Re: SBS Wireless policy



In article <1165634094.948846.200280@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
ajj3085@alum.rit.edu says...

Hi, Andy. I see you started a new thread about your wireless issues. I'm
sorry I have not been around for a while. As Dave Nickason said, I had some
other commitments (family-related) that have been taking up much of my time.

I really appreciate Dave helping out here. He and I have worked together quite
a bit over the past year or so to refine this methodology.

Let's see if we can make some progress ...

The cert does seem to be on the laptop. The question is I guess, which
one is the right cert? The CA cert created in Owen's document, the one
created by CEIWC?

The cert you want is a Computer (not user) cert generated for hellknight. On
my laptop (PC03-LAP), when I open the "Certificates (Local Computer)" MMC and
look in Personal/Certificates, I see one and only one certificate (split due to
newsgroup posting width limitations):

- - - - -
Issued To Issued By Expiration Date Intended Purposes
PC03-LAP.domain.local ClearViewCA 3/4/2007 Client Authentication,
Server Authentication
- - - - -
Friendly Name Status Certificate Template
<None> Computer
- - - - -

Your MMC display should be VERY similar to this. The only differences should
be "Issued To" (hellknight.domain.local), "Issued By" (your CA name), and
"Expiration Date" (probably late 2007 - default is 1 year from when-issued).

Your initial post in this thread included a detailed "access denied" event.
Thanks for posting that. I see some significant differences between what you
are logging and the "access granted" events I am logging. Here is an example
of a SUCCESSFUL event. I have marked (**) notable differences from your event.

Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 12/12/2006
Time: 6:29:21 PM
User: N/A
Computer: PC02-SVR
Description:
User host/PC03-LAP.domain.local was granted access.
**Fully-Qualified-User-Name = DOMAIN\PC03-LAP$
NAS-IP-Address = 172.24.0.9
**NAS-Identifier = 0011500e2bb7
Client-Friendly-Name = Belkin F5D7230-4
Client-IP-Address = 172.24.0.9
Calling-Station-Identifier = 0011500c48fe
**NAS-Port-Type = Wireless - IEEE 802.11
**NAS-Port = 58
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access for Domain Computers
Authentication-Type = EAP
**EAP-Type = Smart Card or other certificate

Fully-Qualified-User-Name: Success includes only domain/computer; failure
includes full Active Directory path to computer account. (Perhaps the full
path is included only in failure messages?)

NAS-Identifier: Normally the MAC address of the WAP. I'm concerned you are not
seeing this. Have you verified the WAP's static IP was properly entered in IAS
RADIUS Client setup and the shared secret is IDENTICAL on both? (I keep the
shared secret at or below 22 characters as some WAPs have a limit smaller than
what IAS supports.)

NAS-Port-Type: As specified in IAS Remote Access Policy. Yours shows "<not
present>"

NAS-Port: I'm not 100% sure what this means, but it's always a number when
everything is working. Yours says "<not present>".

EAP-Type: As Dave noted, yours says "<undetermined>" which is a definite
concern.

Concerning AES v. TKIP ... AES is officially supported only with WPA2 although
some widely-used WAPs (even inexpensive consumer-grade ones like the LinkSys
WRT54g) include WPA-AES. AES requires "hardware assist" circuitry which is not
present on all wireless devices. TKIP is supported with WPA and is software-
only. I agree with Dave that you should try setting EVERYTHING (WAP, GPOs,
etc.) to TKIP to see if that works. Once you get that working, you can always
try moving to AES.

The other thing I see at the D-Link web site is that your DWL-G650 is an older
device. There are several versions which require different drivers. You
should be sure you have the most up-to-date firmware and the correct and most-
current drivers for your particular version.

I also see D-Link has a WPA Supplicant available for the RevB version. WinXP
SP2 includes a built-in WPA supplicant and does not normally require 3rd-party
supplicants. But the DWL-G650_revB supplicant includes this info: "Used with
driver 2.36 - 2.42 for WPA support". Now this software pre-dates WinXP SP2,
but I am wondering whether "Used with driver 2.36 - 2.42 for WPA support" means
"we are providing a supplicant because XP [in 2003] does not have one" -OR-
"you MUST use this supplicant to get WPA support." If it's the latter and you
have a RevB, you may need to install that supplicant.

-- Owen Williams [SBS MVP]
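The comparison Owen walks through above, looking at which attributes differ between an "access granted" and an "access denied" IAS event, can be scripted. The following is an added example and not code from this thread or from Microsoft: a small Python parser for the Description field of an IAS event, with checks for the attributes flagged (**) in the post. The granted event is the one quoted above; the denied event is constructed to reproduce the symptoms described in the post ("<not present>", "<undetermined>", an AD path in the user name) and is not Andy's actual log. The attribute names and the expected values are taken from the post; the finding texts are this example's own wording.

```python
import re
from typing import Dict, List

# "Access granted" event copied from the post above.
GRANTED_EVENT = """User host/PC03-LAP.domain.local was granted access.
Fully-Qualified-User-Name = DOMAIN\\PC03-LAP$
NAS-IP-Address = 172.24.0.9
NAS-Identifier = 0011500e2bb7
Client-Friendly-Name = Belkin F5D7230-4
Client-IP-Address = 172.24.0.9
Calling-Station-Identifier = 0011500c48fe
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 58
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Wireless LAN Access for Domain Computers
Authentication-Type = EAP
EAP-Type = Smart Card or other certificate
"""

# Constructed "access denied" event: same layout, with the values the post
# says Andy's event showed. Not a real captured log.
DENIED_EVENT = """User host/hellknight.domain.local was denied access.
Fully-Qualified-User-Name = domain.local/Computers/hellknight
NAS-IP-Address = 192.0.2.9
NAS-Identifier = <not present>
Client-Friendly-Name = D-Link WAP
Client-IP-Address = 192.0.2.9
Calling-Station-Identifier = <not present>
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z-]+)\s*=\s*(.*?)\s*$")
SUMMARY_RE = re.compile(r"^User (\S+) was (granted|denied) access")
MISSING = {"<not present>", "<undetermined>", ""}
EXPECTED_PORT_TYPE = "Wireless - IEEE 802.11"
EXPECTED_EAP_TYPE = "Smart Card or other certificate"  # EAP-TLS in IAS


def parse_ias_event(description: str) -> Dict[str, str]:
    """Turn the multi-line Description text into a dict of attribute -> value.

    The first line ("User ... was granted/denied access.") is kept under the
    keys _identity and _result; every following "Name = Value" line becomes
    one entry. Lines that do not match the pattern are ignored.
    """
    attrs: Dict[str, str] = {}
    lines = description.strip().splitlines()
    m = SUMMARY_RE.match(lines[0])
    if m:
        attrs["_identity"], attrs["_result"] = m.group(1), m.group(2)
    for line in lines[1:]:
        am = ATTR_RE.match(line)
        if am:
            attrs[am.group(1)] = am.group(2)
    return attrs


def check_wireless_eap_event(attrs: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the event matches the
    healthy pattern from the post (every check below is one of its points)."""
    findings: List[str] = []
    # The remote access policy is for domain computers, so the identity should
    # be the machine account (host/<fqdn>), i.e. a Computer certificate.
    if not attrs.get("_identity", "").startswith("host/"):
        findings.append("identity is not host/<computer>: computer (not user) cert expected")
    if attrs.get("NAS-Identifier", "") in MISSING:
        findings.append("NAS-Identifier missing: check WAP IP in IAS RADIUS Clients "
                        "and that the shared secret is identical on both sides")
    if attrs.get("NAS-Port-Type") != EXPECTED_PORT_TYPE:
        findings.append("NAS-Port-Type is not '%s'" % EXPECTED_PORT_TYPE)
    if not attrs.get("NAS-Port", "").isdigit():
        findings.append("NAS-Port is not a number")
    if attrs.get("EAP-Type", "") in MISSING:
        findings.append("EAP-Type undetermined: EAP negotiation never completed")
    elif attrs["EAP-Type"] != EXPECTED_EAP_TYPE:
        findings.append("EAP-Type is '%s', expected '%s'" % (attrs["EAP-Type"], EXPECTED_EAP_TYPE))
    return findings


if __name__ == "__main__":
    for label, text in (("granted", GRANTED_EVENT), ("denied", DENIED_EVENT)):
        attrs = parse_ias_event(text)
        print(label, attrs.get("_identity"), attrs.get("_result"))
        for f in check_wireless_eap_event(attrs):
            print("  -", f)
```

Paste the Description text of your own event into a string and run it through the two functions; any finding points back at the paragraph in the post that explains what to verify (RADIUS client entry and shared secret for NAS-Identifier, the remote access policy for NAS-Port-Type, the EAP configuration on both WAP and client for EAP-Type).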