Radius authentication does not work with wireless router

  • Question

  • We have Windows Server 2008 R2, domain and forest level is Server 2003.

    And I want to configure Radius authentication for our wireless network.
    I installed NPS server and AD Certificate Services. After installation, I requested a new certificate for the domain controller. Then I configured NPS to 802.1x for wireless connections. I added my router's IP address with friendly name "router2". I typed a password for the device.
    I selected that members of the Wireless group will have access to the network. Then I chose EAP as authentication protocol and clicked on the previously generated certificate.
    I deleted all policies for new connections and created new one. Settings were default and condition was that friendly-name is "router2".
    After server configuration, I set up the router with the server's IP address, auth port 1812, and typed a password. Security type was set to WPA2-Enterprise.
    On the client PC, I imported root CA certificate and saved it to Trust Certification authorities store.
    In wireless networks I configured new with correct name, WPA2-Enterprise, Protected EAP as authentication protocol. In EAP settings, I checked validate server certificate and below I selected root CA certificate. Next to MS-CHAPv2 I clicked configuration button and unchecked to use Windows account to logon. Last thing was setting to validate user in advanced settings of this network.

    Our problem is that when we try to connect to this network, we are asked for credentials. But we are not able to authenticate to this network; the dialog asking for credentials keeps showing.
    Where could the problem be?

    We have tried two models of WiFi routers (D-Link DSL-2641B, Edimax 3G-6200n). Both have latest firmware.


    Monday, May 30, 2011 6:15 PM

Answers

  • I tested the same configuration on a newly installed machine and it worked. All other servers are working without problems. There is a problem with this server only. We tried to reinstall Active Directory and all services. It did not work either. So my friend will reinstall the operating system and it should work.
    Wednesday, June 8, 2011 11:19 AM

All replies

  • Hi Ales,

    Thanks for posting here.

    > I selected that members of Wireless group will have access to network. Then I chose EAP as authentication protocol and clicked on previously generated certificate.

    > In wireless networks I configured new with correct name, WPA2-Enterprise, Protected EAP as authentication protocol. In EAP settings, I checked validate server certificate and below I selected root CA certificate. Next to MS-CHAPv2 I clicked configuration button and unchecked to use Windows account to logon. Last thing was setting to validate user in advanced settings of this network.

    If you have configured EAP-TLS as the authentication protocol on the NPS server, then you should also select “Smart Card or other certificate (EAP-TLS)” as the network authentication method on the client side and select the proper server certificate.

    Please take a look at the links below first:

    Use the 802.1X Wizard to Configure NPS Network Policies
    http://technet.microsoft.com/en-us/library/dd283091(WS.10).aspx

    Configure Wireless Computers Running Windows Vista for 802.1X Authenticated Access
    http://technet.microsoft.com/en-us/library/dd283021(WS.10).aspx

    For more information please also refer to the articles below:

    Planning for Recommended Security Configurations
    http://technet.microsoft.com/en-us/library/dd348504(WS.10).aspx

    Checklist: Deploying 802.1X Authenticated Wireless Access
    http://technet.microsoft.com/en-us/library/dd283031(WS.10).aspx

    Thanks.

    Tiger Li

     

    Tuesday, May 31, 2011 3:13 AM
  • I selected Protected EAP as authentication protocol.

    I made some more tests and when I enter correct credentials, it still asks for them and does not authenticate me to the network. But when I enter a non-existent user, I get an error - Unable to connect to this network.

    I have already implemented RADIUS authentication for a wired network in another company and there it works very well. There I used similar settings, but there were Cisco switches.
    Tuesday, May 31, 2011 6:03 PM
  • Hi Ales,

    Thanks for the update.

    So you are using PEAP-TLS authentication right now, am I correct?

    If yes, you may first double check the wireless profile settings by following the introductions in the link below, especially the 802.1x settings and the settings in the PEAP properties (start from step 19):

    Configure Wireless Clients running Windows 7 and Windows Vista for PEAP-TLS Authentication
    http://technet.microsoft.com/en-us/library/dd759219.aspx

    Thanks.

    Tiger Li

     

    Wednesday, June 1, 2011 2:49 AM
  • We are using PEAP with secured password MSCHAPv2.

    I performed all steps in the manual, but one difference is that we use protected password MS-CHAPv2 as authentication method. I unselected use current account for logon to this network too.

    Wednesday, June 1, 2011 5:39 AM

  • We need to get more detail and logging
    1) What is the client OS version?
    2) Server side logging
       a) netsh ras set tracing * enable
          Reproduce the issue
          netsh ras set tracing * disable
          Gather the logs from %systemroot%\tracing
    3) Client side logging
       Windows XP
          netsh ras set tracing * enable
          Reproduce the issue
          netsh ras set tracing * disable
          Gather the logs from %systemroot%\tracing

       Windows Vista
          netsh ras set tracing * enable
          netsh wlan set tracing mode=yes
          Reproduce the issue
          netsh wlan set tracing mode=no (IMPORTANT: Wait for the command to return back to the command line. This may take several seconds.)
          netsh ras set tracing * disable

       Windows 7
          netsh trace start scenario=wlan|lan capture=yes tracefile=c:\trace.etl
          Reproduce the issue
          netsh trace stop
    4) Does the Server Certificate support Server Authentication?
    You can see this in the Enhanced


    Ketan Thakkar | Microsoft Online Community Support
    Wednesday, June 8, 2011 3:58 AM
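
Added example, not part of the original thread: one way to answer question 4 of the reply above from a PowerShell prompt on the NPS server, by listing the machine certificates and flagging any that lack the Server Authentication EKU, have no private key, or are outside their validity period. The function name `Test-PeapServerCertificate` is hypothetical; the script only reads the local machine certificate store.

```powershell
# Added example (not from the thread). Test-PeapServerCertificate is a
# hypothetical helper name; it only reads certificate properties.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # OID of the Server Authentication EKU

function Test-PeapServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $problems = @()
    $now = Get-Date

    # The server must hold the private key to complete the TLS handshake.
    if (-not $Certificate.HasPrivateKey) {
        $problems += 'no private key on this machine'
    }
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'outside validity period'
    }

    # Locate the Enhanced Key Usage extension and collect its OIDs.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $serverAuthOid) {
            $problems += 'EKU present but lacks Server Authentication'
        }
    } else {
        $problems += 'no EKU extension; purpose is not restricted, verify manually'
    }
    $problems
}

# Report every certificate in the local machine "Personal" store.
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $found = @(Test-PeapServerCertificate -Certificate $_)
    $summary = 'none'
    if ($found.Count -gt 0) { $summary = $found -join '; ' }
    New-Object PSObject -Property @{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        Expires    = $_.NotAfter
        Problems   = $summary
    }
} | Format-List Subject, Thumbprint, Expires, Problems
```

The certificate selected in the NPS PEAP properties should appear in this list with `Problems : none`.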