RADIUS Server Configuration

    Question

  • Hello,

    I appreciate the below is probably quite a large post, but it's not as bad as it looks I'm sure. I would appreciate any help you can provide with this one at all. Thank you.

    My Aim

    To configure my wireless clients to connect automatically to the network by pushing out group policies for wireless networking, the authentication would occur with a RADIUS.

    What I have so far

    Pointed my WAP to the RADIUS server, and configured RADIUS in the way I think is correct. When I try to connect through a domain-joined client (even though the specified user is part of the connection policy group) it fails to connect. When trying to connect from a workgroup machine, it asks for my network username and password. Entering it in the format domain\user or just user does not allow connection.

    The Setup

    Wireless clients use Windows 7 Professional, they are all domain joined. One Windows 7 Professional in workgroup configuration (this is because we would like our staff to be able to connect to our network by using their personal laptops, so I use this as a test machine)

    DrayTek Vigor 2800G router, this acts as a wireless access point also and supports connecting to a RADIUS server. The shared secret was entered into the router RADIUS configuration page. The router uses IP address 192.168.1.2

    Windows Server 2008 (although this is a Small Business Server I don't think the configuration of SBS impacts its ability to be configured as a RADIUS server; all the consoles and roles are available for me to use, so please don't ask me to redirect my query to the SBS forums unless really required to do so. This is a plain Windows 2008 question as far as I am aware). This server is configured as a RADIUS server and I will now explain how I configured the environment.

    Configuring the RADIUS Server

    1. Install the Routing and Remote Access Services

    2. In Server Manager, select Roles\Network Policy And Access Services\NPS

    3. In the details pane, under Standard Configuration, select RADIUS Server 802.1X Wireless or Wired Connections. Then click Configure 802.1X

    4. On the Select 802.1X Connections Type page, select Secure Wireless Connections, and then click Next

    5. On the Specify 802.1X Switches page, you will configure your wireless access points as valid RADIUS clients. Follow these steps for each wireless access point, and then click Next

       a. Click Add

       b. In the New RADIUS Client dialog box, in the Friendly Name box, type a name that identifies that specific wireless access point. For example "DrayTek Vigor 2800G"

       c. In the Address box, type the host name or IP address that identifies the wireless access point. 192.168.1.2

       d. In the Shared Secret section, select automatically create a complex secret by selecting the Generate option button and then clicking the Generate button that appears. The shared secret is sW#apsodifughytjhyr#ioej@rhtgyfuvhbgfndmskdifugythgfjdenrbvt

       e. Click OK

    6. On the Configure an Authentication Method page, from the Type drop-down list, select one of the authentication methods. In this case, Microsoft PEAP was chosen.

    7. On the Specify User Groups page, click Add. Specify the group you want to grant wireless access to, and then click OK. Click Next. In this case, no groups were selected so the policy applies to all users. I have also tried having the Domain Users group added and this doesn't make any difference to my problem

    8. On the Configure A Virtual LAN page, you can click the Configure button to specify VLAN configuration settings. This is required only if you want to limit wireless users to specific network resources, and you have created a VLAN using your network infrastructure. Click Next. Currently no VLAN has been created - this page was left uncompleted

    9. On the Completing New IEEE 802.1X Secure Wired and Wireless Connections and RADIUS Clients page, click Finish

    10. In Server Manager, right click Roles\Network Policy and Access Services\NPS, and then choose Register Server In Active Directory. Click OK twice

    RADIUS Authentication messages use UDP port 1812, and RADIUS accounting messages use UDP port 1813. These ports are open on the server's firewall

    Configuring a GPO for Automatic Connection to Wireless Network

    1. In the GPO for the Wireless Networking Policy, expand to Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE ) Policies. Then right click and create a new Windows Vista or Later Releases Wireless Policy

    2. In the General tab click Add, and then click Infrastructure

    3. In the New Profile Properties dialog box, in the Connection tab, type a name for the wireless network in the Profile Name box. Then type the SSID in the Network Name box and click Add

    4. In the New Profile Properties dialog box, click the Security tab. Click the authentication list and select the wireless authentication technique and network authentication method for that SSID. For the router DrayTek V2800G this was set to WPA2 and the encryption type was AES.

    5. While still in the Security tab of the New Profile Properties dialog box, click Advanced and select the Enable Single Sign On For This Network check box. Click OK

    6. Click OK on each dialog box to accept all settings

    Configure Wireless Access Point for RADIUS authentication

    By using the administrative website of the Wireless Access Point, configure it to point authentications to the RADIUS server. I entered the shared secret generated earlier.

    Final Notes:

    I am fairly new to this whole authentication and encryption stuff. I don't really know where the issue is occurring, but I suspect it is in some kind of authentication or encryption area. I don't know if PEAP and AES etc. were the correct choices to make. As part of the SBS setup it created a self-signed server certificate and this has been installed on each machine; whether I need a separate self-signed certificate, I don't know.

    What can I do to try and find out exactly what is happening in this process? The only thing I have so far is an event which states “An Access-Request message was received from RADIUS client with a message authenticator attribute that is not valid.”

    Thank you very much for your help.

    January 20, 2011 10:28 AM
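The event quoted in the question ("An Access-Request message was received from RADIUS client with a message authenticator attribute that is not valid") refers to the Message-Authenticator attribute defined in RFC 3579, which requests carrying EAP (802.1X) must include: the access point computes an HMAC-MD5 over the packet keyed with its copy of the shared secret, and the RADIUS server recomputes it with the secret stored on the matching RADIUS client entry. Any difference, typically because the two sides hold slightly different secrets, makes the server discard the request and log that event, so it is worth seeing exactly what is being compared. The Python below is an added example written for this page, not code from the thread, from Microsoft or from DrayTek. It builds such a request the way a NAS would and verifies it the way a server would, once with the matching secret and once with the same secret carrying a trailing space (a constructed paste error). The shared secret is the one quoted in step 5d; the user name, NAS address, EAP payload and request authenticator are constructed values.

```python
# Added example (not from the thread): how the RADIUS Message-Authenticator
# attribute is computed and checked (RFC 3579, HMAC-MD5 keyed with the shared
# secret). Secret is the one quoted in the question; everything else is constructed.
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Request Authenticator(16)

# Secret as entered on the access point (from the question's step 5d).
SECRET_ON_AP = b"sW#apsodifughytjhyr#ioej@rhtgyfuvhbgfndmskdifugythgfjdenrbvt"


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type, Length (includes these 2 bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single RADIUS AVP")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs, secret: bytes) -> bytes:
    """Build an Access-Request as an 802.1X NAS does: the Message-Authenticator
    is HMAC-MD5 over the whole packet with that attribute's value zeroed."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    body += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier,
                         HEADER_LEN + len(body)) + request_authenticator
    mac = hmac.new(secret, header + body, hashlib.md5).digest()
    # The placeholder is the last 16 bytes of body; swap in the real HMAC.
    return header + body[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check. False is the case where NPS discards the request
    and logs the 'message authenticator attribute that is not valid' event."""
    if len(packet) < HEADER_LEN:
        return False
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[HEADER_LEN:]
    offset, ma_offset = 0, None
    while offset < len(attrs):
        if offset + 2 > len(attrs):
            return False
        attr_type, attr_len = attrs[offset], attrs[offset + 1]
        if attr_len < 2 or offset + attr_len > len(attrs):
            return False  # malformed TLV
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or ma_offset is not None:
                return False  # wrong size, or attribute duplicated
            ma_offset = offset + 2
        offset += attr_len
    if ma_offset is None:
        return False  # RFC 3579: EAP-carrying requests must include it
    received = attrs[ma_offset:ma_offset + 16]
    zeroed = attrs[:ma_offset] + bytes(16) + attrs[ma_offset + 16:]
    expected = hmac.new(secret, packet[:HEADER_LEN] + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def demo():
    """Constructed scenario: AP and server agree on the secret, then the server
    holds the same secret with a trailing space. Returns (matching, mismatched)."""
    request_authenticator = bytes(range(16))  # fixed for reproducibility; random in real use
    packet = build_access_request(
        identifier=7,
        request_authenticator=request_authenticator,
        attrs=[(ATTR_USER_NAME, b"DOMAIN\\steve"),
               (ATTR_NAS_IP_ADDRESS, bytes([192, 168, 1, 2])),
               # EAP Response/Identity: code 2, id 1, length 17, type 1, identity
               (ATTR_EAP_MESSAGE, bytes([2, 1, 0, 17, 1]) + b"DOMAIN\\steve")],
        secret=SECRET_ON_AP,
    )
    matching = verify_message_authenticator(packet, SECRET_ON_AP)
    mismatched = verify_message_authenticator(packet, SECRET_ON_AP + b" ")
    return matching, mismatched


if __name__ == "__main__":
    ok, bad = demo()
    print("matching secret ->", "accepted" if ok else "discarded")
    print("secret + space  ->", "accepted" if bad else "discarded")
```

Because the HMAC covers the whole packet, the check fails identically for a mistyped secret, a secret pasted with stray whitespace, or a request that arrived from an address NPS matched to a different RADIUS client entry; re-entering the secret on both sides is more reliable than comparing the two by eye.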

Answers

  • Because v3 won't work in this scenario. Especially with many devices, including Cisco devices. As for your Draytek, I doubt it.


    I emailed you the password to open it. Let me know if you have any problems opening it.



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by Steve Mills March 16, 2012 9:19 PM
    March 16, 2012 3:56 PM

All replies

  • What I can say is that PEAP or EAP requires a certificate on both sides of the fence. I realize SBS creates a self-signed cert, but that has to be exported and imported into the Draytek to support EAP. I haven't configured or worked with a Draytek to help you out with that portion of it, however I've configured something similar with VLANs using a Cisco AP 1231 and PEAP/AES.

    Therefore, remember, the cert is the authentication factor and needs to be on the machine trying to connect. If a domain machine, it is assumed you've joined the domain machine to SBS using the http://connect method. If not, I would suggest to disjoin it, then rejoin it properly so SBS properly configures the machine with the cert, applying the computer account to the correct OUs so it gets its SBS GPOs, and the dozens of other things that it does in the background. If you have not used this tool to properly join the machine, I would suggest to do so.

    Also with non-domain machines, you must import the cert into the cert store. That can be done using SBS' certificate installed. You can follow the instructions in this link to use the SBS cert installer: http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

    It could also be that the SBS cert you're trying to use does not have the necessary template attributes to support this, or the intended use attributes added to the cert. I have not tried this with SBS to configure a PEAP or EAP wireless configuration, since to create such a template, you would need Windows Enterprise versions to have that feature in the Cert Services. Windows 2008 R2 Standard has this feature, but not SBS. Therefore, I do not believe you can configure the necessary certificate required for wireless communications using Cert Services under SBS, since its core is 2008 Standard. This is probably why you are getting the "message authenticator attribute that is not valid" message.

    One thing I can tell you about SBS is that it's all wizard based. That's why you will probably get some responses telling you to direct this question to the SBS forums. SBS is NOT necessarily straightforward Windows 2008. There are numerous differences and it must be administered through the wizard, which the SBS background functions keep track of. If you do anything manually in SBS without the wizard, it may break something else. Configuring RRAS in this respect is one example. What I would suggest is to enable VPN access for your users within the SBS wizard, which will configure RRAS/NPS for you. Once it's configured, then you can go into RRAS and customize it for this need.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Tiger Li January 21, 2011 9:18 AM
    January 20, 2011 7:11 PM
  • Hmm, good suggestions. I do remember seeing something on my router page about certificates, so I will give that a try soon and get back with further information. I know there isn't a wizard in SBS to configure wireless networking, so if I can't do the authentication using certificates, is there a different method I can use without certs to achieve the same result??

    thanks

    January 20, 2011 10:42 PM
  • You don't need to use EAP or PEAP, you can keep that unchecked.

    No there is no wizard for wireless, but I would suggest to use the wizard to setup VPN access, so now RRAS is installed, so you can customize it. Don't just install RRAS without the wizard not knowing about it. The All Mighty Wizard (of Oz!). - Just a joke from the old movie, but it's not too far off. :-)

    Remember, everything you can do in the wizard or the wizard has some sort of access to the OS, must be done in the wizard. Otherwise, why bother buying SBS??

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Proposed as answer by Tiger Li January 21, 2011 9:18 AM
    January 21, 2011 12:11 AM
  • Hi,

    I configured the VPN bit and re-created the wireless stuff. I also unchecked the use of EAP and PEAP and my clients still can't connect. I'm tearing my hair out over this; it seems to be far more complicated than I first thought it would be. Do you know any really good quality step-by-step guide on how to configure this end to end?

    thanks

    January 21, 2011 11:41 AM
  • You may have missed a required connection attribute. See if these help.

    ==================================================================
    Configure RRAS and Radius to work with WIFI

    Due to the multihoming (more than one interface or RRAS configuration), this is of course assuming RRAS and RADIUS is on a member server and NOT on a domain controller. If on a domain controller, it must be configured properly to still allow AD to function properly. See the following link first to configure it before moving on:

    Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, and/or PPPoE adapters
    Published by acefekay on Aug 17, 2009 at 9:29 PM
    http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx

    The following are non-Microsoft links that provide screenshots and explanations. Note: Since the web sites are not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1)
    http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html

    Setting up Wi-Fi Authentication in Windows Server 2008 (Part 2)
    http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part2.html


    For more information, please also read the following Microsoft TechNet articles:

    RADIUS Server for 802.1X Wireless or Wired Connections
    http://technet.microsoft.com/en-us/library/cc731853.aspx

    Planning NPS as a RADIUS server
    http://technet.microsoft.com/en-us/library/dd197604(WS.10).aspx

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by Ace Fekay [MCT]MVP January 21, 2011 1:42 PM: clarified first sentence
    • Marked as answer by Tiger Li January 26, 2011 8:46 AM
    • Unmarked as answer by Steve Mills January 28, 2011 9:32 AM
    January 21, 2011 1:41 PM
  • I have followed the links you provided above, along with a number of other resources including the SBS 2003 wireless networking document (although I am using SBS 2008 it's a similar process).

    After speaking with the manufacturer of my wireless device, it only supports EAP-TLS; the instructions I read were more towards PEAP-MSCHAP V2. So I decided to read into setting up EAP-TLS, not much different really. I have read the help files included in Windows 2008 regarding setting up NPS for wireless networking, followed the instructions to the letter, but I came across a problem when it was talking about certificate templates. It seems Server 2008 Standard doesn't support this, so to satisfy my curiosity I implemented a trial of Server 2008 Enterprise. I was able to produce certificates based on templates - yet the solution still didn't work.

    I must be missing something here. I am thinking of doing a screen recording of all my steps and posting it online for you guys to see; you experts will, I'm sure, easily identify what I am doing wrong in this.... Please give me some time to do this, I'll try and report back here in a week or two.

    Additionally, is there any way to contact the guys on the SBS Blog to see if they would write a post about setting up wireless networking with SBS 2008? I can't seem to see any contact details on their blog page.

    Thanks again for your help.

    January 28, 2011 9:38 AM
  • Your better bet is to post this question as well as links to your screenshots, if you put them together, to the Security forum where the CA and cert services experts are. Here's the link:

    http://social.technet.microsoft.com/Forums/en/winserversecurity

    Let us know what they come up with.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by Tiger Li February 4, 2011 3:29 AM
    • Unmarked as answer by Steve Mills February 4, 2011 3:50 PM
    January 28, 2011 12:12 PM
  • Hello,

    Thanks for your advice. I have posted this in the security forum and they have asked me to post it in the SBS forum, so I hope I am not going to end up in a big circle. If there is anything further you can input after watching my video setup I'd appreciate it. You can download either one from

    http://cid-3cc1980caf326264.office.live.com/browse.aspx/RADIUS%20Setup

    thank you

    February 4, 2011 3:51 PM
  • Steve,

    Maybe the NAP forum is better suited for this. Maybe a moderator can move it?

    I think I see a couple things. First, is SEVERENT a 2008 Enterprise Edition? It appears so, but I just want to confirm it. This is because you need minimally a v2 cert for autoenrollment to work.

    Second, I would suggest to use the external name on the cert. You also didn't check to use a message-authenticator, which EAP needs.

    I have a doc I can share with you, however, it has a previous customer's info in it, so I can't post it publicly. It's outdated as far as the customer is concerned. It's when I setup a similar thing with a Cisco Aironet 1231 back in 2006. Not much has changed in this respect. What's your email address? Post it with spaces.

    Couple things off the bat (pics at http://cid-0c7b9fd0852378b8.photos.live.com/browse.aspx/Technet%20Forum%20Support/Steve%20Mills?uc=4)

    I didn't get a chance to go through both videos because of time. Email me.
    Ace

    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    February 4, 2011 5:13 PM
  • Thanks so much for posting the screenshots. Possibly a bit of confusion over the two videos - they are the same, just using different codecs.

    The 1st image - this may well be a missing piece in the puzzle.

    2nd image - what do you mean by the external name? This is a self-signed cert.... is it still supposed to have .com on the end of it, or do you mean it should say remote.mydomain..... or something else??

    3rd image - how do I get it to show machine authentication? I think I did this on the Server Enterprise machine, and it seemed to appear in the client computer's personal certificates folder... but how do I get it to show up on that list?

    4th image - what should that say? My SBS CA is something like mydomain-sbs2008-CA ..... do you mean it should show that? If so, doesn't that cause a conflict with the CA running on SBS?

    I will have to try and spin up the test network again sometime next week and have another go; trying to find time is a difficult one of late. I will mark this as an answer once I have exhausted all possible options.

    Thanks again for your time.

    February 4, 2011 9:44 PM
  • When you created the self-signed cert, it should read as your external FQDN. That's how SBS 2008 sets up its system. Therefore, the primary name on the cert should be the external FQDN so it works internally and externally for OWA, ActiveSync, Autodiscover, etc. That's usually a de facto. More here:

    Introducing the "Add a Trusted Certificate Wizard" in SBS 2008
    http://blogs.technet.com/sbs/archive/2008/09/20/introducing-the-add-a-trusted-certificate-wizard-in-sbs-2008.aspx

    However, the SBS self-signed cert is useless for Autoenrollment and Wireless because it's not a v2 cert. SBS doesn't have the ability to create one.

    I am assuming that the Servent you have CA installed on is the Enterprise version of 2008, which has that ability. That seemed evident when it asked you what cert template version you wanted to create, Windows 2003 Enterprise or Windows 2008 Enterprise. (FWIW, Windows 2008 R2 now provides that feature, but that's another topic.) So it appears you did create the correct cert and since it's set for ALL Purposes, you should be ok, but the name should be the external public name to match the SBS cert.

    Like I said, it's been 5 years since I set this up with an Aironet 1231, and I have it documented, but it's a 130 page doc (I didn't have time to go through it step by step to see where you differ from what I had). I actually had to call Cisco at that time to assist me in setting it up because there were a couple points I wasn't sure about in the device because we were also VLANing it with multiple SSIDs, as well as the EAP/PEAP settings.

    The one thing I do remember once it's setup on the server side (GPOs, etc), is the wireless laptop MUST sign on first to get the wireless GPO and cert while connected by WIRE, then once the cert is acquired (may take a couple of logon/logoff or restarts and checking the certs MMC locally), then it can go on wireless with the cert. The cert is authenticating the machine, but the user must still login.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    February 4, 2011 10:09 PM
  • Thanks for the further clarification. I appreciate you might be getting tired of dumbing it down for me, but that's exactly how I need it as I am new to this. So my certificate (v2) should be issued to say remote.mydomain.com, is how I understand this? This is what the OWA and ActiveSync use; the only difference is I create it on the Server Enterprise machine....

    Right, with that said... I have another question. At the end of my video (the last scene) I try to reconfigure wireless 802.1X on the SBS box AFTER I have created the certs on the Enterprise server, restarted and updated GP etc.... but the certificates that I created from the Enterprise server (regardless of its incorrect name) aren't listed in the drop-down during the wireless 802.1X setup, and I have no option to choose which CA's certs to use; it only shows the SBS CA. Can you explain anything on that??

    thanks

    steve

    February 5, 2011 10:49 AM
  • Yes, I would use the remote.domain.com name as the Common Name for the cert. If the laptop is not getting the cert, I would suggest to make sure the GPO is linked to the machine OU, too (can't remember in your vid if that's where you linked it). But you must be wired first to get it.

    Also, if not getting the cert, run an RSOP in the GPMC, as well as run a gpresults on the laptop to see if the GPO is being applied.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    February 5, 2011 5:07 PM
  • Yeah, the GPOs are definitely getting applied; I have a wired connection throughout this entire procedure. I'm a bit confused on that last image though that you commented on - making sure that the name is the external name.... That last screen is an image of the setup of the Enterprise CA, that is what my Enterprise CA is being called.... I didn't think that pertained to the name of the remote.domain.com certificate. Also, having two remote.domain.com certs - isn't that going to confuse things (one issued by SBS and the other issued by the Enterprise CA), and does it matter that it is remote.domain.com... surely as long as it was issued from the Enterprise CA and that Enterprise CA's cert is in the trusted root certs folder on the client, it shouldn't matter what name I give it, does it?

    Also, effectively (because of having to issue V2 certs and use auto-enrollment) I have two root CAs, a standard root CA and an Enterprise root CA... if these exist in the same domain can they actually coexist without any conflict/issue, and can certs from the Enterprise CA go into the standard CA (which appears to be what the NPS is looking at when it's configuring secure wireless)? If you look at the final scene of the video it is showing the SBS CA, not the Enterprise CA.... which brings me to my final question - is it therefore possible that in NPS somewhere I can change which root CA it's looking at to acquire its certificate drop-down list? Because the ones provided are definitely not my V2 certs and I think that's where my problem is stemming from. The client gets the V2 certs fine, I'm sure of it, because they get published in AD and GP sends them out and I can see them in the certificates MMC, but the NPS bit doesn't seem to be using the right certs.

    Thanks

    February 5, 2011 9:32 PM
  • I can't remember if having two CAs in an org will cause problems or not. Honestly, I've never tried or tested it. And by rights, with SBS you shouldn't disable or uninstall the CA on it, since the wizard depends on it.

    Having two remote.domain.com certs is not too big of a deal, as long as you recognize which is which when applying them. Each cert has their own signature, so they are unique. It's kind of the same thing when you have an SBS self-signed for the web and Exchange services, but you go ahead and purchase and install a public cert from say Digicert, you can override that in IIS and Exchange.

    Since the NPS server itself needs the cert, which is SBS in this case, did you make sure the cert shows up in certs console? Maybe you need to install the Root CA on the SBS?

    How about making the Windows 2008 server the NPS instead of SBS?

    I'm sure there's something I'm overlooking, and as I said, it's been 5 years that I dug into this stuff, but never dealt with it with an SBS in the picture. Maybe the SBS is defaulting to its own self-signed cert.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    February 6, 2011 1:43 AM
  • Thanks for your further help on this. It might be a little while until I can implement the suggestions you have provided me with; in the meantime I'd like to keep this as unsolved but will close it when I'm ready to. I'll post back here after further testing.

    thanks

    Steve

    February 7, 2011 1:09 PM
  • Ok, good luck. Post back with updates, please, to see how things are going.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    February 7, 2011 3:52 PM
  • Hello,

    Sorry it has taken me a while to look back into this but I have further updates to my progress and an outstanding issue.

    I decided to completely remove SBS from the equation, so I built a Windows 2008 R2 Standard as a domain controller, CA, and NPS because I wanted to ensure it wasn't my understanding or configuration that was lacking. I have followed the instructions to the letter for configuring secure wireless networking. I installed 2008 R2 on a laptop which has a built-in wireless adapter, and once completed the entire thing worked perfectly - my wireless adapter on the server (laptop) now connects to the router, so I know that the configuration is correct.

    So, to check this works from a client, I joined a second windows 7 wireless client to the domain, and despite my GP settings being in the default domain policy the wireless connection just won’t work. It states that a certificate is required to connect to mynetwork. I checked in the certificate store of the local computer and the root CA certificate appears to be there and the workstation cert is in the personal folder based on the workstation template, but checking on the user certificates I don’t see a user certificate in the personal certs folder, even though GP is configured to auto-enroll this for the user side of the GP, and I did the correct duplicating of the cert template for the user on the root CA.

    So, I am now stuck again in my progress with this. Any further help would be most appreciated. I am glad I have moved forwards a little bit; I know for a fact my hardware and configurations on the server are all correct because it connected fine on the server, so things are working at least on the server side. If you need any further information please let me know.

    Thank you for your help.

    April 18, 2011 6:55 PM
  • Sorry to bring up this old thread again. I have since implemented SBS 2011 (which runs on Windows 2008 R2 Standard), and I am still having difficulties.

    Having thought about my last post above, I stated that I got this working with a Windows 2008 R2 Standard installation on a laptop with a wireless adapter. This leads me to believe that the server is correctly using the RAS and IAS certificate (assuming it works that way, that's my understanding of it), BUT the client certificates either are not working, or the server and client combo just isn't matching up correctly.

    I've followed exhaustingly through all the guidance, starting from http://technet.microsoft.com/en-us/library/cc771696.aspx and am at a complete loss as to why I can't get my client connecting.

    Surely if the server connects without issue, the request is sent to the WAP, which then throws it back to the NPS all using the RAS and IAS certificate? Therefore it can't be an issue with WAP, NPS or the server certificate..... I think.... so it has to lie with the client operating system certificate/authentication...

    If someone could simply spin up a lab with Server 2008 R2 Standard on a laptop, and Windows 7 Pro on a laptop, join to the domain and configure this setup, I am hoping you will also bump into the same issue as me, or you would have done something differently if you get it to work.

    I would even PayPal over a beer to whoever genuinely finds the right solution for this!


    • Edited by Steve Mills March 14, 2012 2:29 PM: Spelling Mistakes
    March 14, 2012 2:26 PM
  • Steve,

    You didn't specify what type of cert you created, but it would need to be created from a v2 certificate template. SBS 2011, since it's based on Windows 2008 R2, if CA is installed, provides that ability to create a v2 template.


    Then you would roll out the cert using Autoenrollment via a GPO. Did you do that?


    See if these links help:

    Configure RRAS and Radius to work with WIFI

    The following are non-Microsoft links that provide screenshots and explanations. Note: Since the web sites are not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1)
    http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html

    Setting up Wi-Fi Authentication in Windows Server 2008 (Part 2)
    http://www.windowsnetworking.com/articles_tutorials/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part2.html


    The passage below was quoted from:
    http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/f6382dfc-7f6e-4b0b-9098-281ce82758ad
    Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by enabling additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. However, PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.

    For more information, please also read the following Microsoft TechNet articles:

    802.1X Authenticated Wireless Access
    http://technet.microsoft.com/en-us/library/cc771455(WS.10).aspx

    Integrating Wireless Access Points with RADIUS and AD.
    http://www.hansenonline.net/Networking/wlanradius.html

    .

    Also, you have to configure your AP. With the AP, there are numerous ways to do it, and each vendor's IOS is slightly different, including among different models.

    What type of AP do you have? Cisco? If so, do you have a Gold SmartNet contract? They'll configure it for you from start to finish, including the Windows side of it, to get it to work for you.

    .


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    14 March 2012 11:44 PM
  • Ha, I wish I had Cisco with that; I have a DrayTek Vigor 2800G. I have been told directly by them that it will only support EAP-TLS, not PEAP.

    Sorry, but I am going to do a screencast of the entire setup process from start to finish. Also I think I may have made a mistake in my last post; I just tried a dummy setup and the server didn't actually connect to the router, so I think something is fundamentally wrong that I'm missing.

    I will update this post later today hopefully.

    I will also take a look at the links you provided. Thanks, this is doing my head in.

    15 March 2012 9:56 AM
  • Right, I’ve uploaded a new 10 min video (it’s a bit rough and ready; apologies for the video looking odd towards an end scene, I was going through RD then switched to local to perform additional steps). The video shows the entire process from start to end, server and client side. If someone can replicate an environment EXACTLY the way I have done so on my setup and it works for them, then it would probably be very likely it is some issue with the router and its supportability for this setup (the router doesn’t have a hardware issue, as I have two of these routers, identical models).

    If it is the router, then perhaps PEAP is the way to work and I was misled by what the vendor told me (however I did try PEAP last year and that didn’t work, which is why it led me to EAP-TLS). There are also two pages on the router for certificates: one is local certificates and the other is trusted CA certificates. Both are X509 certs, but I have no idea how I would get these off the server correctly to import them, if that’s what’s needed. I am assuming, if any, the trusted CA is needed and I'd need to export this from the CA server, but I don’t know what export settings I would require.

    I am also assuming the certificates I generate are V2 as there is no evident option to say otherwise; the certificate templates I messed with here were simply not available on Server 2008 Standard, so I’m assuming 2008 R2 has correctly provided the right bits for me.

    If it doesn’t work for you either then I am definitely missing some crucial steps. All steps were taken from http://technet.microsoft.com/en-us/library/cc771696.aspx and related documentation. The only thing that wasn’t documented on there was the NPS setup; the video shows how I configured the role “NPS” with the routing and remote access – not sure if that’s required but I threw it in there anyway.

    The setup was Windows Server 2008 R2 STANDARD, and Windows 7 Ultimate.


    Video can be found at https://skydrive.live.com/?cid=3cc1980caf326264&sc=documents&id=3CC1980CAF326264%211224 – it is just called “RADIUS.MP4”; the other videos are my previous ones from last year.


    15 March 2012 1:45 PM
  • A few things caught my attention in your vid:

    1. You chose "RAS" cert. Should have been a User cert.
    2. Windows 2008 cert version - should be Windows 2003. Go back and create another cert selecting Windows 2003. Without seeing the rest of the vid so far, that could be the issue.
    3. Cert snapin later in the vid only shows a computer cert. You are authenticating a user account - See #1
    4. There's more...

    .

    Here are a few step by steps:

    Building an Enterprise Root Certification Authority in Small and Medium Businesses (shows wireless cert config, GPO autoenrollment, IAS, etc)
    http://technet.microsoft.com/en-us/library/cc700804.aspx 

    Secure Wireless Access Point Configuration (comprehensive article)
    http://technet.microsoft.com/en-us/library/cc875845.aspx 

    Step-by-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode: Windows Server 2008 Certification Authority
    http://technet.microsoft.com/en-us/library/cc872789.aspx 

    .

    I have a step by step I put together 5 years ago with Windows 2003 CA and IAS using a Cisco AP 1231.
    https://skydrive.live.com/embed?cid=0C7B9FD0852378B8&resid=C7B9FD0852378B8%21830&authkey=AMrt-dsUOGow3KQ 

    But the doc is protected due to proprietary info in it. I've protected it based on Microsoft Passport IDs. Email me your Passport ID, and I'll put you in the allowed to view list.

    a c e m a n   ->   A T  ->    m v p s   ->   dot   ->  org

    .


    Ace Fekay

    16 March 2012 5:38 AM
  • Yeah, I created the RAS certificate as per instructions; I'm under the impression that this is to validate between the CA and the NPS. I then later created a user cert, but it didn't show up on the client under the personal store; in the past when I have done this it did show up though. I'll check settings again.

    I will follow up your links as well during the day. Thanks.

    16 March 2012 9:28 AM
  • Also, why am I creating 2003 certificates when the entire setup is Windows 7 and Server 2008 R2? I'm assuming if I create 2008-based templates this will be version 3 certificates, which one would think would include all the bits and capabilities from version 2...?
    16 March 2012 12:09 PM
  • Because v3 won't work in this scenario. Especially with many devices, including Cisco devices. As for your Draytek, I doubt it.

    .

    I emailed you the password to open it. Let me know if you have any problems opening it.

    .


    Ace Fekay

    • Marked as answer by Steve Mills 16 March 2012 9:19 PM
    16 March 2012 3:56 PM
  • OK, I tried 2003 certificates, and definitely created the user one - the whole thing still didn't work, but the user cert didn't show up in the personal certificates folder at the client.
    16 March 2012 5:03 PM
  • Ace, I can now see why you have that name. I have finally got it to work in my test lab, had some minor hiccups putting it into the live network but it appears to be functioning correctly. The last piece of the puzzle I am rather proud to say came from my own brain (one of those “what if” moments) but if it wasn’t for all the other support and research you put into this for me I would not have gained the underlying understanding required. The main bit where it all came together was the requirement for Server 2003 certificates! I didn’t even read any of the book you sent me; I have since deleted this file now and you can remove my access from it.

    I really couldn’t have done this without your patience and help Ace, so thank you. To summarise the steps involved see below – I will not republish the full settings as these can be found on Microsoft’s website.

    • Create an NPS Server Certificate (ensure it is based on Windows 2003)
    • Make sure you modify the GPO for auto-enrolment for both user and computer sections of the GPO, ensure the required users and computers are in scope and that both halves of the GPO are enabled. The Default Domain Policy would normally be ideal for these settings
    • Configure a GPO which pushes out the Wireless Profile settings; when validating against a server ensure the format is server.domain.local
    • Deploy Client Computer Certificates (ensure it is based on Windows 2003)
    • Deploy User Computer Certificates (ensure it is based on Windows 2003)
    • Configure the RADIUS Server in NPS, and create the RADIUS client with shared secret
    • Configure the Wireless Access Point for RADIUS authentication
    • Also, for a user to receive the user certificate they must have the email address set in their Active Directory account
    • The NPS server must be a member of the RAS and IAS Servers group in Active Directory
    • Confirm firewall port 1812 is open on the NPS server

    Thanks

    Steve (glad to see the back of this issue)

    16 March 2012 9:18 PM
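    As an added example that is not from this thread or from Microsoft, the PowerShell script below checks several items from the summary above on the NPS server itself: RAS and IAS Servers group membership, a Server Authentication certificate with a private key, the AD mail attribute on a test user, the NPS service bound to UDP 1812, and an inbound firewall rule for that port. It assumes an elevated session on the NPS server with the ActiveDirectory module (RSAT) available; the $TestUser value is a placeholder.

    ```powershell
    # Added checklist verifier for the thread's summary (not from the original post).
    # Assumptions: run elevated on the NPS server; ActiveDirectory module is installed;
    # $TestUser is a placeholder account that is expected to receive a user certificate.
    param(
        [string]$NpsServer = $env:COMPUTERNAME,   # NPS host to check (defaults to this box)
        [string]$TestUser  = 'jdoe'               # placeholder: a user in scope of auto-enrolment
    )
    Import-Module ActiveDirectory

    function Test-RasIasMembership {
        # NPS must be in "RAS and IAS Servers" to read the dial-in properties of accounts
        $members = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Recursive |
                   Select-Object -ExpandProperty Name
        return ($members -contains $NpsServer)
    }

    function Get-ServerAuthCerts {
        # NPS presents a Server Authentication (1.3.6.1.5.5.7.3.1) cert with a private key
        Get-ChildItem Cert:\LocalMachine\My | Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
        }
    }

    function Test-UserHasMail {
        # The summary notes user cert enrolment needs the AD email address populated
        $u = Get-ADUser -Identity $TestUser -Properties mail
        return -not [string]::IsNullOrEmpty($u.mail)
    }

    function Test-RadiusListener {
        # RADIUS authentication is UDP/1812; the NPS service name is IAS
        $svc = Get-Service -Name IAS -ErrorAction SilentlyContinue
        $bound = [bool](netstat -an -p UDP | Select-String ':1812\s')
        return ($svc -and $svc.Status -eq 'Running' -and $bound)
    }

    function Test-FirewallRule1812 {
        # Coarse check: any enabled inbound rule whose local port is 1812
        $rules = netsh advfirewall firewall show rule name=all dir=in
        return [bool]($rules | Select-String 'LocalPort:\s+1812\b')
    }

    'RAS and IAS Servers member : {0}' -f (Test-RasIasMembership)
    'Server auth certs w/ key   : {0}' -f ((Get-ServerAuthCerts | Measure-Object).Count)
    'Test user has mail set     : {0}' -f (Test-UserHasMail)
    'NPS listening on UDP 1812  : {0}' -f (Test-RadiusListener)
    'Inbound firewall rule 1812 : {0}' -f (Test-FirewallRule1812)
    ```

    A False on the first or last line corresponds directly to the group membership and firewall items in the summary; a zero certificate count means the NPS server certificate step has not completed.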
  • Glad to be of help!

    I was going to put that thing together long ago, but as you saw in it, there was some proprietary info. I'll eventually change that so I can make it available publicly.

    Ace


    Ace Fekay

    17 March 2012 7:53 AM