Re: Wireless Radius Clients
- From: Steven <Steven@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 8 Mar 2006 07:31:27 -0800
Thanks for your reply Ace,
I have done everything by the book. As I said, my L2TP/IPSec is working
perfectly from the same computer. It uses the computer cert and the user
cert. I suspect the problem may be my Linksys as it is a router and not an AP;
however, it does have the Radius selection under security. When I select it I
point it to my Radius IP address and then give the Linksys a static IP and
set it as a Radius Client. Yes, I tried using WPA TKIP - Radius on that end.
Trying to move away from WEP. I haven't set a Wireless GPO yet; I won't do
that until I can successfully connect manually. Would love to get what you
have but don't want to spend 600 bucks. I have a small SOHO for testing only.
Looking at USR5450 for only 150.
Below is an ISA log:
Access request for user stevef@xxxxxxxxxxxxx was discarded.
Fully-Qualified-User-Name = XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven XXXXXX
NAS-IP-Address = 192.168.16.28
NAS-Identifier = Linksys BEFW41S4-V4.X
Called-Station-Identifier = 00-12-17-e0-e3-2b
Calling-Station-Identifier = 00-0e-35-7b-2d-8e
Client-Friendly-Name = Wireless Linksys
Client-IP-Address = 192.168.16.28
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 9
Reason = The request was discarded by a third-party extension DLL file.
Lastly - I set up the IAS policy with the wizard, selected cert, then
selected the server cert. Same way L2TP works. It's policy number 1.
Hope all this helps and thanks again for your help.
--
Steve
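The discarded-request event Steve posted above, split back into its attributes and triaged; this is an added Python example, not code from the thread. The sample text is his log with his own masking left in place, and the checks are the first things a reader of this thread would look at: the Reason-Code, whether any authentication server handled the request, and whether the NAS-IP-Address the Linksys reports matches the address IAS actually received the packet from.

```python
import re
from typing import Dict, List, Optional

# The IAS event text as posted in the thread (x's are the poster's masking).
SAMPLE_EVENT = (
    "Access request for user stevef@xxxxxxxxxxxxx was discarded. "
    "Fully-Qualified-User-Name = XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven XXXXXX "
    "NAS-IP-Address = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X "
    "Called-Station-Identifier = 00-12-17-e0-e3-2b Calling-Station-Identifier = 00-0e-35-7b-2d-8e "
    "Client-Friendly-Name = Wireless Linksys Client-IP-Address = 192.168.16.28 "
    "NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = <not present> "
    "Proxy-Policy-Name = Use Windows authentication for all users "
    "Authentication-Provider = Windows Authentication-Server = <undetermined> "
    "Reason-Code = 9 Reason = The request was discarded by a third-party extension DLL file."
)

# An attribute name is a Capitalised-Hyphenated token followed by " = "; values may contain spaces,
# so each value runs from its own " = " up to the next attribute name.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Z][A-Za-z0-9]*(?:-[A-Za-z0-9]+)*) = ")
_PLACEHOLDERS = {"<not present>", "<undetermined>"}  # IAS writes these for absent values

def parse_ias_event(text: str) -> Dict[str, Optional[str]]:
    """Split a flattened IAS event message into {attribute: value}; placeholders become None."""
    fields: Dict[str, Optional[str]] = {}
    matches = list(_KEY_RE.finditer(text))
    if matches:
        fields["Message"] = text[: matches[0].start()].strip()
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        value = text[m.end():end].strip()
        fields[m.group(1)] = None if value in _PLACEHOLDERS else value
    return fields

def triage(fields: Dict[str, Optional[str]]) -> List[str]:
    """Return the findings a RADIUS administrator would check first on a discarded request."""
    findings: List[str] = []
    code = fields.get("Reason-Code")
    if code is not None and code != "0":
        findings.append(f"Reason-Code {code}: {fields.get('Reason')}")
    if fields.get("Authentication-Provider") and fields.get("Authentication-Server") is None:
        findings.append("Authentication-Server undetermined: no server was recorded as handling the request")
    nas_ip, src_ip = fields.get("NAS-IP-Address"), fields.get("Client-IP-Address")
    if nas_ip and src_ip and nas_ip != src_ip:
        findings.append(f"NAS-IP-Address {nas_ip} differs from the packet source {src_ip}; check the RADIUS client entry")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_ias_event(SAMPLE_EVENT)):
        print(finding)
```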
"Ace Fekay [MVP]" wrote:
In news:8F814973-64C4-4070-B024-74A9D660E7E9@xxxxxxxxxxxxx,
Steven <Steven@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I commented on
below:
Hello MVP,
I am setting up a Wireless Network and trying to take advantage of
IAS with EAP-TLS in Windows Server 2003. The client is prompted for a
cert but when I select the cert it just tries and tries then prompts
me again. This continues....
I have a Linksys WRK54G using WPA - Radius. I have both user certs and
computer certs on the client. I have a computer cert on the IAS
server. Auto enrollment is working as it should.
Note: I am using L2TP/IPsec successfully over the same Windows
system. Also note that currently I am having to just use WEP which
hopefully is just temporary.
Any help would be greatly appreciated.
I just did this recently using a Cisco Aironet 1231 and it's still pretty
fresh in my mind. I didn't use WEP, not necessary since I used WPA and
TKIP. Works great.
I'm assuming you used a Windows 2003 Enterprise for the CA to give you the
ability to duplicate the User and Computer certs to create your
autoenrollment certs, and in the certs, you are allowing user and computer
certs to login.
From what you've posted, if you've verified by checking the workstation
(Certificates snap-in) that it has received a cert thru autoenrollment, and
depending on how the clients' wireless interfaces are set up, whether static
settings or controlling the clients thru a GPO, it should pretty much work.
Are you using a GPO for a wireless policy? If so, what do you have set in
there as far as the client settings (WPA, WEP, SSID, etc)?
Is the key length on the CA and the certs no larger than 1024? Cisco, and
what I understand many others, do not support keys larger than 1024. If it
keeps prompting you for the cert, then that may be a better guess as to why
this is happening.
Make sure your RADIUS Linksys client and IAS server shared secrets match.
(You'd be surprised how this one can be easily overlooked).
Did you create an IAS policy to allow 802.1?
Controlling access by groups in the IAS policy? If so, are the users part of
that group?
What do the ISA logs, ISA server and client Event viewer logs, and possibly
the Linksys logs say? Any errors on the Event logs on the CA?
Sorry for all the questions, too many places this can go wrong, and need to
narrow it down.
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest using OEx (Outlook Express
or any other newsreader), and configuring a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find and track threads, cross-post, and sort by date, poster's name,
watched threads or subject.
It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile
Infinite Diversities in Infinite Combinations
"Very funny Scotty. Now, beam down my clothes."
The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy.