Wireless Radius Clients

Discussion in 'Server Networking' started by Steven, Mar 7, 2006.

  1. Steven

    Steven Guest

    Hello MVP,

    I am setting up a Wireless Network and trying to take advantage of IAS with
    EAP-TLS in Windows Server 2003. The client is prompted for a cert but when I
    select the cert it just tries and tries then prompts me again. This
    continues....
    I have a linksys wrk54g using WPA - Radius. I have both user certs and
    computer certs on the client. I have a computer cert on the IAS server. Auto
    entrollment is working as it should.

    Note: I am using L2TP/IPsec successfully over the same Windows system. Also
    note that currently I am having to just use WEP which hopefully is just
    temporary.

    Any help would be greatly apprciated.
     
    Steven, Mar 7, 2006
    #1
    1. Advertisements

  2. In
    I just did this recently using a Cisco Aironet 1231 and it's still pretty
    fresh in my mind. I didn't use WEP, not necessary since I used WPA and
    TKIP.Works great.

    I'm assuming you used a Windows 2003 Enterprise for the CA to give you the
    ability to duplicate the User and Computer certs to create your
    autoenrollment certs, and in the certs, you are allowing user and computer
    certs to login.

    From what you've posted, if you've verified by checking the workstation
    (certifcates snap-in) that it has received a cert thru autoenrollment, and
    depending on how the clients wireless interfaces are setup, whether static
    settings or controlling the clients thru a GPO, it should pretty much work.

    Are you using a GPO for a wireless policy? If so, what do you have set in
    there as far as the client settings (WPA, WEP, SSID, etc)?

    Is the key length on the CA and the certs no larger than 1024? Cisco, and
    what I understand many others, do not support keys larger than 1024. If it
    keeps prompting you for the cert, than that may be a better guess as to why
    this is happening.

    Make sure your RADIUS Linksys client and IAS server shared secrets match.
    (You'd be suprised how this one can be easily overlooked).

    Did you create an IAS policy to allow 802.1?
    Controlling access by groups in the IAS policy? If so, are the users part of
    that group?

    What do the ISA logs, ISA server and client Event viewer logs, and possibly
    the Linksys logs say? Any errors on the Event logs on the CA?

    Sorry for all the questions, too many places this can go wrong, and need to
    narrow it down.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Assimilation Imminent. Resistance is Futile
    Infinite Diversities in Infinite Combinations

    "Very funny Scotty. Now, beam down my clothes."

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy.
     
    Ace Fekay [MVP], Mar 8, 2006
    #2
    1. Advertisements

  3. Steven

    Steven Guest

    Thanks for your reply Ace,

    I have done everything by the book. As I said, my L2TP/IPSec is working
    perfectly from the same computer. It uses the computer cert and the user
    cert. I suspect the problem may be my Linksys as it is a router and not a AP
    however it does have the Radius selection under security. When I select it I
    point it to my Radius IP address and then give the linksys a static IP and
    set it as a Radius Client. Yes I tried using WPA TKIP - Radius on that end.
    Trying to move away from WEP. I haven't set a Wireless GPO yet, i won't do
    that untill I can successfully connect manually. Would love to get what you
    have but don't want to spend 600 bucks. I have a small SOHO for testing only.
    Looking at USR5450 for only 150.

    Below is an ISA log:

    Access request for user was discarded.
    Fully-Qualified-User-Name = XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven
    XXXXXX NAS-IP-Address = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X
    Called-Station-Identifier = 00-12-17-e0-e3-2b Calling-Station-Identifier =
    00-0e-35-7b-2d-8e Client-Friendly-Name = Wireless Linksys Client-IP-Address =
    192.168.16.28 NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = <not present>
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows Authentication-Server = <undetermined>
    Reason-Code = 9 Reason = The request was discarded by a third-party extension
    DLL file.

    Lastly - I set up the IAS policy with the wizard and selected cert, then
    select the server cert. Same way L2TP works. Its policy number 1.

    Hope all this helps and thanks again for your help.
     
    Steven, Mar 8, 2006
    #3
  4. In
    Hi Steve,

    This part of the log grabbed my attention:
    Curious what that 3rd party DLL is it referring to that discarded the
    authentication request?? Something else installed?

    Is your key length greater than 1024? Windows with L2TP/IPSec will support
    larger keys, but not the wireless devices, AP or not. They're maxxed at
    1024.

    Anything in the Event logs?

    Ace
     
    Ace Fekay [MVP], Mar 8, 2006
    #4
  5. Steven

    Steven Guest

    I saw that too and wondered, but isn't the authenticator the AP? Which
    forwards requests to the Authentication Server? Meaning the AP is the
    problem?
    The keys are 1024. This is a SBS 2003 Premium DC. Nothing 3rd party should
    be interfereing here. This is a very clean server and SOHO testing
    environment. The Windows policy in IAS was made by the wizard. I removed it
    and that didn't change anything. Nothing else in the even t logs.

    Any suggestions?
     
    Steven, Mar 8, 2006
    #5
  6. Steven

    Steven Guest

    I think the problem has to be somewhere with setting up the linksys as the
    radius client. Since its a router and not an actual AP it may not be working
    right. And although it has a Radius setting under Security it doesn't have a
    secret key part, only a phrase for the wireless encryption key, the WPA TKIP.
    Know where I can get an actual radius AP for cheap ( testing purposes ).

    Correct me if you think I am wrong.
     
    Steven, Mar 8, 2006
    #6
  7. Steven

    Steven Guest

    I think the problem has to be somewhere with setting up the linksys as the
    radius client. Since its a router and not an actual AP it may not be working
    right. And although it has a Radius setting under Security it doesn't have a
    secret key part, only a phrase for the wireless encryption key, the WPA TKIP.
    Know where I can get an actual radius AP for cheap ( testing purposes ).

    Correct me if you think I am wrong.
     
    Steven, Mar 8, 2006
    #7
  8. Steven

    Steven Guest

    Ace - just wanted to let you know I went out and purchased and actual AP and
    now everything works great. Sorry to waste you time.
     
    Steven, Mar 9, 2006
    #8
  9. Wow, so it was the Linksys. I honestly *assumed* that thing would work with
    certs, but then come to think about it, I wasn't sure.

    What did you get for an AP?

    Ace
     
    Ace Fekay [MVP], Mar 9, 2006
    #9
  10. Steven

    Steven Guest

    I got a Linksys AP for 79.

    Can I ask ya one more question??? Is there a way to auto enroll user certs
    the same way ya do computer certs or do they have to pull down from webpage?

    Steve
    MCSA, MCSE
     
    Steven, Mar 9, 2006
    #10
  11. In
    Yes, you can. Just duplicate the User certificate and call it "Autoenroll
    User", and set it up permissions to allow authenticated users to autoenroll.
    Of course the issuing CA needs to be 2003 Enterprise Edition to be able to
    duplicate that sort of cert. Once done, you can setup autoenrollment in a
    GPO in AD.

    If you need links, I'll have to dig them up for you. Let me know...

    Ace
     
    Ace Fekay [MVP], Mar 9, 2006
    #11
  12. Steven

    Steven Guest

    Thanks. yup I've already duplicated the user cert and set the permissions
    however when I go to the CA msc to add the new template it does not appear in
    the window. I have the user GPO set to auto enroll. My KB article had a
    "comma" after requirements for i.e., Windows Server 2003, Enterprise Edition.
    So does it have to be Enterprise or can it be just Windows Server 2003?

    http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/ed80211.mspx

    page 7 of 32
     
    Steven, Mar 9, 2006
    #12
  13. Steven

    Steven Guest

    Ok I lied, I have 2 questions... :)

    On reboot of wireless clients I get the following error:

    Event Type: Warning
    Event Source: Microsoft Firewall
    Event Category: None
    Event ID: 21171
    Date: 3/9/2006
    Time: 12:13:53 PM
    User: N/A
    Computer: JAMINT
    Description:
    The VPN connection attempt by user JAMICONS\STEVEF-NB$ from VPN client IP
    address 000e357b2d8e could not be established.

    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    Data:
    0000: 21 00 04 c0 !..À

    Appears to be policy issue. I have RRAS and IAS on same server (SBS)
    Wireless policy created by IAS wizard as first in line. Computer cert may not
    be applying??? Can not connect via hood untill user logs on. Could be ISA
    2004 issue???

    But once I log in everything is fine.

    Any ideas.
     
    Steven, Mar 9, 2006
    #13
  14. Steven

    Steven Guest

    Ignore this. This issues with computer cert $ resolved.

    Just need to autoenroll user accounts and I'm finished. As I said earlier, I
    can duplicate the template but when I go to add it, it does not appear in the
    window. Note the there is already a "user" there. Maybe there can only be one
    of each type?? And if so wouldn't that type just auto enroll if GPO user
    setting is set to auto enroll???
     
    Steven, Mar 9, 2006
    #14
  15. In
    That;s because the issuing CA MUST be Enterprise Edition. Standard Editions
    will NOT work. That's why it doesn't show up as a template. The article you
    gave me, although I don't see page numbers, but just searched on
    'enterprise' and got this (it looks like it might be page 7 of 32):

    "Additionally, if you want to take advantage of autoenrollment for computer
    certificates, use Windows 2000 Server or Windows Server 2003 Certificate
    Services and create an enterprise CA at the issuer CA level. If you want to
    take advantage of autoenrollment for user certificates, use Windows Server
    2003, Enterprise Edition, or Windows Server 2003, Datacenter Edition,
    Certificate Services and create an enterprise CA at the issuer CA level."

    Ace
     
    Ace Fekay [MVP], Mar 10, 2006
    #15
  16. Steven

    Steven Guest

    It was the "comma" that threw me.

    Well... I'm done then, thanks for your time.
     
    Steven, Mar 10, 2006
    #16
  17. In
    No prob Steve. Sorry about the revelation!

    Ace
     
    Ace Fekay [MVP], Mar 10, 2006
    #17
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.