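An added example, not part of the original thread or any participant's post: a small Python parser for the IAS Event ID 2 text quoted above, grouping denials by user and Reason-Code and attaching what this thread found for codes 262 and 65. The sample events are constructed from the ones quoted in the thread, and the `TRIAGE` notes are this thread's findings, not an official IAS reference.

```python
import re
from collections import Counter

# Notes per Reason-Code, limited to what this thread reports (not a full IAS table).
TRIAGE = {
    262: "PEAP exchange incomplete; thread attributed it to client server-certificate validation",
    65: "AD user Dial-in tab was Deny access; thread used 'Control access through Remote Access Policy'",
}

# Constructed sample modelled on the two Event ID 2 bodies quoted in the thread.
SAMPLE = """\
User username was denied access.
Fully-Qualified-User-Name=ABC/ABC/Users/Directors Office/username
NAS-Port-Type=Wireless-IEEE 802.11

Policy-Name = ABC Wireless
EAP-Type - <undetermined>
Reason-Code = 262
Reason = The supplied message is incomplete.  The signature was not verified.
User username was denied access.
Fully-Qualified-User-Name=ABC/ABC/Users/Directors Office/username
Policy-Name = ABC Wireless
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied.
"""

# The pasted events mix "Name=value", "Name = value" and "Name - value".
FIELD = re.compile(r"^([A-Za-z]+(?:-[A-Za-z]+)*)\s*(?:=|-(?=\s))\s*(.*)$")
START = re.compile(r"^User .* was denied access\.$")

def parse_events(text):
    """Return one field dict per denial; blank lines inside an event are ignored."""
    events = []
    for line in (raw.strip() for raw in text.splitlines()):
        if START.match(line):
            events.append({})
        elif events and (m := FIELD.match(line)):
            value = m.group(2).strip()
            events[-1][m.group(1)] = None if value == "<undetermined>" else value
    return [e for e in events if e.get("Reason-Code")]

def triage(events):
    """Count denials per (user, reason code) and attach the thread's note."""
    users = [(e.get("Fully-Qualified-User-Name") or "?").rsplit("/", 1)[-1] for e in events]
    counts = Counter(zip(users, (int(e["Reason-Code"]) for e in events)))
    return [(u, c, n, TRIAGE.get(c, "not covered in this thread")) for (u, c), n in sorted(counts.items())]

if __name__ == "__main__":
    print(triage(parse_events(SAMPLE)))
```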
 
Ernie Beek Commented:
Been re-reading your question......

The tablet (or was it a laptop?) is not joined to the domain? So the user you use to log on to it isn't a domain user?
0
 
willie0-360 (Author) Commented:
erniebeek:

It was first a tablet, and then a laptop was thrown in.  Both are running Windows 8.  I got the laptop to connect to the wireless network as indicated above.  Regarding the tablet, its owner is using it at this moment, and I do not know when I will get to work on it again.

Both, the laptop and tablet, are in the domain as well as the users.  


Thanks.
--Willie
0
 
willie0-360 (Author) Commented:
erniebeek:

I went to the user’s AD profile, in the Dial-in tab, inside the Remote Access Permission (Dial-in or VPN) section, I switched

Allow access

and replaced it by

Control access through Remote Access Policy

This is for the laptop's user.  When I first went to the Dial-in tab, the Remote Access Permission (Dial-in or VPN) section had

Deny access

ticked.  I then changed it to

Allow access

but following your suggestion, I switched to

Control access through Remote Access Policy

and the laptop, running Windows 8, connects to the wireless network.

Thanks for that.  I believe sometime next week, I will be able to work on the tablet, and that will complete this work.


--Willie
0
 
Craig Beck Commented:
Just one question here...

Have you registered the IAS service in AD?  If you have, the "Control access through Remote Access Policy" should be selected automatically.

If you haven't done this, try it before you edit any user account properties.
0
 
willie0-360 (Author) Commented:
Hello craigbeck:

Yes, the IAS service is registered in AD.  Actually, that is the one you helped me get working on a different question.  

The problem with this user was that in the Dial-in tab, the Deny access was chosen.  I then selected Allow access.  Later, after erniebeek's suggestion, I tried Control access through Remote Access Policy, and it still connects to the wireless network.

I will follow the same path once I get a chance to work on the tablet.

Thanks.
--Willie
0
 
willie0-360 (Author) Commented:
I have not gotten the tablet back.  However, since it is running Windows 8 as well as the laptop that we got working, I think it is safe to say that this solution would also apply to the tablet.  After all, Windows 8 is Windows 8 no matter where.

If I am allowed, I will give an update on this.

Thanks for your support.
--Willie
0
