Solved

Cisco Wireless 561 RADIUS authentication on 2012 server

Posted on 2015-01-12
280 Views
Last Modified: 2015-03-07
I have 5 Cisco Wireless 561 APs (Small Business). They can form a cluster without a controller. I would like my users to authenticate using their Active Directory credentials. I followed some online instructions in setting up NPS, but I still can't connect to wifi using AD credentials. On the Cisco AP there is no way of testing authentication, and in the 2012 server I don't see any logs in Event Viewer of anything failing. I am not sure if I need a certificate server running on my 2012 server or not. Thank you for your help.
Question by: netcomp
7 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40546062
Check the custom logs in the event viewer on the server.

If you still can't see anything check...

1] The APs are configured to send RADIUS to the correct IP.

2] The shared secret is correct.

3] The firewall on the server is allowing RADIUS (TCP/UDP 1812 and 1813).
 
LVL 1

Author Comment

by:netcomp
ID: 40547596
Great. Under the custom logs I am now seeing the following error. On the Cisco I have the following options: WPA, WPA2, Enable pre-authentication, Cipher Suites: TKIP, CCMP (AES). What is NOT checked is WPA2 and Pre-authentication. The rest are checked. When I uncheck WPA and check WPA2, it tells me unable to join network, but when I have WPA checked and WPA2 unchecked, I get a login error (on the mobile device or computer).

The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          1/13/2015 3:32:05 PM
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      GERDC.Gelect.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  GELECT\testtest
      Account Name:                  Gelect\testtest
      Account Domain:                  GELECT
      Fully Qualified Account Name:      GELECT\testtest

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            18-9C-5D-3C-B6-C1:GERRD
      Calling Station Identifier:            78-FD-94-0C-8B-6E

NAS:
      NAS IPv4 Address:            192.168.13.50
      NAS IPv6 Address:            -
      NAS Identifier:                  -
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            WPA561B
      Client IP Address:                  192.168.13.50

Authentication Details:
      Connection Request Policy Name:      Secure Wirless WAP561
      Network Policy Name:            Secure Wirless WAP561
      Authentication Provider:            Windows
      Authentication Server:            GERDC.Gelect.local
      Authentication Type:            EAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  22
      Reason:                        The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40547709
OK have you got a certificate on your server?  If not you can't process EAP-style logins.
 
LVL 1

Author Comment

by:netcomp
ID: 40550064
No, I don't have a certificate on my server. How could I get one on there? Do I have to buy one from GoDaddy, or can it be installed on the server using the Certificate Authority program? Any help with configuring the certificate would be helpful.
On another note, management would like to know who is connecting to wifi and from what device. Is there any way to accomplish that via NPS or on the Cisco AP? Thank you,
 
LVL 45

Expert Comment

by:Craig Beck
ID: 40550083
If you have your own Certificate Authority running on your domain you can issue a cert to your NPS server (it's just a computer certificate).  That will let the NPS process EAP-style logins.  If you don't have a CA on your domain you can install a self-signed certificate on the NPS, or you can purchase a 3rd-party cert, but that will only let you use PEAP-MSChapV2, not EAP-TLS (so no computer authentication via certificate - just AD user logins).

Here's a great link to help you get things going...

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/115988-nps-wlc-config-000.html

There's a bit about Wireless LAN Controllers, but you can ignore that.

With what you've got now you 'can' pull some useful info from the logs about who is logging in to the network, but not from what device.  For that you'd need something that profiles devices upon connection, or a proper MDM solution.
 
LVL 1

Author Comment

by:netcomp
ID: 40550216
I am not sure what the difference is between certificate login (EAP-TLS) and PEAP-MSChapV2. I assume that it authenticates users based on the account that is already logged into their PC. I actually want the users to enter their username and password, because I would even use this on their mobile devices (iPhone/iPad). Do I still need to install the cert authority?
 
LVL 45

Accepted Solution

by: Craig Beck (earned 500 total points)
ID: 40550717
No, you can use a self-signed or 3rd-party cert on NPS then.

EAP-TLS is where the computer itself authenticates using a certificate from your own CA.  This is a good idea if you want computer GPOs to apply to a machine before the user logs in.

PEAP-MSChapV2 is the user/pass type where the computer doesn't get a network connection until the user logs in.
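As an added example (not from the thread or from either participant), a small Python helper that parses NPS event 6273 messages in the layout pasted earlier, maps the Reason Code to a triage hint (22, the code in this thread, points at the missing server certificate), and tallies which account tried from which client MAC via which AP, which is about as far as NPS logs alone go toward the "who and from what device" question. The sample events are constructed; account names, MACs and SSID are made up.

```python
import re
from collections import Counter

FIELDS = {  # label in the 6273 message text -> regex capturing its value
    "user": r"Fully Qualified Account Name:\s*(\S+)",   # first hit is the User: block
    "client_mac": r"Calling Station Identifier:\s*([0-9A-Fa-f-]{17})",
    "ap": r"Called Station Identifier:\s*(\S+)",        # AP MAC:SSID on these Cisco APs
    "reason_code": r"Reason Code:\s*(\d+)",
}

REASON_HINTS = {  # likely cause per NPS reason code; 22 is the one in this thread
    16: "credentials mismatch: wrong password or the account does not exist",
    22: "EAP type cannot be processed: no server certificate bound to PEAP on NPS, or the EAP type the client offers is not enabled in the network policy",
    48: "matched no network policy: check the policy conditions and order",
    65: "AD dial-in property is set to 'Deny access' for this user",
}

def parse_event(message):
    """Pull the FIELDS values out of one event message; missing fields become None."""
    found = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, message)
        found[key] = m.group(1) if m else None
    if found["reason_code"] is not None:
        found["reason_code"] = int(found["reason_code"])
    return found

def diagnose(event):
    """Turn the parsed event's reason code into a triage hint."""
    code = event["reason_code"]
    if code is None:
        return "no reason code in message (not a 6273 denial)"
    return REASON_HINTS.get(code, f"reason code {code}: look it up in the NPS reason code list")

def connection_report(messages):
    """Count (user, client MAC, AP) across events: who tried, from which device, via which AP."""
    return Counter((e["user"], e["client_mac"], e["ap"]) for e in map(parse_event, messages))

def sample_event(user, client_mac, ap, code):
    """Constructed message in the layout of the 6273 event quoted above (values are made up)."""
    return (f"User:\n\tFully Qualified Account Name: {user}\n"
            f"Client Machine:\n\tFully Qualified Account Name: -\n"
            f"\tCalled Station Identifier: {ap}\n\tCalling Station Identifier: {client_mac}\n"
            f"Authentication Details:\n\tEAP Type: -\n\tReason Code: {code}\n")

SAMPLE_LOG = [  # constructed: two failed PEAP attempts by one device, one bad password
    sample_event("EXAMPLE\\alice", "02-00-00-00-00-01", "02-AA-BB-CC-DD-01:CorpWiFi", 22),
    sample_event("EXAMPLE\\alice", "02-00-00-00-00-01", "02-AA-BB-CC-DD-01:CorpWiFi", 22),
    sample_event("EXAMPLE\\bob", "02-00-00-00-00-02", "02-AA-BB-CC-DD-02:CorpWiFi", 16),
]
```

On a real server the messages come from the Security log (Event ID 6273) rather than from SAMPLE_LOG; the parser only needs the message text.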