Connect Mac OS X wirelessly to Windows Server 2003 RADIUS server.

I have several Macs on a Windows domain. Domain controller is Server 2003 Standard Edition SP2. Macs are a mix of OS X Mavericks and Yosemite. All Macs are joined to the Windows domain.

I've recently set up the RADIUS server so this is my first attempt at getting this type of wireless working on this network.

Server 2003:
Internet Authentication Service (IAS) is installed as well as Certificate Services. Self-signed certificate in place.
I have a Security Group for Wireless users that includes all domain users and domain computers. My laptop shows up in the list of computers.
In IAS I have a Remote Access Policy that includes the Wireless Security Group
I have added the Netgear wireless AP to the RADIUS Clients, its IP address and Shared Secret.
IAS ports are the default 1812, 1645
The laptop I am testing from is a MacBook Pro with Yosemite.

Netgear WNDR3700:
Router is set up in AP mode. WAN and LAN setting links now grayed out of course. Static IP assigned to the router that matches a reserve on the DHCP server.
Both 2.4GHz and 5GHz bands set to WPA/WPA2 Enterprise, RADIUS server ip matches the RADIUS server, port 1812, Shared Secret typed in.
I also set up a guest network if that matters.

When I attempt a wireless connection, the laptop connects to the router, I'm presented with a Username/Password login which I would expect. I enter the creds, the wheel spins then: Authentication server not responding.
What am I missing?

B.T.W., I can connect to the guest network wirelessly using basic WPA2 security and a passphrase. I currently have a static IP on the main network's subnet on the wireless adapter on my laptop.

So I'm thinking I missed something on the RADIUS server configuration.
Tom Beck Asked:

Chris H (Infrastructure Manager) Commented:
Can you try hard-coding an IP on one of the adapters and re-test connectivity?  Possible slow DHCP response poisoning your gateway address?
0
Craig Beck Commented:
Does your client trust the IAS self-signed certificate?  Have you imported it into your Mac?
0
Tom Beck (Author) Commented:
I currently have hard coded IP and DNS on the adapter on my laptop.

Import the self-signed certificate? Had not considered that. Does that explain the message "unresponsive"?

I'm away from the site until Monday, but I appreciate the suggestions.
0
Craig Beck Commented:
It may do.

Authentication happens before IP connectivity is established so whether you have an IP address or not is completely irrelevant.
0
Tom Beck (Author) Commented:
Not making any progress on this. I imported the server certificate into the OS X keychain and set to "always trust". Still getting "The authentication server is unresponsive". I don't see any indication on the server that it is even getting a request for authentication. I have all logging turned on. No events appear on the firewall when I attempt to connect wirelessly to the server.
0
Craig Beck Commented:
Does a different type of device connect without a problem?
0
Tom Beck (Author) Commented:
Like a Windows laptop for example? I can bring one in tomorrow.

The Wireless Policy I created on the IAS server includes Domain Users and Domain Computers. Does that mean one or the other or does it have to be both, domain user using a domain computer?
0
Craig Beck Commented:
In the policy it depends how you do it.

If you set one condition to contain Domain Users, then add another separate condition in that policy to include Domain Users, you need to be in both groups, so that will mean AND.

If you set one condition in the policy to contain both Users and Computers, that will mean OR.

Get what I mean?
0
Tom Beck (Author) Commented:
Yes. I have both in one policy.

Trying Wireshark now to see if I can tell what's happening.
0
Tom Beck (Author) Commented:
From Wireshark, it looks like it never makes any requests to the IAS server for authentication after I hit the "Join" button. Yet I know on the Netgear that I have the IAS server ip address as the RADIUS server.
0
Craig Beck Commented:
You need to test from a different device then.
0
Tom Beck (Author) Commented:
Tried from a Windows 7 laptop, still nothing. The access point does not even seem to be aware of the network although its static ip is on the same subnet. There's no evidence of any communication with the RADIUS server when I hit the Join button after entering my credentials.

The idea does not deserve any more of my time. I am abandoning it. Thanks for the suggestions. Awarding points for that.
0
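
An added example, not part of the original thread: when no RADIUS traffic shows up at the server, a minimal RFC 2865 Access-Request sent from a wired host separates "server unreachable or client not registered" from "shared secret mismatch" without involving the access point. The server address, secret, user name and function names are assumptions for illustration; the probing host must itself be listed under RADIUS Clients in IAS, and with an EAP-only wireless policy an Access-Reject is the expected (and sufficient) answer.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    n = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(n, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, n, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes, req_auth: bytes) -> bytes:
    hidden = hide_password(password, secret, req_auth)
    # Attribute 1 = User-Name, attribute 2 = User-Password (type, length, value).
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def reply_is_authentic(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code, id, length, request auth, attrs, secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    want = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

def probe(server: str, secret: bytes, port: int = 1812, timeout: float = 3.0) -> str:
    req_auth = os.urandom(16)
    packet = build_access_request(1, b"probe-user", b"not-a-real-password",
                                  secret, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # timeout, or ICMP port unreachable surfaced by the OS
            # RADIUS servers silently discard requests from unlisted clients.
            return "no reply: unreachable, filtered, or host not a listed RADIUS client"
    if not reply_is_authentic(reply, req_auth, secret) or reply[1] != 1:
        return "reply failed verification: shared secret mismatch"
    code = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return code.get(reply[0], "unexpected code") + ": server reachable, secret matches"

if __name__ == "__main__":
    # Placeholder address and secret (assumptions); substitute the IAS server's values.
    print(probe("192.0.2.10", b"example-shared-secret"))
```

If this probe gets an authentic reply from the wired side while a capture still shows nothing arriving from the access point, the problem lies in the AP's RADIUS settings or its path to the server rather than in IAS.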