Windows Server 2008 as a RADIUS server for Wireless Auth

  • Question

  • Hi

    I have a 2008 server configured with NPS for RADIUS wireless authentication. Or at least I think it's configured correctly.

    The AP is a Cisco Aironet.

    In the NPS logs I'm getting the "user is authenticated" message, but this one is followed by 2 or 3 messages of other successful logons without a user ID and then a logon session removal.

    On the AP I'm getting the RADIUS messages access_granted and SERVER_PASS, but I can't connect.

    It seems that the authentication part is OK, but then there is some sort of process between the AP and NPS that does not happen.

    The conditions for the network rule that I created are:

    - Windows Group (a specific group for users of the AP)

    - NAS Port Type - Wireless 802.11

    - Allowed EAP Types: Microsoft Smart Card or Other Certificate OR Microsoft Secured Password (EAP-MSCHAP v2)

    The same logon messages appear on the server if I try logging on with the username+password or the user's certificate.

    Thanks in advance for your help

    RG

    Tuesday, January 25, 2011 11:35 PM

Answers

  • Hi RG

    I think there might be a configuration issue here. First, make sure NPS is a member of the RAS and IAS Servers group in AD. Go to NPS and create a new Connection Request Policy with a new condition, NAS Port Type = 802.1x - Wireless. Create a new Network Policy with NAS Port Type = Wireless and Windows Groups = Domain Computers and Domain Users (or specify the name of a group you will have created in AD for access to the wireless network). Make sure Access Permission = Granted, EAP Type = Microsoft Protected EAP (PEAP), EAP Subtype = Secured Password (EAP-MSCHAP v2). And make sure the correct authentication settings are configured on your client machines, and also that the RADIUS port being used is the same on the AP and on the server.

    Please see if there is anything from what I have mentioned that you can check and test to see if it will work. I skipped some steps which I'm sure you'll find easy to do when you configure it, like specifying the new network policy name and stuff like that. Good luck, and please get back to us after testing.


    tech-nique
    • Marked as answer by Miles Zhang Friday, February 4, 2011 4:02 AM
    Thursday, January 27, 2011 12:48 PM

All replies

  • Hi RJP Gomes

    The messages you are getting ("user is authenticated", access_granted and SERVER_PASS) from the NPS logs and from the RADIUS messages are probably from successful authentication of the AP as a RADIUS client. Since the AP is configured as a RADIUS client on the NPS and has a shared secret with the server, it is authenticated first and then the process moves on to the user. If we could get a more detailed NPS log from the time you start trying to authenticate to the time the connection is unsuccessful, it would be of much help; we can see where the problem might be.

    Waiting for your response

    Regards


    tech-nique
    Wednesday, January 26, 2011 5:18 PM
  • Thanks for your reply

    In the NPS text file log only one line appears per attempt; here is the latest:


    192.168.1.254,ssdu\administrator,01/24/2011,20:20:33,IAS,SRV01,25,311 1 ::1 01/24/2011 16:25:53 257,4155,0,4154,Use Windows authentication for all users,4128,ap,4116,0,4108,192.168.1.254,4136,2,4142,0


    In the Event Viewer it appears like this:

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          24-01-2011 20:20:33
    Event ID:      6272
    Task Category: Network Policy Server
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      SRV01.ssdu.local
    Description:
    Network Policy Server granted access to a user.

    User:
    Security ID: NULL SID
    Account Name: ssdu\administrator
    Account Domain: -
    Fully Qualified Account Name: -

    Client Machine:
    Security ID: NULL SID
    Account Name: -
    Fully Qualified Account Name: -
    OS-Version: -
    Called Station Identifier: 0023.042d.cdd0
    Calling Station Identifier: 0025.d3f4.25ed

    NAS:
    NAS IPv4 Address: 192.168.1.254
    NAS IPv6 Address: -
    NAS Identifier: ap
    NAS Port-Type: -
    NAS Port: 451

    RADIUS Client:
    Client Friendly Name: ap
    Client IP Address: 192.168.1.254

    Authentication Details:
    Proxy Policy Name: Use Windows authentication for all users
    Network Policy Name: -
    Authentication Provider: -
    Authentication Server: SRV01.ssdu.local
    Authentication Type: -
    EAP Type: -
    Account Session Identifier: -

    Quarantine Information:
    Result: -
    Session Identifier: -

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
        <EventID>6272</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12552</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2011-01-24T20:20:33.250Z" />
        <EventRecordID>10348</EventRecordID>
        <Correlation />
        <Execution ProcessID="596" ThreadID="2592" />
        <Channel>Security</Channel>
        <Computer>SRV01.ssdu.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">ssdu\administrator</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="FullyQualifiedSubjectUserName">-</Data>
        <Data Name="SubjectMachineSID">S-1-0-0</Data>
        <Data Name="SubjectMachineName">-</Data>
        <Data Name="FullyQualifiedSubjectMachineName">-</Data>
        <Data Name="MachineInventory">-</Data>
        <Data Name="CalledStationID">0023.042d.cdd0</Data>
        <Data Name="CallingStationID">0025.d3f4.25ed</Data>
        <Data Name="NASIPv4Address">192.168.1.254</Data>
        <Data Name="NASIPv6Address">-</Data>
        <Data Name="NASIdentifier">ap</Data>
        <Data Name="NASPortType">-</Data>
        <Data Name="NASPort">451</Data>
        <Data Name="ClientName">ap</Data>
        <Data Name="ClientIPAddress">192.168.1.254</Data>
        <Data Name="ProxyPolicyName">Use Windows authentication for all users</Data>
        <Data Name="NetworkPolicyName">-</Data>
        <Data Name="AuthenticationProvider">-</Data>
        <Data Name="AuthenticationServer">SRV01.ssdu.local</Data>
        <Data Name="AuthenticationType">-</Data>
        <Data Name="EAPType">-</Data>
        <Data Name="AccountSessionIdentifier">-</Data>
        <Data Name="QuarantineState">-</Data>
        <Data Name="QuarantineSessionIdentifier">-</Data>
      </EventData>
    </Event>


    The sequence of events in the Security Event Viewer for each logon attempt seems to be this:

    1 - NPS successful logon
    2 - Special Logon attributing a set of privileges, but it does not specify a user account
    3 - A successful logon with a Null SID and no user account
    4 - A logoff with a Logon ID but no user account

    Thanks again for your help

    RG

    Thursday, January 27, 2011 11:43 AM
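As an added example (not code from the thread or from NPS itself), here is a small Python parser for the IAS-format line RG posted: it splits the six fixed header fields from the attribute ID/value pairs, names the pairs using the documented IAS attribute IDs, and pulls out what a troubleshooter checks first. On this record that shows an Access-Accept with a proxy policy but no network policy, authentication type or EAP type, matching the dashes in the Event Viewer entry above. The attribute-ID map is partial; IDs not in it are kept under their numeric name.

```python
import csv

# Fixed leading fields of an IAS-format record; attribute ID/value pairs follow them.
IAS_HEADER = ["NAS-IP-Address", "User-Name", "Record-Date", "Record-Time",
              "Service-Name", "Computer-Name"]
# Partial map of IAS-format attribute IDs to names (Microsoft-documented NPS/IAS IDs).
IAS_ATTRIBUTES = {25: "Class", 4108: "Client-IP-Address", 4116: "Client-Vendor",
                  4127: "Authentication-Type", 4128: "Client-Friendly-Name",
                  4132: "EAP-Friendly-Name", 4136: "Packet-Type", 4142: "Reason-Code",
                  4149: "NP-Policy-Name", 4154: "Proxy-Policy-Name", 4155: "Provider-Type"}
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request"}
PROVIDER_TYPES = {0: "None", 1: "Windows", 2: "RADIUS Proxy"}

# The line RG posted above (the only log entry NPS wrote for the attempt).
SAMPLE_LINE = ("192.168.1.254,ssdu\\administrator,01/24/2011,20:20:33,IAS,SRV01,"
               "25,311 1 ::1 01/24/2011 16:25:53 257,4155,0,4154,"
               "Use Windows authentication for all users,4128,ap,4116,0,"
               "4108,192.168.1.254,4136,2,4142,0")


def parse_ias_line(line):
    """Split one IAS-format line into the fixed header fields plus a named attribute dict."""
    fields = next(csv.reader([line]))
    pairs = fields[len(IAS_HEADER):]
    if len(fields) < len(IAS_HEADER) or len(pairs) % 2:
        raise ValueError("malformed IAS record: expected 6 header fields then ID/value pairs")
    record = dict(zip(IAS_HEADER, fields))
    record["attributes"] = {IAS_ATTRIBUTES.get(int(pairs[i]), "Attribute-" + pairs[i]): pairs[i + 1]
                            for i in range(0, len(pairs), 2)}
    return record


def summarize(record):
    """Pull out what a troubleshooter checks first: result, policies matched, auth method."""
    attrs = record["attributes"]
    return {
        "user": record["User-Name"],
        "nas": record["NAS-IP-Address"],
        "result": PACKET_TYPES.get(int(attrs.get("Packet-Type", 0)), "unknown"),
        "reason_code": attrs.get("Reason-Code"),
        "proxy_policy": attrs.get("Proxy-Policy-Name"),
        "network_policy": attrs.get("NP-Policy-Name"),  # None: no network policy was recorded
        "provider": PROVIDER_TYPES.get(int(attrs.get("Provider-Type", -1)), "unknown"),
        "auth_type": attrs.get("Authentication-Type"),  # None: no authentication type recorded
        "eap_type": attrs.get("EAP-Friendly-Name"),     # None: no EAP type recorded
    }


if __name__ == "__main__":
    for key, value in summarize(parse_ias_line(SAMPLE_LINE)).items():
        print(f"{key:15} {value}")
```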