PaulDotCom mailing list archives

Configuring WPA2 & RADIUS


From: robert.portvliet at gmail.com (Robert Portvliet)
Date: Mon, 1 Feb 2010 10:47:33 -0500

It's a single domain model with 4 DCs load balanced (the RADIUS server
(NPS) is on the 4th DC, btw), and I don't think there are replication issues,
or they would show up intermittently everywhere; authentication works fine
100% of the time in the building the DCs are located in.

I said before that I thought it was policy, but when I try to reason it out
I keep going back & forth between policy & some sort of strange network
issue.





On Mon, Feb 1, 2010 at 9:27 AM, Butturini, Russell <
Russell.Butturini at healthways.com> wrote:

That sounds like you could have some underlying AD issues causing the
problem.  Have you verified replication is working correctly?

________________________________

From: pauldotcom-bounces at mail.pauldotcom.com on behalf of Robert Portvliet
Sent: Mon 2/1/2010 8:02 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Configuring WPA2 & RADIUS


I was incorrect, each building is its own site in AD & its own subnet,
which is a /16 on a private class A.



On Sun, Jan 31, 2010 at 8:43 PM, Robert Portvliet <
robert.portvliet at gmail.com> wrote:


       That was going to be my next move, mirror the switchport the AP is
plugged into & take a capture of the auth attempt. (I'll do that tomorrow
morning)

       Like I said I'm coming into this a bit after the fact & didn't do
the initial setup, but yes, the cert is self-signed & generated using
Microsoft CA (I'll look into the settings further though); the clients are
all Vista, btw.

       As far as the network, it's flat with layer 3 routing only in the
core switch; each building is on its own VLAN, but the wireless VLAN is the
same no matter what building you are in. As far as AD goes there's only one
site; each building is an OU under that.

       I'm more of a Linux/Unix guy, so I'm a bit light in the AD end of
things. I think it might be something to do with policy, but according to
the systems engineer you should be getting the same policy no matter where
you go.

       Thanks much for the help!




       On Sat, Jan 30, 2010 at 8:55 PM, Tim Mugherini <gbugbear at gmail.com>
wrote:


               Robert,

                First I would not trust the RADIUS server logs; grab a
packet dump to verify they are not trying to auth as the computer acct (I
have seen MS IAS not log attempts, so even though I have no experience
with 2k8 NPS I would not trust the logs).

                Also you mentioned diff buildings, diff subnets? AD sites?

                Lastly you mentioned certificates: are you using a self-signed
one on the RADIUS server, MS CA? If MS CA, what are your GO settings for
the RADIUS and certs? (Have seen issues with MS CA and "verification" on XP,
so just a hunch on my part.)

               Tim


               On Sat, Jan 30, 2010 at 10:26 AM, Robert Portvliet
               <robert.portvliet at gmail.com> wrote:
                >
                > I'm attempting to troubleshoot an issue with an implementation of WPA2 &
                > RADIUS with certificates (for wireless authentication); it is a somewhat
                > perplexing issue which I am hoping someone on the list may be able to
                > provide some guidance on.
                >
                > In the building local to the RADIUS server, the machine will authenticate
                > to the RADIUS server using the machine name without issue; however, in the
                > other buildings the same machine (even using the same access point) will
                > never try to pass the machine name to authenticate. It passes the user
                > name, which works if we allow that method of authentication, but it's not
                > what we're after, obviously.
                >
                > The strange thing is I see no trace in the RADIUS server log of it even
                > trying the machine name, and the policy the machine receives should be the
                > same in each building.
                >
                > For the RADIUS server I am using NPS on Win2k8; the client machines are
                > Vista (latest patch level), APs are HP ProCurve, physical media is single
                > mode fiber between the buildings.
                >
                > I came into this a little late in the game; from what I can tell
                > everything seems to be configured correctly, but I'm getting the feeling I'm
                > missing something stupid, lol
                >
                >
                > Thanks in advance!
                >
                >
                >

                > _______________________________________________
                > Pauldotcom mailing list
                > Pauldotcom at mail.pauldotcom.com
                > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
                > Main Web Site: http://pauldotcom.com






******************************************************************************
This email contains confidential and proprietary information and is not to
be used or disclosed to anyone other than the named recipient of this email,
and is to be used only for the intended purpose of this communication.

******************************************************************************


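Added example, not posted by anyone in this thread: Tim's advice is to take a packet dump rather than trust the NPS log, and the Python below decodes the two places the identity shows up in such a capture. On the mirrored AP switchport it is the EAP-Response/Identity inside an EAPOL frame; on the AP-to-NPS leg it is the User-Name attribute (type 1) of the RADIUS Access-Request. Each identity is then classified as a machine identity (a Windows supplicant doing computer authentication sends host/<machine FQDN>, and NPS may log the account as DOMAIN\MACHINE$) or a user identity. The frames and packets it parses are constructed inline for the example; nothing is taken from the original poster's network, and the machine names and domain are made up.

```python
"""Classify 802.1X identities seen in a capture (added example, not from the thread)."""
import struct

ETHERTYPE_EAPOL = 0x888E
EAPOL_TYPE_EAP_PACKET = 0
EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_CODE_ACCESS_REQUEST = 1
RADIUS_ATTR_USER_NAME = 1


def parse_eapol_identity(frame: bytes):
    """Return the identity from an EAP-Response/Identity carried in EAPOL, else None."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_EAPOL:
        return None
    _version, eapol_type, eapol_len = struct.unpack("!BBH", frame[14:18])
    if eapol_type != EAPOL_TYPE_EAP_PACKET:
        return None                     # EAPOL-Start, Logoff, Key: no identity here
    eap = frame[18:18 + eapol_len]
    if len(eap) < 5:
        return None
    code, _ident, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        return None                     # a Request/Identity comes from the AP, not the client
    if eap_len > len(eap):
        return None                     # truncated
    return eap[5:eap_len].decode("utf-8", errors="replace")


def parse_radius_user_name(packet: bytes):
    """Return User-Name (attribute 1) from a RADIUS Access-Request, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != RADIUS_CODE_ACCESS_REQUEST or length > len(packet):
        return None
    pos = 20                            # code, id, length, 16-byte authenticator
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None                 # malformed attribute; stop rather than mis-read
        if attr_type == RADIUS_ATTR_USER_NAME:
            return packet[pos + 2:pos + attr_len].decode("utf-8", errors="replace")
        pos += attr_len
    return None


def classify_identity(identity):
    """Map an 802.1X identity to 'machine', 'user' or 'unknown'."""
    if identity is None:
        return "unknown"
    if identity.lower().startswith("host/") or identity.endswith("$"):
        return "machine"                # host/<fqdn> on the wire, DOMAIN\NAME$ in AD terms
    if "\\" in identity or "@" in identity:
        return "user"                   # DOMAIN\user or user@realm
    return "unknown"


def triage(eapol_frames, radius_packets):
    """Collect (identity, class) pairs actually seen on each leg of the exchange."""
    out = {"eapol": [], "radius": []}
    for frame in eapol_frames:
        ident = parse_eapol_identity(frame)
        if ident is not None:
            out["eapol"].append((ident, classify_identity(ident)))
    for pkt in radius_packets:
        name = parse_radius_user_name(pkt)
        if name is not None:
            out["radius"].append((name, classify_identity(name)))
    return out


# --- constructed sample traffic (not captured anywhere) ---------------------
def build_eapol_identity_response(identity: str, eap_id: int = 1) -> bytes:
    ident = identity.encode()
    eap = struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    eapol = struct.pack("!BBH", 1, EAPOL_TYPE_EAP_PACKET, len(eap)) + eap
    eth = bytes.fromhex("0180c2000003") + bytes.fromhex("001122334455") + struct.pack("!H", ETHERTYPE_EAPOL)
    return eth + eapol


def build_radius_access_request(user_name: str) -> bytes:
    name = user_name.encode()
    attr = bytes([RADIUS_ATTR_USER_NAME, 2 + len(name)]) + name
    return struct.pack("!BBH", RADIUS_CODE_ACCESS_REQUEST, 7, 20 + len(attr)) + b"\x00" * 16 + attr


if __name__ == "__main__":
    frames = [
        build_eapol_identity_response("host/laptop01.corp.example.com"),   # machine auth
        build_eapol_identity_response("CORP\\jdoe", eap_id=2),              # user auth
        b"\x00" * 60,                                                       # not EAPOL
    ]
    pkts = [build_radius_access_request("CORP\\jdoe")]
    for leg, seen in triage(frames, pkts).items():
        for ident, kind in seen:
            print(f"{leg}: {ident!r} -> {kind}")
```

Run against a real capture, each Ethernet frame from the mirror port goes to parse_eapol_identity() and each UDP payload to port 1812 goes to parse_radius_user_name(); if the remote buildings only ever show a user-style identity and never host/..., the supplicant is not attempting computer authentication there, whatever NPS logs. In Wireshark the equivalent filter on the mirror port is eap.code == 2 && eap.type == 1.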
