Re: 802.1x wireless lan how to?

OK, I got it working as Owen describes. The short story:

- Configured ISA to allow certificate auto enrollment

- WPA ? WPA2 - switched everything to WPA with TKIP instead of having some
set for WPA with AES and some WPA2 with AES.



I still can't believe MS has not released a GPO extension to use WPA2, which
is now required for all hardware that's "wi-fi certified." I can't escape
the idea that I must be wrong about this, but if there is one, I sure can't
find it anywhere.





"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uQqXDcvQGHA.5924@xxxxxxxxxxxxxxxxxxxxxxx
I'm in the middle of the same thing. Two things: Are you sure your
wireless client PC is getting the certificate from the server using auto
enrollment? Is this SBS Standard or Premium - I just got ISA 2004 to
allow certificate auto enrollment after a couple of days of battle.
You'll see an app log failure at system startup (relating to rpc) if auto
enrollment is failing. If it's succeeding, you should be able to view it
in Certificates. On the client PC, open it in the mmc as Owen's doc
describes, and look for the certificate in the same place (personal).

Secondly, the GPO does not support WPA2. You need to use WPA with AES if
everything supports it, or WPA with TKIP otherwise. I ran into an issue
choosing WPA2 with AES on the access point, while the GPO was pushing out
WPA with AES to the laptop. My access point does not support WPA with
AES, so the laptop was not connecting to the AP.

Assuming you've got everything set to WPA and your shared secrets match,
etc. look in the IAS log to see if the WAP is connecting to the RADIUS
server. I think Owen's paper is incorrect and IAS logging is enabled by
default, but if there's no log there, just enable logging using his
instructions and restart the AP to see if it connects. That'll rule out
the AP and IAS, leaving something on the client PC (and therefore in the
GPO that's making the settings on the client PC). The log will be
something like C:\WINDOWS\system32\LogFiles\IN060306.log.

BTW, it seems that if you have a certificate issue while everything else
is working OK, the client PC will give you a clear error indicating that
when it tries to connect.

I'm off to try this again now that I've got cert auto enrollment working.
If you're having an ISA 2004 issue with this post back and I'll give you
the details. If it doesn't work, I'm going for the admin companion book
and I'll let you know what I find that differs from Owen's article. As
for Owen's doc, so far I've found him to be right on the money. My
problems have been with ISA 2004, which was released for SBS after he
wrote the article, and my own error in using WPA and WPA2 interchangeably
when, at least in the case of my AP, they are not interchangeable.




"Gary V." <salarmy@xxxxxxxxxxxx> wrote in message
news:1141783641.488455.136480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have tried a how to from W. Owen Williams, Jr. and tried
hansenonline.net guild. The first used Certificate and the other used
PEAP, Both never authenticate to the domain. My AP can do all kinds of
Radius, WPA, WPA2, AES, and TKIP, as do the wireless cards. I have
tried computer groups and user groups. The Group Policy pushed the
SSID/Lan settings to the computer fine, then a restart and the wireless
does not conect. I CAN'T GET IT TO WORK! Installing SBS is way easier
then this.

Does anyone have a guild that they have got to work? I do not have the
admin companion for sbs 2003 chap 15, however if I can't get anything
else to work and someone can assure me that that works 100% then I'll
buy it myself. (My work does not think I need another computer book)

Please Help,
and Thank You for your time
Gary V.





.

Relevant Pages

  • Re: WPA-AES = WPA2 ?
    ... Are WPA compatible devices that use AES instead of TKIP WPA2 compatible? ... There does seem to be some difference in WPA2 and WPA which extends beyond AES usage. ...
    (alt.internet.wireless)
  • Re: Wireless-ethernet bridge with WPA-PSK (AES) ?
    ... Both AES and TKIP are offered in both WPA and WPA2. ...
    (alt.internet.wireless)
  • Re: WPA-AES = WPA2 ?
    ... Are WPA compatible devices that use ... > AES instead of TKIP WPA2 compatible? ...
    (alt.internet.wireless)
  • Re: TKIP versus AES?
    ... This just came up in one of our meetings and after everything I read, ... it seems like WPA w/ AES would be WPA2, but if anyone has a link to ...
    (alt.internet.wireless)
  • Re: WPA with IAS and PEAP-EAP-TLS Auth. and CA on W2003 standard
    ... went with straight computer authentication. ... mandatory WPA as my authentication method and TKIP as my encryption method ... are being deployed and the Radius server is validating them correctly, ... > A) For server obtain a certificate based on "RAS and IAS servers ...
    (microsoft.public.internet.radius)