
NPS RADIUS with Cisco wlc


Pha

Jun 11, 2009, 10:11:01 PM
Hi,
I am having an issue getting a Cisco WLC 2112 to authenticate using
WPA2-Enterprise (on the client) with PEAP and MS-CHAPv2.
I have changed our domain to DOMAIN, and any legitimate username to
"username".
On the wireless controller I have used AAA and RADIUS to a Windows 2008
domain controller with the NPS role.
I am using the following settings:
Call Station ID Type - IP Address
Server Address 10.0.1.15
Shared Secret Format ASCII
Shared Secret (This is set ok)
Confirm Shared Secret (This is set ok)
Key Wrap Not set
Port Number 1812
Server Status Enabled
Support for RFC 3576 Enabled
Server Timeout 3 seconds (I upped this to 30 from 10)
Network User Enable
Management Enable
IPSec Not Enabled

IAS (NPS) logs:
Start DateTime 06/12/2009 10:48:17
User Name DOMAIN\username
Stop DateTime 06/12/2009 10:48:17
Duration 00:00:00
User IP
Output Octets 0
Input Octets 0
Connect Request
Connect Result Unknown


In the trap log of the WLC I get this:
RADIUS server 10.0.1.15:1812 failed to respond to request (ID 178) for
client 00:22:fb:22:30:10 / user 'unknown'

In the event log on the NPS I get:
A LDAP connection with domain controller dc1.domain.com for domain DOMAIN is
established.

In the client wireless connectivity setup I choose security
WPA2-Enterprise, encryption AES, and in the advanced settings for 802.1X
authentication PEAP-MS-CHAPv2, using my Windows credentials.

Does anyone know of a step-by-step guide for getting a Cisco WLC with
Lightweight Access Points (all working if I use WPA2-PSK!) working with a
Win2k8 NPS RADIUS config? Or anything that I might be missing? I am trying
to get it working without certificates for the moment. We do not yet have an
enterprise Certificate Authority, and I believe PEAP-MSCHAPv2 doesn't need certs?

ANY help would be greatly appreciated!

Pha

James McIllece [MS]

Jun 12, 2009, 1:30:12 PM

Pha <P...@discussions.microsoft.com> wrote in
news:4BA0ED63-5823-4922...@microsoft.com:

PEAP-MS-CHAP v2 does require a server certificate on the NPS server. The
only exception to this is if you uncheck the "Validate server certificate"
setting on client computers (this can be done per computer or using Group
Policy); but if you do that, security is compromised, so it is not
recommended for production environments.

This deployment guide is recommended:

Foundation Network Companion Guide: Deploying 802.1X Authenticated Wireless
Access with PEAP-MS-CHAP v2

http://technet.microsoft.com/en-us/library/dd183603(WS.10).aspx

Note that there are also Foundation Network Companion Guides for deploying
server certificates and also for deploying user and computer certificates.

All of the Foundation Network (for WS08) and Core Network (for WS08 R2)
Guides are at:

Foundation Network and Core Network Guides
http://technet.microsoft.com/en-us/library/dd630625(WS.10).aspx

Thanks --

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.

Pha

Jun 14, 2009, 7:37:01 PM
Thanks for this info James.
I have organised with one of the guys here a certificate from OpenSSL.
They created a root certificate, which is on the domain controllers with NPS;
I also have the trusted root certificate on my workstation (the CA is
domain.com) and I have confirmed in the Certificates MMC that it is under Trusted.

I have "uploaded" to the 2112 wlc a certificate for wireless.domain.com,
from the authority domain.com.
I still cannot get it to connect through RADIUS; the current logs show:
Log Name: System
Source: NPS
Date: 15/06/2009 9:07:05 AM
Event ID: 4400
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: dc1.domain.com
Description:


A LDAP connection with domain controller dc1.domain.com for domain DOMAIN is
established.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="16384">4400</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-06-14T23:07:05.000Z" />
<EventRecordID>64254</EventRecordID>
<Channel>System</Channel>
<Computer>DC1.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>DC1.domain.com</Data>
<Data>DOMAIN</Data>
</EventData>
</Event>

On the NPS server
RADIUS client (xxx = company name)
Friendly name: xxxwlc01
IP: 10.0.2.3
Vendor name: RADIUS Standard
Shared secret: set OK.


Connection request policy (ran through the wireless 802.1x wizard)

Conditions:
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Client friendly name - xxxmil?

Settings:
no override set
authenticate on this server
Attribute: (username) find domain.com Replace with $


Network Policy
Grant access
ignore dialin properties

Conditions:
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Windows Groups: Domain\domain users

Constraints
Authentication:
EAP type Microsoft: Protected EAP
Less secure auth methods: MS-CHAPv2 (user can change password after it expires)
I also enabled MS-CHAP, CHAP and PAP to try and test and get it working,
but I could remove them and will remove them.

Settings:
Standard: Framed-Protocol PPP
Service type Framed

NAP Enforcement: Allow full network access

Any other ideas would be greatly appreciated if I am missing anything really
obvious?

Pha

James McIllece [MS]

Jun 17, 2009, 3:46:11 PM
The Cisco 2112 doesn't need a certificate for PEAP-MS-CHAP v2, only the NPS
server does. All you need on the 2112 is to enable EAP communication.

And you must issue a certificate to the NPS server that is based on the IAS
and RAS Server certificate template.

The DC will receive a cert automatically but it is not the same as the cert
based on the IAS and RAS Server cert template, and it won't work for PEAP-
MS-CHAP v2 authentication.

In addition, client computers must trust the CA that issued the certificate
-- this concept is covered in the guide I recommended. If you deployed your
own CA, clients must trust it -- and that means that the CA certificate
must exist in the Trusted Root Certification Authorities certificate store
on every client computer that you want to be able to successfully connect
to the network.

James McIllece, Microsoft



Pha <P...@discussions.microsoft.com> wrote in
news:D34DE9CB-7052-48C8...@microsoft.com:

Pha

Jun 17, 2009, 6:36:01 PM
Hi James,
Those documents were very handy, and I did put the certificate provided to
me on the NPS (DC) and installed it into the Trusted store.

The certificate is intended for the following purposes:
All application policies

We don't have a Windows certificate server, just an OpenSSL cert server (and
I am instructed that I cannot install a Windows cert server on ANY of our
Windows servers), so will I be able to use OpenSSL?

I am still trying to tweak and tweak to get this working. Again, I appreciate
the documents you sent. I have the NPS certificate (named
servername.domain.com), and I also have that cert in the Trusted store on my laptop.
I am getting it to the point where it is doing the LDAP lookup, but I am getting:
RADIUS server 10.0.1.15:1812 failed to respond to request (ID 237) for
client 00:22:fb:22:30:10 / user 'unknown'

The only thing at the moment I can see that is different is the IAS cert, but I was
hoping "all application policies" would cover this?

Again, thanks for your help!

Pha

Jun 17, 2009, 8:33:02 PM
Hi James,

Some more information:
Layer 2 Security WPA+WPA2
MAC Filtering not enabled

WPA+WPA2 Parameters

WPA Policy NOT ENABLED

WPA2 Policy

WPA2 Encryption AES

Auth Key Mgmt 802.1X

There is no layer 3 security assigned.


On the security Tab

RADIUS Authentication Servers
Call Station ID Type: IP Address

Does this look right??

James McIllece [MS]

Jun 18, 2009, 4:19:09 PM
Regarding your comment:

> The certificate is intended for the following purposes:
> All application policies

This certificate will not work for Server Authentication. The "All" purpose
is different than it appears to be and does not include all purposes for
which a cert can be used. The Server Authentication purpose is represented
by a specific GUID that must be present in the certificate for clients to
be able to use it to authenticate the NPS server.

You must follow the instructions in the guides on deploying a server
certificate exactly or none of this will work.


Pha <P...@discussions.microsoft.com> wrote in
news:6753DD82-5823-4360...@microsoft.com:

bbia...@gmail.com

Sep 19, 2014, 10:46:56 AM
James,

Where does one purchase the special type of certificate as required with EKU extension marked as Client Authentication purpose 1.3.6.1.5.5.7.3.2?

I do not want to deploy PKI in Active Directory but would rather buy this certificate and import it onto the NPS server; Go Daddy and the like only sell SSL certificates which, based on the numerous posts here, will NOT do.

Thanks
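Added example (not from the thread, not from Microsoft's guides): a POSIX shell script that uses OpenSSL, the CA Pha actually has, to build a small root named "domain.com", issue the NPS server a certificate carrying the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1, the purpose James says must be present; it is also the EKU an ordinary TLS server certificate from a public CA carries, so such a certificate does work for PEAP as long as the clients trust its root and the name matches the NPS host; 1.3.6.1.5.5.7.3.2 asked about above is Client Authentication, which is not what the supplicant checks), and then verify both the EKU and the chain the way a client would. For contrast it also issues a leaf with no EKU extension at all, which Windows displays as "All application policies" and which PEAP clients reject. The NPS host name dc1.domain.com is taken from the thread; the working directory ./peap-ca and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Mints an OpenSSL root "domain.com",
# an NPS server certificate with the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1), and a contrast certificate with no EKU, then checks them.
# Assumed: NPS host dc1.domain.com (from the thread), work dir ./peap-ca.
set -eu

WORK=${WORK:-./peap-ca}
CA_CN=${CA_CN:-domain.com}
NPS_FQDN=${NPS_FQDN:-dc1.domain.com}

# Self-signed root: this is the certificate that must be in every client's
# Trusted Root Certification Authorities store.
make_ca() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=$CA_CN" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf signed by the root. $1 = base name, $2 = extension file ("" for none).
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$NPS_FQDN" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  if [ -n "$2" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 825 -extfile "$2" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 825 -out "$WORK/$1.pem" 2>/dev/null
  fi
}

# The NPS certificate: serverAuth EKU plus a SAN naming the NPS host.
make_nps_cert() {
  cat > "$WORK/nps.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$NPS_FQDN
EOF
  issue_leaf nps "$WORK/nps.ext"
}

# A leaf with no EKU extension: shown by Windows as "All application policies",
# and rejected by PEAP clients even though it chains to a trusted root.
make_noeku_cert() {
  issue_leaf noeku ""
}

# Returns 0 if the certificate carries 1.3.6.1.5.5.7.3.1 (openssl prints it as
# "TLS Web Server Authentication"), 1 otherwise.
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# Returns 0 if the leaf chains to the root, i.e. what a client with ca.pem installed accepts.
chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

main() {
  make_ca
  make_nps_cert
  make_noeku_cert
  for c in nps noeku; do
    if has_server_auth_eku "$WORK/$c.pem"; then eku=yes; else eku=no; fi
    if chains_to_ca "$WORK/$c.pem"; then chain=ok; else chain=FAIL; fi
    echo "$c.pem: serverAuth EKU=$eku chain=$chain"
  done
}

main "$@"
```

To deploy the result: import ca.pem into Trusted Root Certification Authorities on the clients (Group Policy, or the Certificates MMC per machine), bundle nps.key and nps.pem into a PKCS#12 file with `openssl pkcs12 -export` and import that into the NPS machine's Personal store so the private key is available to the NPS service, then select it under the PEAP properties of the network policy. The no-EKU leaf chains cleanly but fails the EKU check, which is exactly the "all application policies" certificate the thread describes.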