Re: Anyone got 802.1x working on a wireless network?



Thanks for the update. I've found a lot of similar issues with hardware,
including that I had to get "generic" drivers from Intel for one
recent-model Dell Latitude where the Dell drivers don't support WPA2 with
PSK. (I'm using 802.1x in the office but I set up the users' home routers
with WPA2 PSK with AES).

I agree that all this is worth the effort. In a twisted way, I'm thinking
that if it's this hard for us, it'll be impossible for the drive-by guy in
the parking lot.

There are some ISA 2004 issues with the certificates, so if you run into
anything like that, see the thread from Gary V. starting on 3/7. You'll
find a link to Owen Williams' doc on setting all this up, which is what I
used. Also some info about getting certificate auto enrollment to work with
ISA.


"Karl Middleton" <nospam@xxxxxxxxxx> wrote in message
news:ONGDEKYRGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
Dave

Thanks for posting a reply.

I do have an update because since I asked the question I have succeeded in
getting 802.1x authentication working for my wireless.

However, there are plenty of gotchas.

First, my working scenario is:
- DLink DWL2100AP with the latest firmware as downloaded from the DLink
Website
- Fully patched SBS2003 SP1 with Certificate Services and IAS added on and
configured as per the MS Technet article
- HP nx7010 laptop with inbuilt Intel 2200 wireless NIC with latest HP
softpaqs installed and latest 2200 driver from Intel. Windows XP SP2 fully
patched is the OS
- GPOs configured as per MS technet article for WPA, TKIP, etc. Note that
the GP Results page on SBS2003 won't show WPA, only WEP settings: a bug
methinks.

The reason for my frustration was that I started this process using the
Belkin 4 port wireless ADSL router modem VoIP box as resold by iinet in
Australia. The Belkin box supports 802.1x and VLANs. I have partitioned it
into two VLANs so one VLAN could act as my DMZ on the external NIC
of the SBS box and the rest would be the internal VLAN on the internal NIC
on the SBS box. A bug in the Belkin box stops 802.1x from working if any
of the ports is on a different VLAN. If I ran the Belkin box with no
VLANs it would then properly authenticate with 802.1x.

The next piece of frustration is with wireless NICs from other
manufacturers apart from the inbuilt NIC. I tried a Netgear WG511v2 and a
DLink DWL-G650+. The latest drivers were downloaded from the respective
manufacturers websites and installed on the same HP laptop. The onboard
NIC was disabled and testing commenced. The IAS logs showed the Netgear
NIC attempting to log on but failing with RADIUS code 2. If I changed the
GPO to user authentication, the Netgear NIC will start and let the user
log on. However, I want it to accept the computer logon so GPO processing,
etc can happen before a user logs in. Otherwise, stuff like login scripts
do not work at all.

The DLink network card refused to work at all so I gave up on it.

Bottom line is that it appears that wireless networking for all the hype
is still an inexact science. I am pleased that I got the Intel wireless
NIC working but frustrated that other manufacturers do not have their act
together. The consumer grade manufacturers like Netgear and DLink offer
dreadful support and lousy drivers. I would probably have greater success
if I bought a "real" networking company's product, e.g. Cisco, 3Com, etc., but
even then I have had my fair share of fun with gear from the "big guys".

So, if you want to give it a go, it does work but be prepared for a LOT of
experimentation and substitution.

Personally I reckon it is worth the effort. I can say to customers that I
can properly guarantee a secure wireless network now. Especially if I
added machine certificates to the mix! Now off to try and make the machine
certificates work....

Best Regards
Karl from Oz


"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:OGPUQ6jQGHA.3872@xxxxxxxxxxxxxxxxxxxxxxx
Sorry I missed this when you posted it. I'm wrestling with the same
thing myself. Let me give you a few pointers and if you're still
watching this thread post back:

- Probably the best step-by-step guide is in the SBS Admin Companion book
by Jason Gerend from MS Press. It appears that there's a second edition
coming out around now that's probably worth waiting for - the original
was pre-SP1. Owen Williams, who posts here, wrote a great step-by-step
guide, but it's not currently available on the web AFAIK.

- All your hardware, software, and drivers need to support WPA plus the
authentication you're using (TKIP is always supported, AES may or may not
be). The group policy for WS03 apparently won't let you choose WPA2,
which is AES and better than regular WPA. I'm surprised by this and
would like to find out I'm wrong, but I have not been able to see any way
to enable WPA2 in a WS03 GPO.

- XP SP2 and WS03 (or SBS) SP1 should get you up to speed as far as
Windows goes. As for your wireless NIC, see if you can choose WPA
manually. If not, you need new NIC drivers. You also need to be able to
support "WPA with RADIUS" or something similarly named in the wireless
access point.

- One of my problems is that the GPO will let me choose WPA with AES, but
my access point will only let me choose WPA with TKIP or WPA2 with AES.
So the laptop gets configured with WPA with AES, which prevents it from
connecting to the WAP. So I have to get everything set to WPA with TKIP
because the access point won't accept WPA with AES. Short answer -
everything has to agree.

- ISA 2004 can block some of the things you're relying on. Specifically,
certificate auto enrollment will fail. I'm told that if you install the
ISA patch from KB 897716 or SP2, and turn off strict RPC compliance, auto
enrollment will work. I'll be trying that this evening.

- One thing I do have working is that my WAP is connecting with IAS OK.
I see that in both the IAS log and the WAP log. If you're not getting a
log entry from the WAP's fixed IP, you've got a RADIUS issue. One
suggestion for that would be to try a shorter key (maybe 20 characters).
If you're generating a random "shared secret" and pasting it into the IAS
and WAP settings, that could be part of the problem if the key is longer
than the WAP will accept and it's getting truncated not to match that in
IAS.

If you have other questions after reading all this, please post back.

"Karl Middleton" <nospam@xxxxxxxxxx> wrote in message
news:Osb6auzPGHA.1696@xxxxxxxxxxxxxxxxxxxxxxx
Good afternoon NG,

Has anyone out there in SBS world ever got 802.1x PEAP working for their
SBS network? Does anyone know of an idiotproof step by step guide that
is proven to work?

I have followed the sequence of events to the letter on Technet at
http://go.microsoft.com/fwlink/?LinkId=49453 but without success.

I have tried it with both a Belkin F1PI241EGau and a D-Link DWL2100Ap
wireless access point without success.

I am not sufficiently familiar with Certificate Authority or IAS to
fully understand what the Technet article is telling me to do.

If I turn off the 802.1x I can get the group policy objects detailed in
the Technet article to "autoconfigure" the wireless client so that part
appears to be working.

If I turn 802.1x back on, I can't see the wireless AP issuing a RADIUS
request on the server in the IAS logs or using Network Monitor.

If anyone has a good article I can refer to, I would be very grateful.

Best Regards
Karl from Oz
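Dave's shared-secret point and Karl's "no RADIUS request visible in the IAS logs" symptom are two sides of the same failure, so here is an added example (not code from the thread, from IAS or from any access point vendor) that builds the RADIUS Access-Request an 802.1x access point sends for a PEAP client and checks it the way a RADIUS server must. Per RFC 3579 an Access-Request carrying EAP-Message has to include a Message-Authenticator, an HMAC-MD5 keyed with the shared secret; if the AP truncated the secret when it was pasted in, that HMAC no longer verifies and the server silently discards the packet, which is exactly why nothing shows up in the log. The secret, NAS address and machine identity below are constructed test values.

```python
"""Minimal RADIUS Access-Request builder and server-side verifier.

Added example for the thread above, not from IAS or any vendor. Implements
the packet layout of RFC 2865 and the Message-Authenticator rule of RFC 3579.
Secrets, addresses and identities are constructed test data.
"""
import hashlib
import hmac
import os
import struct

# Packet codes, RFC 2865 section 3.
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3

# Attribute types, RFC 2865 / RFC 2869.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def _avp(attr_type, value):
    """Encode one attribute-value pair as Type(1) Length(1) Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def eap_response_identity(eap_id, identity):
    """EAP Response/Identity (Code 2, Type 1), what the supplicant sends first."""
    return struct.pack("!BBH", 2, eap_id, 5 + len(identity)) + b"\x01" + identity


def build_access_request(secret, identifier, username, nas_ip, eap_payload,
                         request_authenticator=b""):
    """Build the Access-Request an AP sends to IAS on behalf of a supplicant.

    The Message-Authenticator is HMAC-MD5 over the whole packet, keyed with
    the shared secret, computed with its own 16 value bytes set to zero.
    """
    ra = request_authenticator or os.urandom(16)
    attrs = (_avp(ATTR_USER_NAME, username.encode())
             + _avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _avp(ATTR_EAP_MESSAGE, eap_payload)
             + _avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    # The zeroed placeholder is the last 16 bytes of the packet; swap in the MAC.
    return header + attrs[:-16] + mac


def parse_attributes(packet):
    """Return [(type, value), ...] for the attributes after the 20-byte header."""
    attrs, pos = [], 20
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return attrs


def verify_message_authenticator(packet, secret):
    """Server-side check. On failure a RADIUS server discards the packet
    without replying or logging an authentication attempt."""
    pos = 20
    while pos < len(packet):
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += l
    return False  # EAP request without Message-Authenticator: also discarded


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def server_sees_request(ap_secret, ias_secret):
    """True if a request built with ap_secret passes a server holding ias_secret,
    i.e. would produce an entry in the IAS log."""
    # Constructed values: machine account identity, AP address, EAP id 1.
    eap = eap_response_identity(1, b"host/laptop01")
    pkt = build_access_request(ap_secret, 7, "host/laptop01.example.local",
                               "192.168.16.50", eap)
    return verify_message_authenticator(pkt, ias_secret)


if __name__ == "__main__":
    secret = b"Xk9#mTq2Lp7vRw4zNb6hJc3fYd8gQe5s"   # constructed, 32 characters
    print("matching secret:", server_sees_request(secret, secret))
    print("AP truncated to 20 chars:", server_sees_request(secret[:20], secret))
```

Run it as `python3 radius_secret_check.py`: the first line prints True and the second False. The practical check this gives you is the one Dave suggests: if the AP's fixed IP never appears in the IAS log, assume the Message-Authenticator is failing, shorten or retype the secret on both sides, and only then start looking at certificates or the GPO.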