It works. Any argument?
Most likely the certificate is deleted by some application. Sometimes the certificate is not deleted, but rather archived. To verify, please run certmgr.msc and open the certificate snap-in. Then click Certificates->View->Options and select Archive Certificates. The certificates show up again.
It could be the Live Sync program that deletes/archives the certificate. To verify, please try not to use the program on the machine and monitor whether the certificate gets deleted/archived.
I also found that the FolderShare software can cause this kind of problem. If you have this software installed, please remove or disable it. Thank you.
To troubleshoot it, I recommend we perform a clean boot on the problematic machine and check it again.
To perform a clean boot, please follow these steps.
- Type MSCONFIG to open the System Configuration console.
- Go to the Services tab, check Hide all Microsoft services and then click the Disable All button.
- Go to the Startup tab and click the Disable All button.
- Restart the computer.
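The archived-versus-deleted check described in the reply above, done from PowerShell instead of certmgr.msc. This is an added example and not code from the original post; it opens the Personal store with the IncludeArchived flag (the same thing the View->Options checkbox does), reports which certificates carry the archive flag, and can clear that flag on one of them. The function names are my own; the thumbprint to restore is whatever the listing shows.

```powershell
# Added example, not part of the original forum reply. Lists the Personal ("My")
# store including archived certificates, so a certificate that was merely
# archived can be told apart from one that was really deleted.

function Get-PersonalCertificate {
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location = 'CurrentUser'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    # IncludeArchived is the flag the certmgr.msc checkbox turns on; without it
    # archived certificates are simply invisible, which looks like deletion.
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, IncludeArchived')
    try {
        foreach ($cert in $store.Certificates) {
            New-Object PSObject -Property @{
                Archived      = $cert.Archived
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    } finally {
        $store.Close()
    }
}

function Restore-ArchivedCertificate {
    # Clears the archive flag on one certificate so it shows up normally again.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$Location = 'CurrentUser'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $Location)
    # Writing the Archived property needs a store opened ReadWrite.
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, IncludeArchived')
    try {
        $cert = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false) | Select-Object -First 1
        if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in $Location\My" }
        if (-not $cert.Archived) { return "Certificate '$($cert.Subject)' is not archived; nothing to do" }
        $cert.Archived = $false   # persisted through the open store handle
        "Un-archived '$($cert.Subject)'"
    } finally {
        $store.Close()
    }
}

# Archived entries are the prime suspects for a "deleted" certificate.
Get-PersonalCertificate -Location CurrentUser |
    Sort-Object Archived -Descending |
    Format-Table Archived, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

# Restore-ArchivedCertificate -Thumbprint '<thumbprint from the listing above>'
```

Run it as the user whose certificate went missing for CurrentUser, or elevated for LocalMachine. If the certificate is absent even with IncludeArchived, it really was deleted, and the clean-boot procedure above is the right next step to find which program is doing it.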
This worked for me.
On the AP541N:
Set the Global Radius settings:
- Radius server IP
- Radius secret
Set the SSID to connect to by selecting all:
- WPA
- WPA2
- Enable pre-authentication
- TKIP
- CCMP (AES)
- Use global RADIUS server settings
NPS Pre-configuration:
The role to install is Network Policy and Access Services, the service is Network Policy Server.
Once it is installed, right-click on NPS (local) and select Register Server In Active Directory.
(Also note that I usually have to stop and then start the NPS Service after running through the below configuration the first time; future changes seem to take effect right away.)
Define the RADIUS clients: Server Manager -> Roles -> Network Policy and Access -> NPS (Local) -> Radius Clients -> Radius Clients
Create a new client:
- Make sure it is enabled
- Short, friendly name
- IP address or DNS name
- Manual shared secret
- Repeat this set up for each AP in the cluster.
Define the Connection Request Policy:
Under Connection Request Policy, create a new policy. On the overview tab:
- make sure it is enabled
- the type of network access server is Unspecified
On the Conditions tab:
- Client Friendly Name, set to something which matches the Client Friendly Names you set above; for example, I have cap-1, cap-2, and cap-3, so my Client Friendly Name in the connection policy is cap-*
On the Settings tab, Authentication methods:
- select Override network policy authentication settings
- Add EAP Types EAP-MSCHAP-v2 and PEAP
- select MS-CHAP-v2
- select MS-CHAP
- leave all the other boxes unselected
You shouldn't need any other values.
Define the Network Policy:
On the Overview tab:
- make sure it is enabled
- Grant access
- clear Ignore user account dial-in properties
- Type of network access server is Unspecified
On the Conditions tab:
- Windows Groups: set to the windows user group that will grant access
- Client Friendly Name: same as the connection policy above
On the Constraints tab:
- leave everything as default; but ideally it should look the same as the connection policy above
On the settings tab:
- remove the Standard Radius Attributes (PPP Framing type etc) because you don't need them
Configure Domain Clients:
Wireless Properties:
Security tab:
- WPA2-Enterprise
- AES
- PEAP
- Remember my credentials
PEAP Settings:
- clear Validate Server Certificate
- Select Authentication Method: EAP-MSCHAP-v2
- Enable Fast Reconnect
Security tab, Advanced Settings:
- Specify authentication mode: user authentication
Configure Non-Domain Windows Clients:
As above, except:
EAP-MSCHAP-v2 Configure:
- clear Automatically Use my Windows logon name and password (and domain if any)
Further Refinements
I added a second Network Access policy that permits access to computers that are members of a particular group.
I then changed the Security Tab -> Advanced Settings -> Specify Authentication Mode to Computer authentication.
Finally a co-worker created a GPO that pushes out a pre-defined SSID network definition with the settings above to all domain member computers.
Now all domain laptops automatically connect to the wireless.
Non-domain member computers can still join as long as the Specify Authentication Mode is set to User authentication.
Configuring tablets, phones, and non-Windows computers is left as an exercise for the reader.
(Further updates to this will appear on my wiki page at http://wiki.xdroop.com/space/Windows/Server/2008/Radius+Server+for+Cisco+AP541N )
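The "Define the RADIUS clients" step of the answer above, scripted for a whole cluster. This is an added example and not the answer's own procedure: it registers each AP as an NPS RADIUS client with `netsh nps` (present on Server 2008), generates a separate random shared secret per AP instead of a hand-typed one, and then lists what NPS ends up with. The AP names and the 192.0.2.x addresses are made-up placeholders; the cap-* names are chosen to match the Client Friendly Name wildcard the answer uses in its policies. The helper names are mine.

```powershell
# Added example, not part of the original answer. Run elevated on the NPS server.

$accessPoints = @(
    @{ Name = 'cap-1'; Address = '192.0.2.11' },   # placeholder addresses
    @{ Name = 'cap-2'; Address = '192.0.2.12' },
    @{ Name = 'cap-3'; Address = '192.0.2.13' }
)

function New-RadiusSharedSecret {
    # Alphanumeric secret from a cryptographic RNG, with rejection sampling so
    # every character is equally likely. 32 chars is roughly 190 bits; check the
    # AP's own length limit before going longer (assumed here: 32 is accepted).
    param([int]$Length = 32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng  = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte = New-Object byte[] 1
    $out  = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($byte)
        # 248 is the largest multiple of 62 that fits in a byte; discard 248..255
        if ($byte[0] -lt 248) { [void]$out.Append($alphabet[$byte[0] % 62]) }
    }
    $out.ToString()
}

function Register-NpsRadiusClient {
    param([string]$Name, [string]$Address, [string]$SharedSecret)
    # state=enable mirrors the answer's "Make sure it is enabled".
    $netshArgs = @('nps', 'add', 'client',
                   "name=$Name", "address=$Address", 'state=enable', "sharedsecret=$SharedSecret")
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh nps add client failed for $Name" }
}

$secrets = @{}
foreach ($ap in $accessPoints) {
    $secret = New-RadiusSharedSecret
    Register-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret
    $secrets[$ap.Name] = $secret
}

# Shown once so each secret can be typed into that AP's global RADIUS settings;
# do not leave this output in a transcript or log file.
$secrets.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

# Confirm NPS now sees every AP, enabled, with the right address.
netsh nps show client
```

If the AP541N cluster replicates its RADIUS settings to all members, every AP will present the same secret, so generate one secret with New-RadiusSharedSecret and pass it to each Register-NpsRadiusClient call instead. Also keep in mind that `netsh nps export` with exportPSK=yes writes these secrets into the XML in the clear, so treat any such export like a password file.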
Best Answer
Microsoft's TechNet page on this (here) basically says: