Linksys WAP54G on Windows 2000 IAS (Radius)

Discussion in 'Wireless Networking' started by M P, Mar 3, 2006.

  1. M P

    M P Guest

    M P, Mar 3, 2006
    #1

  2. Hi MP. I see that this was cross-posted in the radius newsgroup and some
    other places.

    Not sure where you're having trouble, but if you still need help, I can try
    to answer here if you want. The most common problems I've experienced setting
    up radius are...

    - the radius client settings are not correct on the IAS server
    - the radius server settings are not correct on the radius client (the AP)
    - the secret doesn't match
    - the IAS server is not registered in the domain
    - there is some default on the policy or user account that needs to be changed to
    actually permit authentication
    - your cert server is not set up correctly (too many or too few certs, is
    the right one selected in the IAS policy?)
    - a modification has been made to policies such that no IAS policy is
    actually matching the request
    - a firewall is blocking traffic

    After you double-check for all those settings, check the system event log for
    IAS events to see whether you're getting failures or whether it's not
    getting that far.

    I forget whether Windows 2000 supports PEAP, but if you can enable
    PEAP/MSCHAPv2 on the server and disable cert validation and using your
    winlogon creds on the wireless supplicant, you should be prompted for your
    password.

    Using PEAP w/o cert validation on the supplicant removes the PKI requirement
    on the client, making troubleshooting easier.

    Here are some links that might be useful, too:

    http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/wifitrbl.mspx

    http://technet2.microsoft.com/WindowsServer/en/Library/1d497af2-be8a-4e9f-a586-e01bff1862d01033.mspx



    Hope this helps!

    -Carl
     
    Carl DaVault [MSFT], Mar 6, 2006
    #2

  3. M P

    M P Guest

    Hi Carl,

    thanks for the reply. Do I need to set my windows 2000 domain mixed mode to
    native mode? Will there be no problem on my windows nt workstation clients &
    98 connected to this server if I will switch to native mode? The reason why
    I ask is that Remote Access Policy was disabled on AD Users and Group and as
    I read some articles, AD must be in native mode to support RAP. I do have
    W2K Server DCs and some WNT Server for some of my applications.

    If you need more details on my configuration just let me know.


    MP
     
    M P, Mar 7, 2006
    #3
  4. Sorry - I can't remember all the details of supporting older OS's.

    : )

    The microsoft.public.internet.radius newsgroup will be better for that.

    But as I recall, only certain user dialin properties are available in mixed
    mode (this is because when NT4 handles a user account it can't accommodate the
    extra dialin data from the AD). If you have a radio button that says "grant"
    or "permit" on the user (but "policy" is disabled) then you can still use
    most of the features - "policy" is a NULL setting on the user object that
    allows a setting on the profile to be used instead.

    You can tweak other properties of the profile to cause access to be denied
    (other than the grant/deny setting, which is overridden if there's a setting
    on the user anyway).

    There are probably a lot of options for your deployment but I wouldn't want
    to recommend anything that would upset your downlevel clients.

    I would say you should test with an XPSP2 wireless client. That will prove
    whether your basic backend infrastructure is working. Then it becomes an
    issue of helping along the older clients.

    You can also try setting up a private AP for testing, along with a custom
    policy that matches the IP address of the AP. Then try to allow everything.
    If you get it working, you can then modify it to be more restrictive about
    granting access.

    -Carl

    --
    Standard Disclaimers -
    This posting is provided "AS IS" with no warranties,
    and confers no rights. Please do not send e-mail directly
    to this alias. This alias is for newsgroup purposes only.
     
    Carl DaVault [MSFT], Mar 8, 2006
    #4