Re: Radius Server
- From: "James McIllece [MS]" <jamesmci@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 03 Jan 2006 18:45:05 -0800
The shared secret is configured on the IAS server and on the RADIUS client
-- the RADIUS client is your network access server (or NAS -- such as a
wireless access point), it is not an access client (such as an XP client)
computer.
To configure your RADIUS client with a shared secret, see the documentation
for your NAS.
To configure IAS with the shared secret that is the same one that you
configure on your access point, configure the access point as a RADIUS
client in IAS.
For more information, see the Help topic "To edit RADIUS client
configuration" at
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9f2270f6-d9b2-4833-93df-fbebd0e11ce9.mspx
"=?Utf-8?B?UmljTmFneQ==?=" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:60332178-996C-4F71-88CF-6B04839ECF3F@xxxxxxxxxxxxx:
> This is the error I am seeing on the Server.
> Microsoft suggests an error with the shared secret.
> How do I ensure the client has that secret which is
> set during the IAS setup. If it is not present on the client
> how do I get it in place.
>
>
> Details
> Product: Windows Operating System
> Event ID: 18
> Source: IAS
> Version: 5.0
> Symbolic Name: RADIUS_E_INVALID_SIGNATURE
> Message: An Access-Request was received from client %1 with a
> signature attribute that is not valid.
>
> Explanation
> This event record indicates that there is a problem with either the
> shared secrets or a RADIUS proxy server.
>
>
> User Action
> The person with administrative rights on the computer needs to verify
> that the secrets on the client network access and RADIUS servers match
> exactly. There are a few rules you must follow for successful shared
> secrets. Shared secrets:
>
> Must be exactly the same on both servers.
> Are case-sensitive.
> Can use any standard alphanumeric and special characters. Using
> combinations of uppercase and lowercase letters, numbers, and special
> characters will make the shared secrets more secure.
> Can be up to 255 characters long. Long shared secrets are more secure
> than shorter ones.
> If the shared secrets match, the problem may be with the RADIUS proxy
> server. Contact the RADIUS proxy manufacturer for assistance.
>
>
> "James McIllece [MS]" wrote:
>
>> "=?Utf-8?B?UmljTmFneQ==?=" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
>> in news:86528C6B-0091-4F66-98A8-4B1DC27D7C97@xxxxxxxxxxxxx:
>>
>> > Understood James, that's why I used PEAP MS-Chap2 and I set it up
>> > using the link you provided exactly as it says.
>> >
>> > The messages I get when the client tries to connect are:
>> > unable to find certificate
>> > unable to connect to preferred network
>> >
>> > so I'm guessing the client needs the Server Certificate, can I just
>> > export it from the server and import it to the client. How do I go
>> > about this if I can ask?
>> >
>> > "James McIllece [MS]" wrote:
>> >
>> >> "=?Utf-8?B?UmljTmFneQ==?=" <RicNagy@xxxxxxxxxxxxxxxxxxxxxxxxx>
>> >> wrote in news:D7371033-0F02-474D-B80D-2B081199144F@xxxxxxxxxxxxx:
>> >>
>> >> > Just set up a Radius Server at home using WPA and AES configured
>> >> > everything on the Server. I logged in locally to one of my
>> >> > clients and changed its properties. It then goes out and says
>> >> > validating identity. It seems there is supposed to be a
>> >> > certificate on the client? If this is the case is that just
>> >> > issued through certificate server or do I have to do some export
>> >> > import
>> >> >
>> >>
>> >> It depends on the authentication method that you deployed with
>> >> your remote access policy in IAS. A lot of auth methods don't use
>> >> certs. But if you deployed EAP-TLS, you need a server cert and a
>> >> client computer cert. If you deployed PEAP-MS-CHAP v2, you need a
>> >> server cert only, and users are authenticated with password-based
>> >> credentials.
>> >>
>> >> In both cases, clients must trust the CA that issued the server
>> >> cert, which means that the CA cert must be in the Trusted Root
>> >> Certification Authorities certificate store on the client
>> >> computer.
>> >>
>> >> Here is more info on PEAP:
>> >>
>> >> "Step-by-Step Guide for Secure Wireless Deployment for Small
>> >> Office/Home Office or Small Organization Networks"
>> >> http://www.microsoft.com/downloads/details.aspx?familyid=269902e8-fc41-4eb1-9374-44612e64f0fb&displaylang=en
>> >>
>> >> --
>> >> James McIllece, Microsoft
>> >>
>> >> Please do not send email directly to this alias. This is my
>> >> online account name for newsgroup participation only.
>> >>
>> >> This posting is provided "AS IS" with no warranties, and confers
>> >> no rights.
>> >>
>>
>> You *don't* need the IAS server certificate on the client. What you
>> need on the client is the CA certificate, in the Trusted Root
>> Certification Authorities (TRCA) store. If the CA cert is not there,
>> the client does not trust the CA that issued the IAS server
>> certificate, so the IAS server's authentication attempt with the
>> client fails.
>>
>> To get the CA cert into that store, the easiest method is to plug the
>> wireless computer into the wire if it is a domain member -- then GP
>> will update and the CA cert will be installed automatically.
>> Otherwise you need to use the Certs console on a computer that does
>> have your CA cert in the TRCA store -- export the cert, then transfer
>> it to the client and import it into the TRCA store. Note that you
>> *must* export and import rather than drag and drop the cert, or the
>> process fails.
>>
>> --
>> James McIllece, Microsoft
>>
>> Please do not send email directly to this alias. This is my online
>> account name for newsgroup participation only.
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
--
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
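
Added example, not part of the original posts: why a shared-secret mismatch between the NAS and the RADIUS server produces the "signature attribute that is not valid" event quoted above. It assumes the signature attribute is the RADIUS Message-Authenticator attribute (RFC 2869, type 80, HMAC-MD5 over the packet keyed with the shared secret); the secret and user name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type (assumed to be the "signature attribute")

def build_access_request(secret: str, user: str, ident: int = 1) -> bytes:
    """NAS side: sign the whole Access-Request with HMAC-MD5 keyed by the shared secret."""
    name = user.encode()
    attrs = bytes([1, len(name) + 2]) + name                 # User-Name
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)  # zeroed placeholder
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)
    # The placeholder is the last 16 bytes of this packet; fill in the real MAC.
    packet[-16:] = hmac.new(secret.encode(), bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_access_request(secret: str, packet: bytes) -> bool:
    """Server side: zero the attribute value, recompute the HMAC, compare."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    buf, pos, received = bytearray(packet[:length]), 20, None
    while pos + 2 <= length:
        a_type, a_len = buf[pos], buf[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        if a_type == MESSAGE_AUTHENTICATOR:
            if a_len != 18:
                raise ValueError("Message-Authenticator must carry 16 bytes")
            received = bytes(buf[pos + 2:pos + 18])
            buf[pos + 2:pos + 18] = bytes(16)
        pos += a_len
    if received is None:
        return False  # nothing to validate
    expected = hmac.new(secret.encode(), bytes(buf), hashlib.md5).digest()
    return hmac.compare_digest(received, expected)

if __name__ == "__main__":
    nas_secret = "Wlan-Secret#2006"  # constructed sample value
    request = build_access_request(nas_secret, "ric")
    # Same secret, different case, and a stray trailing space.
    for server_secret in (nas_secret, "wlan-secret#2006", nas_secret + " "):
        ok = verify_access_request(server_secret, request)
        print(repr(server_secret), "valid" if ok else "invalid signature")
```

Any difference in the secret, including letter case or a trailing space pasted into one side, changes the HMAC key and the server rejects the request.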