Re: SBS Wireless policy



Owen wrote:
In article <1166443120.195333.94770@xxxxxxxxxxxxxxxxxxxxxxxxxxx>, ajj3085@alum.rit.edu says...

I know it's not what you were hoping for, but it is progress! At least the
laptop now recognizes YOUR wireless network is there.

Yes, I had no doubt about that, although I wouldn't be surprised
anymore if a Dlink router didn't work right with a Dlink access card...
I had a DI-624 router / AP that after an hour or so of working no
longer routed packets from itself to my Linksys router (which is hooked
to the cable modem). Internal networking worked, but you couldn't get
to the internet anymore over wireless (wired was still fine).. but I
digress..

I agree this sounds like a GPO issue. Most likely the wireless GPO either has
a small configuration error or it is not being properly pushed out to the
laptop during the WIRED connection step.

Are there other settings that could affect GPO, such as Wait for
network on startup?

In "Computer Wireless LAN Policy" -> Computer Configuration -> Windows Settings
-> Security Settings -> Wireless Network (IEEE 802.11) Policies, right-click
"802.1x Computer Certificate Wireless LAN Policy" and select Properties.

Preferred Networks tab -> select your secure SSID -> [Edit] button

IEEE 802.1x tab -> [Settings] button (under EAP type)

Verify:
- When connecting ... "Use a certificate on this computer" is selected and
  "Use simple certificate selection (Recommended)" is checked
- "Validate server certificate" is checked
- "Connect to these servers" is checked and the box has the INTERNAL name
  of your SBS (vortex.hellmouth.local, right?)
- Trusted Root Certification Authorities: Scroll down to your CA
  (hellmouthCA, right?) and make sure it is checked. It may be listed
  twice. If so, it's OK to check both of them. (Checking either one
  should also work.) You might want to select the CA and click [View
  Certificate] to verify the cert looks like what you are expecting.

To be clear, I need the CA (hellmouthCA) cert, NOT the one we created
for the DC (vortex.hellmouth.local, friendly vortexDC), correct?

When you've verified/fixed all that and have returned to the "Edit <yourSSID>
Properties" page, also verify "Authenticate as guest ..." is NOT checked,
"Authenticate as computer ..." is checked, and "Computer authentication" is set
to "Computer only".

Those settings are correct; I've checked them several times.

Redo the "Logon to the SBS domain using a _wired_ connection" steps (p. 15 of
the text document). It is VERY important to DISable the wireless NIC while
doing this because Windows XP does not deal well with two active network
connections, especially on the same subnet. Then check the laptop's event logs
to be sure there were no GPO errors. If not, disconnect wired, enable
wireless, and check the laptop's wireless properties to be sure they match the
GPO's - especially the IEEE 802.1x tab -> Settings.

I've been following that procedure to the letter, although your docs
say to check the wireless settings after forcing the gp to update and
logging back on, but before rebooting. I have to note here that I
can't actually do that, because I don't know of any way to see the
wireless network settings until AFTER I enable the wireless card. Once
I do that, the settings appear correct.

If that looks good, let's see if you can connect via secure wireless. Don't
forget to reconfigure the WAP for RADIUS rather than WPA-PSK!

I have done that.

Here's my update: back to Windows cannot logon to the <ssid> network,
and the same messages from IAS. Maybe Dlink didn't implement something
correctly? I did have this working at one point though, but with the
old AP that only supported WEP. I saw on the laptop that the
connection was authenticating and then it connected. Since that
reboot, the auth fails.

It seems to fail rather quickly.. is that to be expected? I do get IAS
messages on vortex (the DC), so it must be contacting it.

Andy
