Authenticating to a Cisco 1250 with IAS

Answered Question
Jun 4th, 2010

Does anyone know how to configure a 1250 access point to authenticate to Windows 2003 IAS? I currently have followed links on the web but cannot get the client to authenticate. Any documentation that works? Do I need certificates on the client or at the server? Thanks for any help!!!!

leejohns Sat, 06/05/2010 - 06:53

Hugh,

The 1250 series APs are no different than any other model of IOS based APs when it comes to configuring it to authenticate to a RADIUS server.  If you are trying to use PEAP, then you only need a certificate on the RADIUS server. If you are using EAP-TLS, then you need certificates on both the RADIUS server and the clients.  If the client is configured to validate the RADIUS server certificate, then the client needs to have the root CA for the certificate that the RADIUS server is using.  I always start with not validating the certificate just to make sure all the other underlying configs are correct.

What errors do you see on IAS when a client tries to authenticate?  What errors do you see on the AP when running the radius debugs?  The following link shows what debugs to run for various authentication methods and how to interpret the output:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_tech_note09186a008024aa4f.shtml

I attached a very simplistic working config from a 1252 using WPA2/AES and PEAP I just set up in the lab.  If your AP is set up like this, then the issue lies with either the IAS server (the remote access policy, no cert, etc.) or the client. Make sure the client is running the latest wireless drivers and if it happens to be an XP SP2 client using WZC as the supplicant, you will want to have the patch for KB885453 or SP3 installed.

Thanks,

Lee

hugh.lancaster@... Sat, 06/05/2010 - 10:24

Thanks for the help. I am not using a wireless controller. I have 5 access points. On the IAS I have a client configured for each access point. For the xxx.xx.xxx.193 access point I am not seeing any errors in event viewer. I do see errors on the access point "can not authenticate" (attached file). I also attached the sh run. On the wireless laptop I see the error "Windows was unable to find a certificate to log you on to the network." I am wondering if my IAS is installed correctly - don't have a lot of options to configure. On the client I unchecked the "validate the certificate". On another access point xxx.xx.xxx.194, client can connect. It is configured exactly the same.

Laptop wireless: windows xp sp3

Windows IAS server sp2

Again, thanks for your help

leejohns Sat, 06/05/2010 - 10:37

I'm not seeing anything wrong with your configuration. The debug output from the AP indicates that the client is not responding to an EAP request:

*Jun  5 15:05:53.106: Client 0017.c466.63bc failed: Timeout waiting for client EAP auth response

If the client is not responding, then you will not see any errors on the IAS server b/c nothing is being sent to it.  What model of wireless card is the laptop using, Cisco, Intel, Broadcom, etc.? And what driver version?  If it is an Intel card, you should be running 12.4.4.5 or 13.1.  More often than not, updating the client drivers makes a huge difference.

Also what supplicant are you using, i.e. WZC, Intel ProSet, etc.?  If you are using WZC, try using something different.  For example if you have an Intel card, try using the ProSet software and see if that makes a difference.

Remember that the APs are simply a middle man in the 802.1x auth process passing credentials back and forth between the client and the RADIUS server.  If both APs are configured correctly, then that leaves the client and/or the RADIUS server.  Since the client is able to authenticate sometimes, then I would suspect the client.

Thanks,

Lee

hugh.lancaster@... Mon, 06/07/2010 - 05:04

I updated to the latest driver. 802n USB Wireless Card - Ralink Technology Corp, Driver Date 2/12/10, Driver ver. 3.1.0.0. On the client, I am getting error "Windows was unable to find a certificate to log you on to the network ENCSDWIRELESS2". I am using supplicant Ralink wireless utility WZC. I will change and see what happens. I don't understand the certificate issue.

Correct Answer
leejohns Mon, 06/07/2010 - 06:10

Hugh,

The latest debugs show the same behavior.  The AP is starting the EAP process and the client does not appear to be responding.  We keep seeing EAP timeouts:

Executing Action(CLIENT_WAIT,TIMEOUT) for 0017.c466.63bc

So all the information we have at the moment is pointing to the client being the issue here.

What don't you understand about the certificate?

Lee
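
Added example (not part of the original posts, and not Cisco's tooling): a small triage script for the AP debug output quoted in Lee's two replies above, counting the EAP client-timeout lines per client MAC. The function name, the threshold of 2 and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MAC = r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4})"
# The two AP debug line shapes quoted in this thread.
FAILED_MSG = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+\s+[\d:.]+):\s+Client\s+" + MAC +
    r"\s+failed:\s+Timeout waiting for client EAP auth response")
WAIT_ACTION = re.compile(r"Executing Action\(CLIENT_WAIT,TIMEOUT\)\s+for\s+" + MAC)

def triage_eap_timeouts(lines, threshold=2):
    """Summarise EAP client timeouts per MAC; threshold is an assumed cut-off."""
    stats = defaultdict(lambda: {"failed_msgs": 0, "wait_actions": 0,
                                 "first_seen": None, "last_seen": None})
    for raw in lines:
        line = raw.strip()
        failed = FAILED_MSG.search(line)
        action = None if failed else WAIT_ACTION.search(line)
        if failed:
            entry = stats[failed.group("mac").lower()]
            entry["failed_msgs"] += 1
            ts = " ".join(failed.group("ts").split())  # collapse padded day field
            entry["first_seen"] = entry["first_seen"] or ts
            entry["last_seen"] = ts
        elif action:
            stats[action.group("mac").lower()]["wait_actions"] += 1
    for entry in stats.values():
        # Counted separately in case one timeout emits both line types.
        repeated = max(entry["failed_msgs"], entry["wait_actions"]) >= threshold
        entry["verdict"] = ("client not answering EAP; check supplicant/driver, "
                            "expect no RADIUS-side event" if repeated
                            else "single timeout; retry before drawing conclusions")
    return dict(stats)

# First line is quoted from the thread; the rest are constructed in the same shape.
SAMPLE = [
    "*Jun  5 15:05:53.106: Client 0017.c466.63bc failed: Timeout waiting for client EAP auth response",
    "Executing Action(CLIENT_WAIT,TIMEOUT) for 0017.c466.63bc",
    "*Jun  5 15:06:23.412: Client 0017.c466.63bc failed: Timeout waiting for client EAP auth response",
    "*Jun  5 15:07:02.008: Client 0000.5e00.5301 failed: Timeout waiting for client EAP auth response",
    "unrelated debug line (constructed noise)",
]

if __name__ == "__main__":
    for mac, info in triage_eap_timeouts(SAMPLE).items():
        print(mac, info)
```

A client that only ever shows up in these timeout lines never got far enough for the AP to relay anything, which is why the RADIUS server's event log stays empty for it.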

hugh.lancaster@... Mon, 06/07/2010 - 06:27

In another building, I tried connecting this (problem laptop) and no success. I tried another laptop same model (companion touch) and it authenticated and connected with no problem. The problem laptop and the working laptop are configured exactly the same. On the laptop not authenticating I am getting "Windows was unable to find a certificate to log you on to the network." Can you explain to me is it a certificate issue or an EAP issue? Any other suggestions to try on the client side? Thanks for your help.

hugh.lancaster@... Mon, 06/07/2010 - 06:43

Just got it to work. Under "Authentication\EAP type": changed from "Protected PEAP" to "Smart card or other Certificate", saved, and then changed back to "Protected PEAP" and now it works. Why?

leejohns Mon, 06/07/2010 - 06:51

Hugh,

I am glad to hear you got it working. I really have no explanation for what you are seeing with the one laptop. The card/laptop vendor would need to answer that question.  Obviously the supplicant on that machine was confused or corrupted and was not properly performing EAP.  By changing the WLAN profile settings, you cleared that out so it is operating correctly now.

Lee

leejohns Mon, 06/07/2010 - 07:20

Hugh,

There is something that is not right with your clients.  As I mentioned before, the AP is simply a middle man and passing what the client sends to the RADIUS server. In this case, it obviously sent some domain name, ST01, that doesn't exist. I don't know if that is the local machine name or something else, but the client is doing this.  This is all independent of the AP. The AP has no knowledge of domains, usernames, the EAP type, etc.  It just passes the information back and forth.  Is the supplicant set up to automatically use the logged in user's domain and password?  If so, are you logging on to the machine with a local or domain account?  But all of this comes down to what is the client sending, it has nothing to do with the AP itself or how it is configured.

Lee

hugh.lancaster@... Mon, 06/07/2010 - 11:57

Resolved one problem. When logging on, logging on to the local account and the domain account. That is why could not authenticate. I manually select the domain and authentication completes. Thanks
