asked on Wireless Authentication with RADIUS
Hi Experts,
I am looking for some assistance on configuring a Windows Server 2012 RADIUS server. We want this to be able to make users have to authenticate to get on our wireless networks... and maybe if we are successful with this, we would also configure this with our HP Procurve ARUBA 2920 switches.
But firstly, I would like to get this working with our Ubiquti wireless network system.
Steps that I have completed so far.
Set up a brand new (virtual) WinSVR 2012 R2 Std box
Configured Active Directory Certificate Services role
Installed Certificate authority
Configured Network Access Protection role
(registered server in Active Directory) by right-clicking NPS (local) and selecting the register option
Set up the radius clients (our access point management server)
Changed the standard configuration as RADIUS server for 802.1X wireless or Wired Connections and set the EAP type to Microsoft: Secured password (EAP-MSCHAP v2)
Linked a security group configured in AD for authentication.
Specified the RADIUS server details on our AP interface for a wireless network.
When a computer attempts to connect to the wireless network, I do get the login box, I then log in with a user which is included in the security group configured, but this just fails to connect.
I've noticed on a lot of videos on YouTube, that there are some certificate configuring required
if I open Certificate snap-in via MMC on the RADIUS server, and select computer account, then browse down to Personal > Certificates, then right click and select 'Request New Certificate' I am only given the option to select 'Computer' on the request wizard, but apparently I should be able to see 'Domain Controller'
![When requesting a certificate from our AD, I am only getting 'Computer' as a choice.?????!?!?]()
Please can someone advise what I may have missed off?
Thanks
Nathan
I am looking for some assistance on configuring a Windows Server 2012 RADIUS server. We want this to be able to make users have to authenticate to get on our wireless networks... and maybe if we are successful with this, we would also configure this with our HP Procurve ARUBA 2920 switches.
But firstly, I would like to get this working with our Ubiquti wireless network system.
Steps that I have completed so far.
Set up a brand new (virtual) WinSVR 2012 R2 Std box
Configured Active Directory Certificate Services role
Installed Certificate authority
Configured Network Access Protection role
(registered server in Active Directory) by right-clicking NPS (local) and selecting the register option
Set up the radius clients (our access point management server)
Changed the standard configuration as RADIUS server for 802.1X wireless or Wired Connections and set the EAP type to Microsoft: Secured password (EAP-MSCHAP v2)
Linked a security group configured in AD for authentication.
Specified the RADIUS server details on our AP interface for a wireless network.
When a computer attempts to connect to the wireless network, I do get the login box, I then log in with a user which is included in the security group configured, but this just fails to connect.
I've noticed on a lot of videos on YouTube, that there are some certificate configuring required
if I open Certificate snap-in via MMC on the RADIUS server, and select computer account, then browse down to Personal > Certificates, then right click and select 'Request New Certificate' I am only given the option to select 'Computer' on the request wizard, but apparently I should be able to see 'Domain Controller'
Please can someone advise what I may have missed off?
Thanks
Nathan
Network SecurityWindows Server 2012Wireless NetworkingNetwork Architecture
Last Comment
Craig Beck
ASKER
Hi Poohke,
I do get the prompt on the computer ... I have attempted to enter the credentials with the username specifying the domain, and without specifying the domain but these dont work, I cleared out the event viewer, and attempted, but didn't see any event relating to the failed connection attempt.
Here is a screen shot of my Network Policy constraints:
![Network-Policy-Comnstraints.PNG]()
also, this is a screen shot of when I attempt to enroll the computer certiicate on the RADIUS server.
![Request-cert-attempt.PNG]()
Have you set up RADIUS servers before? Perhaps you could go through a step by step to see if I have missed anything out?
Thanks
Nathan
I do get the prompt on the computer ... I have attempted to enter the credentials with the username specifying the domain, and without specifying the domain but these dont work, I cleared out the event viewer, and attempted, but didn't see any event relating to the failed connection attempt.
Here is a screen shot of my Network Policy constraints:
also, this is a screen shot of when I attempt to enroll the computer certiicate on the RADIUS server.
Have you set up RADIUS servers before? Perhaps you could go through a step by step to see if I have missed anything out?
Thanks
Nathan
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks Poohke,
I will look through your last comment and check everything, but my most recent finding, is looking at the logs on the server role event viewer.. is this..
I will look through your last comment and check everything, but my most recent finding, is looking at the logs on the server role event viewer.. is this..
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 11/08/2016 16:41:12
Event ID: 6273
Task Category: Network Policy Server
Level: Information
Keywords: Audit Failure
User: N/A
Computer: MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: CORPORATE\Nathan.Lindley
Account Name: nathan.lindley
Account Domain: CORPORATE
Fully Qualified Account Name: corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: 52-D9-E7-A5-10-3A:test
Calling Station Identifier: A4-34-D9-67-FA-43
NAS:
NAS IPv4 Address: 192.168.1.110
NAS IPv6 Address: -
NAS Identifier: 44d9e7a4103a
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 0
RADIUS Client:
Client Friendly Name: MPAP3 - IT Suite
Client IP Address: 192.168.1.110
Authentication Details:
Connection Request Policy Name: IT Suite
Network Policy Name: New
Authentication Provider: Windows
Authentication Server: MARAD001.corporate.local
Authentication Type: PEAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 265
Reason: The certificate chain was issued by an authority that is not trusted.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Aud iting" Guid="{54849625-5478-4994- A5BA-3E3B0 328C30D}" />
<EventID>6273</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12552</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywor ds>
<TimeCreated SystemTime="2016-08-11T15:41:12.9988 28300Z" />
<EventRecordID>5450</EventRecordID>
<Correlation />
<Execution ProcessID="460" ThreadID="768" />
<Channel>Security</Channel>
<Computer>MARAD001.corporate.local</ Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-43246 9759-35839 70380-2158 479170-102 17</Data>
<Data Name="SubjectUserName">nathan.lindle y</Data>
<Data Name="SubjectDomainName">CORPORATE</ Data>
<Data Name="FullyQualifiedSubjectUserName" >corporate .local/MON EYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
<Data Name="SubjectMachineSID">S-1-0-0</Da ta>
<Data Name="SubjectMachineName">-</Data>
<Data Name="FullyQualifiedSubjectMachineNa me">-</Dat a>
<Data Name="MachineInventory">-</Data>
<Data Name="CalledStationID">52-D9-E7-A5-1 0-3A:test< /Data>
<Data Name="CallingStationID">A4-34-D9-67- FA-43</Dat a>
<Data Name="NASIPv4Address">192.168.1.110< /Data>
<Data Name="NASIPv6Address">-</Data>
<Data Name="NASIdentifier">44d9e7a4103a</D ata>
<Data Name="NASPortType">Wireless - IEEE 802.11</Data>
<Data Name="NASPort">0</Data>
<Data Name="ClientName">MPAP3 - IT Suite</Data>
<Data Name="ClientIPAddress">192.168.1.110 </Data>
<Data Name="ProxyPolicyName">IT Suite</Data>
<Data Name="NetworkPolicyName">New</Data>
<Data Name="AuthenticationProvider">Window s</Data>
<Data Name="AuthenticationServer">MARAD001 .corporate .local</Da ta>
<Data Name="AuthenticationType">PEAP</Data >
<Data Name="EAPType">-</Data>
<Data Name="AccountSessionIdentifier">-</D ata>
<Data Name="ReasonCode">265</Data>
<Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
<Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
</EventData>
</Event>
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
If your clients do get the prompt your certificate is in order (otherwise the client would reject the attempt before that even, unless you set it to ignore the radius certificate).
Feel free to verify this: Go in your NPS and edit the EAP-PEAP with ms-chapv2 as inner auth method and you should see the certificate issued.
Make sure your clients trust this certificate (distribute it via AD) and your cert issues are solved.
Try testing with the "ignore server certificate" option on your client and see if that improves anything.
ASlso.. for EAP-PEAP a server certificate is all you need so the computer cert you can request from your CA is sufficient. If your server isn't a domain controller you wont be getting a DC cert for it either.
Still leaves us your problem.
Check Windows event viewer for the authentication attempt. Does it show up? What error?
If it doesn't show up... have you actually set it to use the NPS server on your WLC?
You may have configure it to do wpa2-aes (aka with authentication), but is it using the NPS server to authenticate with or might it be authenticating with an internal database of some sort?
I'm not familiar with Ubiquti so I can't realy help you further on that end.