Wireless issue with Event ID: 4402

[guest]

Previously I had IAS configured on a windows 2003 server and wireless worked great. I moved to my windows 20008 r2 server and just can't get it to work. I follow the microsoft documentation and setup NPS/certifcate services which are basically the same as was my 2003 setup. The only difference is I am running DHCP services from my firewall. I setup a windows 2008 dhcp server buty it would not give out IP's. Is it requred to configure a windows dhcp server or is it ok to run form the firewall? Anyway, here is the error I am getting when the test client will not authenicate:



Event ID: 18 an access-request message was received from Radius client 152.32.154. with a message Authenicator attribute that is not valid

[guest]

Did you install the certificate in the local store on the NPS server?
--------------------------------------------------------------------------------
Also, here are my notes on it and some links:

===========
The following are non-Microsoft links that provide screenshots and explanations. Note: Since the web sites are not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Setting up Wi-Fi Authentication in Windows Server 2008 (Part 1)
http://www.windowsnetworking.com/articl ... Part1.html

Setting up Wi-Fi Authentication in Windows Server 2008 (Part 2)
http://www.windowsnetworking.com/articl ... Part2.html


From: http://social.technet.microsoft.com/For ... 1ce82758ad
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by enabling additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS server) must support the same EAP type for successful authentication to occur. However, PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS server certificate is used by the NPS server during the authentication process to prove its identity to PEAP clients.

For more information, please also read the following Microsoft TechNet articles:

RADIUS Server for 802.1X Wireless or Wired Connections
http://technet.microsoft.com/en-us/libr ... 31853.aspx

Planning NPS as a RADIUS server. Includes links with how-to's.
http://technet.microsoft.com/en-us/libr ... 7604(WS.10).aspx

NAP 802.1X Configuration Walkthrough – Part 1
http://blogs.technet.com/b/nap/archive/ ... rough.aspx

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide
http://araihan.wordpress.com/2009/11/11 ... us-server/

[guest]

In addition ,not sure which documentation you referred, but it should no problem if following the design and deployment guide in the link below to deploy wireless authentication infrastructure :



802.1X Authenticated Wireless Access

http://technet.microsoft.com/en-us/libr ... 1455(WS.10).aspx



For more information please also refer to the link below:



NPS Migration Guide

http://technet.microsoft.com/en-us/libr ... 1849(WS.10).aspx

[guest]

created a new certificate this time I selecting "domain controller". Although I am not there yet, I am getting closer. Here is what I receveived in the event viewer.


Network Policy Server granted full access to a user because the host met the defined health policy.



User:

Security ID:xNCSD\egwillis

Account Name:egwillis

Account Domain:xNCSD

Fully Qualified Account Name:xNCSD\egwillis



Client Machine:

Security ID:NULL SID

Account Name:-

Fully Qualified Account Name:-

OS-Version:-

Called Station Identifier:xx-43-e1-fb-ab-e0:WLC

Calling Station Identifier:00-xx-de-82-ec-b9



NAS:

NAS IPv4 Address:xxx.34.154.190

NAS IPv6 Address:-

NAS Identifier:Cisco_xf:df:60

NAS Port-Type:Wireless - IEEE 802.11

NAS Port: 1



RADIUS Client:

Client Friendly Name:WLC

Client IP Address:xxx.34.154.190



Authentication Details:

Connection Request Policy Name:Secure Wireless Connections

Network Policy Name:Secure Wireless Connections

Authentication Provider:Windows

Authentication Server:xNCSD4.xncsd.net

Authentication Type:PEAP

EAP Type: Microsoft: Secured password (EAP-MSCHAP v2)

Account Session Identifier:-



Quarantine Information:

Result: Full Access

Extended-Result:-

Session Identifier:-

Help URL: -

System Health Validator Result(s):-

Question on Certificates?

Are some cetificates generate automatically?



I see several certificates in the store that read as follows:

1.This certificate is intended for the following purpose(s) client authenication

*prove your ID to a remote computer

*ensure the id of a remote computer

2. This certificate is intended for the following purpose(s) Server Authenication

*ensures the id of a remote comptuer

*all issurances polices

3. This certificate is intended for the following purpose(s) All

* all issuance policies

*all application policies

[guest]

Thanks for posting that info. I'm not sure of the differences between the two certs. Right click on them, properties, and take a look at what their purposes are, creation or request date, etc.

I'm still having difficulty with the topology. Everything is being "routed" between 154.x.x.x and the 10.x.x.x range, or is the firewall a NAT server?

Are 154.34.154.1 and 10.100.5.1 the same firewall/router, or is there another network or subnet between the two? Are there any firewall rules on the firewalls/routers blocking traffic?

I see the error in the bottom of the dcdiag. I think that once you put everything on the 10.100.5.0 /22 subnet, most if not all, the errors will go away. I'm thinking there's something blocking necessary traffic.

Ace


--------------------------------------------------------------------------------

Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services