Link to home
Create AccountLog in
Avatar of Nathan Lindley
Nathan LindleyFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Wireless Authentication with RADIUS

Hi Experts,

I am looking for some assistance on configuring a Windows Server 2012 RADIUS server. We want this to be able to make users have to authenticate to get on our wireless networks... and maybe if we are successful with this, we would also configure this with our HP Procurve ARUBA 2920 switches.

But firstly, I would like to get this working with our Ubiquti wireless network system.

Steps that I have completed so far.

Set up a brand new (virtual) WinSVR 2012 R2 Std box
Configured Active Directory Certificate Services role
Installed Certificate authority
Configured Network Access Protection role
(registered server in Active Directory) by right-clicking NPS (local) and selecting the register option
Set up the radius clients (our access point management server)
Changed the standard configuration as RADIUS server for 802.1X wireless or Wired Connections and set the EAP type to Microsoft: Secured password (EAP-MSCHAP v2)
Linked a security group configured in AD for authentication.
Specified the RADIUS server details on our AP interface for a wireless network.

When a computer attempts to connect to the wireless network, I do get the login box, I then log in with a user which is included in the security group configured, but this just fails to connect.

I've noticed on a lot of videos on YouTube, that there are some certificate configuring required

if I open Certificate snap-in via MMC on the RADIUS server, and select computer account, then browse down to Personal > Certificates, then right click and select 'Request New Certificate' I am only given the option to select 'Computer' on the request wizard, but apparently I should be able to see 'Domain Controller'

User generated image
Please can someone advise what I may have missed off?

Thanks
Nathan
Avatar of Wirelessnerd
Wirelessnerd
Flag of Belgium image

Your problem isn't with the certificate I think.
If your clients do get the prompt your certificate is in order (otherwise the client would reject the attempt before that even, unless you set it to ignore the radius certificate).  
Feel free to verify this: Go in your NPS and edit the EAP-PEAP with ms-chapv2 as inner auth method and you should see the certificate issued.
Make sure your clients trust this certificate (distribute it via AD) and your cert issues are solved.
Try testing with the "ignore server certificate" option on your client and see if that improves anything.

ASlso.. for EAP-PEAP a server certificate is all you need so the computer cert you can request from your CA is sufficient. If your server isn't a domain controller you wont be getting a DC cert for it either.

Still leaves us your problem.
Check Windows event viewer for the authentication attempt. Does it show up? What error?
If it doesn't show up... have you actually set it to use the NPS server on your WLC?
You may have configure it to do wpa2-aes (aka with authentication), but is it using the NPS server to authenticate with or might it be authenticating with an internal database of some sort?

I'm not familiar with Ubiquti so I can't realy help you further on that end.
Avatar of Nathan Lindley

ASKER

Hi Poohke,

I do get the prompt on the computer ... I have attempted to enter the credentials with the username specifying the domain, and without specifying the domain but these dont work, I cleared out the event viewer, and attempted, but didn't see any event relating to the failed connection attempt.

Here is a screen shot of my Network Policy constraints:
User generated image
also, this is a screen shot of when I attempt to enroll the computer certiicate on the RADIUS server.
User generated image
Have you set up RADIUS servers before? Perhaps you could go through a step by step to see if I have missed anything out?

Thanks
Nathan
ASKER CERTIFIED SOLUTION
Avatar of Wirelessnerd
Wirelessnerd
Flag of Belgium image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Thanks Poohke,

I will look through your last comment and check everything, but my most recent finding, is looking at the logs on the server role event viewer.. is this..

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/08/2016 16:41:12
Event ID:      6273
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MARAD001.corporate.local
Description:
Network Policy Server denied access to a user.

Contact the Network Policy Server administrator for more information.

User:
      Security ID:                  CORPORATE\Nathan.Lindley
      Account Name:                  nathan.lindley
      Account Domain:                  CORPORATE
      Fully Qualified Account Name:      corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley

Client Machine:
      Security ID:                  NULL SID
      Account Name:                  -
      Fully Qualified Account Name:      -
      OS-Version:                  -
      Called Station Identifier:            52-D9-E7-A5-10-3A:test
      Calling Station Identifier:            A4-34-D9-67-FA-43

NAS:
      NAS IPv4 Address:            192.168.1.110
      NAS IPv6 Address:            -
      NAS Identifier:                  44d9e7a4103a
      NAS Port-Type:                  Wireless - IEEE 802.11
      NAS Port:                  0

RADIUS Client:
      Client Friendly Name:            MPAP3 - IT Suite
      Client IP Address:                  192.168.1.110

Authentication Details:
      Connection Request Policy Name:      IT Suite
      Network Policy Name:            New
      Authentication Provider:            Windows
      Authentication Server:            MARAD001.corporate.local
      Authentication Type:            PEAP
      EAP Type:                  -
      Account Session Identifier:            -
      Logging Results:                  Accounting information was written to the local log file.
      Reason Code:                  265
      Reason:                        The certificate chain was issued by an authority that is not trusted.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6273</EventID>
    <Version>1</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2016-08-11T15:41:12.998828300Z" />
    <EventRecordID>5450</EventRecordID>
    <Correlation />
    <Execution ProcessID="460" ThreadID="768" />
    <Channel>Security</Channel>
    <Computer>MARAD001.corporate.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-432469759-3583970380-2158479170-10217</Data>
    <Data Name="SubjectUserName">nathan.lindley</Data>
    <Data Name="SubjectDomainName">CORPORATE</Data>
    <Data Name="FullyQualifiedSubjectUserName">corporate.local/MONEYPLUS GROUP/Manchester/IS Operations/Nathan Lindley</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">-</Data>
    <Data Name="FullyQualifiedSubjectMachineName">-</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">52-D9-E7-A5-10-3A:test</Data>
    <Data Name="CallingStationID">A4-34-D9-67-FA-43</Data>
    <Data Name="NASIPv4Address">192.168.1.110</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">44d9e7a4103a</Data>
    <Data Name="NASPortType">Wireless - IEEE 802.11</Data>
    <Data Name="NASPort">0</Data>
    <Data Name="ClientName">MPAP3 - IT Suite</Data>
    <Data Name="ClientIPAddress">192.168.1.110</Data>
    <Data Name="ProxyPolicyName">IT Suite</Data>
    <Data Name="NetworkPolicyName">New</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">MARAD001.corporate.local</Data>
    <Data Name="AuthenticationType">PEAP</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">265</Data>
    <Data Name="Reason">The certificate chain was issued by an authority that is not trusted.</Data>
    <Data Name="LoggingResult">Accounting information was written to the local log file.</Data>
  </EventData>
</Event>
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account