3

I cannot get WPA2 enterprise to work on my network. I will give you an overview of the current setup.

Windows Domain, using IAS and its own CA

Linksys WAP200 Access Point

I set up the AP to use WPA2-Enterprise Mixed using RADIUS. I set up and registered IAS on the domain controller. I added the AP as a client with and have tried using both RADIUS Standard and Cisco as the RADIUS type.

I configured the IAS policy to grant access to Domain Computers. Authentication is set to PEAP and uses a private cert issued by our CA; the other profile settings are all default.

The client settings on the laptop match the IAS settings and the certificate is definitely installed. WPA2 is supported, as I can connect to WPA2 personal APs. I have tried multiple laptops.

During the connection it flashes that it "connected" for a second, then goes to "Validating Identity", which it eventually times out on. I am using the Windows Wireless Connection Manager.

Any help would be very appreciated!

ITGuy24

2 Answers

3

Heh heh... I set up exactly what you're describing with that very AP earlier this week for a Customer.

  • RADIUS Standard works fine for that AP.
  • To rule out the certificate validation, uncheck the "Validate Server Certificate" setting in the PEAP properties on the client at least temporarily.
  • Be sure that IAS is starting and running. I've seen problems with IAS and the need to set "ReservedPorts" since the Kaminsky DNS update. See http://support.microsoft.com/kb/956189 for details.
  • Are you seeing the authentication requests coming in from the AP in the server's event log? If not, throw "Network Monitor" on the server (or Wireshark if you're so inclined) and sniff the traffic between the server and the AP.

On a couple of occasions I've seen that particular AP (don't know what firmware) suddenly stop attempting to authenticate clients (it never sends any RADIUS requests) and power-cycling the AP "fixes" the issue. I suspect a firmware upgrade probably fixes that behaviour.

Evan Anderson
  • I checked the IAS log files and was getting "No Policy Match" error. I switched from Domain computer to Domain Users and it worked. Now I just need to figure out why... Any ideas? – ITGuy24 Jul 24 '09 at 15:46
  • An obvious question: Do you have the client computer set up to authenticate using the computer account when user credentials aren't available? – Evan Anderson Jul 24 '09 at 15:50
  • "Authenticate as computer when computer info is available" is enabled. – ITGuy24 Jul 24 '09 at 15:55
  • Woah there-- I'm having an "idiot moment". If you want to accept both computer credentials and user credentials you'll need to name both "Domain Computers" and "Domain Users" in your policy. By default, XP will re-authenticate with the user credential after the user logs on (there is no way to do computer-only with XP, I believe). – Evan Anderson Jul 24 '09 at 17:51
1

I'd start by reviewing the event logs on your IAS server for reasoning as to why it's not authenticating your client. I've found the logs to be quite helpful in determining where along the bases your authentication is getting hung up (client -> AP -> IAS).
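
The log review suggested in this answer, combined with the "No Policy Match" diagnosis from the comments on the other answer, as an added example that is not part of the original thread: it scans IAS-formatted log records for rejects with no matching policy and reports whether the rejected identity was a computer or a user credential. The record layout (six header fields, then attribute id/value pairs), attribute IDs 4136 and 4142, reason code 48, and the `host/` and trailing `$` naming of computer accounts are assumptions; the sample records are constructed.

```python
import csv

# Assumed IAS-formatted log layout: six header fields, then id,value pairs.
# Attribute IDs and the reason code are assumptions, not from the thread.
PACKET_TYPE, REASON_CODE = "4136", "4142"
ACCESS_REJECT = "3"
NO_POLICY_MATCH = "48"  # assumed: request matched no remote access policy

# Constructed sample records (policy names only "Domain Computers").
SAMPLE_LOG = """\
192.0.2.10,host/LAPTOP01.corp.example,07/24/2009,15:40:02,IAS,DC01,4,192.0.2.10,4136,1,4142,0
192.0.2.10,host/LAPTOP01.corp.example,07/24/2009,15:40:03,IAS,DC01,4,192.0.2.10,4136,2,4142,0
192.0.2.10,CORP\\jsmith,07/24/2009,15:46:30,IAS,DC01,4,192.0.2.10,4136,1,4142,0
192.0.2.10,CORP\\jsmith,07/24/2009,15:46:31,IAS,DC01,4,192.0.2.10,4136,3,4142,48
"""

def identity_kind(user_name):
    """Classify the logged User-Name as a computer or user credential."""
    name = user_name.lower()
    return "computer" if name.startswith("host/") or name.endswith("$") else "user"

def parse_record(fields):
    """Split one record into its header fields and an attribute dict."""
    rec = dict(zip(("nas_ip", "user_name", "date", "time", "service", "server"), fields[:6]))
    rec["attrs"] = dict(zip(fields[6::2], fields[7::2]))
    return rec

def policy_mismatches(log_text):
    """Return (time, user_name, kind) for rejects with no matching policy."""
    hits = []
    for fields in csv.reader(log_text.splitlines()):
        if len(fields) < 8:
            continue  # skip blank or truncated lines
        rec = parse_record(fields)
        attrs = rec["attrs"]
        if attrs.get(PACKET_TYPE) == ACCESS_REJECT and attrs.get(REASON_CODE) == NO_POLICY_MATCH:
            hits.append((rec["time"], rec["user_name"], identity_kind(rec["user_name"])))
    return hits

def groups_to_check(hits):
    """Map rejected identity kinds to the policy group condition to review."""
    wanted = {"computer": "Domain Computers", "user": "Domain Users"}
    return sorted({wanted[kind] for _, _, kind in hits})

if __name__ == "__main__":
    hits = policy_mismatches(SAMPLE_LOG)
    for when, name, kind in hits:
        print(f"{when} {name}: rejected, no policy match ({kind} credential)")
    print("Review policy group conditions for:", ", ".join(groups_to_check(hits)))
```

In the constructed sample the computer credential is accepted before logon and the user credential is rejected afterwards, which is the pattern to expect when the policy names only one of the two groups.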