Discussion:
802.1X configuration for IAS and Cisco WLC 4402
Library Sysadmin
2008-08-28 07:26:08 UTC
Windows 2003 R2 x64 SP2 servers; Cisco WLC 4402 v5.1.x; Windows XP SP2 clients.

I’m trying to get IAS configured to authenticate wireless devices that
connect to APs associated with the Cisco WLAN Controller. I haven’t found
any configuration that works, but I’ve narrowed this down to the fact that
the RADIUS authentication isn’t occurring.

I’ve followed the configuration documents from Cisco and Technet and many
other documents and forum threads, but nothing works.
http://www.microsoft.com/technet/network/wifi/ed80211.mspx
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

There are some discrepancies between these two articles. Basically, the
Technet article recommends encryption settings between the WLAN Controller
and IAS servers, while the Cisco document recommends no encryption between
the two.

I’ve tried numerous configurations, but haven’t found anything that allows
our HP or Dell laptops to authenticate when configured with WPA-Enterprise,
WPA2-Enterprise or 802.1x authentication settings.

There are no errors logged on any device, either, which makes this more
frustrating.

If anyone has this kind of configuration working, I would appreciate it if
you could share the configuration settings for all devices.

TIA
Rick
S. Pidgorny <MVP>
2008-08-29 10:20:57 UTC
"Nothing works" is not a correct description of the problem. You need to
make sure that RADIUS traffic actually is sent from the WLC to the
RADIUS server (a simple network capture will confirm), and that IAS
services are started and have the WLC defined as a RADIUS client and an access
policy.

From there on, the system log gives a lot of very descriptive messages. I
was configuring wireless infrastructures without referring much to the
documentation because it's very straightforward.

Post back with details.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
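As an added illustration of the capture Svyatoslav recommends (this is my own example, not code from the thread, Cisco or Microsoft): a small Python script that builds a constructed EAP-over-RADIUS Access-Request with the attribute values that later appear in Rick's IAS event (NAS-IP-Address 10.34.10.58, NAS-Port 29, SSID TestSSID, identity host/SCOTRNCPQ003.scdl.local), parses it back the way a capture tool would, and recomputes the RFC 3579 Message-Authenticator under the WLC/IAS shared secret. The point it makes is the one behind "no errors logged anywhere": a request whose Message-Authenticator does not validate under the server's configured secret is silently discarded, so a mismatched secret produces neither an Access-Reject nor an event. The shared secret and the Request Authenticator are placeholders I made up.

```python
import hashlib
import hmac
import ipaddress
import struct

# RADIUS attribute type numbers used below (RFC 2865 / RFC 3579)
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Called-Station-Id": 30,
        "NAS-Identifier": 32, "NAS-Port-Type": 61, "EAP-Message": 79, "Message-Authenticator": 80}
ATTR_NAME = {v: k for k, v in ATTR.items()}
ACCESS_REQUEST = 1                 # RADIUS Code for Access-Request
NAS_PORT_TYPE_WIRELESS_80211 = 19  # shows as "Wireless - IEEE 802.11" in IAS events

def _tlv(attr_type, value):
    """Encode one attribute as Type (1 byte), Length (1 byte), Value (<= 253 bytes)."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(secret, ident, request_authenticator, attrs):
    """Assemble an EAP-carrying Access-Request. The Message-Authenticator is HMAC-MD5,
    keyed with the shared secret, over the whole packet with its own value zeroed
    (RFC 3579 section 3.2); it goes last so the zeroed placeholder can be overwritten."""
    body = b"".join(_tlv(t, v) for t, v in attrs) + _tlv(ATTR["Message-Authenticator"], bytes(16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def parse_radius(packet):
    """Split a datagram into (code, identifier, authenticator, [(type, value)]).
    Raises ValueError when truncated or self-inconsistent; octets past the Length
    field are padding and ignored (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def verify_message_authenticator(packet, secret):
    """Recompute the Message-Authenticator under `secret` and compare. A server whose
    configured secret differs gets a mismatch here and, per RFC 3579, silently discards
    the request: no Access-Reject reaches the WLC, so neither side shows an error.
    Returns False if the attribute is absent (an EAP Access-Request must carry one)."""
    _, _, _, attrs = parse_radius(packet)
    packet = packet[:struct.unpack("!H", packet[2:4])[0]]   # drop any trailing padding
    pos = 20
    for atype, value in attrs:
        if atype == ATTR["Message-Authenticator"]:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)
        pos += len(value) + 2
    return False

def describe(packet):
    """Decode attributes the way an IAS event lists them (NAS-IP-Address, NAS-Port, ...)."""
    code, ident, _, attrs = parse_radius(packet)
    out = {"Code": code, "Identifier": ident}
    for atype, value in attrs:
        name = ATTR_NAME.get(atype, "Attribute-%d" % atype)
        if atype == ATTR["NAS-IP-Address"]:
            out[name] = str(ipaddress.IPv4Address(value))
        elif atype in (ATTR["NAS-Port"], ATTR["NAS-Port-Type"]):
            out[name] = struct.unpack("!I", value)[0]
        elif atype in (ATTR["EAP-Message"], ATTR["Message-Authenticator"]):
            out[name] = value.hex()
        else:
            out[name] = value.decode("utf-8", "replace")
    return out

# Constructed sample: a WLC forwarding the supplicant's EAP Response/Identity. Attribute
# values mirror Rick's IAS event; secret and Request Authenticator are made-up placeholders.
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real NAS sends 16 random bytes
IDENTITY = b"host/SCOTRNCPQ003.scdl.local"
# EAP Response (code 2), id 1, length, Type 1 = Identity, then the identity string
EAP_RESPONSE_IDENTITY = struct.pack("!BBH", 2, 1, 5 + len(IDENTITY)) + b"\x01" + IDENTITY
SAMPLE_ATTRS = [
    (ATTR["User-Name"], IDENTITY),
    (ATTR["NAS-IP-Address"], ipaddress.IPv4Address("10.34.10.58").packed),
    (ATTR["NAS-Port"], struct.pack("!I", 29)),
    (ATTR["NAS-Port-Type"], struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211)),
    (ATTR["Called-Station-Id"], b"TestSSID"),
    (ATTR["EAP-Message"], EAP_RESPONSE_IDENTITY),
]
SAMPLE_PACKET = build_access_request(SHARED_SECRET, 7, REQUEST_AUTHENTICATOR, SAMPLE_ATTRS)

if __name__ == "__main__":
    print(describe(SAMPLE_PACKET))
    print("configured secret:", verify_message_authenticator(SAMPLE_PACKET, SHARED_SECRET),
          "mistyped secret:", verify_message_authenticator(SAMPLE_PACKET, b"wrong-secret"))
```

Pointed at the UDP payload of a real capture, parse_radius and describe show whether the WLC is sending Access-Requests at all and to which address (NAS-IP-Address versus the RADIUS client entry in IAS), and verify_message_authenticator, given the secret you believe is configured, tells you whether the server would have discarded them before logging anything.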
Library Sysadmin
2008-08-29 18:11:00 UTC
Svyatoslav,

Thanks for the response.

I’ve been working with this for a few days now and the documentation on this
is conflicting, which only adds to the confusion over what the correct
settings should be. The number of forum threads on this exact subject
- on this and other forum sites - tells me that this really isn’t “pretty
straightforward”.

Until today, I haven’t been able to get any error messages to appear in log
files.

I had been following the configuration settings in the Technet articles,
which recommend encryption between the WLC and IAS server. If I configure
anything that attempts to encrypt the communication between the two, then no
communication takes place, therefore no log messages. I’ve removed these
settings on the WLC and in IAS.

The laptop being used for testing is an HP and is joined to the domain. It is
assigned to an OU and has a valid certificate issued through autoenrollment
from the local CA.

Upon booting, this error now displays in the IAS System Event log:
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 8/29/2008
Time: 1:19:51 PM
User: N/A
Computer: DC1
Description:
Access request for user host/SCOTRNCPQ003.scdl.local was discarded.
Fully-Qualified-User-Name = scdl.local/SCDL Training Laptop Policy/SCOTRNCPQ003
NAS-IP-Address = 10.34.10.58
NAS-Identifier = <wlcname>
Called-Station-Identifier = TestSSID
Calling-Station-Identifier =
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.34.10.58
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 300
Reason = No credentials are available in the security package
CoolerThenZero
2008-08-30 03:04:43 UTC
Are you filtering your remote access policy via a Windows Global Security
group? If so, have you checked "Allow Access" on the Dial-In tab for both
the user account and the computer account properties in AD? Did you verify
that the IAS certificate is installed on all client computers?
Library Sysadmin
2008-08-30 14:41:00 UTC
This post might be inappropriate. Click to display it.
S. Pidgorny <MVP>
2008-09-01 09:09:14 UTC
Post by Library Sysadmin
Laptop being used for testing is an HP and is joined to the domain. It is
assigned to an OU and has a valid certificate issued through autoenrollment
from the local CA.
Event Type: Error
Event Source: IAS
Event Category: None
Event ID: 3
Date: 8/29/2008
Time: 1:19:51 PM
User: N/A
Computer: DC1
Access request for user host/SCOTRNCPQ003.scdl.local was discarded.
Fully-Qualified-User-Name = scdl.local/SCDL Training Laptop Policy/SCOTRNCPQ003
NAS-IP-Address = 10.34.10.58
NAS-Identifier = <wlcname>
Called-Station-Identifier = TestSSID
Calling-Station-Identifier =
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.34.10.58
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Reason-Code = 300
Reason = No credentials are available in the security package
I think this may be caused by the server certificate - lack or
invalidity thereof.
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *
Library Sysadmin
2008-09-01 15:48:01 UTC
Svyatoslav,

Thanks for the response.
I was going to update this tomorrow when I was in the office (US holiday
today) but maybe someone else can post something today...

From everything I've read on configuring IAS on a DC, the request for the
certificate was to use the Domain Controller cert template, which I used
successfully. I would also note that the Default Domain GPO has been set up
for Autoenrollment and the DCs have 2 certs - one using the Domain Controller
Authentication template and the other using the Directory Service Email
Replication.

After adding the cert using the Domain Controller template, when I logged
back in on the domain controller later, the certificate was not listed in the
MMC and checking IAS configuration always complained that there was no
matching certificate. I'd reimport it, but the same thing would happen again.

In another thread, I worked with someone on the Domain Controller
certificate issue. What we found was that these are older certificate
templates and the DC template is listed as Superseded in the DC
Authentication cert. So, what I think was happening is that every time GP
was refreshed the Autoenrollment update/renewal process would remove the
superseded certificate. But the DC Authentication certificate doesn't appear
in IAS when configuring PEAP Methods.

So, I updated the CA to add the RAS and IAS Server template as one that
can be issued and set the security permissions to read, write, enroll and
autoenroll. Then, I requested a new cert on the DC using this template and
used that in the IAS config.

Once this was done, the test laptop authenticates with IAS and there is a
success message in the Windows event log.

However, no domain users can log in.
After entering the name/password/domain in the login dialog, a message box
appears saying the domain is not available.

That's about as far as I got Friday and was going to start troubleshooting
this on Tuesday.

If anyone knows what this is all about and how to fix it, I would appreciate
your input.

TIA
Rick
CoolerThenZero
2008-09-01 18:27:20 UTC
Are you running both DNS & WINS for name resolution? Did you try
demoting and re-promoting the client machine to the domain while
HARDWIRED to the switched network?
Library Sysadmin
2008-09-03 00:06:41 UTC
This is where I am:

The test laptop is booted and this message appears in the Windows Event log
on the IAS server:
Event Type: Information
Event Source: IAS
Event Category: None
Event ID: 1
Date: 9/2/2008
Time: 7:28:37 PM
User: N/A
Computer: DC1
Description:
User host/SCOTRNCPQ003.scdl.local was granted access.
Fully-Qualified-User-Name = scdl.local/SCDL Training Laptop Policy/SCOTRNCPQ003
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
Calling-Station-Identifier = 00-90-4B-4C-92-B7
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = Staff Wireless Policy
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

But when logging in with any account (local admin, cached profile, roaming
profile) no DHCP address is assigned and the following messages appear
repeatedly on IAS server Windows Event log:

Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 9/2/2008
Time: 7:30:59 PM
User: N/A
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
NAS-Identifier = scohc0ciswlc
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Client-Friendly-Name = WLAN Controller
Client-IP-Address = 10.10.10.10
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 29
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = EAP
EAP-Type = <undetermined>
Reason-Code = 8
Reason = The specified user account does not exist

Rick
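Added example (mine, not something posted in this thread): a small Python triage script for IAS System-log text like the two events above. It parses each event into its header fields and `Name = value` attributes, groups events by client MAC (Calling-Station-Identifier), and explains every non-granted one, including the pattern here: the same MAC is granted as host/<fqdn> (machine authentication at boot) and then denied with Reason-Code 8 while presenting the bare <fqdn>. The sample events are re-typed from Rick's post; the two REASON_HINTS entries are my wording, drawn from how the Reason-Code 300 problem was resolved earlier in the thread (RAS and IAS Server certificate) and from the Reason text IAS itself gives for code 8.

```python
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^(Event Type|Event Source|Event ID|Date|Time|User|Computer):\s*(.*)$")
ATTR_RE = re.compile(r"^([A-Za-z-]+) = (.*)$")
VERDICT_RE = re.compile(
    r"^(?:Access request for user|User) (\S+) was (granted access|denied access|discarded)\.$")

# Hints for the two reason codes seen in this thread, worded from how the thread
# played out; any other code is reported with the Reason text IAS supplies.
REASON_HINTS = {
    "300": "IAS has no usable server-side credential for PEAP; here the fix was enrolling "
           "the server with a certificate from the RAS and IAS Server template",
    "8": "the presented identity maps to no AD account; check what the supplicant sends",
}

def parse_ias_events(text):
    """Turn the text of one or more IAS System-log events into dicts.
    Header lines ('Event ID: 2') go to the top level, 'Name = value' lines under
    'attrs', and the 'User X was granted/denied access.' sentence supplies
    'identity' and 'verdict'. Events are separated by blank lines."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {"attrs": {}}
        for raw in block.splitlines():
            line = raw.strip()
            m = HEADER_RE.match(line)
            if m:
                ev[m.group(1)] = m.group(2)
                continue
            m = ATTR_RE.match(line)
            if m:
                ev["attrs"][m.group(1)] = m.group(2)
                continue
            m = VERDICT_RE.match(line)
            if m:
                ev["identity"], ev["verdict"] = m.group(1), m.group(2)
        events.append(ev)
    return events

def triage(events):
    """Group events by client MAC (Calling-Station-Identifier) and explain each
    non-granted one. Also flags the pattern from this thread: the same MAC was
    granted as host/<fqdn> (machine auth at boot) and is then denied while
    presenting the bare <fqdn>, i.e. the logon-time request carries the
    computer name where a user identity (or host/ identity) was expected."""
    by_mac = defaultdict(list)
    for ev in events:
        by_mac[ev["attrs"].get("Calling-Station-Identifier", "unknown")].append(ev)
    findings = []
    for mac, evs in by_mac.items():
        granted = {e.get("identity") for e in evs if e.get("verdict") == "granted access"}
        for e in evs:
            if e.get("verdict") == "granted access":
                continue
            code = e["attrs"].get("Reason-Code", "?")
            ident = e.get("identity", "?")
            note = "%s, Reason-Code %s (%s): %s" % (
                e.get("verdict", "no verdict"), code, e["attrs"].get("Reason", "no Reason text"),
                REASON_HINTS.get(code, "no hint for this code"))
            if code == "8" and "host/" + ident in granted:
                note += ("; '%s' is the computer FQDN without the host/ prefix, and host/%s was "
                         "already granted from this MAC, so the request sent at user logon is "
                         "presenting the machine name instead of a user identity; check which "
                         "supplicant (vendor utility or Windows) is driving the adapter" % (ident, ident))
            findings.append({"mac": mac, "time": e.get("Time"), "identity": ident, "note": note})
    return findings

# Constructed sample in the IAS event-log layout, re-typed from the field values
# Rick posted above (not a capture from any real server).
SAMPLE_EVENTS = """\
Event Type: Information
Event Source: IAS
Event ID: 1
Time: 7:28:37 PM
Computer: DC1
Description:
User host/SCOTRNCPQ003.scdl.local was granted access.
Fully-Qualified-User-Name = scdl.local/SCDL Training Laptop Policy/SCOTRNCPQ003
NAS-IP-Address = 10.10.10.10
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Policy-Name = Staff Wireless Policy
Authentication-Type = PEAP
EAP-Type = Secured password (EAP-MSCHAP v2)

Event Type: Warning
Event Source: IAS
Event ID: 2
Time: 7:30:59 PM
Computer: DC1
Description:
User SCOTRNCPQ003.scdl.local was denied access.
Fully-Qualified-User-Name = SCDL\\SCOTRNCPQ003.scdl.local
NAS-IP-Address = 10.10.10.10
Called-Station-Identifier = 00-21-55-C0-7D-70:Domain Staff
Calling-Station-Identifier = 00-90-4B-4C-92-B7
Policy-Name = <undetermined>
Authentication-Type = EAP
Reason-Code = 8
Reason = The specified user account does not exist
"""

if __name__ == "__main__":
    for f in triage(parse_ias_events(SAMPLE_EVENTS)):
        print("%s  %s  %s\n  %s" % (f["time"], f["mac"], f["identity"], f["note"]))
```

Feed it the text of several events copied from Event Viewer and the per-MAC grouping makes the boot-time grant and the logon-time denial line up side by side, which is easier to reason about than reading the events one at a time.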
Library Sysadmin
2008-09-04 06:23:01 UTC
This post might be inappropriate. Click to display it.
Library Sysadmin
2008-09-07 16:31:01 UTC
I've tried adding other Connection Request Policies matching on other
criteria than the Day/Time parameters set up in the default 'Use Windows...'

The same error occurs for every login when matching on the new Connection
policy.

So, basically, with the configurations currently in place, IAS will
authenticate a machine on bootup, but reject any user login attempts which
results in no wireless connection on the client being established.

I've tried various configuration changes on the client with no difference in
the result.

Rick
Library Sysadmin
2008-09-15 15:00:16 UTC
I've had to relegate this issue to a lower priority, as there are other
issues that need attention.

I have managed to get PEAP-MSCHAPv2 authentication working by removing the
machine certificate and the autoenrollment policies. All the documentation
I've been following list these as necessary steps, but removing these allows
a user to authenticate successfully.

I would like to try to get PEAP-TLS authentication working, however. In
working through all this, I think this would be a better fit for our
environment.

I have the same problem, then. I've added a Remote Access Policy to IAS to
test this out and have it match on the Domain Computers global group. The
Authentication -> EAP Methods was set to Smart Card or other certificate.
On the client, I selected PEAP-TLS and set the Client Identity to the
certificate issued for the machine through the autoenrollment policies that I
re-enabled.

I still get the error on the IAS server that I have listed in earlier posts
- Event 2, Reason-Code=8, Reason=the specified user account does not exist.

Rick
James McIllece [MS]
2008-09-16 19:53:17 UTC
Post by Library Sysadmin
All the documentation
I've been following list these as necessary steps, but removing these
allows a user to authenticate successfully.
Hi there --

Can you please provide URLs for the Microsoft documentation that states
that a computer certificate is required for PEAP-MS-CHAP v2 authentication?

I will correct that documentation or request that the doc owner correct it.

PEAP-MS-CHAP v2 requires a server certificate on the IAS or NPS server, but
user credentials are password based.

PEAP-TLS and EAP-TLS require a server certificate and either a computer or
a user certificate on the client computer. The client or user certificate
can be in the client computer certificate store or on a smart card.

Thanks --

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Library Sysadmin
2008-09-18 14:26:02 UTC
James,

I read through at least a dozen Technet and Cisco documents pertaining to
the various aspects of this configuration.

In looking at the ones that I have bookmarked, they don't specifically state
that PEAP-MSCHAPv2 needs a certificate. I think it's just that these docs
are describing several configurations and when you start walking through the
steps to configure everything, it's easy to miss the line that PEAP-MSCHAPv2
doesn't need a cert and continue on.

Rick
James McIllece [MS]
2008-10-31 18:13:41 UTC
Post by Library Sysadmin
James,
I read through at least a dozen Technet and Cisco documents pertaining
to the various aspects of this configuration.
In looking at the ones that I have bookmarked, they don't specifically
state that PEAP-MSCHAPv2 needs a certificate. I think it's just that
these docs are describing several configurations and when you start
walking through the steps to configure everything, it's easy to miss
the line that PEAP-MSCHAPv2 doesn't need a cert and continue on.
Rick
OK, thanks for the followup, Rick.

For others who aren't familiar with PEAP-MS-CHAP v2, if you want to use
mutual authentication, where the client authenticates the IAS/NPS server in
addition to the server authenticating the client/user, the IAS or NPS
server must have a server certificate that meets the minimum server
certificate requirements. Also, client computers must be configured to
validate the server certificate. (Ideally client configurations are pushed
to clients with Group Policy.)

Thanks --
--
James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Library Sysadmin
2008-09-18 14:31:01 UTC
I did get this working with a PEAP-TLS configuration.

On both the Dell and HP laptops, I had to disable the wireless utility
software or services and use Windows to configure wireless connections.

Thanks to everyone who contributed.

Rick