techsolve1


Cisco 2504 Authentication with Radius Server 2012R2

Hi

I'm trying to get a Cisco 2504 WLC to authenticate with Server 2012 R2 as a RADIUS server.

I'm not having much luck!

Any links or setup guides would be much appreciated.

Thanks in advance
ASKER CERTIFIED SOLUTION
Craig Beck
techsolve1

ASKER

Hi Craig Beck

Below is an auth error from Event Viewer. It's a new domain and we are trying to connect with a laptop that is not part of the domain; would this be the reason for this error?

What we want to enable is non-domain members authenticating to the domain with their domain user accounts, i.e. for iPads, smartphones etc.

System
  Provider: Name = Microsoft-Windows-Security-Auditing, Guid = {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID: 6273
  Version: 1
  Level: 0
  Task: 12552
  Opcode: 0
  Keywords: 0x8010000000000000
  TimeCreated: SystemTime = 2014-07-14T18:28:50.465328500Z
  EventRecordID: 12385
  Correlation:
  Execution: ProcessID = 516, ThreadID = 4388
  Channel: Security
  Computer: server.server.LOCAL
  Security:

EventData
  SubjectUserSid: S-1-5-21-126271290-1760273300-628037507-500
  SubjectUserName: server\Administrator
  SubjectDomainName: server
  FullyQualifiedSubjectUserName: server.LOCAL/Users/Administrator
  SubjectMachineSID: S-1-0-0
  SubjectMachineName: -
  FullyQualifiedSubjectMachineName: -
  MachineInventory: -
  CalledStationID: 6c-fa-89-64-c0-c0:ASNM Wifi
  CallingStationID: 00-23-14-a9-1c-cc
  NASIPv4Address: 10.13.0.2
  NASIPv6Address: -
  NASIdentifier: Cisco_c7:98:24
  NASPortType: Wireless - IEEE 802.11
  NASPort: 1
  ClientName: WLC
  ClientIPAddress: 10.13.0.2
  ProxyPolicyName: Secure Wireless Connections
  NetworkPolicyName: Test2
  AuthenticationProvider: Windows
  AuthenticationServer: server.LOCAL
  AuthenticationType: PEAP
  EAPType: -
  AccountSessionIdentifier: -
  ReasonCode: 265
  Reason: The certificate chain was issued by an authority that is not trusted.
  LoggingResult: Accounting information was written to the local log file.
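As an added example (not from this thread, and not Microsoft's or Cisco's own tooling), a PowerShell script to triage NPS reject audits like the one above: it pulls Event ID 6273 from the Security log, reads the EventData fields by name and groups the rejects by ReasonCode, so a run of 265s (untrusted certificate chain on the client side) is separated from plain credential failures. It assumes it is run on the NPS server with rights to read the Security log; the reason-code texts other than 265 are assumed from Microsoft's NPS reason-code documentation and should be checked against your build.

```powershell
# Added example: summarize NPS reject audits (Event ID 6273) by ReasonCode, NAS and client MAC.
# Assumes it runs on the NPS server (or a log collector) with read access to the Security log.

param(
    [int]$Hours = 24,
    [int]$MaxEvents = 5000
)

# 265 is the code seen in the event above. The other entries are assumed from Microsoft's
# NPS reason-code list; unknown codes fall back to the Reason text carried in the event.
$ReasonText = @{
    16  = 'User credentials mismatch (bad user name or password)'
    48  = 'Connection request did not match any configured network policy'
    65  = 'Account Network Access Permission (dial-in tab) is set to Deny access'
    66  = 'Authentication method not enabled on the matching network policy'
    265 = 'Certificate chain was issued by an authority that is not trusted'
}

$filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }

$rejects = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Event 6273 stores its fields as <Data Name="..."> elements; read them by name.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $d['SubjectUserName']
            ClientMac  = $d['CallingStationID']
            Nas        = $d['NASIdentifier']
            NasIp      = $d['NASIPv4Address']
            Policy     = $d['NetworkPolicyName']
            AuthType   = $d['AuthenticationType']
            ReasonCode = [int]$d['ReasonCode']
            Reason     = $d['Reason']
        }
    }

# Counts per reason: a pile of 265s points at the server/CA certificate not being trusted
# by the clients, not at wrong passwords.
$rejects | Group-Object ReasonCode | Sort-Object Count -Descending | ForEach-Object {
    $code = [int]$_.Name
    $text = if ($ReasonText.ContainsKey($code)) { $ReasonText[$code] } else { ($_.Group | Select-Object -First 1).Reason }
    '{0,6} x reason {1}: {2}' -f $_.Count, $code, $text
}

# Detail rows for the cert-trust failures, showing which clients and which NAS are affected.
$rejects | Where-Object ReasonCode -eq 265 |
    Select-Object Time, User, ClientMac, Nas, NasIp, Policy, AuthType |
    Format-Table -AutoSize
```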
The NPS EAP certificate... Where did you get the certificate from?
I'm presuming it's the CA server cert that you are talking about? The error I'm getting is that the cert chain was issued by an authority that is not trusted.
Hi Craig Beck

I've followed your document exactly and everything has installed successfully; the install of Server 2012 is brand new.
When I try and connect, I keep getting a message "unable to find a cert to log you on to the network". When I try with a different laptop on a different domain I get a message in Event Viewer that the domain is not authenticated, which is correct, I presume.

Is there something that I am missing?

Thanks
OK, everything works fine from Windows 7 onwards, so I'm not going to use XP on the network. One question: is it an option to create a cert and get it verified by VeriSign, for example, and use it for guest users with non-domain-member laptops so they can access the internet, or is there another way of doing it?

Thanks
You need to deploy a slightly different GPO to Windows XP clients.  When you create the GPO you get an option for XP or Vista and later, so you should have 2 GPOs for Wireless clients (if you put a blanket GPO across all your devices).

Guests would usually use a captive portal so the portal would need a certificate to enable the users to log in via HTTPS web page, but the connection to the actual wireless network would not need a cert or key.
Hi, thanks for the info, much appreciated. Could you expand a bit more on the guest access option?

Thanks
Guest users would connect to a different SSID which is unencrypted and has no authentication on the wireless link itself.  You would 'grab' guest users' traffic by sending them to a captive portal either at the gateway or by using RADIUS to send them there.

There are a few appliances that can do this, or you can install a captive portal on a router running DD-WRT (for example).
Thanks for the help