CoolerThenZero
2008-08-21 19:54:31 UTC
Hello all,
I'd really appreciate some direction as I tried to set up a Cisco 1242
Series WAP as a Radius Client with 802.1x authentication on a Windows
Server 2003 R2 DC running IAS/RADIUS, DNS, DHCP.
Scenario:
I have 2 machines running Windows XP Pro SP2 and a Windows Tablet
portable that I need to authenticate to a Windows Server 2003 R2 DC
(This is the only server in the infrastructure) via a Cisco Aironet
1242AG Wireless Access Point. These 2 tablet PCs will need to access
resources on the server. The Cisco Aironet WAP does support Radius
authentication. There are also some wired PCs on the network that
will communicate directly via the switched network. The Aironet is
also plugged into the switched network.
It seemed that we were getting close to authenticating via IAS but
just would not connect to the Cisco Wireless Access point. At one
time IAS was logging an error message but even the IAS errors
disappeared after a while, leading me to believe that the
communication between the wireless client and IAS just was not there
anymore.
Steps I took following Microsoft's 170 page pdf and a Cisco post which
showed he got it working:
I went the Securing WLANS with PEAP-MSCHAPV2 route after reading most
of the 170 pg Microsoft pdf located at the link below.
http://www.microsoft.com/downloads/details.aspx?FamilyID=60c5d0a1-9820-480e-aa38-63485eca8b9b&displaylang=en
1. The wireless clients were hardwired and promoted to the domain
first so that the computer accounts were generated.
2. A Global security group called WLAN Access was created in AD.
3. The user accounts and machine accounts were added to this group.
4. The user accounts had their Active Directory Dial-In user Property
set to Allow Access.
5. The Windows Server 2003 server was added to the RAS and IAS Server
group in AD.
Microsoft provided an msi package filled with scripts along with the
document above that automated a lot of the process. Although the
Microsoft Document was based on WEP, it highly advised against going
the WPA route if the clients supported WPA which they did.
6. I installed the CA successfully using the script, set up the CA for
an IAS certificate template successfully using the script, and also
linked up an IAS server Certificate enrollment GPO to the domain
successfully using their script.
At this point, I did not use any more of their automated scripts as I
was going to set up the Wireless clients manually since there were only
two of them. At least I hope I didn't have to as I understood that
when going the PEAP route, the server is the only machine that
requires a certificate.
7. On the Windows 2003 R2 Standard Ed Server, I added the Cisco 1242
Aironet WAP as a Radius Client and provided the Shared Key.
8. Consoled into the Cisco Aironet 1242 WAP and configured the SSID,
the Radius Server's IP, the shared secret, etc. Config for both the
Cisco 1200 Aironet:
http://tekchicago.com/Aironet1242_IASTrouble.htm
I created an HTML page here http://tekchicago.com/Aironet1242_IASTrouble.htm
with most of my configuration except for the Wireless Client Setup.
Since there were only two Wireless clients that needed to
authenticate, I understood that I can set the Wireless clients
manually. I believe they had automatically picked up that it was an
802.1x setup and pre-configured itself.
Questions:
Has anybody set up 802.1x using a Cisco Aironet 1200 series and Windows
server 2003 before and got it to work? If so,
pleaaaaaaaaaaaaassssssse provide some documentation.
Since there are only two machines, should I follow the rest of
Microsoft's documentation and push out the wireless client settings
using a GPO?
Based on my configs and needs, how should the wireless clients be
set up?
I'll be checking this post throughout the day and will appreciate any
expertise or previous experience. Thanks a lot!
Best Regards,
CoolerThenZero
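
Steps 7 and 8 above depend on the same shared secret being entered on IAS and on the access point. As an added example (not part of the original post, and not Microsoft's or Cisco's code), this Python code shows how a RADIUS server validates the Message-Authenticator attribute (RFC 3579) on an Access-Request that carries EAP, so a mistyped secret can be told apart from a malformed packet. The secret, account name and function names are constructed for illustration.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, USER_NAME, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 79, 80

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret, identifier, user, eap):
    """AP side: Access-Request carrying EAP, signed with the shared secret."""
    attrs = attr(USER_NAME, user) + attr(EAP_MESSAGE, eap)
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))      # placeholder, filled below
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet += os.urandom(16) + attrs                     # Request Authenticator
    mac = hmac.new(secret, packet, hashlib.md5).digest() # HMAC-MD5 over whole packet
    return packet[:-16] + mac

def check_access_request(secret, packet):
    """Server side: 'ok', 'bad-secret', 'unsigned-eap' or 'malformed'."""
    if len(packet) < 20:
        return "malformed"
    code, _, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "malformed"
    pos, mac_at, has_eap = 20, None, False
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return "malformed"
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_type == MESSAGE_AUTHENTICATOR:
            if attr_len != 18:
                return "malformed"
            mac_at = pos + 2
        has_eap = has_eap or attr_type == EAP_MESSAGE
        pos += attr_len
    if mac_at is None:                                   # nothing to verify against
        return "unsigned-eap" if has_eap else "ok"
    zeroed = packet[:mac_at] + bytes(16) + packet[mac_at + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    received = packet[mac_at:mac_at + 16]
    return "ok" if hmac.compare_digest(expected, received) else "bad-secret"

# Constructed sample: EAP-Response/Identity for a made-up account.
IDENTITY = b"EXAMPLE\\tablet1"
EAP = struct.pack("!BBHB", 2, 1, 5 + len(IDENTITY), 1) + IDENTITY
SAMPLE = build_access_request(b"constructed-secret", 7, IDENTITY, EAP)

if __name__ == "__main__":
    print(check_access_request(b"constructed-secret", SAMPLE))   # secrets match
    print(check_access_request(b"constructed-secert", SAMPLE))   # typo on one side
```

RFC 3579 has the server silently discard an Access-Request whose Message-Authenticator fails this check, so a secret mismatch appears on the access point as a RADIUS timeout rather than as a reject.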