IAS and Wireless AP

BB69

Hello,

I am having a problem with getting a wireless laptop to stay connected when using two-factor authentication. I am in the process of testing this before putting it in production. When I have the laptop using two-factor authentication, the connection gets dropped after about 1 hour. I have to do a repair on the laptop wireless adapter to be able to reconnect to the wireless network again. I changed the configurations on my APs (2 of them) to use WPA2 personal mixed and used a shared secret key, and the laptop stays connected. I ran a constant ping for almost 24 hours and it never lost the connection.

I suspect it is a configuration setting on the IAS server but I don't know what I am missing.
My IAS settings are as follows:
The default ports are used

Radius Clients are set to the correct APs with the keys

I set full logging in the log file. (although I do not understand how to read the log file)

I used the wizard for the remote access policy. It is set to NAS port type matches "Wireless - others" OR "Wireless IEEE 802.11" AND Windows groups matches Domain Computers and a group I made for wireless users. The account I am testing with is a member of that group. The settings in this profile for the access policy were left at the default settings except for the encryption (only 128 bit). Authentication is set to PEAP. I created a self-signed certificate for this server and placed it in the trusted root certificate authority. I also installed that certificate to the laptop I am testing with.

For the connection request policies, I left the use windows authentication for all users as is.

I checked the event viewer system log on the IAS server and I see it gets granted access. When the connection gets dropped I do not see any other connection messages about being denied. The last entry of the connection shows it as successful.

I am using two Linksys WAP4400N access points. One is on channel 1 and the other is on channel 11. They are both using the same SSID to enable roaming.

If anyone has any suggestions, I would appreciate it.

Brian


 
I have two Cisco 1100 APs and am using Radius with a Windows 2003 IAS server in an AD environment and it works flawlessly. I have two IAS policies for Wireless - one for the Machine Accounts and one for the User Accounts. This allows the machine to get access to the network when it boots so GPOs get processed etc. The default behaviour of the Microsoft 802.1x supplicant is to re-authenticate when a user logs on so the User Policy is then applied. The Policy conditions in both cases are the same except the Windows Group Membership (Machines are members of the 'Wireless Machines Group' and users are members of the 'Wireless Users Group'). The policy checks for:

Windows Group membership AND
Authentication-Type=EAP AND
NAS-Port-Type=Wireless - IEEE 802.11 AND
Service-Type=Authenticate Only OR Login

I have configured the session-timeout for the Machine Policy for 30-minutes and for the User Policy 180-minutes. Authentication is set to EAP and PEAP. In the advanced tab I have set Service-Type=Framed and Termination-Action=RADIUS-Request. The IP, Multilink & Encryption tabs are unused.

The APs are configured for WPA2/AES, although in Cisco-speak this is 'authentication key-management wpa' & 'encryption mode ciphers aes-ccm'. I have also enabled key rotation for every 320-seconds, although I can't remember why I did this?

HTH

Andy
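
An added example, not part of any post in this thread: a Python reader for the IAS log file mentioned in the first post, checking whether each Access-Accept carried the Session-Timeout (attribute 27) and Termination-Action (attribute 29) values described in the reply above. The log lines are constructed; the code assumes IAS-format (comma-separated, six header fields then attribute-id/value pairs) logging and that the accept record lists the attributes the policy returned.

```python
import csv
import io

# Constructed sample records in IAS-format logging; not taken from the thread.
SAMPLE_LOG = """\
192.0.2.10,wuser@example.local,03/01/2009,09:00:01,IAS,IAS01,4,192.0.2.10,61,19,4136,1,4142,0
192.0.2.10,wuser@example.local,03/01/2009,09:00:01,IAS,IAS01,6,2,27,10800,29,1,4136,2,4142,0
192.0.2.11,host/LAPTOP1.example.local,03/01/2009,09:05:12,IAS,IAS01,6,2,4136,2,4142,0
192.0.2.11,guest@example.local,03/01/2009,09:06:40,IAS,IAS01,4136,3,4142,16
"""

HEADER = ("nas_ip", "user", "date", "time", "service", "computer")
# Attribute 4136 is the IAS Packet-Type; 4142 is the IAS Reason-Code (0 = success).
PACKET_TYPE = {"1": "Access-Request", "2": "Access-Accept",
               "3": "Access-Reject", "4": "Accounting-Request"}


def parse_ias_line(fields):
    """Split one record into its header and an {attribute-id: value} map."""
    rec = dict(zip(HEADER, fields[:6]))
    rest = fields[6:]
    rec["attrs"] = dict(zip(rest[0::2], rest[1::2]))
    return rec


def audit_accepts(log_text):
    """Return (user, time, session_timeout, reauth, note) per Access-Accept."""
    findings = []
    for fields in csv.reader(io.StringIO(log_text)):
        if len(fields) < 8:  # header plus at least one attribute pair
            continue
        rec = parse_ias_line(fields)
        attrs = rec["attrs"]
        if PACKET_TYPE.get(attrs.get("4136")) != "Access-Accept":
            continue
        timeout = attrs.get("27")          # Session-Timeout, seconds
        reauth = attrs.get("29") == "1"    # Termination-Action = RADIUS-Request
        if timeout is None:
            note = "no Session-Timeout returned; re-auth timing is left to the AP"
        elif not reauth:
            note = "Session-Timeout without RADIUS-Request; session ends at timeout"
        else:
            note = "re-authenticates via RADIUS every %s s" % timeout
        findings.append((rec["user"], rec["time"], timeout, reauth, note))
    return findings


if __name__ == "__main__":
    for row in audit_accepts(SAMPLE_LOG):
        print(row)
```
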

 
So far it has been working for more than an hour with most of the settings you gave me. When I set the Service-Type=Authenticate Only OR Login I get the error below:

"The user attempted to use an authentication method that is not enabled on the matching remote access policy."

Without it, the connection works.

If I left the encryption at 128 bit, the connection would drop after the hour, but after changing it to no encryption it has not dropped for about 2 hours. I will keep this going for two days to make sure.

Shouldn't the encryption be set though to encrypt the negotiation process?

Brian
 
In the testing I did, as far as I could tell, the Encryption options are ignored by the APs. I tried all four options and could connect each time. I must admit I didn't try each connection for hours though. Currently my IAS policy has the 128 bit option ticked. This does appear to be for 'legacy' options for dial-up/VPN connections though as it mentions MPPE & 3DES encryption?

Andy
 
Thanks

It seems to work with the 128 bit enabled. I have had some employees from another site here and it is working with them. At least they have not complained about losing the connection.

Brian
 