WPA and IAS

11 posts by 2 authors in: Forums > CWSP - Enterprise Wi-Fi Security
Last Post: July 21, 2004:
  • By (Deleted User)

    Hello,

    I have a problem to which I can't seem to find a solution.
    I'm studying for the CWNA and have a Linksys WRT54G Access Point. I set up an IAS server on a Windows 2003 machine and configured a client for the AP; on the AP I configured RADIUS authentication (WPA RADIUS didn't seem to work either).

    Using my protocol analyzer I can see that the AP sends a RADIUS request to the IAS server, and that it responds favorably (radius-accept)... but... the AP keeps resending the authentication request and doesn't seem to realize that it has been validated.

    This results in the user/machine not being authenticated at all. On my PDA I just see the login prompt over and over again.

    I've configured everything properly as far as I know, anyone got any ideas???

  • Do you have the latest firmware installed on the WRT54G? The latest release is v2.02.7.

    Also make sure the RADIUS server on Windows 2003 server actually supports the Linksys WRT54G.

    Have a look through this Using RADIUS For WLAN Authentication tutorial for a possible solution: http://www.wi-fiplanet.com/tutorials/article.php/10724_3287481_2

  • By (Deleted User)

    Yes, I have the latest firmware. I was under the impression that RADIUS was a standard and hardware/software devices conformed to it, hence the RADIUS server need not know that my hardware is a Linksys WRT54G.

    I'll check out that tutorial, thanks.

  • I've noticed postings on other boards about certain APs not working with specific implementations of RADIUS. In one case, a firmware upgrade introduced a bug and broke that AP's ability to successfully negotiate a RADIUS session.

    No protocol is completely free from ambiguities in its interpretation, and because of this, discrepancies will occur during any implementation of the protocol. This means that no two clients and/or agents will implement a protocol in exactly the same way, unless they share the same source code, of course.

  • By (Deleted User)

    Seems reasonable, and I've searched for other users of the same AP having issues but have come up empty.

    Have any other tips?
    The tutorial didn't help..

    I'll try another AP next..

  • Trying another WRT54G is good too. Also try it with an earlier firmware revision just for grins.

    Do you have the RADIUS server set to use WPA for sending client certificates, or just plain RADIUS using only WEP encryption? You need both the AP and RADIUS server set to use the same. Also check your server address, network port, shared key, and the four WEP keys to see if anything is incorrect.

    If all this failed to turn up the problem then I'd search USENET for other people complaining about the WRT54G not working with RADIUS on W2K3 Server. Maybe Linksys has a Knowledge Base article on it.

  • By (Deleted User)

    I believe that the Windows clients support EAP-TLS and EAP-MD5, not PEAP as I was trying to use. I'm not sure about that yet but I read so in a Microsoft book today while at Borders...

    I'll try changing the method and will report back later.
    Thanks for your help.

  • By (Deleted User)

    Windows XP SP1 onwards supports PEAP: http://support.microsoft.com/default.aspx?scid=kb;en-us;325725

    I have recently configured a wireless network with IAS on Windows 2003, Cisco 1200 APs and Windows XP clients with Aironet 802.11a cards. There is a comprehensive guide to configuring IAS with PEAP on Microsoft’s website: http://www.microsoft.com/technet/security/guidance/peap_0.mspx

    You can download the guide in pdf format as well as the scripts used in the guide. Although the guide is around 170 pages long, the information that is pertinent to the configuration can be distilled to about 20 pages.

    I encountered a problem where the wireless client appeared to repeatedly attempt to authenticate. I had the Cisco Aironet Client Utility installed for carrying out wireless surveys. When I selected the option in the ACU to allow another application to control the wireless settings (i.e. Windows XP), everything ran fine.

  • By (Deleted User)

    This is EXACTLY what I'm seeing. I see the RADIUS-REQUEST and RADIUS-ACCEPT packet pair going from the server to the AP repeatedly, yet no clients successfully authenticate.

    I have no Cisco equipment (well... no real Cisco equipment) and the clients I tried vary from PocketPC to Windows XP SP1.

  • When the AP gets the RADIUS-ACCEPT message from the server it must send a message back to the client indicating that the authentication was successful or not. If no message is being sent from the AP to the client, then the AP may not be interpreting the RADIUS-ACCEPT message correctly. In this case, I'd say there is a problem in the AP's configuration or (more likely) firmware.
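
Added example, not part of any post in this thread: an offline check for one of the configuration causes raised above (the shared key). Under RFC 2865 an AP must silently discard an Access-Accept whose Response Authenticator does not verify against its own shared secret, so the reply appears in a capture but the AP keeps retrying. The packets and secrets below are constructed samples, and `check_reply` and `build` are hypothetical helper names; the check covers the Response Authenticator only, not the Message-Authenticator attribute used with EAP.

```python
import hashlib
import struct

def parse_radius(packet):
    """Return (code, identifier, authenticator, attributes, raw) for one packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the captured bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs, packet[:length]

def check_reply(request, reply, secret):
    """Say how a NAS configured with `secret` should treat `reply` (RFC 2865)."""
    _, req_id, req_auth, _, _ = parse_radius(request)
    _, rep_id, rep_auth, _, raw = parse_radius(reply)
    if rep_id != req_id:
        return "discard: identifier does not match the pending request"
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(raw[:4] + req_auth + raw[20:] + secret).digest()
    if expected != rep_auth:
        return "discard: bad Response Authenticator (shared secret mismatch?)"
    return "valid"

def build(code, ident, auth, attrs, secret=None):
    """Construct a sample packet; with `secret`, sign it as a server reply."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    if secret is not None:
        auth = hashlib.md5(head + auth + body + secret).digest()
    return head + auth + body

# Constructed sample exchange (not taken from the thread's capture).
REQ_AUTH = bytes(range(16))
REQUEST = build(1, 7, REQ_AUTH, [(1, b"pda-user")])           # Access-Request
REPLY = build(2, 7, REQ_AUTH, [(79, b"\x03\x05\x00\x04")],    # Access-Accept
              secret=b"server-secret")                         # with EAP-Success

if __name__ == "__main__":
    print(check_reply(REQUEST, REPLY, b"server-secret"))   # secrets agree
    print(check_reply(REQUEST, REPLY, b"ap-typo-secret"))  # AP has a typo
```

Feed it the UDP payloads of a request/reply pair exported from the analyzer together with the secret typed into the AP; a "valid" verdict rules out the shared key and points back at the AP's handling of the reply.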

Page 1 of 2