RADIUS + Server 2000

yukichigai (Diamond Member, joined Apr 23, 2003)
I've already posted a thread about this before, but I'm attempting to set up a WPA-Enterprise WLAN at work for added security goodness. Unfortunately it's being, to say the least, uncooperative. I'm doing everything off of our existing Server 2000 machine since that (at first anyway) seemed to be the easiest option. After enabling the Certification Authority, Internet Authentication Service, creating a Remote Access Client and Remote Access Policy for the appropriate APs and configuring windows groups I've gotten as far as getting the server to the point where IAS sends me only one repeated error message, rather than 3 or 4 cycling ones. The error message (in Event Viewer) is error code 16: "There was an authentication failure because of an unknown user name or a bad password." The odd thing is that I know for certain that the user name and password are sent okay. I think it may have something to do with validating the computer's "user name" rather than the logged-in user, but I don't know how to check that. I know it isn't an issue of hardware because this problem appears regardless of the model of wireless AP I hook up. Regardless, it's a head-scratcher. Does anybody (and I have a feeling that by "anybody" I mean JackMDS) know what might be causing this problem?

spidey07 (No Lifer, joined Aug 4, 2000)
quick one...

if you get bad username/pass from your radius server then you did indeed send a bad username/pass. Or more specifically your radius server believes it to be a bad username/pass.

make sure you are using the correct EAP methods on the AP and the client and check the configuration of the radius server. You'll need to capture what the AP is saying as well as what the radius server is saying. bad username/pass is pretty straight forward - the AP did not format what it needed to properly in the username field, the client isn't setup correctly or the radius server doesn't understand how you formatted the question and is expecting something else. (eap methods)
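As an added illustration of what spidey07 means by capturing what the AP sends (example code written for this thread, not anything posted in it): a small Python decoder for a RADIUS Access-Request that pulls out the User-Name, checks that the EAP Identity inside the EAP-Message matches it, reports whether the NAS-Port-Type says wireless, and verifies the Message-Authenticator against the shared secret. The shared secret, the 10.0.0.5 NAS address, the calling-station MAC and the CORP\alice account are all made up for the constructed sample packet.

```python
"""Decode a RADIUS Access-Request the way you would when checking what an AP
actually sends to IAS. Constructed packet and assumed secret/addresses; this is
an added example, not code from the thread."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_PORT_TYPE = 61
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
NAS_PORT_TYPE_WIRELESS_80211 = 19
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows

SECRET = b"example-shared-secret"  # assumed; must match on the AP and on the IAS client entry


def encode_attributes(attrs):
    """attrs is a list of (type, value_bytes); wire form is Type, Length, Value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value longer than 253 bytes")
        out += bytes([attr_type, len(value) + 2]) + value
    return out


def build_access_request(secret, identifier, attrs, authenticator=None):
    """Build an Access-Request. Any packet carrying EAP-Message must also carry a
    Message-Authenticator: HMAC-MD5(secret) over the packet with that value zeroed."""
    authenticator = authenticator or os.urandom(16)
    body = encode_attributes(attrs) + bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    pkt = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # the zeroed Message-Authenticator is the last attribute


def parse_attributes(pkt):
    """Return [(type, value)], refusing packets whose length fields do not add up."""
    code, identifier, length = HEADER.unpack_from(pkt)
    if length < 20 or length != len(pkt):
        raise ValueError("Length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.append((attr_type, pkt[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(pkt, secret):
    """True only if a Message-Authenticator is present and matches the secret;
    an EAP request without one should be treated as invalid."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[pos + 2:pos + 18])
        pos += attr_len
    return False


def username_style(name):
    """Which of the three common identity formats the AP/client is sending."""
    if "\\" in name:
        return "down-level (DOMAIN\\user)"
    if "@" in name:
        return "UPN (user@domain)"
    return "bare (no domain; the server has to infer the realm)"


def describe_request(pkt, secret):
    attr_list = parse_attributes(pkt)
    attrs = dict(attr_list)
    # EAP-Message may be fragmented across several attributes; concatenate in order.
    eap = b"".join(v for t, v in attr_list if t == ATTR_EAP_MESSAGE)
    # EAP-Response/Identity: Code 2, Identifier, Length(2), Type 1, identity string.
    eap_identity = None
    if len(eap) >= 5 and eap[0] == 2 and eap[4] == 1:
        eap_identity = eap[5:].decode("utf-8", "replace")
    user_name = attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace")
    nas_ip = ".".join(str(b) for b in attrs.get(ATTR_NAS_IP_ADDRESS, b""))
    port_type = None
    if ATTR_NAS_PORT_TYPE in attrs:
        port_type = struct.unpack("!I", attrs[ATTR_NAS_PORT_TYPE])[0]
    return {
        "user_name": user_name,
        "user_name_style": username_style(user_name),
        "eap_identity": eap_identity,
        "identity_matches_user_name": eap_identity == user_name,
        "nas_ip": nas_ip,
        "wireless": port_type == NAS_PORT_TYPE_WIRELESS_80211,
        "message_authenticator_ok": verify_message_authenticator(pkt, secret),
    }


def sample_request(user_name=b"CORP\\alice"):
    """Constructed Access-Request as an 802.11 AP would send it for an EAP Identity response."""
    eap = struct.pack("!BBH", 2, 1, 5 + len(user_name)) + b"\x01" + user_name
    attrs = [
        (ATTR_USER_NAME, user_name),
        (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),          # assumed AP address
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),      # made-up client MAC
        (ATTR_NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
        (ATTR_EAP_MESSAGE, eap),
    ]
    return build_access_request(SECRET, 7, attrs, authenticator=bytes(range(16)))


if __name__ == "__main__":
    for key, value in describe_request(sample_request(), SECRET).items():
        print(f"{key}: {value}")
```

Feed it the UDP payload of a packet captured on port 1812 instead of the sample: `message_authenticator_ok` false means the shared secret on the AP and on the RADIUS client entry differ (or the packet was altered in transit), and `user_name_style` tells you whether the AP/client is sending DOMAIN\user, user@domain or a bare name, which is the formatting question spidey07 raises.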

ScottMac (Moderator, Networking, Elite member, joined Mar 19, 2001)
Microsoft IAS only works for PEAP, EAP-TLS, MD5, and MAC auth.

What method are you using?

I believe you also need to use MS CHAPv2 for wireless.

Good Luck

Scott

spidey07 (No Lifer, joined Aug 4, 2000)
scott,

keep the discussion going...I am still to this day confused by the alphabet soup.

Goosemaster (Lifer, joined Apr 10, 2001)
Originally posted by: spidey07
scott,

keep the discussion going...I am still to this day confused by the alphabet soup.

same here....I had a hell of a time setting IPsec the first time:eek:

Rilex (Senior member, joined Sep 18, 2005)
What mode of authentication are you using? Smartcard or other certificate (you mentioned that you set up a CA)? Anyways, basing that you are using that method, the IAS box needs to also have a certificate (even if it is a CA, it needs a cert that provides Client Authentication/Server Authentication). Each computer and each user will also need their own certificate (and the user's cert must be on the wireless computer).

Have you looked into setting up auto enrollment? It'll make this much easier.

azev (Golden Member, joined Jan 27, 2001)
I've also tried to setup WPA-Enterprise using win2k3 IAS server with no luck. Currently I am using the AP local radius server to authenticate.
I wonder if there's a vendor-specific code that needs to be added when adding a Cisco AP as a client in the IAS server.

spyordie007 (Diamond Member, joined May 28, 2001)
"There was an authentication failure because of an unknown user name or a bad password."
On your RADIUS server does your account have rights to use the remote access policy for wireless authentication?

I also suggest getting a 2k3 DC. The 2k3 AD schema extensions & GP editor allow you to push client settings with group policy. They will make your life much easier.

Since I'm not sure exactly where I got these Microsoft docs I zipped them up for you (PDFs); I found them very helpful when setting up my first 802.1x WLAN:
http://www.spyordie007.com/atforums/Securing%20Wireless%20LANs.zip

I should have a little more time this afternoon and I'll try and check in on this thread.

Erik

nweaver (Diamond Member, joined Jan 21, 2001)
you might look at using Cisco's Desktop WLSE machine. Integrated WLSE and ACS (limited, radius server stuff only) for about $3K (versus a regular WLSE, which is very spendy, and ACS, which is 5K for software only).

yukichigai (Diamond Member, joined Apr 23, 2003)
I'm using PEAP with MSCHAPv2 authentication. Clients are set to use PEAP with MSCHAPv2 login and are being prompted for information. The accounts that are attempting to log in have dial in access, as do the computers used to log in. As far as receiving the information properly, I know for a fact it receives the username correctly, because the error in Event Viewer lists the user name along with the "Fully Qualified User Name" at the top of the error message. It's finding the account just fine. As far as what password is sent, I don't know. How exactly would I be able to view that information?

I can maybe get this going on a 2k3 machine running IAS, but the 2k3 machine is just 2k3 standard -- meaning no enterprise CA, which you apparently need -- and the 2k machine is the Domain Controller and will likely remain the Domain Controller for a good long time. I can't spend any additional money on this; my budget for this is literally $0.