PaulDotCom mailing list archives

Configuring WPA2 & RADIUS

From: robert.portvliet at gmail.com (Robert Portvliet)
Date: Thu, 4 Feb 2010 14:58:48 -0500

I looked into this a bit more today & found that I can authenticate using
the machine name using my Windows 7 laptop, it works in every building
without issue.

I also ran a few more test connects with the Vista laptop & found that after
it fails authentication it logs an error in the event viewer under
WLAN-autoconfig stating 'Explicit EAP failure recieved'.

I still do not see any attempt at machine authentication in the Radius
server logs or any errors on the Radius server's event viewer logs.

I mirrored the switchport that the ap is connected to & took a packet
capture, I picked through the Radius access-request, access-challenge &
access-reject packets, but I cannot tell from them whether the machine name
is being passed or just the user name.

Any ideas?

On Mon, Feb 1, 2010 at 10:19 AM, Tim Mugherini <gbugbear at gmail.com> wrote:

agreed - thats why i asked if there were multiple AD sites

Computer accounts in those sites have a modifed date with ADUC?

One would think there would be events logs if comp auth was an issue though

On Mon, Feb 1, 2010 at 9:27 AM, Butturini, Russell
<Russell.Butturini at healthways.com> wrote:

That sounds like you could some some underlying AD issues causing the

problem.  Have you verified replication is working correctly?


________________________________

From: pauldotcom-bounces at mail.pauldotcom.com on behalf of Robert

Portvliet

Sent: Mon 2/1/2010 8:02 AM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Configuring WPA2 & RADIUS


I was incorrect, each building is it's own site in AD & it's own subnet,

which is a /16 on a private class A.




On Sun, Jan 31, 2010 at 8:43 PM, Robert Portvliet <

robert.portvliet at gmail.com> wrote:



       That was going to be my next move, mirror the switchport the AP is

plugged into & take a capture of the auth attempt. (I'll do that tomorrow
morning)


       Like I said I'm coming into this a bit after the fact & didn't do

the initial setup, but yes the cert is self signed & generated using
Microsoft CA (I'll look into the settings further though), the clients are
all Vista btw.


       As far as the network, it's flat with layer 3 routing only in the

core switch, each building is on it's own vlan, but the wireless vlan is the
same no matter what building you are in, as far as AD goes there's only one
site, each building is an OU under that.


       I'm more of a Linux\Unix guy so I'm a bit light in the AD end of

things, I think it might be something to do with policy, but according to
the systems engineer you should be getting the same policy no matter where
you go.


       Thanks much for the help!




       On Sat, Jan 30, 2010 at 8:55 PM, Tim Mugherini <

gbugbear at gmail.com> wrote:



               Robert,

               First I would not trust the Radius server logs, grab  a

packet dump to

               verify they are not trying to auth as the computer acct (I

have seen

               MS IAS not log attempts so even though I have no

experience with 2k8

               NPS I would not trust the logs)

               Also you mentioned diff buildings, diff subnets? AD sites?

               Lastly you mentioned certifcates are you using a self

signed on the

               Radius server, MS CA? If MS CA what are your GO settings

for the

               Radius and Certs (have seen issues with MS CA and

"verification" on XP

               so just a hunch on my part.

               Tim


               On Sat, Jan 30, 2010 at 10:26 AM, Robert Portvliet
               <robert.portvliet at gmail.com> wrote:
               >
               >  I'm attempting to troubleshoot an issue with an

implementation of WPA2 &

               > RADIUS with certificates (for wireless authentication),

it is a somewhat

               > perplexing issue which I am hoping someone on the list

may be able to

               > provide some guidance on.
               >
               >  In the building local to the Radius server, the machine

will authenticate

               > to the Radius server using the machine name without

issue, however in the

               > other buildings the same machine (even using the same

access point) will

               > never try to pass the machine name to authenticate.. it

passes the user

               > name, which works if we allow that method of

authentication, but it's not

               > what we're after obviously.
               >
               >  The strange thing is I see no trace in the Radius

server log of it even

               > trying the machine name and the policy the machine

receives should be the

               > same in each building.
               >
               >   For the Radius server I am using NPS on win2k8. the

client machines are

               > Vista (latest patch level), AP's are HP ProCurve,

physical media is single

               > mode fiber between the buildings.
               >
               >   I came into this a little late in the game, from what

I can tell

               > everything seems to be configured correctly, but I'm

getting the feeling I'm

               > missing something stupid, lol
               >
               >
               > Thanks in advance!
               >
               >
               >

               > _______________________________________________
               > Pauldotcom mailing list
               > Pauldotcom at mail.pauldotcom.com
               >

http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom

               > Main Web Site: http://pauldotcom.com <

http://pauldotcom.com/>

               >
               _______________________________________________
               Pauldotcom mailing list
               Pauldotcom at mail.pauldotcom.com

http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom

               Main Web Site: http://pauldotcom.com <

http://pauldotcom.com/>

******************************************************************************

This email contains confidential and proprietary information and is not

to be used or disclosed to anyone other than the named recipient of this
email,

and is to be used only for the intended purpose of this communication.

******************************************************************************

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100204/2ac31389/attachment.htm

Current thread:

Configuring WPA2 & RADIUS Robert Portvliet (Jan 30)
- Configuring WPA2 & RADIUS Tim Mugherini (Jan 30)
  - Configuring WPA2 & RADIUS Robert Portvliet (Jan 31)
    - Configuring WPA2 & RADIUS Robert Portvliet (Feb 01)
    - Configuring WPA2 & RADIUS Butturini, Russell (Feb 01)
    - Configuring WPA2 & RADIUS Tim Mugherini (Feb 01)
    - Configuring WPA2 & RADIUS Robert Portvliet (Feb 04)
    - Configuring WPA2 & RADIUS Robert Portvliet (Feb 05)
    - Configuring WPA2 & RADIUS Robert Portvliet (Feb 01)