Discussion:
NPS RADIUS with Cisco WLC
Pha
2009-06-12 02:11:01 UTC
Hi,
I am having an issue getting a Cisco WLC2112 authenticating using
WPA2-Enterprise (on the client) using PEAP with MS-CHAPv2.
I have changed our domain to DOMAIN, and any legitimate username to
"username".
On the wireless controller I have used AAA and RADIUS to a Windows 2008
domain controller with the NPS role.
I am using the following settings:
Call Station ID Type - IP Address
Server Address 10.0.1.15
Shared Secret Format ASCII
Shared Secret (This is set ok)
Confirm Shared Secret (This is set ok)
Key Wrap Not set
Port Number 1812
Server Status Enabled
Support for RFC 3576 Enabled
Server Timeout 3 seconds (I upped this to 30 from 10)
Network User Enable
Management Enable
IPSec Not Enabled

IAS(NPS) logs
Start DateTime 06/12/2009 10:48:17
User Name DOMAIN\username
Stop DateTime 06/12/2009 10:48:17
Duration 00:00:00
User IP
Output Octets 0
Input Octets 0
Connect Request
Connect Result Unknown


In the trap log of the WLC I get these:
RADIUS server 10.0.1.15:1812 failed to respond to request (ID 178) for
client 00:22:fb:22:30:10 / user 'unknown'

In the event log on the NPS I get:
A LDAP connection with domain controller dc1.domain.com for domain DOMAIN is
established.

In the client wireless connectivity setup, I choose security
WPA2-Enterprise, Encryption AES, advanced settings for 802.1X authentication
PEAP-MS-CHAPv2, using my windows credentials.

Does anyone know of a step-by-step guide to getting a Cisco WLC with
Lightweight Access Points (all working if I use WPA2-PSK!) working with a
Win2k8 NPS RADIUS config? Or anything that I might be missing? I am getting
it working without certificates for the moment. We do not yet have an
enterprise Certificate Authority, and I believe PEAP-MSCHAPv2 doesn't need
certs?

ANY help would be greatly appreciated!

Pha
James McIllece [MS]
2009-06-12 17:30:12 UTC
PEAP-MS-CHAP v2 does require a server certificate on the NPS server. The
only exception to this is if you uncheck the "Validate server certificate"
setting on client computers (this can be done per computer or using Group
Policy); but if you do that, security is compromised, so it is not
recommended for production environments.

This deployment guide is recommended:

Foundation Network Companion Guide: Deploying 802.1X Authenticated Wireless
Access with PEAP-MS-CHAP v2

http://technet.microsoft.com/en-us/library/dd183603(WS.10).aspx

Note that there are also Foundation Network Companion Guides for deploying
server certificates and also for deploying user and computer certificates.

All of the Foundation Network (for WS08) and Core Network (for WS08 R2)
Guides are at:

Foundation Network and Core Network Guides
http://technet.microsoft.com/en-us/library/dd630625(WS.10).aspx

Thanks --

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Pha
2009-06-14 23:37:01 UTC
Thanks for this info James.
I have organised a certificate from OpenSSL with one of the guys here.
They created a root certificate, which is on the domain controllers with
NPS. I also have the trusted root certificate on my workstation (the CA is
domain.com) and I have confirmed in the Certificates MMC that it is under
Trusted.

I have "uploaded" to the 2112 WLC a certificate for wireless.domain.com
from the authority domain.com.
I still cannot get it to connect through RADIUS; current logs show:
Log Name: System
Source: NPS
Date: 15/06/2009 9:07:05 AM
Event ID: 4400
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: dc1.domain.com
Description:
A LDAP connection with domain controller dc1.domain.com for domain DOMAIN is
established.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="16384">4400</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-06-14T23:07:05.000Z" />
<EventRecordID>64254</EventRecordID>
<Channel>System</Channel>
<Computer>DC1.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>DC1.domain.com</Data>
<Data>DOMAIN</Data>


On NPS server
radius client (xxx = company name)
friendly name xxxwlc01
ip: 10.0.2.3
Vendor name: Radius Standard
shared secret: set ok.


Connection request policy (ran through the wireless 802.1x wizard)

Conditions:
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Client friendly name - xxxmil?

Settings:
no override set
authenticate on this server
Attribute: (username) find domain.com Replace with $


Network Policy
Grant access
ignore dialin properties

Conditions:
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Windows Groups: Domain\domain users

Constraints
Authentication:
EAP type Microsoft: Protected EAP
Less secure auth methods: MS-CHAPv2 (user can change password after it expires).
To try and test and get it working I also enabled MS-CHAP, CHAP and PAP,
but I could remove them and will remove them.

Settings:
Standard: Framed-Protocol PPP
Service type Framed

NAP Enforcement: Allow full network access

Any other ideas would be greatly appreciated, in case I am missing anything
really obvious.

Pha
James McIllece [MS]
2009-06-17 19:46:11 UTC
The Cisco 2112 doesn't need a certificate for PEAP-MS-CHAP v2, only the NPS
server does. All you need on the 2112 is to enable EAP communication.

And you must issue a certificate to the NPS server that is based on the IAS
and RAS Server certificate template.

The DC will receive a cert automatically but it is not the same as the cert
based on the IAS and RAS Server cert template, and it won't work for PEAP-
MS-CHAP v2 authentication.

In addition, client computers must trust the CA that issued the certificate
-- this concept is covered in the guide I recommended. If you deployed your
own CA, clients must trust it -- and that means that the CA certificate
must exist in the Trusted Root Certification Authorities certificate store
on every client computer that you want to be able to successfully connect
to the network.

James McIllece, Microsoft

Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.

This posting is provided "AS IS" with no warranties, and confers no rights.
Pha
2009-06-17 22:36:01 UTC
Hi James,
Those documents were very handy, and I did put the certificate provided to
me on the NPS (DC) and installed it into the trusted store.

The certificate is intended for the following purposes:
All application policies

We don't have a Windows certificate server, just an OpenSSL cert server (and
I am instructed that I cannot install a Windows cert server on ANY of our
Windows servers), so will I be able to use OpenSSL?

I am still trying to tweak and tweak to get this working. Again, I appreciate
the documents you sent. I have the NPS certificate (named
servername.domain.com), and I also have that cert in my trusted store on my
laptop. I am getting it to the point where it is doing the LDAP lookup, but
getting
RADIUS server 10.0.1.15:1812 failed to respond to request (ID 237) for
client 00:22:fb:22:30:10 / user 'unknown'

The only thing at the moment I can see different is the IAS cert, but I was
hoping "all applications" would cover this?

Again, thanks for your help!

Pha
James McIllece [MS]
2009-06-18 20:19:09 UTC
Post by Pha
All application policies
This certificate will not work for Server Authentication. The "All" purpose
is different from what it appears to be and does not include all purposes for
which a cert can be used. The Server Authentication purpose is represented
by a specific GUID that must be present in the certificate for clients to
be able to use it to authenticate the NPS server.

You must follow the instructions in the guides on deploying a server
certificate exactly or none of this will work.
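Putting James's two requirements together (a certificate for the NPS host that carries the Server Authentication purpose, and an issuing root that every client trusts), here is an added example, not code from this thread or from Microsoft, of issuing such a certificate from an OpenSSL CA like the one Pha's colleagues run, and of checking the EKU before importing it. The host name nps01.domain.com, the working directory and the .pfx password are assumptions; the extensions mirror what the "RAS and IAS Server" template James names would put in the certificate. A second certificate is signed with no extensions at all so the check has a negative case to fail on.

```shell
#!/bin/sh
# Added example (not from the thread): mint an NPS server certificate from an
# OpenSSL CA the way the "RAS and IAS Server" template would, then prove the
# Server Authentication EKU is really in it. Host name and paths are assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NPS_FQDN="${NPS_FQDN:-nps01.domain.com}"      # assumed FQDN of the NPS host
PFX_PASS="${PFX_PASS:-changeit}"              # import password for the .pfx

# 1. The private root CA (stands in for the thread's OpenSSL "cert server").
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=domain.com Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Extensions equivalent to the RAS and IAS Server template: Server
#    Authentication EKU (OID 1.3.6.1.5.5.7.3.1) plus the NPS host name as SAN.
cat > "$WORK/nps.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${NPS_FQDN}
EOF

# 3. Key + CSR for the NPS host, signed by the CA with those extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=${NPS_FQDN}" \
  -keyout "$WORK/nps.key" -out "$WORK/nps.csr" 2>/dev/null
openssl x509 -req -sha256 -days 730 -in "$WORK/nps.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/nps.ext" -out "$WORK/nps.crt" 2>/dev/null

# 4. For contrast: the same CSR signed with no extensions. Windows reports a
#    certificate with no EKU as "All application policies"; PEAP clients
#    refuse to authenticate the server with it.
openssl x509 -req -sha256 -days 730 -in "$WORK/nps.csr" \
  -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/noeku.crt" 2>/dev/null

# 5. Bundle key + cert + issuing CA for import into the NPS machine store.
#    The 3DES/SHA-1 PBE flags keep the file importable on Windows Server 2008,
#    which cannot read the AES-based PKCS#12 default of newer OpenSSL builds.
openssl pkcs12 -export -inkey "$WORK/nps.key" -in "$WORK/nps.crt" \
  -certfile "$WORK/ca.crt" -name "NPS PEAP" \
  -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
  -passout "pass:${PFX_PASS}" -out "$WORK/nps.pfx"

# has_server_auth_eku CERT.pem -> exit 0 only if 1.3.6.1.5.5.7.3.1 is present
# (openssl prints that OID as "TLS Web Server Authentication").
has_server_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

# chains_to CA.pem CERT.pem -> exit 0 if the cert validates against that root,
# i.e. what a client with the root in Trusted Root CAs will conclude.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Report, the way you would eyeball it before importing.
for c in nps.crt noeku.crt; do
  if has_server_auth_eku "$WORK/$c"; then
    echo "$c: Server Authentication EKU present"
  else
    echo "$c: NO Server Authentication EKU - PEAP clients will reject it"
  fi
done
echo "PKCS#12 bundle for NPS: $WORK/nps.pfx (CA cert for clients: $WORK/ca.crt)"
```

Import nps.pfx into the Local Computer Personal store on the NPS server and select it under the Protected EAP properties of the network policy; push ca.crt into the Trusted Root Certification Authorities store on every client (Group Policy does this), and leave "Validate server certificate" enabled on the client with that CA ticked. The check greps openssl's textual rendering of the EKU; the value clients actually look for is the OID 1.3.6.1.5.5.7.3.1, which Windows shows as "Server Authentication".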
Pha
2009-06-18 00:33:02 UTC
Hi James,

Some more information:
Layer 2 Security WPA+WPA2
MAC Filtering not enabled


WPA+WPA2 Parameters

WPA Policy NOT ENABLED

WPA2 Policy

WPA2 Encryption AES

Auth Key Mgmt 802.1X

There is no layer 3 security assigned.


On the security Tab

RADIUS Authentication Servers
Call Station ID Type: IP Address

Does this look right?
Post by James McIllece [MS]
The Cisco 2112 doesn't need a certificate for PEAP-MS-CHAP v2, only the NPS
server does. All you need on the 2112 is to enable EAP communication.
And you must issue a certificate to the NPS server that is based on the IAS
and RAS Server certificate template.
The DC will receive a cert automatically but it is not the same as the cert
based on the IAS and RAS Server cert template, and it won't work for PEAP-
MS-CHAP v2 authentication.
In addition, client computers must trust the CA that issued the certificate
-- this concept is covered in the guide I recommended. If you deployed your
own CA, clients must trust it -- and that means that the CA certificate
must exist in the Trusted Root Certification Authorities certificate store
on every client computer that you want to be able to successfully connect
to the network.
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online account
name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by Pha
Thanks for this info James.
I have organised with one of the guys here a certificate from
openssl. They created a root certificate, which is on the domain
controllers with NPS, I also have the trusted root certificates on my
workstation (CA is domain.com) and I have confirmed in the
certificates mmc it is under trusted.
I have "uploaded" to the 2112 wlc a certificate for
wireless.domain.com, from the authority domain.com.
I still cannot get it to connect through Radius, current logs show
Log Name: System
Source: NPS
Date: 15/06/2009 9:07:05 AM
Event ID: 4400
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: dc1.domain.com
A LDAP connection with domain controller dc1.domain.com for domain
DOMAIN is established.
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NPS" />
<EventID Qualifiers="16384">4400</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-06-14T23:07:05.000Z" />
<EventRecordID>64254</EventRecordID>
<Channel>System</Channel>
<Computer>DC1.domain.com</Computer>
<Security />
</System>
<EventData>
<Data>DC1.domain.com</Data>
<Data>DOMAIN</Data>
On NPS server
radius client (xxx = company name)
friendly name xxxwlc01
ip: 10.0.2.3
Vendor name: Radius Standard
shared secret: set ok.
Connection request policy (ran through the wireless 802.1x wizard)
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Client friendly name - xxxmil?
no override set
authenticate on this server
Attribute: (username) find domain.com Replace with $
Network Policy
Grant access
ignore dialin properties
NAS Port Type: Wireless - Other OR Wireless - IEEE 802.11
Windows Groups: Domain\domain users
Constraints
EAP type Microsoft: Protected EAP
Less secure auth methods MS-CHAPv2 (user can change password after it
expires). I also enabled MS-CHAP, CHAP and PAP to try and test and get
it working, but I can remove them and will.
Standard: Framed-Protocol PPP
Service type Framed
NAP Enforcement: Allow full network access
Any other ideas would be greatly appreciated if I am missing anything
really obvious?
Pha
Post by James McIllece [MS]
Post by Pha
Hi,
I am having an issue getting a Cisco wlc2112 authenticating using
WPA2-Enterprise (on the client) using PEAP with MS-CHAPv2.
I have changed our domain for DOMAIN, and any legitimate username
as "username".
On the wireless controller I have used AAA and Radius to a windows
2008 domain controller with NPS role.
I am using the following settings:
Call Station ID Type - IP Address
Server Address 10.0.1.15
Shared Secret Format ASCII
Shared Secret (This is set ok)
Confirm Shared Secret (This is set ok)
Key Wrap Not set
Port Number 1812
Server Status Enabled
Support for RFC 3576 Enabled
Server Timeout 3 seconds (I upped this to 30 from 10)
Network User Enable
Management Enable
IPSec Not Enabled
IAS(NPS) logs
Start DateTime 06/12/2009 10:48:17
User Name DOMAIN\username
Stop DateTime 06/12/2009 10:48:17
Duration 00:00:00
User IP
Output Octets 0
Input Octets 0
Connect Request
Connect Result Unknown
In the TRAP of the WLC I get these
RADIUS server 10.0.1.15:1812 failed to respond to request (ID 178)
for client 00:22:fb:22:30:10 / user 'unknown'
In the event log on the NPS I get:
A LDAP connection with domain controller dc1.domain.com for domain
DOMAIN is established.
In the client wireless connectivity setup, I choose security
WPA2-Enterprise, Encryption AES, advanced settings for 802.1X
authentication PEAP-MS-CHAPv2, using my windows credentials.
Does anyone know a known step by step getting Cisco WLC with
Lightweight Access Points (all working if I use WPA2-PSK!) with a
win2k8 NPS RADIUS config?? Or anything that I might be missing?? I
am getting it working without certificates for the moment. We do
not yet have an enterprise Certificate Authority, and I believe
PEAP-MSCHAPv2 doesn't need certs??
ANY help would be greatly appreciated!
Pha
PEAP-MS-CHAP v2 does require a server certificate on the NPS server.
The only exception to this is if you uncheck the "Validate server
certificate" setting on client computers (this can be done per
computer or using Group Policy); but if you do that, security is
compromised, so it is not recommended for production environments.
Foundation Network Companion Guide: Deploying 802.1X Authenticated
Wireless Access with PEAP-MS-CHAP v2
http://technet.microsoft.com/en-us/library/dd183603(WS.10).aspx
Note that there are also Foundation Network Companion Guides for
deploying server certificates and also for deploying user and
computer certificates.
All of the Foundation Network (for WS08) and Core Network (for WS08
Foundation Network and Core Network Guides
http://technet.microsoft.com/en-us/library/dd630625(WS.10).aspx
Thanks --
James McIllece, Microsoft
Please do not send email directly to this alias. This is my online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers no rights.
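In the original post the WLC trap says the RADIUS server "failed to respond" while NPS logs nothing beyond the LDAP connection. Seen from the server, that is what a silent discard looks like: RFC 2865 tells a RADIUS server to drop, without any reply, a request from an address it has no shared secret configured for, and RFC 2869 requires the same for an Access-Request carrying EAP-Message whose Message-Authenticator does not verify under the configured secret. The following is an added example, not code from this thread, Cisco or Microsoft: a minimal Python model of those server-side checks, with the client address, shared secrets and user name constructed for the demo.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, USER_NAME, NAS_IP_ADDRESS, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 1, 4, 79, 80

def attr(kind, value):
    """Encode one RADIUS attribute: Type, Length (value + 2-byte header), Value."""
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(ident, secret, attrs):
    """Client side (the WLC): Access-Request with the Message-Authenticator attribute last."""
    body = b"".join(attrs) + attr(MESSAGE_AUTHENTICATOR, bytes(16))  # HMAC field zeroed
    packet = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + os.urandom(16) + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()  # RFC 2869 5.14

def server_decision(packet, src_ip, clients):
    """Server side (NPS): each 'discard' means no reply at all, which the WLC sees as a timeout."""
    secret = clients.get(src_ip)  # only configured RADIUS clients are answered
    if secret is None:
        return "discard: unknown RADIUS client"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        return "discard: malformed"
    pos, has_eap, mac_off = 20, False, None
    while pos < length:  # walk the attribute list
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return "discard: malformed"
        has_eap |= kind == EAP_MESSAGE
        if kind == MESSAGE_AUTHENTICATOR and alen == 18:
            mac_off = pos + 2
        pos += alen
    if has_eap and mac_off is None:
        return "discard: EAP-Message without Message-Authenticator"
    if mac_off is not None:  # recompute HMAC-MD5 with the field zeroed, keyed by our secret
        zeroed = packet[:mac_off] + bytes(16) + packet[mac_off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(expected, packet[mac_off:mac_off + 16]):
            return "discard: Message-Authenticator mismatch (shared secret differs)"
    return "accept for processing"

def demo():
    """Constructed scenario: WLC 10.0.2.3 registered on NPS; the user name is a placeholder."""
    clients = {"10.0.2.3": b"correct-secret"}
    identity = b"DOMAIN\\username"
    eap_identity = struct.pack("!BBHB", 2, 1, 5 + len(identity), 1) + identity  # EAP Response/Identity
    attrs = [attr(USER_NAME, identity), attr(NAS_IP_ADDRESS, bytes([10, 0, 2, 3])), attr(EAP_MESSAGE, eap_identity)]
    req = lambda secret: build_access_request(178, secret, attrs)
    return {"good": server_decision(req(b"correct-secret"), "10.0.2.3", clients),
            "wrong_secret": server_decision(req(b"typo-secret"), "10.0.2.3", clients),
            "unknown_client": server_decision(req(b"correct-secret"), "10.0.1.99", clients)}
```

A mistyped secret and a request arriving from a controller interface address other than the one registered as the RADIUS client on NPS both end in the same "no response" the WLC trap reports, which is why both are worth checking before the certificate side.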
b***@gmail.com
2014-09-19 14:46:56 UTC
James,

Where does one purchase the special type of certificate as required with EKU extension marked as Client Authentication purpose 1.3.6.1.5.5.7.3.2?

I do not want to deploy PKI in Active Directory but would rather buy this certificate and import it onto the NPS server; Go Daddy and the like only sell SSL certificates, which, based on the numerous posts here, will NOT do.

Thanks
