We have purchased an HP MSM710 Mobility Controller and a number of MSM310 access points. Setup of the controller itself is relatively straightforward; however, I am having a large amount of difficulty with the Authentication side of things.
So we don't have to worry about using a preshared key, I would like to set up my IAS RADIUS server to handle 802.1x authentication requests and to feed the Dynamic key back to the connecting client. Unfortunately I think I am missing something in my setup, so I'm trying from scratch and starting again.
Some more details:
I have already set up the Controller to handle WPA (and later tested WPA2) encryption with TKIP and a pre-shared key. This works fine. However I now wish to enable 802.1x authentication using a Windows 2003 IAS (RADIUS) server to handle the key dynamically. However I cannot seem to allow the client to authenticate properly, and I am not sure where the problem lies. I have pored through the MSMxxx Manage/Config guide and it is not helpful here...
On the IAS side, I have set up a client profile for the MSM710, using RADIUS Standard, and have set up a simple shared key to eliminate testing issues there. I have logging open for everything. For simplicity I also set up a Remote Access Policy for Wifi that would just allow for all Domain Users. I then attempted setting up a self-signed cert for the RADIUS server using the method outlined here: http://www.techrepublic.com/article/ultimate-wireless-security-guide-self-signed-certificates-for-your-radius-server/6148560
The cert was created fine and I manually added it to the test laptop (Win XP SP3) and then I set up the WZC for the SSID, set it for PEAP, WPA/TKIP, and set it to use the self-signed cert.
Finally on the MSM710 controller, I set the VSC (there is only one at the moment, again for testing) to use WPA/TKIP encryption with a Dynamic key source, set 802.1x authentication to Remote, and RADIUS to the 'Default RADIUS Profile Name' (only one). Opened up the RADIUS profile, set the server address (IP) and shared secret. Settings are all defaulted, including the MSCHAPv2 authentication method. Also, the global 802.1x settings are the defaults.
Finally, I attempt to connect; on the laptop side, it just stops at 'Validating Identity' and there is basically nothing in the Event Logs of the laptop. Oddly, there are no logs in the RADIUS server as well. (FYI, the RADIUS server is also validating VPN requests, and those ARE working and being logged properly.) So I go to the Controller system logs, and it appears it is continually attempting to access the RADIUS server, but cannot.
I should note at this point that everything in testing is on the same subnet. No VLANs are being used for testing either. The controller can ping the RADIUS server, and vice versa.
At this point I am at a complete loss. I have attached a slightly sanitized version (replaced username and domain name) of the unfiltered system logs with the RADIUS debug from my Controller and I am hopeful someone can walk me through what I am missing. Everything I have done I've detailed above so if I am missing a step, should check something, whatever, please tell me!