convergint

Sonicwall WPA-EAP, RADIUS and IAS on Server 2003

We have a TZ-105W and are having zero luck getting wireless RADIUS to communicate with our 2003 server.  We have followed all the instructions as per
http://www.sonicwall.com/us/en/support/2213.html?fuzeurl=http://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=7074&SearchType=advanced&referrer=&status=&rfield=&sortmethod=rel&usertype=&formaction=search&subcats=True&keyword=Forward+original+host+header+instead+of+the+actual+one&CatID3=461&match=or
to the best of our ability since there are no guides for the newer OS versions.  We are running the latest 5.9.0.3-117o.

We have WLAN bridged to X0 (LAN) and allowed all traffic from the WLAN to LAN in the firewall settings.  I can confirm that if we change the wireless security to WPA-PSK it works perfectly and the Windows 7 machine has no issues connecting to the network.  When we use WPA-EAP or any of the other EAP versions, there's zero communication to the 2003 server.  The only thing that I can see in the Sonicwall logs is one ID 518 with an authentication from our client to the SSID radio through the WLAN 802.11 management.

I can confirm that the VPN through RADIUS is working perfectly so it definitely is not an issue with the Sonicwall communicating with the server.  We don't have any defined NAT policies other than the defaults right now but since it works with WPA-PSK I don't think it has anything to do with the NAT policies either.

Any suggestions or stories that this is indeed supported would be appreciated.
Craig Beck

ASKER

Like I mentioned above, that link is the exact same one we have followed.  And as stated before, there are no IAS events on the server except from our HP wireless access points, which are working perfectly with RADIUS and IAS.

Apologies - The link I posted is a different link to the one you posted but it seems that the link redirects to your original article for some reason.

The page I wanted you to see is...

http://www.sonicwall.com/us/en/support/2213.html?fuzeurl=http://www.fuzeqna.com/sonicwallkb/ext/kbdetail.asp?kbid=6958

If there's nothing in the system log the SonicWall/APs aren't trying to do RADIUS authentication or the RADIUS packet isn't getting to the IAS from the SonicWall/APs.

If packets were getting to the IAS but the configuration was wrong at the IAS you'd see something like "A RADIUS message was received from the invalid RADIUS client IP address xxx.xxx.xxx.xxx" in the system log if the RADIUS client was unknown or misconfigured, or some other error if the configuration was bad at the IAS side.
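The check described in the post above, whether RADIUS packets from the SonicWall reach the IAS server at all, can also be made on UDP payloads captured on the server's RADIUS authentication port (1812, or legacy 1645). The following is an added example, not part of the original thread: it parses a payload per RFC 2865 and reports whether an Access-Request carries an EAP-Message attribute (as a WPA-EAP request would) or a User-Password attribute. The sample packets, the 192.0.2.1 NAS address and all function names are constructed for illustration.

```python
import socket
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, USER_PASSWORD, NAS_IP, NAS_PORT_TYPE, EAP_MESSAGE = 1, 2, 4, 61, 79
WIRELESS_802_11 = struct.pack("!I", 19)  # NAS-Port-Type value for 802.11


def parse_radius(payload: bytes) -> dict:
    """Parse one RADIUS UDP payload: 20-byte header, then type/length/value attributes."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field does not match the payload")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or payload[pos + 1] < 2 or pos + payload[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = payload[pos], payload[pos + 1]
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return {"code": CODES.get(code, str(code)), "id": ident, "attrs": attrs}


def classify(payload: bytes) -> str:
    """Say whether a request is EAP (802.1X) or password-based, and which NAS sent it."""
    pkt = parse_radius(payload)
    if pkt["code"] != "Access-Request":
        return pkt["code"]
    attrs = pkt["attrs"]
    raw = attrs.get(NAS_IP, [b""])[0]
    nas = socket.inet_ntoa(raw) if len(raw) == 4 else "unknown"
    kind = "EAP" if EAP_MESSAGE in attrs else "password" if USER_PASSWORD in attrs else "other"
    wireless = attrs.get(NAS_PORT_TYPE, [b""])[0] == WIRELESS_802_11
    return f"Access-Request {kind} from NAS {nas}" + (" (wireless)" if wireless else "")


def build_request(attrs) -> bytes:
    """Build a constructed Access-Request (zeroed authenticator) for the samples below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body


NAS = socket.inet_aton("192.0.2.1")  # constructed NAS address (documentation range)
# Constructed sample: 802.1X request carrying an EAP-Response/Identity for "alice".
SAMPLE_EAP = build_request([(USER_NAME, b"alice"), (NAS_IP, NAS),
                            (NAS_PORT_TYPE, WIRELESS_802_11),
                            (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")])
# Constructed sample: password-based request (placeholder 16-byte hidden password).
SAMPLE_PASSWORD = build_request([(USER_NAME, b"alice"), (USER_PASSWORD, bytes(16)), (NAS_IP, NAS)])
```

If only password-based requests from the firewall ever show up in a capture, the wireless side is not generating RADIUS traffic, which matches the empty IAS log described in the thread.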
Like I said earlier, Sonicwall VPN with RADIUS authentication works perfectly; I can see the IAS logs on our server along with the RADIUS tests done from the built-in Sonicwall webpage.

It just looks like the client is connecting to the Sonicwall with authentication details and the Sonicwall is basically ignoring them and not passing them on to the RADIUS server.  It would be nice to have some kind of descriptive log from either the server or Sonicwall but we get a generic Sonicwall log event for the ID 518 when the client sends the authentication to the Sonicwall.

So we know that the client is trying to connect to the Sonicwall wirelessly with WPA-EAP, we also know that it connects perfectly with WPA-PSK (therefore there is no firewall/NAT blocking), and we know the Sonicwall can communicate to the server through IAS RADIUS.  It's just a piece missing in the middle.

"we also know that it connects perfectly with WPA-PSK (therefore there is no firewall/NAT blocking)"

Hmmm, why do you say that? WPA-PSK doesn't use RADIUS so that's irrelevant.

Can you post some screenshots of the WLAN config please?

It's totally relevant as it means that there are no firewall rules blocking traffic from the WLAN to LAN.  If there were rules blocking traffic that would normally explain why there are no RADIUS requests hitting the RADIUS server.

I'll have to turn the Sonicwall back on to get the screenshots but we've checked it many times to compare it to the Sonicwall setup instructions.

Ok I see where you're coming from now.
The SonicWall will only forward RADIUS messages to/from the client and RADIUS server.  If the client doesn't try to initiate a connection using the desired credentials/protocol you might not see anything in the log.
ASKER CERTIFIED SOLUTION
Unable to resolve through many channels.