Re: NPS RADIUS with Cisco wlc
- From: Pha <Pha@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 17 Jun 2009 17:33:02 -0700
Hi James,
Some more information:
Layer 2 Security WPA+WPA2
MAC Filtering not enabled
WPA+WPA2 Parameters
WPA Policy NOT ENABLED
WPA2 Policy
WPA2 Encryption AES
Auth Key Mgmt 802.1X
There is no layer 3 security assigned.
On the security Tab
RADIUS Authentication Servers
Call Station ID Type: IP Address
Does this look right??
"James McIllece [MS]" wrote:
The Cisco 2112 doesn't need a certificate for PEAP-MS-CHAP v2, only the NPS
server does. All you need on the 2112 is to enable EAP communication.
And you must issue a certificate to the NPS server that is based on the IAS
and RAS Server certificate template.
The DC will receive a cert automatically but it is not the same as the cert
based on the IAS and RAS Server cert template, and it won't work for PEAP-
MS-CHAP v2 authentication.
In addition, client computers must trust the CA that issued the certificate
-- this concept is covered in the guide I recommended. If you deployed your
own CA, clients must trust it -- and that means that the CA certificate
must exist in the Trusted Root Certification Authorities certificate store
on every client computer that you want to be able to successfully connect
to the network.
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
Pha <Pha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:D34DE9CB-7052-48C8-B493-0454453BB1AC@xxxxxxxxxxxxx:
Thanks for this info James.
I have organised with one of the guys here a certificate from
openssl. They created a root certificate, which is on the domain
controllers with NPS. I also have the trusted root certificates on my
workstation (CA is domain.com) and I have confirmed in the
certificates MMC that it is under trusted.
I have "uploaded" to the 2112 wlc a certificate for
wireless.domain.com, from the authority domain.com.
I still cannot get it to connect through Radius, current logs show
Log Name: System
Source: NPS
Date: 15/06/2009 9:07:05 AM
Event ID: 4400
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: dc1.domain.com
Description:
A LDAP connection with domain controller dc1.domain.com for domain
DOMAIN is established.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="16384">4400</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-06-14T23:07:05.000Z" />
<EventRecordID>64254</EventRecordID>
<Channel>System</Channel>
<Computer>DC1.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>DC1.domain.com</Data>
<Data>DOMAIN</Data>
On NPS server
radius client (xxx = company name)
friendly name xxxwlc01
ip: 10.0.2.3
Vendor name: Radius Standard
shared secret: set ok.
Connection request policy (ran through the wireless 802.1x wizard)
Conditions:
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Client friendly name - xxxmil?
Settings:
no override set
authenticate on this server
Attribute: (username) find domain.com Replace with $
Network Policy
Grant access
ignore dialin properties
Conditions:
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Windows Groups: Domain\domain users
Constraints
Authentication:
EAP type Microsoft: Protected EAP
Less secure auth methods: MS-CHAPv2 (user can change password after it
expires). I also enabled this to try to test and get it working, but I could
remove it, and I will remove MS-CHAP, CHAP, PAP.
Settings:
Standard: Framed-Protocol PPP
Service type Framed
NAP Enforcement: Allow full network access
Any other ideas would be greatly appreciated if I am missing anything
really obvious?
Pha
"James McIllece [MS]" wrote:
Pha <Pha@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:4BA0ED63-5823-4922-AD42-2B77A19FC30D@xxxxxxxxxxxxx:
Hi,
I am having an issue getting a Cisco wlc2112 authenticating using
WPA2-Enterprise (on the client) using PEAP with MS-CHAPv2.
I have changed our domain to DOMAIN, and any legitimate username
to "username".
On the wireless controller I have used AAA and Radius to a windows
2008 domain controller with NPS role.
I am using the following settings:
Call Station ID Type - IP Address
Server Address 10.0.1.15
Shared Secret Format ASCII
Shared Secret (This is set ok)
Confirm Shared Secret (This is set ok)
Key Wrap Not set
Port Number 1812
Server Status Enabled
Support for RFC 3576 Enabled
Server Timeout 3 seconds (I upped this to 30 from 10)
Network User Enable
Management Enable
IPSec Not Enabled
IAS(NPS) logs
Start DateTime 06/12/2009 10:48:17
User Name DOMAIN\username
Stop DateTime 06/12/2009 10:48:17
Duration 00:00:00
User IP
Output Octets 0
Input Octets 0
Connect Request
Connect Result Unknown
In the TRAP of the WLC I get these
RADIUS server 10.0.1.15:1812 failed to respond to request (ID 178)
for client 00:22:fb:22:30:10 / user 'unknown'
In the event log on the NPS I get.
A LDAP connection with domain controller dc1.domain.com for domain
DOMAIN is established.
in the client wireless connectivity setup, I choose security
WPA2-Enterprise, Encryption AES, advanced settings for 802.1X
authentication PEAP-MS-CHAPv2, using my windows credentials.
Does anyone know a known step-by-step for getting a Cisco WLC with
Lightweight Access Points (all working if I use WPA2-PSK!) working with a
win2k8 NPS RADIUS config?? Or anything that I might be missing?? I
am getting it working without certificates for the moment. We do
not yet have an enterprise Certificate Authority, and I believe
PEAP-MSCHAPv2 doesn't need certs??
ANY help would be greatly appreciated!
Pha
PEAP-MS-CHAP v2 does require a server certificate on the NPS server.
The only exception to this is if you uncheck the "Validate server
certificate" setting on client computers (this can be done per
computer or using Group Policy); but if you do that, security is
compromised, so it is not recommended for production environments.
This deployment guide is recommended:
Foundation Network Companion Guide: Deploying 802.1X Authenticated
Wireless Access with PEAP-MS-CHAP v2
http://technet.microsoft.com/en-us/library/dd183603(WS.10).aspx
Note that there are also Foundation Network Companion Guides for
deploying server certificates and also for deploying user and
computer certificates.
All of the Foundation Network (for WS08) and Core Network (for WS08
R2) Guides are at:
Foundation Network and Core Network Guides
http://technet.microsoft.com/en-us/library/dd630625(WS.10).aspx
Thanks --
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no
rights.
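Added example, not part of the thread and not Microsoft's or Cisco's code. It models the first RADIUS packet a WLC sends to NPS for an 802.1X client (an Access-Request carrying the EAP-Identity response) and the checks a RADIUS server runs before it replies at all. Under RFC 2865 and RFC 3579 a request from an IP that is not in the server's client list, or whose Message-Authenticator does not verify with the configured shared secret, is silently discarded, so from the controller's side a mistyped secret or an unlisted client IP looks exactly like the "failed to respond" trap quoted above. The client IP 10.0.2.3, the identifier 178 and the DOMAIN\username form are taken from the thread; the shared secret and the "typo" secret are constructed.

```python
"""RADIUS Access-Request from a WLC and the server-side checks that decide
whether it is answered (RFC 2865 / RFC 3579). Added example; all secrets
and addresses are constructed or reused from the thread for illustration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19     # the "Wireless - IEEE 802.11" NPS condition


def _attr(atype, value):
    """Encode one attribute: Type (1 byte), Length (1 byte, incl. header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(secret, identity, nas_ip, ident=0, authenticator=None):
    """Return the bytes of an Access-Request carrying an EAP-Identity response.

    Message-Authenticator = HMAC-MD5(shared secret, whole packet with that
    attribute's 16 value bytes zeroed). It is mandatory whenever EAP-Message
    is present (RFC 3579 section 3.2), i.e. for every 802.1X request."""
    if authenticator is None:
        authenticator = os.urandom(16)            # Request Authenticator
    # EAP: Code 2 (Response), Identifier, Length, Type 1 (Identity), identity
    eap = struct.pack("!BBH", 2, ident, 5 + len(identity)) + b"\x01" + identity.encode()
    attrs = (_attr(ATTR_USER_NAME, identity.encode())
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))
             + _attr(ATTR_EAP_MESSAGE, eap))
    length = 20 + len(attrs) + 18                 # header + attrs + Message-Authenticator
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + authenticator
    unsigned = header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def parse_attributes(packet):
    """Yield (type, value, offset) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        yield atype, packet[pos + 2:pos + alen], pos
        pos += alen


def server_accepts(packet, src_ip, radius_clients):
    """Checks a RADIUS server (NPS included) applies before it sends any reply.

    radius_clients maps client IP -> shared secret, like the NPS 'RADIUS
    Clients' list. Any failure means silent discard: the NAS never gets a
    reply and reports the server as 'failed to respond'. Returns (ok, reason)."""
    if src_ip not in radius_clients:
        return False, "source IP is not a configured RADIUS client"
    secret = radius_clients[src_ip]
    if len(packet) < 20:
        return False, "runt packet"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False, "not an Access-Request or Length field does not match"
    try:
        attrs = list(parse_attributes(packet))
    except ValueError as exc:
        return False, str(exc)
    has_eap = any(t == ATTR_EAP_MESSAGE for t, _v, _o in attrs)
    macs = [(v, o) for t, v, o in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if has_eap and not macs:
        return False, "EAP-Message present without Message-Authenticator"
    if macs:
        value, off = macs[0]
        if len(value) != 16:
            return False, "Message-Authenticator has wrong length"
        zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, value):
            return False, "Message-Authenticator invalid: shared secret mismatch"
    return True, "ok"


def demo():
    """Three scenarios behind a 'RADIUS server failed to respond' trap."""
    clients = {"10.0.2.3": b"constructed-shared-secret"}   # NPS client list (constructed)
    good = build_access_request(b"constructed-shared-secret", "DOMAIN\\username", "10.0.2.3", ident=178)
    typo = build_access_request(b"constructed-shared-secrte", "DOMAIN\\username", "10.0.2.3", ident=178)
    return {
        "correct secret": server_accepts(good, "10.0.2.3", clients),
        "secret typo": server_accepts(typo, "10.0.2.3", clients),
        "unlisted client IP": server_accepts(good, "10.0.2.4", clients),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:20s} -> {'answered' if ok else 'discarded'} ({why})")
```

The practical consequence for the configuration in the thread: a controller that logs "failed to respond" has not necessarily failed to reach the server. Re-entering the shared secret on both the WLC and the NPS RADIUS client entry, and confirming the NPS client entry's IP is the address the WLC actually sources RADIUS from, rules out the two silent-discard cases before looking at the policy or certificate side.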