Solved

Sonicwall WPA-EAP, RADIUS and IAS on Server 2003

Posted on 2014-04-16
Last Modified: 2014-05-07
We have a TZ-105W and are having zero luck getting wireless RADIUS to communicate with our 2003 server.  We have followed all the instructions as per
http://www.sonicwall.com/us/en/support/2213.html?fuzeurl=http://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7074&SearchType=advanced&referrer=&status=&rfield=&sortmethod=rel&usertype=&formaction=search&subcats=True&keyword=Forward+original+host+header+instead+of+the+actual+one&CatID3=461&match=or
to the best of our ability since there are no guides for the newer OS versions.  We are running the latest 5.9.0.3-117o.

We have WLAN bridged to X0 (LAN) and allowed all traffic from the WLAN to LAN in the firewall settings.  I can confirm that if we change the wireless security to WPA-PSK it works perfectly and the Windows 7 machine has no issues connecting to the network.  When we use WPA-EAP or any of the other EAP versions, there's zero communications to the 2003 server.  The only thing that I can see is in the Sonicwall logs is one ID 518 with an authentication from our client to the SSID radio through the WLAN 802.11 management.

I can confirm that the VPN through RADIUS is working perfectly so it definitely is not an issue with the Sonicwall communicating with the server.  We don't have any defined NAT policies other than the defaults right now but since it works with WPA-PSK I don't think it has anything to do with the NAT policies either.

Any suggestions or stories that this is indeed supported would be appreciated.
Question by: convergint

10 Comments

Expert Comment by: Craig Beck (LVL 45), ID: 40006144

Author Comment by: convergint (LVL 10), ID: 40006881
Like I mentioned above, that link is the exact same one we have followed.  And as stated before, there's no IAS events on the server except from our HP wireless access points which are working perfectly with RADIUS and IAS.

Expert Comment by: Craig Beck (LVL 45), ID: 40007111
Apologies - the link I posted is different from the one you posted, but it seems that it redirects to your original article for some reason.

The page I wanted you to see is...

http://www.sonicwall.com/us/en/support/2213.html?fuzeurl=http://www.fuzeqna.com/sonicwallkb/ext/kbdetail.asp?kbid=6958

If there's nothing in the system log the SonicWall/APs aren't trying to do RADIUS authentication or the RADIUS packet isn't getting to the IAS from the SonicWall/APs.

If packets were getting to the IAS but the configuration was wrong at the IAS you'd see something like "A RADIUS message was received from the invalid. RADIUS client IP address xxx.xxx.xxx.xxx" in the system log if the RADIUS client was unknown or misconfigured, or some other error if the configuration was bad at the IAS side.
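
Craig's point above (either RADIUS requests reach IAS, in which case IAS logs something, or they never leave the SonicWall) can be checked from a packet capture on the server rather than from the SonicWall log alone. The following is an added example, not code from the thread or from SonicWall: a minimal RFC 2865 Access-Request parser that reports the NAS-IP-Address and whether a request carries EAP-Message (802.1X/WPA-EAP, the failing case) or a plain User-Password (PAP, the kind of request the working VPN login produces). The sample packets are constructed inline and the NAS address 192.0.2.1 is a placeholder.

```python
import struct

# RADIUS constants from RFC 2865 / RFC 3579 (added example, not code from the thread)
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 2, 4, 79, 80

def parse_radius(pkt: bytes) -> dict:
    """Split a RADIUS datagram into header fields and a list of (type, value) attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("Length field %d disagrees with datagram size %d" % (length, len(pkt)))
    attrs, pos = [], 20
    while pos < length:  # each attribute is Type(1) Length(1) Value(Length-2)
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def classify_request(pkt: bytes) -> dict:
    """Report which NAS sent the request and which authentication style it carries."""
    p = parse_radius(pkt)
    types = {t for t, _ in p["attrs"]}
    nas_ip = next((".".join(map(str, v)) for t, v in p["attrs"]
                   if t == NAS_IP_ADDRESS and len(v) == 4), None)
    if p["code"] != ACCESS_REQUEST:
        method = "not-an-access-request"
    elif EAP_MESSAGE in types:
        method = "eap"  # 802.1X / WPA-EAP: the NAS relays EAP and must add Message-Authenticator
    elif USER_PASSWORD in types:
        method = "pap"  # plain User-Password, what a VPN RADIUS login typically sends
    else:
        method = "unknown"
    return {"nas_ip": nas_ip, "method": method, "message_authenticator": MESSAGE_AUTHENTICATOR in types}

def build_request(ident: int, attrs: list) -> bytes:
    # Constructed Access-Request for testing; the 16-byte Request Authenticator is zeroed, not random.
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body

# Constructed samples: an 802.1X request (EAP-Response/Identity "user") and a PAP request.
NAS = bytes([192, 0, 2, 1])  # placeholder NAS address, not the poster's
EAP_IDENTITY = bytes([2, 1, 0, 9, 1]) + b"user"  # EAP code 2 (Response), id 1, length 9, type 1
WPA_EAP_PKT = build_request(7, [(USER_NAME, b"user"), (NAS_IP_ADDRESS, NAS),
                                (EAP_MESSAGE, EAP_IDENTITY), (MESSAGE_AUTHENTICATOR, bytes(16))])
VPN_PAP_PKT = build_request(8, [(USER_NAME, b"user"), (NAS_IP_ADDRESS, NAS), (USER_PASSWORD, bytes(16))])
```

Run `classify_request` over the UDP payloads of a capture on the IAS server's RADIUS port: seeing only "pap" requests from the SonicWall while the wireless client is mid-association means the 802.1X request never left the firewall, which is the gap the thread is chasing.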

Author Comment by: convergint (LVL 10), ID: 40008002
Like I said earlier, Sonicwall VPN with RADIUS authentication works perfectly, I can see the IAS logs on our server along with the RADIUS tests done from the built in Sonicwall webpage.

It just looks like the client is connecting to the Sonicwall with authentication details and the Sonicwall is basically ignoring them and not passing them onto the RADIUS server.  It would be nice to have some kind of descriptive log from either the server or Sonicwall but we get a generic Sonicwall log event for the ID 518 when the client sends the authentication to the Sonicwall.

So we know that the client is trying to connect to the Sonicwall wirelessly with WPA-EAP, we also know that it connects perfectly with WPA-PSK (therefore there is no firewall/NAT blocking), and we know the Sonicwall can communicate to the server through IAS RADIUS.  It's just a piece missing in the middle.

Expert Comment by: Craig Beck (LVL 45), ID: 40008296
"we also know that it connects perfectly with WPA-PSK (therefore there is no firewall/NAT blocking)"

Hmmm, why do you say that? WPA-PSK doesn't use RADIUS so that's irrelevant.

Can you post some screenshots of the WLAN config please?

Author Comment by: convergint (LVL 10), ID: 40018196
It's totally relevant as it means that there's no firewall rules blocking traffic from the WLAN to LAN.  If there were rules blocking traffic that would normally explain why there's no RADIUS requests hitting the RADIUS server.

I'll have to turn the Sonicwall back on to get the screenshots but we've checked it many times to compare it to the Sonicwall setup instructions.

Expert Comment by: Craig Beck (LVL 45), ID: 40024731
Ok I see where you're coming from now.

Expert Comment by: Craig Beck (LVL 45), ID: 40024732
The SonicWall will only forward RADIUS messages to/from the client and RADIUS server.  If the client doesn't try to initiate a connection using the desired credentials/protocol you might not see anything in the log.

Accepted Solution by: convergint (LVL 10, earned 0 total points), ID: 40038856
Well, we spent half a day with a Sonicwall technician and they couldn't get it to work either, but they wouldn't acknowledge it was a problem with their device/firmware either.  They say that somehow our 1000+ fleet of Windows 7 Dell Latitude laptops have problems with RADIUS authentication.  I guess that since the laptops all work perfectly with EnGenius, Cisco and HP RADIUS wireless authentication, these vendors must be implementing non-standard RADIUS protocols (insert rolling eyes here).

I guess it'll be back to using the HP wireless access points that work perfectly with any laptop.  You just lost a bunch of business Sonicwall......

Author Closing Comment by: convergint (LVL 10), ID: 40046628
Unable to resolve through many channels.