Solved

Wireless Authentication with RADIUS

Posted on 2016-08-11
Last Modified: 2016-08-12
Hi Experts,

I am looking for some assistance on configuring a Windows Server 2012 RADIUS server. We want this to be able to make users have to authenticate to get on our wireless networks... and maybe if we are successful with this, we would also configure this with our HP Procurve ARUBA 2920 switches.

But firstly, I would like to get this working with our Ubiquiti wireless network system.

Steps that I have completed so far:

Set up a brand new (virtual) WinSVR 2012 R2 Std box
Configured Active Directory Certificate Services role
Installed Certificate authority
Configured Network Access Protection role
(registered server in Active Directory) by right-clicking NPS (local) and selecting the register option
Set up the radius clients (our access point management server)
Changed the standard configuration as RADIUS server for 802.1X wireless or Wired Connections and set the EAP type to Microsoft: Secured password (EAP-MSCHAP v2)
Linked a security group configured in AD for authentication.
Specified the RADIUS server details on our AP interface for a wireless network.

When a computer attempts to connect to the wireless network, I do get the login box, I then log in with a user which is included in the security group configured, but this just fails to connect.

I've noticed on a lot of videos on YouTube that there is some certificate configuration required.

If I open the Certificates snap-in via MMC on the RADIUS server, select Computer account, browse down to Personal > Certificates, then right-click and select 'Request New Certificate', I am only given the option to select 'Computer' in the request wizard, but apparently I should be able to see 'Domain Controller'.

When requesting a certificate from our AD, I am only getting 'Computer' as a choice?
Please can someone advise what I may have missed off?

Thanks
Nathan
Question by:Nathan Lindley
5 Comments
 
Expert Comment

by:Wirelessnerd
ID: 41751867
Your problem isn't with the certificate I think.
If your clients do get the prompt, your certificate is in order (otherwise the client would reject the attempt before that even, unless you set it to ignore the RADIUS certificate).
Feel free to verify this: Go in your NPS and edit the EAP-PEAP with ms-chapv2 as inner auth method and you should see the certificate issued.
Make sure your clients trust this certificate (distribute it via AD) and your cert issues are solved.
Try testing with the "ignore server certificate" option on your client and see if that improves anything.

Also, for EAP-PEAP a server certificate is all you need, so the computer cert you can request from your CA is sufficient. If your server isn't a domain controller you won't be getting a DC cert for it either.

Still leaves us your problem.
Check Windows event viewer for the authentication attempt. Does it show up? What error?
If it doesn't show up... have you actually set it to use the NPS server on your WLC?
You may have configured it to do WPA2-AES (aka with authentication), but is it using the NPS server to authenticate with, or might it be authenticating with an internal database of some sort?

I'm not familiar with Ubiquiti so I can't really help you further on that end.
 

Author Comment

by:Nathan Lindley
ID: 41752115
Hi Poohke,

I do get the prompt on the computer. I have attempted to enter the credentials with the username specifying the domain, and without specifying the domain, but these don't work. I cleared out the event viewer and attempted again, but didn't see any event relating to the failed connection attempt.

Here is a screen shot of my Network Policy constraints:
Network-Policy-Comnstraints.PNG
Also, this is a screenshot of when I attempt to enroll the computer certificate on the RADIUS server.
Request-cert-attempt.PNG
Have you set up RADIUS servers before? Perhaps you could go through a step by step to see if I have missed anything out?

Thanks
Nathan
 
Accepted Solution

by:
Wirelessnerd earned 1000 total points
ID: 41752457
Hello Nathan,

Yes, I've set up a ton of IAS and NPS servers as I'm a WLAN professional. Although these days most companies are moving away from NPS towards Clearpass or something.

Try double-clicking on the "Microsoft: Secured password (EAP-MSCHAP v2)" from your screenshot. You should be able to see if a certificate is used and which one it is. There might be one there already.
Also uncheck all those less secure authentication methods. You don't need them if your WLC is properly configured for EAP-PEAP.

Setting up a CA isn't my business though. Can't help much with that. While I've set up a few for customers asking it, doing it properly and really supporting them is beyond me, sorry.

If you want to go the easy way, just install NPS on a domain controller. Then NPS will simply use the DC certificate and you will be good to go. Don't even need a CA then.


On NPS the config is pretty easy. From my head:
1) enter the RADIUS clients (your WLC or whatever proxy is sending the RADIUS requests).
2) enter a condition. Begin with hours of day and allow all for starters. Once you get everything working, add the user or computer policy that you want to allow.
3) constraints: check if there is a certificate available as explained above.
4) check event viewer for authentication, check if logging is enabled (right-click your NPS server if I remember correctly).
5) if you don't see anything, check your WLC.


Again, I think you should verify if there is already a certificate installed. I'm guessing there is. If so, ignore the CA for a while until you have everything working. Pre-configure a WLAN profile on your client with the correct details but uncheck "verify server certificate" (again, until everything works) and see if it will connect.
Check your WLC debug logs to find out what is happening with the authentication. Is it forwarding it to the correct NPS server?
 

Author Comment

by:Nathan Lindley
ID: 41752503
Thanks Poohke,

I will look through your last comment and check everything, but my most recent finding, looking at the logs in the server role event viewer, is this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:41:12
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

NAS:
      NAS IPv4 Address:            192.168.1.110
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:                  192.168.1.110

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-11T15:41:12.998828300Z" />
    <EventRecordID>5450</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="768" />
    <Channel>Security</Channel>
    <Computer>MARAD001.corporate.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address">192.168.1.110</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
 
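The denial above ends in reason code 265. As an added example that is not part of this thread, here is a small Python triage helper that parses the Event Xml form of NPS event 6273, maps a handful of documented reason codes to a failure class and, for a PEAP attempt with no inner EAP type recorded, points at the client's trust of the CA that issued the NPS server certificate. The reason-code table is deliberately partial, and the sample event is the posted one trimmed to the fields the helper reads.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Partial map of NPS reason codes to a failure class; unlisted codes come back "unknown".
REASON_CLASS = {
    16: "credentials",   # user name or password mismatch
    48: "policy",        # no matching network policy
    49: "policy",        # no matching connection request policy
    65: "policy",        # AD dial-in permission set to deny
    66: "policy",        # auth method not enabled on the matched policy
    262: "certificate",  # TLS message incomplete, signature not verified
    265: "certificate",  # chain issued by an authority that is not trusted
}

def parse_event(xml_text):
    """Flatten a Windows Security event's System/EventData into a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    return fields

def triage(fields):
    """Classify one NPS event 6273 (access denied) and name the next thing to check."""
    if fields.get("EventID") != 6273:
        return None
    code = int(fields.get("ReasonCode", "0") or 0)
    cls = REASON_CLASS.get(code, "unknown")
    # With PEAP, an empty inner EAP type typically means the attempt died in the
    # outer TLS tunnel, before the inner method (here MSCHAPv2) ever ran.
    in_tunnel = fields.get("AuthenticationType") == "PEAP" and fields.get("EAPType", "-") == "-"
    hint = ("verify the client trusts the CA that issued the NPS server certificate"
            if cls == "certificate" and in_tunnel else "check the matched policy and the account")
    return {"reason_code": code, "class": cls, "tls_phase": in_tunnel,
            "nas": fields.get("ClientIPAddress", "-"),
            "policy": fields.get("NetworkPolicyName", "-"), "next_check": hint}

# Constructed sample: the posted event trimmed to the fields triage() reads.
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6273</EventID></System>
  <EventData>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="ReasonCode">265</Data>
  </EventData>
</Event>"""
```

Feeding the full posted Event Xml through parse_event gives the same result, since the extra Data elements are simply carried along in the dict.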
Assisted Solution

by:Craig Beck
Craig Beck earned 1000 total points
ID: 41753039
Hi Nathan, is this a duplicate of the other question you have open?

I too am a WLAN professional and poohke raises some good points. If your NPS is on your domain on a member server and your CA is local (as per your other post), the NPS will have a CA cert and a computer cert already that should be good. This leads me to believe that the clients either aren't configured correctly or they're using a cert from a different CA.

Looking at the log again it seems that your client tried to use PEAP with a cert instead of EAP-MSCHAPv2. Check the client config.
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
A new hacking trick has emerged leveraging your own helpdesk or support ticketing tools as an easy way to distribute malware.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question