Solved

Connect Tablet Running Windows 8.1 to Wireless Network Using RADIUS IAS

Posted on 2013-12-04
Last Modified: 2013-12-10

I need to get a tablet running Windows 8.1 connected to our company's wireless network.  I believe I should do this using domain-user authentication.

For the RADIUS, we are using IAS on Windows 2003 R2.  Here are some of the properties about the configuration of this RADIUS server:


For Remote Access Policies:

On the Wireless Properties window, we have:

Policy conditions:
NAS-Port Type matches "Wireless - Other OR Wireless - IEEE 802.11" AND
Windows-Groups matches "ABC\ABCWirelessUser_Sec"
Here, ABC is the domain.



For Connection Request Processing:

Connection Request Policies:

On the Use Windows authentication for all users Properties window, we have:

Policy name: Use Windows authentication for all users

Policy conditions:
Day-And-Time-Restrictions matches: "......
There are no restrictions here.



My laptop can connect to the wireless network.  I believe I am using my AD credentials to authenticate.  I also wonder if I should set the wireless settings on the tablet to be the same as on my laptop.



Here is the setup for my laptop hoping it might help you decide if authentication is via AD using a domain-user account:

On the ABC Employee Wireless Network Properties window, the laptop has:

On the Connection tab:

Name:        ABC Employee
SSID:       ABC Employee
Network type:   Access Point
Network availability:  All users

Connect automatically when this network is in range is checked.



On the Security tab, the laptop has:

Security type:  WPA-Enterprise
Encryption type: TKIP

Choose a network authentication method:
Microsoft: Protected EAP (PEAP)

Remember my credentials for this connection each time I'm logged on is checked.


On the Protected EAP Properties window, the laptop has:

Validate server certificate is NOT checked.
Select Authentication Method:
Secured password (EAP-MSCHAP v2) is selected.


On the Advanced settings window, the laptop has:
On the 802.1X settings tab:
Specify authentication mode is checked.
User or computer authentication  is selected.

I think I should add the tablet to our domain, but I do not know to which OU/Container to do so.  The ABCWirelessUser_Sec is a group in active directory.

Thanks.
--Willie
Question by:willie0-360
13 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39697748
Is the wireless network (the airo's) by any chance managed by a WLC? I recently had issues with Windows 8.x machines not being able to connect. After an upgrade of the WLC software (so the airo's get updated as well), they were able to connect.
0
 

Author Comment

by:willie0-360
ID: 39698358
erniebeek:

Thanks for your question.  I should have included that information in my first post.  Actually, these are standalone APs.  I updated the IOS recently since, according to my manager, Windows 8 would otherwise not get on the wireless network.

The Cisco Aironet 1240s are running c1240-k9w7-tar.124-25d.JA2.


Thanks again.
--Willie
0
 

Author Comment

by:willie0-360
ID: 39698566
On the RADIUS server, this is the error message we are getting on the Event Viewer:

Event:
Type:  Warning
Event ID: 2

User username was denied access.
Fully-Qualified-User-Name=ABC/ABC/Users/Directors Office/username
NAS-IP-Address=192.168.2.247

NAS-Identifier=ABCAP
NAS-Port-Type=Wireless-IEEE 802.11
NAS-Port = 1823

Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>

Policy-Name = ABC Wireless
Authentication-Type = PEAP
EAP-Type - <undetermined>

Reason-Code = 262
Reason = The supplied message is incomplete.  The signature was not verified.

ABC is the name of the domain, and ABCAP is the name of the access point.

I hope this helps anyone help me to get this tablet connected to the wireless network.

Thanks.
--Willie
0
 

Author Comment

by:willie0-360
ID: 39698809
I believe the problem is that Windows 8 is trying to validate the server certificate, and we are not using one.  

I do not have the tablet with me since the owner is currently working from home with it, but as soon as I get it, if I do, I will test this.  I will let you know how it goes.


Thanks.
--Willie
0
 

Author Comment

by:willie0-360
ID: 39699358
I would say I found the solution.  The only difference is that this is on a laptop and not the tablet I indicated in my first post.  However, since both are running Windows 8, I believe this same solution applies.

There were two problems.  One was that I needed to disable the validation of the certificate, and the second one is that I needed to edit the user's, the person trying to get access to the wireless network, AD profile and in the Dial-in tab, tick Allow access.

To disable the validation of server certificate:

Right click on SSID you want to connect in the list of wireless networks -> SSID Wireless -> Security tab -> Settings (next to Choose a network authentication method) -> Untick Validate server certificate, untick Enable Fast Reconnect.

To edit the user's profile in AD:

Go to the user’s AD profile, in the Dial-in tab, inside the Remote Access Permission (Dial-in or VPN) section, tick Allow access.

This was my solution to allow Windows 8, running on a laptop, to connect wirelessly.  I will apply these same settings on the tablet as soon as I get a chance.

I will post with an  update.


Thanks.
--Willie
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 39699388
Ok, you're already getting there I see :)

One thing though, if you tick the Allow access, you override the NPS/IAS policy. Not sure if you want that.

I think disabling the certificate check should be enough:
http://support.microsoft.com/kb/838502/en-us
0

 

Author Comment

by:willie0-360
ID: 39699503
erniebeek:

I would not want to overwrite the NPS/IAS policy.  However, when I disabled the certificate check, the laptop still did not connect to the wireless network.

From the RADIUS server, this is the error I saw in the logs after disabling the certificate check:

Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied. To allow remote access, enable remote access permission for the user account, or, if the user account specifies that access is controlled through the matching remote access policy, enable remote access permission for that remote access policy.


By doing what I did, the laptop was able to connect to the wireless network.

Now, this is just happening with Windows 8.  All others are on Windows 7, and editing the user's AD profile is not necessary.

Do you think it might be something related to the combination of Windows 8 as client and a RADIUS server running on Windows 2003 R2?

What kind of impact would overwriting the NPS/IAS policy bring?

Thanks.
--Willie
0
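
An added example, not part of any post in this thread: a small Python triage helper that parses the IAS event text quoted in the posts above and attaches what the thread found for Reason-Code 262 and Reason-Code 65. The function names, the wording of the notes and the sample events are assumptions constructed for illustration.

```python
import re

# Notes keyed by Reason-Code, summarising what this thread found (not an
# official Microsoft list); any other code gets the fallback text.
THREAD_NOTES = {
    262: "PEAP exchange did not complete; the thread's author traced it to "
         "the client's 'Validate server certificate' setting.",
    65: "Account's Dial-in tab denies remote access; 'Control access through "
        "Remote Access Policy' leaves the decision to the IAS policy.",
}

# Attribute lines appear as 'Name=value', 'Name = value' or 'Name - value'.
ATTR_RE = re.compile(r"^\s*([A-Za-z][A-Za-z-]*?)\s*(?:=|\s-\s)\s*(.*?)\s*$")

def parse_event(text):
    """Return the attribute lines of one IAS event description as a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def triage(text):
    """Summarise one denied-access event: who, where, which policy, why."""
    attrs = parse_event(text)
    raw = attrs.get("Reason-Code", "")
    code = int(raw) if raw.isdigit() else None
    return {
        "user": attrs.get("Fully-Qualified-User-Name"),
        "nas": attrs.get("NAS-Identifier"),
        "policy": attrs.get("Policy-Name"),
        "reason_code": code,
        "note": THREAD_NOTES.get(code, "no note from this thread"),
    }

# Constructed samples in the layout of the events quoted in the thread.
EVENT_262 = """User username was denied access.
Fully-Qualified-User-Name=ABC/ABC/Users/Directors Office/username
NAS-Identifier=ABCAP
NAS-Port = 1823
Policy-Name = ABC Wireless
EAP-Type - <undetermined>
Reason-Code = 262
Reason = The supplied message is incomplete.  The signature was not verified."""

EVENT_65 = """Policy-Name = ABC Wireless
Reason-Code = 65
Reason = The connection attempt failed because remote access permission for the user account was denied."""

if __name__ == "__main__":
    for event in (EVENT_262, EVENT_65):
        print(triage(event))
```
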
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 39699518
Been re-reading your question......

The tablet (or was it a laptop?) is not joined to the domain? So the user you use to log on to it isn't a domain user?
0
 

Author Comment

by:willie0-360
ID: 39699563
erniebeek:

It was first a tablet, and then a laptop was thrown in.  Both are running Windows 8.  I got the laptop to connect to the wireless network as indicated above.  Regarding the tablet, its owner is using it at this moment, and I do not know when I will get to work on it again.

Both, the laptop and tablet, are in the domain as well as the users.  


Thanks.
--Willie
0
 

Author Comment

by:willie0-360
ID: 39699828
erniebeek:

I went to the user’s AD profile, in the Dial-in tab, inside the Remote Access Permission (Dial-in or VPN) section, I switched

Allow access

and replaced it by

Control access through Remote Access Policy

This is for the laptop's user.  When I first went to the Dial-in tab, the Remote Access Permission (Dial-in or VPN) section had

Deny access

ticked.  I then changed it to

Allow access

but following your suggestion, I switched to

Control access through Remote Access Policy

and the laptop, running Windows 8, connects to the wireless network.

Thanks for that.  I believe sometime next week, I will be able to work on the tablet, and that will complete this work.


--Willie
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39702046
Just one question here...

Have you registered the IAS service in AD?  If you have, the "Control access through Remote Access Policy" should be selected automatically.

If you haven't done this, try it before you edit any user account properties.
0
 

Author Comment

by:willie0-360
ID: 39702718
Hello craigbeck:

Yes, the IAS service is registered in AD.  Actually, that is the one you helped me get working on a different question.  

The problem with this user was that in the Dial-in tab, the Deny access was chosen.  I then selected Allow access.  Later, after erniebeek's suggestion, I tried Control access through Remote Access Policy, and it still connects to the wireless network.

I will follow the same path once I get a chance to work on the tablet.

Thanks.
--Willie
0
 

Author Comment

by:willie0-360
ID: 39710375
I have not gotten the tablet back.  However, since it is running Windows 8 as well as the laptop that we got working, I think it is safe to say that this solution would also apply to the tablet.  After all, Windows 8 is Windows 8 no matter where.

If I am allowed, I will give an update on this.

Thanks for your support.
--Willie
0
