EAP-TLS with 340 AP, 350 Client, Windows 2000 IAS...HELP!?!?!?!

jasonhumes
Level 1

I've been trying to set up secure wireless using a 340 AP, a 350 Client Card, and a Windows 2000 IAS (RADIUS) server, authenticating with EAP-TLS. I've been trying to get this set up now for days and have been having all sorts of trouble. Does anyone have any experience with this setup or have any insight into how this can be accomplished? Maybe you know where I can find a good document on how this should be configured. I've set up LEAP authentication in the past using Cisco ACS, but now a different client wants to use their existing IAS server instead, and only EAP-TLS is supported. Thanks very much.

5 Replies

verdann
Level 1

I've written a how-to on doing just this: http://www.cs.umd.edu/~mvanopst/8021x/howto/ I wrote it a little over a year ago, so some of the screenshots when setting up the client are a bit different now because of various service packs/hotfixes and the like, but it's essentially still relevant. I'm currently working on PEAP/Windows 2003 Server documentation; check http://www.missl.cs.umd.edu/Projects/wireless/infrastructure.shtml in a few weeks if you're interested. -mike

Mike,

Could I pick your brain?

Instead of the 340/350, I am using 1100.

I was wondering if you would know why I am having difficulties.

Using EAP and certificates on XP clients, with rotating keys provided by the AP and the Win2K server IAS... From a cold boot, we are not getting IPs from the AP via our DHCP server.

After the card fails to receive an IP, XP logs the client in via cached credentials; after about 1.5 minutes we finally get an IP. The debug shows that we are getting authentication failures, but according to AD, the machine and the user have successfully authenticated.

Thanks!

OK, sounds like you're going to need to enable host-based certificate authentication. Remember that the TLS certificate you've received for your user is stored in the _user_ profile, and thus you can't access it to authenticate the network port until _after_ the user has logged in. You're going to need to set a group policy on the AD for each domain client to receive a certificate to authenticate the network port when it boots so the user can then log in to the network, then have the network port re-authenticate with their personal certificate (or just keep host-based authentication, whichever you prefer). - mike

I'm hoping you can help me out also. I am set up with a Windows 2000 Server running IAS, a Cisco AP 350, and a laptop with an Aironet 350 card. It sounds like I am having the same issue as others. When I boot the PC, I cannot get an IP address until I have logged in with the user account and EAP-TLS authenticates against the user's certificate. The IAS logs show that the computer, prior to logon, is denied access with a reason of "The user is not allowed dial-in access to the network." I have followed the instructions from your webpage, which helped me out tremendously, but I am still hung up on this. How do I set up the host-based authentication? I'm probably just missing something stupid. Thanks.

mschuh
Level 1

I've set up this scenario (using the how-to paper from verdann) and it works well.

Use this document to understand what to do and how to troubleshoot EAP-TLS:

http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_white_paper09186a008009256b.shtml

At the AP350 use eap_diag1_on to troubleshoot EAP; at the client and the IAS server you can use the command line netsh ras set tracing * enable

See http://www.microsoft.com/windowsxp/pro/techinfo/administration/networking/troubleshooting.asp

Use eventvwr at the IAS server to see why EAP fails.

If you need more help, let me know what works or what you need to know.
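The pre-logon rejection described earlier in the thread (the computer account denied with "not allowed dial-in access" while the user is accepted after logon) and the advice above to read the IAS side of the exchange both come down to reading IAS log records. The script below is an added example, not code from the thread or from Cisco/Microsoft: it parses IAS-format (comma-separated) log lines, tells machine authentications (User-Name of the form host/FQDN, which is what the Windows supplicant sends before logon) apart from user authentications, and explains the outcome of each record. The log lines are constructed for the example. The attribute numbers (4136 = Packet-Type, 4142 = Reason-Code, 61 = NAS-Port-Type, 31 = Calling-Station-Id) follow the IAS log format as commonly documented, and the reason-code text table is an assumption drawn from memory; verify both against your own server's logs before relying on the hints.

```python
"""Triage IAS-format RADIUS log records for 802.1X / EAP-TLS troubleshooting.

Added example (not from the original thread). It separates machine (host/...)
authentications from user authentications and explains Access-Reject records,
so a computer account that is denied before logon stands out from the user
success that follows it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Attribute numbers as commonly documented for the IAS log format (assumption: verify locally).
ATTR_PACKET_TYPE = 4136
ATTR_REASON_CODE = 4142

PACKET_TYPE = {1: "Access-Request", 2: "Access-Accept",
               3: "Access-Reject", 4: "Accounting-Request"}

# Reason-code meanings as recalled from IAS documentation (assumption: check your server).
REASON_TEXT = {
    0: "success",
    16: "authentication failure (credentials or certificate not validated)",
    48: "no remote access policy matched",
    65: "dial-in permission denied on the account",
}


@dataclass
class Record:
    nas_ip: str
    user_name: str
    date: str
    time: str
    attrs: Dict[int, str]

    @property
    def is_machine(self) -> bool:
        # The Windows supplicant identifies the computer as host/<FQDN> before logon.
        return self.user_name.lower().startswith("host/")

    @property
    def packet_type(self) -> Optional[str]:
        value = self.attrs.get(ATTR_PACKET_TYPE)
        return PACKET_TYPE.get(int(value)) if value is not None else None

    @property
    def reason(self) -> Optional[int]:
        value = self.attrs.get(ATTR_REASON_CODE)
        return int(value) if value is not None else None


def parse_record(line: str) -> Record:
    """Parse one IAS-format record: six fixed fields, then attribute/value pairs.

    Limitation: values containing commas are not handled (IAS does not quote them).
    """
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < 6 or (len(fields) - 6) % 2:
        raise ValueError("not an IAS-format record: %r" % line)
    pairs = iter(fields[6:])
    attrs = {int(key): value for key, value in zip(pairs, pairs)}
    return Record(fields[0], fields[1], fields[2], fields[3], attrs)


def diagnose(rec: Record) -> str:
    """Explain a record; add a hint for the machine-account dial-in rejection."""
    who = "machine" if rec.is_machine else "user"
    ptype = rec.packet_type
    if ptype == "Access-Accept":
        return f"{who} {rec.user_name}: accepted"
    if ptype == "Access-Reject":
        text = REASON_TEXT.get(rec.reason, f"reason code {rec.reason}")
        hint = ""
        if rec.is_machine and rec.reason == 65:
            hint = (" -> computer account lacks dial-in permission; grant it "
                    "(or control access through the remote access policy) so the "
                    "port can authenticate before user logon")
        return f"{who} {rec.user_name}: rejected, {text}{hint}"
    return f"{who} {rec.user_name}: {ptype or 'unknown packet type'}"


def triage(lines: List[str]) -> List[str]:
    return [diagnose(parse_record(line)) for line in lines if line.strip()]


# Constructed sample log: machine auth rejected before logon, user auth accepted after it.
SAMPLE_LOG = """\
10.0.0.5,host/LAPTOP01.corp.example,03/12/2003,08:01:12,IAS,IASSRV,4136,1,61,19,31,00-40-96-A1-B2-C3
10.0.0.5,host/LAPTOP01.corp.example,03/12/2003,08:01:12,IAS,IASSRV,4136,3,4142,65
10.0.0.5,CORP\\jdoe,03/12/2003,08:02:45,IAS,IASSRV,4136,1,61,19,31,00-40-96-A1-B2-C3
10.0.0.5,CORP\\jdoe,03/12/2003,08:02:45,IAS,IASSRV,4136,2,4142,0
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG.splitlines()):
        print(line)
```

Run it against an exported IAS log file instead of SAMPLE_LOG to see, per record, whether the identity that was rejected is the computer (host/...) or the user; a machine rejection with the dial-in reason while the user is accepted is exactly the pattern the posts above describe.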
