Radius help please
Last Post: February 13, 2006:
-
I am trying to set up my first RADIUS configuration and am having some problems.
I have a Colubris CN3200 controller and a Windows network. I installed CA and IAS on a test server in a new domain. Then I followed the steps on http://thelazyadmin.com/index.php?/archives/321-Securing-Wifi-with-IAS-Pt.1-Server-Configuration.html to configure the RADIUS settings. I think I got the controller to point to the RADIUS server, but when I try to connect with a client, it fails the authentication.
A couple of questions:
1. Does the client need to be a member of the domain?
2. Does the client need the certificate installed locally?
3. Where do you start looking for the problem in troubleshooting an issue like this (workstation, controller, or server)?
Thank you so much for any help, -
Start with the Event Viewer on the MS RADIUS Server, and see what error you are getting.
Make sure the client has the CA Server's Root Certificate installed on the client.
MS IAS authenticates against Active Directory, so the user account you are using with EAP-PEAP must be configured there, and configured correctly.
Reply with the errors you get after checking these steps, and I can tell you what is wrong. PM me if needed, but if possible post so everyone may benefit. -
Thanks for the reply.
I just got a chance to look at it, and I had forgotten to allow the account I was using on the AP to have access to dial in. Then I noticed that the client needed to be a member of the domain.
Now I am connecting and getting an IP, but no access to the Internet yet. Still working on it - if I don't get it in the next hour or so, it will be next week before I can get on this again. I will keep you updated with what I find.
Thanks again! -
Still having problems and I don't know if this is telling me anything in the logs.
User host/ken-hp.test.local was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.100.250
NAS-Identifier = R060-00218
Client-Friendly-Name = WiFi
Client-IP-Address = 192.168.100.250
Calling-Station-Identifier = 00-90-4B-43-1E-6B
NAS-Port-Type = Wireless - IEEE 802.11
NAS-Port = 5
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = <none>
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = <undetermined>
EAP-Type = <undetermined>
I don't know if the Controller (Colubris CN3200) is trying to route between subnets or not - everything is on the same subnet. It is almost acting like that is the problem but there is also the - Authentication-Server = <undetermined> - line in the event logs that I just don't know about.
Thanks for the help. -
There can be several fields reported as undetermined and it will still work.
Just to be clear, you have the wireless subnet as the same subnet as your network? What device is providing DHCP? Can you ping the network from your wireless device? Is DHCP providing DNS info, etc.?
If you are getting a valid IP address, then it sounds like you are authenticating okay, but may not have DNS configured correctly. -
I would also look to see what default gateway you're getting from your DHCP server. I agree with CC: if you're getting an IP, you should be authenticated. I'd start working up the OSI model. How far can you ping? I.e., can you ping an IP in your LAN? Can you ping an IP on the Internet? If both are good, start pinging names on your LAN and work your way out.
-
After working on it for a while, I reset the device to factory defaults. Before I reconfigured the RADIUS, I set it up for local auth and could not see the local network. I think it is working at layer 3 and causing some of my issues.
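
Added example, not part of the original thread: a small Python parser for the IAS event text posted above. It shows what the "granted access" line and the <undetermined> fields do and do not tell you. The function names are hypothetical, and the "denied" wording is assumed to mirror the "granted" line.

```python
import re

# Event text copied from the post above (fields trimmed to those used here).
SAMPLE_EVENT = """\
User host/ken-hp.test.local was granted access.
Fully-Qualified-User-Name = <undetermined>
NAS-IP-Address = 192.168.100.250
Calling-Station-Identifier = 00-90-4B-43-1E-6B
NAS-Port-Type = Wireless - IEEE 802.11
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
EAP-Type = <undetermined>
"""

HEADER = re.compile(r"^User (?P<identity>\S+) was (?P<outcome>granted|denied) access\.?$")

def parse_ias_event(text):
    """Split an IAS event description into identity, outcome and attributes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    match = HEADER.match(lines[0]) if lines else None
    if match is None:
        raise ValueError("not an IAS access event")
    attrs = {}
    for ln in lines[1:]:
        # Split on the first " = " only; values like "Wireless - IEEE 802.11" keep their dash.
        key, sep, value = ln.partition(" = ")
        if sep:
            attrs[key.strip()] = value.strip()
    return match["identity"], match["outcome"], attrs

def triage(text):
    """Summarise what the event tells the troubleshooter and where to look next."""
    identity, outcome, attrs = parse_ias_event(text)
    return {
        "identity": identity,
        "granted": outcome == "granted",
        # Windows computer accounts authenticate as host/<fqdn>, not as a user name.
        "machine_account": identity.lower().startswith("host/"),
        "client_mac": attrs.get("Calling-Station-Identifier"),
        "undetermined": sorted(k for k, v in attrs.items() if v == "<undetermined>"),
        # A grant means RADIUS did its job; the next suspects are DHCP, gateway and DNS.
        "next_step": "check DHCP/gateway/DNS" if outcome == "granted"
                     else "check account, dial-in permission, certificates",
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(f"{key}: {value}")
```

For the event in this thread the result is a granted request from a computer account, which matches the replies: authentication succeeded, so the remaining fault is on the IP side.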