
configuring NPS as RADIUS for wireless access point


Postby blin » Fri Dec 02, 2011 9:52 pm

I had set up IAS as RADIUS for my wireless APs and that was very easy. However, with NPS on Server 2008, I can't get it to work!

I had put in the same settings via the NPS wizards to set up PEAP for the wireless APs and I can't get wireless clients to authenticate! If I set the wireless APs to use WPA2-PSK, all the wireless clients can connect, so the wireless infrastructure seems to be working fine.

I have tried a Linksys WRT610N, WRVS4400N, and a Netgear WNDR3700, all supporting WPA2 Enterprise, and none seems to be working. Wireless clients are Windows 7 laptops and also Windows Mobile 6.1/6.5 devices.

I ran through the NPS wireless 802.1X guide and followed it step by step and it still doesn't work!
How to Configure and Troubleshoot Cisco
http://www.howtocisco.com

Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com
blin
Site Admin
 
Posts: 2367
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:52 pm

OK. Here are some configs:
DC IP: 192.168.6.29 (Server 2008 R2, server name: Lunar)
WirelessAP: 192.168.6.2 (WRVS4400N)
Gateway: 192.168.6.1 (WRVS4400N)

On wireless AP:
Security: WPA2 Enterprise
Wireless Isolation: Disabled
Encryption: AES
RADIUS Server: 192.168.6.29
RADIUS Port: 1812
Shared Key: <Same as NPS>
Key Renewal: 3600 seconds

On NPS (DC Lunar)
RADIUS Clients:
WRVS4400N, IP: 192.168.6.2, Shared secret <Same as WAP>, Vendor name: RADIUS Standard.

CRP: (Setup via the NPS secure wireless wizard)
Secure Wireless Connection - Enabled-Processing order 1 - Source Unspecified
Type of network access server: unspecified
Conditions: NAS Port Type Wireless-Other OR Wireless -IEEE 802.11
nothing is checked in the setting tab.

Network Policies
Secure Wireless Connections - Enabled - Processing Order 1 - Access Type Grant Access - Source Unspecified
Ignore user account dial-in properties - Checked.
Type of network access server: unspecified
Conditions: NAS Port Type Wireless-Other OR Wireless-IEEE 802.11, Windows Group Domain\domain admins or Domain\wireless users
Constraints: EAP Types: MS: PEAP, Cert issued - domain issued cert from ADCS. Fast Reconnect disabled. EAP types EAP-MSCHAP v2
Constraints: Less secure authentication methods: MS-CHAP-v2, MS-CHAP
Settings-Standard-Framed-Protocol PPP, Service-Type Framed.
NAP Enforcement: Allow full network access, Auto remediation checked.

Client (Windows 7 ultimate laptop)
Intel WifiLink 1000
Security: WPA2-Enterprise
Encryption: AES
Network Authentication Method: MS PEAP
PEAP Settings: Validate server cert: Unchecked.
PEAP Settings: Authentication Method: EAP-MSCHAP v2
Fast Reconnect disabled.
Advanced settings - 802.1X settings - nothing checked
802.11 settings -Enable PMK caching checked. all values default, FIPS disabled.

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:52 pm

On the NPS machine, the NPS logs have the following entries (Laptop Dauntless is from a different domain):
"LUNAR","IAS",01/14/2010,10:33:03,1,"host/Dauntless.domain2",,"00-18-39-A7-86-AD:SGLORY","00-1E-64-06-49-78",,,,"192.168.6.2",0,0,"192.168.6.2","WRVS4400N Wireless",,,19,"CONNECT 11Mbps 802.11b",,,7,,0,"311 1 192.168.6.29 12/26/2009 13:14:58 71",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:33:03,3,,,,,,,,,,0,"192.168.6.2","WRVS4400N Wireless",,,,,,,7,,7,"311 1 192.168.6.29 12/26/2009 13:14:58 71",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:33:25,1,"host/Dauntless.domain2",,"00-18-39-A7-86-AD:SGLORY","00-1E-64-06-49-78",,,,"192.168.6.2",0,0,"192.168.6.2","WRVS4400N Wireless",,,19,"CONNECT 11Mbps 802.11b",,,7,,0,"311 1 192.168.6.29 12/26/2009 13:14:58 72",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:33:25,3,,,,,,,,,,0,"192.168.6.2","WRVS4400N Wireless",,,,,,,7,,7,"311 1 192.168.6.29 12/26/2009 13:14:58 72",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:33:41,1,"host/Dauntless.domain2",,"00-18-39-A7-86-AD:SGLORY","00-1E-64-06-49-78",,,,"192.168.6.2",0,0,"192.168.6.2","WRVS4400N Wireless",,,19,"CONNECT 11Mbps 802.11b",,,7,,0,"311 1 192.168.6.29 12/26/2009 13:14:58 73",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:33:41,3,,,,,,,,,,0,"192.168.6.2","WRVS4400N Wireless",,,,,,,7,,7,"311 1 192.168.6.29 12/26/2009 13:14:58 73",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:33:53,1,"host/Dauntless.domain2",,"00-18-39-A7-86-AD:SGLORY","00-1E-64-06-49-78",,,,"192.168.6.2",0,0,"192.168.6.2","WRVS4400N Wireless",,,19,"CONNECT 11Mbps 802.11b",,,7,,0,"311 1 192.168.6.29 12/26/2009 13:14:58 74",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:33:53,3,,,,,,,,,,0,"192.168.6.2","WRVS4400N Wireless",,,,,,,7,,7,"311 1 192.168.6.29 12/26/2009 13:14:58 74",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:34:53,1,"host/Dauntless.domain2",,"00-18-39-A7-86-AD:SGLORY","00-1E-64-06-49-78",,,,"192.168.6.2",0,0,"192.168.6.2","WRVS4400N Wireless",,,19,"CONNECT 11Mbps 802.11b",,,7,,0,"311 1 192.168.6.29 12/26/2009 13:14:58 75",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,
"LUNAR","IAS",01/14/2010,10:34:53,3,,,,,,,,,,0,"192.168.6.2","WRVS4400N Wireless",,,,,,,7,,7,"311 1 192.168.6.29 12/26/2009 13:14:58 75",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Secure Wireless Connections",1,,,,

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:53 pm

On the W7 client, the following events were also logged under WLAN-AutoConfig:

11006 and 8004. Failure Reason: The authenticator is no longer present.

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:54 pm

What events do you see in Event Viewer on NPS under Custom Views\Server Roles\Network Policy and Access Services?

You should see events in the range 6272-6274. These events should provide details about the policies that are being matched and any error codes that might be generated. These are usually a little easier to decipher than the logs, at least for me =)

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:54 pm

From the IAS log, it seems that the client attempts to authenticate itself without a proper authentication type. Please double-check whether the clients have the proper certificates (computer/user) enrolled.



Support WebCast: IEEE 802.11 Wireless LAN Security with Microsoft Windows

http://support.microsoft.com/kb/927865







Value shown in example | Attribute | Description
LUNAR | ComputerName | The name of the server where the packet was received (this is an IAS-internal attribute).
"IAS" | ServiceName | The name of the service that generated the record—IAS or the Routing and Remote Access service (this is an IAS-internal attribute).
01/14/2010 | Record-Date | The date at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
10:33:53 | Record-Time | The time at the NPS or Routing and Remote Access server (this is an IAS-internal attribute).
1 | Packet-Type | The type of packet, which can be: 1 = Access-Request; 2 = Access-Accept; 3 = Access-Reject; 4 = Accounting-Request. This is an IAS-internal attribute.
host/Dauntless.domain2 | User-Name | The user identity, as specified by the user.
(empty) | Fully-Qualified-Distinguished-Name | The user name in canonical format (this is an IAS-internal attribute).
00-18-39-A7-86-AD:SGLORY | Called-Station-ID | The phone number dialed by the user.
00-1E-64-06-49-78 | Calling-Station-ID | The phone number from which the call originated.
192.168.6.2 | NAS-IP-Address | The IP address of the network access server originating the request.
0 | NAS-Port | The physical port number of the network access server originating the request.
0 | Client-Vendor | The manufacturer of the network access server (this is an IAS-internal attribute).
192.168.6.2 | Client-IP-Address | The IP address of the RADIUS client (this is an IAS-internal attribute).
WRVS4400N Wireless | Client-Friendly-Name | The friendly name for the RADIUS client (this is an IAS-internal attribute).
19 | NAS-Port-Type | The type of physical port that is used by the network access server originating the request.
CONNECT 11Mbps 802.11b | Connect-Info | Information that is used by the network access server to specify the type of connection made. Typical information includes connection speed and data encoding protocols.
7 | Authentication-Type | The authentication scheme, which is used to verify the user and can be: 1 = PAP; 2 = CHAP; 3 = MS-CHAP; 4 = MS-CHAP v2; 5 = EAP; 7 = None; 8 = Custom. This is an IAS-internal attribute.
0 | Reason-Code | The reason for rejecting a user, which can be: 0 = IAS_SUCCESS. This is an IAS-internal attribute.
311 1 192.168.6.29 12/26/2009 13:14:58 75 | Class | The attribute that is sent to the client in an Access-Accept packet.
Secure Wireless Connections | Proxy-Policy-Name | The name of the connection request policy that matched the connection request.
1 | Provider-Type | Specifies the location where authentication occurs. Possible values are 0, 1, and 2. A value of 0 indicates that no authentication occurred. A value of 1 indicates that authentication occurs on the local NPS server. A value of 2 indicates that the connection request is forwarded to a remote RADIUS server for authentication.
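
The field layout described in the post above can be applied mechanically to the log lines quoted earlier in the thread. The following is an added example, not part of the original thread: it parses the leading fields of an IAS-format record and joins each Access-Reject to its Access-Request. Assumptions: field positions the table does not describe are skipped, records are paired by an identical Class value (as in the quoted lines), and the name for reason code 7 comes from Microsoft's IAS log reference rather than from this page.

```python
import csv

# Leading fields of an IAS-format NPS log record, in the order the thread's
# table lists them. None marks positions the table does not describe.
FIELDS = ["ComputerName", "ServiceName", "Record-Date", "Record-Time",
          "Packet-Type", "User-Name", "Fully-Qualified-Distinguished-Name",
          "Called-Station-ID", "Calling-Station-ID", None, None, None,
          "NAS-IP-Address", "NAS-Port", "Client-Vendor", "Client-IP-Address",
          "Client-Friendly-Name", None, None, "NAS-Port-Type", "Connect-Info",
          None, None, "Authentication-Type", None, "Reason-Code", "Class"]
DECODE = {
    "Packet-Type": {"1": "Access-Request", "2": "Access-Accept",
                    "3": "Access-Reject", "4": "Accounting-Request"},
    "Authentication-Type": {"1": "PAP", "2": "CHAP", "3": "MS-CHAP",
                            "4": "MS-CHAP v2", "5": "EAP", "7": "None",
                            "8": "Custom"},
    # 0 is from the thread's table. 7 is not on the page; the name is the one
    # given in Microsoft's IAS log format reference (assumption of this example).
    "Reason-Code": {"0": "IAS_SUCCESS", "7": "IAS_NO_SUCH_DOMAIN"},
}
# Constructed sample: one request/reject pair in the layout of the lines quoted
# in the thread, cut off after the Class field.
SAMPLE = [
    '"LUNAR","IAS",01/14/2010,10:33:03,1,"host/Dauntless.domain2",,'
    '"00-18-39-A7-86-AD:SGLORY","00-1E-64-06-49-78",,,,"192.168.6.2",0,0,'
    '"192.168.6.2","WRVS4400N Wireless",,,19,"CONNECT 11Mbps 802.11b",,,7,,0,'
    '"311 1 192.168.6.29 12/26/2009 13:14:58 71"',
    '"LUNAR","IAS",01/14/2010,10:33:03,3' + "," * 10 + '0,"192.168.6.2",'
    '"WRVS4400N Wireless"' + "," * 7 + '7,,7,"311 1 192.168.6.29 12/26/2009 13:14:58 71"',
]

def parse(line):
    """Map one log line to named fields and decode the enumerated ones."""
    row = next(csv.reader([line]))
    rec = {name: value for name, value in zip(FIELDS, row) if name}
    for name, table in DECODE.items():
        if name in rec:
            rec[name] = table.get(rec[name], rec[name])  # unknown codes stay numeric
    return rec

def rejects(lines):
    """Join each Access-Reject to the Access-Request carrying the same Class."""
    requests, found = {}, []
    for rec in map(parse, lines):
        if rec.get("Packet-Type") == "Access-Request":
            requests[rec.get("Class")] = rec
        elif rec.get("Packet-Type") == "Access-Reject":
            req = requests.pop(rec.get("Class"), {})
            found.append({"time": rec["Record-Time"], "user": req.get("User-Name"),
                          "station": req.get("Calling-Station-ID"),
                          "auth": rec.get("Authentication-Type"),
                          "reason": rec.get("Reason-Code")})
    return found
```

The reject record itself has no User-Name or Calling-Station-ID, which is why the join to the request is needed before the reason code can be tied to a client.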

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:55 pm

I somehow got it solved. I had to select and force User authentication on the client as it will attempt machine authorization first.

However, I have another related problem on another Server 2008 machine. It seems that even when the wireless AP sends the request to the NPS via IPv4, NPS responds with its IPv6 address and confuses the heck out of the wireless AP, which does not support IPv6. Is there any way around this?

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:55 pm

The initial question was answered so I've marked this as answered. There is another question about IPv6. I know you can simply disable IPv6 on the interface, but this may not be the ideal solution. If this is still causing problems, please create a new post with the new question. The ideal forum for this is the Network Infrastructure Servers forum (http://social.technet.microsoft.com/For ... IS/threads).

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:55 pm

Using this doc

http://www.cisco.com/en/US/products/hw/ ... d035.shtml

I have configured the router (not ACS) - this conf was quite simple.

I have a problem with NAP - there are so many options to "check". I have configured one policy but nothing is working and I don't know what...

Is there a detailed step-by-step walkthrough?

Re: configuring NPS as RADIUS for wireless access point

Postby blin » Fri Dec 02, 2011 9:55 pm

You can use the 802.1X step by step.

