Wireless Radius Clients

Hello MVP,

I am setting up a Wireless Network and trying to take advantage of IAS with
EAP-TLS in Windows Server 2003. The client is prompted for a cert but when I
select the cert it just tries and tries then prompts me again. This
continues....
I have a linksys wrk54g using WPA - Radius. I have both user certs and
computer certs on the client. I have a computer cert on the IAS server. Auto
entrollment is working as it should.

Note: I am using L2TP/IPsec successfully over the same Windows system. Also
note that currently I am having to just use WEP which hopefully is just
temporary.

Any help would be greatly apprciated.

In news:8F814973-64C4-4070-B024-(E-Mail Removed),
Steven <(E-Mail Removed)> stated, which I commented on
below:
> Hello MVP,
>
> I am setting up a Wireless Network and trying to take advantage of
> IAS with EAP-TLS in Windows Server 2003. The client is prompted for a
> cert but when I select the cert it just tries and tries then prompts
> me again. This continues....
> I have a linksys wrk54g using WPA - Radius. I have both user certs and
> computer certs on the client. I have a computer cert on the IAS
> server. Auto entrollment is working as it should.
>
> Note: I am using L2TP/IPsec successfully over the same Windows
> system. Also note that currently I am having to just use WEP which
> hopefully is just temporary.
>
> Any help would be greatly apprciated.

I just did this recently using a Cisco Aironet 1231 and it's still pretty
fresh in my mind. I didn't use WEP, not necessary since I used WPA and
TKIP.Works great.

I'm assuming you used a Windows 2003 Enterprise for the CA to give you the
ability to duplicate the User and Computer certs to create your
autoenrollment certs, and in the certs, you are allowing user and computer
certs to login.

From what you've posted, if you've verified by checking the workstation
(certifcates snap-in) that it has received a cert thru autoenrollment, and
depending on how the clients wireless interfaces are setup, whether static
settings or controlling the clients thru a GPO, it should pretty much work.

Are you using a GPO for a wireless policy? If so, what do you have set in
there as far as the client settings (WPA, WEP, SSID, etc)?

Is the key length on the CA and the certs no larger than 1024? Cisco, and
what I understand many others, do not support keys larger than 1024. If it
keeps prompting you for the cert, than that may be a better guess as to why
this is happening.

Make sure your RADIUS Linksys client and IAS server shared secrets match.
(You'd be suprised how this one can be easily overlooked).

Did you create an IAS policy to allow 802.1?
Controlling access by groups in the IAS policy? If so, are the users part of
that group?

What do the ISA logs, ISA server and client Event viewer logs, and possibly
the Linksys logs say? Any errors on the Event logs on the CA?

Sorry for all the questions, too many places this can go wrong, and need to
narrow it down.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.

It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Assimilation Imminent. Resistance is Futile
Infinite Diversities in Infinite Combinations

"Very funny Scotty. Now, beam down my clothes."

The only thing in life is change. Anything more is a blackhole consuming
unnecessary energy.

Thanks for your reply Ace,

I have done everything by the book. As I said, my L2TP/IPSec is working
perfectly from the same computer. It uses the computer cert and the user
cert. I suspect the problem may be my Linksys as it is a router and not a AP
however it does have the Radius selection under security. When I select it I
point it to my Radius IP address and then give the linksys a static IP and
set it as a Radius Client. Yes I tried using WPA TKIP - Radius on that end.
Trying to move away from WEP. I haven't set a Wireless GPO yet, i won't do
that untill I can successfully connect manually. Would love to get what you
have but don't want to spend 600 bucks. I have a small SOHO for testing only.
Looking at USR5450 for only 150.

Below is an ISA log:

Access request for user (E-Mail Removed)l was discarded.
Fully-Qualified-User-Name = XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven
XXXXXX NAS-IP-Address = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X
Called-Station-Identifier = 00-12-17-e0-e3-2b Calling-Station-Identifier =
00-0e-35-7b-2d-8e Client-Friendly-Name = Wireless Linksys Client-IP-Address =
192.168.16.28 NAS-Port-Type = Wireless - IEEE 802.11 NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows Authentication-Server = <undetermined>
Reason-Code = 9 Reason = The request was discarded by a third-party extension
DLL file.

Lastly - I set up the IAS policy with the wizard and selected cert, then
select the server cert. Same way L2TP works. Its policy number 1.

Hope all this helps and thanks again for your help.
--
Steve

"Ace Fekay [MVP]" wrote:

> In news:8F814973-64C4-4070-B024-(E-Mail Removed),
> Steven <(E-Mail Removed)> stated, which I commented on
> below:
> > Hello MVP,
> >
> > I am setting up a Wireless Network and trying to take advantage of
> > IAS with EAP-TLS in Windows Server 2003. The client is prompted for a
> > cert but when I select the cert it just tries and tries then prompts
> > me again. This continues....
> > I have a linksys wrk54g using WPA - Radius. I have both user certs and
> > computer certs on the client. I have a computer cert on the IAS
> > server. Auto entrollment is working as it should.
> >
> > Note: I am using L2TP/IPsec successfully over the same Windows
> > system. Also note that currently I am having to just use WEP which
> > hopefully is just temporary.
> >
> > Any help would be greatly apprciated.
>
> I just did this recently using a Cisco Aironet 1231 and it's still pretty
> fresh in my mind. I didn't use WEP, not necessary since I used WPA and
> TKIP.Works great.
>
> I'm assuming you used a Windows 2003 Enterprise for the CA to give you the
> ability to duplicate the User and Computer certs to create your
> autoenrollment certs, and in the certs, you are allowing user and computer
> certs to login.
>
> From what you've posted, if you've verified by checking the workstation
> (certifcates snap-in) that it has received a cert thru autoenrollment, and
> depending on how the clients wireless interfaces are setup, whether static
> settings or controlling the clients thru a GPO, it should pretty much work.
>
> Are you using a GPO for a wireless policy? If so, what do you have set in
> there as far as the client settings (WPA, WEP, SSID, etc)?
>
> Is the key length on the CA and the certs no larger than 1024? Cisco, and
> what I understand many others, do not support keys larger than 1024. If it
> keeps prompting you for the cert, than that may be a better guess as to why
> this is happening.
>
> Make sure your RADIUS Linksys client and IAS server shared secrets match.
> (You'd be suprised how this one can be easily overlooked).
>
> Did you create an IAS policy to allow 802.1?
> Controlling access by groups in the IAS policy? If so, are the users part of
> that group?
>
> What do the ISA logs, ISA server and client Event viewer logs, and possibly
> the Linksys logs say? Any errors on the Event logs on the CA?
>
> Sorry for all the questions, too many places this can go wrong, and need to
> narrow it down.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Having difficulty reading or finding responses to your post?
> Instead of the website you're using, I suggest to use OEx (Outlook Express
> or any other newsreader), and configure a news account, pointing to
> news.microsoft.com. This is a direct link to the Microsoft Public
> Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
> to easily find, track threads, cross-post, sort by date, poster's name,
> watched threads or subject.
>
> It's easy:
> How to Configure OEx for Internet News
> http://support.microsoft.com/?id=171164
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Assimilation Imminent. Resistance is Futile
> Infinite Diversities in Infinite Combinations
>
> "Very funny Scotty. Now, beam down my clothes."
>
> The only thing in life is change. Anything more is a blackhole consuming
> unnecessary energy.
>
>
>
>
>

In news:56474046-5490-4241-9D3B-(E-Mail Removed),
Steven <(E-Mail Removed)> stated, which I commented on
below:
> Thanks for your reply Ace,
>
> I have done everything by the book. As I said, my L2TP/IPSec is
> working perfectly from the same computer. It uses the computer cert
> and the user cert. I suspect the problem may be my Linksys as it is a
> router and not a AP however it does have the Radius selection under
> security. When I select it I point it to my Radius IP address and
> then give the linksys a static IP and set it as a Radius Client. Yes
> I tried using WPA TKIP - Radius on that end. Trying to move away from
> WEP. I haven't set a Wireless GPO yet, i won't do that untill I can
> successfully connect manually. Would love to get what you have but
> don't want to spend 600 bucks. I have a small SOHO for testing only.
> Looking at USR5450 for only 150.
>
> Below is an ISA log:
>
> Access request for user (E-Mail Removed)l was discarded.
> Fully-Qualified-User-Name =
> XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven XXXXXX NAS-IP-Address
> = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X
> Called-Station-Identifier = 00-12-17-e0-e3-2b
> Calling-Station-Identifier = 00-0e-35-7b-2d-8e Client-Friendly-Name =
> Wireless Linksys Client-IP-Address = 192.168.16.28 NAS-Port-Type =
> Wireless - IEEE 802.11 NAS-Port = <not present> Proxy-Policy-Name =
> Use Windows authentication for all users Authentication-Provider =
> Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> = The request was discarded by a third-party extension DLL file.
>
> Lastly - I set up the IAS policy with the wizard and selected cert,
> then select the server cert. Same way L2TP works. Its policy number 1.
>
> Hope all this helps and thanks again for your help.

Hi Steve,

This part of the log grabbed my attention:
> Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> = The request was discarded by a third-party extension DLL file.

Curious what that 3rd party DLL is it referring to that discarded the
authentication request?? Something else installed?

Is your key length greater than 1024? Windows with L2TP/IPSec will support
larger keys, but not the wireless devices, AP or not. They're maxxed at
1024.

Anything in the Event logs?

Ace

I saw that too and wondered, but isn't the authenticator the AP? Which
forwards requests to the Authentication Server? Meaning the AP is the
problem?
The keys are 1024. This is a SBS 2003 Premium DC. Nothing 3rd party should
be interfereing here. This is a very clean server and SOHO testing
environment. The Windows policy in IAS was made by the wizard. I removed it
and that didn't change anything. Nothing else in the even t logs.

Any suggestions?
--
Steve



"Ace Fekay [MVP]" wrote:

> In news:56474046-5490-4241-9D3B-(E-Mail Removed),
> Steven <(E-Mail Removed)> stated, which I commented on
> below:
> > Thanks for your reply Ace,
> >
> > I have done everything by the book. As I said, my L2TP/IPSec is
> > working perfectly from the same computer. It uses the computer cert
> > and the user cert. I suspect the problem may be my Linksys as it is a
> > router and not a AP however it does have the Radius selection under
> > security. When I select it I point it to my Radius IP address and
> > then give the linksys a static IP and set it as a Radius Client. Yes
> > I tried using WPA TKIP - Radius on that end. Trying to move away from
> > WEP. I haven't set a Wireless GPO yet, i won't do that untill I can
> > successfully connect manually. Would love to get what you have but
> > don't want to spend 600 bucks. I have a small SOHO for testing only.
> > Looking at USR5450 for only 150.
> >
> > Below is an ISA log:
> >
> > Access request for user (E-Mail Removed)l was discarded.
> > Fully-Qualified-User-Name =
> > XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven XXXXXX NAS-IP-Address
> > = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X
> > Called-Station-Identifier = 00-12-17-e0-e3-2b
> > Calling-Station-Identifier = 00-0e-35-7b-2d-8e Client-Friendly-Name =
> > Wireless Linksys Client-IP-Address = 192.168.16.28 NAS-Port-Type =
> > Wireless - IEEE 802.11 NAS-Port = <not present> Proxy-Policy-Name =
> > Use Windows authentication for all users Authentication-Provider =
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
> >
> > Lastly - I set up the IAS policy with the wizard and selected cert,
> > then select the server cert. Same way L2TP works. Its policy number 1.
> >
> > Hope all this helps and thanks again for your help.
>
> Hi Steve,
>
> This part of the log grabbed my attention:
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
>
> Curious what that 3rd party DLL is it referring to that discarded the
> authentication request?? Something else installed?
>
> Is your key length greater than 1024? Windows with L2TP/IPSec will support
> larger keys, but not the wireless devices, AP or not. They're maxxed at
> 1024.
>
> Anything in the Event logs?
>
> Ace
>
>
>
>

I think the problem has to be somewhere with setting up the linksys as the
radius client. Since its a router and not an actual AP it may not be working
right. And although it has a Radius setting under Security it doesn't have a
secret key part, only a phrase for the wireless encryption key, the WPA TKIP.
Know where I can get an actual radius AP for cheap ( testing purposes ).

Correct me if you think I am wrong.
--
Steve


"Ace Fekay [MVP]" wrote:

> In news:56474046-5490-4241-9D3B-(E-Mail Removed),
> Steven <(E-Mail Removed)> stated, which I commented on
> below:
> > Thanks for your reply Ace,
> >
> > I have done everything by the book. As I said, my L2TP/IPSec is
> > working perfectly from the same computer. It uses the computer cert
> > and the user cert. I suspect the problem may be my Linksys as it is a
> > router and not a AP however it does have the Radius selection under
> > security. When I select it I point it to my Radius IP address and
> > then give the linksys a static IP and set it as a Radius Client. Yes
> > I tried using WPA TKIP - Radius on that end. Trying to move away from
> > WEP. I haven't set a Wireless GPO yet, i won't do that untill I can
> > successfully connect manually. Would love to get what you have but
> > don't want to spend 600 bucks. I have a small SOHO for testing only.
> > Looking at USR5450 for only 150.
> >
> > Below is an ISA log:
> >
> > Access request for user (E-Mail Removed)l was discarded.
> > Fully-Qualified-User-Name =
> > XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven XXXXXX NAS-IP-Address
> > = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X
> > Called-Station-Identifier = 00-12-17-e0-e3-2b
> > Calling-Station-Identifier = 00-0e-35-7b-2d-8e Client-Friendly-Name =
> > Wireless Linksys Client-IP-Address = 192.168.16.28 NAS-Port-Type =
> > Wireless - IEEE 802.11 NAS-Port = <not present> Proxy-Policy-Name =
> > Use Windows authentication for all users Authentication-Provider =
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
> >
> > Lastly - I set up the IAS policy with the wizard and selected cert,
> > then select the server cert. Same way L2TP works. Its policy number 1.
> >
> > Hope all this helps and thanks again for your help.
>
> Hi Steve,
>
> This part of the log grabbed my attention:
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
>
> Curious what that 3rd party DLL is it referring to that discarded the
> authentication request?? Something else installed?
>
> Is your key length greater than 1024? Windows with L2TP/IPSec will support
> larger keys, but not the wireless devices, AP or not. They're maxxed at
> 1024.
>
> Anything in the Event logs?
>
> Ace
>
>
>
>

I think the problem has to be somewhere with setting up the linksys as the
radius client. Since its a router and not an actual AP it may not be working
right. And although it has a Radius setting under Security it doesn't have a
secret key part, only a phrase for the wireless encryption key, the WPA TKIP.
Know where I can get an actual radius AP for cheap ( testing purposes ).

Correct me if you think I am wrong.
--
Steve


"Ace Fekay [MVP]" wrote:

> In news:56474046-5490-4241-9D3B-(E-Mail Removed),
> Steven <(E-Mail Removed)> stated, which I commented on
> below:
> > Thanks for your reply Ace,
> >
> > I have done everything by the book. As I said, my L2TP/IPSec is
> > working perfectly from the same computer. It uses the computer cert
> > and the user cert. I suspect the problem may be my Linksys as it is a
> > router and not a AP however it does have the Radius selection under
> > security. When I select it I point it to my Radius IP address and
> > then give the linksys a static IP and set it as a Radius Client. Yes
> > I tried using WPA TKIP - Radius on that end. Trying to move away from
> > WEP. I haven't set a Wireless GPO yet, i won't do that untill I can
> > successfully connect manually. Would love to get what you have but
> > don't want to spend 600 bucks. I have a small SOHO for testing only.
> > Looking at USR5450 for only 150.
> >
> > Below is an ISA log:
> >
> > Access request for user (E-Mail Removed)l was discarded.
> > Fully-Qualified-User-Name =
> > XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven XXXXXX NAS-IP-Address
> > = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X
> > Called-Station-Identifier = 00-12-17-e0-e3-2b
> > Calling-Station-Identifier = 00-0e-35-7b-2d-8e Client-Friendly-Name =
> > Wireless Linksys Client-IP-Address = 192.168.16.28 NAS-Port-Type =
> > Wireless - IEEE 802.11 NAS-Port = <not present> Proxy-Policy-Name =
> > Use Windows authentication for all users Authentication-Provider =
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
> >
> > Lastly - I set up the IAS policy with the wizard and selected cert,
> > then select the server cert. Same way L2TP works. Its policy number 1.
> >
> > Hope all this helps and thanks again for your help.
>
> Hi Steve,
>
> This part of the log grabbed my attention:
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
>
> Curious what that 3rd party DLL is it referring to that discarded the
> authentication request?? Something else installed?
>
> Is your key length greater than 1024? Windows with L2TP/IPSec will support
> larger keys, but not the wireless devices, AP or not. They're maxxed at
> 1024.
>
> Anything in the Event logs?
>
> Ace
>
>
>
>

Ace - just wanted to let you know I went out and purchased and actual AP and
now everything works great. Sorry to waste you time.
--
Steve
MCSA, MCSE


"Ace Fekay [MVP]" wrote:

> In news:56474046-5490-4241-9D3B-(E-Mail Removed),
> Steven <(E-Mail Removed)> stated, which I commented on
> below:
> > Thanks for your reply Ace,
> >
> > I have done everything by the book. As I said, my L2TP/IPSec is
> > working perfectly from the same computer. It uses the computer cert
> > and the user cert. I suspect the problem may be my Linksys as it is a
> > router and not a AP however it does have the Radius selection under
> > security. When I select it I point it to my Radius IP address and
> > then give the linksys a static IP and set it as a Radius Client. Yes
> > I tried using WPA TKIP - Radius on that end. Trying to move away from
> > WEP. I haven't set a Wireless GPO yet, i won't do that untill I can
> > successfully connect manually. Would love to get what you have but
> > don't want to spend 600 bucks. I have a small SOHO for testing only.
> > Looking at USR5450 for only 150.
> >
> > Below is an ISA log:
> >
> > Access request for user (E-Mail Removed)l was discarded.
> > Fully-Qualified-User-Name =
> > XXXXXXX.local/MyBusiness/Users/SBSUsers/Steven XXXXXX NAS-IP-Address
> > = 192.168.16.28 NAS-Identifier = Linksys BEFW41S4-V4.X
> > Called-Station-Identifier = 00-12-17-e0-e3-2b
> > Calling-Station-Identifier = 00-0e-35-7b-2d-8e Client-Friendly-Name =
> > Wireless Linksys Client-IP-Address = 192.168.16.28 NAS-Port-Type =
> > Wireless - IEEE 802.11 NAS-Port = <not present> Proxy-Policy-Name =
> > Use Windows authentication for all users Authentication-Provider =
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
> >
> > Lastly - I set up the IAS policy with the wizard and selected cert,
> > then select the server cert. Same way L2TP works. Its policy number 1.
> >
> > Hope all this helps and thanks again for your help.
>
> Hi Steve,
>
> This part of the log grabbed my attention:
> > Windows Authentication-Server = <undetermined> Reason-Code = 9 Reason
> > = The request was discarded by a third-party extension DLL file.
>
> Curious what that 3rd party DLL is it referring to that discarded the
> authentication request?? Something else installed?
>
> Is your key length greater than 1024? Windows with L2TP/IPSec will support
> larger keys, but not the wireless devices, AP or not. They're maxxed at
> 1024.
>
> Anything in the Event logs?
>
> Ace
>
>
>
>

"Steven" <(E-Mail Removed)> wrote in message
newsEDE260B-9F6A-4DED-80F1-(E-Mail Removed)...
> Ace - just wanted to let you know I went out and purchased and actual AP
> and
> now everything works great. Sorry to waste you time.
> --
> Steve
> MCSA, MCSE

Wow, so it was the Linksys. I honestly *assumed* that thing would work with
certs, but then come to think about it, I wasn't sure.

What did you get for an AP?

Ace

I got a Linksys AP for 79.

Can I ask ya one more question??? Is there a way to auto enroll user certs
the same way ya do computer certs or do they have to pull down from webpage?

Steve
MCSA, MCSE


"Ace Fekay [MVP]" wrote:

>
> "Steven" <(E-Mail Removed)> wrote in message
> newsEDE260B-9F6A-4DED-80F1-(E-Mail Removed)...
> > Ace - just wanted to let you know I went out and purchased and actual AP
> > and
> > now everything works great. Sorry to waste you time.
> > --
> > Steve
> > MCSA, MCSE
>
> Wow, so it was the Linksys. I honestly *assumed* that thing would work with
> certs, but then come to think about it, I wasn't sure.
>
> What did you get for an AP?
>
> Ace
>
>
>