Tom Beck

Connect Mac OS X wirelessly to Windows Server 2003 RADIUS server.

I have several Macs on a Windows domain. Domain controller is Server 2003 Standard Edition SP2. Macs are a mix of OS X Mavericks and Yosemite. All Macs are joined to the Windows domain.

I've recently set up the RADIUS server so this is my first attempt at getting this type of wireless working on this network.

Server 2003:
Internet Authentication Service (IAS) is installed as well as Certificate Services. Self-signed certificate in place.
I have a Security Group for Wireless users that includes all domain users and domain computers. My laptop shows up in the list of computers.
In IAS I have a Remote Access Policy that includes the Wireless Security Group
I have added the Netgear wireless AP to the RADIUS Clients, its IP address and Shared Secret.
IAS ports are the default 1812, 1645
The laptop I am testing from is a MacBook Pro with Yosemite.

Netgear WNDR3700:
Router is set up in AP mode. WAN and LAN setting links now grayed out of course. Static IP assigned to the router that matches a reserve on the DHCP server.
Both 2.4GHz and 5GHz bands set to WPA/WPA2 Enterprise, RADIUS server ip matches the RADIUS server, port 1812, Shared Secret typed in.
I also set up a guest network if that matters.

When I attempt a wireless connection, the laptop connects to the router, I'm presented with a Username/Password login which I would expect. I enter the creds, the wheel spins then: [image]
What am I missing?

B.T.W., I can connect to the guest network wirelessly using basic WPA2 security and a passphrase. I currently have a static IP on the main network's subnet on the wireless adapter on my laptop.

So I'm thinking I missed something on the RADIUS server configuration.
Chris H

Can you try hard-coding an IP on one of the adapters and re-test connectivity?  Possible slow DHCP response poisoning your gateway address?
Does your client trust the IAS self-signed certificate?  Have you imported it into your Mac?
Tom Beck

ASKER

I currently have hard coded IP and DNS on the adapter on my laptop.

Import the self-signed certificate? Had not considered that. Does that explain the message "unresponsive"?

I'm away from the site until Monday, but I appreciate the suggestions.
It may do.

Authentication happens before IP connectivity is established so whether you have an IP address or not is completely irrelevant.
Not making any progress on this. I imported the server certificate into the OS X keychain and set to "always trust". Still getting "The authentication server is unresponsive". I don't see any indication on the server that it is even getting a request for authentication. I have all logging turned on. No events appear on the firewall when I attempt to connect wirelessly to the server.
Does a different type of device connect without a problem?
Like a Windows laptop for example? I can bring one in tomorrow.

The Wireless Policy I created on the IAS server includes Domain Users and Domain Computers. Does that mean one or the other or does it have to be both, domain user using a domain computer?
In the policy it depends how you do it.

If you set one condition to contain Domain Users, then add another separate condition in that policy to include Domain Users, you need to be in both groups, so that will mean AND.

If you set one condition in the policy to contain both Users and Computers, that will mean OR.

Get what I mean?
Yes. I have both in one policy.

Trying Wireshark now to see if I can tell what's happening.
From Wireshark, it looks like it never makes any requests to the IAS server for authentication after I hit the "Join" button. Yet I know on the Netgear that I have the IAS server ip address as the RADIUS server.
ASKER CERTIFIED SOLUTION
Craig Beck
This solution is only available to members.
Tried from a Windows 7 laptop, still nothing. The access point does not even seem to be aware of the network although its static ip is on the same subnet. There's no evidence of any communication with the RADIUS server when I hit the Join button after entering my credentials.

The idea does not deserve any more of my time. I am abandoning it. Thanks for the suggestions. Awarding points for that.
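
Added example, not part of the original thread or any poster's code: the check discussed above, whether the access point ever sends a RADIUS Access-Request to the IAS server, can be made on any datagram captured on UDP port 1812. This Python code decodes the RADIUS header and attributes and tests whether the Message-Authenticator matches the configured shared secret; the user name, NAS address, secret and packet are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import struct

# RFC 2865 / RFC 3579 attribute numbers used below
USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 4, 79, 80

def parse_radius(datagram: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the attribute TLVs that follow it."""
    if len(datagram) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if not 20 <= length <= len(datagram):
        raise ValueError("length field disagrees with datagram size")
    attrs, pos = [], 20
    while pos < length:
        a_len = datagram[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((datagram[pos], pos + 2, datagram[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "raw": datagram[:length], "attrs": attrs}

def first_attr(parsed: dict, a_type: int):
    """Return the value of the first attribute of the given type, or None."""
    return next((v for t, _, v in parsed["attrs"] if t == a_type), None)

def secret_matches(parsed: dict, secret: bytes) -> bool:
    """Attribute 80 is HMAC-MD5(secret, packet with attribute 80's value zeroed)."""
    for a_type, offset, value in parsed["attrs"]:
        if a_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = bytearray(parsed["raw"])
            zeroed[offset:offset + 16] = bytes(16)
            digest = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(digest, value)
    return False  # an EAP Access-Request must carry Message-Authenticator

def build_sample_request(secret: bytes) -> bytes:
    """Constructed test input: Access-Request carrying an EAP identity response."""
    eap = bytes([2, 1, 0, 8, 1]) + b"tom"  # EAP-Response/Identity, length 8
    attrs = (bytes([USER_NAME, 5]) + b"tom"
             + bytes([NAS_IP_ADDRESS, 6, 192, 0, 2, 10])
             + bytes([EAP_MESSAGE, 2 + len(eap)]) + eap
             + bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16))
    pkt = bytearray(struct.pack("!BBH", 1, 7, 20 + len(attrs)) + bytes(range(16)) + attrs)
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

if __name__ == "__main__":
    req = parse_radius(build_sample_request(b"constructed-secret"))
    print(req["code"], first_attr(req, USER_NAME), secret_matches(req, b"constructed-secret"))
```

If no datagram with code 1 ever arrives from the access point's address, the problem lies before the RADIUS server, which is what the Wireshark capture in the thread showed.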