Wireless Authentication with RADIUS

Posted on 2016-08-11
Last Modified: 2016-08-12
Hi Experts,

I am looking for some assistance on configuring a Windows Server 2012 RADIUS server. We want it to require users to authenticate to get on our wireless networks, and if we are successful with this, we would also like to configure it with our HP ProCurve Aruba 2920 switches.

But firstly, I would like to get this working with our Ubiquiti wireless network system.

Steps that I have completed so far:

Set up a brand new (virtual) Windows Server 2012 R2 Standard box
Configured the Active Directory Certificate Services role
Installed the Certificate Authority
Configured the Network Access Protection role
Registered the server in Active Directory by right-clicking NPS (Local) and selecting the register option
Set up the RADIUS clients (our access point management server)
Changed the standard configuration to 'RADIUS server for 802.1X Wireless or Wired Connections' and set the EAP type to Microsoft: Secured password (EAP-MSCHAP v2)
Linked a security group configured in AD for authentication
Specified the RADIUS server details on our AP interface for a wireless network

When a computer attempts to connect to the wireless network, I do get the login box. I then log in with a user who is included in the configured security group, but it just fails to connect.

I've noticed in a lot of YouTube videos that some certificate configuration is required.

If I open the Certificates snap-in via MMC on the RADIUS server, select Computer account, browse down to Personal > Certificates, then right-click and select 'Request New Certificate', I am only given the option to select 'Computer' in the request wizard, but apparently I should be able to see 'Domain Controller'.

When requesting a certificate from our AD, I am only getting 'Computer' as a choice.
Can someone please advise what I may have missed?

Thanks
Nathan
Question by:Nathan Lindley

Expert Comment

by:Wirelessnerd
ID: 41751867
I don't think your problem is with the certificate.
If your clients do get the prompt, your certificate is in order (otherwise the client would reject the attempt before that, unless you set it to ignore the RADIUS certificate).
Feel free to verify this: go into your NPS and edit EAP-PEAP with MS-CHAPv2 as the inner auth method, and you should see the certificate issued.
Make sure your clients trust this certificate (distribute it via AD) and your cert issues are solved.
Try testing with the "ignore server certificate" option on your client and see if that improves anything.

Also, for EAP-PEAP a server certificate is all you need, so the computer cert you can request from your CA is sufficient. If your server isn't a domain controller you won't be getting a DC cert for it either.

That still leaves us with your problem.
Check the Windows Event Viewer for the authentication attempt. Does it show up? What error?
If it doesn't show up... have you actually set it to use the NPS server on your WLC?
You may have configured it to do WPA2-AES (i.e. with authentication), but is it using the NPS server to authenticate with, or might it be authenticating against an internal database of some sort?

I'm not familiar with Ubiquiti so I can't really help you further on that end.

Author Comment

by:Nathan Lindley
ID: 41752115
Hi Poohke,

I do get the prompt on the computer. I have attempted to enter the credentials with the username specifying the domain and without specifying the domain, but these don't work. I cleared out the Event Viewer and attempted again, but didn't see any event relating to the failed connection attempt.

Here is a screen shot of my Network Policy constraints:
Network-Policy-Comnstraints.PNG
Also, this is a screen shot of when I attempt to enroll the computer certificate on the RADIUS server:
Request-cert-attempt.PNG
Have you set up RADIUS servers before? Perhaps you could go through a step by step to see if I have missed anything out?

Thanks
Nathan

Accepted Solution

by:Wirelessnerd
ID: 41752457
Hello Nathan,

Yes, I've set up a ton of IAS and NPS servers as I'm a WLAN professional. Although these days most companies are moving away from NPS towards Clearpass or something.

Try double-clicking on the "Microsoft: Secured password (EAP-MSCHAP v2)" entry from your screenshot. You should be able to see if a certificate is used and which one it is. There might be one there already.
Also uncheck all those less secure authentication methods. You don't need them if your WLC is properly configured for EAP-PEAP.

Setting up a CA isn't my business though. Can't help much with that. While I've set up a few for customers asking it, doing it properly and really supporting them is beyond me, sorry.

If you want to go the easy way, just install NPS on a domain controller. Then NPS will simply use the DC certificate and you will be good to go. Don't even need a CA then.


On NPS the config is pretty easy. Off the top of my head:
1) Enter the RADIUS clients (your WLC or whatever proxy is sending the RADIUS requests).
2) Enter a condition. Begin with hours of day and allow all for starters. Once you get everything working, add the user or computer policy that you want to allow.
3) Constraints: check if there is a certificate available as explained above.
4) Check the Event Viewer for authentication, and check if logging is enabled (right-click your NPS server, if I remember correctly).
5) If you don't see anything, check your WLC.
5) if you don't see anything, check your WLC


Again, I think you should verify if there is already a certificate installed. I'm guessing there is. If so, ignore the CA for a while until you have everything working. Pre-configure a WLAN profile on your client with the correct details but uncheck "verify server certificate" (again, until everything works) and see if it will connect.
Check your WLC debug logs to find out what is happening with the authentication. Is it forwarding it to the correct NPS server?

Author Comment

by:Nathan Lindley
ID: 41752503
Thanks Poohke,

I will look through your last comment and check everything, but my most recent finding, from looking at the logs in the server's Event Viewer, is this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:41:12
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

NAS:
      NAS IPv4 Address:            192.168.1.110
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:                  192.168.1.110

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-11T15:41:12.998828300Z" />
    <EventRecordID>5450</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="768" />
    <Channel>Security</Channel>
    <Computer>MARAD001.corporate.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address">192.168.1.110</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
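The troubleshooting sequence from the accepted answer (is there a usable server certificate, which RADIUS clients are defined, what do the 6273 events say) is worth scripting so it can be re-run after every change. What follows is an added example, not part of the original thread, meant to run on the NPS host as an administrator. It assumes the NPS and PKI PowerShell modules are present (both ship with Windows Server 2012 R2); the reason-code table is deliberately partial and covers only codes the author is certain of. Reason code 265, the one in the event above, is reported by NPS when the PEAP TLS handshake fails because a certificate chain was not trusted; in a PEAP deployment that is most often the client refusing the server's certificate, so the fix is on the client's trust store, not on NPS.

```powershell
# Added example, not from the original thread: server-side sanity checks for an NPS
# 802.1X/PEAP deployment. Run on the NPS host (assumed: marad001.corporate.local) as admin.
# Assumes the NPS and PKI modules are available (Windows Server 2012 R2 ships both).

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth; PEAP's server cert must carry it

# 1. Is there a usable server certificate in the machine store? PEAP needs a certificate
#    with a private key, the Server Authentication EKU, and a chain the CLIENTS trust.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku) }

if (-not $candidates) {
    Write-Warning 'No certificate with a private key and Server Authentication EKU in LocalMachine\My.'
    Write-Warning 'PEAP cannot be offered until one is enrolled; the "Computer" template is sufficient.'
}

foreach ($cert in $candidates) {
    # Test-Certificate builds the chain against THIS machine's trust store. If it fails here,
    # the NPS box itself does not trust the issuing CA, so clients certainly will not.
    $chainOk = Test-Certificate -Cert $cert -EKU $ServerAuthEku -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        ChainOk    = [bool]$chainOk
    }
}

# 2. Which NAS devices may talk to this server? The access point (or its controller) must
#    match one of these entries by source IP and shared secret; otherwise NPS drops the
#    request silently and no 6273 event is written at all.
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# 3. Summarise recent denials. Event 6273 ("NPS denied access to a user") carries a
#    ReasonCode in its EventData; the mapping below is partial (only codes known for sure).
$reasons = @{
    16  = 'Bad username or password'
    48  = 'Request did not match any network policy'
    49  = 'Request did not match any connection request policy'
    65  = 'Network access permission denied (account dial-in property)'
    66  = 'Authentication method not enabled on the matching policy'
    265 = 'Certificate chain issued by an authority the peer does not trust'
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6273 } -MaxEvents 200 -ErrorAction SilentlyContinue
$events | ForEach-Object {
    # Pull the named <Data> fields out of the event XML (same shape as the XML posted above).
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = $d['SubjectUserName']
        ClientMac  = $d['CallingStationID']
        Nas        = $d['ClientIPAddress']
        Policy     = $d['NetworkPolicyName']
        ReasonCode = [int]$d['ReasonCode']
        Reason     = $reasons[[int]$d['ReasonCode']]
    }
} | Group-Object ReasonCode | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Reason'; e = { $_.Group[0].Reason } }
```

Read the three sections in order. No candidate certificate, or `ChainOk` false, is a server-side PKI problem. A candidate that checks out but a stream of 265s means the clients do not hold the issuing CA in their Trusted Root store (or hold it but have the profile pinned to a different CA). No 6273 events at all while clients are visibly failing means the requests never reach NPS, which is exactly the RADIUS-client / controller misconfiguration the thread's experts kept pointing at.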

Assisted Solution

by:Craig Beck
ID: 41753039
Hi Nathan, is this a duplicate of the other question you have open?

I too am a WLAN professional and poohke raises some good points. If your NPS is a member server on your domain and your CA is local (as per your other post), the NPS will already have a CA cert and a computer cert that should be good. This leads me to believe that the clients either aren't configured correctly or they're using a cert from a different CA.

Looking at the log again it seems that your client tried to use PEAP with a cert instead of EAP-MSCHAPv2. Check the client config.