I have a cluster of Cisco AP541N access points. I am trying to use the Radius authentication for WPA-Enterprise authentication, but I cannot get the APs to query the server properly.
Does anyone know of a cookbook or recipe for setting up the NPS server to provide authorization?
My current configuration is as follows.
The APs are simple: they just have a Radius Server IP field and a Radius Secret field. The SSID has all the options set: WPA, WPA2, Enable pre-authentication, TKIP, CCMP(AES) and Use Global Radius Server Settings.
On the server, each AP is defined as a client, each with a unique friendly name (cap-1 through cap-3). The secret is the same as on the AP cluster. Each AP is defined as a Cisco, and has the Access-Request Messages must have the Message-Authenticator Set box checked.
There is a single Network Policy, set as:
- policy enabled
- grant access
- unspecified network access server
Conditions:
- Windows Group Membership (a user group)
Constraints:
- Auth methods: EAP PEAP and EAP-MSCHAPv2; MS-CHAP-v2; MS-CHAP; CHAP; PAP/SPAP
Settings:
- all Standard Attributes have been removed (the PPP framing type etc).
When I try to connect to the AP, the AP logs:
cap-4th-2 hostapd: wlan0vap2: RADIUS Possible issue with RADIUS server connection - no reply received for first three attempts
Around the same time, the Windows server logs:
NPS: 18: An Access-Request message was received from RADIUS client 10.17.15.247 with a Message-Authenticator attribute that is not valid.
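The "Message-Authenticator attribute that is not valid" event is the server rejecting the RFC 3579 HMAC that the AP puts into each Access-Request. As an added illustration (not part of the question or answer), this Python script builds such a request and recomputes the attribute the way a RADIUS server does; the same packet validates with the right shared secret and fails with a different one, which is exactly what a secret mismatch between the AP cluster and NPS produces. The secret, identifier and user name are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(secret: bytes, identifier: int, attrs: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request carrying a Message-Authenticator (RFC 3579 3.2):
    HMAC-MD5 keyed with the shared secret over the whole packet, with the
    Message-Authenticator value itself set to 16 zero octets."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator is random for Access-Request
    zeroed = attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(zeroed)) + authenticator
    mac = hmac.new(secret, header + zeroed, hashlib.md5).digest()
    return header + attrs + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)

def message_authenticator_valid(secret: bytes, packet: bytes) -> bool:
    """Recompute the Message-Authenticator with `secret` and compare it to the
    one in the packet, i.e. the check the server does before accepting it."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, attrs = packet[:20], packet[20:]
    rebuilt, received, pos = b"", None, 0
    while pos + 2 <= len(attrs):
        t, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            return False  # malformed TLV
        value = attrs[pos + 2:pos + length]
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            received, value = value, b"\x00" * 16
        rebuilt += attr(t, value)
        pos += length
    if received is None:
        return False  # the attribute is required when that box is checked on the client
    expected = hmac.new(secret, header + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)

# Constructed sample attributes: a request for the user "alice".
SAMPLE_ATTRS = attr(ATTR_USER_NAME, b"alice")
```

Feed a capture of a real Access-Request to `message_authenticator_valid` with the secret configured on NPS: if it returns False while the AP's own secret validates it, the two sides disagree on the secret.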
Best Answer
This worked for me.
On the AP541N:
Set the Global Radius settings:
Set the SSID to connect to by selecting all:
NPS Pre-configuration:
The role to install is Network Policy and Access Services; the service is Network Policy Server.
Once it is installed, right-click on NPS (local) and select Register Server In Active Directory.
(Also note that I usually have to stop and then start the NPS Service after running through the below configuration the first time; future changes seem to take effect right away.)
Define the RADIUS clients: Server Manager -> Roles -> Network Policy and Access -> NPS (Local) -> Radius Clients -> Radius Clients
Create a new client:
Define the Connection Request Policy:
Under Connection Request Policy, create a new policy. On the overview tab:
On the Conditions tab:
On the Settings tab, Authentication methods:
You shouldn't need any other values.
Define the Network Policy:
On the Overview tab:
On the Conditions tab:
On the Constraints tab:
On the settings tab:
Configure Domain Clients:
Wireless Properties:
Security tab:
PEAP Settings:
Security tab, Advanced Settings:
Configure Non-Domain Windows Clients:
As above, except:
EAP-MSCHAP-v2 Configure:
Further Refinements
I added a second Network Access policy that permits access to computers that are members of a particular group.
I then changed the Security Tab -> Advanced Settings -> Specify Authentication Mode to Computer authentication.
Finally a co-worker created a GPO that pushes out a pre-defined SSID network definition with the settings above to all domain member computers.
Now all domain laptops automatically connect to the wireless.
Non-domain member computers can still join as long as the Specify Authentication Mode is set to User authentication.
Configuring tablets, phones, and non-Windows computers is left as an exercise for the reader.
(Further updates to this will appear on my wiki page at http://wiki.xdroop.com/space/Windows/Server/2008/Radius+Server+for+Cisco+AP541N )