Cannot authenticate to MS IAS (RADIUS) server using Linksys WAP54G

Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using the
following setup.

1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS and
Microsoft CA).
2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000 (sp2).
3. Linksys WAP54G wireless AP (access point).
4. All servers and wireless AP connected to a 10/100 switch.

My laptop running W2K Pro (sp4) cannot connect to the domain. Each time, I
received a pop up msg asking me if I want to say YES or NO to accept the
certifiate, I press YES. Also a username, pw and domain window popped up but
each time I entered the information, these two windows kept popping up.
Can someone pls help me out here? TIA.

Dan

Steven
Mon May 02 10:37:45 CDT 2005

This is something you may want to post in the Microsoft wireless newsgroup.
In my experience not all WAP work well with 802.1X even if they advertise
so. The WAP and the wireless adapter both need to work with 802.1X. If you
look in Event Viewer of the IAS server you may find helpful events recorded
to as what the problem may be. If you have not done so yet make sure that
the wireless client computer and all computer involved have a copy of the
certificate for your CA in their trusted root store. You can use the mmc
certificate snapin for user or computer to view such and import the
certificate into the trusted root folder from a .cer file for the root CA
certificate [public key]. The link below may help if you have not seen it
yet. It is written for Windows 2003 but most still applies to Windows
000. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en


"Dan" <Dan@discussions.microsoft.com> wrote in message
news:BEF9C2AB-92B5-4170-88A2-9257885434AD@microsoft.com...
> Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using the
> following setup.
>
> 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS and
> Microsoft CA).
> 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000 (sp2).
> 3. Linksys WAP54G wireless AP (access point).
> 4. All servers and wireless AP connected to a 10/100 switch.
>
> My laptop running W2K Pro (sp4) cannot connect to the domain. Each time, I
> received a pop up msg asking me if I want to say YES or NO to accept the
> certifiate, I press YES. Also a username, pw and domain window popped up
> but
> each time I entered the information, these two windows kept popping up.
> Can someone pls help me out here? TIA.
>
> Dan
>

Dan
Mon May 02 13:39:04 CDT 2005

Thanks Steven. However, after following the steps as close to what I know
using W2K, my Network Card properties indicated "Contacting authentication
server..." and just sits for a long time. I did check my wireless AP by
pinging from the DC running Microsoft IAS and there was connection. Just not
sure why this is happening. Any other ideas you can help out?

"Steven L Umbach" wrote:

> This is something you may want to post in the Microsoft wireless newsgroup.
> In my experience not all WAP work well with 802.1X even if they advertise
> so. The WAP and the wireless adapter both need to work with 802.1X. If you
> look in Event Viewer of the IAS server you may find helpful events recorded
> to as what the problem may be. If you have not done so yet make sure that
> the wireless client computer and all computer involved have a copy of the
> certificate for your CA in their trusted root store. You can use the mmc
> certificate snapin for user or computer to view such and import the
> certificate into the trusted root folder from a .cer file for the root CA
> certificate [public key]. The link below may help if you have not seen it
> yet. It is written for Windows 2003 but most still applies to Windows
> 000. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:BEF9C2AB-92B5-4170-88A2-9257885434AD@microsoft.com...
> > Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using the
> > following setup.
> >
> > 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS and
> > Microsoft CA).
> > 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000 (sp2).
> > 3. Linksys WAP54G wireless AP (access point).
> > 4. All servers and wireless AP connected to a 10/100 switch.
> >
> > My laptop running W2K Pro (sp4) cannot connect to the domain. Each time, I
> > received a pop up msg asking me if I want to say YES or NO to accept the
> > certifiate, I press YES. Also a username, pw and domain window popped up
> > but
> > each time I entered the information, these two windows kept popping up.
> > Can someone pls help me out here? TIA.
> >
> > Dan
> >
>
>
>

Steven
Mon May 02 15:45:34 CDT 2005

See if there are any events related in the Event Viewer for both the client
computer and the IAS server. The IAS server usually records events. You also
would want to enable auditing of account logon events and logon events for
success and failure on the IAS server to find the maximum amount of
information. Also be sure that in the Remote Access Policy for the IAS
server that you have enabled PEAP. I have wireless here at home and enabled
802.1X for the fun of it and some network cards simply do not seem to work
as advertised. Make sure that you have the latest drivers/firmware installed
for both the AP and the wireless network adapter. I also had better luck
with XP Pro in some cases. --- Steve


"Dan" <Dan@discussions.microsoft.com> wrote in message
news:DDC5D6F8-8B5B-4C0F-9369-49FEB990A961@microsoft.com...
> Thanks Steven. However, after following the steps as close to what I know
> using W2K, my Network Card properties indicated "Contacting authentication
> server..." and just sits for a long time. I did check my wireless AP by
> pinging from the DC running Microsoft IAS and there was connection. Just
> not
> sure why this is happening. Any other ideas you can help out?
>
> "Steven L Umbach" wrote:
>
>> This is something you may want to post in the Microsoft wireless
>> newsgroup.
>> In my experience not all WAP work well with 802.1X even if they advertise
>> so. The WAP and the wireless adapter both need to work with 802.1X. If
>> you
>> look in Event Viewer of the IAS server you may find helpful events
>> recorded
>> to as what the problem may be. If you have not done so yet make sure that
>> the wireless client computer and all computer involved have a copy of the
>> certificate for your CA in their trusted root store. You can use the mmc
>> certificate snapin for user or computer to view such and import the
>> certificate into the trusted root folder from a .cer file for the root CA
>> certificate [public key]. The link below may help if you have not seen
>> it
>> yet. It is written for Windows 2003 but most still applies to Windows
>> 000. --- Steve
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>>
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:BEF9C2AB-92B5-4170-88A2-9257885434AD@microsoft.com...
>> > Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using
>> > the
>> > following setup.
>> >
>> > 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS
>> > and
>> > Microsoft CA).
>> > 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000
>> > (sp2).
>> > 3. Linksys WAP54G wireless AP (access point).
>> > 4. All servers and wireless AP connected to a 10/100 switch.
>> >
>> > My laptop running W2K Pro (sp4) cannot connect to the domain. Each
>> > time, I
>> > received a pop up msg asking me if I want to say YES or NO to accept
>> > the
>> > certifiate, I press YES. Also a username, pw and domain window popped
>> > up
>> > but
>> > each time I entered the information, these two windows kept popping up.
>> > Can someone pls help me out here? TIA.
>> >
>> > Dan
>> >
>>
>>
>>

Dan
Mon May 02 16:12:06 CDT 2005

I can't locate the Microsoft wireless newsgroup. Also, using WEP, WPA-PSK
worked, but it is not what we want on our network.

"Steven L Umbach" wrote:

> This is something you may want to post in the Microsoft wireless newsgroup.
> In my experience not all WAP work well with 802.1X even if they advertise
> so. The WAP and the wireless adapter both need to work with 802.1X. If you
> look in Event Viewer of the IAS server you may find helpful events recorded
> to as what the problem may be. If you have not done so yet make sure that
> the wireless client computer and all computer involved have a copy of the
> certificate for your CA in their trusted root store. You can use the mmc
> certificate snapin for user or computer to view such and import the
> certificate into the trusted root folder from a .cer file for the root CA
> certificate [public key]. The link below may help if you have not seen it
> yet. It is written for Windows 2003 but most still applies to Windows
> 000. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:BEF9C2AB-92B5-4170-88A2-9257885434AD@microsoft.com...
> > Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using the
> > following setup.
> >
> > 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS and
> > Microsoft CA).
> > 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000 (sp2).
> > 3. Linksys WAP54G wireless AP (access point).
> > 4. All servers and wireless AP connected to a 10/100 switch.
> >
> > My laptop running W2K Pro (sp4) cannot connect to the domain. Each time, I
> > received a pop up msg asking me if I want to say YES or NO to accept the
> > certifiate, I press YES. Also a username, pw and domain window popped up
> > but
> > each time I entered the information, these two windows kept popping up.
> > Can someone pls help me out here? TIA.
> >
> > Dan
> >
>
>
>

Steven
Mon May 02 18:01:09 CDT 2005

For WEP try selecting that key will be generated automatically and that open
authentication will be used if you have not tried that yet. --- Steve

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:261B32FB-CEAB-4007-9089-2C24C9507040@microsoft.com...
>I can't locate the Microsoft wireless newsgroup. Also, using WEP, WPA-PSK
> worked, but it is not what we want on our network.
>
> "Steven L Umbach" wrote:
>
>> This is something you may want to post in the Microsoft wireless
>> newsgroup.
>> In my experience not all WAP work well with 802.1X even if they advertise
>> so. The WAP and the wireless adapter both need to work with 802.1X. If
>> you
>> look in Event Viewer of the IAS server you may find helpful events
>> recorded
>> to as what the problem may be. If you have not done so yet make sure that
>> the wireless client computer and all computer involved have a copy of the
>> certificate for your CA in their trusted root store. You can use the mmc
>> certificate snapin for user or computer to view such and import the
>> certificate into the trusted root folder from a .cer file for the root CA
>> certificate [public key]. The link below may help if you have not seen
>> it
>> yet. It is written for Windows 2003 but most still applies to Windows
>> 000. --- Steve
>>
>> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
>>
>>
>> "Dan" <Dan@discussions.microsoft.com> wrote in message
>> news:BEF9C2AB-92B5-4170-88A2-9257885434AD@microsoft.com...
>> > Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using
>> > the
>> > following setup.
>> >
>> > 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS
>> > and
>> > Microsoft CA).
>> > 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000
>> > (sp2).
>> > 3. Linksys WAP54G wireless AP (access point).
>> > 4. All servers and wireless AP connected to a 10/100 switch.
>> >
>> > My laptop running W2K Pro (sp4) cannot connect to the domain. Each
>> > time, I
>> > received a pop up msg asking me if I want to say YES or NO to accept
>> > the
>> > certifiate, I press YES. Also a username, pw and domain window popped
>> > up
>> > but
>> > each time I entered the information, these two windows kept popping up.
>> > Can someone pls help me out here? TIA.
>> >
>> > Dan
>> >
>>
>>
>>

Dan
Wed May 04 14:30:03 CDT 2005

Thanks. I was able to get hold of a 3com commercial wireless AP. I used WPA
with RADIUS and same problem. My network adapter indicated it failed
authentication/cannot log into the domain. I checked the remote access
policies and a few other settings, and I don't seem to see where is wrong.
Can you point me to where else I can check out this failed authentication?

"Steven L Umbach" wrote:

> For WEP try selecting that key will be generated automatically and that open
> authentication will be used if you have not tried that yet. --- Steve
>
> "Dan" <Dan@discussions.microsoft.com> wrote in message
> news:261B32FB-CEAB-4007-9089-2C24C9507040@microsoft.com...
> >I can't locate the Microsoft wireless newsgroup. Also, using WEP, WPA-PSK
> > worked, but it is not what we want on our network.
> >
> > "Steven L Umbach" wrote:
> >
> >> This is something you may want to post in the Microsoft wireless
> >> newsgroup.
> >> In my experience not all WAP work well with 802.1X even if they advertise
> >> so. The WAP and the wireless adapter both need to work with 802.1X. If
> >> you
> >> look in Event Viewer of the IAS server you may find helpful events
> >> recorded
> >> to as what the problem may be. If you have not done so yet make sure that
> >> the wireless client computer and all computer involved have a copy of the
> >> certificate for your CA in their trusted root store. You can use the mmc
> >> certificate snapin for user or computer to view such and import the
> >> certificate into the trusted root folder from a .cer file for the root CA
> >> certificate [public key]. The link below may help if you have not seen
> >> it
> >> yet. It is written for Windows 2003 but most still applies to Windows
> >> 000. --- Steve
> >>
> >> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
> >>
> >>
> >> "Dan" <Dan@discussions.microsoft.com> wrote in message
> >> news:BEF9C2AB-92B5-4170-88A2-9257885434AD@microsoft.com...
> >> > Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using
> >> > the
> >> > following setup.
> >> >
> >> > 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS
> >> > and
> >> > Microsoft CA).
> >> > 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000
> >> > (sp2).
> >> > 3. Linksys WAP54G wireless AP (access point).
> >> > 4. All servers and wireless AP connected to a 10/100 switch.
> >> >
> >> > My laptop running W2K Pro (sp4) cannot connect to the domain. Each
> >> > time, I
> >> > received a pop up msg asking me if I want to say YES or NO to accept
> >> > the
> >> > certifiate, I press YES. Also a username, pw and domain window popped
> >> > up
> >> > but
> >> > each time I entered the information, these two windows kept popping up.
> >> > Can someone pls help me out here? TIA.
> >> >
> >> > Dan
> >> >
> >>
> >>
> >>
>
>
>

Dan
Wed May 04 14:56:03 CDT 2005

Don't worry about it. I got this 3com AP to work. What I had to do was
removed the Windows wireless configuration service (by stopping the service)
and then my Dlink wireless card software was able to authenticate using
WPA-RADIUS using 802.1x with PEAP-MS-CHAP V2. Which means the Linksys
wireless AP does not work in WPA-RADIUS. Thanks again Steve for your time.

"Dan" wrote:

> Thanks. I was able to get hold of a 3com commercial wireless AP. I used WPA
> with RADIUS and same problem. My network adapter indicated it failed
> authentication/cannot log into the domain. I checked the remote access
> policies and a few other settings, and I don't seem to see where is wrong.
> Can you point me to where else I can check out this failed authentication?
>
> "Steven L Umbach" wrote:
>
> > For WEP try selecting that key will be generated automatically and that open
> > authentication will be used if you have not tried that yet. --- Steve
> >
> > "Dan" <Dan@discussions.microsoft.com> wrote in message
> > news:261B32FB-CEAB-4007-9089-2C24C9507040@microsoft.com...
> > >I can't locate the Microsoft wireless newsgroup. Also, using WEP, WPA-PSK
> > > worked, but it is not what we want on our network.
> > >
> > > "Steven L Umbach" wrote:
> > >
> > >> This is something you may want to post in the Microsoft wireless
> > >> newsgroup.
> > >> In my experience not all WAP work well with 802.1X even if they advertise
> > >> so. The WAP and the wireless adapter both need to work with 802.1X. If
> > >> you
> > >> look in Event Viewer of the IAS server you may find helpful events
> > >> recorded
> > >> to as what the problem may be. If you have not done so yet make sure that
> > >> the wireless client computer and all computer involved have a copy of the
> > >> certificate for your CA in their trusted root store. You can use the mmc
> > >> certificate snapin for user or computer to view such and import the
> > >> certificate into the trusted root folder from a .cer file for the root CA
> > >> certificate [public key]. The link below may help if you have not seen
> > >> it
> > >> yet. It is written for Windows 2003 but most still applies to Windows
> > >> 000. --- Steve
> > >>
> > >> http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
> > >>
> > >>
> > >> "Dan" <Dan@discussions.microsoft.com> wrote in message
> > >> news:BEF9C2AB-92B5-4170-88A2-9257885434AD@microsoft.com...
> > >> > Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using
> > >> > the
> > >> > following setup.
> > >> >
> > >> > 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS
> > >> > and
> > >> > Microsoft CA).
> > >> > 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000
> > >> > (sp2).
> > >> > 3. Linksys WAP54G wireless AP (access point).
> > >> > 4. All servers and wireless AP connected to a 10/100 switch.
> > >> >
> > >> > My laptop running W2K Pro (sp4) cannot connect to the domain. Each
> > >> > time, I
> > >> > received a pop up msg asking me if I want to say YES or NO to accept
> > >> > the
> > >> > certifiate, I press YES. Also a username, pw and domain window popped
> > >> > up
> > >> > but
> > >> > each time I entered the information, these two windows kept popping up.
> > >> > Can someone pls help me out here? TIA.
> > >> >
> > >> > Dan
> > >> >
> > >>
> > >>
> > >>
> >
> >
> >

Dan
Wed Jun 29 10:03:02 CDT 2005

I'm posting this again because I've got a new Dlink DWL-2100AP which
according to many people it works. My problem is understanding certification
because I'm using EAP-TLS authentication and WPA-RADIUS using Microsoft IAS
server. Steven was of great help and I hope Steven can help me sort out
some steps here.
Can you provide a few simple steps as in where and what certificate should I
install on my IAS Server and clients using 802.1x wireless access and for our
VPN users? TIA.

"Dan" wrote:

> Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using the
> following setup.
>
> 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS and
> Microsoft CA).
> 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000 (sp2).
> 3. Linksys WAP54G wireless AP (access point).
> 4. All servers and wireless AP connected to a 10/100 switch.
>
> My laptop running W2K Pro (sp4) cannot connect to the domain. Each time, I
> received a pop up msg asking me if I want to say YES or NO to accept the
> certifiate, I press YES. Also a username, pw and domain window popped up but
> each time I entered the information, these two windows kept popping up.
> Can someone pls help me out here? TIA.
>
> Dan
>

Steven
Wed Jun 29 11:19:01 CDT 2005

Hi Dan.

The IAS server will need a server or computer certificate and the each
client computer will need a computer certificate for 802.1X and each user
will need a user certificate. If the VPN users can not obtain a computer
certificate for their computer due to not being connected to the domain they
will at least need an ipsec certificate for L2TP. PPTP does not require a
computer certificate but you can use certificate authentication for the user
if you want or PPTP.

Assuming you are using an Enterprise CA you can use Group Policy - automatic
certificate request to automatically obtain computer certificates for domain
computers that are under the scope of management of that Group Policy. Also
a local administrator can request and install a computer certificate on a
computer by using the mmc snapin for certificates for computer and going to
the certificates/personal folder, right clicking and select request
certificate. Users can do the same with the mmc snapin for certificates for
user. Web Enrollment is another possibility for users to request
certificates. The links below should help get you started. Make sure that
you have enabled auditing of account logon events in Domain Controller
Security Policy and auditing of logon events on your IAS server. When you
start setting up 802.1X you will find useful in formation in the
security/system/application logs on the domain controller and IAS server.
There is also a Microsoft wireless newsgroup that you may want to take
advantage of where users who have a lot of experience with wireless swap
tips. --- Steve

http://www.microsoft.com/WINDOWS2000/techinfo/planning/security/autocertsteps.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/advcertsteps.asp
http://www.microsoft.com/windows2000/techinfo/planning/security/cawebsteps.asp
http://www.microsoft.com/windowsserver2003/technologies/networking/wifi/default.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=0f7fa9a2-e113-415b-b2a9-b6a3d64c48f5&DisplayLang=en
--- this is great info but not all applies to Windows 2000 including
autoenrollment of user certificates.

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:4C86A19F-D893-4D95-9118-16A8E8EDB4B2@microsoft.com...
> I'm posting this again because I've got a new Dlink DWL-2100AP which
> according to many people it works. My problem is understanding
> certification
> because I'm using EAP-TLS authentication and WPA-RADIUS using Microsoft
> IAS
> server. Steven was of great help and I hope Steven can help me sort out
> some steps here.
> Can you provide a few simple steps as in where and what certificate should
> I
> install on my IAS Server and clients using 802.1x wireless access and for
> our
> VPN users? TIA.
>
> "Dan" wrote:
>
>> Hi, I'm trying to access to a test domain using PEAP-MS-CHAP V2 using the
>> following setup.
>>
>> 1. One W2K Server (sp4) in mixed mode running (DHCP, DNS, WINS, IAS and
>> Microsoft CA).
>> 2. One W2K Server (sp4) running RRAS and Microsoft ISA server 2000
>> (sp2).
>> 3. Linksys WAP54G wireless AP (access point).
>> 4. All servers and wireless AP connected to a 10/100 switch.
>>
>> My laptop running W2K Pro (sp4) cannot connect to the domain. Each time,
>> I
>> received a pop up msg asking me if I want to say YES or NO to accept the
>> certifiate, I press YES. Also a username, pw and domain window popped up
>> but
>> each time I entered the information, these two windows kept popping up.
>> Can someone pls help me out here? TIA.
>>
>> Dan
>>