Radius Authentication, what am I missing?

    Question

  • Hi,

    I have set up a Windows 2008 Server for RADIUS authentication to our Wireless network.  We are using a Brocade Mobility RFS6000 Controller as a RADIUS Client (setting the Server IP as the RADIUS Proxy on the Controller) and have enabled Hotspot Authentication using RADIUS.

    When a user connects to the wireless network they are prompted for their ID and PW and accept the terms to log in.  Their Domain ID and PW grants them access without a problem (and incorrect or improperly assigned IDs are rejected) so I believe I have the connection to the RADIUS server, and its subsequent connection to AD, working properly.

    What does NOT work, however, is the mechanism that allows the connected devices to use the network (and internet connection).  After authenticating the user can try to reach a web page but will ultimately be re-directed to the login screen.

    Without Authentication a test PC was able to acquire an IP from our DHCP server and connect to the internet and devices on our network.  Once Authentication via RADIUS was enabled, the PC is granted access and given an IP address from the DHCP server but is unable to utilize the network.

    PING tests prove that DNS, at least, is functioning since internet addresses can be resolved (though they do not respond) so I believe I am missing something in the Routing aspect of the RADIUS setup.  All of the devices/servers are internal so I did not think I needed to use DHCP Relay.  I have, however, added the IP of our DHCP server into the DHCP relay section of Routing and Remote Access.

    I have read a lot of Radius documentation and am trying to wrap my head around what I may have done or not done to cause this scenario.  Any help is appreciated.  I will also do my best to answer any questions.

    Thanks,

    Chris

    June 26, 2012, 12:55 PM

Answer

  • Hi Chris,

    Wireless authentication means the computer is authenticated by the RADIUS server to get a network connection (such as getting an IP address/gateway/DNS). In your scenario, it seems that the wireless controller also acts as a proxy server, which should be connected to the Internet directly or be NATed to the Internet.

    Regards


    Rick Tan

    TechNet Community Support

    June 28, 2012, 2:06 AM
    Moderator

All replies

  • Hi Chris,

    Thank you for the post.

    "After authenticating the user can try to reach a web page but will ultimately be re-directed to the login screen."
    Login screen? Please elaborate more.

    Here is the NPS wireless deployment guide; please ensure that no steps or settings are missed.
    http://technet.microsoft.com/en-us/library/dd282998(WS.10).aspx

    "Without Authentication a test PC was able to acquire an IP from our DHCP server and connect to the internet and devices on our network."
    By "Without Authentication", do you mean the wireless RFS6000 Controller is not using RADIUS? Please post the test computer's "ipconfig /all" and "tracert www.bing.com" results when the test computer is authenticated and when it is not authenticated.

    If there are more inquiries on this issue, please feel free to let us know.
     
    Regards


    Rick Tan

    TechNet Community Support

    June 27, 2012, 8:42 AM
    Moderator
  • By returning to the login screen I mean the same screen that authenticated me to the network in the first place.  After connecting, any web browser initiated request brings up the login screen (from the Controller) which authenticates using our RADIUS server.  The connection is successful, the machine has an IP and can resolve addresses but cannot GO to any address without being brought back to the login screen.  When I disable the option to login, taking RADIUS out of the mix, all is well and working.

    I know DNS is working because outside addresses resolve to their public IP but PING results show only the IP followed by * * * * non-responses.

    June 27, 2012, 5:34 PM